Introduction
We cover the recent vulnerability CVE-2022-26923, which affected Microsoft Windows Active Directory Certificate Services and allowed for local privilege escalation.
Research released as a whitepaper by SpecterOps showed that misconfigured certificate templates could be exploited for privilege escalation and lateral movement. Depending on the severity of the misconfiguration, any low-privileged user on the AD domain could escalate their privileges to those of an Enterprise Domain Admin with just a few clicks. If you are interested in learning more about these certificate template exploits, see this room.
Further research by Oliver Lyak uncovered an additional vulnerability (CVE-2022-26923) in the Certificate Service. Microsoft released a patch for it on the 10th of May. You can read more about the research here. This room provides a walkthrough of the exploitation of the vulnerability, as detailed in the research.
Key Concepts
- Active Directory Certificate Services (ADCS):
  - A Microsoft implementation of Public Key Infrastructure (PKI).
  - Used to issue certificates for:
    - Encrypting file systems.
    - Digital signatures.
    - Authentication (the subject of this vulnerability).
- Vulnerability Context:
  - Exploiting ADCS to create certificates that enable user authentication.
  - Requires initial access as an authenticated user in the Active Directory domain.
  - Focused on machine certificate templates, not user certificate templates.
ADCS Components and Vulnerability Details
- Certificate Templates:
  - User Templates: used by domain users to obtain certificates tied to their unique User Principal Name (UPN).
  - Machine Templates: allow machines to request certificates based on their DNS hostname.
- Exploit Vector:
  - The DNS hostname of a machine account in a machine template can be altered.
  - By changing a machine's DNS hostname to match the domain controller's, an attacker can impersonate the domain controller.
  - However, Service Principal Names (SPNs) must also be unique, so the attacker must first remove the conflicting SPNs.
- Steps to Exploit:
  - Gain access to a low-privileged user account in the domain.
  - Register a new machine in the domain.
  - Modify the DNS hostname to match the domain controller.
  - Remove conflicting SPNs to avoid detection.
  - Request a machine certificate with the modified hostname.
  - Use the certificate to authenticate as the domain controller.
- Challenges:
  - Microsoft automatically adjusts SPNs to keep them unique.
  - Attackers need to bypass this by manipulating or removing SPNs.
Exploitation Steps Demonstrated
- Setup:
  - Use the TryHackMe attack box, which comes pre-configured with the tools.
  - Tools required:
    - Certify: certificate enumeration and exploitation.
    - Impacket: supports Kerberos authentication.
- Process:
  - Enumerate the ADCS environment using Certify.
  - Modify the DNS hostname and SPNs to bypass the uniqueness requirements.
  - Request a machine certificate as the domain controller.
  - Use the certificate to authenticate and escalate privileges.
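The exploit vector and the process above both hinge on two directory writes a defender can watch for: a computer object's dNSHostName being set to a domain controller's FQDN, and servicePrincipalName values being stripped from that object so the rename is accepted. The following is an added detection example written for these notes; it is not code from the original room, from Certify or from Impacket. It runs two checks over constructed data: first over records shaped like Windows Security Event ID 5136 (directory service object modified), then over a snapshot of computer objects. The domain lunar.eruca.com comes from the challenge question; the DC hostname dc01, the account names and every event are constructed sample values.

```python
"""Defender-side checks for Certifried-style (CVE-2022-26923) abuse.

Added example for these notes; not part of the original room or its tools.
All hostnames, accounts and events are constructed sample data.
"""
from dataclasses import dataclass, field

# Constructed: FQDNs of the domain controllers in the lab domain.
KNOWN_DC_FQDNS = {"dc01.lunar.eruca.com"}


@dataclass
class DirChangeEvent:
    """Minimal projection of an Event ID 5136 record (constructed fields)."""
    event_id: int
    subject: str        # account that performed the write
    object_dn: str      # DN of the modified object
    object_class: str
    attribute: str      # LDAPDisplayName of the attribute
    value: str
    operation: str      # "add" or "delete"; 5136 logs each separately


def _dn_is_dc(dn):
    # Assumption: domain controllers live under the Domain Controllers OU.
    return "ou=domain controllers" in dn.lower()


def flag_change_events(events, dc_fqdns=KNOWN_DC_FQDNS):
    """Return (reason, event) pairs that warrant analyst attention."""
    findings = []
    for ev in events:
        if ev.event_id != 5136 or ev.object_class.lower() != "computer":
            continue
        attr = ev.attribute.lower()
        if attr == "dnshostname" and ev.operation == "add":
            # A non-DC object receiving a DC's hostname is the core of the attack.
            if ev.value.lower() in dc_fqdns and not _dn_is_dc(ev.object_dn):
                findings.append(("dNSHostName set to a domain controller FQDN", ev))
        elif attr == "serviceprincipalname" and ev.operation == "delete":
            # SPNs are removed so the renamed object does not violate uniqueness.
            findings.append(("servicePrincipalName value removed from computer", ev))
    return findings


@dataclass
class ComputerObject:
    sam_account_name: str   # e.g. "THMTEST$"
    dns_host_name: str
    spns: list = field(default_factory=list)


def audit_computer_objects(objects, domain="lunar.eruca.com"):
    """Flag computer objects whose dNSHostName cannot be trusted."""
    findings = []
    seen = {}
    for obj in objects:
        short = obj.sam_account_name.rstrip("$").lower()
        fqdn = obj.dns_host_name.lower()
        if fqdn != f"{short}.{domain}":
            findings.append(("dNSHostName does not match sAMAccountName", obj))
        if not obj.spns:
            findings.append(("computer object has no servicePrincipalName", obj))
        if fqdn in seen:
            findings.append((f"dNSHostName duplicates {seen[fqdn]}", obj))
        seen.setdefault(fqdn, obj.sam_account_name)
    return findings


# Constructed sample events: a low-privileged user strips SPNs from its own
# machine account and points its dNSHostName at the DC; the DC's own legitimate
# dNSHostName write must not fire.
SAMPLE_EVENTS = [
    DirChangeEvent(5136, "LUNAR\\test", "CN=THMTEST,CN=Computers,DC=lunar,DC=eruca,DC=com",
                   "computer", "servicePrincipalName", "HOST/thmtest.lunar.eruca.com", "delete"),
    DirChangeEvent(5136, "LUNAR\\test", "CN=THMTEST,CN=Computers,DC=lunar,DC=eruca,DC=com",
                   "computer", "dNSHostName", "dc01.lunar.eruca.com", "add"),
    DirChangeEvent(5136, "LUNAR\\admin", "CN=DC01,OU=Domain Controllers,DC=lunar,DC=eruca,DC=com",
                   "computer", "dNSHostName", "dc01.lunar.eruca.com", "add"),
]

# Constructed snapshot: THMTEST$ now carries the DC's hostname and no SPNs.
SAMPLE_OBJECTS = [
    ComputerObject("DC01$", "dc01.lunar.eruca.com", ["HOST/dc01.lunar.eruca.com"]),
    ComputerObject("WS01$", "ws01.lunar.eruca.com", ["HOST/ws01.lunar.eruca.com"]),
    ComputerObject("THMTEST$", "dc01.lunar.eruca.com", []),
]

if __name__ == "__main__":
    for reason, item in flag_change_events(SAMPLE_EVENTS) + audit_computer_objects(SAMPLE_OBJECTS):
        print(f"[!] {reason}: {item}")
```

The event check catches the attack while it happens; the snapshot audit catches a renamed machine account that slipped through, since a legitimate computer's dNSHostName always matches its sAMAccountName and a joined machine normally keeps its HOST SPNs. Both checks assume the Domain Controllers OU convention for distinguishing DC objects; adjust `_dn_is_dc` if your environment differs.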
Challenge Answers
What does the user create to ask the CA for a certificate?
What is the name of Microsoft’s PKI implementation?
Which EKU allows us to use the generated certificate for Kerberos authentication?
What AD group can request a certificate using the Machine Certificate Template?
What value in the Machine Certificate is used for identification and authentication?
What is the syntax of the command to use Impacket’s addcomputer.py to add a new computer to the lunar.eruca.com domain using the AD credentials of test:pass, with the LDAPS method, with the hostname of thmtest, and the password of computer1?
Conclusion
The video explains the technical details of the CVE and provides a step-by-step approach to exploiting the vulnerability in a controlled lab environment using tools such as Certify and Impacket. It underlines the importance of understanding ADCS and its role in securing Active Directory environments.