Penetration testing and hacking to gain website access DDOS
The attacking machine uses OpenSSL to simulate Google's SSL certificate information, which can be modified. After generation, an encrypted file named www.google.com.pem will be generated. The private key and certificate can be viewed using the command cat www.google.com.pem.

After creating the certificate, we can create an HTTP or HTTPS payload using MSF and provide a PEM format certificate for connection verification. This can be combined with other anti-virus evasion techniques. After generation, a malicious file named update.exe will be generated.

We offer professional hacking services, including penetration testing, website privilege escalation, password cracking, and data breach investigations. Inquiries are welcome. @PipiShrimp
Delegation token: Used for interactive session login (e.g., direct login as a local user, remote desktop login). Impersonation token: Used for non-interactive login (using net use to access shared folders).

Use the PowerView tool to check the user's GenericAll permissions.

powershell -exec bypass
Import-Module .\PowerView.ps1
# Get the access control list (ACL) of AD objects for user man1, filtering to return items with "GenericAll" permissions
Get-ObjectAcl -SamAccountName man1 -ResolveGUIDs | ? {$_.ActiveDirectoryRights -eq "GenericAll"}

As you can see, the spotless user has GenericAll permissions on the delegate. Therefore, having obtained the spotless user's permissions, we can take over the delegate user's permissions.


Seeing IIS permissions, I tried to escalate them first, then requested system privileges to the client. Various privilege escalation methods were used, but all failed.

I tried uploading an EXE file, but the website blocked my test IP. Changing the IP and refreshing the folder showed the EXE was successfully uploaded, but the file was corrupted.

I discovered the server had Git installed. Testing git clone https://github.com/xxx/ successfully downloaded the file C:\ProgramData\.

What? Wasn't it supposed to be a non-HTTP network? I checked netstat -ano...


First, version detection: The current version is 6.7.2. Although the scan detected vulnerability 21972, such machines often have a chance of having vulnerability CVE-2021-22005. The reason for trying 22005 is that the privileges obtained from 21972 are not root privileges, and privilege escalation will be required, which is very troublesome.

Use the same method to access host 141.

Use the trojan you just used to penetrate the domain controller, or generate a new trojan.

Upload it to host 143.

Copy beacon2.exe to host 141.


Generate a payload using CS.
Copy the generated txt file and execute it using the terminal of a webshell manager such as China Chopper or AntSword.
After a short while, you will see that it is online.

Another common cause of false positives is user-defined sanitizers, such as those using regular expressions to validate or filter input. Let's take validation as an example, since it also requires additional consideration of control flow: To properly handle this example, you need to: (1) be able to analyze the impact of the regular expression /^[a-zA-Z0-9_]+$/ on different vulnerabilities; (2) consider the impact of preg_match($pattern, $username) within the if branch. This is called control flow sensitivity.


Here's our memory malware. If you directly use the memory malware, it will only display "you_are_successful!!!!!!!!!", but it won't execute any commands.


In other words, when the agent performs a certain anti-virus evasion operation, xss_manipulator receives the agent's command to perform anti-virus evasion operations on the XSS payload.

Here, we need to discuss the getattr function, which can retrieve attributes or methods from an object based on their string names. If the attribute is a callable method, it can be called directly.


Brute-force website login

To log in to a website server, you need to know the username, password, or both. You can use Hydra to break into a POST form and find the username and password fields and their id/name attributes in the HTTP source.

The command syntax is as follows (assuming the id/name attributes of the username and password fields are userField and passwordField, respectively).


Locating directories to frequently used folders and files in the system administration system (SOS) is often surprisingly effective in finding sensitive information. SOS personnel often like to keep a small notebook of passwords for each machine for easier management, as it's common for one SOS person to manage dozens of machines. Remembering so many passwords is not always possible, so most SOS personnel choose to record machine passwords in .txt or .xls files.



Once logged in, you can upload a WAR file to obtain a webshell and control the machine. Of course, you can also collect a lot of useful information from the host you've gained access to. Ideally, you should also obtain some credentials for later reuse.
