PoC_HTTPKerberosPac_EoP
I've provided a PoC as a C# project. You need to get and build a copy of my NtApiDotNet library to build the project (https://github.com/googleprojectzero/sandbox-attacksurface-analysis-tools). Note that there's a bug in the loopback library of Windows 10 which means the PoC will get an access token with a session ID of 0, which means the token can't be impersonated. This doesn't happen if U2U is used instead, so to verify that this is a working exploit it's best to run it on Windows 11.
- Compile the C# project, putting a copy of NtApiDotNet.dll in the project's directory before building. Make sure you compile it for 64-bit, otherwise the server authentication doesn't work correctly.
- Run the PoC on a domain-joined machine, passing the password for the current domain user. This isn't strictly necessary, since you could use U2U, but this is for demo purposes only.
- The PoC should print out the groups for the token.
Expected result: The authentication fails.
Observed result: The authentication succeeds and the token has the Domain Administrators group.
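As an added illustration (not the PoC's own code), the check below inspects a token the way the final step describes, flagging the two things worth verifying: a session ID of 0 (the Windows 10 loopback case where the token can't be impersonated) and membership of the Domain Admins group. It is built against NtApiDotNet's NtToken, UserGroup and Sid types as I understand them; it reads the current process token only so it runs without the PoC.

```csharp
using System;
using System.Linq;
using NtApiDotNet;

static class TokenCheck
{
    // Domain Admins is RID 512 under a domain SID (S-1-5-21-x-y-z-512).
    const uint DomainAdminsRid = 512;
    const uint DomainSidFirstSubAuthority = 21;

    static bool IsDomainAdmins(Sid sid)
    {
        var subs = sid.SubAuthorities;
        return subs.Count >= 2
            && subs[0] == DomainSidFirstSubAuthority
            && subs[subs.Count - 1] == DomainAdminsRid;
    }

    // Prints the session ID and group list; returns true if Domain Admins is
    // present and enabled, which is the condition the PoC demonstrates.
    public static bool Report(NtToken token)
    {
        Console.WriteLine($"Session ID: {token.SessionId}");
        if (token.SessionId == 0)
            Console.WriteLine("Session ID 0: this token can't be impersonated.");

        bool domainAdmins = false;
        foreach (UserGroup group in token.Groups)
        {
            bool enabled = group.Attributes.HasFlag(GroupAttributes.Enabled);
            Console.WriteLine($"{group.Sid.Name} ({group.Sid}) {(enabled ? "enabled" : "disabled")}");
            if (enabled && IsDomainAdmins(group.Sid))
                domainAdmins = true;
        }
        Console.WriteLine(domainAdmins
            ? "Domain Admins present: expected only if the PoC succeeded."
            : "Domain Admins not present.");
        return domainAdmins;
    }

    static void Main()
    {
        // Assumption: the current process token; substitute the token the PoC obtains.
        using (NtToken token = NtToken.OpenProcessToken())
        {
            Report(token);
        }
    }
}
```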