Shuciran Pentesting Notes

AV Evasion Techniques

Placing files in writeable paths The following folders are by default writable by normal users (depends on Windows version - This is from W10 1803) C:\Windows\Tasks C:\Windows\Temp C:\windows\tra...

S3 Buckets

Passive Enumeration Domain.Glass Third-party providers such as domain.glass can provide information about the company’s infrastructure. GrayHatWarfare We can do many different searches, disco...

S3 Buckets

Basic Enumeration The site flaws.cloud is hosted as an S3 bucket. This is a great way to host a static site, similar to hosting one via github pages. Some interesting facts about S3 hosting: When ...

Fulcrum (Insane)

Host entries 10.10.10.62 upload.fulcrum.local dc.fulcrum.local If Active Directory => NTP Synchronization with the domain controller. Content API Enumeration - Endpoint Brute Force Advan...

Anubis (Insane)

Host: 10.10.11.102 windcorp.htb www.windcorp.htb If Active Directory => Synchronize your NTP with the domain controller: #Note This command does not work correctly on this machine, we circumven...

Acute (Hard)

Host entries: 10.10.11.145 atsserver.acute.local If Active Directory => NTP Synchronization with the domain controller. Content Information Leakage Abusing Windows PowerShell Web Acce...

Sizzle (Insane)

Content Parsing NMAP output FTP Enumeration (no files) SMBCacls Enumeration SMB Share with writing Permissions (SCF Attack) Hashcat cracking (NTLMv2) Ldap Enumeration (LdapDomainDump...

Scrambled (Medium)

Host entries: 10.10.11.168 scrm.local dc1.scrm.local If Active Directory => NTP Synchronization with the domain controller. Content LDAP Enumeration Web Enumeration Information Le...

Cascade (Medium)

Host entries: 10.10.10.182 cascade.local casc-dc1.cascade.local domaindnszones.cascade.local forestdnszones.cascade.local hostmaster.cascade.local casc-dc1 dead:beef::e476:800b:b47d:c174 cascad...

Search (Hard)

Host entries: 10.10.11.129 search.htb research.search.htb If Active Directory => NTP Synchronization with the domain controller. Content Reconnaissance Initial reconnaissance for T...