so.cl

Rascals are always sociable, and the chief sign that a man has any nobility in his character is the little pleasure he takes in others company. Arthur Schopenhauer

KrbRelayUp - a universal no-fix local privilege escalation in windows domain

Simple wrapper around some of the features of Rubeus and KrbRelay (and a few other honorable mentions in the acknowledgements section) in order to streamline the abuse of the following attack primitive:

(Optional) New machine account creation (New-MachineAccount)
Local machine account auth coercion (KrbRelay)
Kerberos relay to LDAP (KrbRelay)
Add RBCD privs and obtain privileged ST to local machine (Rubeus)
Using said ST to authenticate to local Service Manager and create a new service as NT/SYSTEM. (SCMUACBypass)

This is essentially a universal no-fix local privilege escalation in windows domain environments where LDAP signing is not enforced (the default settings). KrbRelayUp - a universal no-fix local privilege escalation

Nickname: sizeof(cat)
Job: Consultant, Hacker
PGP key: F273 5495

For a bird born in captivity, flight is a mental illness.