NTLM Relay to Domain Admin
Short post outlining a technique used on a recent engagement where I was tasked with gaining domain admin privs starting from an unauthenticated standpoint.
- Windows 25
- HackTheBox 19
- Snippets 12
- Linux 12
- Cheat sheets 5
- Priv Esc 5
- Enumeration 5
- Shells 4
- Active Directory 3
- Defence 3
- Web Apps 2
- Tools 2
- Password Attacks 1
- Python 1
- XSS 1
- Networking 1
- Review 1
Windows
HackTheBox - Worker
Worker was an interesting 30 point box created by ekenas that introduces some cool technologies such as SVN and Azure Devops.
HackTheBox - Cascade
Cascade was a cool 30 point box created by VbScrub. It started out with some LDAP enumeration that allowed you to find a Base64 encoded password which you then use to log into SMB, after that you discover a VNC encrypted password which you can crack using an interactive ruby shell and then use to login via WinRM to get user. After that you have to decrypt a password from an audit database file utilising some C#, you then login and discover you have the AD Recycle Bin group privileges allowing you to recover a temporary administrator password. You then login as admin and get root.
HackTheBox - Sauna
Sauna was a fun 20 point box created by egotisticalSW. It started out with some username enumeration which allows you to AS-REP roast and dump a hash, you then crack it and login via WinRM to get user. You then stumble across some autologon credentials which have DCSync privileges which then allows you to use secretsdump.py, login with the admin hash, and get root.
HackTheBox - Monteverde
Monteverde was an interesting 30 point box created by egre55. It started out with some user enumeration which leads you to password spraying and discovering a weak password policy for a service account, you then dump an SMB share using the service account’s credentials and discover more creds used by Azure which you can use to WinRM in and get user. You then have to modify an exploit which abuses Azure’s Password Hash Synchronization to dump the Administrator credentials, you then use the creds to WinRM in again and get the root flag.
Active Directory Domain Enumeration Part 2
Active Directory domain enumeration without leveraging PowerView or the Active Directory PowerShell module, will be continuously adding to this.
HackTheBox - Resolute
Resolute was a fun 30 point box created by egre55. It starts out by finding a set of credentials via SMB enumeration which allows you to password spray and find that the password has been reused, allowing you to login via WinRM and get the user flag. You then find a set of credentials in a PowerShell Transcript file, log in again via WinRM with those credentials, and then finally abuse the user’s group privileges to get root.
Covenant C2
In light of being advised to use Covenant during the Cybernetics pro labs from HTB and absolutely falling in love with it’s power, simplicity, and organisation I decided to type up some notes for myself regarding the installation and basic setup.
HackTheBox - Cybernetics Review
Making the most out of lockdown in the UK, I decided to enroll in the new Hack The Box pro lab, Cybernetics.
SDDL Security Descriptors
Some notes to myself to use as a reference guide and to gain a better understanding of the privileges and rights assigned to Windows services in the form of SDDL security descriptor strings.
Active Directory Security Checklist
I recently came across the Active Directory Pro blog post Top 25 Active Directory Security Best Practices. It’s a great read for anyone interested in AD security. I decided to type up the 25 points onto my blog so I could quickly reference them easily when required.
HackTheBox - Sniper
Sniper was a cool 30 point box created by MinatoTW and felamos. It started out with finding a parameter vulnerable to LFI which happened to also be vulnerable to RFI using our own custom Samba SMB server to host a web shell. You can then use some PowerShell to execute commands as chris to get user and subsequently a meterpreter shell on the box. Finally you had to create a malicious CHM file which when opened executes nc.exe sending you a shell and subsequently root.
HackTheBox - Forest
Forest was a fun 20 point box created by egre55 and mrb3n. It started out with enumerating users from SMB for use in a Kerberos AS-REP Roasting attack, you then crack the resulting hash and login via WinRM to get user. You then have to Invoke-BloodHound and abuse the privileges our user has to get root.
HackTheBox - Bankrobber
Bankrobber was a fun 50 point box created by Gioo and Cneeliz. It started out with XSS to steal the admins cookie which contains credentials for the admin interface, you then login and find SQLi to get source code to a script that’s vulnerable to SSRF and exploit it via an XSS payload to get user. You then have to brute force a 4 digit PIN code leveraging pwntools and exploit a blind buffer overflow to get root.
HackTheBox - Json
Json was a fun 30 point box created by Cyb3rb0b. It started out by finding a Json.Net deserialization error which leads you to ysoserial.net, you then create a JSON deserialization payload to get code execution and subsequently return a shell. You can then either find and decrypt credentials to login via FTP and get the flag, or you can get SYSTEM via Juicy Potato.
HackTheBox - RE
RE was a fun box created by 0xdf. It started out by creating an .ods document with a malicious macro that would execute once opened, returning a reverse shell which grants you the user flag. You then have to find and exploit a ZipSlip vulnerability in a .ps1 script, this allows you to escalate privileges to iis apppool\reblog. From here you binary plant a vulnerable service to get a NT AUTHORITY\SYSTEM shell and then impersonate an available token which allows you to get root.
Windows User Rights Assignment
Table of reference for Windows user rights assignment.
Windows Security Identifiers
Instead of having to check the Microsoft docs every time I needed to identify a mysterious SID, I decided to type up the table here so I can reference it easily when required.
Windows Event Monitoring
Collection of Windows PowerShell Event log commands and Windows Event ID tables.
Miscellaneous Snippets
Collection of references, commands, scripts, and tool usage examples for various things.
Windows Snippets
Small collection of Windows privilege escalation scripts, references, binaries and commands.
Active Directory Domain Enumeration
Domain enumeration will require the use of either PowerView.ps1 or the Active Directory PowerShell Module.
Shell Upgrade Cheat Sheet
Cheatsheet for upgrading regular shells to meterpreter sessions. Covering both Windows and Linux target hosts. handler.sh is mentioned throughout this post, it can be found on my github.
DLL Shells
Quick post covering a few different ways to create and generate malcious DLLs for reverse/bind shells and for command execution.
.lnk Command Execution
In this post we’ll be covering the different ways we can create, edit, and abuse Windows .lnk files to achieve command exection.
HackTheBox
HackTheBox - Worker
Worker was an interesting 30 point box created by ekenas that introduces some cool technologies such as SVN and Azure Devops.
HackTheBox - Compromised
Compromised was a fun 40 point box created by D4nch3n that covered some interesting tools and techniques. Let’s jump in.
HackTheBox - Cascade
Cascade was a cool 30 point box created by VbScrub. It started out with some LDAP enumeration that allowed you to find a Base64 encoded password which you then use to log into SMB, after that you discover a VNC encrypted password which you can crack using an interactive ruby shell and then use to login via WinRM to get user. After that you have to decrypt a password from an audit database file utilising some C#, you then login and discover you have the AD Recycle Bin group privileges allowing you to recover a temporary administrator password. You then login as admin and get root.
HackTheBox - Sauna
Sauna was a fun 20 point box created by egotisticalSW. It started out with some username enumeration which allows you to AS-REP roast and dump a hash, you then crack it and login via WinRM to get user. You then stumble across some autologon credentials which have DCSync privileges which then allows you to use secretsdump.py, login with the admin hash, and get root.
HackTheBox - Monteverde
Monteverde was an interesting 30 point box created by egre55. It started out with some user enumeration which leads you to password spraying and discovering a weak password policy for a service account, you then dump an SMB share using the service account’s credentials and discover more creds used by Azure which you can use to WinRM in and get user. You then have to modify an exploit which abuses Azure’s Password Hash Synchronization to dump the Administrator credentials, you then use the creds to WinRM in again and get the root flag.
HackTheBox - Resolute
Resolute was a fun 30 point box created by egre55. It starts out by finding a set of credentials via SMB enumeration which allows you to password spray and find that the password has been reused, allowing you to login via WinRM and get the user flag. You then find a set of credentials in a PowerShell Transcript file, log in again via WinRM with those credentials, and then finally abuse the user’s group privileges to get root.
HackTheBox - Sniper
Sniper was a cool 30 point box created by MinatoTW and felamos. It started out with finding a parameter vulnerable to LFI which happened to also be vulnerable to RFI using our own custom Samba SMB server to host a web shell. You can then use some PowerShell to execute commands as chris to get user and subsequently a meterpreter shell on the box. Finally you had to create a malicious CHM file which when opened executes nc.exe sending you a shell and subsequently root.
HackTheBox - Forest
Forest was a fun 20 point box created by egre55 and mrb3n. It started out with enumerating users from SMB for use in a Kerberos AS-REP Roasting attack, you then crack the resulting hash and login via WinRM to get user. You then have to Invoke-BloodHound and abuse the privileges our user has to get root.
HackTheBox - Bankrobber
Bankrobber was a fun 50 point box created by Gioo and Cneeliz. It started out with XSS to steal the admins cookie which contains credentials for the admin interface, you then login and find SQLi to get source code to a script that’s vulnerable to SSRF and exploit it via an XSS payload to get user. You then have to brute force a 4 digit PIN code leveraging pwntools and exploit a blind buffer overflow to get root.
HackTheBox - Json
Json was a fun 30 point box created by Cyb3rb0b. It started out by finding a Json.Net deserialization error which leads you to ysoserial.net, you then create a JSON deserialization payload to get code execution and subsequently return a shell. You can then either find and decrypt credentials to login via FTP and get the flag, or you can get SYSTEM via Juicy Potato.
HackTheBox - RE
RE was a fun box created by 0xdf. It started out by creating an .ods document with a malicious macro that would execute once opened, returning a reverse shell which grants you the user flag. You then have to find and exploit a ZipSlip vulnerability in a .ps1 script, this allows you to escalate privileges to iis apppool\reblog. From here you binary plant a vulnerable service to get a NT AUTHORITY\SYSTEM shell and then impersonate an available token which allows you to get root.
HackTheBox - AI
AI was an interesting 30 point box created by MrR3boot . It started out by finding a wav file upload and using it to get SQL Injection. SQLi then allows you to dump SSH credentials which you use to log in and get user. You then have to abuse a Java/Tomcat/JDWP root process with some Java calls and jdb to get code execution and return a reverse shell to get root.
HackTheBox - Player
Player was a fun 40 point box created by MrR3boot . It started out with heavy vhost enumeration which leads you to some backup file artifacts that expose an access code and passphrase, we then use the code and passphrase to generate a JWT and access an avi file upload application. An avi file exploit is then used to read sensitive files and get SSH credentials for an XAUTH SSH exploit with which you can read local files to get user.
HackTheBox - Bitlab
Bitlab was an interesting 30 point box created by Frey and thek. It started out with finding and decoding some hex encoded JavaScript to get credentials for a GitLab instance, then taking advantage of two repos with web hooks to get code execution and a shell as www-data. We then dump SSH credentials from a database using PHP and finally do some analysis of a Windows executable to get root credentials and log in to get root.
HackTheBox - Craft
Craft was a fun 30 point box created by rotarydrone. It started out with finding and exploiting the Python eval() function in a flask API application via exposed source code in Gogs to get a shell as root in a docker container. We then dump the user table of a MySQL database via a Python script to get credentials and log in via SSH to get user, and finally abusing vault SSH to get root using a OTP.
HackTheBox - Wall
Wall was an easy 30 point box created by ecdo. It started out with finding a Centreon web interface, brute forcing the API to get login credentials and then logging in to find a page where we can get command injection. We then obtained a shell as www-data through the injection point and exploited a GNU Screen SUID binary to get both the root and user flags.
HackTheBox - Chainsaw
Chainsaw was a nice 40 point box created by artikrh and absolutezero. It started out by exploiting a smart contract leveraging Web3.py, then dumping some IPFS info and cracking an RSA Private Key to get user. We then took advantage of a SUID binary to get root and used bmap to get the flag hidden within the slack space of root.txt.
HackTheBox - Jarvis
Jarvis was a nice 30 point box created by manulqwerty and Ghostpp7. It started out by finding SQL Injection in a vulnerable parameter and using sqlmap to get an os-shell, abusing a sudo script to get user and finally exploiting a SUID systemctl to get root.
HackTheBox - Ellingson
Ellingson was a nice 40 point box created by Ic3M4n. It started with finding an exposed Werkzeug Debugger and getting RCE so we could SSH in to the box. We then needed to crack some hashes to get user and pwn a SUID binary to get root.
Snippets
Azure AZ-500 Notes
Notes relating to Azure security technologies and services, based around revision I did in preparation for the Azure AZ-500 exam.
Android Snippets
Collection of notes regarding Android application analysis and testing.
Azure Snippets
Collection of information and tools for Azure configuration reviews and security testing.
Tmux Snippets
Collection of simple/handy commands and my .tmux.conf.
ASM Snippets
Some snippets based on ASM and binary exploitation.
Mobile Snippets
Collection of notes for Android/iOS pentesting, and MDM configuration reviews.
Binary Exploitation Snippets
Collection of random commands/code snippets/resources relating to binary exploitation.
Code Review Snippets
Some notes regarding code reviews.
Vim Snippets
Collection of random snippets including my .vimrc and commands for file/string manipulation in Vim.
Linux Snippets
Small collection of Linux privilege escalation scripts, references and commands.
Windows Snippets
Small collection of Windows privilege escalation scripts, references, binaries and commands.
Python Snippets
Collection of basic Python code templates I’ve developed and/or used on various occasions.
Linux
HackTheBox - Compromised
Compromised was a fun 40 point box created by D4nch3n that covered some interesting tools and techniques. Let’s jump in.
HackTheBox - AI
AI was an interesting 30 point box created by MrR3boot . It started out by finding a wav file upload and using it to get SQL Injection. SQLi then allows you to dump SSH credentials which you use to log in and get user. You then have to abuse a Java/Tomcat/JDWP root process with some Java calls and jdb to get code execution and return a reverse shell to get root.
HackTheBox - Player
Player was a fun 40 point box created by MrR3boot . It started out with heavy vhost enumeration which leads you to some backup file artifacts that expose an access code and passphrase, we then use the code and passphrase to generate a JWT and access an avi file upload application. An avi file exploit is then used to read sensitive files and get SSH credentials for an XAUTH SSH exploit with which you can read local files to get user.
HackTheBox - Bitlab
Bitlab was an interesting 30 point box created by Frey and thek. It started out with finding and decoding some hex encoded JavaScript to get credentials for a GitLab instance, then taking advantage of two repos with web hooks to get code execution and a shell as www-data. We then dump SSH credentials from a database using PHP and finally do some analysis of a Windows executable to get root credentials and log in to get root.
HackTheBox - Craft
Craft was a fun 30 point box created by rotarydrone. It started out with finding and exploiting the Python eval() function in a flask API application via exposed source code in Gogs to get a shell as root in a docker container. We then dump the user table of a MySQL database via a Python script to get credentials and log in via SSH to get user, and finally abusing vault SSH to get root using a OTP.
HackTheBox - Wall
Wall was an easy 30 point box created by ecdo. It started out with finding a Centreon web interface, brute forcing the API to get login credentials and then logging in to find a page where we can get command injection. We then obtained a shell as www-data through the injection point and exploited a GNU Screen SUID binary to get both the root and user flags.
HackTheBox - Chainsaw
Chainsaw was a nice 40 point box created by artikrh and absolutezero. It started out by exploiting a smart contract leveraging Web3.py, then dumping some IPFS info and cracking an RSA Private Key to get user. We then took advantage of a SUID binary to get root and used bmap to get the flag hidden within the slack space of root.txt.
HackTheBox - Jarvis
Jarvis was a nice 30 point box created by manulqwerty and Ghostpp7. It started out by finding SQL Injection in a vulnerable parameter and using sqlmap to get an os-shell, abusing a sudo script to get user and finally exploiting a SUID systemctl to get root.
HackTheBox - Ellingson
Ellingson was a nice 40 point box created by Ic3M4n. It started with finding an exposed Werkzeug Debugger and getting RCE so we could SSH in to the box. We then needed to crack some hashes to get user and pwn a SUID binary to get root.
Miscellaneous Snippets
Collection of references, commands, scripts, and tool usage examples for various things.
Linux Snippets
Small collection of Linux privilege escalation scripts, references and commands.
Shell Upgrade Cheat Sheet
Cheatsheet for upgrading regular shells to meterpreter sessions. Covering both Windows and Linux target hosts. handler.sh is mentioned throughout this post, it can be found on my github.
Cheat sheets
MIME Type Cheatsheet
Table of common MIME types as reference when testing file upload functionality, see iana media types for more info.
Shell Upgrade Cheat Sheet
Cheatsheet for upgrading regular shells to meterpreter sessions. Covering both Windows and Linux target hosts. handler.sh is mentioned throughout this post, it can be found on my github.
Meterpreter Cheat Sheet
Cheat sheet for useful meterpreter commands, modules, and scripts.
File transfer cheat sheet for Windows and Linux operating systems.
Cheat sheet for common reverse shells, mainly one liners.
Priv Esc
Linux Snippets
Small collection of Linux privilege escalation scripts, references and commands.
Windows Snippets
Small collection of Windows privilege escalation scripts, references, binaries and commands.
.lnk Command Execution
In this post we’ll be covering the different ways we can create, edit, and abuse Windows .lnk files to achieve command exection.
Abusing Windows Credentials
During a pentest there is a high chance you’ll stumble across user hashes and credentials. Knowing how to leverage these findings is essential.
Enumeration
Active Directory Domain Enumeration Part 2
Active Directory domain enumeration without leveraging PowerView or the Active Directory PowerShell module, will be continuously adding to this.
Miscellaneous Snippets
Collection of references, commands, scripts, and tool usage examples for various things.
Linux Snippets
Small collection of Linux privilege escalation scripts, references and commands.
Windows Snippets
Small collection of Windows privilege escalation scripts, references, binaries and commands.
Active Directory Domain Enumeration
Domain enumeration will require the use of either PowerView.ps1 or the Active Directory PowerShell Module.
Shells
Shell Upgrade Cheat Sheet
Cheatsheet for upgrading regular shells to meterpreter sessions. Covering both Windows and Linux target hosts. handler.sh is mentioned throughout this post, it can be found on my github.
DLL Shells
Quick post covering a few different ways to create and generate malcious DLLs for reverse/bind shells and for command execution.
Meterpreter Cheat Sheet
Cheat sheet for useful meterpreter commands, modules, and scripts.
Active Directory
Active Directory Domain Enumeration Part 2
Active Directory domain enumeration without leveraging PowerView or the Active Directory PowerShell module, will be continuously adding to this.
Active Directory Security Checklist
I recently came across the Active Directory Pro blog post Top 25 Active Directory Security Best Practices. It’s a great read for anyone interested in AD security. I decided to type up the 25 points onto my blog so I could quickly reference them easily when required.
Active Directory Domain Enumeration
Domain enumeration will require the use of either PowerView.ps1 or the Active Directory PowerShell Module.
Defence
Active Directory Security Checklist
I recently came across the Active Directory Pro blog post Top 25 Active Directory Security Best Practices. It’s a great read for anyone interested in AD security. I decided to type up the 25 points onto my blog so I could quickly reference them easily when required.
Indicators of Compromise
Top 15 IoCs
Below are the Top 15 Indicators of Compromise from DarkReading that I’ve compressed as a quick reference guide.
Windows Event Monitoring
Collection of Windows PowerShell Event log commands and Windows Event ID tables.
Web Apps
Miscellaneous Snippets
Collection of references, commands, scripts, and tool usage examples for various things.
Advanced XSS
Building on basic XSS.
Tools
Release: headi
headi is a simple HTTP header injection tool written in Go. It automates the process of attempting to bypass forbidden errors on application resources by utilising specific HTTP headers (listed in the following section).
Password Attacks
Abusing Windows Credentials
During a pentest there is a high chance you’ll stumble across user hashes and credentials. Knowing how to leverage these findings is essential.
Python
Python Snippets
Collection of basic Python code templates I’ve developed and/or used on various occasions.
XSS
Advanced XSS
Building on basic XSS.
Networking
Networking Snippets
Collection of snippets for basic network configuration and IP/CIDR ranges.
Review
HackTheBox - Cybernetics Review
Making the most out of lockdown in the UK, I decided to enroll in the new Hack The Box pro lab, Cybernetics.