Pentesting on Amit Agarwal Linux Blog /categories/pentesting/ Recent content in Pentesting on Amit Agarwal Linux Blog Hugo -- gohugo.io en Tue, 30 Dec 2025 00:00:00 +0530 Abusing Active Directory Certificate Services with Certipy: From Initial Access to Beyond Root /2025/12/30/2025-12-30-hacklab-ad_certificate/ Tue, 30 Dec 2025 00:00:00 +0530 /2025/12/30/2025-12-30-hacklab-ad_certificate/ This post covers an alternative attack path in an Active Directory lab using AD CS misconfigurations. It walks through Certipy-based enumeration, certificate abuse, domain escalation, and advanced post-compromise recon beyond Domain Admin. Building and Breaking a Vulnerable Active Directory Lab: Full Exploitation Walkthrough /2025/12/29/2025-12-29-hacklab-ad/ Mon, 29 Dec 2025 00:00:00 +0530 /2025/12/29/2025-12-29-hacklab-ad/ This post shows how to build a vulnerable Active Directory lab and then exploit it step by step, with real commands, real attack paths, and real lessons. Mobile_App_Mindmap /2025/08/28/2025-08-28-Mobile_App_Mindmap/ Thu, 28 Aug 2025 00:00:00 +0530 /2025/08/28/2025-08-28-Mobile_App_Mindmap/ <iframe src="/mobilehacking.html" style="width:100%;height:600px;border:none;"></iframe> Cyborg Room Walkthrough /2024/11/17/2024-11-17-TryHackMe-Cyborg/ Sun, 17 Nov 2024 00:00:00 +0530 /2024/11/17/2024-11-17-TryHackMe-Cyborg/ <h1 id="room-overview">Room Overview</h1> <p><strong>Room URL:</strong> <a href="https://tryhackme.com/r/room/cyborgt8">Cyborg</a></p> <p><strong>Room IP:</strong> <code>10.10.79.217</code> - This will be different for you.</p> <h2 id="recon">Recon</h2> <p>We begin our reconnaissance phase by scanning the target using Nmap. This helps us identify the open ports and services running on the machine.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">Starting Nmap 7.60 <span class="o">(</span> https://nmap.org <span class="o">)</span> at 2024-10-28 16:28 GMT </span></span><span class="line"><span class="cl">Nmap scan report <span class="k">for</span> ip-10-10-79-217.eu-west-1.compute.internal <span class="o">(</span>10.10.79.217<span class="o">)</span> </span></span><span class="line"><span class="cl">Host is up <span class="o">(</span>0.018s latency<span class="o">)</span>. </span></span><span class="line"><span class="cl">Not shown: <span class="m">998</span> closed ports </span></span><span class="line"><span class="cl">PORT STATE SERVICE VERSION </span></span><span class="line"><span class="cl">22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 <span class="o">(</span>Ubuntu Linux<span class="p">;</span> protocol 2.0<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> ssh-hostkey: </span></span><span class="line"><span class="cl"><span class="p">|</span> <span class="m">2048</span> db:b2:70:f3:07:ac:32:00:3f:81:b8:d0:3a:89:f3:65 <span class="o">(</span>RSA<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> <span class="m">256</span> 68:e6:85:2f:69:65:5b:e7:c6:31:2c:8e:41:67:d7:ba <span class="o">(</span>ECDSA<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span>_ <span class="m">256</span> 56:2c:79:92:ca:23:c3:91:49:35:fa:dd:69:7c:ca:ab <span class="o">(</span>EdDSA<span class="o">)</span> </span></span><span class="line"><span class="cl">80/tcp open http Apache httpd 2.4.18 <span class="o">((</span>Ubuntu<span class="o">))</span> </span></span><span class="line"><span class="cl"><span class="p">|</span>_http-server-header: Apache/2.4.18 <span class="o">(</span>Ubuntu<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span>_http-title: Apache2 Ubuntu Default Page: It works </span></span><span class="line"><span class="cl">MAC Address: 02:1F:A9:A5:69:89 <span class="o">(</span>Unknown<span class="o">)</span> </span></span><span class="line"><span class="cl">Service Info: OS: Linux<span class="p">;</span> CPE: cpe:/o:linux:linux_kernel </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Nmap <span class="k">done</span>: <span class="m">1</span> IP address <span class="o">(</span><span class="m">1</span> host up<span class="o">)</span> scanned in 8.96 seconds </span></span></code></pre></td></tr></table> </div> </div><h2 id="web-enumeration">Web Enumeration</h2> <p>Next, we perform directory enumeration using Gobuster to find hidden directories on the web server.</p> Preparation and Review of eMAPT (INE security FKA eLearnSecurity Mobile Application Penetration Tester /2024/04/05/2024-04-05-eMAPT/ Fri, 05 Apr 2024 00:00:00 +0530 /2024/04/05/2024-04-05-eMAPT/ <p>I started thinking about Mobile pentesting sometime back. Finally in Feb/2024, I paid for the yearly subscription for <a href="https://ine.com/">INE</a> and added <strong>eMAPT</strong> to my cart. If you dont know about eMAPT cert, then head over to <a href="https://security.ine.com/certifications/emapt-certification/">eMAPT certification</a>. And as per their home page</p> <blockquote> <p>The Mobile Application Penetration Tester (eMAPT) certification is issued to cyber security experts that display advanced mobile application security knowledge through a scenario-based exam.</p> </blockquote> <p>And on Apr/05/2024, I got My Certificate. <img src="https://api.accredible.com/v1/frontend/credential_website_embed_image/certificate/100329258" alt="My Certificate"></p>