Lab
CVE Exploitation ****
RFI, e.g. php-reverse-shell.php
Directory traversal password file found
FTP access point to upload asp-reverse-shell.asp
Macro Exploitation
WordPress Admin upload reverse shell at 404 page
hydra login password
SMTP/POP read an email to obtain a user credential
Default user account password (admin/admin, root/root)
**** most of the case for getting the initial low privilege access.
Exploitation Type (suggested solution)
SMB Exploit (zzz_exploity.py)
OS Kernal Exploit (Dirty Cow)
Application Vulnerability (reverse tcp shell upload)
Seimpersonate group (Juicy Potato)
SMB Configuration
file upload (reverse TCP shell)
password (using default password)
ByPass UAC (minitakz)
Same password hash using HtB (minitakz)
Sudo escape (sudo -l)
SUID file permission
Docker escape (Docker PE /usr/bin/docker run –it –v /root:/fkclai ubuntu
10.11.1.5 (Alice) 10.1.1.7 10.11.1.8 (phoenix) 10.11.1.10 (mike) 10.11.1.13 (disco) 10.11.1.14 (bob) 10.11.1.20 (SV-DC01) 10.11.1.21 (SVCLIENT73) 10.11.1.22 (SVCLIENT08) 10.11.1.24 (SVCLIENT73) 10.1.1.246[IT Dept] (SEAN) 10.1.11.31 (RALPH) 10.11.1.35 (PAIN) 10.11.1.39 (leftturn) 10.11.1.44 10.11.1.50 (bethany) 10.11.1.71 (alpha) 10.11.1.72 (beta) 10.11.1.73 (gamma) 10.11.1.75 (bruce) 10.11.1.79 10.11.1.101 (Harder) 10.11.1.111 10.11.1.115 (Tophat) 10.11.1.116 (Dotty) 10.11.1.118 10.11.1.123 (xor-APP59) 10.11.1.121 (xor-APP23) 10.11.1.122 (xor-APP07) 10.11.1.120 (xor-APP59) 10.11.1.128 (DJ) 10.11.1.133 (gh0st) 10.11.1.136 (sufferance) 10.11.1.141 (fc) 10.11.1.146 (SUSIE) 10.11.1.209 (kraken) 10.11.1.217 (hotline) 10.11.1.220 10.11.1.221 10.11.1.222 10.11.1.223 (jeff) 10.11.1.226 (joe) 10.11.1.227 (jd) 10.11.1.229 (mail) 10.11.1.231 (mailman) 10.11.1.234 (core) 10.11.1.237 (humble) 10.11.1.241 (Parrot)
