I’ve never found it hard to hack most people. If you listen to them, watch them, their vulnerabilities are like a neon sign screwed into their heads.
Elliot Alderson – Mr. Robot
Recent Posts
Linux Privilege Escalation: Weak File Permissions – Writable /etc/passwd
The /etc/passwd file contains information about user accounts. It is world-readable, but usually only writable by the root user. Historically, the /etc/passwd file contained user password hashes, and some versions of Linux will still allow password hashes to be stored there. If we have write access to this file as a low level user, we…
Linux Privilege Escalation: Weak File Permissions – Writable /etc/shadow
The /etc/shadow file contains user password hashes and is usually readable only by the root user. When this file is misconfigured, and global write access is allowed, this can allow us to overwrite the root password hash with one that we control. Do do this, let’s first check the file permissions on the /etc/shadow file.…
Pass the Hash Attack with RDP
We can utilize a tool in Kali Linux called xfreerdp to pass stolen NTLM hashes to RDP servers. The syntax would look like this: xfreerdp /u:<user> /d:<domain> /pth:<hash> /v:<ipAddr>
Attacking Active Directory and Open File Shares: Capturing Password Hashes via Malicious LNK Files
If you’ve seen any of my other guides on attacking Active Directory, you’ll have noticed that I love using Responder or Inveigh to capture NTLMv2 hashes. In this tutorial, we’re still going to leverage these tools, but we’re going to force users to send us their hash in a bit different of a way. Table…
Cracking SSH Keys Using John
Once you’ve come across an SSH key, they are sometimes encrypted and require a password to be passed along with it before you’re able to successfully use it for authentication. When this occurs, we can leverage John to extract the hash used to encrypt this key and attempt to crack it offline. First, we’ll start…
How To Mount & Extract Password Hashes From VHD Files
On an engagement, you may come across VHD files that are not stored properly. This could be open on an exposed NFS or SMB share, or it could even be from a backup file that you exfiltrated. No matter how you come in contact with these files, there are many ways to go through them…
Windows Privilege Escalation: Abusing SeImpersonatePrivilege with Juicy Potato
When you’ve found yourself as a low-level user on a Windows machine, it’s always worthwhile to check what privileges your user account has. If you have the SeImpersonatePrivilege, there is a very simply attack vector that you can leverage to gain SYSTEM level access. Table of Contents Verifying Permissions and Downloading ExploitPerforming the Attack Verifying…
Pentesting Oracle Databases with The Oracle Database Exploitation Tool (ODAT)
When coming across an Oracle database, there is an awesome framework that you can use for pentesting it called The Oracle Database Exploitation Tool (ODAT). This post intends to serve as a guide for leveraging this tool, based on what Ippsec performs during his Silo video. Table of Contents: Installing ODATBruteforcing SIDsBrute Forcing User AccountsGaining…
Enumerating Valid Active Directory Usernames with KerBrute
When you come in contact with a Windows domain, you may want to try and leverage Password Spraying attacks (really, you should –they’re super effective). But how do you get a valid list of usernames to load into your password sprayer? Downloading the Tool You could leverage a tool called KerBrute to pull this off.…
Capturing & Relaying Net-NTLM Hashes Without Kali Linux Using Inveigh
I’ve recently uploaded part three of my LLMNR series. If you’ve missed it, I’ve used Responder and NTLMRelayX with Kali Linux to: Part One: Capture Net-NTLM Hashes.Part Two: Crack Net-NTLM Hashes.Part Three: Relay Net-NTLM Hashes. But what happens if you’re on a red team engagement or are otherwise unable to utilize Kali Linux? Trying to…
Abusing LLMNR/NBT-NS in Active Directory Domains: Part 3 (Relaying Net-NTLM Hashes w/ Responder & NTLMRelayX)
Other Parts in Series: Part One: Capture Net-NTLM Hashes.Part Two: Crack Net-NTLM Hashes.Part Three: Relay Net-NTLM Hashes. In this guide, I will show you how to take these captured NTLMv2 hashes and relay them to vulnerable machines on the same network, completely bypassing the need to crack them! Part 3 Table of Contents: Wait, Am…
Using CrackMapExec to Install Covenant C2 Launchers
CrackMapExec is a wonderful tool to leverage once you have valid domain credentials. If you happen to have elevated domain credentials, the possibilities become endless on what you can do. I was recently on an internal network engagement where I was able to pull down cleartext credentials to a domain admin account. CrackMapExec allowed me…
Performing RDP Man in the Middle (MitM) Attacks Using Seth.sh to Steal Passwords
Are you used to getting inundated with invalid certificate prompts when connecting to a remote machine? Way more often than not do I see self-signed certificates in play when establishing RDP connections. This always left me wondering… Surely this opens the door to a Man in the Middle Attack? Insert Seth! Which is described by…
Abusing CVE-2020-1472 (ZeroLogon)
Secura has a great blog post on this topic already, but I wanted to share my experience with actually playing with their proof-of-concept exploit code. You can read about this exploit on their blog at https://www.secura.com/blog/zero-logon. The exploit abuses the Netlogon Remote Protocol in Windows, which among other things, can be used to update computer…
Bruteforcing Usernames w/ WFuzz
In a recent post, I showed you how to Brute-force Subdomains w/ WFuzz. This time, I’m going to show you how we can use the same tool to brute-force a list of valid users. This guide is going to use Falafel from Hack The Box as an example, but does not intend to serve as…
Performing Kerberoast Attacks in Windows Active Directory
Without Authenticated User: Some user accounts may be configured with ‘Do not require Kerberos preauthentication’ set. For accounts that are configured in this way, we may not need valid user credentials to extract TGTs for cracking. The following tool from Impacket can help with this. ./GetNPUsers.py -dc-ip <targetIP> -request ‘<FQDN>/’ -format hashcat With Authenticated User:…
Cracking Group Policy Preferences File (GPP XML)
There are some great posts out there that already explain what this vulnerability is. I would suggest reading up on it over at https://adsecurity.org/?p=2288. However, if you come across an old GPP XML file, you may be able to extract a password hash from it. The file is typically found at path similar to the…
Bruteforcing Subdomains w/ WFuzz
This guide is going to use CMess from TryHack.me as an example, but does not intend to serve as a walkthrough or write-up of the machine. Before we begin, make sure you can resolve the domain name that we’re targeting. If you’re doing this in a CTF-type environment, you may need to update your /etc/hosts…
File Upload Bypass Techniques
In this guide, I’m going to show you one method to consider when you come across a file upload that only accepts PNG files. This method could theoretically be used for other file-types as well, but I’ll demonstrate uploading a PHP file on a file upload feature that “should” only allow PNG files on Popcorn…
Bypassing XSS Defenses Part 1: Finding Allowed Tags and Attributes
This post intends to serve as a guide for a common bypass technique when you’re up against a web application firewall (WAF). In the event that the WAF limits what tags and attributes are allowed to be passed, we can use BurpSuite’s Intruder functionality to learn which tags are allowed. Table of Contents: Setting the…
Exploiting Cross Site Request Forgery (CSRF) & Bypassing Defenses
Wondering what Cross Site Request Forgery is? Go check out my previous post on this topic at Let’s Talk Basics About Cross Site Request Forgery (CSRF). Ready to learn more about how to exploit it? You’re in the right place. The concepts and examples shown in this post were taken from PortSwigger’s WebSecurity Academy. Table…
Abusing Local Privilege Escalation Vulnerability in Liongard ROAR <1.9.76
Liongard ROAR is an automated documentation system that collects daily snapshots of configuration data for cloud, network, and on-premise systems. In April 2020, a local privilege escalation vulnerability was discovered that would allow an attacker the ability to modify executables placed on a system by the RoarAgent installer. Should those executables be modified to contain…
How to Crack Encrypted 7z Archives
Encrypt Your Internet Connection for as Little as $3/mo with PIA VPN Learn more Disclaimer: This content is intended to be consumed by cyber security professionals, ethical hackers, and penetration testers. Any attacks performed in this video should only be performed in environments that you control or have explicit permission to perform them on. This…
Performing DNS Zone Transfers & Viewing the Results w/ Aquatone
When you find that DNS is running on a box, you may want to check if it’s vulnerable to a DNS Zone Transfer. If it is, and you’re able to successfully perform the attack, it will return a list of all subdomains available on the server — making the enumeration process that much easier. Table…
Abusing LLMNR/NBT-NS in Active Directory Domains: Part 2 (Cracking NTLMv2 Hashes w/ Hashcat)
Other Parts in Series: In my first guide in this series, I showed you how to capture NTLMv2 hashes by utilizing a tool called Responder.py. You can find that here. In this guide, I will show you how to crack those hashes using a tool called Hashcat. Hashcat works best when you run it locally…
Abusing Zoom Webinar/Meeting Software to Steal Windows Credentials
A vulnerability exists within Zoom with the way that it handles UNC paths in its chat feature. UNC (Universal Naming Convention) paths are used by computer systems to reference network resources and typically look like the following: \\computer\share As you can see from the above text, this path is listed out in this blog post…
How To Crack Encrypted ZIP Archives
Thanks for checking out another quick hacking tutorial! This one is super simple, but helpful to know in case you come across a password protected ZIP archive that you need access to. To start, I created a couple text files on my Windows machine and stored them into an encrypted ZIP archive using 7-zip. Let’s…
How To Route Tools (Gobuster) Through a BurpSuite Proxy
There are times where you will need to troubleshoot or route your tools through a proxy in order to get the result you need. This post will serve as a general guide for configuring BurpSuite as a proxy so you can route tools through it easily, and troubleshoot things as needed. In this specific example,…
How to Brute Force Websites & Online Forms Using Hydra
Encrypt and Anonymize Your Internet Connection for as Little as $3/mo with PIA VPN. Learn More While working through NINEVAH on HackTheBack (Write-Up on this coming in a future post), I came across a couple web forms that I needed to break into. In my opinion, using the Intruder feature within BurpSuite is an easier…
Abusing LLMNR/NBT-NS in Active Directory Domains: Part 1 (Capturing NTLMv2 Hashes)
Other Parts in Series: Part One: Capture Net-NTLM Hashes.Part Two: Crack Net-NTLM Hashes.Part Three: Relay Net-NTLM Hashes. Welcome to Part 1 of this series. As each part gets released, we’ll dive deeper and deeper into the joys of LLMNR poisoning and I’ll demonstrate just how easy it makes the life of an attacker when this…
Gaining Admin Access to Windows via UtilMan.exe
In this guide, I will demonstrate how easy it is to break into a Windows machine when you have physical access, even if you have a strong password securing the account. We will go from being completely locked out, to having full Administrator access in less than 5 minutes. This is a Beginner level attack…
Stay Involved
Get new content delivered directly to your inbox.
Infinite Logins 