Windows, Linux, and Active Directory CTF Notes
  • Table of Content
  • Word of Wisdom
  • Enumeration
    • Initial enums
    • Q check on open port response
    • Q password spray
    • Q SMB NTLMv2 Theft
    • Scan behind a squid proxy
    • Port 80/443 - Web
      • CTF - param abuse
      • GitHub content access
    • Port 21 - FTP
    • Port 22 - SSH
      • Symlink and Debian OpenSSL Predictable PRNG
      • SSH private key crack
      • Create a key copy w/o pwd
    • Port 25 - SMTP
    • Port 53 - DNS
    • Port 69 - UDP/TFTP
      • AT-TFTP Server 1.9
    • Port 79 - Finger
    • Port 88 - Kerberos
    • Port 110 - Pop3
    • Port 111 - Rpcbind/portmapper
    • Port 161 - SNMP
    • Port 139/445 - SMB
    • Port 143/993 - IMAP
    • Port 161/162 - UDP/SNMP
    • Port 389/636 - LDAP
    • Port 873 - rsync
    • Port 2049 - NFS
    • Port 3306 - Mysql
    • Port 1403 - MSSQL
    • Port 5437 - Postgres
    • Port 6379 - Redis
    • Port 3389 - RDP
    • Port 5985,5986 - WinRM
    • Port 1098/1099- Pentesting Java RMI
    • Port Knocking
  • Active Directory
    • Working Directory and Files
    • First Recon
    • User Recon
      • Username bruteforcing
      • Enum SMB Shares
      • SMB Responder
    • Init Cred Acess
      • Kerberos Attack w/o password
      • Password Attack
        • Hydra
      • SYSVOL and NETLOGON
    • Init NTLMv2 Theft
    • Kerberos Quick Win
      • Service Account - Kerberoast
      • SMB Replay
    • Domain Recon
      • AD Interesting file location
    • AD Attack Recon
    • Bloodhound Walkthrough
      • Common Usage
      • Manual Path Analysis
      • AD-Miner
      • ACL Abuse
    • Kerberos Attack
      • Kerberoast
      • ASREProast
      • Get the ticket
      • Pass the ticket
      • Overpass-the-hash Attack
      • Kerberos based Enum and Attack Samples
      • Silver Ticket
        • CTF: Silver Ticket - Privilege Escalation
      • Golden Ticket
        • CTF: Golden Ticket Walkthrough
    • ACL Abuse
      • ForcePasswordChange
      • ACL Abuse and Shadow Credential
      • Resource Based Constrained Delegation
    • Group Policy Abuse
      • GPO modification attack
      • GPP (Group Policy Preference) credential discovery
    • Logon Script Abuse
    • ADCS attacks
    • KrbRelayUp
    • Azure Connect Exploit
    • gMSA account
    • Dumping Domain Credentials
      • Secretdump.py
      • ntdsutil.exe - no credential required
      • Diskshadow - No credential required
      • vssadmin - no credential required
      • Wmic and Vssadmin Shadow Copy
      • Mimikatz
  • Windows Priv
    • Quick win
      • Local Service to SYSTEM
    • Initial Harvesting - Usual Spots
    • UAC Bypass
      • UACME - Best
    • Enable Privileges
    • Local Enumeration
      • Page
      • .Net Version Check
      • File and Directory permissions
    • Other quick wins
    • Service Privilege Escalation
    • Scheduled Tasks
    • Token Abuse
      • SeBackup (with SeRestorePrivilege)
      • SeManageVolumePrivilege
      • SeRetorePrivilege
      • SeTakeOwnership
      • SeDebugPrivilege
    • Runas
    • Potato
    • GMSA password retrieval
    • LAPS password
    • MySQL
      • Write permission
      • Library - MySQL UDF
  • Linux Priv
    • Common Tips
      • Local File Enumeration
    • Quick win - Sudo -l
    • READ Source code & binary
    • Local Enumeration Tools
    • Sudo
      • GTFOBins - Sudo
      • LD_PRELOAD
      • LD_LIBRARY_PATH
      • Sudo via intended functionality
      • Sudo 1.8.27 Security Bypass
      • CVE 2019-18634 (Buf Overflow)
      • CVE 2021-3156 (Heap Overflow)
    • SUID / SGID Files
    • Weak File Permissions
      • Writeable /etc/passwd
      • Readable /etc/shadow
      • Writeable scripts - run by root
    • Cron Jobs
      • PATH environment abuse
      • PATH environment abuse 2
      • Wildcard and cronjob
    • Password Hunting
    • ld.so PrivEsc Example
    • Add more from basic to modern
    • No_root_squash option
    • Ansible
    • YAML
    • Docker
      • Docker escape
      • lxd/lxc group
      • Moby Docker Engine PrivEsc
    • Git
    • Python Code Injection
    • Apache Conf Privilege Escalation
  • Credential Access
    • Default password and common password
    • Password cracking
      • Hash Cracking Techniques
      • Linux shadow
      • Linux shadow passwd
      • Windows - SAM hash
      • Windows - SecureString in Powershell
      • SSH id_rsa
      • Zip
      • PDF
      • Office
      • KeePass database
      • JWT Token
      • VNC
    • Brute-Force attack
    • Password spraying
    • Extract credentials from images
  • Pivoting / Network
    • Ligolo-ng
      • Local ports(127.0.0.1)
    • SSH
      • SSH key gen for remote port forwarding
      • ssh permission
    • Quick port-scan
    • sshuttle
    • Ping check
  • File Transfer
    • Recursive Download
    • Recursive Read
    • Zip/Unzip
  • Web Attacks
    • Web Enumeration
    • File Upload
      • File Upload with reverse shell
      • File Extension Discovery for upload
      • File Upload Bypass
        • .htaccess to allow extension
        • File Upload Bypass Checklist
    • SQL Injection
      • sqlmap
    • LFI/RFI
      • Concept
      • Log poisoning
      • PHP Wrapper
      • Dir Enumeration
    • Command Injection
    • XSS
    • Mass Assignment
    • WebDAV
  • Database Attacks
    • MySQL
      • Privilege Escalation - MySQL 4.x/5.0
    • MSSQL
      • sqsh
      • mssqlclient
      • Responder
      • Directory Enumeration
    • Postgresql
    • Oracle
    • Redis
      • PHP web-shell
      • SSH key push
      • Cron job
      • Load Redis module
    • Mongo
    • KeePass kdbx
    • SQLite
  • Metasploit
    • Basic Usage
    • msfvenom
    • Local Exploit Suggester
    • Update Metasploit
  • File Enum & Hunting
    • Linux - Local Password/Files
    • Win - Local Passwords/Files
    • SSH
    • Binary/Image Analysis
  • Unix Commands
    • awk and sed
    • grep, cut, list size, and sort
    • archive, compress, and extract
  • Code Analysis
    • Framework Checker
    • Access to Source Code
    • Windows exe disassebler
  • Reverse Shell
    • Open Port Check
  • Remote Access & Lateral Movement
  • RCE Collection
    • Linux
      • Shellshock
      • preg_replace() in PHP
      • Asset () in PHP
      • Eval() in Ruby
      • Eval() in Python
      • str() in Python
    • Windows
      • Macro
      • MS17-010
      • ViewState
    • CMS and Platform
      • WebDav
      • Jenkins / askjeeves
      • H2 Database Engine
      • WordPress
      • Tomcat
      • Joomla!
    • Software
      • ClamAV
  • Compiling
    • C# example - Generic
    • C# example - Run
  • Interactive Shell
  • Reverse Shell
  • Post Exploitation
    • Backdoor
    • Secrentsdump.py
    • mimikatz
    • meterpreter - mimikatz
    • samdump2
    • spraykatz
Powered by GitBook
On this page
  • IP Range
  • Rustscan
  • Nmap
  • nmapAutomator
  • Autorecon
  • NmapAutomator
  • Sparta
  1. Enumeration

Initial enums

This will capture initial reconnaissance data from target network and hosts. We run the commands below for almost all CTF environments all the time.

IP Range

netdiscover -r 10.10.10.0/24 
nmap -sn 10.11.1.1-255 | grep "Nmap scan report for" | cut -d " " -f 5
nmap -sP -PR -n 10.11.1.1-254 | grep "Nmap scan report for" | cut -d" " -f5

Rustscan

# Export RHOST=<IP Address>

rustscan $RHOST -t 500 -b 1500 -- -A
-t: the number of threads
-b: sets the rate at which packets are sen
--: to separate a command for nmap
-A: all in nmap option

Nmap

nmap -sC -sV -oA nmap/init $RHOST
sudo nmap -p- -sV -vv --open --reason $RHOST
sudo nmap -vv -sC -sV -p- -oA nmap/all --max-retries 0 $RHOST

# OneTwoPunch
https://raw.githubusercontent.com/superkojiman/onetwopunch/master/onetwopunch.sh
onetwopunch.sh ip.txt tcp

# Scan for UDP
nmap 10.11.1.111 -sU
unicornscan -mU -v -I 10.11.1.111

# Connect to tcp/udp if one is open
nc 10.10.10.10 80
nc -u 10.11.1.111 48772

nmapAutomator

sudo nmapAutomator -H $RHOST -t All -o nmapautomator/

Autorecon

sudo -E su -p
autorecon.py -vv -o autorecon/ 10.10.10.143
/opt/enum/AutoRecon/autorecon.py -vv -o autorecon/ $RHOST

NmapAutomator

nmapAutomator.sh -H $RHOST -t All

Sparta

# This may be run for assurance.
https://github.com/SECFORCE/sparta

/cd /opt/enum/sparta
python3 sparta.py

PreviousEnumerationNextQ check on open port response

Last updated 1 year ago