itsMe Posted July 30, 2023

UAC Bypass By Abusing Kerberos Tickets

This POC is inspired by the talk James Forshaw (@tiraniddo) gave at BlackHat USA 2022, titled “Taking Kerberos To The Next Level”, in which he shared a demo of abusing Kerberos tickets to achieve a UAC bypass. By adding a KERB-AD-RESTRICTION-ENTRY to the service ticket, but filling in a fake MachineID, we can easily bypass UAC and gain SYSTEM privileges by accessing the SCM to create a system service.

James Forshaw explained the rationale behind this in a blog post called “Bypassing UAC in the most Complex Way Possible!”, which got me very interested. Although he didn’t provide the full exploit code, I built a POC based on Rubeus. As a C# toolset for raw Kerberos interaction and ticket abuse, Rubeus provides an easy interface that allows us to initiate Kerberos requests and manipulate Kerberos tickets.
itsMe Posted August 3, 2023 (Author)

Changelog v1.0

Now let’s take a look at the running effect, as shown in the figure below. First, request a ticket for the HOST service of the current server through the asktgs function, and then create a system service through krbscm to gain SYSTEM privileges.