Linux – Exploitation
CVE
- Vulnerability Shellshock – CVE-2014-6271
- Apache James Server 2.3.2 – CVE-2015-7611
- WordPress Plugin: Plainview Activity Monitor – (Authenticated) Command Injection – CVE-2018-15877
- Subrion CMS 4.2.1 – Arbitrary File Upload (Authenticated) – CVE-2018-19422
- Confluence Server 7.12.4 – ‘OGNL injection’ Remote Code Execution (RCE) (Unauthenticated)
- ZoneMinder (1.29,1.30) Exploitation (Multiple Vulnerabilities)
- SaltStack Salt REST API Arbitrary Command Execution (CVE-2020-11651, CVE-2020-11652)
- OpenSMTPD < 6.6.1 – Remote Code Execution (smtp_mailaddr) – CVE-2020-7247
- Grafana 8.3.0 – Directory Traversal and Arbitrary File Read – CVE-2021-43798
- Bludit 3.9.2 – Auth Bruteforce Bypass (CVE-2019-17240)
- Ruby PDFKit command execution – (RCE) – CVE-2022-25765
Windows – Exploitation
- LLMNR / NBT-NS Poisoning (Responder tool)
- Windows Password Hashes
- Windows XP – Get Hashes (Local)
- Mount & Extract Password Hashes From VHD Files
- Connect to Windows Remote Management (WinRM) using Evil WinRM
- Impacket Remote code execution (RCE) on Windows from Linux
CVE
- Microsoft Windows – Code Execution (MS08-067) – CVE-2008-4250
- HFS – Code execution – CVE-2014-6287
- ColdFusion 8 FCKeditor CurrentFolder directory traversal / File Upload / RCE – CVE-2009-2265
- PrintNightmare (CVE-2021-1675): Remote code execution in Windows Spooler Service
- Microsoft IIS ScStoragePathFromUrl function buffer overflow – CVE-2017-7269
Active Directory
- Windows Local user & local enumeration
- Domain Enumeration (PowerView & ADRecon)
- Exploiting GPP SYSVOL (Groups.xml)
- Enumerating AD users with LDAP
- Mapping AD relationship using BloodHound
- Kerberoasting Stealing Service Account (SPN) – Remote
- AS-REP Roasting – Stealing Hashes of Accounts Without Kerberos Pre-Authentication – Remote
- [Active Directory] DCSync Attack
- [Active Directory] Unconstrained delegation
- [Active Directory] Constrained delegation
- [Active Directory] Printer Passback attack
- [Active Directory] IPv6 DNS takeover via MitM
- [Active Directory] SMB Relay attack
- [Active Directory] URL file attacks
- [Active Directory] Post-Compromise Enumeration
- [Active Directory] Kerberos Golden ticket
Web Application
- Testing Web application authentication tips
- Bypass 30X redirect with BurpSuite
- Server-side HTTP Redirection
- Exploiting pChart 2.1.3 (Directory traversal & XSS)
- PhpTax 0.8 – File Manipulation
- Apache Tomcat Manager .war reverse shell
- Exploiting WebDAV
- PHP 8.1.0-dev Backdoor Remote Code Execution (RCE)
Path Traversal (LFI – RFI)
- Basics of Path Traversal
- Testing LFI to RCE using auth.log (SSH) poisoning with Mutillidae & BurpSuite
Injection
- Basics of SQL Injection
- Advanced SQL Injection: Union based
- Blind SQL injection
- Basic XPath Injection
- Basic Command injection
- SMTP Injection attack
Code Injection
File Upload
Access Control
- Access control: Account hijacking with Mutillidae
- Access control: RFI & file-read function exploitation + reverse shell with Mutillidae and BurpSuite
- Execution After Redirect (EAR)
- [Exploitation] Ticket Trick: Exploiting Email Address Verification
Session Management
Authentication
XXE
- XML external entity (XXE) injection
- (XXE) Ladon Framework for Python – XML External Entity Expansion – CVE-2019-1010268
- Exploiting XML External Entities (XXE) in custom application
CMS
- Reverse shell on any CMS
- [Exploitation] Reverse shell Joomla
- LotusCMS 3.0 – ‘eval()’ Remote Command Execution
- WordPress Plugin User Role Editor < 4.24 – Privilege Escalation
- Drupal 7.x Module Services – Remote Code Execution
- Umbraco CMS 7.12.4 – (Authenticated) Remote Code Execution
- Bludit 3.9.2 code execution – Path Traversal (Authenticated) (CVE-2019-16113)
- [Information Disclosure] WordPress Core < 5.2.3 – Viewing Unauthenticated/Password/Private Posts – CVE-2019-17671
- [Exploitation] Joomla! CMS Security Bypass, Unauthenticated Information Disclosure – CVE-2023-23752
- [Exploitation] Craft CMS Remote Code Execution (Unauthenticated) – CVE-2023-41892
API