Category: Uncategorized
-
LDAP
If you can authenticate to LDAP, either anonymously or with credentials, you can pull everything from it like so: Alternatively, to get all users, you can use (the slash after the domain is very important): To query for users that don't require Kerberos preauthentication, see AS-REP roasting: Then, to get a ticket-granting ticket (TGT) (note: this does seem…
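The two queries the post alludes to (users that do not require Kerberos preauthentication, and users with SPNs) both hinge on userAccountControl being a bitmask, which a plain LDAP equality filter cannot test; the bitwise-AND matching rule 1.2.840.113556.1.4.803 is what makes those filters work. The following is an added example, not the post's own commands: it builds those filters and triages a constructed ldapsearch (LDIF) dump for AS-REP-roastable and Kerberoastable accounts. The domain, account names, SPNs and the LDIF text are made up.

```python
"""Triage an ldapsearch (LDIF) dump of AD user objects for AS-REP-roastable
and Kerberoastable accounts, and build the matching LDAP filters. Added
example, not the post's own commands; the LDIF below is constructed and the
domain, users and SPNs in it are made up."""
import base64

# userAccountControl bits relevant to Kerberos attacks (ADS_USER_FLAG values).
UAC_BITS = {
    0x0002: "ACCOUNTDISABLE",
    0x0020: "PASSWD_NOTREQD",
    0x0200: "NORMAL_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWD",
    0x80000: "TRUSTED_FOR_DELEGATION",
    0x100000: "NOT_DELEGATED",
    0x400000: "DONT_REQUIRE_PREAUTH",
}
UF_ACCOUNTDISABLE, UF_DONT_REQUIRE_PREAUTH = 0x0002, 0x400000
LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"  # bitwise-AND extensible match


def uac_filter(flag, is_set=True):
    """LDAP clause testing a single userAccountControl bit."""
    clause = f"(userAccountControl:{LDAP_MATCHING_RULE_BIT_AND}:={flag})"
    return clause if is_set else f"(!{clause})"


ASREP_FILTER = ("(&(objectCategory=person)(objectClass=user)"
                + uac_filter(UF_DONT_REQUIRE_PREAUTH) + uac_filter(UF_ACCOUNTDISABLE, False) + ")")
KERBEROAST_FILTER = ("(&(objectCategory=person)(objectClass=user)(servicePrincipalName=*)"
                     "(!(sAMAccountName=krbtgt))" + uac_filter(UF_ACCOUNTDISABLE, False) + ")")


def parse_ldif(text):
    """Minimal LDIF reader for ldapsearch output: unfolds wrapped lines, decodes
    '::' base64 values, keeps multi-valued attributes as lists and drops the
    trailing 'search:'/'result:' block because it has no dn."""
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:   # continuation of the previous value
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)
    entries, cur = [], {}
    for line in unfolded + [""]:               # trailing "" flushes the last entry
        if not line.strip():
            if cur:
                entries.append(cur)
            cur = {}
            continue
        if line.startswith("#"):
            continue
        key, _, value = line.partition(":")
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        cur.setdefault(key, []).append(value.strip())
    return [e for e in entries if "dn" in e]


def decode_uac(value):
    v = int(value)
    return {name for bit, name in UAC_BITS.items() if v & bit}


def asrep_roastable(entries):
    """Enabled accounts with DONT_REQUIRE_PREAUTH: what GetNPUsers would roast."""
    out = []
    for e in entries:
        flags = decode_uac(e.get("userAccountControl", ["0"])[0])
        if "DONT_REQUIRE_PREAUTH" in flags and "ACCOUNTDISABLE" not in flags:
            out.append(e["sAMAccountName"][0])
    return sorted(out)


def kerberoastable(entries):
    """Enabled accounts carrying an SPN, minus krbtgt: what GetUserSPNs would list."""
    out = []
    for e in entries:
        sam = e["sAMAccountName"][0]
        flags = decode_uac(e.get("userAccountControl", ["0"])[0])
        if e.get("servicePrincipalName") and sam.lower() != "krbtgt" and "ACCOUNTDISABLE" not in flags:
            out.append((sam, e["servicePrincipalName"]))
    return sorted(out)


# Constructed ldapsearch output (made-up domain), including a folded line,
# a base64 value and the trailer ldapsearch appends.
SAMPLE_LDIF = """\
# extended LDIF
dn: CN=svc_sql,OU=Service Accounts,DC=corp,DC=local
sAMAccountName: svc_sql
userAccountControl: 66048
servicePrincipalName: MSSQLSvc/sql01.corp.lo
 cal:1433
servicePrincipalName: MSSQLSvc/sql01.corp.local

dn: CN=jdoe,CN=Users,DC=corp,DC=local
sAMAccountName: jdoe
userAccountControl: 4260352

dn: CN=old_admin,CN=Users,DC=corp,DC=local
sAMAccountName:: b2xkX2FkbWlu
userAccountControl: 4260354

dn: CN=krbtgt,CN=Users,DC=corp,DC=local
sAMAccountName: krbtgt
userAccountControl: 514
servicePrincipalName: kadmin/changepw

# search result
search: 2
result: 0 Success
"""

if __name__ == "__main__":
    users = parse_ldif(SAMPLE_LDIF)
    print("AS-REP roastable:", asrep_roastable(users))
    print("Kerberoastable:  ", kerberoastable(users))
```

Against a real DC the filters go straight into ldapsearch, for example (hostname and bind account assumed): `ldapsearch -x -H ldap://dc01.corp.local -D 'jdoe@corp.local' -W -b 'DC=corp,DC=local' "$ASREP_FILTER" sAMAccountName userAccountControl servicePrincipalName`. Disabled accounts are excluded because a DONT_REQUIRE_PREAUTH flag on a disabled account yields a KDC error, not an AS-REP.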
-
Kerberoasting
Kerberos is the ticket-based authentication protocol behind Active Directory: a client authenticates to the KDC once and then requests tickets that grant access to individual services. Kerberos identifies services by Service Principal Names (SPNs), each of which is registered on the account that runs the service. Any account that can authenticate to Active Directory can request a service ticket for any SPN, and that ticket is encrypted with the service account's password hash, so a weak password can be cracked offline without ever touching the service. Retrieve SPNs with impacket-GetUserSPNs. Once you have the ticket, you can try to crack it using hashcat…
-
Some OSCP Resources
Getting ready for the OSCP… Again… Linking some resources here. Good OSCP guidance: https://johnjhacking.com/blog/oscp-reborn-2023 This, in turn, links to several other good resources. nmapAutomator: https://github.com/21y4d/nmapAutomator/ GTFOBins and LOLBAS: Reverse shell generator (you shouldn't need this, but it can be a good reference for those pesky one-liners): https://www.revshells.com/ Playing with Active Directory: https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Active%20Directory%20Attack.md PrivEsc classes:…
-
Windows – Useful
Useful things for attacking Windows systems. If RDP is available, Nmap's rdp-ntlm-info NSE script can glean some very useful information from the NTLM challenge (NetBIOS and DNS hostnames, domain name, and OS build). If NetBIOS and/or SMB is enabled, enum4linux is your friend; it may even enumerate local users for you. nbtscan is also useful for learning the server's hostname. Smbclient can be…
-
SetUID Binaries
SetUID is a file-permission bit that makes a binary run with the privileges of the file's owner rather than those of the user who executes it. If a binary is SetUID root, we can often abuse its legitimate functionality (GTFOBins catalogs the known cases) to gain root on the system it's on. To find all SetUID binaries on a given system, run Check out…
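The enumeration step in code, as an added example that is not the post's own command: a walk over a tree that reports every regular file with the setuid or setgid bit set (the Python equivalent of `find / -perm -4000 -type f 2>/dev/null`, plus `-2000` for setgid) and flags the names that GTFOBins lists with a SUID section, which are the ones to try first. The `demo()` function builds a throwaway directory with a setuid `find` so the scan runs offline; that tree and the helper name in it are constructed.

```python
"""Find setuid/setgid executables and flag GTFOBins quick wins. Added example,
not the post's own command; demo() builds a constructed tree for offline use."""
import os
import shutil
import stat
import tempfile

# Names GTFOBins lists with a SUID section; a root-owned setuid copy of one of
# these is usually an immediate root shell rather than an exploit-dev project.
GTFOBINS_SUID = {
    "bash", "sh", "dash", "zsh", "find", "vim", "vi", "nano", "python", "python3",
    "perl", "ruby", "php", "nmap", "cp", "mv", "env", "less", "more", "awk", "gawk",
    "tar", "zip", "unzip", "base64", "xxd",
}


def find_setuid(root):
    """One record per regular file under root with the setuid or setgid bit set."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)          # lstat: a symlink's own mode is irrelevant
            except OSError:                  # unreadable entries, like 2>/dev/null
                continue
            if not stat.S_ISREG(st.st_mode):
                continue
            setuid = bool(st.st_mode & stat.S_ISUID)
            setgid = bool(st.st_mode & stat.S_ISGID)
            if setuid or setgid:
                hits.append({
                    "path": path, "setuid": setuid, "setgid": setgid,
                    "uid": st.st_uid, "gid": st.st_gid,
                    "mode": oct(stat.S_IMODE(st.st_mode)),
                    "gtfobins": name in GTFOBINS_SUID,
                })
    return sorted(hits, key=lambda h: h["path"])


def quick_wins(hits):
    """Setuid binaries with a GTFOBins SUID entry: what to try before anything else."""
    return [h["path"] for h in hits if h["setuid"] and h["gtfobins"]]


def demo():
    """Constructed tree: a setuid 'find', a setuid custom 'myhelper', a plain 'ls'."""
    root = tempfile.mkdtemp(prefix="suid-demo-")
    bindir = os.path.join(root, "usr", "bin")
    os.makedirs(bindir)
    for name, mode in (("find", 0o4755), ("myhelper", 0o4755), ("ls", 0o755)):
        path = os.path.join(bindir, name)
        with open(path, "wb") as fh:
            fh.write(b"#!/bin/sh\necho placeholder\n")
        os.chmod(path, mode)                 # owner may set S_ISUID on own file
    try:
        return find_setuid(root)
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for h in demo():
        flag = "GTFOBins" if h["gtfobins"] else "custom, worth reversing"
        print(f"{h['mode']} uid={h['uid']} {h['path']}  [{flag}]")
```

On a real box run `find_setuid("/")`: anything root-owned that is neither in the GTFOBins set nor a stock distro binary (custom helpers, vendor agents) is where the writeup-style exploitation usually starts, while a GTFOBins hit is a one-liner. Mounts with `nosuid` neutralise the bit on execution even though the scan still reports it, so check `findmnt` before celebrating.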
-
Linux Capabilities
I had another box to hack, but the initial access portion was a mix of default creds and unrestricted file uploads. I have like 3 posts going over just that, so I’m skipping that part. What I’d like to focus on is Linux capabilities. From the man page: Cool, and capabilities can be applied to…
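The capabilities post starts from `getcap`, so here is the triage step as an added example that is not the post's own code: a parser for `getcap -r / 2>/dev/null` output that handles both libcap output styles (older releases print `<path> = cap_x+ep`, newer ones print `<path> cap_x=ep`) and reports the capabilities that by themselves amount to root. The sample output, its paths and the binaries named in it are constructed.

```python
"""Triage getcap output for file capabilities that give a privilege-escalation
path. Added example, not the post's own code; the sample lines are constructed."""
import re

# One clause of the cap_to_text grammar: "cap_a,cap_b+ep", "cap_setuid=ep", or
# a bare "=ep" meaning every capability.
_CLAUSE = re.compile(r"^([a-z0-9_,]*)([=+-])([eip]*)$")

# Capabilities that on their own usually lead to root (GTFOBins has entries for
# binaries carrying most of these). cap_net_raw/cap_net_admin are deliberately
# absent: sniffing is useful, but not root.
ROOT_EQUIVALENT = {
    "cap_setuid", "cap_setgid", "cap_sys_admin", "cap_sys_module", "cap_sys_ptrace",
    "cap_dac_override", "cap_dac_read_search", "cap_chown", "cap_fowner", "cap_setfcap",
}


def parse_getcap_line(line):
    """Return (path, {cap_name: set(flags)}) or None for a blank line.
    Flags: e = effective at exec, p = permitted, i = inheritable."""
    line = line.strip()
    if not line:
        return None
    path, _, spec = line.partition(" ")      # assumes no spaces in the path
    spec = spec.strip()
    if spec.startswith("= "):                 # old libcap: "<path> = <caps>"
        spec = spec[2:]
    caps = {}
    for clause in spec.split():
        m = _CLAUSE.match(clause)
        if not m:
            raise ValueError(f"cannot parse capability clause {clause!r}")
        names, op, flags = m.groups()
        for name in (names.split(",") if names else ["all"]):
            current = caps.setdefault(name, set())
            if op == "=":                     # assign
                current.clear()
                current.update(flags)
            elif op == "+":                   # add flags
                current.update(flags)
            else:                             # "-": drop flags
                current.difference_update(flags)
    return path, caps


def triage_getcap(lines):
    """[(path, cap, flags)] for root-equivalent caps, sorted by path.
    'p' (permitted) alone is enough to report: a capability-aware program can
    raise a permitted cap into its effective set; 'e' means it is live at exec."""
    findings = []
    for line in lines:
        parsed = parse_getcap_line(line)
        if not parsed:
            continue
        path, caps = parsed
        for cap, flags in caps.items():
            if (cap == "all" or cap in ROOT_EQUIVALENT) and "p" in flags:
                findings.append((path, cap, "".join(sorted(flags))))
    return sorted(findings)


# Constructed sample mixing both output styles; paths are made up.
SAMPLE_GETCAP = """\
/usr/bin/ping cap_net_raw=ep
/usr/bin/python3.11 cap_setuid=ep
/usr/sbin/tcpdump = cap_net_admin,cap_net_raw+eip
/usr/bin/gdb = cap_sys_ptrace+ep
/usr/bin/vim.basic cap_dac_override=ep
/opt/backup/agent =ep
"""

if __name__ == "__main__":
    for path, cap, flags in triage_getcap(SAMPLE_GETCAP.splitlines()):
        print(f"{path}\t{cap}\t{flags}")
```

Of the sample, `ping` and `tcpdump` are the normal distro grants and drop out; an interpreter with `cap_setuid` (call `setuid(0)` from it), a debugger with `cap_sys_ptrace` (attach to a root process), an editor with `cap_dac_override` (edit `/etc/shadow`) and anything with a bare `=ep` are each a direct path to root.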
-
Zipfile cracking to Textpattern unrestricted file upload to DirtyCOW
AND ANOTHER ONE! These are the worst. Very little attack surface. Let’s dirbust it. Okay, we have a few directories to look at. Robots.txt even gives us a bit of a hint. After a LOT of trial and error, we finally hit it with nonstandard wordlists from dirbuster instead of dirb and found something. Okay,…
-
Unrestricted file upload to bad file permissions to sudo misconfigs
Here we go again. Don’t know what 33060 is, but let’s look at the web server. Okay, so we have a couple of pages to look at. /admin, /store, and /gym (discovered in robots.txt) all have login forms. Admin/admin works on /store, then we get a way to edit books available in the store, including…
-
MySQL bruteforcing to Fernet decryption to Python exec calls
Another target. Let’s begin. Let’s run nmap service discovery to make sure. Great, OpenSSH and MySQL. No known-to-me vulnerabilities in either. Guess we’re bruteforcing. Sweet, MySQL creds are ‘root’ and ‘prettywoman’. Thanks, I know what I am. Next up is a bit of a read. I connect to MySQL and poke at the data. Alright,…
-
Command injection via GET request arguments to Cron stupidity
Let’s go! Let’s see what’s on the web server. Alright, dirbusting it is. Okay, what’s in robots.txt? Okay, going to that directory. If we click on OS, we get a set of links to URLs like: Let’s try to do some command injection with the following: It works! Unfortunately, I can’t show you the output…