Giacomo Giallombardo aaarghhh

KrbRelay with RBCD Privilege Escalation HOWTO

Short HOWTO about one use case of the work from Cube0x0 (KrbRelay) and others.

TL;DR

No-Fix Local Privilege Escalation from low-priviliged domain user to local system on domain-joined computers.

Prerequisites:

LDAP signing not required on Domain Controller (default!)

Dissecting Go Binaries
Go: Overview of the Compiler
Go compiler internals: adding a new statement to Go - Part 1
Go compiler internals: adding a new statement to Go - Part 2
Reversing GO binaries like a pro
How a Go Program Compiles down to Machine Code
Analyzing Golang Executables
Go Reverse Engineering Tool Kit
go-internals book
[Reconstructing Program Semantics from Go Binaries](http://home.in.tum.de/

wxs@wxs-mbp yara % cat rules/test.yara
rule a {
  strings:
    // This program cannot VGhpcyBwcm9ncmFtIGNhbm5vdA==
    // AThis program cannot QVRoaXMgcHJvZ3JhbSBjYW5ub3Q=
    // AAThis program cannot QUFUaGlzIHByb2dyYW0gY2Fubm90
    $a = "This program cannot" base64

 // Custom alphabets are supported, but I have it commented out for now. ;)

Base64 Patterns - Learning Aid

Base64 Code	Mnemonic Aid	Decoded*	Description
`JAB`	🗣 Jabber	`$.`	Variable declaration (UTF-16), e.g. `JABlAG4AdgA` for `$env:`
`TVq`	📺 Television	`MZ`	MZ header
`SUVY`	🚙 SUV	`IEX`	PowerShell Invoke Expression
`SQBFAF`	🐣 Squab favorite	`I.E.`	PowerShell Invoke Expression (UTF-16)
`SQBuAH`	🐣 Squab uahhh	`I.n.`	PowerShell Invoke string (UTF-16) e.g. `Invoke-Mimikatz`
`PAA`	💪 "Pah!"	`<.`	Often used by Emotet (UTF-16)

	// Adapted from https://raddle.me/f/Privacy/3722/how-to-circumvent-cloudflare-s-email-protected-thing-without with the help of chatGPT
	function fixObfuscatedEmails() {
	const elements = document.getElementsByClassName('__cf_email__');
	for (let i = 0; i < elements.length; i++) {
	const element = elements[i];
	const obfuscatedEmail = element.getAttribute('data-cfemail');
	if (obfuscatedEmail) {
	const decodedEmail = decrypt(obfuscatedEmail);
	element.setAttribute('href', 'mailto:' + decodedEmail);
	element.innerHTML = decodedEmail;

	WIN-QQ80VPAFRNH
	84.252.95.225 - SolarMarker
	37.120.237.251 - SolarMarker
	217.138.205.170 - Ursnif
	185.236.202.184 - Pegasus, NSO Group

	DESKTOP-2NFCDE2
	94.142.138.32 - Aurora Stealer
	45.15.156.250 - Aurora Stealer
	45.15.156.40 - Raccoon Stealer

	[
	{
	"label": "GEOSINTsearch",
	"description": "Searches within posts from Twitter, Reddit and 4Chan and presents anything that contains a Google Maps link",
	"value": "https://cse.google.com/cse?cx=015328649639895072395:sbv3zyxzmji"
	},
	{
	"label": "Pasted tekst",
	"description": "Look if any specifc text has been posted before",
	"value": "https://cse.google.com/cse/publicurl?cx=013991603413798772546:nxs552dhq8k"


	#general
	privilege::debug
	log
	log customlogfilename.log


	#sekurlsa
	sekurlsa::logonpasswords
	sekurlsa::logonPasswords full


	typedef interface IEditionUpgradeManager IEditionUpgradeManager;

	typedef struct IEditionUpgradeManagerVtbl {

	BEGIN_INTERFACE

	HRESULT(STDMETHODCALLTYPE *QueryInterface)(
	__RPC__in IEditionUpgradeManager * This,
	__RPC__in REFIID riid,

	# copied from https://github.com/tulir/mautrix-telegram/blob/master/mautrix_telegram/util/parallel_file_transfer.py
	# Copyright (C) 2021 Tulir Asokan
	import asyncio
	import hashlib
	import inspect
	import logging
	import math
	import os
	from collections import defaultdict
	from typing import Optional, List, AsyncGenerator, Union, Awaitable, DefaultDict, Tuple, BinaryIO