This will be short and sweet and I only post it because it’s hard to find via google but should be base knowledge for any hacker. SysInternals is your friend. If it’s on the box or you can drop it there it gives pretty complete control at a very granular level. Even if you drop […]
Going over some really interesting stuff today on file includes and ran a couple neat exploits on php running on a windows 10 box. LFI/RFI is deadly. Sooo many ways to pop a shell if the url includes ?file= My favorite of the day was using a php wrapper to pass a command to the […]
I just finished an amazing hacking course by TheCyberMentor on udemy. It’s a great deal and provides a really practical introduction to pentesting by a professional. I highly recommend it. Woot!
I’m taking The Cyber Mentor’s Practical Ethical Hacking Course on Udemy and during the scanning and enumeration chapter, we started scanning Kioptrix Level 1. I’ve played around with Kioptrix before and was already prepared to root the machine in a quick two-step, even though that’s not part of the section. To do this root, you’ll […]
Just a small note related to sqlmap culled from working on a CTF style challenge. Not all the tamper scripts in jhaddix’s helpful attack string are still working. Current working command: sqlmap -u http://192.168.1.1 –level=5 –risk=3 -a –text-only –technique=BU –tamper=apostrophemask,apostrophenullencode,appendnullbyte,base64encode,between,bluecoat,chardoubleencode,charencode,charunicodeencode,concat2concatws,equaltolike,greatest,halfversionedmorekeywords,ifnull2ifisnull,modsecurityversioned,modsecurityzeroversioned,multiplespaces,percentage,randomcase,randomcomments,space2comment,space2dash,space2hash,space2morehash,space2mssqlblank,space2mssqlhash,space2mysqlblank,space2mysqldash,space2plus,space2randomblank,sp_password,unionalltounion,unmagicquotes,versionedkeywords,versionedmorekeywords –random-agent
On a recent hacking challenge I was presented with a privesc scenario where I had already compromised a low privileged user with the tools available in Impacket. The user (a service account) had access to winrm and therefore had a semi-functional shell but no access to rdp or smb shares. The network had a default […]
