So,<\/p>\n
Recently I have spent alot of time on Local Lockdown testing and 98 times out of a 100 they allow VBScript to be run. Very bad mistake.<\/p>\n
With VBScript it is possible to do lots of wonderful this that a normal locked down user wouldn’t, i.e.<\/p>\n
Here is a few cool ways I was able to leverage VBScript to get me more information that I should have had access to.<\/p>\n
LDAP Query that Returns Excel Doc:<\/p>\n
On Error Resume Next\r\n\r\nCounter = 2\r\nWorksheets(\"Sheet1\").cells(1, 1).Value = \"Username\"\r\nWorksheets(\"Sheet1\").cells(1, 2).Value = \"Group\"\r\n\r\nConst E_ADS_RPOPERTY_NOT_FOUND = &H8000500D\r\nSet objou = GetObject(\"LDAP:\/\/ou=users,dc=microsoft,dc=com\")\r\nobjou.Filter = Array(\"user\") \r\n\r\nFor Each objUser in objou\r\nWorksheets(\"Sheet1\").cells(Counter, 1).Value = (objUser.cn)\r\narrMemberOf = objUser.GetEx(\"memberOf\")\r\n\r\nIf Err.Number <> E_ADS_RPOPERTY_NOT_FOUND Then\r\nFor Each Group In arrMemberOf\r\nWorksheets(\"Sheet1\").cells(Counter, 1).Value = (objUser.cn)\r\nWorksheets(\"Sheet1\").cells(Counter, 2).Value = (vbTab & Group)\r\nCounter = Counter + 1\r\nNext\r\nElse\r\nWorksheets(\"Sheet1\").cells(Counter, 1).Value = (objUser.cn)\r\nWorksheets(\"Sheet1\").cells(Counter, 2).Value = (vbTab & \"attribnotset\")\r\nCounter = Counter + 1\r\nErr.Clear\r\nEnd If\r\nNext<\/pre>\nCheck Service Permissions: (still in working progress)<\/p>\n
On Error Resume Next\r\n\r\nobjFileName = \"services.txt\"\r\nSet objFSO = CreateObject(\"Scripting.FileSystemObject\")\r\nSet objFile = objFSO.CreateTextFile((objFileName))\r\nSet objShell = CreateObject(\"WScript.Shell\")\r\n\r\nSet services = CreateObject(\"System.Collections.ArrayList\")\r\narrComputers = Array(\"localhost\")\r\n\r\nFor Each strComputer In arrComputers\r\n WScript.Echo\r\n WScript.Echo \"==========================================\"\r\n WScript.Echo \"Computer: \" & strComputer\r\n WScript.Echo \"==========================================\"\r\n\r\n Set objWMIService = GetObject(\"winmgmts:{impersonationLevel=Impersonate}!\\\\\" & strComputer & \"\\root\\CIMV2\")\r\n Set colItems = objWMIService.ExecQuery(\"SELECT * FROM Win32_Service\")\r\n\r\n For Each objItem In colItems \r\n\tpat = \".*.exe\"\r\n\tstrFileName = objItem.PathName\r\n\r\n\tSet myRegExp = New RegExp\r\n\tmyRegExp.IgnoreCase = True\r\n\tmyRegExp.Global = True\r\n\tmyRegExp.Pattern = \".*.exe\"\r\n\r\n\tSet myMatches = myRegExp.Execute(strFileName)\r\n\tFor Each myMatch in myMatches\r\n\tservices.Add myMatch.Value\r\n\tNext\r\n Next\r\n\r\nNext\r\n\r\nFor Each service in services\r\n\tSet myRegExp = New RegExp\r\n\tmyRegExp.IgnoreCase = True\r\n\tmyRegExp.Global = True\r\n\tmyRegExp.Pattern = chr(34)\r\n\r\nserfor = myRegExp.Replace(service, \"\")\r\n\r\nSet oExec = objShell.Exec(\"cacls \" & chr(34) & serfor & chr(34))\r\n Do While Not oExec.StdOut.AtEndOfStream\r\n str = oExec.StdOut.ReadAll\r\n objFile.WriteLine(str)\r\n Loop\r\nSet oExec = nothing\r\n\r\nNext<\/pre>\nReading Registry Keys:<\/p>\n
Dim Shell, Reg \r\n'RegKey = \"HKLM\\Software\\test\\testkey\"\r\nRegKey = UserInput( \"Enter Registry Path:\" )\r\nSet Shell = CreateObject(\"WScript.Shell\")\r\nReg = Shell.RegRead(RegKey)\r\nMsgBox Reg<\/pre>\nRunning an Application With Parameters (think when no command prompt is available)<\/p>\n
Set Shell = CreateObject(\"WScript.Shell\")\r\nShell.Run(\"\"\"C:\\windows\\system32\\cmd.exe\"\" \/c net users\")<\/pre>\nNothing too great but handy to have when you need them \ud83d\ude42<\/p>\n
<\/p>\n","protected":false},"excerpt":{"rendered":"
So, Recently I have spent alot of time on Local Lockdown testing and 98 times out of a 100 they allow VBScript to be run. Very bad mistake. With VBScript it is possible to do lots of wonderful this that a normal locked down user wouldn’t, i.e. Access Registry Execute Programs Get File Permissions Query… Continue reading VB Script!<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[1],"tags":[],"_links":{"self":[{"href":"https:\/\/www.hackwhackandsmack.com\/index.php?rest_route=\/wp\/v2\/posts\/1"}],"collection":[{"href":"https:\/\/www.hackwhackandsmack.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.hackwhackandsmack.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.hackwhackandsmack.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.hackwhackandsmack.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1"}],"version-history":[{"count":3,"href":"https:\/\/www.hackwhackandsmack.com\/index.php?rest_route=\/wp\/v2\/posts\/1\/revisions"}],"predecessor-version":[{"id":34,"href":"https:\/\/www.hackwhackandsmack.com\/index.php?rest_route=\/wp\/v2\/posts\/1\/revisions\/34"}],"wp:attachment":[{"href":"https:\/\/www.hackwhackandsmack.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.hackwhackandsmack.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.hackwhackandsmack.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}