
Restoring

Dirkjan Mollema edited this page Dec 4, 2018 · 1 revision

Restoring access

A restore file is automatically generated, even when something goes wrong in the exploitation chain. Once the privileges are no longer needed, run the same command with the --restore option and specify the restore file. In restore mode all other command line options are ignored, except --server, which can still be used to manually specify a domain controller address:

(aclpwn) user@localhost:~/aclpwn$ python aclpwn.py -f s2012exc -ft computer -d testsegment.local --restore aclpwn-20181129-182321.restore
Please supply the password or LM:NTLM hashes for the account S2012EXC.TESTSEGMENT.LOCAL: 
[-] Removing ACE using manual approach
[+] Domain Sync privileges restored successfully

Strategies

Most restores are straightforward: any access that was granted is reversed. For some access types this means editing the security descriptor set on the object. When restoring such a change, aclpwn uses one of two approaches.

  • Both the original and the modified security descriptor are saved in the restore file. If the security descriptor currently on the object is identical to the one that was present directly after the modification, aclpwn writes back the original security descriptor. It indicates this with the "SD restore approach" message.
  • If the security descriptor was modified in the meantime, aclpwn manually tries to remove the ACEs that were added to it, leaving any other changes in place. It indicates this with the "Removing ACE using manual approach" message.

If a restore operation is not successful, you will be prompted whether to continue anyway and restore the other parts of the chain. Depending on why the restore was unsuccessful, this may or may not work.
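The decision between the two approaches, and the continue-on-failure prompt, as an added example. This is not aclpwn's own code: aclpwn reads and writes the binary nTSecurityDescriptor attribute through ldap3 and impacket, whereas here a security descriptor is modelled as a tuple of Ace records and the directory as a plain dict so the logic runs offline. The DS-Replication-Get-Changes GUIDs are the real extended-right identifiers; the SIDs, distinguished names and the group-step access mask are constructed, and the `RestoreEntry`, `plan_restore` and `restore_chain` names are this example's own.

```python
"""Model of aclpwn's two restore strategies (added example, not aclpwn code)."""
from dataclasses import dataclass
from typing import List, Tuple

# Extended-right GUIDs used for DCSync (real values).
DS_REPLICATION_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPLICATION_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
ADS_RIGHT_DS_CONTROL_ACCESS = 0x100
WRITE_DACL = 0x40000


@dataclass(frozen=True)
class Ace:
    sid: str
    mask: int
    object_type: str = ""  # GUID for object-specific ACEs, empty otherwise


SecurityDescriptor = Tuple[Ace, ...]


@dataclass
class RestoreEntry:
    """One chain step as recorded in the restore file: the object that was
    touched and its descriptor before and directly after the change."""
    target_dn: str
    original_sd: SecurityDescriptor
    modified_sd: SecurityDescriptor

    def added_aces(self) -> List[Ace]:
        return [ace for ace in self.modified_sd if ace not in self.original_sd]


class RestoreError(Exception):
    pass


def plan_restore(entry: RestoreEntry, current_sd: SecurityDescriptor):
    """Decide how to undo one entry given the descriptor currently on the object.

    Returns ("sd", original) when the saved original can be written back
    verbatim, or ("manual", stripped) when only the ACEs we added are removed.
    """
    if current_sd == entry.modified_sd:
        # Nothing else touched the object since our change: exact restore.
        return "sd", entry.original_sd
    # The ACL changed in the meantime; strip only our ACEs so that third-party
    # changes made after the exploitation step survive.
    to_remove = entry.added_aces()
    remaining = tuple(ace for ace in current_sd if ace not in to_remove)
    if len(remaining) == len(current_sd):
        # None of our ACEs are present any more: report a failure rather than
        # silently declaring the object restored.
        raise RestoreError(f"none of the added ACEs found on {entry.target_dn}")
    return "manual", remaining


def restore_chain(entries, directory, ask_continue):
    """Undo the chain in reverse order of modification.

    directory maps DN -> current descriptor (stand-in for LDAP). When a step
    fails, ask_continue(message) decides whether the remaining steps are still
    attempted, mirroring aclpwn's prompt. Returns [(dn, approach), ...] with
    approach "failed" for steps that could not be restored.
    """
    results = []
    for entry in reversed(entries):
        try:
            approach, new_sd = plan_restore(entry, directory[entry.target_dn])
        except RestoreError as exc:
            results.append((entry.target_dn, "failed"))
            if not ask_continue(str(exc)):
                break
            continue
        directory[entry.target_dn] = new_sd
        results.append((entry.target_dn, approach))
    return results


def demo():
    """Constructed scenario: a two-step chain where the domain object's ACL was
    edited by someone else after aclpwn modified it."""
    domain_dn = "DC=testsegment,DC=local"
    group_dn = "CN=Exchange Windows Permissions,OU=Microsoft Exchange Security Groups," + domain_dn
    user_sid = "S-1-5-21-1111-2222-3333-1105"  # constructed SID of the pwned account
    admin_ace = Ace("S-1-5-21-1111-2222-3333-512", 0xF01FF)
    sync_aces = (
        Ace(user_sid, ADS_RIGHT_DS_CONTROL_ACCESS, DS_REPLICATION_GET_CHANGES),
        Ace(user_sid, ADS_RIGHT_DS_CONTROL_ACCESS, DS_REPLICATION_GET_CHANGES_ALL),
    )
    entries = [
        RestoreEntry(group_dn, (admin_ace,), (admin_ace, Ace(user_sid, WRITE_DACL))),
        RestoreEntry(domain_dn, (admin_ace,), (admin_ace,) + sync_aces),
    ]
    helpdesk_ace = Ace("S-1-5-21-1111-2222-3333-1200", 0x10)  # added by an admin later
    directory = {
        group_dn: entries[0].modified_sd,
        domain_dn: (admin_ace,) + sync_aces + (helpdesk_ace,),
    }
    return restore_chain(entries, directory, ask_continue=lambda msg: False), directory


if __name__ == "__main__":
    for dn, approach in demo()[0]:
        print(f"[+] {dn}: {approach}")
```

Running `demo()` restores the domain object with the manual approach (the helpdesk ACE is kept, the two replication ACEs are dropped) and the group with the SD approach. The failure branch is reached only when none of the recorded ACEs can be found on the object, which is when you would be prompted to continue.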
