Exploitation

Linux – Exploitation

• FTP Anonymous login
• FreeBSD 9.0 < 9.1 – ‘mmap/ptrace’ Local Privilege Escalation

CVE

• Vulnerability Shellshock – CVE-2014-6271
• Apache James Server 2.3.2 – CVE-2015-7611
• WordPress Plugin: Plainview Activity Monitor – (Authenticated) Command Injection – CVE-2018-15877

Windows – Exploitation

• LLMNR / NBT-NS Poisoning (Responder tool)
• Windows Password Hashes
• Windows XP – Get Hashes (Local)
• Mount & Extract Password Hashes From VHD Files
• Connect to Windows Remote Management (WinRM) using Evil WinRM
• Impacket Remote code execution (RCE) on Windows from Linux

CVE

• Microsoft Windows – Code Execution (MS08-067) – CVE-2008-4250
• HFS – Code execution – CVE-2014-6287
• ColdFusion 8 FCKeditor CurrentFolder directory traversal / File Upload / RCE – CVE-2009-2265
• PrintNightmare (CVE-2021-1675): Remote code execution in Windows Spooler Service

Active Directory

• Exploiting GPP SYSVOL (Groups.xml)
• Enumerating AD users with LDAP
• Mapping AD relationship using BloodHound
• Kerberoasting Stealing Service Account (SPN) – Remote
• Kerberoasting Stealing Service Account (AS-REP) – Remote

Web Application

• Testing Web application authentication tips
• Bypass 30X redirect with BurpSuite
• Server-side HTTP Redirection
• Exploiting pChart 2.1.3 (Directory traversal & XSS)
• PhpTax 0.8 – File Manipulation
• Apache Tomcat Manager .war reverse shell

Path Traversal (LFI – RFI)

• Basics of Path Traversal
• Testing LFI to RCE using auth.log (SSH) poisoning with Mutillidae & BurpSuite

Injection

• Basics Of SQL Injection
• Advanced SQL Injection: Union based
• Blind SQL injection
• Basic XPath Injection
• Basic Command injection
• SMTP Injection attack

File Upload

• Local file upload – Magic byte change file type

Access Control

• Access control: Account highjacking with Mutillidae
• Access control RFI & Reading file function exploitation + reverse shell with Mutillidae and BurpSuite

Session Management

• Session Management DVWA
• Attacking & Securing Session Management

Authentication

• Testing Web application authentication tips

CMS

• Reverse shell on any CMS
• LotusCMS 3.0 – ‘eval()’ Remote Command Execution
• WordPress Plugin User Role Editor < 4.24 – Privilege Escalation
• Drupal 7.x Module Services – Remote Code Execution
• Umbraco CMS 7.12.4 – (Authenticated) Remote Code Execution

Network

• SSH Port Forwarding

Social Engineering

• How to use Veil to create payloads