HTTP htaccess Attack with Medusa We will attempt to gain access to an htaccess-protected folder, /admin, on that server. Next, we will launch medusa and initiate the attack against the htaccess-p...

We will use a port forwarding tool called rinetd to redirect traffic on our Kali Linux server. This tool is easy to configure, available in the Kali Linux repositories, and is easily installed with...

When attempting to exploit system-level software (such as drivers or the kernel itself), we must pay careful attention to several factors including the target’s operating system, version, and archi...

A common way to elevate privileges on a Windows system is to exploit insecure file permissions on services that run as nt authority\system. For example, consider a scenario in which a software dev...

Scenario: CVE-2017-1000112 Kernel exploits are an excellent way to escalate privileges, but success may depend on matching not only the target’s kernel version but also the operating system flavor...

Users User Privileges whoami /priv whoami /groups Network Privileges net user net group `domain` net localgroup `local` net localgroup <Group Name> net accounts `domain` net accounts /domain...

First, on Windows systems, we should check the status of the \_AlwaysInstallElevated registry setting. If this key is enabled (set to 1) in either HKEY_CURRENT_USER or HKEY_LOCAL_MACHINE, any user ...

Enumerating Installed Applications and Patch Levels wmic product get name, version, vendor List system-wide updates with Win32_QuickFixEngineering (qfe) wmic qfe get Caption, Description, HotFixI...

Distribution ls /etc/*-release cat /etc/os-release cat /etc/issue uname -a cat /proc/version Interesting files cat /etc/passwd cat /etc/group cat /etc/shadow cat /etc/hosts ls -lh /var/mail/ ls -...

List Cron Jobs cat /etc/crontab && ls -al /etc/cron* Find World-Writable Cron jobs find /etc/cron* -type f -perm -o+w -exec ls -l {} \; Find Cron Jobs Owned by Other Users find /etc/cro...