THM Internal

This was an amazing challenge! I learned a few new tricks, so I thought about documenting it here real quick. It all started with a WordPress site... Easy bruteforce with wpscan: wpscan --url http://10.10.40.183/wordpress/ -U wp_users.txt -P /usr/share/wordlists/rockyou.txt Lucky weeee. We got the admin password. First thing to do is insert a reverse shell... » read more

Exposing services with reverse SSH tunnels

Reverse SSH port forwarding specifies that the given port on the remote server host is to be forwarded to the given host and port on the local side. -L is a local tunnel (YOU <-- CLIENT). If a site was blocked, you can forward the traffic to a server... » read more

Windows-Exploitation

WIP... Here we go... A collection of commands for AD enumeration and exploitation for OSCP preparation. User Enumeration: Enumerate users for domain CONTROLLER.local on DC CONTROLLER.local: kerbrute userenum --dc CONTROLLER.local -d CONTROLLER.local /usr/share/wordlists/User.txt Ticket harvesting and Password Bruteforcing: Capture TGTs sent to the KDC every 30 seconds: Rubeus.exe harvest /interval:30 User : CONTROLLER-1$@CONTROLLER.LOCAL StartTime :... » read more

THM SUID Shenanigans

This is another challenge from Tryhackme.com I want to showcase, since it teaches a few cool techniques for SUID binaries. If you don't know what SUID binaries are, those are executables that allow you to execute a program with the permissions of a previously specified user. If you want to know more about Linux permissions check... » read more

THM Data Elf-iltration writeup

This is a pretty easy and quick challenge from the THM Advent of Cyber series. Even though it's pretty easy, it is worth documenting since it makes you use some neat techniques to get those flags. So let's step in! #1 What data was exfiltrated via DNS? In the challenge description, we get a .pcap... » read more