ihack4falafel
@NyaMisty
NyaMisty / outline_graph.py
Created September 1, 2022 01:02
IDA Graph view with outlined function included
"""
summary: drawing custom graphs
description:
Showing custom graphs, using `ida_graph.GraphViewer`. In addition,
show how to write actions that can be performed on those.
keywords: graph, actions
"""
from __future__ import print_function
# -----------------------------------------------------------------------
@tothi
tothi / krbrelay_privesc_howto.md
Last active April 23, 2025 01:59
Privilege Escalation using KrbRelay and RBCD

KrbRelay with RBCD Privilege Escalation HOWTO

Short HOWTO about one use case of the work from Cube0x0 (KrbRelay) and others.

TL;DR

No-Fix Local Privilege Escalation from low-privileged domain user to local system on domain-joined computers.

Prerequisites:

  • LDAP signing not required on Domain Controller (default!)
@ioncodes
ioncodes / Vagrantfile
Last active March 19, 2022 20:44
Spinning up Vagrant boxes for driver
Vagrant.configure("2") do |config|
  config.vm.guest = :windows # tell Vagrant this is a Windows-based guest
  config.vm.communicator = "winrm" # use winrm for management instead of ssh
  config.vm.provider 'vmware_workstation' do |p|
    p.linked_clone = false
  end
  config.vm.provider :vmware_desktop do |p|
    p.vmx["ethernet0.pcislotnumber"] = "160"
  end
@jackullrich
jackullrich / mainc.c
Last active November 3, 2023 17:20
Single Step Encryption/Decryption
#include <Windows.h>
LONG SingleStepEncryptDecrypt(EXCEPTION_POINTERS* ExceptionInfo);
typedef VOID(__stdcall* Shellcode)();
LPBYTE ShellcodeBuffer;
ULONG_PTR PreviousOffset;
ULONG_PTR CurrentOffset;
ULONGLONG InstructionCount;
DWORD dwOld;
@gladiatx0r
gladiatx0r / Workstation-Takeover.md
Last active March 17, 2025 03:05
From RPC to RCE - Workstation Takeover via RBCD and MS-RPChoose-Your-Own-Adventure

Overview

In the default configuration of Active Directory, it is possible to remotely take over Workstations (Windows 7/10/11) and possibly servers (if Desktop Experience is installed) when their WebClient service is running. In short, this is accomplished by:

  • Triggering machine authentication over HTTP via either MS-RPRN or MS-EFSRPC (as demonstrated by @tifkin_). This requires a set of credentials for the RPC call.
  • Relaying that machine authentication to LDAPS for configuring RBCD
  • RBCD takeover

The caveat to this is that the WebClient service does not automatically start at boot. However, if the WebClient service has been triggered to start on a workstation (for example, via some SharePoint interactions), you can remotely take over that system. In addition, there are several ways to coerce the WebClient service to start remotely which I cover in a section below.

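Added example, not code from either gist: the tothi HOWTO above lists "LDAP signing not required on the Domain Controller" as a prerequisite, and the chain in this gist relays coerced machine authentication to LDAPS, which is what LDAP channel binding is meant to break. The PowerShell below reads the two NTDS registry values Microsoft documents for those protections (LDAPServerIntegrity for signing, LdapEnforceChannelBinding for channel binding) on a Domain Controller and reports the WebClient service state on a workstation, so a defender can see whether a given environment satisfies the preconditions both gists rely on. The function names are mine; the defaults assumed when a value is absent (signing negotiated but not required, channel binding never enforced) are the documented Windows defaults.

```powershell
# Added example, not part of either gist. Run in an elevated PowerShell session.
# Get-LdapRelayExposure is meant for a Domain Controller; Get-WebClientExposure for the
# workstation (or server with Desktop Experience) whose machine account would be coerced.

function Get-LdapRelayExposure {
    [CmdletBinding()]
    param(
        # NTDS parameters key holding the two values documented by Microsoft
        # (LDAP signing: LDAPServerIntegrity; channel binding: LdapEnforceChannelBinding).
        [string]$NtdsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    )
    $p = Get-ItemProperty -Path $NtdsKey -ErrorAction SilentlyContinue

    # An absent value means the default applies.
    # LDAPServerIntegrity:       1 = negotiate signing (default), 2 = require signing.
    # LdapEnforceChannelBinding: 0 = never (default), 1 = when supported, 2 = always.
    $signing = 1
    $cbt     = 0
    if ($p -and $null -ne $p.LDAPServerIntegrity)       { $signing = [int]$p.LDAPServerIntegrity }
    if ($p -and $null -ne $p.LdapEnforceChannelBinding) { $cbt     = [int]$p.LdapEnforceChannelBinding }

    [pscustomobject]@{
        LDAPServerIntegrity       = $signing
        LdapEnforceChannelBinding = $cbt
        # Relaying coerced authentication to plain LDAP (389) only fails when signing is required.
        RelayToLdapPossible       = ($signing -ne 2)
        # Relaying to LDAPS (636) only fails reliably when channel binding is always enforced;
        # a value of 1 still accepts clients that send no channel-binding token.
        RelayToLdapsPossible      = ($cbt -ne 2)
    }
}

function Get-WebClientExposure {
    # The WebDAV client service is not started at boot by default; the chain above needs it running.
    $svc = Get-Service -Name WebClient -ErrorAction SilentlyContinue
    if ($null -eq $svc) {
        return [pscustomobject]@{ Installed = $false; Running = $false; StartType = $null }
    }
    [pscustomobject]@{
        Installed = $true
        Running   = ($svc.Status -eq 'Running')
        StartType = $svc.StartType
    }
}

# Usage:
# Get-LdapRelayExposure   # on a Domain Controller
# Get-WebClientExposure   # on the target workstation
```

Both values can also be set through Group Policy (the "Domain controller: LDAP server signing requirements" setting writes LDAPServerIntegrity), so a policy-managed DC will show the enforced value here. The registry state reflects the DC you run it on; in a multi-DC domain every DC has to require signing and channel binding, or the relay simply targets the one that does not.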
@mhaskar
mhaskar / Automated-Redirectors.py
Last active February 17, 2024 16:48
Python script to create HTTPS redirectors that point to your C2
#!/usr/bin/python
import requests
import json
import time
import paramiko
from Crypto.PublicKey import RSA
from os import chmod
public_key_name = "test1.key"
@barbietunnie
barbietunnie / download-old-chrome-versions.md
Last active May 5, 2025 22:07
How to download old versions of Chrome

How to download old versions of Chrome

Click here to download old versions of Chrome for Linux, Mac and Windows.

The download_url field of the desired section houses the URL to the download.

Alternatively, for not too old versions, you can get it directly here.

@CrazyGrape
CrazyGrape / DualSense Skin.css
Last active February 15, 2025 19:50
DualSense (PS5) Skin for GamepadViewer.com
/* -- PS5 Skin for GamepadViewer | Created by CrazyGrape --
HOW TO USE IN OBS:
1. Go to GamepadViewer.com and generate a URL (make sure to USE THE XBOX SKIN or leave the skin blank)
2. Generate your URL once the settings are correct and copy it to your clipboard
3. In OBS, create a new browser source
4. In the URL Screen, paste the link copied from GamepadViewer.com
5. Set the width to 807 and the height to 651
6. Paste the contents of this CSS file into the Custom CSS field
7. Click Done.
8. Enjoy the skin! */
# https://blog.google/threat-analysis-group/new-campaign-targeting-security-researchers/
# https://twitter.com/richinseattle/status/1354296177743679489
# Run these in PowerShell (the single-quoted paths are not valid in cmd.exe).
# If a line returns True, or reg query returns a key without an error, the host is infected!
reg query 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\KernelConfig'
reg query 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\DriverConfig'
reg query 'HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SSL Update'
[System.IO.File]::Exists('C:\Windows\System32\Nwsapagent.sys')
[System.IO.File]::Exists('C:\Windows\System32\helpsvc.sys')
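Added example, not code from the gist above: the same indicators wrapped in a PowerShell function that returns one object per indicator instead of relying on reading True/False and reg query errors by eye, so it can be run from an inventory script across many hosts. The function name is mine; the indicator lists default to exactly the keys and files the gist checks. One note on the Run entry: the gist queries "SSL Update" as a subkey of Run, while a Run persistence entry is normally a value under the Run key, so the example checks both forms.

```powershell
# Added example, not part of the gist. Read-only: nothing here modifies the host.
function Test-TagCampaignIndicators {
    [CmdletBinding()]
    param(
        # Registry keys named in the gist; presence of the key is the indicator.
        [string[]]$RegistryKeys = @(
            'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\KernelConfig',
            'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\DriverConfig',
            'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SSL Update'
        ),
        # Run-key persistence is normally a value, not a subkey, so check that form as well.
        [hashtable]$RegistryValues = @{
            'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' = @('SSL Update')
        },
        # Driver files named in the gist; resolved via SystemRoot rather than a hard-coded C:\Windows.
        [string[]]$Files = @(
            "$env:SystemRoot\System32\Nwsapagent.sys",
            "$env:SystemRoot\System32\helpsvc.sys"
        )
    )

    $results = @()

    foreach ($k in $RegistryKeys) {
        $results += [pscustomobject]@{
            Type      = 'RegistryKey'
            Indicator = $k
            Present   = (Test-Path -LiteralPath $k)
        }
    }

    foreach ($key in $RegistryValues.Keys) {
        foreach ($name in $RegistryValues[$key]) {
            # Get-ItemProperty errors (swallowed here) when either the key or the value is missing.
            $item = Get-ItemProperty -LiteralPath $key -Name $name -ErrorAction SilentlyContinue
            $results += [pscustomobject]@{
                Type      = 'RegistryValue'
                Indicator = "$key -> $name"
                Present   = ($null -ne $item)
            }
        }
    }

    foreach ($f in $Files) {
        $results += [pscustomobject]@{
            Type      = 'File'
            Indicator = $f
            Present   = (Test-Path -LiteralPath $f -PathType Leaf)
        }
    }

    $results
}

# Usage: list every indicator, then decide on the host as a whole.
$hits = Test-TagCampaignIndicators | Where-Object Present
if ($hits) {
    $hits | Format-Table -AutoSize
    Write-Warning 'One or more indicators present: treat the host as compromised'
} else {
    Write-Output 'No indicators found (absence is not proof of a clean host)'
}
```

Run it from an elevated session so the HKLM keys and System32 are readable without surprises; a 32-bit PowerShell on a 64-bit host would be redirected to WOW6432Node and could miss the HKLM keys.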
@uf0o
uf0o / beep.cpp
Last active January 21, 2021 02:27
Usage of 'NtOpenFile' to access a device driver that doesn't export any symlink
#include <Windows.h>
#include <stdio.h>
#include <winternl.h>
#pragma comment(lib, "ntdll")
#define IOCTL_BEEP CTL_CODE(FILE_DEVICE_BEEP, 0, METHOD_BUFFERED, FILE_ANY_ACCESS)
typedef struct _BEEP_SETTINGS {
    ULONG ulFrequency;