{"id":367,"date":"2022-07-24T21:03:57","date_gmt":"2022-07-24T13:03:57","guid":{"rendered":"http:\/\/www.aqwu.net\/wp\/?p=367"},"modified":"2022-07-24T21:10:20","modified_gmt":"2022-07-24T13:10:20","slug":"windows-privilege-boost%ef%bc%9a-samaccountname-spoofing","status":"publish","type":"post","link":"https:\/\/www.aqwu.net\/wp\/?p=367","title":{"rendered":"Windows Privilege Boost: sAMAccountName Spoofing"},"content":{"rendered":"\n<p>Original article: <a href=\"https:\/\/www.hackingarticles.in\/windows-privilege-escalation-samaccountname-spoofing\/\">Windows Privilege Escalation: sAMAccountName Spoofing &#8211; Hacking Articles<\/a><\/p>\n\n\n\n<p>This article discusses how CVE-2021-42278 allows a potential attacker to gain high-privileged user access (domain controller administrator-level access) through a low-privileged user (any normal domain user).<\/p>\n\n\n\n<p><strong>Description:<\/strong> Active Directory Domain Services Elevation of Privilege Vulnerability. This CVE ID is distinct from CVE-2021-42278, CVE-2021-42282, CVE-2021-42291.<\/p>\n\n\n\n<p><strong>Release Date:<\/strong> November 9, 2021<\/p>\n\n\n\n<p><strong>Impact:<\/strong> Elevation of Privilege<\/p>\n\n\n\n<p><strong>Severity:<\/strong> Important<\/p>\n\n\n\n<p><strong>CVSS Score:<\/strong>&nbsp;8.8<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/blogger.googleusercontent.com\/img\/a\/AVvXsEhUJzqlbnxZrQF73l7wPdStpxlqspAIMUGK4x2Zk1-OHoRWcWeVfVwC3D7ckvbIae9jjwilQL6kW1-xe_7v6GbCHOo5oiYUSje9yJ714WPuD4DzQ-xh52JGLx4qmuYbGoJyiRJIUmTzaWC3qb_t6npbW0S8KCdDzuwLJOsFgNZHh9Um4vgtfbcEia9lNA=s16000\" alt=\"\"\/><\/figure>\n\n\n\n<h3
class=\"wp-block-heading\"><strong>Pentest Lab Setup<\/strong><\/h3>\n\n\n\n<p>In the lab, we will use a Kali VM as the attacker machine and a Windows domain controller that has not been patched since November 9, 2021 (the affected Windows platforms are listed above in this article) as the victim\/target machine.<\/p>\n\n\n\n<p>Now, as you can see, a user with normal domain user privileges has been created in the test domain controller lab setup.<\/p>\n\n\n\n<p>You can run the following command on the domain controller to check the user details; as you can see, the user is a normal domain user (highlighted in red).<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>net user sakshi<\/code><\/pre>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/blogger.googleusercontent.com\/img\/a\/AVvXsEjimJpxnvI0YnvCZvfez16f-y3jqhrFe_fEfNn3MoLodMxxYdsU119qQjwF-ibUB0Epq4mL6EjoE2_3819nG26bAxTK2lha2N8gXL8iL56VVTsbEzzjB_zyIV6ATLLsJsrbEnsljEq3-GPmvjwz5v9zdN0t63LFo1OwfG1hdaSZksYKqjD5DILbM6d7ug=s16000\" alt=\"\"\/><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Exploitation<\/strong><\/h3>\n\n\n\n<p>Now, on your attacker system (i.e. the Kali VM), you must clone the exploit from the git repository given below.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>git clone https:\/\/github.com\/Ridter\/noPac<\/code><\/pre>\n\n\n\n<p>After cloning the repository&nbsp;<strong><a
href=\"https:\/\/github.com\/Ridter\/noPac\">https:\/\/github.com\/Ridter\/noPac<\/a><\/strong>, navigate to the noPac folder:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>cd noPac\nls -al<\/code><\/pre>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/blogger.googleusercontent.com\/img\/a\/AVvXsEgWBhW8jZIbBB_rHqPUzSNMphKReY58NktDe5W8Wfj-HdTmJNpuqWonnTDWomDMhttz6SsQmvbj_BI4TOgseYCt8-50EpJR_Hys0oaaosTiCL8PTDyJxVOuDBATjKwdvrvDdfuD12Yp7qHQDYAiXLfJ9AGnuYgEJ5v9HmQ8TiEagTBSTrWYpziH8m7owQ=s16000\" alt=\"\"\/><\/figure>\n\n\n\n<p>Then execute the command:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>python3 noPac.py ignite.local\/sakshi:'Password@1' -dc-ip 192.168.1.182 -shell --impersonate administrator -use-ldap<\/code><\/pre>\n\n\n\n<p>This CVE is a security bypass vulnerability caused by Kerberos PAC confusion and impersonation of domain controllers.<\/p>\n\n\n\n<p>It allows a potential attacker to impersonate a domain controller by requesting a TGT without a PAC from Kerberos, and the moment the TGT is issued without a PAC, the attacker can impersonate a highly privileged user.<\/p>\n\n\n\n<p>Now, getting the DC to add a PAC when a service ticket (ST) is requested using a TGT without a PAC is achieved by configuring the <a
href=\"https:\/\/docs.microsoft.com\/en-us\/windows\/win32\/ad\/security-properties\">\u201c<strong>altSecurityIdentities<\/strong>\u201d<\/a> attribute.<\/p>\n\n\n\n<p>This process involves modifying the&nbsp;<em>altSecurityIdentities<\/em>&nbsp;attribute of an account in a foreign domain to&nbsp;<strong>Kerberos:[samaccountname]@[domain]<\/strong>&nbsp;in order to impersonate that user.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/blogger.googleusercontent.com\/img\/a\/AVvXsEjK8ZAWY-v4W80_VthPFYWwury6Lc3ReJm_X6s3bRBsqL1o3v_YSMyLy6lpeJ1mFGG3qi30GshEko_2qQI_AsW4SuXCgyyFQlmGACW6VutWb7feE_twToPAsEox1F_mxinY46bW7mIskJx6r9t-k83dvUfvZCGCe9vlxZMnzLoRQYsnpdzXcQB9tp90Dg=s16000\" alt=\"\"\/><\/figure>\n\n\n\n<p>As you can see when executing the above command, the output shows that the attacker machine (Kali VM) has obtained \u201cNT AUTHORITY\\System\u201d privileges.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Mitigation<\/strong><\/h3>\n\n\n\n<p>KB5008602 \u2013 https:\/\/support.microsoft.com\/en-us\/topic\/november-14-2021-kb5008602-os-build-17763-2305-out-of-band-8583a8a3-ebed-4829-b285-356fb5aaacd7<\/p>\n\n\n\n<p>KB5008380 \u2013 https:\/\/support.microsoft.com\/en-us\/topic\/kb5008380-authentication-updates-cve-2021-42287-9dafac11-e0d0-4cb8-959a-143bd0201041<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>References:<\/strong><\/h3>\n\n\n\n<p><a href=\"https:\/\/msrc.microsoft.com\/update-guide\/en-US\/vulnerability\/CVE-2021-42287\">https:\/\/msrc.microsoft.com\/update-guide\/en-US\/vulnerability\/CVE-2021-42287<\/a><\/p>\n\n\n\n<p><strong>Author details:<\/strong> Amit Kishor has more than 10 years of network security experience, with expertise in multiple firewall products and SaaS
products.&nbsp;He can be contacted on <strong><a href=\"https:\/\/linkedin.com\/in\/amit-kishor-627a8b39\">LinkedIn<\/a><\/strong>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Original article: Windows Privilege Escalation: sAMAccountName Spoofing &#8211; Hacki [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"site-sidebar-layout":"default","site-content-layout":"","ast-site-content-layout":"","site-content-style":"default","site-sidebar-style":"default","ast-global-header-display":"","ast-banner-title-visibility":"","ast-main-header-display":"","ast-hfb-above-header-display":"","ast-hfb-below-header-display":"","ast-hfb-mobile-header-display":"","site-post-title":"","ast-breadcrumbs-content":"","ast-featured-img":"","footer-sml-layout":"","theme-transparent-header-meta":"","adv-header-id-meta":"","stick-header-meta":"","header-above-stick-meta":"","header-main-stick-meta":"","header-below-stick-meta":"","astra-migrate-meta-layouts":"default","ast-page-background-enabled":"default","ast-page-background-meta":{"desktop":{"background-color":"var(--ast-global-color-4)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center
center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"ast-content-background-meta":{"desktop":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center 
center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[86,102,43],"tags":[73],"class_list":["post-367","post","type-post","status-publish","format-standard","hentry","category-kali","category-windows-infoarticle","category-infoarticle","tag-windows"],"views":978,"jetpack_sharing_enabled":true,"jetpack_featured_media_url":"","_links":{"self":[{"href":"https:\/\/www.aqwu.net\/wp\/index.php?rest_route=\/wp\/v2\/posts\/367","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.aqwu.net\/wp\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.aqwu.net\/wp\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.aqwu.net\/wp\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.aqwu.net\/wp\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=367"}],"version-history":[{"count":1,"href":"https:\/\/www.aqwu.net\/wp\/index.php?rest_route=\/wp\/v2\/posts\/367\/revisions"}],"predecessor-version":[{"id":368,"href":"https:\/\/www.aqwu.net\/wp\/index.php?rest_route=\/wp\/v2\/posts\/367\/revisions\/368"}],"wp:attachment":[{"href":"https:\/\/www.aqwu.net\/wp\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=367"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.aqwu.net\/wp\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=367"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.aqwu.net\/wp\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=367"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}