Initial low privilege access

  • CVE Exploitation ****
  • RFI, e.g. php-reverse-shell.php
  • Directory traversal password file found
  • FTP access point to upload asp-reverse-shell.asp
  • Macro Exploitation
  • WordPress Admin upload reverse shell at 404 page
  • hydra login password
  • SMTP/POP read an email to obtain a user credential
  • Default user account password (admin/admin, root/root)
**** Accounts for most cases of getting initial low-privilege access.

Common Privilege Escalation

Exploitation Type (suggested solution)
  • SMB Exploit (
  • OS Kernel Exploit (Dirty Cow)
  • Application Vulnerability (reverse tcp shell upload)
  • SeImpersonate group (Juicy Potato)
  • SMB Configuration
    • file upload (reverse TCP shell)
    • password (using default password)
  • Bypass UAC (mimikatz)
  • Same password hash using HtB (mimikatz)
  • Sudo escape (sudo -l)
  • SUID file permission
  • Docker escape (Docker PE: /usr/bin/docker run -it -v /root:/fkclai ubuntu)

Completed Lab (Alice) (phoenix) (mike) (disco) (bob) (SV-DC01) (SVCLIENT73) (SVCLIENT08) (SVCLIENT73)[IT Dept] (SEAN) (RALPH) (PAIN) (leftturn) (bethany) (alpha) (beta) (gamma) (bruce) (Harder) (Tophat) (Dotty) (xor-APP59) (xor-APP23) (xor-APP07) (xor-APP59) (DJ) (gh0st) (sufferance) (fc) (SUSIE) (kraken) (hotline) (jeff) (joe) (jd) (mail) (mailman) (core) (humble) (Parrot)