Lab

Initial low-privilege access

  • CVE Exploitation ****

  • RFI, e.g. php-reverse-shell.php

  • Directory traversal exposing a password file

  • FTP access point to upload asp-reverse-shell.asp

  • Macro Exploitation

  • WordPress admin access: upload a reverse shell by editing the theme's 404 page

  • hydra password brute force against a login service

  • SMTP/POP: read a user's mailbox to obtain credentials

  • Default user account password (admin/admin, root/root)

**** the most common route to initial low-privilege access.

Common Privilege Escalation

Exploitation type (suggested tool or technique)

  • SMB exploit (MS17-010, zzz_exploit.py)

  • OS kernel exploit (Dirty Cow)

  • Application vulnerability (upload a reverse TCP shell)

  • SeImpersonatePrivilege held by the service account (Juicy Potato)

  • SMB misconfiguration

    • writable share: upload a reverse TCP shell

    • weak credentials: default password

  • Bypass UAC (mimikatz)

  • Same password hash reused across hosts: pass-the-hash (mimikatz)

  • Sudo escape (sudo -l)

  • SUID file permission

  • Docker escape: a user in the docker group mounts the host's /root into a container (/usr/bin/docker run -it -v /root:/fkclai ubuntu)
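
The Linux checks in the list above (sudo -l, SUID file permissions, docker group membership) as one triage script. This is an added example, not part of the original notes; the function names, the SUID_WATCHLIST subset and the SAMPLE_SUDO_L output are this example's own constructions.

```shell
#!/bin/sh
# Added example: Linux privilege-escalation triage for the checks listed above.
# Function names and the watch list are assumptions of this example.

# Hand-picked SUID binaries that hand over a root shell directly
# (assumption: a short subset; GTFOBins documents the full set).
SUID_WATCHLIST="bash sh dash find vim vi nano nmap python python3 perl less more cp mv tar env awk docker"

# Constructed sample of `sudo -l` output, used by demo() and for testing the parser.
SAMPLE_SUDO_L='Matching Defaults entries for www-data on target:
    env_reset, mail_badpass

User www-data may run the following commands on target:
    (root) NOPASSWD: /usr/bin/find, /usr/bin/vim
    (ALL) /usr/bin/less'

# find_suid ROOT: every setuid file under ROOT, one path per line.
# Permission errors are silenced so the scan completes as a low-privilege user.
find_suid() {
    find "$1" -xdev -type f -perm -4000 2>/dev/null
}

# flag_suid ROOT: the subset of find_suid output whose basename is on SUID_WATCHLIST.
flag_suid() {
    find_suid "$1" | while IFS= read -r path; do
        name=${path##*/}
        for known in $SUID_WATCHLIST; do
            if [ "$name" = "$known" ]; then
                printf '%s\n' "$path"
                break
            fi
        done
    done
}

# parse_sudo_nopasswd: read `sudo -l` output on stdin and print each command that
# runs as another user with no password, one per line (sudo escape candidates).
parse_sudo_nopasswd() {
    grep -E '^[[:space:]]*\([^)]*\)[[:space:]]+NOPASSWD:' \
    | sed -E 's/^.*NOPASSWD:[[:space:]]*//' \
    | tr ',' '\n' \
    | sed -E 's/^[[:space:]]+//; s/[[:space:]]+$//' \
    | grep -v '^$'
}

# in_group NAME [USER]: succeed if USER (default: the current user) is in group NAME.
# Membership in docker is effectively root: the daemon will mount any host path.
in_group() {
    id -nG ${2:+"$2"} 2>/dev/null | tr ' ' '\n' | grep -qx "$1"
}

# triage ROOT: run all checks against the live system and print findings.
triage() {
    root=${1:-/}
    echo "[*] sudo NOPASSWD entries:"
    sudo -n -l 2>/dev/null | parse_sudo_nopasswd
    echo "[*] watch-listed SUID binaries under $root:"
    flag_suid "$root"
    if in_group docker; then
        echo "[!] current user is in the docker group:"
        echo "    docker run -it -v /root:/mnt ubuntu   # host /root readable at /mnt"
    fi
}

# demo: exercise the parser on the constructed sample and the SUID scan on a
# throwaway directory holding a fake setuid 'find' (a constructed fixture).
demo() {
    tmp=$(mktemp -d)
    touch "$tmp/find" "$tmp/ordinary"
    chmod 4755 "$tmp/find" "$tmp/ordinary"
    echo "[demo] sudo escape candidates:"
    printf '%s\n' "$SAMPLE_SUDO_L" | parse_sudo_nopasswd
    echo "[demo] watch-listed SUID files:"
    flag_suid "$tmp"
    rm -rf "$tmp"
}

case "${1:-}" in
    --demo)   demo ;;
    --triage) triage "${2:-/}" ;;
esac
```

Run `sh privtriage.sh --demo` for the offline fixture, or `sh privtriage.sh --triage /` on the target. Every SUID hit still needs a manual look: the watch list only ranks candidates, and a binary not on it may still be exploitable.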

Completed Lab

  • 10.11.1.5 (Alice)

  • 10.1.1.7

  • 10.11.1.8 (phoenix)

  • 10.11.1.10 (mike)

  • 10.11.1.13 (disco)

  • 10.11.1.14 (bob)

  • 10.11.1.20 (SV-DC01)

  • 10.11.1.21 (SVCLIENT73)

  • 10.11.1.22 (SVCLIENT08)

  • 10.11.1.24 (SVCLIENT73)

  • 10.1.1.246 [IT Dept] (SEAN)

  • 10.1.11.31 (RALPH)

  • 10.11.1.35 (PAIN)

  • 10.11.1.39 (leftturn)

  • 10.11.1.44

  • 10.11.1.50 (bethany)

  • 10.11.1.71 (alpha)

  • 10.11.1.72 (beta)

  • 10.11.1.73 (gamma)

  • 10.11.1.75 (bruce)

  • 10.11.1.79

  • 10.11.1.101 (Harder)

  • 10.11.1.111

  • 10.11.1.115 (Tophat)

  • 10.11.1.116 (Dotty)

  • 10.11.1.118

  • 10.11.1.123 (xor-APP59)

  • 10.11.1.121 (xor-APP23)

  • 10.11.1.122 (xor-APP07)

  • 10.11.1.120 (xor-APP59)

  • 10.11.1.128 (DJ)

  • 10.11.1.133 (gh0st)

  • 10.11.1.136 (sufferance)

  • 10.11.1.141 (fc)

  • 10.11.1.146 (SUSIE)

  • 10.11.1.209 (kraken)

  • 10.11.1.217 (hotline)

  • 10.11.1.220

  • 10.11.1.221

  • 10.11.1.222

  • 10.11.1.223 (jeff)

  • 10.11.1.226 (joe)

  • 10.11.1.227 (jd)

  • 10.11.1.229 (mail)

  • 10.11.1.231 (mailman)

  • 10.11.1.234 (core)

  • 10.11.1.237 (humble)

  • 10.11.1.241 (Parrot)