In the first two parts of this series, we covered how attackers may attempt to gain persistence in Active Directory by forging Kerberos tickets or through domain replication abuse, and also discussed strategies to detect these methods.
In part one of this series, we discussed how attackers may attempt to gain persistence in Active Directory by forging Kerberos tickets, as well as ways to detect these efforts. In this part, we’ll discuss another method attackers may use: domain replication abuse.
Vulnerabilities can be found in just about any type of software—and even some pieces of hardware. Threat actors are all too eager to take advantage of these vulnerabilities, leveraging them to gain access to or escalate privileges in an organization’s IT infrastructure. When a vulnerability is discovered and exploited before the vendor is aware of it, it is known as a zero-day threat.
In the first Inside the Mind of an Attacker series, we walked through scenarios of potential attacks on Active Directory, as well as techniques on how to identify and avoid breaches.
As data breaches continue to dominate the headlines, suggestions for enhancing your cybersecurity stance are everywhere. While much of this advice may be worth following, it’s often complicated, entailing multi-step processes or requiring expert intervention. However, before you start exploring advanced options, it’s important to begin with the basics. When it comes to cybersecurity, the simplest advice is to always implement patches.
In part 8, we solved ABO3 using IDA FREE. In this part, we’ll use Radare to solve ABO4.
Updating Radare and Cutter
First, we’ll need to update to the new version of Cutter, the Radare GUI. A pop-up will prompt us to update whenever there is a new version:
1. Advisory Information
Title: Cisco AnyConnect Posture (HostScan) Security Service CVE-2021-1366 Bypass
Advisory ID: CORE-2021-0002
Advisory URL: https://www.coresecurity.com/core-labs/advisories/cisco-anyconnect-posture-hostscan-security-service-bypass
Date published: 2021-06-16
CVE-2021-26897 is a DNS server RCE vulnerability that is triggered when many consecutive Signature RR Dynamic Updates are sent. It is an out-of-bounds (OOB) heap write that occurs when the many consecutive Signature RR Dynamic Updates are combined into base64-encoded strings before being written to the zone file.
In part 7, we solved ABO2 in GHIDRA. In this part, we’ll use IDA FREE to solve ABO3.
As is the case with all of the ABOs, the goal is to run the calculator or some other executable of our choosing.