NTLMRelay

To achieve code execution, the relayed user or machine account needs to be in the Administrators group on the target and/or have permission to write to a share. In this example the compromised user is mwinchester on Desktop-Alpha; that user has no Administrator privileges on the current box, so we relay the authentication from Desktop-Alpha to Desktop-Bravo and gain code execution there. The setup is simple.

We start by running ntlmrelay targeting the machine we want the credentials relayed to, enabling SMB2Support if necessary.

The user needs to authenticate to our relaying machine, in this example the Linux box. There are various ways to trigger this authentication; here we simply force it by having the user try to browse a fake share on the Linux box (other methods of controlling the authentication exist, for example tainting a share to force authentication). From the Windows machine we can verify our user:

The user is not an Administrator on the box. The user then tries to browse the Linux machine:

Our attacking machine successfully relays the authentication to Desktop-Bravo and gains code execution.

We can tell from here that a user was authenticating to the Linux machine, and we relayed that to our targeted box.
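From the defender's side, a relay like the one above leaves a tell in the target's Security log: a network (type 3) NTLM logon for mwinchester whose WorkstationName is the real client (Desktop-Alpha) but whose IpAddress is the relay box, not Desktop-Alpha. The following is an added example, not part of the original notes, that runs that check over a constructed sample of Event ID 4624 fields; the workstation-to-IP inventory (HOST_IPS) and the key=value log layout are assumptions for the example.

```python
# Added example (not part of the original notes): flag NTLM network logons whose
# source IP does not match the inventoried IP of the workstation named in the
# event, a common indicator of relayed authentication. Data below is constructed.
import re

# Constructed inventory (assumption): the IP each workstation normally logs on from.
HOST_IPS = {
    "DESKTOP-ALPHA": "10.0.0.10",
    "DESKTOP-BRAVO": "10.0.0.20",
}

# Constructed Event ID 4624 records, one per line, flattened to key=value pairs.
# Line 2 is the relay case: client claims to be DESKTOP-ALPHA but arrives from 10.0.0.99.
SAMPLE_EVENTS = """\
EventID=4624 LogonType=3 AuthenticationPackageName=NTLM TargetUserName=mwinchester WorkstationName=DESKTOP-ALPHA IpAddress=10.0.0.10
EventID=4624 LogonType=3 AuthenticationPackageName=NTLM TargetUserName=mwinchester WorkstationName=DESKTOP-ALPHA IpAddress=10.0.0.99
EventID=4624 LogonType=3 AuthenticationPackageName=Kerberos TargetUserName=svc_backup WorkstationName=DESKTOP-BRAVO IpAddress=10.0.0.20
EventID=4624 LogonType=2 AuthenticationPackageName=NTLM TargetUserName=mwinchester WorkstationName=DESKTOP-BRAVO IpAddress=-
"""

def parse_event(line):
    """Turn one 'key=value key=value ...' line into a dict of event fields."""
    return dict(re.findall(r"(\w+)=(\S+)", line))

def is_suspicious_relay(event, host_ips):
    """True for a type-3 NTLM logon whose source IP is not the one inventoried
    for the workstation the client claims to be (WorkstationName is client-supplied)."""
    if event.get("EventID") != "4624" or event.get("LogonType") != "3":
        return False
    if event.get("AuthenticationPackageName") != "NTLM":
        return False
    expected = host_ips.get(event.get("WorkstationName", "").upper())
    actual = event.get("IpAddress")
    # Unknown workstations and placeholder/loopback addresses are left to other rules.
    if expected is None or actual in (None, "-", "127.0.0.1", "::1"):
        return False
    return actual != expected

def find_relay_candidates(log_text, host_ips=HOST_IPS):
    """Return (user, claimed workstation, source ip) for each suspicious logon."""
    hits = []
    for line in log_text.splitlines():
        ev = parse_event(line)
        if is_suspicious_relay(ev, host_ips):
            hits.append((ev["TargetUserName"], ev["WorkstationName"], ev["IpAddress"]))
    return hits

if __name__ == "__main__":
    for user, ws, ip in find_relay_candidates(SAMPLE_EVENTS):
        print(f"possible NTLM relay: {user} claims {ws} but logged on from {ip}")
```

The inventory lookup is a simplification; in practice the source IP would be resolved against DHCP or asset data, and the durable fix is requiring SMB signing (and EPA for other protocols) so relayed sessions are rejected outright.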
