SQLi Authentication Bypass A SQL query for a normal login, then, looks like this: select * from users where name = 'tom' and password = 'jones'; If we control the value being passed in as $user, ...
Host entries 10.10.10.100 active.htb If Active Directory => NTP Synchronization with the domain controller. Content SMB Enumeration SMB Full share replication to local machine [[SMB Dow...
If we have access to a SYSVOL file, we can extract the “Groups.xml” file and decrypt the cpassword with gpp-decrypt utility: # Contents of Groups.xml cat ./active.htb/Policies/{31B2F340-016D-11D2-9...
SMBMAP smbmap -H 10.10.11.102 -u 'localadmin' -p 'Secret123' --download Shared\\Documents\\Analytics\\Whatif.omv [[Anubis#^cbbd94]] SMBCLIENT Download a Share # First connect to it and then run t...
NMAP Footprinting the Service sudo nmap -p110,143,993,995 -sCV -Pn -n -vvv 10.129.95.171 Connect to the IMAPS/POP3s service openssl s_client -connect <FQDN/IP>:imaps Connect to the IMAPS se...
SMBMAP Null Session Guest can be exchanged with "" smbmap -u guest -p "" -H <IP> -L Authenticated smbmap -H <IP> -u 'user' -p 'pass' -d . Command Execution smbmap -H <IP> -u '...
Pass The Hash Attack The Pass the Hash (PtH) technique allows an attacker to authenticate to a remote system or service using a user’s NTLM hash instead of the associated plaintext password. Note t...
Unauthenticated If we get valid users we can try to request TGT tickets to authenticate as another user: Remember to add the name of the domain controller into the /etc/hosts for this command ...
Null Session rpcclient -U "" -N 10.10.10.10 Authenticated rpcclient -U "htb.local\amanda%Ashare1972" 10.10.10.103 Sizzle If an RPC console is prompted then you can execute following commands: En...
Githacker Command to extract the whole git project: githacker --url http://10.10.11.134/.git/ --output-folder results Examples: Epsilon Git Commits Command to list the commits under a git project...