Methodology
  • ๐Ÿ˜ƒWelcome
    • Bullet Proof Strategy
    • ๐Ÿ‘๏ธEnumeration
      • ๐Ÿ‘๏ธโ€๐Ÿ—จ๏ธ๐Ÿ‘๐Ÿ—จ Enumeration Cheatsheet
      • SNMP Enumeration
      • IRC Enumeration
      • LDAP Enumeration
      • RPC Enumeration
      • DNS Enumeration
      • Rsync Enumeration
      • IDENT Enumeration
      • SMB Enumeration
        • Copy of SMBPass Change
      • Web Enumeration
        • Methodology
        • Enumerating Patterns Trick
      • Kerberos Enumeration
    • ๐Ÿ‘บExploitation
      • Passwords Attacks
        • Decrypting VNC passwords
        • Decrypting Jenkins passwords
        • MongoDB Decryption
      • Web Applications
        • My little cheatsheet
        • Login Portal Strat
        • SQL injection
        • Local File Inclusion
        • WebDav
        • Wordpress
        • phpmyadmin
        • Bypassing Proxies
        • Node.Js Command Injection
        • Weak Cookies and Parameters
        • PHP Web Shells
        • Code Injection
        • Werkzeug
        • Collection of Vulnerable Apps
          • RaspAP 2.5 Authenticated RCE
          • ZenPhoto 1.4.1.4 RCE
          • Sonatype Nexus 3.21.1
          • Argus Surveillance DVR 4.0
          • SmarterMail + .Net Remote
          • H2 Web Console
          • Exhibitor for Zookeper (Exhibitor Web)
          • Subrion 4.2.1
          • RestStack API 3100
          • Kibana 5.6.15 < 6.6.1
          • Authenticated NodeBB Plugin Emoji 3.2.1
        • Discovering Hidden Parameters
        • ๐Ÿ•ด๏ธJenkins
      • Vulnerable Services
        • Authenticated MSSQL Shell
        • Authenticated PostgresSQL
        • Authenticated MongoDB
        • ClamAV - Milter 0.91.2
        • Unreal Tournament 99
        • MS17-10 Eternal Blue
        • REDIS Exploitation
        • OpenSMTPD < 6.6.2
        • James Adminitrator Remoting 2.3.2
      • Client Side Attacks
        • .ODT File Macros
      • Evil-WinRM
      • Methodology
      • Reversing
        • .net binaries
      • Enumerating Firewall
    • ๐Ÿ‘ฝPrivilege Escalation
      • Windows
        • Enumeration
        • Enumerate Permissions on Folders and Binaries
          • Insecure File Permissions
          • Modifiable Binary Path
          • Unquoted Service Path
        • Meterpreter Session Injection /Migration
        • โฒ๏ธScheduled Apps (CronJobs)
        • ๐Ÿฅ”Impersonation Attacks
        • ๐Ÿ—’๏ธDLL Hijacking
        • Passwords
          • Runas
            • Runas but Powershell
          • Autologon Credentials
        • AlwaysInstallElevated
        • Windows XP SP0/SP1
        • W10 Version 1803
        • Windows Vista x86 SP1
        • ๐Ÿ‘ปSMB Ghost
        • Local Service / Network Service Users
        • Dangerous Privileges
          • SeLoadDriver Privilege
          • SeRestore Privilege
          • ๐Ÿฅ”SeImpersonatePrivilege
          • SeBackUp Privilege
        • Bypassing AV
        • Port Forwarding to access Internal services
        • Start Up Apps
        • Other Users
        • Resources
        • M16-032
        • Upgrading Powershell to Meterpreter
      • Linux
        • Enumerating SUID binaries
          • Find SUID
          • CP SUID
          • dosbox SUID
          • start-stop-daemon SUID
          • gcore SUID
        • Fail2Ban Group
        • Upgrading TTY Shells
        • Git Repository
        • Escaping RBASH
        • Docker
        • Init, Init.d , systemd
        • Shared Objects .so Hijacking
        • Sudo Version - CVE 2021-4034
        • Tar Wilcard Injection
        • Tips to become root
        • Python based applications escalation
        • Internal Services
          • mySQL
            • MySQL User Defined Function
        • Writable Passwd
        • Exiftool Priv Esc
        • Glusterd + Docker Container Breakout
        • choom
        • Slack
      • File Transfer Methods
        • Windows
        • Linux
      • Pivoting
    • ๐Ÿ’€Elevated Post Exploitation
    • ๐ŸŸฆActive Directory
      • Attack Vectors
        • LLMNR Poisoning
        • ASREPRoast
        • Spraying
          • SMBPass Change
        • Building Userbase
        • NTLM Relay Attack
        • IPv6 Takeover
      • Post Exploitation - Enumeration
        • Bloodhound
        • Enumeration - Powerview
      • Exploitation
        • Kerberoasting
        • GMSA Password Read
        • Account Operators
        • WriteDACL over DCSync
        • GenericWrite GPO
        • PS-Remoting
        • LAPS Password Read
        • Abusing ACLs
          • GenericWrite/GenericAll/AllExtendedRights over Users
        • Groups.xml
        • Azure AD Sync Dump
        • AD Recycle Bin Group
        • Get-ChangesAll
        • WriteOwner Over Domain Admins
        • Allowed to Delegate To:
        • Force Change Password
      • Resources
    • ๐Ÿ˜ŽWalkthroughs
      • ๐ŸชจProving Grounds
      • ๐Ÿ“—Hack The Box
        • Windows
        • Linux
    • Cert Pictures :)
    • ๐ŸPython Lessons
      • Jenkins Script Groovy Console Exploit in Python
      • Kerbrute Automation
    • ๐ŸšBash Lessons
    • C# Programming
      • Process Injection Code
Powered by GitBook
On this page
  • Discovering New Targets
  • Routing
  • Port Scan
  • Proxying
  • Port Forwarding with Metasploit
  1. Welcome
  2. Privilege Escalation

Pivoting

PreviousLinuxNextElevated Post Exploitation

Last updated 2 years ago

Discovering New Targets

The trick here is to look for more IP addresses that are hidden. Look for ones that we didn't get from the initial ping sweep.

Meterpreter session

Look for more interfaces

ifconfig 
arp
route

Shell

Look at ALL the output.

ipconfig /all 
ipconfig /displaydns
netstat -ano

Ping Sweep

use post/multi/gather/ping_sweep
set the RHOSTS 101010/24

ARP Scanner

Meterpreter

run arp_scanner -r 10.10.10.0/24

Routing 

meterpreter > run autoroute -s 172.30.111.0/24
use autoroute module

Port Scan

Run tcp portscan change threads to 10, and change ports to smaller.

Proxying

search socks server
use
set port
edit /etc/proxychains4.conf
edit the last line to
socks4 127.0.0.1 1080
or socks5

Start by saying proxychain and then the command

we can also use proxychains to start our web browser.

Port Forwarding with Metasploit

Lets say we want to access a web server on port 80 on the victim machine.

portfwd add -l 8080 -p 80 <ip of victim that has the web server>
๐Ÿ˜ƒ
๐Ÿ‘ฝ
PivotingOSCP
Pivoting - Port forwarding - Tunneling ยท Total OSCP Guide
Tunneling with Chisel and SSF0xdf hacks stuff
Logo
Logo
Logo