Linux - Exploitation
CVE
- Vulnerability Shellshock - CVE-2014-6271
- Apache James Server 2.3.2 - CVE-2015-7611
- WordPress Plugin: Plainview Activity Monitor - (Authenticated) Command Injection - CVE-2018-15877
- Subrion CMS 4.2.1 - Arbitrary File Upload (Authenticated) - 2018-19422
- Confluence Server 7.12.4 - 'OGNL injection' Remote Code Execution (RCE) (Unauthenticated)
- ZoneMinder (1.29,1.30) Exploitation (Multiple Vulnerabilities)
- SaltStack Salt REST API Arbitrary Command Execution (CVE-2020-11651, CVE-2020-11652)
- OpenSMTPD < 6.6.1 - Remote Code Execution (smtp_mailaddr) - CVE-2020-7247
- Grafana 8.3.0 - Directory Traversal and Arbitrary File Read - CVE-2021-43798
- Bludit 3.9.2 - Auth Bruteforce Bypass (CVE-2019-17240)
- Ruby PDFKit command execution - (RCE) – CVE-2022-25765
Windows - Exploitation
- LLMNR / NBT-NS Poisoning (Responder tool)
- Windows Password Hashes
- Windows XP - Get Hashes (Local)
- Mount & Extract Password Hashes From VHD Files
- Connect to Windows Remote Management (WinRM) using Evil WinRM
- Impacket Remote code execution (RCE) on Windows from Linux
CVE
- Microsoft Windows - Code Execution (MS08-067) - CVE-2008-4250
- HFS - Code execution - CVE-2014-6287
- ColdFusion 8 FCKeditor CurrentFolder directory traversal / File Upload / RCE - CVE-2009-2265
- PrintNightmare (CVE-2021-1675): Remote code execution in Windows Spooler Service
- Microsoft IIS ScStoragePathFromUrl function buffer overflow - CVE-2017-7269
Active Directory
- Windows Local user & local enumeration
- Domain Enumeration (PowerView & ADRecon)
- Exploiting GPP SYSVOL (Groups.xml)
- Enumerating AD users with LDAP
- Mapping AD relationship using BloodHound
- Kerberoasting Stealing Service Account (SPN) - Remote
- Kerberoasting Stealing Service Account (AS-REP) - Remote
- [Active Directory] DCSync Attack
- [Active Directory] Unconstrained delegation
Web Application
- Testing Web application authentication tips
- Bypass 30X redirect with BurpSuite
- Server-side HTTP Redirection
- Exploiting pChart 2.1.3 (Directory traversal & XSS)
- PhpTax 0.8 - File Manipulation
- Apache Tomcat Manager .war reverse shell
- Exploiting WebDAV
- PHP 8.1.0-dev Backdoor Remote Code Execution (RCE)
Path Traversal (LFI - RFI)
- Basics of Path Traversal
- Testing LFI to RCE using auth.log (SSH) poisoning with Mutillidae & BurpSuite
Injection
- Basics Of SQL Injection
- Advanced SQL Injection: Union based
- Blind SQL injection
- Basic XPath Injection
- Basic Command injection
- SMTP Injection attack
File Upload
Access Control
- Access control: Account highjacking with Mutillidae
- Access control RFI & Reading file function exploitation + reverse shell with Mutillidae and BurpSuite
- Execution After Redirect (EAR)
- [Exploitation] Ticket Trick: Exploiting Email Address Verification
Session Management
Authentication
XXE
- XML external entity (XXE) injection
- (XXE) Ladon Framework for Python - XML External Entity Expansion - CVE-2019-1010268
- Exploiting XML External Entities (XXE) in custom application
CMS
- Reverse shell on any CMS
- LotusCMS 3.0 - 'eval()' Remote Command Execution
- WordPress Plugin User Role Editor < 4.24 - Privilege Escalation
- Drupal 7.x Module Services - Remote Code Execution
- Umbraco CMS 7.12.4 - (Authenticated) Remote Code Execution
- Bludit 3.9.2 code execution - Path Traversal (Authenticated) (CVE-2019-16113)
- (2019-17671)[information disclosure] WordPress Core < 5.2.3 - Viewing Unauthenticated/Password/Private Posts