In May 2022 Microsoft has fixed a vulnerability related to certificate logon to Active Directory. As a non-privileged user you could escalate privileges by impersonating a Domain Controller, as you can join machines to the domain and thus control the dnsHostName attribute. Microsoft fixed this in an indirect way: Since last May, Windows Certification Authority…
Category: punktwissen
Stargate of Diffraction. Escaping the Labyrinth of Colorful Wires.
This blog has been many things. Experimental poetry playground, notes from the field by a small business owner, popular science and tech blog, compilation of dry research reports, self-referential musing of a web developer. The only intersection between all of this has been me being interested & invested in it. I had tech-blogged myself into…
Defused That SAN Flag!
In May, Microsoft has fixed a bug that allowed normal users to impersonate Domain Controllers. This bug allowed non-privileged users to obtain a logon certificate issued to a domain controller, because users can write to the Active Directory attribute dnsHostNameof a computer they have joined to the domain. If a machine can enroll for a…
How to Add a Subject Alternative Name Safely
I am writing about that PKI stuff again. I am running out of ideas for catchy introductions. So, here is a new post with old code! In Active Directory a UPN is mapped to a user automatically if it matches a user’s LDAP attribute userPrincipalName (and a DNS SAN is mapped to dnsHostName). A Windows…
Rogue Certificate Challenge: No Hardware Tokens, No Linux, Just a Web Server with Certificate Mapping.
I am back to my favorite security research: How to abuse certificates in a Windows / Active Directory environment! If an Active Directory integrated certification authority sign a certificate with a custom Subject Alternative Name of your choosing, you can impersonate any administrator in an AD forest. I’ve published two blog posts about how to…
Innovation and Scarcity (and Panic)
I tried to avoid such words. They sounded like hollow buzzwords in times of abundance, used by advertizers playing on fears. But our complacent world is taught a lesson, right now, at furious speed. I am following news as everybody else, I am reading about gloomy forecasts. An Austria paper mill has announced today it…
Joys of Geometry
Creating figures with math software does not feel like fabricating illustrations for science posts. It is more of a meditation on geometry. I want to literally draw every line. I am not using grid lines or rendered surfaces. I craft a parametric curve for every line. A curve is set of equations. Yet, playing with…
Galaxies of Diffraction
These – the arrangement of points in the image below – are covectors, sort of. I wrote about them, some time ago. They are entities dual to vectors. Eating vectors, spitting out numbers. Vectors are again ‘co’ to vectors; they will eat covectors. If vectors live in a space with axes all perpendicular to each…
Looking Back: Hacking and Defending Windows Public Key Infrastructure (ADCS)
I live at the fringes of the cybersecurity community. I have never attended infosec conferences. There will be a talk on PKI hacking at Blackhat 2021 soon: Top AD offensive security gurus are presenting comprehensive research on abusing ADCS (Active Directory Certificate Services). I only know about that, because I noticed backlinks from their article…
Vintage Covectors
Covectors in the Dual Space. This sounds like an alien tribe living in a parallel universe hitherto unknown to humans. In this lectures on General Relativity, Prof. Frederic Schuller says: Now comes a much-feared topic: Dual vector space. And it’s totally unclear why this is such a feared topic! A vector feels familiar: three numbers…
Dirac’s Belt Trick
Is classical physics boring? In his preface to Volume 1 of The Feynman Lectures on Physics, Richard Feynman worries about students’ enthusiasm: … They have heard a lot about how interesting and exciting physics is—the theory of relativity, quantum mechanics, and other modern ideas. By the end of two years of our previous course, many…
Parse Certificates Stored in the Windows Registry
You can parse the binary blobs that represent certificates stored in the Windows registry with certutil correctly, even when the Windows Explorer / GUI tells you that this is not a certificate. certutil seems to be able to handle / ignore meta data better. Once upon a time I played with the machine Ethereal provided by…
Statistical Independence and Logarithms
In classical mechanics you want to understand the motion of all constituents of a system in detail. The trajectory of each ‘particle’ can be calculated from the forces between them and initial positions and velocities. In statistical mechanics you try to work out what can still be said about a system even though – or…
The RSA Algorithm
You want this: Encrypt a message to somebody else – using information that is publicly available. Somebody else should then be able to decrypt the message, using only information they have; nobody else should be able to read this information. The public key cryptography algorithm RSA does achieve this. This article is my way of…
Impersonating a Windows Enterprise Admin with a Certificate: Kerberos PKINIT from Linux
This is about a serious misconfiguration of a Windows Public Key Infrastructure integrated with Active Directory: If you can edit certificate templates, you can impersonate the Active Directory Forests’s Enterprise Administrator by logging on with a client certificate. You have a persistent credential that will also survive the reset of this admin’s password. In the…
Locating Domain Controllers and Spoofing Active Directory DNS Servers
Last year, hackthebox let me test something I have always found fascinating – and scary: You can impersonate any user in a Windows Active Directory Forest if you have control over the certificate templates of an AD-integrated Windows Public Key Infrastructure: Add extended key usages for smartcard logon to the template, enroll for the certificate,…
Helpline @ hackthebox: Injecting an EFS Recovery Agent to Read Encrypted Files
Another great machine has been retired on hackthebox.eu – Helpline by @egre55! Here is my ‘silly’ unintended way to root the box: You can get both the encrypted user and root flag via the cumbersome web RCE alone – if you wait for a legit user to just look at the file. This is unlikely…
Sizzle @ hackthebox – Unintended: Getting a Logon Smartcard for the Domain Admin!
My writeup – how to pwn my favorite box on hackthebox.eu, using a (supposedly) unintended path. Sizzle – created by @mrb3n813 and @lkys37en – was the first box on HTB that had my favorite Windows Server Role – the Windows Public Key Infrastructure / Certification Authority. This CA allows a low-privileged user – amanda –…
Simple Ping Sweep, Port Scan, and Getting Output from Blind Remote Command Execution
Just dumping some quick and dirty one-liners! These are commands I had used to explore locked-down Windows and Linux machines, using bash or powershell when no other binaries were available or could be transferred to the boxes easily. Trying to ping all hosts in a subnet Linux for i in $(seq 1 254); do host=192.168.0.$i;…
Echo Unreadable Hex Characters in Windows: forfiles
How to transfer small files to a locked-down Windows machine? When there is no option to copy, ftp, or http GET a file. When powershell is blocked so that you can only use Windows cmd commands? My first choice would be to use certutil: certutil is a built-in tool for certificate and PKI management. It…
Ethereal @ hackthebox: Certificate-Related Rabbit Holes
This post is related to the ‘insanely’ difficult hackthebox machine Ethereal (created by egre55 and MinatoTW) that was recently retired. Beware – It is not at all a full comprehensive write-up! I zoom in on openssl, X.509 certificates, signing stuff, and related unnecessary rabbit holes that were particularly interesting to me – as somebody who…
Certificates and PKI. The Prequel.
Some public key infrastructures run quietly in the background since years. They are half forgotten until the life of a signed file has come to an end – but then everything is on fire. In contrast to other seemingly important deadlines (Management needs this until XY or the world will come to an end!) this…
Modbus Server on Raspberry Pi as Babelfish for UVR16x2
Our main data logger is the Control and Monitoring Interface of the freely programmable controller UVR16x2. There are two pieces of hardware you need for logging – the actual control unit and the logger connected to the controller via the CAN bus. This ‘architecture’ might be due to historical reasons, but I like the separation…
Unintended 2nd Order SQL Injection
Why I am not afraid of the AI / Big Data / Cloud powered robot apocalypse. SQL order injection means to run custom SQL queries through web interfaces because the input to the intended query is not sanitized, like appending the infamous ‘ OR ‘1’=’1 to a user name or search term. It is 2nd…
A Color Box. Lost in Translation
It was that time again. The Chief Engineer had rebuilt the technical room from scratch. Each piece of heavy equipment had a new place, each pipe and wire was reborn in a new incarnation (German stories here.) The control system was turned upset down as well, and thus the Data Kraken was looking at its…
Heat Conduction Cheat Sheet
I am dumping some equations here I need now and then! The sections about 3-dimensional temperature waves summarize what is described at length in the second part of this post. Temperature waves are interesting for simulating yearly and daily oscillations in the temperature below the surface of the earth or near wall/floor of our ice/water…
Hacking
I am joining the ranks of self-proclaimed productivity experts: Do you feel distracted by social media? Do you feel that too much scrolling feeds transforms your mind – in a bad way? Solution: Go find an online platform that will put your mind in a different state. Go hacking on hackthebox.eu. I have been hacking…
Sources of Heat, Life, and Everything
Same procedure as every summer: Science and tech blogging comes to a halt, and the daring ‘internet artist’ is summoned. But also unorthodox avant-garde art is rooted in down-to-earth engineering. In summer elkement leaves the programmer’s cave (a bit) and sees the sun. The local elkemental microcosmos is a fully functional biosphere-2-like ecosystem with lots…
Cloudy Troubleshooting (2)
Unrelated to part 1 – but the same genre. Actors this time: File Cloud: A cloud service for syncing and sharing files. We won’t drop a brand name, will we? Client: Another user of File Cloud. [Redacted]: Once known for reliability and as The Best Network. Dark Platform: Wannabe hackers’ playground. elkement: Somebody who sometimes just wants to be an…
Where Are the Files? [Winsol – UVR16x2]
Recently somebody has asked me where the log files are stored. This question is more interesting then it seems. We are using the freely programmable controller UVR16x2 (and its predecessor) UVR1611) … .. and their Control and Monitoring Interface – CMI: The CMI is a data logger and runs a web server. It logs data…
elkemental Force 