- Published on
Enumerated users with crackmapexec, smbclient, and eventually cracked a .pfx file, converted it into a cert.pem and key.pem, then obtained foothold. For root, we have credentials in a LAPS group which provides root.
Crackmapexec
All Posts
- sudo--l (8)
- sqli (7)
- 139445---smb (5)
- ftp (5)
- kerberoast (4)
- rce (4)
- bloodhound (3)
- 389636---ldap (3)
- lfi (3)
- dns (3)
- wordpress (3)
- msfconsole (3)
- openssl (3)
- suid (3)
- routingport-forward (3)
crackmapexec (3)
- powershell-web-access (2)
- passthecert (2)
- directory-traversal (2)
- brute-force (2)
- drupal (2)
- pivoting (2)
- ms15 (2)
- enumeration (2)
- microsoft-iis (2)
- 161---snmp (2)
- juicypotato (2)
- file-upload (2)
- buffer-overflow (2)
- tomcat (2)
- wget (2)
- certificate (2)
- 22---ssh (2)
- default-credentials (2)
- rfi (2)
- 4555 (1)
- gpp (1)
- powershell (1)
- sam-hashes (1)
- migrate (1)
- ipv6-relay-attack (1)
- mimikatz (1)
- golden-ticket-attack (1)
- group-policy-preferences (1)
- impacket (1)
- url-file-attack (1)
- ansible (1)
- certipy (1)
- gdb (1)
- intruder (1)
- screen (1)
- stored-user-agent (1)
- log-file-poisoning (1)
- autologon (1)
- web (1)
- nc (1)
- tls-10---443 (1)
- elastix (1)
- webmin (1)
- eternal-blue (1)
- webconfig (1)
- smtp (1)
- nslookup (1)
- command-injection (1)
- crontab (1)
- xxe (1)
- pwnkit (1)
- groups (1)
- raw-image (1)
- debugfs (1)
- python (1)
- h2 (1)
- 111---portmapper (1)
- 6697---unrealircd (1)
- irc (1)
- ssh-keygen (1)
- hash (1)
- kbdx (1)
- ssrf (1)
- psy-shell (1)
- nmap-vuln (1)
- nmap-suid (1)
- wireshark (1)
- tcpdump (1)
- imagemagick (1)
- exiftool (1)
- neofetch (1)
- ejpt (1)
- prtg-network-monitor (1)
- mime (1)
- changenamesh (1)
- knock (1)
- chkrootkit (1)
- httpfileserver (1)
- pandora-cms (1)
- path (1)
- rocket (1)
- pkexec (1)
- polkit (1)
- base64-decode (1)
- ps-aux (1)
- vnc (1)
- keepass (1)
- smbclientpy (1)
- silver-ticket (1)
- deserialization-attack (1)
- gmsa (1)
- enumerating (1)
- subdomain (1)
- sqlmap (1)
- htaccess (1)
- netstat (1)
- npm (1)
- cgi-bin (1)
- perl (1)
- oracle (1)
- odat (1)
- opt (1)
- firefox-passwords (1)
- program-files (1)
- writeowner (1)
- finger (1)
- password-cracking (1)
- magento (1)
- jamovi (1)
- bolt (1)
- ssti (1)
- chisel (1)
- mongodb (1)
- shocker (1)
- sharepoint (1)
- kdbx (1)
- tar (1)
- evil-winrm (1)
- net-user (1)
- 22-ssh (1)
- heartbleed (1)
- history (1)
- active-directory (1)
- Published on
This was an Active Directory Windows machine, started by finding credentials in an image on the website, then dumped information with LDAP for the domain to find a kerberoastable user, then enumerating more shares with cme, find which accounts were active, and then get foothold. For root, we pfx2john, and find a GMSA exploit on powershell, to reset a higher privilege user's password so we can authenticate with our new credentials.- Published on
SharePoint endpoint enumerated into discovering FTP credentials, cracking the password needed and authenticating with crackmapexec, then privilege escalating with JuicyPotato.