Authentication method gssapi-with-mic (krb5.conf file) If we receive the following message while trying to authenticate with any service: debug1: SSH2_MSG_EXT_INFO received debug1: kex_input_ext_in...
UAC can be bypassed in various ways. This post covers only one technique, which allows an administrator user to bypass UAC by silently elevating the process integrity level from medium to high. Most of the public...
PwnKit (ly4k) This PwnKit repository contains a pretty good PwnKit binary for pkexec. In order to use it, we need to download the PwnKit.c source file and compile it from our Kali: (This is to compile with x32 ...
If a Squid Proxy is enabled we can configure our proxychains to enumerate services behind port tcp-3128, all we need to do is configure the /etc/proxychains.conf file as follows: [ProxyList] # add...
DNS RECORDS Dig Retrieve DNS record dig @10.10.10.224 realcorp.htb # Retrieve DNS record dig @10.10.10.224 realcorp.htb ns # Retrieve Name Servers dig @10.10.10.224 realcorp.htb axfr # Transfer Zo...
Ticketer To generate a Silver ticket we need 3 resources: NTLM Hash DC SID SPN Getting NTLM Hash To create a silver ticket, we use the password hash and not the cleartext password. If a...
JuicyPotato The tool takes advantage of the SeImpersonatePrivilege or SeAssignPrimaryTokenPrivilege if enabled on the machine to elevate the local privileges to System. Normally, these privileges ...
WFUZZ Basic Fuzzing: wfuzz -c -t 200 --hc 404 -w /usr/share/seclists/Discovery/Web-Content/IIS.fuzz.txt -u http://10.10.10.203/FUZZ Examples: Worker [[StreamIO#^a1b013]] Subdomain fuzzing: wfuzz...
Connection impacket-mssqlclient sa@10.11.1.31 -p 1433 -db tempdb # Sometimes you need to specify a Windows Authentication impacket-mssqlclient Archetype/sql_svc:M3g4c0rp123@10.129.95.187 -windows-...
Crackmapexec While executing a password spraying attack with crackmapexec, always use the --continue-on-success flag; there are cases where two users have the same password cr...