[email protected]
Search…
[email protected]
About Calvin Lai (fkclai)
My Work
Exploit/CVE PoC
ZeroLogon Exploit
Remote Retrieved Chrome saved Encrypted Password
Twitter Control an RCE attack
Hacking Report (HTB)
Hits & Summary
Windows Machine
Linux Machine
Penetration Testing Checklists
Web Application PenTest
Network/System PenTest
Mobile Application PenTest
Red Team (Windows)
01 Reconnaissance
02 Privileges Escalation
03 Lateral Movement
04 AD Attacks
05 Bypass-Evasion
06 Kerberos Attack
99 Basic Command
Exploitation Guide
01 Reconnaissance
02 Port Enumeration
03 Web Enumeration
04 Windows Enum & Exploit
05 File Enumeration
06 Reverse Shell Cheat Sheet
07 SQL Injection
08 BruteForce
09 XSS Bypass Checklist
10 Spring Boot
11 WPA
12 Payload list
Vuln Hub (Writeup)
MrRobot
CYBERRY
MATRIX 1
Node-1
DPwwn-1
DC7
AiWeb-2
AiWeb-1
BrainPan
CTF (Writeup)
Hacker One
CTF Learn
P.W.N. University - CTF 2018
HITCON
Pwnable
Useful Command/Tools
Windows
Linux
Offensive Security Lab & Exam
Lab
Powered By GitBook
Lab

Initial low privilege access

  • CVE Exploitation ****
  • RFI, e.g. php-reverse-shell.php
  • Directory traversal password file found
  • FTP access point to upload asp-reverse-shell.asp
  • Macro Exploitation
  • WordPress Admin upload reverse shell at 404 page
  • hydra login password
  • SMTP/POP read an email to obtain a user credential
  • Default user account password (admin/admin, root/root)
**** most of the case for getting the initial low privilege access.

Common Privilege Escalation

Exploitation Type (suggested solution)
  • SMB Exploit (zzz_exploity.py)
  • OS Kernal Exploit (Dirty Cow)
  • Application Vulnerability (reverse tcp shell upload)
  • Seimpersonate group (Juicy Potato)
  • SMB Configuration
    • file upload (reverse TCP shell)
    • password (using default password)
  • ByPass UAC (minitakz)
  • Same password hash using HtB (minitakz)
  • Sudo escape (sudo -l)
  • SUID file permission
  • Docker escape (Docker PE /usr/bin/docker run –it –v /root:/fkclai ubuntu

Completed Lab

10.11.1.5 (Alice) 10.1.1.7 10.11.1.8 (phoenix) 10.11.1.10 (mike) 10.11.1.13 (disco) 10.11.1.14 (bob) 10.11.1.20 (SV-DC01) 10.11.1.21 (SVCLIENT73) 10.11.1.22 (SVCLIENT08) 10.11.1.24 (SVCLIENT73) 10.1.1.246[IT Dept] (SEAN) 10.1.11.31 (RALPH) 10.11.1.35 (PAIN) 10.11.1.39 (leftturn) 10.11.1.44 10.11.1.50 (bethany) 10.11.1.71 (alpha) 10.11.1.72 (beta) 10.11.1.73 (gamma) 10.11.1.75 (bruce) 10.11.1.79 10.11.1.101 (Harder) 10.11.1.111 10.11.1.115 (Tophat) 10.11.1.116 (Dotty) 10.11.1.118 10.11.1.123 (xor-APP59) 10.11.1.121 (xor-APP23) 10.11.1.122 (xor-APP07) 10.11.1.120 (xor-APP59) 10.11.1.128 (DJ) 10.11.1.133 (gh0st) 10.11.1.136 (sufferance) 10.11.1.141 (fc) 10.11.1.146 (SUSIE) 10.11.1.209 (kraken) 10.11.1.217 (hotline) 10.11.1.220 10.11.1.221 10.11.1.222 10.11.1.223 (jeff) 10.11.1.226 (joe) 10.11.1.227 (jd) 10.11.1.229 (mail) 10.11.1.231 (mailman) 10.11.1.234 (core) 10.11.1.237 (humble) 10.11.1.241 (Parrot)
​
Useful Command/Tools - Previous
Linux
Last modified 1yr ago
Copy link
Contents
Initial low privilege access
Common Privilege Escalation
Completed Lab