Scrambled

Operating system: Windows
Difficulty: Medium
IP: 10.10.11.168
Retirement date:
Skills:
- Web Enumeration
- Information Leakage
- LDAP Enumeration
- Kerberos Enumeration
- User Enumeration - Kerbrute
- Password Brute Force - Kerbrute
- SMB Enumeration - Kerberos Authentication [getTGT.py]
- ASREPRoast Attack - GetNPUsers.py (Failed)
- Kerberoasting Attack - GetUserSPNs.py
- Manipulating the GetUserSPNs.py script to make it work the way we want it to work
- Cracking Hashes
- Attempting to authenticate to the MSSQL service via Kerberos (Failed)
- Explaining Kerberos Auth Flow (TGT, TGS, KDC, AS-REQ, AS-REP, TGS-REQ, TGS-REP, AP-REQ, AP-REP)
- Explaining how Silver Ticket Attack works
- Forging a new TGS as Administrator user (NTLM Hash, Domain SID and SPN) [ticketer.py && getPAC.py]
- Connecting to the MSSQL service with the newly created ticket
- MSSQL Enumeration
- Enabling xp_cmdshell component in MSSQL [RCE]
- Abusing SeImpersonatePrivilege [JuicyPotatoNG Alternative for Windows Server 2019] (Unintended Way)
- Binary and DLL Analysis
- Downloading OpenVPN from a Windows machine and configuring it to reverse downloaded resources
- dnSpy Installation
- DLL Inspection with dnSpy - Found a backdoor in the code
- We realize that serialization and deserialization of data is being used
- Creating a malicious base64 serialized Payload with ysoserial.net in order to get RCE
- We send the serialized data to the server [Privilege Escalation]

Writeups

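| Language | Author | Format | Link |
|---|---|---|---|
| 🇪🇸 ES | S4vitar | Video | Open |
| 🇬🇧 EN | 0xdf | Text | Open |
| 🇬🇧 EN | 0xdf | Text | Open |
| 🇬🇧 EN | 0xdf | Text | Open |
| 🇬🇧 EN | 0xdf | Text | Open |
| 🇬🇧 EN | IppSec | Video | Open |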

Skill resources

Curated documentation for each technique listed in the Skills column above. Sources: HackTricks, GTFOBins, PortSwigger, etc.

| Skill | Source | Link |
|---|---|---|
| Kerberoasting | HackTricks | Open |
| GetNPUsers (Impacket) | HackTricks | Open |
| SMB (139/445) | HackTricks | Open |
| Remote Code Execution (RCE) | HackTricks | Open |