Anonymity
Social Engineering
Information Gathering
Active Gathering
- Windows Interesting Files
- Linux Interesting Files
- Testing SSL/TLS certificates (SSLyze)
- HTTP/HTTPS Enumeration using curl
- Find someone's public IP using an image URL
- PHPinfo: Information Disclosure
- Get website component versions with Wappalyzer
- [Active – Information Gathering] Automated screenshot of websites with goWitness
- [Active – Information Gathering] Check alive URLs from a list using httprobe
- [Active – Information Gathering] Subdomain take over
- [Active – Information Gathering] Finding Sub-Domains with Amass
- [Active – Information Gathering] Finding Sub-Domains with AssetFinder
Services
- 21/tcp FTP – Enumeration
- 25,110,143/tcp SMTP,POP3,IMAP – Enumeration
- 53/tcp DNS – Enumeration
- 53/tcp DNS – Dig enumeration
- 79/tcp finger – Enumeration
- 139,445/tcp – SMB Enumeration
- 135/tcp RPC – [Exploitation] RPC Domain Enumeration
- 1433/tcp MS-SQL – Enumeration MSSQL
- 2049/tcp NFS – Enumeration
Exploitation
Linux – Exploitation
CVE
- Vulnerability Shellshock – CVE-2014-6271
- Apache James Server 2.3.2 – CVE-2015-7611
- WordPress Plugin: Plainview Activity Monitor – (Authenticated) Command Injection – CVE-2018-15877
- Subrion CMS 4.2.1 – Arbitrary File Upload (Authenticated) – CVE-2018-19422
- Confluence Server 7.12.4 – ‘OGNL injection’ Remote Code Execution (RCE) (Unauthenticated)
- ZoneMinder (1.29,1.30) Exploitation (Multiple Vulnerabilities)
- SaltStack Salt REST API Arbitrary Command Execution (CVE-2020-11651, CVE-2020-11652)
- OpenSMTPD < 6.6.1 – Remote Code Execution (smtp_mailaddr) – CVE-2020-7247
- Grafana 8.3.0 – Directory Traversal and Arbitrary File Read – CVE-2021-43798
- Bludit 3.9.2 – Auth Bruteforce Bypass (CVE-2019-17240)
- Ruby PDFKit command execution – (RCE) – CVE-2022-25765
- (CVE-2023-32784)[Credential Dumping] KeePass information disclosure (Password Recovery)
Windows – Exploitation
- LLMNR / NBT-NS Poisoning (Responder tool)
- Windows Password Hashes
- Windows XP – Get Hashes (Local)
- Mount & Extract Password Hashes From VHD Files
- Connect to Windows Remote Management (WinRM) using Evil WinRM
- Impacket Remote code execution (RCE) on Windows from Linux
CVE
- Microsoft Windows – Code Execution (MS08-067) – CVE-2008-4250
- HFS – Code execution – CVE-2014-6287
- ColdFusion 8 FCKeditor CurrentFolder directory traversal / File Upload / RCE – CVE-2009-2265
- PrintNightmare (CVE-2021-1675): Remote code execution in Windows Spooler Service
- Microsoft IIS ScStoragePathFromUrl function buffer overflow – CVE-2017-7269
Active Directory
- Windows Local user & local enumeration
- Domain Enumeration (PowerView & ADRecon)
- Exploiting GPP SYSVOL (Groups.xml)
- Enumerating AD users with LDAP
- Mapping AD relationship using BloodHound
- Kerberoasting – Stealing Service Account credentials (SPN) – Remote
- AS-REP Roasting – Accounts without Kerberos pre-authentication – Remote
- [Active Directory] DCSync Attack
- [Active Directory] Unconstrained delegation
- [Active Directory] Constrained delegation
- [Active Directory] Printer Passback attack
- [Active Directory] IPv6 DNS takeover via MitM
- [Active Directory] SMB Relay attack
- [Active Directory] URL file attacks
- [Active Directory] Post-Compromise Enumeration
- [Active Directory] Kerberos Golden ticket
Web Application
- Testing Web application authentication tips
- Bypass 30X redirect with BurpSuite
- Server-side HTTP Redirection
- Exploiting pChart 2.1.3 (Directory traversal & XSS)
- PhpTax 0.8 – File Manipulation
- Apache Tomcat Manager .war reverse shell
- Exploiting WebDAV
- PHP 8.1.0-dev Backdoor Remote Code Execution (RCE)
File Traversal (LFI – RFI)
- Basics of Path Traversal
- Testing LFI to RCE using auth.log (SSH) poisoning with Mutillidae & BurpSuite
Injection
- Basics Of SQL Injection
- Advanced SQL Injection: Union based
- Blind SQL injection
- Basic XPath Injection
- Basic Command injection
- SMTP Injection attack
Code Injection
File Upload
Access Control
- Access control: Account hijacking with Mutillidae
- Access control RFI & Reading file function exploitation + reverse shell with Mutillidae and BurpSuite
- Execution After Redirect (EAR)
- [Exploitation] Ticket Trick: Exploiting Email Address Verification
Session Management
Authentication
XXE
- XML external entity (XXE) injection
- (XXE) Ladon Framework for Python – XML External Entity Expansion – CVE-2019-1010268
- Exploiting XML External Entities (XXE) in custom application
- [How to] XXExploit Guide
CMS
- Reverse shell on any CMS
- [Exploitation] Reverse shell Joomla
- LotusCMS 3.0 – ‘eval()’ Remote Command Execution
- WordPress Plugin User Role Editor < 4.24 – Privilege Escalation
- Drupal 7.x Module Services – Remote Code Execution
- Umbraco CMS 7.12.4 – (Authenticated) Remote Code Execution
- Bludit 3.9.2 code execution – Path Traversal (Authenticated) (CVE-2019-16113)
- (CVE-2019-17671)[Information Disclosure] WordPress Core < 5.2.3 – Viewing Unauthenticated/Password/Private Posts
- (CVE-2023-23752)[Exploitation] Joomla! CMS security bypass, Unauthenticated Information Disclosure
- [Exploitation](CVE-2023-41892) Craft CMS code execution (Unauthenticated)
API
Network
Steganography
Social Engineering
Cloud
Azure
Azure Enumeration
Unauthenticated
- [Unauthenticated][Information Gathering] Enumerate Azure Office users
- [Unauthenticated][Information Gathering] Enumerate Azure OWA and EWS using MailSniper
- [Unauthenticated][Information Gathering] Enumerate public resources in Azure using Cloud_Enum
- [Unauthenticated][Information Gathering] OneDrive user enumeration
- [Password Spray] Office Microsoft Online accounts (Azure/O365)
Authenticated
- [Authenticated][Information Gathering] Automated Azure Active Directory enumeration using ROADtools
- [Authenticated][Information Gathering] Automated Microsoft 365 Office enumeration using o365recon
- [Authenticated][Information Gathering] Manual Azure enumeration using Azure Az Powershell Module
- [Authenticated][Information Gathering] Manual Azure Active Directory enumeration using AzureAD Powershell Module
Post-Exploitation
Linux – Post-Exploitation
Enumeration Post-Exploitation
- linux-exploit-suggester – Linux kernel exploit enumeration
- LinEnum – Linux Config Enumeration
- Linux Config Enumeration – Linuxprivchecker
- Linux Config Enumeration – Unix-Privesc-Check
- Enumerate Linux using LinPEAS.sh
SUDO
- [Privilege Escalation] SUDO rights to all the commands on the host
- [Privilege Escalation] Sudo – Environment Variables
SUID & Sudo
- [Privilege Escalation] SUID / SGID Executables – Shared Object Injection
- [Privilege Escalation] SUID / SGID Executables – Known Exploits
- [Privilege Escalation] SUID / SGID Executables – Environment Variables
- Perl – Privilege Escalation
- Nmap – Privilege Escalation
- find – privilege escalation
- service – Privilege Escalation
- apt-get – Privilege escalation
- wget – Privilege Escalation
- HT – privilege escalation
- lxd – privilege escalation
- Linux Restricted Shell Bypass
- knife – Privilege Escalation
- MOTD – Privilege Escalation
- (CVE-2023-1326)[Privilege Escalation] apport-cli 2.26.0
- [Privilege Escalation] ZoneMinder Scripts Command Injection (local)
Capabilities
- [Privilege Escalation] Linux Capabilities Python
- [Privilege Escalation] Linux Capabilities Perl
- [Privilege Escalation] Linux Capabilities Tar
Scheduled Tasks
- Exploiting the Cron Jobs Misconfigurations (Privilege Escalation)
- Using crontab and command injection privilege escalation
- Laravel – Scheduled Task – crontab
CVE
- (CVE-2010-2075)[Command Execution] UnrealIRCD 3.2.8.1 Backdoor
- ssl-heartbleed – CVE-2014-0160
- Chkrootkit 0.49 – Local Privilege Escalation – CVE-2014-0476
- ‘overlayfs’ Local Privilege Escalation – CVE-2015-1328
- (CVE-2016-5195)[Privilege Escalation] Dirty COW – 'PTRACE_POKEDATA' Race Condition
- Sudo ALL keyword security bypass – Privilege Escalation – (CVE-2019-14287)
- (CVE-2019-18634)[Privilege Escalation] Sudo 1.8.25p (pwfeedback) Buffer Overflow
- (CVE-2019-14287)[Privilege Escalation] sudo 1.8.27 – Security Bypass
- (CVE-2021-3560)[Local Privilege Escalation] Polkit 0.105-26 / 0.117-2
- ExifTool 12.23 – Arbitrary Code Execution – (Privilege escalation) – CVE-2021-22204
- Dirty Pipe – Linux Kernel privilege escalation (CVE-2022-0847)
- (CVE-2023-32629 & CVE-2023-2640)[Privilege Escalation] GameOver(lay) Ubuntu Privilege Escalation
- (CVE-2023-1326)[Privilege Escalation] apport-cli 2.26.0
- (CVE-2023-38646)[Privilege Escalation] Metabase Pre-auth RCE
Misconfig
- Disk group privilege escalation
- (Privilege Escalation) Linux Path hijacking
- [Privilege Escalation] Weak File Permissions – /etc/shadow
- [Privilege Escalation] Weak File Permissions – Writable /etc/passwd
- [Privilege Escalation] SSH Keys
- [Privilege Escalation] NFS Squashing (no_root_squash/no_all_squash)
Dumping Credentials
Programming
- Exploiting Python EVAL() Code Injection
- [C] Exploiting system() Calls in C and Command Injection
- [Privilege Escalation] Java Jar file enumeration/Code Review
- [Privilege Escalation] Unquoted Expression Injection Bash
- Exploiting JavaScript EVAL() Code Injection
- Ruby – Insecure Deserialization – YAML (Privilege Escalation – Code Execution)
Windows – Post-Exploitation
CVE Exploits
- Windows MS10-092 – Schelevator – Privilege Escalation
- Windows Exploit MS15-051 – CVE-2015-1701 – Privilege Escalation
- kitrap0d: Windows Kernel Could Allow Elevation of Privilege (MS10-015) – CVE-2010-0232
- Microsoft Windows (x86) – 'afd.sys' Local Privilege Escalation (MS11-046) – CVE-2011-1249
- Microsoft Windows 7 < 10 / 2008 < 2012 R2 (x86/x64) – Local Privilege Escalation (MS16-032) – CVE-2016-0099
- Microsoft Windows Server 2003 SP2 – TCP/IP IOCTL Privilege Escalation (MS14-070) – CVE-2014-4076
- (CVE-2019-1388)[Privilege Escalation] Microsoft Windows Certificate Dialog privilege escalation
- (CVE-2020-1472)[Privilege Escalation] ZeroLogon, Microsoft Windows Netlogon
Enumeration Post-Exploitation
- Windows basic manual post-exploitation recon
- Download files using windows (HTTP, FTP, SMB)
- Local_exploit_suggester – Windows Enum
- Windows-Exploit-Suggester – Windows Enum
- WinPEAS – Windows Enum
- Enumerate Windows Using PowerUP
- SMB server with Impacket smbserver
- How to enumerate Windows using JAWS
- Windows Exploit Suggester – Next Generation (WES-NG)
- Empire Post-Exploitation Windows
- Sherlock &amp; Empire – Loading Modules into Empire
- Sherlock – Find missing Windows patches for Local Privilege Escalation
- Watson – Find missing Windows patches for Local Privilege Escalation
- How to use unicorn to spawn a shell
- Exploiting mRemoteNG
- Bind & Reverse Shell using powercat
Dumping Credentials
- [Credential Dumping] Hunting for passwords in usual spots
- Windows Password Hashes
- Windows XP – Get Hashes (Local)
- Windows 7 – Get Hashes (Local)
- Windows 10 – Get Hashes (Local)
- Windows 10 – Get Hashes (Domain)
- Domain Server – Get Hashes
Misconfiguration
DLL hijacking
Service Path Permissions
- [Privilege Escalation] Windows Weak Service Permissions
- [Privilege Escalation] Unquoted Service Path (Windows)
- [Privilege Escalation] Insecure Permissions on Service Executable
- [Privilege Escalation] Insecure Service Permissions BinPath
Registry
- [Privilege Escalation] Abusing AlwaysInstallElevated
- [Privilege escalation] Registry Service Account (regsvc)
- [Privilege Escalation] Registry Windows AutoRun
Impersonation
- [Privilege Escalation] Windows Privileges: SeTakeOwnership
- [Privilege Escalation] Windows Privileges: SeBackupPrivilege / SeRestorePrivilege
Scheduled Tasks
Reverse Engineering
Tools
Vulnerability scanner
Processes
Password
- Cracking Password John The Ripper
- ssh2john – How to
- Fcrackzip – BruteForce ZIP protected files
- Create a wordlist using hashcat
- Password Hash Cracking using Hashcat & John
- Crunch – How to
- [Offline] Cracking passwords with Sucrack
DOS
Network
Wireless
- Nothing here yet
Web Application
Enumeration
Dir search
CMS
SQLi
Social Engineering
Active Directory
- [How to] Kerbrute
- [How to] CrackMapExec
- [How to] Enumerate AD users using Impacket/GetADUsers.py
- [How to] Pth-ToolKit
- [How to] ldapdomaindump
- [How to] windapsearch
- [How to] xfreerdp
- [How to] Evil-WinRM: A Tool for Windows Remote Management Exploitation
- [Active Directory] Dumping credentials with impacket-secretsdump