Anonymity
Social Engineering
Information Gathering
Active Gathering
- Windows Interesting Files
- Linux Interesting Files
- Testing SSL/TLS certificates (SSLyze)
- HTTP/HTTPS Enumeration using curl
- Find someone's public IP using an image URL
- PHPinfo: Information Disclosure
- Get website component versions with Wappalyzer
- [Active - Information Gathering] Automated screenshot of websites with goWitness
- [Active - Information Gathering] Check alive URLs from a list using httprobe
- [Active - Information Gathering] Subdomain take over
- [Active - Information Gathering] Finding Sub-Domains with Amass
- [Active - Information Gathering] Finding Sub-Domains with AssetFinder
Services
- 21/tcp FTP - Enumeration
- 25,110,143/tcp SMTP,POP3,IMAP - Enumeration
- 53/tcp DNS - Enumeration
- 53/tcp DNS - Dig enumeration
- 79/tcp finger - Enumeration
- 139,445/tcp - SMB Enumeration
- 135/tcp RPC - [Exploitation] RPC Domain Enumeration
- 1433/tcp MS-SQL - Enumeration MSSQL
- 2049/tcp nfs - Enumeration
Exploitation
Linux - Exploitation
CVE
- Vulnerability Shellshock - CVE-2014-6271
- Apache James Server 2.3.2 - CVE-2015-7611
- WordPress Plugin: Plainview Activity Monitor - (Authenticated) Command Injection - CVE-2018-15877
- Subrion CMS 4.2.1 - Arbitrary File Upload (Authenticated) - CVE-2018-19422
- Confluence Server 7.12.4 - 'OGNL injection' Remote Code Execution (RCE) (Unauthenticated)
- ZoneMinder (1.29,1.30) Exploitation (Multiple Vulnerabilities)
- SaltStack Salt REST API Arbitrary Command Execution (CVE-2020-11651, CVE-2020-11652)
- OpenSMTPD < 6.6.1 - Remote Code Execution (smtp_mailaddr) - CVE-2020-7247
- Grafana 8.3.0 - Directory Traversal and Arbitrary File Read - CVE-2021-43798
- Bludit 3.9.2 - Auth Bruteforce Bypass (CVE-2019-17240)
- Ruby PDFKit command execution (RCE) - CVE-2022-25765
- (CVE-2023-32784)[Credential Dumping] KeePass information disclosure (Password Recovery)
Windows - Exploitation
- LLMNR / NBT-NS Poisoning (Responder tool)
- Windows Password Hashes
- Windows XP - Get Hashes (Local)
- Mount & Extract Password Hashes From VHD Files
- Connect to Windows Remote Management (WinRM) using Evil WinRM
- Impacket Remote code execution (RCE) on Windows from Linux
CVE
- Microsoft Windows - Code Execution (MS08-067) - CVE-2008-4250
- HFS - Code execution - CVE-2014-6287
- ColdFusion 8 FCKeditor CurrentFolder directory traversal / File Upload / RCE - CVE-2009-2265
- PrintNightmare (CVE-2021-1675 / CVE-2021-34527): Remote code execution in the Windows Print Spooler service
- Microsoft IIS ScStoragePathFromUrl function buffer overflow - CVE-2017-7269
Active Directory
- Windows Local user & local enumeration
- Domain Enumeration (PowerView & ADRecon)
- Exploiting GPP SYSVOL (Groups.xml)
- Enumerating AD users with LDAP
- Mapping AD relationship using BloodHound
- Kerberoasting Stealing Service Account (SPN) - Remote
- AS-REP Roasting: Accounts without Kerberos pre-authentication - Remote
- [Active Directory] DCSync Attack
- [Active Directory] Unconstrained delegation
- [Active Directory] Printer Passback attack
- [Active Directory] SMB Relay attack
- [Active Directory] URL file attacks
- [Active Directory] Post-Compromise Enumeration
- [Active Directory] Kerberos Golden ticket
Web Application
- Testing Web application authentication tips
- Bypass 30X redirect with BurpSuite
- Server-side HTTP Redirection
- Exploiting pChart 2.1.3 (Directory traversal & XSS)
- PhpTax 0.8 - File Manipulation
- Apache Tomcat Manager .war reverse shell
- Exploiting WebDAV
- PHP 8.1.0-dev Backdoor Remote Code Execution (RCE)
File Traversal (LFI - RFI)
- Basics of Path Traversal
- Testing LFI to RCE using auth.log (SSH) poisoning with Mutillidae & BurpSuite
Injection
- Basics Of SQL Injection
- Advanced SQL Injection: Union based
- Blind SQL injection
- Basic XPath Injection
- Basic Command injection
- SMTP Injection attack
Code Injection
File Upload
Access Control
- Access control: Account hijacking with Mutillidae
- Access control RFI & Reading file function exploitation + reverse shell with Mutillidae and BurpSuite
- Execution After Redirect (EAR)
- [Exploitation] Ticket Trick: Exploiting Email Address Verification
Session Management
Authentication
XXE
- XML external entity (XXE) injection
- (XXE) Ladon Framework for Python - XML External Entity Expansion - CVE-2019-1010268
- Exploiting XML External Entities (XXE) in custom application
- [How to] XXExploit Guide
CMS
- Reverse shell on any CMS
- [Exploitation] Reverse shell Joomla
- LotusCMS 3.0 - 'eval()' Remote Command Execution
- WordPress Plugin User Role Editor < 4.24 - Privilege Escalation
- Drupal 7.x Module Services - Remote Code Execution
- Umbraco CMS 7.12.4 - (Authenticated) Remote Code Execution
- Bludit 3.9.2 code execution - Path Traversal (Authenticated) (CVE-2019-16113)
- (CVE-2019-17671)[Information Disclosure] WordPress Core < 5.2.3 - Viewing Unauthenticated/Password/Private Posts
- (CVE-2023-23752)[Exploitation] Joomla! CMS security bypass, Unauthenticated Information Disclosure
- [Exploitation](CVE-2023-41892) Craft CMS code execution (Unauthenticated)
API
Network
Steganography
Social Engineering
Post-Exploitation
Linux - Post-Exploitation
Enumeration Post-Exploitation
- linux-exploit-suggester - Linux kernel exploit enumeration
- LinEnum - Linux Config Enumeration
- Linux Config Enumeration - Linuxprivchecker
- Linux Config Enumeration - Unix-Privesc-Check
- Enumerate Linux using LinPEAS.sh
Linux Shell Escape Sequences
- [Privilege Escalation] SUDO rights to all the commands on the host
- [Privilege Escalation] Sudo - Environment Variables
- Perl - Privilege Escalation
- Nmap - Privilege Escalation
- find - privilege escalation
- service - Privilege Escalation
- apt-get - Privilege escalation
- wget - Privilege Escalation
- HT - Privilege Escalation
- lxd - privilege escalation
- Linux Restricted Shell Bypass
- Knife - Privilege Escalation
- MOTD - Privilege Escalation
- (CVE-2023-1326)[Privilege Escalation] apport-cli 2.26.0
Cron
- Exploiting the Cron Jobs Misconfigurations (Privilege Escalation)
- Using crontab and command injection privilege escalation
- Laravel - Scheduled Task - crontab
CVE
- (CVE-2010-2075)[Command Execution] UnrealIRCD 3.2.8.1 Backdoor
- ssl-heartbleed - CVE-2014-0160
- Chkrootkit 0.49 - Local Privilege Escalation - CVE-2014-0476
- 'overlayfs' Local Privilege Escalation - CVE-2015-1328
- (CVE-2016-5195)[Privilege Escalation] Dirty COW - 'PTRACE_POKEDATA' Race Condition
- ExifTool 12.23 - Arbitrary Code Execution - (Privilege escalation) - CVE-2021-22204
- Dirty Pipe - Linux Kernel privilege escalation (CVE-2022-0847)
- Sudo ALL keyword security bypass - Privilege Escalation - (CVE-2019-14287)
- (CVE-2021-3560)[Local Privilege Escalation] Polkit 0.105-26 0.117-2
- (CVE-2023-32629 & CVE-2023-2640)[Privilege Escalation] GameOver(lay) Ubuntu Privilege Escalation
- (CVE-2023-1326)[Privilege Escalation] apport-cli 2.26.0
Misconfig
- Disk group privilege escalation
- (Privilege Escalation) Linux Path hijacking
- Ruby - Insecure Deserialization – YAML (Privilege Escalation - Code Execution)
- [Credential Dumping] Extracting Credentials from Configuration Files
- [Privilege Escalation] Weak File Permissions - /etc/shadow
- [Privilege Escalation] Weak File Permissions - Writable /etc/passwd
- [Privilege Escalation] SUID / SGID Executables - Shared Object Injection
- [Privilege Escalation] SUID / SGID Executables - Known Exploits
- [Privilege Escalation] SUID / SGID Executables - Environment Variables
- [Privilege Escalation] SSH Keys
- [Privilege Escalation] NFS Squashing (no_root_squash/no_all_squash)
Programming
Windows - Post-Exploitation
CVE Exploits
- Windows MS10_092 - Schelevator - Privilege Escalation
- Windows Exploit MS15-051 - CVE-2015-1701 - Privilege Escalation
- kitrap0d: Windows Kernel Could Allow Elevation of Privilege (MS10-015) - CVE-2010-0232
- Microsoft Windows (x86) - 'afd.sys' Local Privilege Escalation (MS11-046) - CVE-2011-1249
- Microsoft Windows 7 < 10 / 2008 < 2012 R2 (x86/x64) - Local Privilege Escalation (MS16-032) - CVE-2016-0099
- Microsoft Windows Server 2003 SP2 - TCP/IP IOCTL Privilege Escalation (MS14-070) - CVE-2014-4076
- (CVE-2019-1388)[Privilege Escalation] Microsoft Windows Certificate Dialog privilege escalation
- (CVE-2020-1472)[Privilege Escalation] ZeroLogon, Microsoft Windows Netlogon
Enumeration Post-Exploitation
- [Credential Dumping] Hunting for passwords in usual spots
- Windows basic manual post-exploitation recon
- Download files using windows (HTTP, FTP, SMB)
- Local_exploit_suggester - Windows Enum
- Windows-Exploit-Suggester - Windows Enum
- WinPEAS - Windows Enum
- Enumerate Windows Using PowerUP
- SMB server with Impacket smbserver
- How to enumerate Windows using JAWS
- Windows Exploit Suggester - Next Generation (WES-NG)
- Empire Post-Exploitation Windows
- Sherlock & Empire - Loading Modules Into
- Sherlock - Find missing Windows patches for Local Privilege Escalation
- Watson - Find missing Windows patches for Local Privilege Escalation
- How to use unicorn to spawn a shell
- Exploiting mRemoteNG
- Bind & Reverse Shell using powercat
Windows Hashes
- Windows Password Hashes
- Windows XP - Get Hashes (Local)
- Windows 7 - Get Hashes (Local)
- Windows 10 - Get Hashes (Local)
- Windows 10 - Get Hashes (Domain)
- Domain Server - Get Hashes
Misconfiguration
- Windows Weak Service Permissions
- Privilege Escalation - Unquoted Service Path (Windows)
- [Privilege Escalation] Windows Schedule Tasks: Weak Permissions
- [Privilege Escalation] Abusing AlwaysInstallElevated
- [Privilege Escalation] Insecure Permissions on Service Executable
- [Privilege Escalation] Insecure Service Permissions
- [Privilege Escalation] Windows Privileges: SeTakeOwnership
- [Privilege Escalation] Windows Privileges: SeBackupPrivilege / SeRestorePrivilege
Reverse Engineering
Tools
Vulnerability scanner
Processes
Password
- Cracking Password John The Ripper
- ssh2john - How to
- Fcrackzip - BruteForce ZIP protected files
- Create a wordlist using hashcat
- Password Hash Cracking using Hashcat & John
- Crunch - How to
- [Offline] Cracking passwords with Sucrack
DoS (Denial of Service)
Network
Wireless
- Nothing here yet
Web Application
Enumeration
Dir search
CMS
SQLi
Social Engineering
Active Directory
- [How to] Kerbrute
- [How to] CrackMapExec
- [How to] Enumerate AD users using Impacket/GetADUsers.py
- [How to] pth-toolkit
- [How to] ldapdomaindump
- [How to] windapsearch
- [How to] xfreerdp
- [How to] Evil-WinRM: A Tool for Windows Remote Management Exploitation
- [Active Directory] Dumping credentials with impacket-secretsdump