What’s the Big Deal with MS14-068?

At its heart, this vulnerability is all about something called the Privilege Attribute Certificate (PAC). Think of the PAC as a digital ID card that tells a server who you are and what you’re allowed to do. It’s issued and signed by a server called the Key Distribution Center (KDC) to make sure it’s legit.

The problem was that in older versions of Windows Server (like 2003, 2008, and 2012), an attacker could create their own forged PAC. They could essentially make a fake ID card that said they were an administrator, and the KDC would be tricked into believing it. With this forged PAC, an attacker with just a regular user account could suddenly gain god-like admin access to the system. This vulnerability has been patched, but it’s a great example of a critical flaw.

In a Windows Active Directory environment, the PAC (Privilege Attribute Certificate) stores information about the user's privileges, permissions and group memberships. The Key Distribution Center signs it with a secret key, and a service that receives the ticket determines the user's privileges from that signed PAC.

MS14-068 is a vulnerability in the PAC validation logic that affected Windows Server 2012 R2 and earlier versions. It allows an attacker holding an ordinary domain account to build a forged PAC claiming administrative group membership and present it to the Kerberos Key Distribution Center, which then treats the attacker as a domain administrator.

Using the Impacket tools, specifically goldenPac.py, we can run a command such as the one below to obtain a shell with administrative privileges:

python goldenPac.py -dc-ip [ip] -target-ip [ip] DC-domain-name/username@target-computer-name
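As an added example that is not part of the original write-up, here is the defender's side of the same attack: a check over Windows 4624 logon records that flags a logon whose Security ID resolves to a different account than the Account Name, which is what an accepted forged PAC leaves behind in the logs. The directory mapping, the SIDs, the domain name and the abbreviated event layout are all constructed for the example.

```python
"""Flag 4624 logons whose Security ID belongs to a different account than the Account Name."""
import re

# Constructed directory for the example domain: sAMAccountName -> SID.
DIRECTORY = {
    "james": "S-1-5-21-1001-2002-3003-1105",
    "administrator": "S-1-5-21-1001-2002-3003-500",
}

# Constructed 4624 records, reduced to the fields the check needs.
# The second record is what a logon with a forged PAC looks like: the low-privilege
# account name is still present, but the SID is the one the forged PAC claimed.
SAMPLE_EVENTS = """\
EventID: 4624
Logon Type: 3
Security ID: S-1-5-21-1001-2002-3003-1105
Account Name: james
Account Domain: HTB

EventID: 4624
Logon Type: 3
Security ID: S-1-5-21-1001-2002-3003-500
Account Name: james
Account Domain: HTB
"""

FIELD = re.compile(r"^(EventID|Logon Type|Security ID|Account Name):\s*(.+)$", re.M)


def parse_events(text):
    """Split blank-line-separated records into dicts, keeping only 4624 logon events."""
    events = []
    for block in text.strip().split("\n\n"):
        fields = {key: value.strip() for key, value in FIELD.findall(block)}
        if fields.get("EventID") == "4624":
            events.append(fields)
    return events


def sid_name_mismatches(events, directory):
    """Return (account_name, sid, resolved_name) for each event whose SID maps to another account.
    SIDs absent from the directory are not flagged here; they deserve a separate lookup."""
    sid_to_name = {sid: name for name, sid in directory.items()}
    hits = []
    for event in events:
        name = event.get("Account Name", "").lower()
        sid = event.get("Security ID", "")
        resolved = sid_to_name.get(sid)
        if resolved is not None and resolved != name:
            hits.append((name, sid, resolved))
    return hits


if __name__ == "__main__":
    for name, sid, resolved in sid_name_mismatches(parse_events(SAMPLE_EVENTS), DIRECTORY):
        print(f"ALERT: logon as '{name}' carried SID {sid} ({resolved})")
```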

Putting it into Practice: The HTB Mantis Machine

To show you how this works in the real world, I’ll be using the “Mantis” machine from Hack The Box.

Finding a Way In

My first step is always reconnaissance. An Nmap scan tells me the machine is running Active Directory on a vulnerable version of Windows Server. I also find a web server running on an unusual port. After some digging, I find a web.config file that gives me a username (“admin”) and a password, but the password is a mess of Base64 and hexadecimal encoding. After decoding it, I have my first set of credentials.

Pivoting to the Database

I use these credentials to connect to a Microsoft SQL Server instance running on the machine. I start poking around the databases and find one called “Orchard DB.” Inside, I find a table with user records, and I’m able to pull out another username, “James,” and his password in plaintext. Now I have a valid, low-privilege user account on the domain.

The Golden PAC Attack

This is where it all comes together. I use a tool from the Impacket suite called goldenPac.py. This tool takes the credentials for the user "James," the domain information, and the target machine's name, and it does all the hard work of generating the forged PAC.

Golden PAC then uses this forged PAC to connect to the target machine and, using psexec, it gives me a system shell. I run the whoami command, and just like that, I’m “nt authority\system”—the highest level of privilege you can get on a Windows machine.

This walkthrough really highlights the importance of keeping your systems patched. A single vulnerability like this can be the key to unlocking an entire network.

Technical Commands

Here are some of the key commands I used in my terminal during this engagement:

  • Decoding Credentials:
    • base64 -D
    • echo <hex_string> | xxd -r -p
  • Connecting to MS SQL Server:
    • python3 mssqlclient.py admin@<IP_ADDRESS> -port 1433
  • SQL Queries:
    • SELECT name FROM master.dbo.sysdatabases
    • USE OrchardDB
    • SELECT * FROM information_schema.tables
    • SELECT COLUMN_NAME FROM information_schema.columns WHERE TABLE_NAME = 'Orchard_Users_UserPartRecord'
    • SELECT Username, Password FROM Orchard_Users_UserPartRecord
  • The Golden PAC Attack:
    • python3 goldenPac.py -dc-ip <DC_IP> -target-ip <TARGET_IP> <DOMAIN_NAME>/<USERNAME>@<TARGET_COMPUTER_NAME>
  • Confirming Privileges:
    • whoami

About the Author

Mastermind Study Notes is a group of authors and writers who are experienced across different fields. The group is led by Motasem Hamdan, a cybersecurity content creator and YouTuber.