We covered the recent vulnerability CVE-2022-26923 that affected Microsoft Windows Active Directory Certificate Service which allowed for local privilege escalation.
Research done and released as a whitepaper by SpecterOps showed that it was possible to exploit misconfigured certificate templates for privilege escalation and lateral movement. Based on the severity of the misconfiguration, it could allow any low-privileged user on the AD domain to escalate their privilege to that of an Enterprise Domain Admin with just a few clicks. If you are interested in learning more about these Certificate Template exploits, see this room.
Further research was performed by Oliver Lyak, who discovered an additional vulnerability (CVE-2022-26923) in the Certificate Service. A patch was released for the vulnerability by Microsoft on the 10th of May. You can read more about the research here. This room provides a walkthrough of the exploitation of the vulnerability, as detailed in the research.
What does the user create to ask the CA for a certificate?
What is the name of Microsoft’s PKI implementation?
Which EKU allows us to use the generated certificate for Kerberos authentication?
What AD group can request a certificate using the Machine Certificate Template?
What value in the Machine Certificate is used for identification and authentication?
What is the syntax of the command to use Impacket’s addcomputer.py to add a new computer to the lunar.eruca.com domain using the AD credentials of test:pass, with the LDAPS method, with the hostname of thmtest, and the password of computer1?