Showing 1 - 3 of 3

Files from Oliver Lyak

First Active	2022-03-16
Last Active	2024-08-31

Active Directory Certificate Services (ADCS) Privilege Escalation (Certifried): Posted Aug 31, 2024; Authored by Christophe de la Fuente, Erik Wynter, Oliver Lyak, CravateRouge | Site metasploit.com; This Metasploit module exploits a privilege escalation vulnerability in Active Directory Certificate Services (ADCS) to generate a valid certificate impersonating the Domain Controller (DC) computer account. This certificate is then used to authenticate to the target as the DC account using PKINIT preauthentication mechanism. The module will get and cache the Ticket-Granting-Ticket (TGT) for this account along with its NTLM hash. Finally, it requests a TGS impersonating a privileged user (Administrator by default). This TGS can then be used by other modules or external tools.; tags | exploit; advisories | CVE-2022-26923; SHA-256 | 4711426ef94613fcb75202051eeb6967ed730af89bad38174d480f454b5faee3; Download | Favorite | View

AD CS Certificate Template Management: Posted Aug 31, 2024; Authored by Spencer McIntyre, Lee Christensen, Oliver Lyak, Will Schroeder | Site metasploit.com; This Metasploit module can create, read, update, and delete AD CS certificate templates from a Active Directory Domain Controller. The READ, UPDATE, and DELETE actions will write a copy of the certificate template to disk that can be restored using the CREATE or UPDATE actions. The CREATE and UPDATE actions require a certificate template data file to be specified to define the attributes. Template data files are provided to create a template that is vulnerable to ESC1, ESC2, and ESC3. This Metasploit module is capable of exploiting ESC4.; tags | exploit; SHA-256 | 39e78029adb8e2f049f0341e4f83ee9ba74d76ede012c61713ede2f024542edd; Download | Favorite | View

Windows SpoolFool Privilege Escalation: Posted Mar 16, 2022; Authored by Shelby Pace, Oliver Lyak | Site metasploit.com; The Windows Print Spooler has a privilege escalation vulnerability that can be leveraged to achieve code execution as SYSTEM. The SpoolDirectory, a configuration setting that holds the path that a printer's spooled jobs are sent to, is writable for all users, and it can be configured via SetPrinterDataEx() provided the caller has the PRINTER_ACCESS_ADMINISTER permission. If the SpoolDirectory path does not exist, it will be created once the print spooler reinitializes. Calling SetPrinterDataEx() with the CopyFiles\ registry key will load the dll passed in as the pData argument, meaning that writing a dll to the SpoolDirectory location can be loaded by the print spooler. Using a directory junction and UNC path for the SpoolDirectory, the exploit writes a payload to C:\Windows\System32\spool\drivers\x64\4 and loads it by calling SetPrinterDataEx(), resulting in code execution as SYSTEM.; tags | exploit, registry, code execution; systems | windows; advisories | CVE-2022-21999; SHA-256 | 3e62199fe39127be4320ed28c4a8d52211edb9c506d1e42a0aba3faef33cb58c; Download | Favorite | View

Page 1 of 1 Back 1 Next

Top Authors In Last 30 Days