Skip to content

Instantly share code, notes, and snippets.

View keyboardancer's full-sized avatar

rceeeeeeeeeeeeee keyboardancer

18 followers · 224 following
  • moon
View GitHub Profile
@keyboardancer
keyboardancer / LAPSDecrypt.cs
Created April 21, 2023 10:04 — forked from xpn/LAPSDecrypt.cs
Quick POC looking at how encryption works for LAPS (v2)
using System;
using System.Collections.Generic;
using System.DirectoryServices.Protocols;
using System.Globalization;
using System.Linq;
using System.Runtime.InteropServices;
using System.Runtime.InteropServices.ComTypes;
using System.Security.Policy;
using System.Security.Principal;
using System.Text;
@keyboardancer
keyboardancer / certifried_with_krbrelayup.md
Created May 17, 2022 22:05 — forked from tothi/certifried_with_krbrelayup.md
Certifried combined with KrbRelayUp: non-privileged domain user to Domain Admin without adding/pre-owning computer accounts

Certifried combined with KrbRelayUp

Certifried (CVE-2022-26923) gives Domain Admin from non-privileged user with the requirement adding computer accounts or owning a computer account. Kerberos Relay targeting LDAP and Shadow Credentials gives a non-privileged domain user on a domain-joined machine local admin access on (aka owning) the machine. Combination of these two: non-privileged domain user escalating to Domain Admin without the requirement adding/owning computer accounts.

The attack below uses only Windows (no Linux tools interacting with the Domain), simulating a real-world attack scenario.

Prerequisites: