Shuciran Pentesting Notes

Cascade (Medium)

Host entries: 10.10.10.182 cascade.local casc-dc1.cascade.local domaindnszones.cascade.local forestdnszones.cascade.local hostmaster.cascade.local casc-dc1 dead:beef::e476:800b:b47d:c174 cascad...

Search (Hard)

Host entries: 10.10.11.129 search.htb research.search.htb If Active Directory => NTP Synchronization with the domain controller. Content Reconnaissance Initial reconnaissance for T...

Reel (Hard)

Host entries: 10.10.10.77 reel.htb.local htb.local If Active Directory => NTP Synchronization with the domain controller. Content Metadata Inspection with exiftool Crafting a malicio...

Resolute (Medium)

Host entries: 10.10.10.169 megabank.local resolute.megabank.local If Active Directory => NTP Synchronization with the domain controller. Content Reconnaissance Initial reconnaissan...

StreamIO (Medium)

Host entries: 10.10.10.125 watch.streamio.htb streamio.htb alpblog.streamio.htb If Active Directory => NTP Synchronization with the domain controller. Content LFI using PHP wrappers Sou...

Querier (Medium)

Host entries: 10.10.10.125 QUERIER querier.htb.local querier.htb If Active Directory => NTP Synchronization with the domain controller. Content SMB Null Session Macro identification on X...

Escape (Medium)

Host entries: 10.10.11.202 sequel.htb dc.sequel.htb If Active Directory => NTP Synchronization with the domain controller. Content SMB Enumeration MSSQL Server Procedures Searching MSS...

DCSync Attack

Another way to achieve persistence in an Active Directory infrastructure is to steal the password hashes for all administrative users in the domain. To do this, we could move lateral...

Subversion (tcp-3690)

Enumeration commands:
svn ls svn://10.10.10.203 #list
svn log svn://10.10.10.203 #Commit history
svn checkout svn://10.10.10.203 #Download the repository
svn up -r 2 #Go to revision 2 inside the ch...

MYSQL (tcp-3306)

Connection
Common command to connect to MariaDB and MySQL databases (avoid -p if you want to be prompted for the password):
mysql -h 10.129.5.43 -u root -p'th1s!smypassw0rd'
MySQL Basic Commands: ...