Junior Penetration Tester (eJPT) Cheatsheet

Introduction: Anyone in the information security or penetration testing field knows how deep a topic, or even a certificate, may go, and as we progress deeper into the field, it gets harder to keep track of the knowledge gained. For me personally, notes, cheatsheets, and mind maps are the best way to keep track of things. As far as studies go, the eLearnSecurity Junior Penetration Tester (eJPT) is an entry-level, beginner-friendly certification and a great starting point to get some fundamentals of networking, programming, and penetration testing, all for an affordable price....

January 25, 2022 · 13 min · jincx

HackTheBox - Intelligence

This machine is classified as Medium difficulty by Micah but may seem hard, as it takes tons of enumeration against a domain controller with a webserver running. On the webserver, we will find a document uploads folder; using its naming convention, we will brute-force each and every uploaded document, as their metadata contains usernames, which eventually leads to getting a default password. We will password spray with the enumerated users and find one valid user....

November 27, 2021 · 8 min · jincx

HackTheBox - Active

This was classified as an easy box by eks and mrb3n on HackTheBox. We gain our foothold by enumerating SMB, as it allows anonymous authentication. We find a few shares, one of which includes a username and encoded password. We will decode the password and use it to gain a foothold. For the privilege escalation part, we will get the Kerberos ticket (Kerberoast), crack it, and escalate to administrator. OS Difficulty IP Address Status Windows Easy 10....

November 1, 2021 · 5 min · jincx

HackTheBox - Bastion

This box was classified as an easy machine by L4mpje on HackTheBox. Enumerating the box, we will find an SMB share used for backup. We will mount it and find a virtual hard disk file, mount the .vhd, dump the SAM and SYSTEM files, and crack them to get our initial foothold. Enumerating for privilege escalation, we find a strange program, mRemoteNG, and its password can be decrypted with the mRemoteNG Decryption Tool, which will give us the Administrator password....

October 29, 2021 · 4 min · jincx

HackTheBox - Forest

This box may be classified as an easy machine but takes prior knowledge to solve; it was made by egre55 and mrb3n on HackTheBox. We gain our foothold by enumerating RPC, where we get usernames; then we will Kerberoast the usernames until we get a Kerberos ticket hash, then crack it and get in as the user. For privilege escalation, we will abuse Access Control List-based permissions to add a new user and add the new user to a group that will enable us to get the Administrator hash; we will use Pass-The-Hash and log in as Administrator....

October 29, 2021 · 4 min · jincx