
# Red Teaming

- [Enumeration](https://ret2basic.gitbook.io/ctfnote/red-teaming/enumeration.md)
- [Service Enumeration](https://ret2basic.gitbook.io/ctfnote/red-teaming/enumeration/service-enumeration.md)
- [SMTP (Port 25)](https://ret2basic.gitbook.io/ctfnote/red-teaming/enumeration/service-enumeration/smtp-port-25.md)
- [Samba (Port 139, 445)](https://ret2basic.gitbook.io/ctfnote/red-teaming/enumeration/service-enumeration/samba-port-139-445.md)
- [SNMP (Port 161,162,10161,10162)](https://ret2basic.gitbook.io/ctfnote/red-teaming/enumeration/service-enumeration/snmp-port-161-162-10161-10162.md)
- [rsync (Port 873)](https://ret2basic.gitbook.io/ctfnote/red-teaming/enumeration/service-enumeration/rsync-port-873.md)
- [NFS (Port 2049)](https://ret2basic.gitbook.io/ctfnote/red-teaming/enumeration/service-enumeration/nfs-port-2049.md)
- [Apache JServ Protocol (Port 8081)](https://ret2basic.gitbook.io/ctfnote/red-teaming/enumeration/service-enumeration/apache-jserv-protocol-port-8081.md): Ghostcat
- [NetBIOS](https://ret2basic.gitbook.io/ctfnote/red-teaming/enumeration/service-enumeration/netbios.md): Network Basic Input/Output System
- [Nmap](https://ret2basic.gitbook.io/ctfnote/red-teaming/enumeration/nmap.md): Search for hosts on a network
- [Gobuster / Feroxbuster / ffuf / Wfuzz](https://ret2basic.gitbook.io/ctfnote/red-teaming/enumeration/gobuster-feroxbuster-fuff-wfuzz.md)
- [Drupal](https://ret2basic.gitbook.io/ctfnote/red-teaming/enumeration/drupal.md)
- [Exploitation](https://ret2basic.gitbook.io/ctfnote/red-teaming/exploitation.md): Hack The Planet
- [Public Exploits](https://ret2basic.gitbook.io/ctfnote/red-teaming/exploitation/public-exploits.md): searchsploit, Github
- [PHP Webshells](https://ret2basic.gitbook.io/ctfnote/red-teaming/exploitation/php-webshells.md): wso, p0wny
- [Reverse Shell](https://ret2basic.gitbook.io/ctfnote/red-teaming/exploitation/reverse-shell.md)
- [TTY](https://ret2basic.gitbook.io/ctfnote/red-teaming/exploitation/tty.md)
- [File Transfer](https://ret2basic.gitbook.io/ctfnote/red-teaming/exploitation/file-transfer.md)
- [Metasploit](https://ret2basic.gitbook.io/ctfnote/red-teaming/exploitation/metasploit.md)
- [Password Spray](https://ret2basic.gitbook.io/ctfnote/red-teaming/exploitation/password-spray.md)
- [Buffer Overflow](https://ret2basic.gitbook.io/ctfnote/red-teaming/buffer-overflow.md)
- [Step 0: Spiking (Optional)](https://ret2basic.gitbook.io/ctfnote/red-teaming/buffer-overflow/step-0-spiking-optional.md): generic\_send\_tcp
- [Step 1: Fuzzing](https://ret2basic.gitbook.io/ctfnote/red-teaming/buffer-overflow/step-1-fuzzing.md): AAAAAAAA
- [Step 2: Finding the Offset](https://ret2basic.gitbook.io/ctfnote/red-teaming/buffer-overflow/step-2-finding-the-offset.md): pattern\_create and pattern\_offset
- [Step 3: Overwriting the EIP](https://ret2basic.gitbook.io/ctfnote/red-teaming/buffer-overflow/step-3-overwriting-the-eip.md): EIP=0x42424242
- [Step 4: Finding Bad Characters](https://ret2basic.gitbook.io/ctfnote/red-teaming/buffer-overflow/step-4-finding-bad-characters.md): badchars
- [Step 5: Finding the Right Module](https://ret2basic.gitbook.io/ctfnote/red-teaming/buffer-overflow/step-5-finding-the-right-module.md): JMP ESP
- [Step 6: Generating Shellcode and Gaining Root](https://ret2basic.gitbook.io/ctfnote/red-teaming/buffer-overflow/step-6-generating-shellcode-and-gaining-root.md): msfvenom
- [Privilege Escalation](https://ret2basic.gitbook.io/ctfnote/red-teaming/privilege-escalation.md)
- [Linux Privilege Escalation](https://ret2basic.gitbook.io/ctfnote/red-teaming/privilege-escalation/linux-privilege-escalation.md)
- [Linux Permissions](https://ret2basic.gitbook.io/ctfnote/red-teaming/privilege-escalation/linux-privilege-escalation/linux-permissions.md): rwx
- [Manual Enumeration](https://ret2basic.gitbook.io/ctfnote/red-teaming/privilege-escalation/linux-privilege-escalation/manual-enumeration.md): System, user, network, and password
- [Automated Tools](https://ret2basic.gitbook.io/ctfnote/red-teaming/privilege-escalation/linux-privilege-escalation/automated-tools.md): LinPEAS!
- [Kernel Exploits](https://ret2basic.gitbook.io/ctfnote/red-teaming/privilege-escalation/linux-privilege-escalation/kernel-exploits.md): Dirty Cow!
- [Passwords and File Permissions](https://ret2basic.gitbook.io/ctfnote/red-teaming/privilege-escalation/linux-privilege-escalation/passwords.md): Plaintext passwords vs. password hashes
- [SSH Keys](https://ret2basic.gitbook.io/ctfnote/red-teaming/privilege-escalation/linux-privilege-escalation/ssh-keys.md): id\_rsa, id\_rsa.pub, authorized\_keys
- [Sudo](https://ret2basic.gitbook.io/ctfnote/red-teaming/privilege-escalation/linux-privilege-escalation/sudo.md): sudo -l
- [SUID](https://ret2basic.gitbook.io/ctfnote/red-teaming/privilege-escalation/linux-privilege-escalation/suid.md): find / -perm -u=s -type f 2>/dev/null
- [Capabilities](https://ret2basic.gitbook.io/ctfnote/red-teaming/privilege-escalation/linux-privilege-escalation/capabilities.md): "Better" than SUID but vulnerable in the same way
- [Cron Jobs](https://ret2basic.gitbook.io/ctfnote/red-teaming/privilege-escalation/linux-privilege-escalation/cron-jobs.md): /etc/crontab
- [NFS Root Squashing](https://ret2basic.gitbook.io/ctfnote/red-teaming/privilege-escalation/linux-privilege-escalation/nfs-root-squashing.md): no\_root\_squash
- [Docker](https://ret2basic.gitbook.io/ctfnote/red-teaming/privilege-escalation/linux-privilege-escalation/docker.md): docker run -v /:/mnt --rm -it bash chroot /mnt sh
- [GNU C Library](https://ret2basic.gitbook.io/ctfnote/red-teaming/privilege-escalation/linux-privilege-escalation/gnu-c-library.md): ldd --version
- [Exim](https://ret2basic.gitbook.io/ctfnote/red-teaming/privilege-escalation/linux-privilege-escalation/exim.md): which exim
- [Linux Privilege Escalation Course Capstone](https://ret2basic.gitbook.io/ctfnote/red-teaming/privilege-escalation/linux-privilege-escalation/linux-privilege-escalation-course-capstone.md): Five boxes from TryHackMe
- [Windows Privilege Escalation](https://ret2basic.gitbook.io/ctfnote/red-teaming/privilege-escalation/windows-privilege-escalation.md)
- [Manual Enumeration](https://ret2basic.gitbook.io/ctfnote/red-teaming/privilege-escalation/windows-privilege-escalation/manual-enumeration.md): System, user, network, password, and AV
- [Automated Tools](https://ret2basic.gitbook.io/ctfnote/red-teaming/privilege-escalation/windows-privilege-escalation/tools.md): WinPEAS!
- [Kernel Exploits](https://ret2basic.gitbook.io/ctfnote/red-teaming/privilege-escalation/windows-privilege-escalation/kernel-exploits.md): Kitrap0d!
- [Passwords and Port Forwarding](https://ret2basic.gitbook.io/ctfnote/red-teaming/privilege-escalation/windows-privilege-escalation/passwords-and-port-forwarding.md): plink.exe
- [WSL](https://ret2basic.gitbook.io/ctfnote/red-teaming/privilege-escalation/windows-privilege-escalation/windows-subsystem-for-linux.md): Windows Subsystem for Linux
- [Token Impersonation and Potato Attacks](https://ret2basic.gitbook.io/ctfnote/red-teaming/privilege-escalation/windows-privilege-escalation/token-impersonation-and-potato-attacks.md)
- [Meterpreter getsystem](https://ret2basic.gitbook.io/ctfnote/red-teaming/privilege-escalation/windows-privilege-escalation/meterpreter-getsystem.md): Easy win??? Not really.
- [Runas](https://ret2basic.gitbook.io/ctfnote/red-teaming/privilege-escalation/windows-privilege-escalation/runas.md)
- [UAC Bypass](https://ret2basic.gitbook.io/ctfnote/red-teaming/privilege-escalation/windows-privilege-escalation/uac-bypass.md)
- [Registry](https://ret2basic.gitbook.io/ctfnote/red-teaming/privilege-escalation/windows-privilege-escalation/registry.md)
- [Executable Files](https://ret2basic.gitbook.io/ctfnote/red-teaming/privilege-escalation/windows-privilege-escalation/executable-files-1.md)
- [Startup Applications](https://ret2basic.gitbook.io/ctfnote/red-teaming/privilege-escalation/windows-privilege-escalation/startup-applications.md)
- [DLL Hijacking](https://ret2basic.gitbook.io/ctfnote/red-teaming/privilege-escalation/windows-privilege-escalation/dll-hijacking.md)
- [Service Permissions (Paths)](https://ret2basic.gitbook.io/ctfnote/red-teaming/privilege-escalation/windows-privilege-escalation/service-permissions-paths.md)
- [CVE-2019-1388](https://ret2basic.gitbook.io/ctfnote/red-teaming/privilege-escalation/windows-privilege-escalation/cve-2019-1388.md)
- [HiveNightmare](https://ret2basic.gitbook.io/ctfnote/red-teaming/privilege-escalation/windows-privilege-escalation/hivenightmare.md): aka SeriousSam or CVE-2021-36934
- [Bypass Space Filter](https://ret2basic.gitbook.io/ctfnote/red-teaming/privilege-escalation/windows-privilege-escalation/crazy-stuff.md): C:\PROGRA~2
- [Post Exploitation](https://ret2basic.gitbook.io/ctfnote/red-teaming/post-exploitation.md)
- [Linux Post Exploitation](https://ret2basic.gitbook.io/ctfnote/red-teaming/post-exploitation/linux-post-exploitation.md)
- [Add a User](https://ret2basic.gitbook.io/ctfnote/red-teaming/post-exploitation/linux-post-exploitation/add-a-user.md)
- [SSH Key](https://ret2basic.gitbook.io/ctfnote/red-teaming/post-exploitation/linux-post-exploitation/ssh-key.md)
- [Windows Post Exploitation](https://ret2basic.gitbook.io/ctfnote/red-teaming/post-exploitation/windows-post-exploitation.md)
- [windows-resources](https://ret2basic.gitbook.io/ctfnote/red-teaming/post-exploitation/windows-post-exploitation/windows-resources.md)
- [Add a User](https://ret2basic.gitbook.io/ctfnote/red-teaming/post-exploitation/windows-post-exploitation/add-a-user.md)
- [RDP](https://ret2basic.gitbook.io/ctfnote/red-teaming/post-exploitation/windows-post-exploitation/rdp.md)
- [Pivoting](https://ret2basic.gitbook.io/ctfnote/red-teaming/pivoting.md)
- [Windows: Chisel](https://ret2basic.gitbook.io/ctfnote/red-teaming/pivoting/windows-chisel.md)
- [Linux: sshuttle](https://ret2basic.gitbook.io/ctfnote/red-teaming/pivoting/linux-sshuttle.md)
- [Active Directory (AD)](https://ret2basic.gitbook.io/ctfnote/red-teaming/active-directory-ad.md)
- [Initial Compromise](https://ret2basic.gitbook.io/ctfnote/red-teaming/active-directory-ad/initial-compromise.md)
- [HTA Phishing](https://ret2basic.gitbook.io/ctfnote/red-teaming/active-directory-ad/initial-compromise/hta-phishing.md)
- [VBA Macro Phishing](https://ret2basic.gitbook.io/ctfnote/red-teaming/active-directory-ad/initial-compromise/vba-macro-phishing.md)
- [LLMNR Poisoning](https://ret2basic.gitbook.io/ctfnote/red-teaming/active-directory-ad/initial-compromise/llmnr-poisoning.md)
- [SMB Relay](https://ret2basic.gitbook.io/ctfnote/red-teaming/active-directory-ad/initial-compromise/smb-relay.md)
- [GPP / cPassword](https://ret2basic.gitbook.io/ctfnote/red-teaming/active-directory-ad/initial-compromise/gpp-cpassword.md): gpp-decrypt
- [Domain Enumeration](https://ret2basic.gitbook.io/ctfnote/red-teaming/active-directory-ad/domain-enumeration.md)
- [Manual Enumeration](https://ret2basic.gitbook.io/ctfnote/red-teaming/active-directory-ad/domain-enumeration/manual-enumeration.md)
- [PowerView](https://ret2basic.gitbook.io/ctfnote/red-teaming/active-directory-ad/domain-enumeration/powerview.md)
- [BloodHound](https://ret2basic.gitbook.io/ctfnote/red-teaming/active-directory-ad/domain-enumeration/bloodhound.md)
- [Lateral Movement](https://ret2basic.gitbook.io/ctfnote/red-teaming/active-directory-ad/lateral-movement.md)
- [PsExec](https://ret2basic.gitbook.io/ctfnote/red-teaming/active-directory-ad/lateral-movement/psexec.md)
- [WMI](https://ret2basic.gitbook.io/ctfnote/red-teaming/active-directory-ad/lateral-movement/wmi.md)
- [Runas](https://ret2basic.gitbook.io/ctfnote/red-teaming/active-directory-ad/lateral-movement/runas.md)
- [Pass the Hash](https://ret2basic.gitbook.io/ctfnote/red-teaming/active-directory-ad/lateral-movement/pass-the-hash.md)
- [Overpass the Hash](https://ret2basic.gitbook.io/ctfnote/red-teaming/active-directory-ad/lateral-movement/overpass-the-hash.md)
- [Pass the Ticket](https://ret2basic.gitbook.io/ctfnote/red-teaming/active-directory-ad/lateral-movement/pass-the-ticket.md)
- [Kerberos](https://ret2basic.gitbook.io/ctfnote/red-teaming/active-directory-ad/kerberos.md)
- [Kerberoast](https://ret2basic.gitbook.io/ctfnote/red-teaming/active-directory-ad/kerberos/kerberoast.md)
- [AS-REP Roast](https://ret2basic.gitbook.io/ctfnote/red-teaming/active-directory-ad/kerberos/as-rep-roast.md)
- [MS SQL Server](https://ret2basic.gitbook.io/ctfnote/red-teaming/active-directory-ad/ms-sql-server.md)
- [Command & Control (C2)](https://ret2basic.gitbook.io/ctfnote/red-teaming/command-and-control-c2.md)
- [Cobalt Strike](https://ret2basic.gitbook.io/ctfnote/red-teaming/command-and-control-c2/cobalt-strike.md)
- [Bypassing Defences](https://ret2basic.gitbook.io/ctfnote/red-teaming/command-and-control-c2/cobalt-strike/bypassing-defences.md)
- [Artifact Kit](https://ret2basic.gitbook.io/ctfnote/red-teaming/command-and-control-c2/cobalt-strike/bypassing-defences/artifact-kit.md)
- [Resource Kit](https://ret2basic.gitbook.io/ctfnote/red-teaming/command-and-control-c2/cobalt-strike/bypassing-defences/resource-kit.md)
- [AMSI Bypass](https://ret2basic.gitbook.io/ctfnote/red-teaming/command-and-control-c2/cobalt-strike/bypassing-defences/amsi-bypass.md)
- [PowerPick](https://ret2basic.gitbook.io/ctfnote/red-teaming/command-and-control-c2/cobalt-strike/bypassing-defences/powerpick.md)
- [Extending Cobalt Strike](https://ret2basic.gitbook.io/ctfnote/red-teaming/command-and-control-c2/cobalt-strike/extending-cobalt-strike.md)
- [Elevate Kit](https://ret2basic.gitbook.io/ctfnote/red-teaming/command-and-control-c2/cobalt-strike/extending-cobalt-strike/elevate-kit.md)
- [Malleable C2 Profile](https://ret2basic.gitbook.io/ctfnote/red-teaming/command-and-control-c2/cobalt-strike/extending-cobalt-strike/malleable-c2-profile.md)
- [Metasploit](https://ret2basic.gitbook.io/ctfnote/red-teaming/command-and-control-c2/metasploit.md)
- [Payloads](https://ret2basic.gitbook.io/ctfnote/red-teaming/command-and-control-c2/metasploit/payloads.md)
- [Post Exploitation](https://ret2basic.gitbook.io/ctfnote/red-teaming/command-and-control-c2/metasploit/post-exploitation.md)
- [Automation](https://ret2basic.gitbook.io/ctfnote/red-teaming/command-and-control-c2/metasploit/automation.md)
- [C2 Development](https://ret2basic.gitbook.io/ctfnote/red-teaming/command-and-control-c2/c2-development.md)
- [Malware Development](https://ret2basic.gitbook.io/ctfnote/red-teaming/malware-development.md)
- ["Hot Dropper"](https://ret2basic.gitbook.io/ctfnote/red-teaming/malware-development/hot-dropper.md)
- [PE Format](https://ret2basic.gitbook.io/ctfnote/red-teaming/malware-development/pe-format.md)
- [Overview](https://ret2basic.gitbook.io/ctfnote/red-teaming/malware-development/pe-format/overview.md)
- [Process Injection](https://ret2basic.gitbook.io/ctfnote/red-teaming/malware-development/process-injection.md)
- [Reflective DLL](https://ret2basic.gitbook.io/ctfnote/red-teaming/malware-development/reflective-dll.md)
- [x86 <=> x64](https://ret2basic.gitbook.io/ctfnote/red-teaming/malware-development/x86-less-than-greater-than-x64.md)
- [Hooking](https://ret2basic.gitbook.io/ctfnote/red-teaming/malware-development/hooking.md)
- [VeraCry](https://ret2basic.gitbook.io/ctfnote/red-teaming/malware-development/veracry.md)
- [Offensive C#](https://ret2basic.gitbook.io/ctfnote/red-teaming/malware-development/offensive-c.md)
- [AV Evasion](https://ret2basic.gitbook.io/ctfnote/red-teaming/malware-development/av-evasion.md)
- [AV Evasion with C# and PowerShell](https://ret2basic.gitbook.io/ctfnote/red-teaming/malware-development/av-evasion/av-evasion-with-c-and-powershell.md)
- [AMSI Bypass](https://ret2basic.gitbook.io/ctfnote/red-teaming/malware-development/av-evasion/amsi-bypass.md)


