Lab
Initial low privilege access
CVE Exploitation ****
RFI, e.g. php-reverse-shell.php
Directory traversal, password file found
FTP access point to upload asp-reverse-shell.asp
Macro Exploitation
WordPress Admin upload reverse shell at 404 page
hydra login password
SMTP/POP read an email to obtain a user credential
Default user account password (admin/admin, root/root)
**** marks the most common route to initial low privilege access.
Common Privilege Escalation
Exploitation Type (suggested solution)
SMB Exploit (zzz_exploit.py)
OS Kernel Exploit (Dirty COW)
Application Vulnerability (reverse tcp shell upload)
SeImpersonatePrivilege (Juicy Potato)
SMB Configuration
file upload (reverse TCP shell)
password (using default password)
Bypass UAC (mimikatz)
Same password hash using HtB (mimikatz)
Sudo escape (sudo -l)
SUID file permission
Docker escape (Docker PE: /usr/bin/docker run -it -v /root:/fkclai ubuntu)
Completed Lab
10.11.1.5 (Alice) 10.1.1.7 10.11.1.8 (phoenix) 10.11.1.10 (mike) 10.11.1.13 (disco) 10.11.1.14 (bob) 10.11.1.20 (SV-DC01) 10.11.1.21 (SVCLIENT73) 10.11.1.22 (SVCLIENT08) 10.11.1.24 (SVCLIENT73) 10.1.1.246[IT Dept] (SEAN) 10.1.11.31 (RALPH) 10.11.1.35 (PAIN) 10.11.1.39 (leftturn) 10.11.1.44 10.11.1.50 (bethany) 10.11.1.71 (alpha) 10.11.1.72 (beta) 10.11.1.73 (gamma) 10.11.1.75 (bruce) 10.11.1.79 10.11.1.101 (Harder) 10.11.1.111 10.11.1.115 (Tophat) 10.11.1.116 (Dotty) 10.11.1.118 10.11.1.123 (xor-APP59) 10.11.1.121 (xor-APP23) 10.11.1.122 (xor-APP07) 10.11.1.120 (xor-APP59) 10.11.1.128 (DJ) 10.11.1.133 (gh0st) 10.11.1.136 (sufferance) 10.11.1.141 (fc) 10.11.1.146 (SUSIE) 10.11.1.209 (kraken) 10.11.1.217 (hotline) 10.11.1.220 10.11.1.221 10.11.1.222 10.11.1.223 (jeff) 10.11.1.226 (joe) 10.11.1.227 (jd) 10.11.1.229 (mail) 10.11.1.231 (mailman) 10.11.1.234 (core) 10.11.1.237 (humble) 10.11.1.241 (Parrot)