In Windows active directory environment, PAC stands for privilege attribute certificate which stores information about the user privileges, permissions and groups. When it’s send to the key distribution center it gets signed with a secret key and based on that the user privileges are determined.
MS14-068 is a vulnerability that affects the PAC component and impacted Windows server 2012 R2 and prior versions. It allows an attacker to create forged or fake PAC with administrative privileges and send it to the Kerberos key distribution center which then logs the attacker as the domain admin.
In this port, We covered the privilege attribute certificate vulnerability that affected windows server 2012 R2 and previous versions. We used HackTheBox Mantis as a lab material for demonstration.
Using Impacket tools and specifically goldenpac.py we can craft a command such as the below one to gain a shell with administrative privileges
python goldenPac.py -dc-ip [ip] -target-ip [ip] DC-domain-name/username@target-computer-name
Download HackTheBox Mantis learning material in PDF