From e386a110d90e144ca8e18bd72a7c2abed42e2c43 Mon Sep 17 00:00:00 2001 From: Swissky <12152583+swisskyrepo@users.noreply.github.com> Date: Wed, 27 Jul 2022 17:23:30 +0200 Subject: [PATCH] Find DC --- Methodology and Resources/Active Directory Attack.md | 8 ++++++++ Upload Insecure Files/README.md | 9 +++++++++ 2 files changed, 17 insertions(+) diff --git a/Methodology and Resources/Active Directory Attack.md b/Methodology and Resources/Active Directory Attack.md index 71cba05..a7c3d4c 100644 --- a/Methodology and Resources/Active Directory Attack.md +++ b/Methodology and Resources/Active Directory Attack.md @@ -458,6 +458,14 @@ Replace the customqueries.json file located at `/home/username/.config/bloodhoun Get-AppLockerPolicy -Effective | select -ExpandProperty RuleCollections ``` +### Other Interesting Commands + +- **Find Domain Controller** + ```ps1 + nslookup domain.com + nslookup -type=srv _ldap._tcp.dc._msdcs..com + ``` + ## Most common paths to AD compromise ### MS14-068 (Microsoft Kerberos Checksum Validation Vulnerability) diff --git a/Upload Insecure Files/README.md b/Upload Insecure Files/README.md index 8a17f57..a6b11a9 100644 --- a/Upload Insecure Files/README.md +++ b/Upload Insecure Files/README.md @@ -95,6 +95,15 @@ Valid pictures hosting PHP code. Upload the picture and use a local file inclusi - Picture Metadata, hide the payload inside a comment tag in the metadata. - Picture Resize, hide the payload within the compression algorithm in order to bypass a resize. Also defeating `getimagesize()` and `imagecreatefromgif()`. +### Picture with custom metadata + +Create a custom picture and insert exif tag with `exiftool`. A list of multiple exif tags can be found at [exiv2.org](https://exiv2.org/tags.html) + +```ps1 +convert -size 110x110 xc:white payload.jpg +exiftool -Copyright="PayloadsAllTheThings" -Artist="Pentest" -ImageUniqueID="Example" payload.jpg +``` + ### Configuration Files If you are trying to upload files to a :
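Review bot: In the `Active Directory Attack.md` hunk the SRV lookup has a doubled dot and a dropped label: `nslookup -type=srv _ldap._tcp.dc._msdcs..com`. The line just above uses `domain.com` as the placeholder, so this should read `nslookup -type=srv _ldap._tcp.dc._msdcs.domain.com` to stay consistent and to actually resolve when a reader substitutes their own domain. The `ps1` fence tag is fine here since `nslookup` behaves the same from PowerShell and cmd, but a short note that the `_msdcs` SRV records are what clients use to locate domain controllers would make the "Find Domain Controller" bullet self-explanatory.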
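Review bot: In the `Upload Insecure Files/README.md` hunk the code block is fenced as `ps1`, but `convert` (ImageMagick) and `exiftool` are ordinary command-line tools, so `sh`/`bash` would be the accurate tag and match the rest of the README's shell examples. Two wording fixes in the same hunk: "insert exif tag" should be "insert EXIF tags" (the example sets three), and the sentence ending at `[exiv2.org](https://exiv2.org/tags.html)` is missing its period. It would also help readers to name `convert` as ImageMagick's `convert` in the prose, since the bare command name is easy to confuse with the Windows `convert.exe`.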