Beginning

Capture Everything:

On Windows:

whoami && ipconfig && type proof.txt

On Linux:

whoami && ifconfig && cat proof.txt
  1. Make Directories

  2. Nmap Scan -Pn

nmap -Pn ip_address

Other method:

nmap -n -v -sT -A 192.168.1.249
  1. Run the nmapAutomator script to automate enumeration:

/usr/local/bin/nmapAutomator.sh -H 192.168.1.1 -t All

Link: https://github.com/21y4d/nmapAutomator

Or run AutoRecon (requires sudo privileges):

python3 -m pip install -r ../AutoRecon-main/requirements.txt --break-system-packages

Link: https://github.com/Tib3rius/AutoRecon

  1. Nmap detailed with Service Scan

We'll use -sV to enable service and version detection, and -sC to run Nmap's default scripts. In addition, -oN writes the scan results to an output file.

sudo nmap -sC -sV -oN nmap_results.txt 192.168.247.242
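As an added example (not code from the original page), a small Python parser for the -oN normal-output file the command above writes: it turns each port line and its -sC script lines into a record, so the exposed services and versions can be kept as an inventory and checked against known-vulnerability databases or a patch baseline. The sample output below is constructed, not a real scan.

```python
import re
from dataclasses import dataclass, field

# Constructed sample of nmap "normal" (-oN) output, not a real scan result.
SAMPLE_OUTPUT = """\
# Nmap 7.94 scan initiated Mon Jan  1 10:00:00 2024 as: nmap -sC -sV -oN nmap_results.txt 192.168.247.242
Nmap scan report for 192.168.247.242
Host is up (0.030s latency).
Not shown: 997 closed tcp ports (reset)
PORT    STATE    SERVICE      VERSION
22/tcp  open     ssh          OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|_  3072 aa:bb:cc:dd:ee:ff:00:11:22:33:44:55:66:77:88:99 (RSA)
80/tcp  open     http         Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Example Page
445/tcp filtered microsoft-ds
# Nmap done at Mon Jan  1 10:00:10 2024 -- 1 IP address (1 host up) scanned in 10.00 seconds
"""

PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")
HOST_RE = re.compile(r"^Nmap scan report for (\S+)")

@dataclass
class Port:
    host: str
    number: int
    proto: str
    state: str
    service: str
    version: str = ""
    scripts: list = field(default_factory=list)  # NSE (-sC) output lines for this port

def parse_nmap_normal(text):
    """Parse -oN output into Port records; '|' script lines attach to the port above."""
    ports, host, current = [], None, None
    for line in text.splitlines():
        if m := HOST_RE.match(line):          # new host section: reset current port
            host, current = m.group(1), None
        elif (m := PORT_RE.match(line)) and host:
            num, proto, state, service, version = m.groups()
            current = Port(host, int(num), proto, state, service, (version or "").strip())
            ports.append(current)
        elif line.startswith("|") and current:
            current.scripts.append(line.lstrip("|_ ").rstrip())
    return ports

def open_services(ports):
    """Exposed-service inventory, (host, port, service, version), open ports only."""
    return [(p.host, p.number, p.service, p.version) for p in ports if p.state == "open"]
```

Feed it the contents of nmap_results.txt to get the same records for a real scan; filtered or closed ports are kept in the parse but left out of the inventory.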
  1. If an HTTP service is found, run GoBuster basics:

Others:

Or use this:

  1. If you have the service version (or even if not), use Exploit-DB or searchsploit to check whether exploits are available.

  1. If WordPress, use:

  1. Get WordPress plugin details:

  1. Once you find any creds or useful information, add them to your list of findings and keep going!

  2. Try different usernames and passwords using crackmap

Then check permissions:

Login with local creds:

Phishing:

The victim will open the .lnk file in the home directory of the WebDAV share.

Create the shortcut file with the command below:

And put this content in config.Library-ms:

A few more helpful things

Git Commands:

Use git_dumper to download the whole .git folder

PowerShell reverse shell

Search for sensitive extensions:

Before you do anything else, run:

Move to a different user

Transferring Files

Download into windows victim:

On kali:

On Victim (Windows):

Note: ensure you give the exact full path

On Victim (Linux):

Reverse Shell:

Then get meterpreter to catch the session:

Or use Meterpreter (not allowed in OSCP)

Then setup SOCKS Proxy:

Ensure you edit the /etc/proxychains4.conf file manually

Using nmap to scan:

Some more commands:

Get Windows System Info:

Enable RDP Service

Create new User and Add to Admin group:

Using Potatoes

Connect to RDP:

PowerUp

JAWS PowerShell PrivEsc (Windows):

Enable SSH Service in Kali:

Start the SSH service:

Check if it’s running:

Then create a reverse tunnel back to Kali:

Switching to the root user if you have su rights:

Install a Python package system-wide:

Cracking NTLM Hashes:

RunAs Command:

Quick Sharphound:

Windows Quick Checks
