
Local Admin in less than 60 seconds

BSides Budapest · 2024 · 30:07 · 2.8K views · Published 2025-01
Speaker: Nikos Vourdas
Tags: Category: Technical · Team: Red · Style: Talk
About this talk
Nikos Vourdas - Local Admin in less than 60 seconds: My guilty pleasure. This presentation was held at the #BSidesBUD2024 IT security conference on 23rd May 2024. Local Privilege Escalation (LPE) refers to the process of elevating user privileges on a computing system or network beyond what is intended, granting unauthorized access to resources or capabilities normally restricted to higher privilege levels. Gaining local admin privileges during red teaming significantly enhances the potential for lateral movement and access to additional resources. Modern environments offer unprecedented opportunities to gain local admin privileges more easily than one might imagine. The days of relying solely on traditional techniques such as exploiting unquoted service paths, weak service permissions or misconfigured AlwaysInstallElevated policies are long gone (still possible, but rare). In this presentation we will therefore explore some alternative and realistic methods for escalating privileges and moving laterally within an internal network, inspired by my recent engagements. https://bsidesbud.com
Transcript (en)

Moderator: Okay, ladies and gentlemen, welcome back to the first session of the final presentations of BSides 2024. I'll hand you over straight away to Nikos Vourdas.

Nikos Vourdas: Thank you very much. Hello, ladies and gentlemen, my name is Nikos Vourdas. Welcome to "Local Admin in less than 60 seconds". First of all I want to thank the event for the invitation. This is my first time in Budapest and I think your country is very beautiful; I think it's very similar to my country, Greece. Before the beginning I need to say a special thanks to those two guys, my friends. As I said, my favorite Greek rapper, Bloody Hawk, said "my friends are my idols", and those guys there are my idols who inspired me to do these things. Okay, thank you.

Before the beginning, let me set a timer to be on time. "Hey Siri, set a timer for ... minutes." Okay.

Who am I? I'm a senior offensive security consultant at a company in Greece. I have experience in some threat-led frameworks like TIBER-EU or iCAST. How many of you know what TIBER or iCAST is? Okay, it's adversary simulation in the banking sector. I have a few certifications, and I am proudly one month a non-smoker. I have written two tools, and these are my social media.

Today, sorry, my AI is a little silly. Today I will present my favorite TTP. A big disclaimer here: I don't think you can use this TTP for adversary simulation or red teaming engagements, because I think it's not as stealthy as you might think; I think it's a little noisy. Life is not only red teaming and bypassing detection and all of this stuff; life also includes internal penetration tests, so I recommend using this TTP in internal penetration tests. I will present four methodologies around this TTP, which I used in my last engagements.

So, have you ever seen this tweet on Twitter, or this, or this, or a post like this, or a GIF like this? All of these talk about an NTLM relay attack from the WebDAV protocol to LDAP, and in an internal penetration test I think this is like a silver bullet. But before explaining this attack, let's see some prerequisites of this attack.

First of all, we need LDAP signing not enforced. In my experience, nine out of ten clients have not configured this policy, and without this setting you can't perform this attack. By default LDAP signing is not enforced, and LDAP channel binding too.

Furthermore, we need to know that we want to do an NTLM relay attack from WebDAV to the LDAP protocol, because LDAP is a powerful protocol: you can configure things, you can edit things, you can add things, you can do anything you want. The result of this attack will be one of two attacks: Shadow Credentials and Resource-Based Constrained Delegation. I'm sure that you already know both of them, but let me explain quickly what Shadow Credentials and Resource-Based Constrained Delegation are. For the first one, we need to edit the value of this attribute with a public key for which we already own the private key; and for the second one, we need to configure the value of this attribute with a security descriptor of our own machine account.

So how does this attack actually work? Because user objects cannot edit their own attributes, such as msDS-KeyCredentialLink, but computer objects are able to perform this action. So behind the scenes, the reason why this attack works is because the computer object can do the action for us.

Why don't we use SMB, and why do we want the WebDAV protocol? SMB is a powerful protocol, but it uses NTLMv2 authentication, and as you can see there are three messages during the authentication. In the last message there is a security protection named Message Integrity Code, which blocks performing this NTLM relay attack from SMB to LDAP. But you can find a machine with this CVE and the patch of this CVE: this CVE gives you the ability to drop, to bypass, this Message Integrity Code. But honestly, I have never seen in 2024 a machine unpatched for this vulnerability. But you never know.

Hello, my oldest friend, WebDAV. It's an HTTP extension with which you can perform some basic functionalities like copy, move and create using HTTP. This table shows us that WebDAV still exists by default in Windows 10, Windows 11 and Windows Server 2012 R2, and Microsoft has removed it from Windows Server 2016. So if you have access to a Windows Server like this, you will not find WebDAV. But if you open your Windows 10 or 11 laptop, you will see that WebDAV exists under the name WebClient service. But WebDAV is disabled by default, and as you already know, under regular conditions a low-privileged user doesn't have the permission to enable and start a service. Okay, so unfortunately we can't do something about this. So guys, okay, we can't do something about this, let's go back to Greece. Okay, let's go, let's go guys.

Okay, sit down, sit down. I think a low-privileged user can enable the WebClient service, and if anyone has a different opinion, try to change my mind. Why do I think this? Because, as I said before, one sec, a low-privileged user under regular conditions doesn't have permission to enable or start a service. Well, this policy: I have never seen a client configured with this policy. This policy gives you the ability to use icon references (sorry, I don't want to hide the photo) in order to trigger the service. There are many file types which use icon references, like shortcuts (LNK files), SearchConnector, Library and URL shortcuts, or you can do it programmatically with Win32 APIs; I think there is a project, EtwStartWebClient from KlezVirus on GitHub, in C#. So if I use an LNK shortcut, for example, I can enable the service, and now I will show you a video.

Okay, here is Cobalt Strike. I use Cobalt Strike; it's a command and control, for anyone who doesn't know it. I have access to a Windows 10 workstation and my user is Nikos Kirzis; it's a low-privileged user, as you can see. Okay, one minute.

Okay, sorry, I stopped it. As you can see, the user is not in the local admins group, and I don't have permissions to start, stop, resume or pause, to do anything with the service. Okay, so go back. I will start a SOCKS proxy, I will create a reverse port forward, I will expose a random port, anything I want.

Okay, I will go back to the workstation and I will try to create a shortcut, a simple shortcut, nothing malicious. Now I will go to Properties and I will try to use the reverse port forward port, the random port. Back here I have opened Impacket, give me a minute. Here I have opened ntlmrelayx, which targets LDAP on the DC with shadow credentials, and the shadow target is the machine account of the workstation, and the port forward port, 8081. You can use the same thing with Responder or Farmer, just like that. Okay, I will press OK. It will not find this, but behind... come on... the attack seems to have failed, okay, because as I said before, users can't write their own attributes, and the attack seems to have failed. It's good for us, because when the attack failed, something else happened behind the scenes. Going back to the workstation and opening Services, just refresh: as you can see, the WebClient is now running. So we have the service already enabled, and now we can perform the attack.

Come on. So let's try to repeat the attack and try to take over the workstation and compromise the local admin. First we need to see who is the local admin. I will try to choose this local admin; you can choose any local admin you want. Going back and trying to perform it again; we have already enabled the service.

Okay, we'll try to... okay, again. And now we will use a coerced authentication like PetitPotam, PrinterBug, anything you want, in order to coerce the machine's authentication. After that, we achieve writing msDS-KeyCredentialLink; now the machine is vulnerable to Shadow Credentials. Now I can use this tool from the PKINITtools repository by dirkjanm in order to use the encrypted PFX and exchange the PFX for the TGT of the machine, and then, as you can see in the video, I can use it to perform an S4U2self abuse, to ask for a TGS for the local admin. Okay, let's do it to see it in action. Performing this using this tool, we use the encrypted PFX file and we created the TGT. Now we have the TGT of the machine.

Okay, all... yeah, okay, nice. After that we need, as I said, to perform the S4U2self attack by specifying a specific SPN and impersonating a specific user. As you can see, you have a TGS for this user. We can export this in Linux in order to work in Linux, and then you can use Impacket wmiexec or psexec to connect as local admin.

Okay, as you can see, I'm El Kotlas on the workstation.

One very useful trick, but I have better tricks, okay, trust me. In order to use the first methodology you need to have a public key infrastructure, an AD CS implementation. If you don't have an AD CS implementation (because I don't know the clients here; I have seen clients that still don't use AD CS), what can you do? You can search for the machine account quota: by default, any Active Directory user has the permission to create up to 10 machine accounts. So instead of using --shadow-target and --shadow-credentials you can use --delegate-access, and you can perform Resource-Based Constrained Delegation: create a machine account, then set the security descriptor and delegate this machine, and then S4U abuse to continue.

By the way, he's a legendary Greek rapper, T., and what T. says is: what is better than a local privilege escalation? A lateral movement with local admin rights.

Think about it: you are in an internal penetration test and you have VPN access, okay, you don't have workstation access. How many of you have done an internal penetration test where you had only VPN access? Okay, so you need to use a scanner, like modules of NetExec. If you are in Cobalt Strike, I said okay, you don't have workstation admin, but you can use get_webdavstatus; I created the CNA for this. Or you can use this Python scanner from Hackndo. Shout out to Hackndo; I think Hackndo taught me a lot about Windows Active Directory; you should read his blog. And try to find whether a machine already has the WebClient, the WebDAV service, enabled. Why should a machine have this service enabled? Because another application can trigger it, or, in my experience, I have seen some Citrix servers that have this enabled. So if you want to perform this attack against servers, by the way, you need to know that, apart from WebDAV being enabled, the server should have the Desktop Experience feature enabled. Honestly, I have never seen a server without this feature, Desktop Experience, but you never know.

From VPN access you need to know another thing, because if you have a beacon or malware, a C2 connection, everything with SOCKS and reverse port forwards works fine. But when you have VPN access, you need to add a DNS record. How many of you know that any authenticated user in an Active Directory can add an A record? No? Ah, okay. Well, this is true: any authenticated user can add a record. So you can use dirkjanm's amazing tool, which is part of the krbrelayx repository. With the first command, as you can see, we add an A record named "attacker" which points to our IP, and with the second command we just verify that everything works fine. If you don't inject a DNS record this way, via VPN the attack will probably not work so easily.

And methodology four is: what if I'm on a VPN connection during an internal penetration test and I can't find any machine or server with WebDAV enabled? So I tried everything and I can't find something very helpful; so what can I do? A good option is to go back to Greece with my friends; a second option is to think not harder but smarter. How many of you have clients which still have legacy implementations and, for example, use SMB version 1? Come on guys, I'm sure that you have clients, for sure, that have some machine which uses SMB version 1, for sure.

SMB version 1 would be an opportunity for us, and I will explain why. How many... okay, let me phrase the question correctly: what is wrong with this picture, with this command?

I run a command with NetExec; I use the ntlmv1 module, okay. It says that SMB version 1 is true, okay, but I think SMB version 1 and NTLM version 1 are something different. It doesn't mean that when SMB version 1 is enabled, NTLM version 1 is enabled. As I said, SMB version 1 is not enough: in order to have NTLM version 1 you need to have configured one of these options, and NetExec is not the best way to check this. You need to open Responder, perform a PetitPotam as before, and use --lm to try to downgrade NTLMv2 to NTLMv1. If this happens, then you can relay from SMB to LDAP. Do you know why in this situation you can relay from SMB to LDAP? Because NTLMv1 doesn't have a Message Integrity Code.

So, one minute. As I said, I will add, I will use --remove-mic, because without this option ntlmrelayx doesn't understand that I want to relay from SMB to LDAP, but I use SMB, SMB with NTLM version 1. And back, I will try this time, give me a minute to go back to the video. Come on. I will try to perform PetitPotam using SMB. The main difference, something that I forgot, is: in the previous example with WebDAV, when you use PetitPotam or PrinterBug and you want to use WebDAV, you need to add an endpoint, a port and an endpoint after the hostname, so the tool understands that you don't use SMB but WebDAV. And as you can see, the attack worked, and after that I can perform the same steps.

So, okay, there are a lot of detection event IDs. As I said before, it's not a stealthy approach; I used it one time in a red team, it worked, but I don't recommend using it when you want to be stealthy. There are a lot of event IDs for Kerberos service ticket generation, for TGT requests, for msDS-KeyCredentialLink modification, so if you are from the blue side you need to focus on these events. Okay, I think we finished the presentation very quickly, but it was "Local Admin in less than 60 seconds". Thank you. Do you have any questions?

Moderator: Do we have questions for Nikos, or comments?

Nikos Vourdas: I hope you liked it and it didn't disappoint you, and I hope you use it in your next engagements. I think it's like a silver bullet; with my partner in crime we have done it many times when nothing else worked, so we tried this and it always works. One thing, a good question is: okay, you are a local admin, probably you can impersonate a domain admin; can you change the password of the domain admin or the local admin? If it's in a domain context, the answer is no, because this ticket is delegated; it's only for the context of this machine. But you can use it to dump hashes; you can perform any action that any local admin can do, but not change the password of the local admin in the domain context.

Moderator: Okay, if there isn't anything else, thank you again to Nikos. Thank you very much. [Applause]
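Editor's added example, not code from the talk, from Impacket or from any tool the speaker names. The talk's recurring argument is that an SMB (NTLMv2) authentication cannot be relayed to LDAP because of the Message Integrity Code, while a WebDAV authentication or an NTLMv1 downgrade can. The parser below reads an NTLM AUTHENTICATE_MESSAGE (Type 3, MS-NLMP 2.2.1.3) and reports the three things that decide this: whether the response is NTLMv1 or NTLMv2, whether the message carries a MIC field and claims one in its MsvAvFlags AV pair, and whether the client asked for signing. The verdict function then generalises the talk's three cases into one rule (the editor's generalisation, not the speaker's wording): a relay to LDAP succeeds when either nothing in the message has to be altered (no SIGN flags, as with HTTP/WebDAV clients) or the alteration is not protected by a MIC (NTLMv1), and it fails whenever LDAP signing is enforced on the server. All sample messages are constructed here: the NTProofStr, LM/NT responses and MIC bytes are placeholders rather than real HMACs, the AV-pair list is reduced to MsvAvFlags only, and the identities LAB, lowpriv and WS01 are hypothetical.

```python
"""Added example (not the talk's or Impacket's code): parse an NTLM AUTHENTICATE_MESSAGE
(MS-NLMP 2.2.1.3) and judge whether a relay could forward it to an LDAP bind.
All sample messages are constructed; response bytes are placeholders, not real HMACs."""
import struct

SIGNATURE, AUTHENTICATE = b"NTLMSSP\x00", 3
NEGOTIATE_UNICODE, NEGOTIATE_SIGN, NEGOTIATE_ALWAYS_SIGN = 0x00000001, 0x00000010, 0x00008000
NEGOTIATE_EXT_SESSIONSECURITY, NEGOTIATE_VERSION = 0x00080000, 0x02000000
MSV_AV_EOL, MSV_AV_FLAGS, MSV_AV_FLAG_MIC_PRESENT = 0x0000, 0x0006, 0x00000002
# Header: signature+type (12) + six field descriptors (48) + flags (4) + Version (8) = 72 bytes;
# a 16-byte MIC, when carried, sits at offset 72 and pushes the payload out to offset 88.
MIC_OFFSET, HEADER_WITH_MIC, HEADER_WITHOUT_MIC = 72, 88, 72

def _parse_av_pairs(data):
    """Return {AvId: value} from an AV_PAIR list, stopping at MsvAvEOL."""
    pairs, pos = {}, 0
    while pos + 4 <= len(data):
        av_id, av_len = struct.unpack_from("<HH", data, pos)
        pos += 4
        if av_id == MSV_AV_EOL:
            break
        pairs[av_id] = data[pos:pos + av_len]
        pos += av_len
    return pairs

def parse_authenticate(blob):
    """Pull out the fields that decide whether the message survives being relayed."""
    if blob[:8] != SIGNATURE or struct.unpack_from("<I", blob, 8)[0] != AUTHENTICATE:
        raise ValueError("not an NTLM AUTHENTICATE_MESSAGE")
    # (Len, MaxLen, BufferOffset) for LM, NT, Domain, User, Workstation, EncryptedRandomSessionKey
    descs = [struct.unpack_from("<HHI", blob, off) for off in (12, 20, 28, 36, 44, 52)]
    _lm, nt, domain, user, _workstation, _key = [blob[o:o + ln] for ln, _, o in descs]
    flags = struct.unpack_from("<I", blob, 60)[0]
    mic_field_present = min(o for _, _, o in descs if o) >= HEADER_WITH_MIC
    if len(nt) == 24:                                   # 24-byte DES response: NTLMv1, no AV pairs
        version, av = "NTLMv1", {}
    elif len(nt) > 24 and nt[16:18] == b"\x01\x01":     # NTProofStr(16) + NTLMv2_CLIENT_CHALLENGE
        version, av = "NTLMv2", _parse_av_pairs(nt[44:])  # AvPairs follow its 28-byte fixed part
    else:
        version, av = "unknown", {}
    av_flags = struct.unpack("<I", av[MSV_AV_FLAGS])[0] if len(av.get(MSV_AV_FLAGS, b"")) == 4 else 0
    enc = "utf-16-le" if flags & NEGOTIATE_UNICODE else "ascii"
    return {
        "ntlm_version": version,
        "domain": domain.decode(enc, "replace"),
        "user": user.decode(enc, "replace"),
        "sign_requested": bool(flags & (NEGOTIATE_SIGN | NEGOTIATE_ALWAYS_SIGN)),
        "mic_field_present": mic_field_present,
        "mic_claimed_in_av_pairs": bool(av_flags & MSV_AV_FLAG_MIC_PRESENT),
    }

def assess_ldap_relay(info, ldap_signing_required=False):
    """Could a man-in-the-middle forward this message to an LDAP bind, unchanged or after editing?"""
    if ldap_signing_required:
        return "blocked: LDAP signing is enforced and the relay never learns the session key"
    if info["ntlm_version"] == "NTLMv1":
        return "relayable: NTLMv1 carries no AV pairs and no MIC, so the SIGN flags can be cleared"
    if not info["sign_requested"]:
        return "relayable: client did not ask for signing (typical of HTTP/WebDAV), nothing to alter"
    if info["mic_field_present"] and info["mic_claimed_in_av_pairs"]:
        return "blocked: NTLMv2 with a MIC, clearing the SIGN flags would invalidate it"
    return "relayable: SIGN flags set but no MIC covers them, so they can be cleared"

def build_ntlmv2_response(claim_mic):
    """Constructed NTLMv2_RESPONSE carrying only an MsvAvFlags AV pair (real clients send more)."""
    ntproof = b"\x11" * 16                                  # placeholder for the HMAC-MD5 NTProofStr
    client_challenge = (b"\x01\x01" + b"\x00" * 6           # RespType, HiRespType, Reserved1/2
                        + b"\x00" * 8 + b"\xaa" * 8 + b"\x00" * 4)  # TimeStamp, ChallengeFromClient, Reserved3
    flags = MSV_AV_FLAG_MIC_PRESENT if claim_mic else 0
    return ntproof + client_challenge + struct.pack("<HHI", MSV_AV_FLAGS, 4, flags) + struct.pack("<HH", MSV_AV_EOL, 0)

def build_authenticate(lm, nt, domain, user, workstation, flags, mic=None):
    """Serialise a Type 3 message; the MIC field is emitted only when `mic` is given."""
    enc = "utf-16-le" if flags & NEGOTIATE_UNICODE else "ascii"
    fields = [lm, nt, domain.encode(enc), user.encode(enc), workstation.encode(enc), b""]
    header_len = HEADER_WITH_MIC if mic is not None else HEADER_WITHOUT_MIC
    header, payload = SIGNATURE + struct.pack("<I", AUTHENTICATE), b""
    for f in fields:
        header += struct.pack("<HHI", len(f), len(f), header_len + len(payload))
        payload += f
    header += struct.pack("<I", flags) + b"\x0a\x00\x61\x4a\x00\x00\x00\x0f"  # Version 10.0.19041, rev 15
    return header + (mic if mic is not None else b"") + payload

COMMON = NEGOTIATE_UNICODE | NEGOTIATE_EXT_SESSIONSECURITY | NEGOTIATE_VERSION
SMB_FLAGS, HTTP_FLAGS = COMMON | NEGOTIATE_SIGN | NEGOTIATE_ALWAYS_SIGN, COMMON  # SMB asks to sign, HTTP does not
SAMPLES = {
    # SMB client, NTLMv2, MIC present and claimed: the case the talk says cannot reach LDAP
    "smb_ntlmv2": build_authenticate(b"\x00" * 24, build_ntlmv2_response(True),
                                     "LAB", "lowpriv", "WS01", SMB_FLAGS, mic=b"\x22" * 16),
    # coerced WebClient (WebDAV) auth from the machine account: same MIC, no signing requested
    "webdav_ntlmv2": build_authenticate(b"\x00" * 24, build_ntlmv2_response(True),
                                        "LAB", "WS01$", "WS01", HTTP_FLAGS, mic=b"\x22" * 16),
    # SMB client downgraded to NTLMv1: 24-byte responses, no AV pairs, no MIC field at all
    "smb_ntlmv1": build_authenticate(b"\x33" * 24, b"\x44" * 24, "LAB", "WS01$", "WS01", SMB_FLAGS),
}

def assess_sample(name, ldap_signing_required=False):
    """Parse one constructed sample and return the relay verdict."""
    return assess_ldap_relay(parse_authenticate(SAMPLES[name]), ldap_signing_required)
```

To use it on real traffic, pass `parse_authenticate` the NTLMSSP blob of the Type 3 message (the value after `NTLM ` in a WebDAV `Authorization` header, or the security blob of an SMB Session Setup request) and feed the result to `assess_ldap_relay` with `ldap_signing_required` set to what the domain controller actually enforces. The `mic_claimed_in_av_pairs` field is the one a real relay has to respect: the NTLMv2 response is keyed with the account's NT hash, so the MsvAvFlags claim cannot be stripped along with the MIC field, which is why the speaker's SMB-to-LDAP path needs either an NTLMv1 downgrade or an unpatched MIC-handling flaw, whereas the WebDAV path needs neither.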