working on restoring empty upn

Author: jheysel-r7

docs/metasploit-framework.wiki/ad-certificates/Attacking-AD-CS-ESC-Vulnerabilities.md

@@ -1,4 +1,3 @@
-
 # Setting Up An AD CS Target
 Follow the instructions [[here|./ad-certificates/overview.md]] to set up an AD CS server
 for testing purposes.
@@ -1104,12 +1103,6 @@ So `NEW_VALUE` as well as `ALT_DNS` will be set to `DC2.kerberos.issue`.
 
 
 
-
-
-
-
-
-
 # Exploiting ESC13
 To exploit ESC13, we need to target a certificate that has an issuance policy linked to a universal group in Active
 Directory. Unlike some of the other ESC techniques, successfully exploiting ESC13 isn't necessarily guaranteed to yield

lib/msf/core/exploit/remote/ms_icpr.rb

@@ -104,6 +104,7 @@ def request_certificate(opts = {})
     if datastore['UPDATE_ESC9_ESC10_OBJECT']
       # Get the original value before updating
       opts[:original_value] = get_original_esc9_esc10_object_value
+      print_status("Original #{datastore['UPDATE_ESC9_ESC10_OBJECT']} of #{datastore['TARGET_USERNAME']}: #{opts[:original_value]}")
       # Update the UPN or dnsHostname of the target user before requesting the cert in order to exploit ESC9 or ESC10
       print_status("Updating #{datastore['UPDATE_ESC9_ESC10_OBJECT']} of #{datastore['TARGET_USERNAME']} to #{datastore['NEW_VALUE']}")
       update_esc9_esc10_object(datastore['NEW_VALUE'])
@@ -523,8 +524,8 @@ def get_original_esc9_esc10_object_value
     ldap_query_module.datastore['ACTION'] = "RUN_SINGLE_QUERY"
 
 
-    output = Rex::Ui::Text::Output::Buffer.new    # ✅ Valid class
-    output.extend(Rex::Ui::Text::Output::Buffer::Stdout)  # Add `write` method
+    output = Rex::Ui::Text::Output::Buffer.new
+    output.extend(Rex::Ui::Text::Output::Buffer::Stdout)
 
     original_output = self.user_output
     self.user_output = output
@@ -544,6 +545,10 @@ def get_original_esc9_esc10_object_value
       original_value = Regexp.last_match(1)
       print_good("Original value retrieved: #{original_value}")
       return original_value
+    end
+      if output.buf =~ /Query returned 1 result/
+      # The Administrator account does not have it's UPN set by default
+      return ''
     else
       fail_with(Msf::Module::Failure::NotFound, "Failed to retrieve the original value of #{datastore['UPDATE_ESC9_ESC10_OBJECT']}")
     end
@@ -561,6 +566,7 @@ def update_esc9_esc10_object(new_value)
       return
     end
 
+
     # Default to using the SMB credentials if LDAP credentials are not provided
     ldap_update_module = framework.modules.create(mod_refname)
     ldap_update_module.datastore['RHOST'] = datastore['RHOST']
@@ -572,13 +578,13 @@ def update_esc9_esc10_object(new_value)
     ldap_update_module.datastore['ATTRIBUTE'] = datastore['UPDATE_ESC9_ESC10_OBJECT']
     ldap_update_module.datastore['NEW_VALUE'] = new_value
 
+
     print_status("Running #{mod_refname}")
     ldap_update_module.run_simple(
       'LocalInput' => self.user_input,
       'LocalOutput' => self.user_output,
       'RunAsJob' => false
     )
-
   end
 
 

modules/auxiliary/gather/ldap_update_object.rb

@@ -66,12 +66,20 @@ def update_object_attribute
       target_dn = result.first.dn
       print_good("Found target object DN: #{target_dn}")
 
-      ops = [
-        [:replace, attribute.to_sym, new_value]
-      ]
+
+      if new_value.present?
+        ops = [
+          [:replace, attribute.to_sym, new_value]
+        ]
+      else
+        #TODO replacing with empty string / nil causes errors :delete is no what we want. Needed to reset empty UPN
+      end
 
       print_status("Attempting to update #{attribute} for #{target_dn} to #{new_value}...")
 
+      require 'pry-byebug'
+      binding.pry
+
       if ldap.modify(dn: target_dn, operations: ops)
         print_good("Successfully updated #{target_dn}'s #{attribute} to #{new_value}")
       else