Exploitation

Linux - Exploitation

• FTP Anonymous login
• FreeBSD 9.0 < 9.1 - 'mmap/ptrace' Local Privilege Escalation

CVE

• Vulnerability Shellshock - CVE-2014-6271
• Apache James Server 2.3.2 - CVE-2015-7611
• WordPress Plugin: Plainview Activity Monitor - (Authenticated) Command Injection - CVE-2018-15877
• Confluence Server 7.12.4 - 'OGNL injection' Remote Code Execution (RCE) (Unauthenticated)
• ZoneMinder (1.29,1.30) Exploitation (Multiple Vulnerabilities)
• SaltStack Salt REST API Arbitrary Command Execution (CVE-2020-11651, CVE-2020-11652)
• OpenSMTPD < 6.6.1 - Remote Code Execution (smtp_mailaddr) - CVE-2020-7247

Windows - Exploitation

• LLMNR / NBT-NS Poisoning (Responder tool)
• Windows Password Hashes
• Windows XP - Get Hashes (Local)
• Mount & Extract Password Hashes From VHD Files
• Connect to Windows Remote Management (WinRM) using Evil WinRM
• Impacket Remote code execution (RCE) on Windows from Linux

CVE

• Microsoft Windows - Code Execution (MS08-067) - CVE-2008-4250
• HFS - Code execution - CVE-2014-6287
• ColdFusion 8 FCKeditor CurrentFolder directory traversal / File Upload / RCE - CVE-2009-2265
• PrintNightmare (CVE-2021-1675): Remote code execution in Windows Spooler Service
• Microsoft IIS ScStoragePathFromUrl function buffer overflow - CVE-2017-7269

Active Directory

• Windows Local user & local enumeration
• Domain Enumeration (PowerView & ADRecon)
• Exploiting GPP SYSVOL (Groups.xml)
• Enumerating AD users with LDAP
• Mapping AD relationship using BloodHound
• Kerberoasting Stealing Service Account (SPN) - Remote
• Kerberoasting Stealing Service Account (AS-REP) - Remote

Web Application

• Testing Web application authentication tips
• Bypass 30X redirect with BurpSuite
• Server-side HTTP Redirection
• Exploiting pChart 2.1.3 (Directory traversal & XSS)
• PhpTax 0.8 - File Manipulation
• Apache Tomcat Manager .war reverse shell
• Exploiting WebDAV

Path Traversal (LFI - RFI)

• Basics of Path Traversal
• Testing LFI to RCE using auth.log (SSH) poisoning with Mutillidae & BurpSuite

Injection

• Basics Of SQL Injection
• Advanced SQL Injection: Union based
• Blind SQL injection
• Basic XPath Injection
• Basic Command injection
• SMTP Injection attack

File Upload

• Local file upload - Magic byte change file type

Access Control

• Access control: Account highjacking with Mutillidae
• Access control RFI & Reading file function exploitation + reverse shell with Mutillidae and BurpSuite

Session Management

• Session Management DVWA
• Attacking & Securing Session Management

Authentication

• Testing Web application authentication tips

XXE

• XML external entity (XXE) injection
• (XXE) Ladon Framework for Python - XML External Entity Expansion - CVE-2019-1010268

CMS

• Reverse shell on any CMS
• LotusCMS 3.0 - 'eval()' Remote Command Execution
• WordPress Plugin User Role Editor < 4.24 - Privilege Escalation
• Drupal 7.x Module Services - Remote Code Execution
• Umbraco CMS 7.12.4 - (Authenticated) Remote Code Execution

Network

• SSH Port Forwarding

Social Engineering

• How to use Veil to create payloads