Brandon (Retoxx) Woods Retoxx2

  • Bay Area, California
@gladiatx0r
gladiatx0r / Workstation-Takeover.md
Last active September 6, 2024 13:56
From RPC to RCE - Workstation Takeover via RBCD and MS-RPChoose-Your-Own-Adventure

Overview

In the default configuration of Active Directory, it is possible to remotely take over workstations (Windows 7/10/11) and possibly servers (if Desktop Experience is installed) when their WebClient service is running. In short, this is accomplished by:

  • Triggering machine authentication over HTTP via either MS-RPRN or MS-EFSRPC (as demonstrated by @tifkin_). This requires a set of credentials for the RPC call.
  • Relaying that machine authentication to LDAPS for configuring RBCD
  • RBCD takeover

The caveat to this is that the WebClient service does not automatically start at boot. However, if the WebClient service has been triggered to start on a workstation (for example, via some SharePoint interactions), you can remotely take over that system. In addition, there are several ways to coerce the WebClient service to start remotely which I cover in a section below.

@gianpaolof
gianpaolof / gist:bae3ec809c1bff32c7361a617c577710
Last active August 30, 2024 15:36
Turn on/off Fast boot on Windows 10 via PowerShell
Turn on
REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power" /V HiberbootEnabled /T REG_DWORD /D 1 /F
Turn off
REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power" /V HiberbootEnabled /T REG_DWORD /D 0 /F
https://www.tenforums.com/tutorials/4189-turn-off-fast-startup-windows-10-a.html