Initial low privilege access

  • CVE Exploitation ****

  • RFI, e.g. php-reverse-shell.php

  • Directory traversal, password file found

  • FTP access used to upload asp-reverse-shell.asp

  • Macro Exploitation

  • WordPress Admin upload reverse shell at 404 page

  • hydra login password guessing

  • SMTP/POP: read an email to obtain a user credential

  • Default user account password (admin/admin, root/root)

**** The most common way of getting initial low privilege access.

Common Privilege Escalation

Exploitation Type (suggested solution)

  • SMB Exploit (

  • OS Kernel Exploit (Dirty Cow)

  • Application Vulnerability (reverse tcp shell upload)

  • SeImpersonate privilege (Juicy Potato)

  • SMB Configuration

    • file upload (reverse TCP shell)

    • password (using default password)

  • Bypass UAC (mimikatz)

  • Same password hash using HtB (mimikatz)

  • Sudo escape (sudo -l)

  • SUID file permission

  • Docker escape (Docker PE: /usr/bin/docker run -it -v /root:/fkclai ubuntu)

Completed Labs: (Alice) (phoenix) (mike) (disco) (bob) (SV-DC01) (SVCLIENT73) (SVCLIENT08) (SVCLIENT73)[IT Dept] (SEAN) (RALPH) (PAIN) (leftturn) (bethany) (alpha) (beta) (gamma) (bruce) (Harder) (Tophat) (Dotty) (xor-APP59) (xor-APP23) (xor-APP07) (DJ) (gh0st) (sufferance) (fc) (SUSIE) (kraken) (hotline) (jeff) (joe) (jd) (mail) (mailman) (core) (humble) (Parrot)