Just rooted this box... I had the same issue with the php reverse shell. In fact, when you inject it in the theme editor, after a while the editor closes the session. And it seems like the session ends when you try to run a shell. To be honest, this one and Corp were the ones I did not enjoy in the Offensive Path.
@MotasemHamdan 3 years ago
Congrats
@s1ked_416 10 months ago
I love how you just struggle typing the C:\ directory in cmd bruh lol 20:30, especially the backward slash literally above the Enter Key. But other than that, good good video :)
@Cossaw 3 years ago
Awesome, thanks for all the help and clarity so far! I have a question for you: out of what's been taught in the offensive pentesting path so far, what tools and methodologies are, generally speaking, the more useful in the real world for pentesting? And if there's something important that hasn't been taught so far, what would that be? Again, these videos are awesome!
@younesmohssen8158 3 years ago
So just a question: did you create Docker containers with the same Windows build and try the kernel exploits on them first? Or did you just choose one by a little luck and a little enum and it worked?
@s1ked_416 10 months ago
For the purpose of the video, he said that you should normally recreate the build on your own machine in a realistic scenario, but because this is a THM room, you don't have to do such a thing.
@gianniloco8691 3 years ago
Hi, nice video btw. One question: I'm given this (Retro) Windows server machine as a task and I have to access the machine by looking for vulns with nmap, finding the exploit on Exploit-DB, and executing it with Metasploit. How can I do this without using the retro page? Thanks!
@s1ked_416 10 months ago
The thing is that you won't be able to do it without the retro page, because the dictionary doesn't have the password that's only included through the retro page.
@dennisbiddulph4725 3 years ago
If you don't have an RDP password or admin access, how would you exploit it? Priv escalation is quite easy, but the admin access or RDP password?
@s1ked_416 10 months ago
You won't be able to do the RDP access without the password that was found. Another way would be WP exploitation, but you have a limited amount of time till the shell dies, because the thing doesn't like it. So if you want a constant, stable connection, you need to RDP, but you can technically still do it through the reverse shell; it's just going to be a hassle to deal with... If you use winPEAS it shows there are other exploits like DLL hijacking or some other service that is vulnerable to an "unquoted service path attack". Those are the only things I remember that you can exploit, off the top of my head. This is due to enumeration. But typically you want an easy win, and this box shows that a kernel bypass is your best bet to getting there fast.
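The comment above mentions that winPEAS flags services with an "unquoted service path". From the defender's side, the same misconfiguration is easy to audit and fix without any third-party tool. The script below is an added example, not code from the video or from this thread: it lists services whose binary path contains a space but is not wrapped in quotes, and offers a helper that quotes the executable portion of the registry `ImagePath`. The `Repair-UnquotedServicePath` function name and the `.exe`-based split are assumptions made for this example; run it from an elevated PowerShell prompt on a test machine first.

```powershell
# Added example (not from the video or the comment thread): audit and fix
# unquoted Windows service paths. Run from an elevated prompt.

function Get-UnquotedServicePath {
    # Enumerate every service and return the ones whose executable path
    # contains whitespace but is not enclosed in double quotes.
    Get-CimInstance -ClassName Win32_Service | ForEach-Object {
        $path = $_.PathName
        if ([string]::IsNullOrWhiteSpace($path)) { return }
        if ($path.TrimStart().StartsWith('"')) { return }   # already quoted

        # Assumption for this example: the executable ends at the first ".exe";
        # everything after it is treated as arguments.
        $exe = $path
        $idx = $path.ToLower().IndexOf('.exe')
        if ($idx -ge 0) { $exe = $path.Substring(0, $idx + 4) }

        if ($exe -match '\s') {
            [pscustomobject]@{
                Name      = $_.Name
                StartMode = $_.StartMode
                RunAs     = $_.StartName
                PathName  = $path
            }
        }
    }
}

function Repair-UnquotedServicePath {
    # Wrap the executable portion of the service's ImagePath in quotes.
    # Returns the new ImagePath, or the unchanged value if nothing needed fixing.
    param([Parameter(Mandatory)][string]$Name)

    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$Name"
    $img = (Get-ItemProperty -Path $key -Name ImagePath).ImagePath
    $idx = $img.ToLower().IndexOf('.exe')

    if ($idx -lt 0 -or $img.TrimStart().StartsWith('"')) { return $img }

    $exe   = $img.Substring(0, $idx + 4)
    $rest  = $img.Substring($idx + 4)
    $fixed = "`"$exe`"$rest"

    Set-ItemProperty -Path $key -Name ImagePath -Value $fixed
    return $fixed
}

# Report findings; services running as LocalSystem are the ones to fix first.
$findings = Get-UnquotedServicePath
if ($findings) {
    $findings | Sort-Object RunAs | Format-Table -AutoSize
    # To remediate a specific service after reviewing the output:
    #   Repair-UnquotedServicePath -Name <ServiceName>
} else {
    Write-Output "No unquoted service paths containing spaces were found."
}
```

The audit only reads WMI data and is safe to run anywhere; the repair writes to the service's registry key and takes effect on the next service start, so review each finding (and confirm the quoted path still points at the real binary) before applying it. Monitoring for changes to `ImagePath` values is also a useful detection signal, since that is the same key an attacker would tamper with.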
@AhmedAdel-pz3ob 3 years ago
So many thanks brother, god bless you. Please do more videos on OSCP, thanks again.