
PrivEsc LPE, admin access

cs didn't work on the network
Do you suggest anything for a proxy on the network?
If it has internet access, just get a reverse shell via meterpreter or, if that is not possible, use ligolo to set up a tunnel/proxy and connect your machine to their network. Ligolo does not need admin privs to run, but it is detected by AV.
 
Hello everyone,
We have some access, but we need LPE for admin access.

1-Windows 2012 R2 64 bit

2-Microsoft(R) Windows(R) Server 2003 Enterprise x64 Edition
Operating system version: 5.2.3790 Service Pack 2 build 3790

These users are in the domain
domain user

The two accesses don't have any AV/EDR

Is there a way to get admin access?

Or anything that helps us
Thanks
Waiting,
 
For this, the user must be in the administrators group
- The compromised user must belong to the "Administrators group".

Yes, you are right, apparently I forgot that
 
First, list the services to see if any of them have a bug. Then, if it's 2012, why don't you try Zerologon?

Check services:
Code:
wmic service get name,displayname,pathname,startmode | findstr /i "auto" | findstr /i /v "C:\Windows\\" | findstr /i /v """


 
do whoami /priv
whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State
============================= ============================== ========
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
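
For defenders, the two enumeration commands posted above (the wmic service listing and whoami /priv) stand out in process-creation telemetry, especially when one account runs both in quick succession on a server. The sketch below is an added example, not part of the original thread; the rule names, event fields and sample events are constructed for illustration.

```python
import re
from collections import defaultdict

# Heuristics for the two commands quoted in this thread (rule names are made up).
RULES = {
    "wmic_service_path_enum": re.compile(
        r"\bwmic(\.exe)?\b.*\bservice\b.*\bget\b.*\bpathname\b", re.I),
    "whoami_priv": re.compile(r'\bwhoami(\.exe)?"?\s+/priv\b', re.I),
}

# Constructed process-creation events; the field names are assumptions
# modelled on Windows Security 4688 / Sysmon Event ID 1 records.
EVENTS = [
    {"ts": 1000, "host": "SRV-A", "user": "CORP\\jdoe",
     "cmd": "wmic service get name,displayname,pathname,startmode"},
    {"ts": 1090, "host": "SRV-A", "user": "CORP\\jdoe", "cmd": "whoami /priv"},
    {"ts": 1200, "host": "SRV-B", "user": "CORP\\backup",
     "cmd": "wmic service where name='Spooler' get state"},
    {"ts": 5000, "host": "SRV-B", "user": "CORP\\helpdesk",
     "cmd": '"C:\\Windows\\System32\\whoami.exe" /PRIV'},
    {"ts": 5100, "host": "SRV-B", "user": "CORP\\helpdesk", "cmd": "whoami"},
]

def match_rules(cmd):
    """Names of all rules whose pattern occurs in a command line."""
    return [name for name, rx in RULES.items() if rx.search(cmd)]

def detect(events):
    """One (ts, host, user, rule) tuple per rule hit, in input order."""
    return [(ev["ts"], ev["host"], ev["user"], rule)
            for ev in events for rule in match_rules(ev["cmd"])]

def recon_bursts(events, window_s=600):
    """(host, user) pairs that hit two distinct rules within window_s seconds."""
    by_actor = defaultdict(list)
    for ts, host, user, rule in detect(events):
        by_actor[(host, user)].append((ts, rule))
    bursts = set()
    for actor, seen in by_actor.items():
        seen.sort()
        for i, (t0, r0) in enumerate(seen):
            if any(r != r0 and t - t0 <= window_s for t, r in seen[i + 1:]):
                bursts.add(actor)
    return sorted(bursts)

if __name__ == "__main__":
    for hit in detect(EVENTS):
        print("hit:", hit)
    print("escalate:", recon_bursts(EVENTS))
```

A single whoami /priv from a helpdesk account is common noise; the paired burst from a standard domain user on a server is the signal worth triaging.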
 
It's kinda unclear what you want to do. If the PC is joined to a domain, and you are logged in as a standard domain user, you cannot elevate with a UAC bypass, since it requires administrator credentials for elevation.

If you are logged in as a normal user (LOCAL not DOMAIN) you can elevate easily. I assume you landed on a DC, since both of the machines are Windows Servers, right?
 
It's kinda unclear what you want to do. If the PC is joined to a domain, and you are logged in as a standard domain user, you cannot elevate with a UAC bypass, since it requires administrator credentials for elevation.

If you are logged in as a normal user (LOCAL not DOMAIN) you can ascend easily. I assume you landed on a DC, since both of the machines are Windows Servers, right?
Yes, this user is in the DC, and we landed on the DC. This user doesn't have admin access; we got the DC server with a domain user, ok? We just need a shell as admin.
 

