Webdav on MrAzoth https://az0th.it/tags/webdav/ Recent content in Webdav on MrAzoth Hugo -- 0.154.5 en-us Advanced Techniques — From Windows https://az0th.it/ad/windows/advanced-techniques/ Mon, 01 Jan 0001 00:00:00 +0000 https://az0th.it/ad/windows/advanced-techniques/ <h2 id="quick-reference">Quick Reference</h2> <table> <thead> <tr> <th>Technique</th> <th>Tool</th> <th>Requirement</th> <th>Impact</th> </tr> </thead> <tbody> <tr> <td>KrbRelayUp (RBCD)</td> <td>KrbRelayUp + Rubeus</td> <td>Domain-joined, no LDAP signing</td> <td>Low-priv → SYSTEM</td> </tr> <tr> <td>gMSA password read</td> <td>GMSAPasswordReader</td> <td>Authorized principal</td> <td>Lateral movement</td> </tr> <tr> <td>LAPS password read</td> <td>Get-AdmPwdPassword / PowerView</td> <td>Read perm on ms-Mcs-AdmPwd</td> <td>Local admin on target</td> </tr> <tr> <td>PPL bypass (mimidrv)</td> <td>Mimikatz + mimidrv.sys</td> <td>Local admin</td> <td>LSASS dump despite PPL</td> </tr> <tr> <td>PPL bypass (PPLdump)</td> <td>PPLdump</td> <td>Local admin</td> <td>LSASS dump despite PPL</td> </tr> <tr> <td>LSASS dump (comsvcs)</td> <td>LOLBAS / rundll32</td> <td>Local admin</td> <td>Credential extraction</td> </tr> <tr> <td>WebDAV coercion trigger</td> <td>PowerShell</td> <td>Shell on target</td> <td>Force HTTP auth for relay</td> </tr> <tr> <td>Shadow credentials</td> <td>Whisker</td> <td>GenericWrite on account</td> <td>PKINIT auth, NT hash</td> </tr> </tbody> </table> <hr> <h2 id="krbrelayup--local-privilege-escalation-to-system">KrbRelayUp — Local Privilege Escalation to SYSTEM</h2> <h3 id="what-krbrelayup-is">What KrbRelayUp Is</h3> <p>KrbRelayUp abuses Resource-Based Constrained Delegation (RBCD) to escalate from a low-privilege domain user with a local shell to <code>NT AUTHORITY\SYSTEM</code> on the same machine. The attack creates a new machine account, configures RBCD on the target machine to trust that new account, then uses S4U2Self + S4U2Proxy to get a Kerberos service ticket impersonating <code>Administrator</code> (or any domain user) for the current machine — then uses that ticket to spawn a SYSTEM process.</p> Advanced Techniques — From Kali https://az0th.it/ad/kali/advanced-techniques/ Mon, 01 Jan 0001 00:00:00 +0000 https://az0th.it/ad/kali/advanced-techniques/ <h2 id="quick-reference">Quick Reference</h2> <table> <thead> <tr> <th>Technique</th> <th>Tool</th> <th>Requirement</th> <th>Impact</th> </tr> </thead> <tbody> <tr> <td>WebDAV Coercion → LDAP relay</td> <td>ntlmrelayx + PetitPotam</td> <td>WebClient running on target</td> <td>RBCD, shadow creds, DA</td> </tr> <tr> <td>gMSA password read</td> <td>gMSADumper / nxc</td> <td>Authorized principal</td> <td>Lateral movement</td> </tr> <tr> <td>Zerologon</td> <td>cve-2020-1472</td> <td>Network access to DC (pre-patch)</td> <td>Instant DA</td> </tr> <tr> <td>noPac (CVE-2021-42278/42287)</td> <td>noPac.py</td> <td>Domain user</td> <td>DA via KDC spoofing</td> </tr> <tr> <td>LAPS read</td> <td>nxc / ldapsearch</td> <td>Read perm on ms-Mcs-AdmPwd</td> <td>Local admin on target</td> </tr> <tr> <td>LSASS dump (offline parse)</td> <td>pypykatz</td> <td>LSASS dump file</td> <td>Credential extraction</td> </tr> <tr> <td>KrbRelayUp pre-check</td> <td>nxc ldap</td> <td>Network access</td> <td>Identify LDAP signing state</td> </tr> </tbody> </table> <hr> <h2 id="webdav-coercion--bypass-smb-signing-for-ntlm-relay">WebDAV Coercion — Bypass SMB Signing for NTLM Relay</h2> <h3 id="why-webdav-coercion-works">Why WebDAV Coercion Works</h3> <p>Standard NTLM relay from SMB to LDAP is blocked when SMB signing is required (which is enforced on DCs by default). WebDAV coercion forces the target to authenticate over HTTP instead of SMB. HTTP authentication does not enforce signing, so it can be relayed to LDAP even when the target has SMB signing enabled.</p>