Windows, Linux, and Active Directory CTF Notes
  • Table of Content
  • Word of Wisdom
  • Enumeration
    • Initial enums
    • Q check on open port response
    • Q password spray
    • Q SMB NTLMv2 Theft
    • Scan behind a squid proxy
    • Port 80/443 - Web
      • CTF - param abuse
      • GitHub content access
    • Port 21 - FTP
    • Port 22 - SSH
      • Symlink and Debian OpenSSL Predictable PRNG
      • SSH private key crack
      • Create a key copy w/o pwd
    • Port 25 - SMTP
    • Port 53 - DNS
    • Port 69 - UDP/TFTP
      • AT-TFTP Server 1.9
    • Port 79 - Finger
    • Port 88 - Kerberos
    • Port 110 - Pop3
    • Port 111 - Rpcbind/portmapper
    • Port 161 - SNMP
    • Port 139/445 - SMB
    • Port 143/993 - IMAP
    • Port 161/162 - UDP/SNMP
    • Port 389/636 - LDAP
    • Port 873 - rsync
    • Port 2049 - NFS
    • Port 3306 - Mysql
    • Port 1403 - MSSQL
    • Port 5437 - Postgres
    • Port 6379 - Redis
    • Port 3389 - RDP
    • Port 5985,5986 - WinRM
    • Port 1098/1099- Pentesting Java RMI
    • Port Knocking
  • Active Directory
    • Working Directory and Files
    • First Recon
    • User Recon
      • Username bruteforcing
      • Enum SMB Shares
      • SMB Responder
    • Init Cred Acess
      • Kerberos Attack w/o password
      • Password Attack
        • Hydra
      • SYSVOL and NETLOGON
    • Init NTLMv2 Theft
    • Kerberos Quick Win
      • Service Account - Kerberoast
      • SMB Replay
    • Domain Recon
      • AD Interesting file location
    • AD Attack Recon
    • Bloodhound Walkthrough
      • Common Usage
      • Manual Path Analysis
      • AD-Miner
      • ACL Abuse
    • Kerberos Attack
      • Kerberoast
      • ASREProast
      • Get the ticket
      • Pass the ticket
      • Overpass-the-hash Attack
      • Kerberos based Enum and Attack Samples
      • Silver Ticket
        • CTF: Silver Ticket - Privilege Escalation
      • Golden Ticket
        • CTF: Golden Ticket Walkthrough
    • ACL Abuse
      • ForcePasswordChange
      • ACL Abuse and Shadow Credential
      • Resource Based Constrained Delegation
    • Group Policy Abuse
      • GPO modification attack
      • GPP (Group Policy Preference) credential discovery
    • Logon Script Abuse
    • ADCS attacks
    • KrbRelayUp
    • Azure Connect Exploit
    • gMSA account
    • Dumping Domain Credentials
      • Secretdump.py
      • ntdsutil.exe - no credential required
      • Diskshadow - No credential required
      • vssadmin - no credential required
      • Wmic and Vssadmin Shadow Copy
      • Mimikatz
  • Windows Priv
    • Quick win
      • Local Service to SYSTEM
    • Initial Harvesting - Usual Spots
    • UAC Bypass
      • UACME - Best
    • Enable Privileges
    • Local Enumeration
      • Page
      • .Net Version Check
      • File and Directory permissions
    • Other quick wins
    • Service Privilege Escalation
    • Scheduled Tasks
    • Token Abuse
      • SeBackup (with SeRestorePrivilege)
      • SeManageVolumePrivilege
      • SeRetorePrivilege
      • SeTakeOwnership
      • SeDebugPrivilege
    • Runas
    • Potato
    • GMSA password retrieval
    • LAPS password
    • MySQL
      • Write permission
      • Library - MySQL UDF
  • Linux Priv
    • Common Tips
      • Local File Enumeration
    • Quick win - Sudo -l
    • READ Source code & binary
    • Local Enumeration Tools
    • Sudo
      • GTFOBins - Sudo
      • LD_PRELOAD
      • LD_LIBRARY_PATH
      • Sudo via intended functionality
      • Sudo 1.8.27 Security Bypass
      • CVE 2019-18634 (Buf Overflow)
      • CVE 2021-3156 (Heap Overflow)
    • SUID / SGID Files
    • Weak File Permissions
      • Writeable /etc/passwd
      • Readable /etc/shadow
      • Writeable scripts - run by root
    • Cron Jobs
      • PATH environment abuse
      • PATH environment abuse 2
      • Wildcard and cronjob
    • Password Hunting
    • ld.so PrivEsc Example
    • Add more from basic to modern
    • No_root_squash option
    • Ansible
    • YAML
    • Docker
      • Docker escape
      • lxd/lxc group
      • Moby Docker Engine PrivEsc
    • Git
    • Python Code Injection
    • Apache Conf Privilege Escalation
  • Credential Access
    • Default password and common password
    • Password cracking
      • Hash Cracking Techniques
      • Linux shadow
      • Linux shadow passwd
      • Windows - SAM hash
      • Windows - SecureString in Powershell
      • SSH id_rsa
      • Zip
      • PDF
      • Office
      • KeePass database
      • JWT Token
      • VNC
    • Brute-Force attack
    • Password spraying
    • Extract credentials from images
  • Pivoting / Network
    • Ligolo-ng
      • Local ports(127.0.0.1)
    • SSH
      • SSH key gen for remote port forwarding
      • ssh permission
    • Quick port-scan
    • sshuttle
    • Ping check
  • File Transfer
    • Recursive Download
    • Recursive Read
    • Zip/Unzip
  • Web Attacks
    • Web Enumeration
    • File Upload
      • File Upload with reverse shell
      • File Extension Discovery for upload
      • File Upload Bypass
        • .htaccess to allow extension
        • File Upload Bypass Checklist
    • SQL Injection
      • sqlmap
    • LFI/RFI
      • Concept
      • Log poisoning
      • PHP Wrapper
      • Dir Enumeration
    • Command Injection
    • XSS
    • Mass Assignment
    • WebDAV
  • Database Attacks
    • MySQL
      • Privilege Escalation - MySQL 4.x/5.0
    • MSSQL
      • sqsh
      • mssqlclient
      • Responder
      • Directory Enumeration
    • Postgresql
    • Oracle
    • Redis
      • PHP web-shell
      • SSH key push
      • Cron job
      • Load Redis module
    • Mongo
    • KeePass kdbx
    • SQLite
  • Metasploit
    • Basic Usage
    • msfvenom
    • Local Exploit Suggester
    • Update Metasploit
  • File Enum & Hunting
    • Linux - Local Password/Files
    • Win - Local Passwords/Files
    • SSH
    • Binary/Image Analysis
  • Unix Commands
    • awk and sed
    • grep, cut, list size, and sort
    • archive, compress, and extract
  • Code Analysis
    • Framework Checker
    • Access to Source Code
    • Windows exe disassebler
  • Reverse Shell
    • Open Port Check
  • Remote Access & Lateral Movement
  • RCE Collection
    • Linux
      • Shellshock
      • preg_replace() in PHP
      • Asset () in PHP
      • Eval() in Ruby
      • Eval() in Python
      • str() in Python
    • Windows
      • Macro
      • MS17-010
      • ViewState
    • CMS and Platform
      • WebDav
      • Jenkins / askjeeves
      • H2 Database Engine
      • WordPress
      • Tomcat
      • Joomla!
    • Software
      • ClamAV
  • Compiling
    • C# example - Generic
    • C# example - Run
  • Interactive Shell
  • Reverse Shell
  • Post Exploitation
    • Backdoor
    • Secrentsdump.py
    • mimikatz
    • meterpreter - mimikatz
    • samdump2
    • spraykatz
Powered by GitBook
On this page
  • RCP (139, 445) MS-RPC - The Hacker Recipes
  • SMB (139,445) enum4linux ⚙️ - The Hacker Recipes
  • SMB (139,445) - Domain Users
  • Kerberos (88)
  • LDAP TCP (389)
  • LDAP TCP (389) - User Description
  • SSL (443)
  1. Active Directory

User Recon

This section lists AD user recon techniques for common ports. Finding domain users and their credentials is the most important part of the Active Directory penetration testing.

RCP (139, 445) MS-RPC - The Hacker Recipes

# No password
rpcclient -U '' -N $RHOST

# rpcclient userful commands to enumerate users and groups 
>enumdomusers
>enumdomgroups
>querydispinfo
>querydominfo 

# With password
rpcclient -U Throwback.local/BlaireJ 10.200.74.117

# Create a usernames.txt
vi enumdomusers.txt
# Copy and paste it to the enumdomusers.txt

cat enumdomusers.txt | cut -d ':' -f 2 | cut -d '[' -f 2 | cut -d ']' -f 1 > usernames.txt

SMB (139,445) enum4linux ⚙️ - The Hacker Recipes

# Enumeratae AD machine 
enum4linux $RHOST 
enum4linux-ng.py -A $RHOST

# Check if you can collect the usernames
crackmapexec smb $RHOST --users
crackmapexec smb $RHOST -u '' -p '' --users 
crackmapexec smb $RHOST -u 'anyuser' -p '' --users

# Check if you can enumerate users by bruteforcing the RID on the remote target
cme smb rebound.htb -u guest -p '' --shares --rid-brute 10000

# With username and password
cme smb $RHOST -u svc-alfresco -p s3rvice --shares

SMB (139,445) - Domain Users

net rpc group members 'Domain Users' -W 'NORTH' -I $RHOST -U '%'

Kerberos (88)

kerbrute userenum /usr/share/seclists/Usernames/Names/names.txt -d <domain name> --dc $RHOST 
	
# Large list of username only if you cannot find any users
kerbrute userenum /usr/share/seclists/Usernames/xato-net-10-million-usernames.txt -d <domain name> --dc $RHOST

See Kerberos attacks section for attack techniques.

LDAP TCP (389)

# Search ldap based information. You might find some juicy info. 
ldapsearch -H ldap://$RHOST -x -s base namingcontexts
ldapsearch -H ldap://$RHOST -x -b " DC=DANTE,DC=local"
ldapsearch -H ldap://$RHOST -D '' -w '' -b "dc=dante,dc=local"
ldapsearch -H ldap://$RHOST -D '' -w '' -b "dc=cascade,dc=local" | grep -iE '(password|pwd|pass|info|desc)'

# Check if you can use username and password
cme ldap $RHOST -u ldap -p 'nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz'
# Search all objects 
ldapsearch -H ldap://support.htb -D ldap@support.htb -w 'nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz' -b "dc=support,dc=htb" "*"

# In case of Additional Security Error (AcceptSecurityContext error, etc.), may add -Y option with GSSAPI. 
ldapsearch -H ldap://dc.absolute.htb -Y GSSAPI -b "cn=users,dc=absolute,dc=htb" users description

LDAP TCP (389) - User Description

# Query to get user descrition via cme ldap and get-desc-users module
cme ldap 192.168.56.11 -d north.sevenkingdoms.local -u brandon.stark -p iseedeadpeople -M get-desc-users

SSL (443)

Check certificate with common name/issuer name

PreviousFirst ReconNextUsername bruteforcing

Last updated 1 year ago