PowerView

Forest Enumeration

Get-DomainTrust -API

Get-NetForest

Get-DomainTrust

Get-DomainTrustMapping

Get-DomainUser -Domain corp1.com

Find-ForeignGroup -Verbose

Get-DomainForeignGroupMember -Domain "test.lab"

ACLs Enumeration


Find-InterestingDomainAcl -ResolveGUIDs

Invoke-ACLScanner -ResolveGUIDs

Get-DomainObjectAcl -Identity "Managers" -ResolveGUIDs | ForEach-Object {$_ | Add-Member NoteProperty 'IdentityName' $(Convertfrom-Sid $_.SecurityIdentifier);$_}

Find-InterestingDomainAcl -ResolveGUIDs | ?{$_.IdentityReferenceName -match "LAPS Password Readers"}

Get-DomainObjectAcl -Identity machineadmins -ResolveGUIDs | ForEach-Object {$_ | Add-Member NoteProperty 'IdentityName' $(Convertfrom-Sid $_.SecurityIdentifier);$_} | ?{$_.IdentityName -match 'Will'}

Constrained delegation

Get-NetUser -trustedToAuth -Domain eu.local

Get-DomainUser -TrustedToAuth -Domain test.corp 2>$null

Get-DomainComputer -TrustedToAuth -Domain test.corp 2>$null

Unconstrained delegation

Get-DomainComputer -Unconstrained

RBCD

Get-NetComputer us-jump3 | Select-Object -Property name, msds-allowedtoactonbehalfofotheridentity


Last updated 21 days ago
