Hack0ura

Hack0ura / WebClientRelayUp

Public

WebClientRelayUp - an universal no-fix local privilege escalation in domain-joined windows workstations in default configuration.

74
7
69% credibility
Found Feb 17, 2026 at 38 stars -- GitGems finds repos before they trend. Get early access to the next one.
Sign Up Free
AI Analysis
C#
AI Summary

WebClientRelayUp is a security research tool that tests for privilege escalation vulnerabilities on domain-joined Windows workstations by coercing the WebClient service into authenticating to an attacker-controlled relay server.

How It Works

1
🔍 Discover the security tester

You hear about a helpful tool for checking weaknesses on company computers connected to a network.

2
📥 Get it ready

You download the tool and prepare it on your test machine, noting the main network computer to point to.

3
🚀 Start the magic relay

With one simple command, you launch the tool—it listens quietly for a special connection while you wake up the file-sharing helper on the target computer.

4
🔗 Trigger the connection

You nudge the computer to reach out to your tool using a built-in file trick, and it connects automatically.

5
Unlock higher access

The tool cleverly grabs top-level network permissions, creates a secret key for the computer, and swaps in admin powers seamlessly.

Run powerful commands

You now execute any command as the highest admin on the machine, proving the security gap and feeling in full control.

Sign up to see the full architecture

4 more

Sign Up Free

Star Growth

See how this repo grew from 38 to 74 stars Sign Up Free
Repurpose This Repo

Repurpose is a Pro feature

Generate ready-to-use prompts for X threads, LinkedIn posts, blog posts, YouTube scripts, and more -- with full repo context baked in.

Unlock Repurpose
AI-Generated Review

What is WebClientRelayUp?

WebClientRelayUp is a C# tool delivering universal local privilege escalation on domain-joined Windows workstations in default configuration. It forces the WebClient service to relay SYSTEM's NTLM authentication via EFS coercion to an attacker-controlled HTTP server, then proxies it to a domain controller's LDAP for shadow credential injection. Users get a single executable that runs arbitrary commands as SYSTEM through S4U2Self impersonation and SCM UAC bypass—no admin rights or fixes required.

Why is it gaining traction?

It outshines tools like DavRelayUp by skipping resource-based constrained delegation (which needs new accounts) for stealthier Shadow Credentials plus S4U2Self, working in vanilla AD setups with PKINIT-enabled DCs. The CLI is dead simple: `WebClientRelayUp.exe -t dc01.contoso.local -u Administrator -c cmd.exe`, publishing to a trimmed self-contained exe via dotnet. Red teamers dig the no-prereqs reliability on Win10/11.

Who should use this?

Red and purple teamers assessing Active Directory privilege escalation paths on domain-joined workstations. Security researchers testing WebClient service exposures or LDAP relay mitigations like signing/channel binding. Defenders validating event 5136 detection for msDS-KeyCredentialLink mods.

Verdict

Grab it for AD pentesting labs—solid docs, usage examples, and mitigations make it practical despite 18 stars and 0.7% credibility score signaling early maturity. Pair with monitoring tweaks for real-world eval; skip if seeking battle-tested alternatives.

(198 words)

Sign up to read the full AI review Sign Up Free

Similar repos coming soon.