XXS Public Example + PHP Filter RCE

Methodology and Resources/Active Directory Attack.md

@@ -3663,9 +3663,10 @@ python Exchange2domain.py -ah attackterip -u user -p password -d domain.com -th
     NetworkAccessPassword : <![CDATA[E600000001...8C6B5]]>
     NetworkAccessUsername : <![CDATA[E600000001...00F92]]>
     ```
-* Using [SharpDPAPI](https://github.com/GhostPack/SharpDPAPI/blob/81e1fcdd44e04cf84ca0085cf5db2be4f7421903/SharpDPAPI/Commands/SCCM.cs#L208-L244) for SCCM retrieval and decryption
+* Using [GhostPack/SharpDPAPI](https://github.com/GhostPack/SharpDPAPI/blob/81e1fcdd44e04cf84ca0085cf5db2be4f7421903/SharpDPAPI/Commands/SCCM.cs#L208-L244) or [Mayyhem/SharpSCCM](https://github.com/Mayyhem/SharpSCCM) for SCCM retrieval and decryption
     ```ps1
     .\SharpDPAPI.exe SCCM
+    .\SharpSCCM.exe get naa -u USERNAME -p PASSWORD
     ```
 * Check ACL for the CIM repository located at `C:\Windows\System32\wbem\Repository\OBJECTS.DATA`:
     ```ps1
@@ -4048,4 +4049,6 @@ CME          10.XXX.XXX.XXX:445 HOSTNAME-01   [+] DOMAIN\COMPUTER$ 31d6cfe0d16ae
 * [Diamond tickets - The Hacker Recipes](https://www.thehacker.recipes/ad/movement/kerberos/forged-tickets/diamond)
 * [A Diamond (Ticket) in the Ruff - By CHARLIE CLARK July 05, 2022](https://www.semperis.com/blog/a-diamond-ticket-in-the-ruff/)
 * [Sapphire tickets - The Hacker Recipes](https://www.thehacker.recipes/ad/movement/kerberos/forged-tickets/sapphire)
-* [Exploiting RBCD Using a Normal User Account - tiraniddo.dev - Friday, 13 May 2022](https://www.tiraniddo.dev/2022/05/exploiting-rbcd-using-normal-user.html)
+* [Exploiting RBCD Using a Normal User Account - tiraniddo.dev - Friday, 13 May 2022](https://www.tiraniddo.dev/2022/05/exploiting-rbcd-using-normal-user.html)
+* [Exploring SCCM by Unobfuscating Network Access Accounts - @_xpn_ - Posted on 2022-07-09](https://blog.xpnsec.com/unobfuscating-network-access-accounts/)
+* [.NET Advanced Code Auditing XmlSerializer Deserialization Vulnerability - April 2, 2019 by znlive](https://znlive.com/xmlserializer-deserialization-vulnerability)

Methodology and Resources/Methodology and enumeration.md

@@ -41,6 +41,8 @@
   gitrob analyze johndoe --site=https://github.acme.com --endpoint=https://github.acme.com/api/v3 --access-tokens=token1,token2
   ```
 
+* Perform Google Dorks search
+
 
 ## Active recon
 
@@ -74,7 +76,7 @@
 
 ### Web discovery
 
-* Locate `robots.txt` file
+* Locate `robots.txt`, `security.txt`, `sitemap.xml` files
 * Retrieve comments in source code
 * Discover URL: [tomnomnom/waybackurls](github.com/tomnomnom/waybackurls)
 * Search for `hidden` parameters: [PortSwigger/param-miner](https://github.com/PortSwigger/param-miner)
@@ -109,7 +111,10 @@
 
 ## Looking for Web vulnerabilities
 
-* Explore the website and look for vulnerabilities listed in this repository: SQL injection, XSS, CRLF, ....
+* Explore the website and look for vulnerabilities listed in this repository: SQL injection, XSS, CRLF, Cookies, ....
+* Test for Business Logic weaknesses
+  * High or negative numerical values
+  * Try all the features and click all the buttons
 * [The Web Application Hacker's Handbook Checklist](https://gist.github.com/gbedoya/10935137) copied from http://mdsec.net/wahh/tasks.html
 
 * Subscribe to the site and pay for the additional functionality to test

Methodology and Resources/Windows - Privilege Escalation.md

@@ -14,8 +14,8 @@
     * [Default Writeable Folders](#default-writeable-folders)
 * [EoP - Looting for passwords](#eop---looting-for-passwords)
     * [SAM and SYSTEM files](#sam-and-system-files)
-    * [LAPS Settings](#laps-settings)
     * [HiveNightmare](#hivenightmare)
+    * [LAPS Settings](#laps-settings)
     * [Search for file contents](#search-for-file-contents)
     * [Search for a file with a certain filename](#search-for-a-file-with-a-certain-filename)
     * [Search the registry for key names and passwords](#search-the-registry-for-key-names-and-passwords)
@@ -405,15 +405,6 @@ samdump2 SYSTEM SAM -o sam.txt
 
 Either crack it with `john -format=NT /root/sam.txt`, [hashcat](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Hash%20Cracking.md#hashcat) or use Pass-The-Hash.
 
-### LAPS Settings
-
-Extract `HKLM\Software\Policies\Microsoft Services\AdmPwd` from Windows Registry.
-
-* LAPS Enabled: AdmPwdEnabled
-* LAPS Admin Account Name: AdminAccountName
-* LAPS Password Complexity: PasswordComplexity
-* LAPS Password Length: PasswordLength
-* LAPS Expiration Protection Enabled: PwdExpirationProtectionEnabled
 
 ### HiveNightmare
 
@@ -443,6 +434,16 @@ mimikatz> lsadump::sam /system:\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\W
 mimikatz> lsadump::secrets /system:\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SYSTEM /security:\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SECURITY
 ```
 
+### LAPS Settings
+
+Extract `HKLM\Software\Policies\Microsoft Services\AdmPwd` from Windows Registry.
+
+* LAPS Enabled: AdmPwdEnabled
+* LAPS Admin Account Name: AdminAccountName
+* LAPS Password Complexity: PasswordComplexity
+* LAPS Password Length: PasswordLength
+* LAPS Expiration Protection Enabled: PwdExpirationProtectionEnabled
+
 
 ### Search for file contents
 
@@ -452,6 +453,10 @@ findstr /si password *.xml *.ini *.txt *.config
 findstr /spin "password" *.*
 ```
 
+Also search in remote places such as SMB Shares and SharePoint.
+* Search passwords in SharePoint: [nheiniger/SnaffPoint](https://github.com/nheiniger/SnaffPoint)
+* Search passwords in SMB Shares: [SnaffCon/Snaffler](https://github.com/SnaffCon/Snaffler)
+
 ### Search for a file with a certain filename
 
 ```powershell
@@ -477,12 +482,6 @@ reg query HKLM /f password /t REG_SZ /s
 reg query HKCU /f password /t REG_SZ /s
 ```
 
-### Read a value of a certain sub key
-
-```powershell
-REG QUERY "HKLM\Software\Microsoft\FTH" /V RuleList
-```
-
 ### Passwords in unattend.xml
 
 Location of the unattend.xml files.

XXE Injection/README.md

@@ -139,11 +139,9 @@ We try to display the content of the file `/etc/passwd`
 
 :warning: `SYSTEM` and `PUBLIC` are almost synonym.
 
-```xml
-<?xml version="1.0" encoding="ISO-8859-1"?>
-<!DOCTYPE foo [  
-  <!ELEMENT foo ANY >
-  <!ENTITY xxe SYSTEM "file:///c:/boot.ini" >]><foo>&xxe;</foo>
+```ps1
+<!ENTITY % xxe PUBLIC "Random Text" "URL">
+<!ENTITY xxe PUBLIC "Any TEXT" "URL">
 ```
 
 ### Classic XXE Base64 encoded