Cristian Cornea
Notes
JScript (.js) Dropper
HTML Smuggling (automatically download a malicious file through JavaScript)
Special XSS Payload (obfuscated)
Cross-Site Websocket Hijacking
Host Header Injection to Manipulate Forgot Password
Localhost blacklist bypass (especially for SSRF)
WAF Bypass
x86 Msfvenom Encoders (good ones!)
TMUX Hijacking
Hidden Windows Text Stream
Find:
Read:
DirtyCOW Exploit (Linux Kernel version from 2.6.22 to 3.9)
https://github.com/FireFart/dirtycow/blob/master/dirty.c
Oracle Enumeration TNS Listener (port 1521)
https://github.com/quentinhardy/odat
Buffer Overflow Bad Chars
JS Meterpreter Payload
Compile on Linux for Windows x86
From MSSQL Injection to RCE
https://www.tarlogic.com/en/blog/red-team-tales-0x01/
Windows Kernel Vulnerabilities Finder - Sherlock (PowerShell)
PowerShell one-liners (incl. file transfers)
Much Better PowerShell Reverse Shell One-Liner
Post-Exploitation Enumerate all users of Domain
Windows XP SP0/SP1 Privilege Escalation:
SUID Flag on /usr/bin/cp command Privilege Escalation
Writable /etc/passwd Privilege Escalation
Bypass robots.txt "You are not a search engine. Permission denied."
ShellShock PHP < 5.6.2
Privilege Escalation through SeImpersonatePrivilege permission (JuicyPotato)
https://github.com/ohpe/juicy-potato/releases
https://www.absolomb.com/2018-05-04-HackTheBox-Tally/
Memcached Pentest & Enumeration
https://www.hackingarticles.in/penetration-testing-on-memcached-server/
Tunneling Post-Exploitation (PortForwarding) through Chisel
https://github.com/jpillora/chisel
Active Directory Users & Groups Enumeration
Tunnelling on Windows
Windows Architecture and Version
Windows Service Start Mode
Windows check permissions over a file/executable with 'icacls'
Permissions:
F - full access
M - modify access
RX - read & execute access
R - read access
W - write-only access
Powershell Running Services
Client-Side .hta (HTML-based Internet Explorer only) Code Execution
Fingerprinting Client-Side Victim
https://github.com/fingerprintjs/fingerprintjs2
Scan Security Headers
PowerShell to retrieve Active Directory objects (including deleted)
Get-ADObject
Decode LDAP Passwords
https://dotnetfiddle.net/2RDoWz
mysql command line alternative
TTY Shell that works almost every time on Linux
Kerberos check for valid usernames or bruteforce user/pass with kerbrute
https://github.com/TarlogicSecurity/kerbrute
Crawls web pages for keywords
TeamViewer Privilege Escalation -> CVE-2019-189888
PowerShell Reverse Shell
Pull the shell:
Wget Alternative for Windows in PowerShell
CVE-2019-10-15 Sudo < 1.2.28 Privilege Escalation
sudo -u#-1 /bin/bash
Adminer Database Management Tool Exploit Bypass Login
https://www.foregenix.com/blog/serious-vulnerability-discovered-in-adminer-tool
Alternate data streams of empty or incomplete file on SMB
allinfo *file*
SMB Recursively List Files
recurse on
ls
Telnet > Netcat
When connecting to a service, where possible, choose TELNET over Netcat
/etc/update-motd.d Privilege Escalation
https://blog.haao.sh/writeups/fowsniff-writeup/
SSH into Victim without password
From the attacker machine generate RSA keypair:
ssh-keygen -t rsa
Copy the public key (id_rsa.pub) into the .ssh/authorized_keys file of the victim.
SSH into the victim with the -i argument (pointing at the private key, id_rsa).
Really Good Privilege Escalation Scripts
https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite
XMPP Authentication Crack
CTF Docs
Test for LDAP NULL BIND
Extract VBA Script from document
Decode Rubber Ducky USB .bin payloads
Crack Android lockscreen from system files (gesture.key)
XOR Analysis
Cryptanalysis
RSA Cracking Tools
Morse Code Audio Decode
Text to 21 Common Ciphers
Crypto Example Challs
Shift in Python
Predict encoding type
Get data, process and respond over a socket
Extract domain names & hosts from PCAP
Domain Names
Hosts
Manual UNION SQLite Injection
Table
Columns (as command)
Values (payload depends on the columns structure)
SQL Injection Little Tips
--
-> Linux
--+
-> Windows
%23 (#)
-> Hash
%2527 (')
-> bypass urldecode(urldecode(htmlspecialchars(, ENT_QUOTES)));
Manual UNION SQL Injection
Table
Columns
Values
Using Newline
Bypass preg_replace
Known Plaintext ZIP
Download pkcrack
Syntax
Python Functions
Files: https://www.w3schools.com/python/python_ref_file.asp
Strings: https://www.w3schools.com/python/python_ref_string.asp
Keywords: https://www.w3schools.com/python/python_ref_keywords.asp
Random: https://www.w3schools.com/python/module_random.asp
PHP Functions
Files: https://www.w3schools.com/php/php_ref_filesystem.asp
Directories: https://www.w3schools.com/php/php_ref_directory.asp
Errors: https://www.w3schools.com/php/php_ref_error.asp
Network: https://www.w3schools.com/php/php_ref_network.asp
Misc: https://www.w3schools.com/php/php_ref_misc.asp
PHP Jail Escape
With file_get_contents()
With readfile()
With popen()
With highlight_file()
With highlight_source()
With Finfo()
XPATH Dump
LFI Retrieve File without executing it
Useful PCAP Reader
ZIP Format Signatures
HEADER
FOOTER
JWT KID Value Exploitation
Sign with public file from server
SQL Injection
Blind XXE to SSRF
ON TARGET
INSIDE DTD FILE
Hidden terminal input history
Search file by name pattern
Search string
Check SUDO privileges/rights