Powershell-web-access

  • Published on
    Enumeration led me to WordPress, and eventually to a username & computer name to authenticate within a web PowerShell. Then for foothold, we go from the web PowerShell to a reverse shell, privesc with a pivot to msedge.exe, then utilize the SAM & SYSTEM hashes to get hive information, which eventually leads me to root.
  • Published on
    This was an Active Directory Windows machine. It started with finding credentials in an image on the website, then dumping information with LDAP for the domain to find a kerberoastable user, then enumerating more shares with cme, finding which accounts were active, and then getting a foothold. For root, we use pfx2john and find a GMSA exploit in PowerShell to reset a higher-privilege user's password so we can authenticate with our new credentials.