Shuciran Pentesting Notes

Powershell Modules

Nishang If we want to drop a .ps1 file such as one of the Nishang scripts onto a Windows machine, we can modify the last line of that file (to load the script and then execute it): Write-Warning "S...

NTP (UDP 123)

Basic Enumeration ntpq -c readlist <IP_ADDRESS> ntpq -c readvar <IP_ADDRESS> ntpq -c peers <IP_ADDRESS> ntpq -c associations <IP_ADDRESS> ntpdc -c monlist <IP_ADDRESS>...

LDAP (tcp-369, tcp-636, tcp-3268)

LDAPDOMAINDUMP Dumping useful information from the domain controller via LDAP: ldapdomaindump -u 'htb.local\amanda' -p 'Ashare1972' 10.10.10.103 [*] Connecting to host... [*] Binding to host [+] Bi...

KERBEROS (tcp-88)

Explanation The Kerberos authentication protocol used by Microsoft is adopted from the Kerberos version 5 authentication protocol created by MIT and has been used as Microsoft’s primary authenticat...

Linux PATH Hijacking

In order to exploit PATH hijacking we need to identify two things: 1) that the script can be executed in another user’s context, and 2) that a command or a library is called by a relative path rather than an absolute one (a missing relative path on a command or on a libra...

Responder

LLMNR (Link-Local Multicast Name Resolution) What is LLMNR? Link-Local Multicast Name Resolution. Used to identify hosts when DNS fails to do so. Previously known as NBT-NS. The main drawb...

Bloodhound

Sharphound.exe First upload SharpHound to the system and then run the following commands from a folder where you have write access, as it will produce a .zip file there: # For SharpHound.ps1 (each line is a comm...

NTP Synchronization

#Note Sometimes you need to use the host domain name (e.g. sizzle.htb) NTPDATE ntpdate 10.10.11.102 RDATE rdate -n 10.10.11.102 DATE It is also possible to set the date “manually” ...

Windows User Creation/Group Addition

User create If we are able to create a user, it is as simple as using the net.exe Windows utility: net user shuciran shucir4n /add Add user to a group If there is a group in the domain with some pr...

Unquoted Service Path

Another interesting attack vector that can lead to privilege escalation on Windows operating systems revolves around unquoted service paths. We can use this attack when we have write permissions to...