# Advanced Exploitation
[TOC]
## LAB
### [Steel Mountain](/ViRNEMUbTzibri0epVHm2A)
File server -> download nc.exe from the attacker machine
Windows -> unquoted service path (privilege escalation)
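How the unquoted service path check actually works, as an added example for these notes (not code from the Steel Mountain room): for each space in an unquoted ImagePath, Windows tries `<prefix>.exe` before reaching the real binary, so every such prefix whose directory you can write to is a hijack point. The service entries and the writable-directory list below are constructed; in practice the paths come from `Get-CimInstance Win32_Service` (PathName column) and the writable directories from an ACL check (icacls / Get-Acl).

```python
"""Unquoted service path hijack candidates (added example, not from the lab)."""
import ntpath


def hijack_candidates(image_path: str) -> list[str]:
    """Return the <prefix>.exe paths Windows tries before the real executable.

    A quoted path is safe and yields no candidates. Arguments after the
    executable are ignored: only spaces inside the executable path matter.
    """
    path = image_path.strip()
    if path.startswith('"'):
        return []
    # Everything up to and including the first ".exe" is the executable path;
    # what follows (e.g. "-k netsvcs") are arguments.
    end = path.lower().find(".exe")
    exe_path = path if end == -1 else path[: end + len(".exe")]
    candidates = []
    for i, ch in enumerate(exe_path):
        if ch == " ":
            candidates.append(exe_path[:i] + ".exe")
    return candidates


def exploitable(image_path: str, writable_dirs) -> list[str]:
    """Keep only candidates whose parent directory is in writable_dirs.

    writable_dirs is the result of an ACL check done separately (icacls or
    Get-Acl); it is passed in so the function runs offline.
    """
    writable = {d.rstrip("\\").lower() for d in writable_dirs}
    return [
        c for c in hijack_candidates(image_path)
        if ntpath.dirname(c).rstrip("\\").lower() in writable
    ]


if __name__ == "__main__":
    # Constructed service entries in the shape of the PathName column from
    # `Get-CimInstance Win32_Service | Select Name, PathName`.
    services = {
        "VendorSvc": r"C:\Program Files\Vendor Tool\bin\svc.exe -run",
        "Quoted":    r'"C:\Program Files\Vendor Tool\bin\svc.exe" -run',
        "Spooler":   r"C:\Windows\System32\spoolsv.exe",
    }
    # Constructed ACL result: assume the current user can write here.
    writable = [r"C:\Program Files"]
    for name, p in services.items():
        print(name, hijack_candidates(p), "->", exploitable(p, writable))
```

Only the entries returned by `exploitable()` matter; `C:\Program.exe` is usually listed but not usable because `C:\` is not writable by a normal user. After dropping the payload, the service still has to be restarted (or the box rebooted) for it to run.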
---
### [Alfred](/x5QzhJXNRpKAyz373nfTpA)
web -> weak password, then could execute PowerShell (PSH)
Windows -> token impersonation
---
### [HackPark](/B5OZ2NZrQkaG_EKq7bSm_Q)
web -> weak password (web form) + path traversal + vulnerable file upload
Windows scheduled task -> the file it runs can be replaced (insecure permissions)
---
### [Game Zone](/76GpFn5KQoq0UVyrowzCBQ)
web -> SQLi -> dump DB -> crack the dumped password hash -> log in via SSH
SSH tunnel (local port forward) -> reach the service blocked by the firewall (webmin on 10000)
privilege escalation -> metasploit
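The "dump DB -> crack" step, as an added example for these notes (not code from the Game Zone room): identify the hash type first, then run a dictionary attack against the dumped rows. The rows and the wordlist are constructed; a real run would feed rockyou.txt or similar, and the digest-length guess is only a shortlist (32 hex chars could be MD5 or NTLM). An optional fixed salt is supported because some schemes append or prepend one.

```python
"""Offline dictionary attack on hashes from a SQLi dump (added example, not from the lab)."""
import hashlib
from typing import Iterable, Optional

# Digest length in hex characters -> plausible unsalted algorithms (shortlist only).
DIGEST_LENGTHS = {32: ["md5"], 40: ["sha1"], 64: ["sha256"], 128: ["sha512"]}


def guess_algos(hex_digest: str) -> list[str]:
    """Candidate algorithms by digest length; non-hex input yields nothing."""
    hex_digest = hex_digest.strip()
    if not hex_digest or any(c not in "0123456789abcdefABCDEF" for c in hex_digest):
        return []
    return DIGEST_LENGTHS.get(len(hex_digest), [])


def digest(word: str, algo: str, salt: str = "", salt_first: bool = False) -> str:
    """Hash one candidate, with the salt appended (default) or prepended."""
    data = (salt + word) if salt_first else (word + salt)
    return hashlib.new(algo, data.encode()).hexdigest()


def crack(target: str, algo: str, wordlist: Iterable[str],
          salt: str = "", salt_first: bool = False) -> Optional[str]:
    """Return the first wordlist entry whose digest matches target, else None."""
    target = target.strip().lower()
    for word in wordlist:
        if digest(word, algo, salt, salt_first) == target:
            return word
    return None


def crack_dump(rows, wordlist, salt: str = "", salt_first: bool = False) -> dict:
    """rows: (username, hex_hash) pairs as dumped from the users table.
    Every algorithm suggested by the digest length is tried in turn."""
    result = {}
    for user, h in rows:
        found = None
        for algo in guess_algos(h):
            found = crack(h, algo, wordlist, salt, salt_first)
            if found is not None:
                break
        result[user] = found
    return result


# Constructed wordlist (stand-in for rockyou.txt).
WORDLIST = ["123456", "password", "letmein", "Summer2019!", "qwerty"]

# Constructed dump rows. The first value is the well-known MD5 of "password";
# the second is built here as SHA-256 so the example stays self-contained;
# the third is a SHA-256-length digest that matches nothing in the list.
SAMPLE_DUMP = [
    ("admin", "5f4dcc3b5aa765d61d8327deb882cf99"),
    ("agent", hashlib.sha256(b"Summer2019!").hexdigest()),
    ("nobody", "00" * 32),
]

if __name__ == "__main__":
    for user, pw in crack_dump(SAMPLE_DUMP, WORDLIST).items():
        print(f"{user}: {pw!r}")
```

For anything beyond a demo, hand the identified hash type to john or hashcat; this loop is single-threaded Python and exists to make the identify-then-crack procedure explicit.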
---
### [Skynet](/Fqc7RJoRS2KMo9CZlxupMA)
SMB -> information leak
web -> webmail login (brute force with hydra)
web -> CMS with a remote file inclusion (RFI) vulnerability
privilege -> linPEAS -> kernel exploit
---
### [Daily Bugle](/C0FLXSqURMuFTE1bjGtc6Q)
enumerate web directories -> administrator login page / SQLi -> initial access
privilege -> sudo yum
---
### [OverPass2](/wAhWcLpsQGaoN7_55MQAuA)
upload web shell -> initial access
stabilize shell -> python (pty spawn)
persistence -> SSH backdoor
hack back -> reuse the attacker's SSH backdoor
privilege -> SUID bash -> bash -p
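The SUID check behind both the linPEAS step (Skynet) and the `bash -p` step here, as an added example for these notes (not code from either room): walk the filesystem, keep regular files with the setuid or setgid bit set, and flag names known to hand over a shell. `classify()` is kept pure so it can be checked on constructed (path, mode) pairs; `walk_modes()` feeds it a real tree. The shell-capable shortlist is partial and is an assumption here (GTFOBins is the reference).

```python
"""Setuid/setgid enumeration (added example, not from the labs)."""
import os
import stat
from typing import Iterable

# Partial shortlist of binaries that yield a root shell when setuid root (assumed list).
SHELL_CAPABLE = {"bash", "sh", "dash", "zsh", "find", "vim", "python", "python3", "perl", "env"}


def walk_modes(root: str) -> Iterable[tuple[str, int]]:
    """Yield (path, st_mode) for every regular file under root."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # unreadable or vanished: skip rather than abort the scan
            if stat.S_ISREG(st.st_mode):
                yield path, st.st_mode


def classify(entries: Iterable[tuple[str, int]]) -> list[dict]:
    """Return entries with setuid or setgid set, shell-capable names first."""
    hits = []
    for path, mode in entries:
        suid = bool(mode & stat.S_ISUID)
        sgid = bool(mode & stat.S_ISGID)
        if not (suid or sgid):
            continue
        hits.append({
            "path": path,
            "suid": suid,
            "sgid": sgid,
            "shell_capable": os.path.basename(path) in SHELL_CAPABLE,
        })
    return sorted(hits, key=lambda h: (not h["shell_capable"], h["path"]))


if __name__ == "__main__":
    # Same thing as `find / -perm -4000 -type f 2>/dev/null`, restricted to /usr/bin here.
    for hit in classify(walk_modes("/usr/bin")):
        flag = "!!" if hit["shell_capable"] else "  "
        print(flag, "suid" if hit["suid"] else "    ", "sgid" if hit["sgid"] else "    ", hit["path"])
```

Why `-p` matters: a setuid bash resets its effective uid to the real uid on startup unless it is started in privileged mode, so plain `bash` drops the root privilege the bit gave it while `bash -p` keeps euid 0.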
### [Relevant](/-168LdNzSzu8Sent_07glg)
### [internal](/vYPoLSNiTaSUHrJofYo86w)