CVE-2021-42278 (sAMAccountName spoofing) is a privilege escalation vulnerability in Active Directory: a domain controller does not verify that a computer account's sAMAccountName ends with the trailing "$", so a computer account can be given the name of a domain controller with the "$" removed. Chained with CVE-2021-42287 (the KDC appends "$" and retries when it cannot find the account named in a TGT while handling an S4U2self request), it lets an attacker who holds valid credentials for an ordinary domain user obtain a Kerberos ticket as the domain controller's machine account and take over the domain, all over the network. Microsoft patched both vulnerabilities on November 9th 2021. Step by step rundown of the exploit:
- A new computer account is added to the domain (by default any domain user can do this, because ms-DS-MachineAccountQuota is 10).
- The new computer account's sAMAccountName is changed to the name of the domain controller with the "$" removed (e.g. DC01 instead of DC01$); because of CVE-2021-42278 the domain controller accepts the name.
- A TGT is requested with the new computer account's credentials; the KDC issues a TGT whose client name is the domain controller's name without the "$".
- The computer account is renamed back (so that no account named DC01 exists any more), and S4U2self is used with that TGT to request a service ticket. The KDC cannot find an account named DC01, appends "$" and finds the real DC01$ account (CVE-2021-42287), so the service ticket is issued in the name of the domain controller's machine account.
- That ticket can be used to act as the domain controller's machine account (for example to run a DCSync) and so own the domain controller and the domain.
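Every step of the chain above leaves a trace in the domain controller's Security log: the two renames are logged as Event 4781 ("The name of an account was changed") and the TGT request as Event 4768. The detection logic below is an added example, not code from the original page or from sam-the-admin. It runs over constructed sample records (not real logs) that carry only the fields the checks need, and it assumes the defender supplies the DC hostnames in DOMAIN_CONTROLLERS (an assumption for the example):

```python
"""Detection for the sAMAccountName spoofing chain (CVE-2021-42278 / CVE-2021-42287).

Added example, not part of the original page. Events are modelled as dicts with
the relevant fields of the Windows Security events:
  4781  "The name of an account was changed"   -> OldName, NewName
  4768  "A Kerberos authentication ticket (TGT) was requested" -> AccountName
In a real deployment these dicts would come from parsed event XML/JSON.
"""

# Assumption: the defender knows the sAMAccountNames of the DCs (without '$').
DOMAIN_CONTROLLERS = {"DC01", "DC02"}


def spoofs_dc(name):
    """True if `name` is a DC's account name with the trailing '$' stripped."""
    return not name.endswith("$") and name.upper() in DOMAIN_CONTROLLERS


def check_rename(event):
    """Findings for one Event 4781 record."""
    old, new = event["OldName"], event["NewName"]
    findings = []
    # Step 2: a computer account lost its '$' (CVE-2021-42278 lets the DC accept this).
    if old.endswith("$") and not new.endswith("$"):
        findings.append("computer account renamed to a name without '$'")
    # Step 2: the new name is exactly a DC's name minus '$'.
    if spoofs_dc(new):
        findings.append(f"new name collides with domain controller {new.upper()}$")
    # Step 4: the spoofed name is renamed back before the S4U2self request.
    if spoofs_dc(old) and new.endswith("$"):
        findings.append("spoofed DC name renamed back (preparation for S4U2self)")
    return findings


def check_tgt_request(event):
    """Findings for one Event 4768 record."""
    name = event["AccountName"]
    # Step 3: the KDC issued a TGT whose client name is the DC's name without '$'.
    if spoofs_dc(name):
        return [f"TGT issued to '{name}', the DC account name without '$'"]
    return []


def scan(events):
    """Return (EventID, finding) tuples for every suspicious record."""
    alerts = []
    for ev in events:
        if ev["EventID"] == 4781:
            findings = check_rename(ev)
        elif ev["EventID"] == 4768:
            findings = check_tgt_request(ev)
        else:
            findings = []
        alerts.extend((ev["EventID"], msg) for msg in findings)
    return alerts


# Constructed sample records: the attack chain interleaved with benign activity.
SAMPLE_EVENTS = [
    {"EventID": 4741, "AccountName": "WKSTN-NEW$", "SubjectUser": "lowpriv"},   # step 1
    {"EventID": 4781, "OldName": "WKSTN-NEW$", "NewName": "DC01"},               # step 2
    {"EventID": 4768, "AccountName": "DC01"},                                    # step 3
    {"EventID": 4781, "OldName": "DC01", "NewName": "WKSTN-NEW$"},               # step 4
    {"EventID": 4781, "OldName": "OLDNAME$", "NewName": "NEWNAME$"},             # benign rename
    {"EventID": 4768, "AccountName": "DC01$"},                                   # benign DC TGT
    {"EventID": 4768, "AccountName": "alice"},                                   # benign user TGT
]

if __name__ == "__main__":
    for event_id, msg in scan(SAMPLE_EVENTS):
        print(f"[{event_id}] {msg}")
```

Run on the sample records, the scan raises four alerts: two for the rename to DC01, one for the TGT issued to DC01 and one for the rename back; the three benign records produce nothing. A computer account renamed to a name without "$" is suspicious on its own, so the first check fires even if the target DC is not in the list.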
An automated tool built on the Impacket libraries, sam-the-admin by WazeHell, can be downloaded from:
https://github.com/WazeHell/sam-the-admin
POC: