Windows
Using BloodHound to visualize the attack path:
>runas /netonly /user:[Domain]\[UserID] cmd.exe
>net view \\[Domain]
>SharpHound.exe -d [domain] --domaincontroller [DC IP] --CollectionMethods DCOnly
1. Spawn a CMD shell as a user in that domain using runas and its /netonly flag
2. Verify you've got valid domain authentication by using the net binary. If you can see the SYSVOL and NETLOGON folders, you're good.
3. Run SharpHound from that endpoint (the one the shell was spawned on) to collect the data from the DC
PS > cmd /c sc query
List the services running on the machine
>systeminfo
List network, hotfix, Hyper-V and other OS information for the machine
PS >Get-WmiObject Win32_Service
List the services on the machine
>net start
List the started (running) services on the machine
PS >cd HKLM:\system\currentcontrolset\services
PS HKEY_LOCAL_MACHINE\system\currentcontrolset\services>ls
List services by cd'ing into the services key of the registry hive in PowerShell
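The registry listing above only shows key names. The following is an added example (not from the original notes) that reads the same HKLM:\SYSTEM\CurrentControlSet\Services key and pulls out the values a reviewer actually wants: start type, the account the service runs as, and the binary path. It assumes a local PowerShell session with rights to read the hive; the value names (Type, Start, ObjectName, ImagePath) are the standard ones Windows stores for every service.

```powershell
# Added example: enumerate Win32 services from the registry, with the fields that
# matter when reviewing what runs as LocalSystem at boot.
$startTypes = @{ 0 = 'Boot'; 1 = 'System'; 2 = 'Automatic'; 3 = 'Manual'; 4 = 'Disabled' }

function Get-RegistryService {
    Get-ChildItem -Path 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $p = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
            # Type 0x10 / 0x20 = Win32 own-process / shared-process service.
            # Kernel and filesystem drivers (Type 0x1 / 0x2) are skipped here.
            if ($null -eq $p.Type -or (($p.Type -band 0x30) -eq 0)) { return }
            $start = if ($null -ne $p.Start -and $startTypes.ContainsKey([int]$p.Start)) {
                $startTypes[[int]$p.Start]
            } else { 'Unknown' }
            [pscustomobject]@{
                Name      = $_.PSChildName
                StartType = $start
                Account   = $p.ObjectName   # LocalSystem, NT AUTHORITY\..., or a named account
                ImagePath = $p.ImagePath    # the binary (and arguments) the SCM launches
            }
        }
}

# Usage: services that start automatically as LocalSystem; their ImagePath should point
# into protected directories (e.g. %SystemRoot%) and be ACL'd so non-admins cannot write.
Get-RegistryService |
    Where-Object { $_.Account -eq 'LocalSystem' -and $_.StartType -eq 'Automatic' } |
    Sort-Object Name |
    Format-Table -AutoSize
```

Compare the output with `sc query` and `Get-WmiObject Win32_Service` from the notes above: the registry view also shows services whose binary is missing or disabled, which the SCM-backed commands omit.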
>ldapsearch -h [IP] -x -b "DC=cascade,DC=local"
Perform an LDAP search with anonymous authentication. -x means simple authentication (no bind DN or password is given, so the bind is anonymous), -b is the search base, -h is the IP of the LDAP server.
>ldapsearch -h [IP] -x -b "DC=cascade,DC=local" "objectclass=user"
Same anonymous LDAP search, filtered to objects of class user
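Whether those ldapsearch commands return anything depends on the DC permitting anonymous (unauthenticated) searches below the RootDSE, which is off by default and only enabled through the forest's dSHeuristics setting. Below is an added example (not from the original notes) that performs the same anonymous search from PowerShell with System.DirectoryServices.Protocols so a defender can check the setting from a Windows host. $Server and $BaseDn are placeholders; 'DC=cascade,DC=local' is the search base used in the notes.

```powershell
# Added example: does this DC answer anonymous LDAP searches under the domain base?
# Expected on a default-configured DC: AnonymousSearch = False (the search is rejected
# with an "operations error" asking for a successful bind first).
Add-Type -AssemblyName System.DirectoryServices.Protocols

function Test-AnonymousLdapSearch {
    param(
        [Parameter(Mandatory)] [string] $Server,   # DC hostname or IP (placeholder)
        [Parameter(Mandatory)] [string] $BaseDn,   # search base, like -b in ldapsearch
        [string] $Filter = '(objectClass=user)'    # same filter as the notes
    )
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection("${Server}:389")
    # Anonymous auth is the equivalent of ldapsearch -x with no -D/-w
    $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Anonymous
    $conn.SessionOptions.ProtocolVersion = 3
    $req = New-Object System.DirectoryServices.Protocols.SearchRequest(
        $BaseDn, $Filter,
        [System.DirectoryServices.Protocols.SearchScope]::Subtree,
        @('sAMAccountName'))
    try {
        $resp = $conn.SendRequest($req)   # AutoBind performs the anonymous bind for us
        [pscustomobject]@{ Server = $Server; AnonymousSearch = $true;  Entries = $resp.Entries.Count; Error = $null }
    } catch {
        [pscustomobject]@{ Server = $Server; AnonymousSearch = $false; Entries = 0; Error = $_.Exception.Message }
    } finally {
        $conn.Dispose()
    }
}

# Usage (placeholder server):
Test-AnonymousLdapSearch -Server '[IP]' -BaseDn 'DC=cascade,DC=local' | Format-List
```

If AnonymousSearch comes back True, the forest's dSHeuristics has anonymous LDAP operations turned on and every user object is readable without credentials; the fix is to clear that setting on the DC rather than to firewall port 389.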
>Get-ADObject -filter 'isDeleted -eq $true -and name -ne "Deleted Objects"' -includeDeletedObjects
Get deleted AD objects from the "AD Recycle Bin"
>Get-ADObject -filter { SAMAccountName -eq "[accountname]" } -includeDeletedObjects -property *
Get all properties of an AD account, including one that has been deleted
Linux
Recon for PrivEsc
1. LinPeas
2. LinEnum
3. Linux Exploit Suggester