BadSuccessor – Full Active Directory Compromise

SharpSuccessor

SharpSuccessor is a .NET Proof of Concept (POC) for fully weaponizing Yuval Gordon’s (@YuG0rd) BadSuccessor attack from Akamai. A low privilege user with CreateChild permissions over any Organizational Unit (OU) in the Active Directory domain can escalate privileges to domain administrator.

Use SharpSuccessor to add and weaponize the dMSA object, setting the account with access to the current user context:

SharpSuccessor.exe add /impersonate:Administrator /path:"ou=test,dc=lab,dc=lan" /account:jdoe /name:attacker_dMSA

Request a TGT as the current user context, in this case jdoe:

Then use that tgt to impersonate the dMSA account:

Now you can request a service ticket with Administrator context for any SPN, including the Domain Controllers for post-exploitation. For example here I will show admin privileges for SMB on the domain controller:

Now that we have the ticket in memory, we can test access:

REFERENCES

• https://github.com/logangoins/SharpSuccessor?tab=readme-ov-file

• https://www.akamai.com/blog/security-research/abusing-dmsa-for-privilege-escalation-in-active-directory

• https://www.youtube.com/watch?v=IWP-8IMzQU8&list=WL&index=1&ab_channel=TheWeeklyPurpleTeam