https://chw41.github.io/tags/offsec/Recent content in Offsec on chw㉿world:~$Hugozh-twMon, 09 Mar 2026 00:00:00 +0000https://chw41.github.io/b1og/oswe-web-300-instructional-notes---part-1/Mon, 09 Mar 2026 00:00:00 +0000https://chw41.github.io/b1og/oswe-web-300-instructional-notes---part-1/<h1 id="oswe-web-300-instructional-notes---part-1"> [OSWE, WEB-300] Instructional notes - Part 1 </h1><h1 id="table-of-contents"> Table of Contents </h1><nav class="chw-toc"> <details open> <nav id="TableOfContents"> <ul> <li><a href="#oswe-web-300-instructional-notes---part-1">[OSWE, WEB-300] Instructional notes - Part 1</a></li> <li><a href="#table-of-contents">Table of Contents</a></li> <li><a href="#introduction">Introduction</a></li> <li><a href="#tools--methodologies">Tools &amp; Methodologies</a> <ul> <li><a href="#web-traffic-inspection">Web Traffic Inspection</a> <ul> <li><a href="#burp-suite-proxy">Burp Suite Proxy</a></li> </ul> </li> <li><a href="#interacting-with-web-listeners-using-python">Interacting with Web Listeners using Python</a></li> <li><a href="#source-code-recovery">Source Code Recovery</a> <ul> <li><a href="#managed-net-code">Managed .NET Code</a></li> <li><a href="#decompiling-java-classes">Decompiling Java Classes</a></li> </ul> </li> <li><a href="#source-code-analysis-methodology">Source Code Analysis Methodology</a> <ul> <li><a href="#an-approach-to-analysis">An Approach to Analysis</a></li> <li><a href="#using-an-ide">Using an IDE</a></li> <li><a href="#common-http-routing-patterns">Common HTTP Routing Patterns</a></li> <li><a href="#analyzing-source-code-for-vulnerabilities">Analyzing Source Code for Vulnerabilities</a></li> </ul> </li> <li><a href="#debugging">Debugging</a> <ul> <li><a href="#remote-debugging">Remote Debugging</a></li> </ul> </li> </ul> </li> <li><a href="#manageengine-applications-manager-amuserresourcessyncservlet-sql-injection-rce">ManageEngine Applications Manager AMUserResourcesSyncServlet SQL Injection RCE</a> <ul> <li><a href="#vulnerability-discovery">Vulnerability Discovery</a> <ul> <li><a href="#servlet-mappings">Servlet Mappings</a></li> <li><a href="#source-code-recovery-1">Source Code Recovery</a></li> <li><a href="#analyzing-the-source-code">Analyzing the Source Code</a></li> <li><a href="#enabling-database-logging">Enabling Database Logging</a></li> <li><a href="#triggering-the-vulnerability">Triggering the Vulnerability</a></li> </ul> </li> <li><a href="#how-houdini-escapes">How Houdini Escapes</a> <ul> <li><a href="#using-chr-and-string-concatenation">Using CHR and String Concatenation</a></li> <li><a href="#it-makes-lexical-sense">It Makes Lexical Sense</a></li> </ul> </li> <li><a href="#blind-bats">Blind Bats</a></li> <li><a href="#accessing-the-file-system">Accessing the File System</a> <ul> <li><a href="#reverse-shell-via-copy-to">Reverse Shell Via Copy To</a></li> </ul> </li> <li><a href="#postgresql-extensions">PostgreSQL Extensions</a> <ul> <li><a href="#build-environment">Build Environment</a></li> <li><a href="#testing-the-extension">Testing the Extension</a></li> <li><a href="#loading-the-extension-from-a-remote-location">Loading the Extension from a Remote Location</a></li> </ul> </li> <li><a href="#udf-reverse-shell">UDF Reverse Shell</a> <ul> <li><a href="#more-shells">More Shells!!!</a></li> <li><a href="#large-object-reverse-shell">Large Object Reverse Shell</a></li> </ul> </li> </ul> </li> <li><a href="#dotnetnuke-cookie-deserialization-rce">DotNetNuke Cookie Deserialization RCE</a></li> <li><a href="#link-to-">Link to: &#34;[OSWE, WEB-300] Instructional notes - Part 2&#34;</a></li> <li><a href="#link-to--1">Link to: &#34;[OSWE, WEB-300] Instructional notes - Part 3&#34;</a></li> <li><a href="#link-to--2">Link to: &#34;[OSWE, WEB-300] Instructional notes - Part 4&#34;</a></li> </ul> </nav> </details> </nav><p>[TOC]</p>https://chw41.github.io/b1og/penetration-testing-notes/Sat, 28 Feb 2026 00:00:00 +0000https://chw41.github.io/b1og/penetration-testing-notes/<h1 id="penetration-testing-notes"> Penetration Testing Notes </h1><p>This page groups my <strong>penetration testing</strong> notes into one route: <strong>reconnaissance, enumeration, exploitation, privilege escalation, Active Directory, tunneling, and attack-chain development</strong>.</p> <p>The goal is not to define penetration testing in abstract terms.<br> The goal is to connect the notes and labs that I actually use while studying and practicing offensive security.</p> <h2 id="penetration-testing-workflow"> Penetration Testing Workflow </h2><p>My notes follow a simple sequence:</p> <ol> <li>Reconnaissance and service discovery.</li> <li>Enumeration and attack surface validation.</li> <li>Exploitation and foothold.</li> <li>Privilege escalation.</li> <li>Pivoting, tunneling, and post-exploitation.</li> <li>Active Directory and multi-host attack chains.</li> </ol> <h2 id="core-study-notes"> Core Study Notes </h2><p>The main body of my penetration testing notes is the OSCP PEN-200 series:</p>https://chw41.github.io/b1og/red-team-notes/Sat, 28 Feb 2026 00:00:00 +0000https://chw41.github.io/b1og/red-team-notes/<h1 id="red-team-notes"> Red Team Notes </h1><p>This page collects the parts of my site that are most relevant to <strong>red team</strong> work: <strong>OPSEC, lateral movement, credential attacks, Active Directory abuse, persistence, tunneling, and operator workflow</strong>.</p> <p>I am not using this page as a vague introduction to red teaming.<br> I am using it to connect the posts that best reflect how offensive operations scale from a single foothold into a broader attack path.</p>https://chw41.github.io/b1og/web-security-notes/Sat, 28 Feb 2026 00:00:00 +0000https://chw41.github.io/b1og/web-security-notes/<h1 id="web-security-notes"> Web Security Notes </h1><p>This page is the central hub for my <strong>web security</strong> notes, labs, and practical exploitation writeups.<br> It connects the topics I study and use most often in offensive security work: <strong>web reconnaissance, request analysis, XSS, CSRF, SQL injection, SSTI, SSRF, IDOR, patching, and web exploitation workflow</strong>.</p> <p>If you want background about me, certifications, and work history, see the <a href="https://chw41.github.io/4b0u7/">About</a> page.</p> <h2 id="what-this-page-covers"> What This Page Covers </h2><p>This hub is built around three things:</p>https://chw41.github.io/b1og/oswa-web-200-instructional-notes---part-2/Thu, 05 Feb 2026 00:00:00 +0000https://chw41.github.io/b1og/oswa-web-200-instructional-notes---part-2/<h1 id="oswa-web-200-instructional-notes---part-2"> [OSWA, WEB-200] Instructional notes - Part 2 </h1><h1 id="table-of-contents"> Table of Contents </h1><nav class="chw-toc"> <details open> <nav id="TableOfContents"> <ul> <li><a href="#oswa-web-200-instructional-notes---part-2">[OSWA, WEB-200] Instructional notes - Part 2</a></li> <li><a href="#table-of-contents">Table of Contents</a></li> <li><a href="#link-back-to-">Link back to: &#34;[OSWA, WEB-200] Instructional notes - Part 1&#34;</a></li> <li><a href="#server-side-template-injection---discovery-and-exploitation">Server-side Template Injection - Discovery and Exploitation</a> <ul> <li><a href="#templating-engines">Templating Engines</a> <ul> <li><a href="#introduction-to-templating-engines">Introduction to Templating Engines</a></li> </ul> </li> <li><a href="#twig---discovery-and-exploitation-php">Twig - Discovery and Exploitation (PHP)</a> <ul> <li><a href="#twig---discovery">Twig - Discovery</a></li> <li><a href="#twig---exploitation">Twig - Exploitation</a></li> </ul> </li> <li><a href="#apache-freemarker---discovery-and-exploitation-java">Apache Freemarker - Discovery and Exploitation (Java)</a> <ul> <li><a href="#freemarker---discovery">Freemarker - Discovery</a></li> <li><a href="#freemarker---exploitation">Freemarker - Exploitation</a></li> </ul> </li> <li><a href="#pug---discovery-and-exploitation-javascript">Pug - Discovery and Exploitation (JavaScript)</a> <ul> <li><a href="#pug---discovery">Pug - Discovery</a></li> <li><a href="#pug---exploitation">Pug - Exploitation</a></li> </ul> </li> <li><a href="#jinja---discovery-and-exploitation-python">Jinja - Discovery and Exploitation (Python)</a> <ul> <li><a href="#jinja---discovery">Jinja - Discovery</a></li> <li><a href="#jinja---exploitation">Jinja - Exploitation</a></li> </ul> </li> <li><a href="#mustache-and-handlebars---discovery-and-exploitation-java-net-php">Mustache and Handlebars - Discovery and Exploitation (Java, .Net, PHP)</a> <ul> <li><a href="#mustache-and-handlebars---discovery">Mustache and Handlebars - Discovery</a></li> </ul> </li> <li><a href="#mustache-and-handlebars---exploitation">Mustache and Handlebars - Exploitation</a> <ul> <li></li> </ul> </li> <li><a href="#craft-cms-with-sprout-forms---case-study">Craft CMS with Sprout Forms - Case Study</a> <ul> <li><a href="#craft-cms-with-sprout-forms---discovery">Craft CMS with Sprout Forms - Discovery</a></li> <li><a href="#craft-cms-with-sprout-forms---exploitation">Craft CMS with Sprout Forms - Exploitation</a></li> </ul> </li> </ul> </li> <li><a href="#command-injection">Command Injection</a> <ul> <li><a href="#discovery-of-command-injection">Discovery of Command Injection</a> <ul> <li><a href="#where-is-command-injection-most-common">Where is Command Injection Most Common?</a></li> <li><a href="#about-the-chaining-of-commands--system-calls">About the Chaining of Commands &amp; System Calls</a></li> </ul> </li> <li><a href="#dealing-with-common-protections">Dealing with Common Protections</a> <ul> <li><a href="#typical-input-normalization---sending-clean-payloads">Typical Input Normalization - Sending Clean Payloads</a></li> <li><a href="#typical-input-sanitization---blocklisted-strings-bypass">Typical Input Sanitization - Blocklisted Strings Bypass</a></li> <li><a href="#blind-os-command-injection-bypass">Blind OS Command Injection Bypass</a></li> </ul> </li> <li><a href="#enumeration-and-exploitation">Enumeration and Exploitation</a> <ul> <li><a href="#enumerating-command-injection-capabilities">Enumerating Command Injection Capabilities</a></li> <li><a href="#obtaining-a-shell---netcat">Obtaining a Shell - Netcat</a></li> <li><a href="#obtaining-a-shell---python">Obtaining a Shell - Python</a></li> <li><a href="#obtaining-a-shell---nodejs">Obtaining a Shell - Node.js</a></li> <li><a href="#obtaining-a-shell---php">Obtaining a Shell - PHP</a></li> <li><a href="#obtaining-a-shell---perl">Obtaining a Shell - Perl</a></li> <li><a href="#file-transfer">File Transfer</a></li> <li><a href="#writing-a-web-shell">Writing a Web Shell</a></li> </ul> </li> </ul> </li> <li><a href="#server-side-request-forgery">Server-side Request Forgery</a> <ul> <li><a href="#introduction-to-ssrf">Introduction to SSRF</a> <ul> <li><a href="#interacting-with-the-vulnerable-server">Interacting with the Vulnerable Server</a></li> <li><a href="#interacting-with-back-end-systems-and-private-ip-ranges">Interacting with Back-end Systems and Private IP Ranges</a></li> </ul> </li> <li><a href="#testing-for-ssrf">Testing for SSRF</a> <ul> <li><a href="#discovering-ssrf-vulnerabilities">Discovering SSRF Vulnerabilities</a></li> <li><a href="#calling-home-to-kali">Calling Home to Kali</a></li> </ul> </li> <li><a href="#exploiting-ssrf">Exploiting SSRF</a> <ul> <li><a href="#retrieving-data">Retrieving Data</a></li> <li><a href="#instance-metadata-in-cloud">Instance Metadata in Cloud</a></li> <li><a href="#bypassing-authentication-in-microservices">Bypassing Authentication in Microservices</a></li> <li><a href="#alternative-url-schemes">Alternative URL Schemes</a></li> </ul> </li> </ul> </li> <li><a href="#insecure-direct-object-referencing-idor">Insecure Direct Object Referencing (IDOR)</a> <ul> <li><a href="#introduction-to-idor">Introduction to IDOR</a> <ul> <li><a href="#static-file-idor">Static File IDOR</a></li> <li><a href="#database-object-referencing-id-based-idor">Database Object Referencing (ID-Based) IDOR</a></li> </ul> </li> <li><a href="#exploiting-idor-in-the-sandbox">Exploiting IDOR in the Sandbox</a> <ul> <li><a href="#exploiting-static-file-idor">Exploiting Static File IDOR</a></li> <li><a href="#exploiting-id-based-idor">Exploiting ID-Based IDOR</a></li> <li><a href="#exploiting-more-complex-idor">Exploiting More Complex IDOR</a></li> </ul> </li> </ul> </li> <li><a href="#tools">Tools</a> <ul> <li> <ul> <li></li> </ul> </li> </ul> </li> </ul> </nav> </details> </nav><p>[TOC]</p>https://chw41.github.io/b1og/oswa-web-200-instructional-notes---part-1/Thu, 29 Jan 2026 00:00:00 +0000https://chw41.github.io/b1og/oswa-web-200-instructional-notes---part-1/<h1 id="oswa-web-200-instructional-notes---part-1"> [OSWA, WEB-200] Instructional notes - Part 1 </h1><h1 id="table-of-contents"> Table of Contents </h1><nav class="chw-toc"> <details open> <nav id="TableOfContents"> <ul> <li><a href="#oswa-web-200-instructional-notes---part-1">[OSWA, WEB-200] Instructional notes - Part 1</a></li> <li><a href="#table-of-contents">Table of Contents</a></li> <li><a href="#web-application-enumeration-methodology">Web Application Enumeration Methodology</a> <ul> <li><a href="#web-application-reconnaissance">Web Application Reconnaissance</a></li> <li><a href="#web-application-enumeration">Web Application Enumeration</a> <ul> <li><a href="#accessing-the-enumeration-sandbox-application">Accessing the Enumeration Sandbox Application</a></li> <li><a href="#discovering-running-services">Discovering Running Services</a></li> <li><a href="#banner-grabbing">Banner Grabbing</a></li> <li><a href="#manual-http-endpoint-discovery">Manual HTTP Endpoint Discovery</a></li> <li><a href="#information-disclosure">Information Disclosure</a></li> <li><a href="#components-with-vulnerabilities">Components with Vulnerabilities</a></li> </ul> </li> <li><a href="#sourcing-wordlists">Sourcing Wordlists</a></li> <li><a href="#types-of-attacks">Types of Attacks</a></li> </ul> </li> <li><a href="#introduction-to-burp-suite">Introduction to Burp Suite</a></li> <li><a href="#cross-site-scripting-introduction-and-discovery">Cross-Site Scripting Introduction and Discovery</a> <ul> <li><a href="#javascript-basics-for-offensive-uses">JavaScript Basics for Offensive Uses</a> <ul> <li><a href="#syntax-overview">Syntax Overview</a></li> <li><a href="#useful-apis">Useful APIs</a></li> </ul> </li> <li><a href="#cross-site-scripting---discovery">Cross-Site Scripting - Discovery</a> <ul> <li><a href="#reflected-server-xss">Reflected Server XSS</a></li> <li><a href="#stored-server-xss">Stored Server XSS</a></li> <li><a href="#reflected-client-xss">Reflected Client XSS</a></li> <li><a href="#stored-client-xss">Stored Client XSS</a></li> </ul> </li> </ul> </li> <li><a href="#cross-site-scripting-exploitation-and-case-study">Cross-Site Scripting Exploitation and Case Study</a> <ul> <li><a href="#cross-site-scripting---exploitation">Cross-Site Scripting - Exploitation</a> <ul> <li><a href="#moving-the-payload-to-an-external-resource">Moving the Payload to an External Resource</a></li> <li><a href="#stealing-session-cookies">Stealing Session Cookies</a></li> <li><a href="#stealing-local-secrets">Stealing Local Secrets</a></li> <li><a href="#keylogging">Keylogging</a></li> <li><a href="#stealing-saved-passwords">Stealing Saved Passwords</a></li> <li><a href="#phishing-users">Phishing Users</a></li> </ul> </li> <li><a href="#case-study-shopizer-reflected-xss">Case Study: Shopizer Reflected XSS</a> <ul> <li><a href="#discovering-the-vulnerability">Discovering the Vulnerability</a></li> <li><a href="#loading-remote-scripts">Loading Remote Scripts</a></li> <li><a href="#exploiting-reflected-xss">Exploiting Reflected XSS</a></li> </ul> </li> </ul> </li> <li><a href="#cross-origin-attacks">Cross-Origin Attacks</a> <ul> <li><a href="#same-origin-policy">Same-Origin Policy</a> <ul> <li><a href="#introduction-to-the-same-origin-policy">Introduction to the Same-Origin Policy</a></li> </ul> </li> <li><a href="#samesite-cookies">SameSite Cookies</a></li> <li><a href="#cross-site-request-forgery-csrf">Cross-Site Request Forgery (CSRF)</a> <ul> <li><a href="#detecting-and-preventing-csrf">Detecting and Preventing CSRF</a></li> <li><a href="#exploiting-csrf">Exploiting CSRF</a></li> </ul> </li> <li><a href="#case-study-apache-ofbiz">Case Study: Apache OFBiz</a> <ul> <li><a href="#apache-ofbiz---discovery">Apache OFBiz - Discovery</a></li> <li><a href="#apache-ofbiz---exploitation">Apache OFBiz - Exploitation</a></li> <li><a href="#revising-the-csrf-payload">Revising the CSRF Payload</a></li> </ul> </li> <li><a href="#cross-origin-resource-sharing-cors">Cross-Origin Resource Sharing (CORS)</a> <ul> <li><a href="#anatomy-of-the-cors-request">Anatomy of the CORS Request</a></li> <li><a href="#response-headers">Response Headers</a></li> </ul> </li> <li><a href="#exploiting-weak-cors-policies">Exploiting Weak CORS Policies</a></li> </ul> </li> <li><a href="#introduction-to-sql">Introduction to SQL</a> <ul> <li><a href="#basic-sql-syntax">Basic SQL Syntax</a></li> <li><a href="#manual-database-enumeration">Manual Database Enumeration</a></li> <li><a href="#enumerating-mysql-databases">Enumerating MySQL Databases</a></li> <li><a href="#enumerating-microsoft-sql-server-databases">Enumerating Microsoft SQL Server Databases</a></li> <li><a href="#enumerating-postgresql-databases">Enumerating PostgreSQL Databases</a></li> <li><a href="#enumerating-oracle-databases">Enumerating Oracle Databases</a></li> </ul> </li> <li><a href="#sql-injection">SQL Injection</a> <ul> <li><a href="#introduction-to-sql-injection">Introduction to SQL Injection</a> <ul> <li><a href="#what-is-sql-injection">What is SQL Injection?</a></li> </ul> </li> <li><a href="#testing-for-sql-injection">Testing for SQL Injection</a> <ul> <li><a href="#string-delimiters">String Delimiters</a></li> <li><a href="#closing-out-strings-and-functions">Closing Out Strings and Functions</a></li> <li><a href="#sorting">Sorting</a></li> <li><a href="#fuzzing">Fuzzing</a></li> </ul> </li> <li><a href="#exploiting-sql-injection">Exploiting SQL Injection</a> <ul> <li><a href="#error-based-payloads">Error-based Payloads</a></li> <li><a href="#union-based-payloads">UNION-based Payloads</a></li> <li><a href="#stacked-queries">Stacked Queries</a></li> <li><a href="#reading-and-writing-files">Reading and Writing Files</a></li> <li><a href="#remote-code-execution">Remote Code Execution</a></li> </ul> </li> <li><a href="#database-dumping-with-automated-tools">Database dumping with Automated Tools</a></li> </ul> </li> <li><a href="#directory-traversal-attacks">Directory Traversal Attacks</a> <ul> <li><a href="#directory-traversal-overview">Directory Traversal Overview</a></li> <li><a href="#understanding-suggestive-parameters">Understanding Suggestive Parameters</a></li> <li><a href="#relative-vs-absolute-pathing">Relative vs. Absolute Pathing</a></li> <li><a href="#fuzzing-the-path-parameter">Fuzzing the Path Parameter</a></li> </ul> </li> <li><a href="#xml-external-entities">XML External Entities</a> <ul> <li><a href="#introduction-to-xml">Introduction to XML</a> <ul> <li><a href="#xml-entitie">XML Entitie</a></li> </ul> </li> <li><a href="#understanding-xml-external-entity-processing-vulnerabilities">Understanding XML External Entity Processing Vulnerabilities</a></li> <li><a href="#testing-for-xxe">Testing for XXE</a> <ul> <li><a href="#retrieving-files">Retrieving Files</a></li> </ul> </li> <li><a href="#error-based-testing">Error-based Testing</a></li> <li><a href="#out-of-band-testing">Out-of-Band Testing</a></li> </ul> </li> <li><a href="#server-side-template-injection---discovery-and-exploitation">Server-side Template Injection - Discovery and Exploitation</a></li> <li><a href="#link-to-">Link to: &#34;[OSWA, WEB-200] Instructional notes - Part 2&#34;</a> <ul> <li> <ul> <li></li> </ul> </li> </ul> </li> </ul> </nav> </details> </nav><p>[TOC]</p>https://chw41.github.io/b1og/oscp-pen-200-cheat-sheet/Mon, 22 Dec 2025 00:00:00 +0000https://chw41.github.io/b1og/oscp-pen-200-cheat-sheet/<h1 id="oscp-pen-200-cheat-sheet"> [OSCP, PEN-200] Cheat Sheet </h1><h1 id="table-of-contents"> Table of Contents </h1><nav class="chw-toc"> <details open> <nav id="TableOfContents"> <ul> <li><a href="#oscp-pen-200-cheat-sheet">[OSCP, PEN-200] Cheat Sheet</a></li> <li><a href="#table-of-contents">Table of Contents</a></li> <li><a href="#recon">Recon</a> <ul> <li><a href="#ip">IP</a> <ul> <li><a href="#nmap">Nmap</a></li> <li><a href="#rustscan">Rustscan</a></li> </ul> </li> <li><a href="#path">Path</a> <ul> <li><a href="#dirb">Dirb</a></li> <li><a href="#dirsearch">Dirsearch</a></li> <li><a href="#gobuster">Gobuster</a></li> <li><a href="#ffuf">ffuf</a></li> <li><a href="#hakrawler">hakrawler</a></li> <li><a href="#subdomain">Subdomain</a></li> <li><a href="#windows-path-traversal">windows path traversal</a></li> </ul> </li> <li><a href="#ftp">ftp</a></li> <li><a href="#http-proxy">Http-proxy</a></li> <li><a href="#rync">Rync</a></li> <li><a href="#windows--samba">Windows &amp; Samba</a> <ul> <li><a href="#enum4linux">Enum4linux</a></li> <li><a href="#smbclient">smbclient</a></li> <li><a href="#rpc">RPC</a></li> <li><a href="#winrm-59855986">WinRM (5985/5986)</a></li> <li><a href="#sql-server">SQL Server</a></li> <li><a href="#ldap">Ldap</a></li> <li><a href="#webdav">Webdav</a></li> <li><a href="#hydra">hydra</a></li> </ul> </li> <li><a href="#hash">Hash</a> <ul> <li><a href="#hashcat">Hashcat</a></li> </ul> </li> <li><a href="#wordlists">Wordlists</a></li> <li><a href="#sql">SQL</a> <ul> <li><a href="#sqlite3">Sqlite3</a></li> </ul> </li> </ul> </li> <li><a href="#intranet-penetration">Intranet Penetration</a> <ul> <li><a href="#crackmapexec">crackmapexec</a></li> <li><a href="#netexec-nxc">NetExec (NXC)</a> <ul> <li><a href="#enum">Enum</a></li> <li><a href="#password">Password</a></li> <li><a href="#user">User</a></li> </ul> </li> <li><a href="#winrm">winrm</a></li> <li><a href="#sharphound">Sharphound</a></li> <li><a href="#bloodhound">Bloodhound</a> <ul> <li><a href="#shadow-credentials">Shadow Credentials</a></li> <li><a href="#ad-cs-template-vul">AD CS template vul</a></li> <li><a href="#recyclebin">RecycleBin</a></li> </ul> </li> <li><a href="#ntlm-theft">Ntlm-theft</a></li> </ul> </li> <li><a href="#ad">AD</a> <ul> <li><a href="#--as-rep-roasting">- AS-REP Roasting</a></li> <li><a href="#--kerbrute-passwordspray">- Kerbrute passwordspray</a></li> <li><a href="#--kerberoasting">- Kerberoasting</a></li> </ul> </li> <li><a href="#vuln">Vuln</a> <ul> <li> <ul> <li><a href="#wpscan">WPscan</a></li> <li><a href="#file-crack">File crack</a></li> </ul> </li> </ul> </li> <li><a href="#exploit">Exploit</a> <ul> <li><a href="#searchsploit">Searchsploit</a></li> <li><a href="#reverse-shell">Reverse Shell</a> <ul> <li><a href="#php-shell">PHP shell</a></li> <li><a href="#linux">Linux</a></li> <li><a href="#windows">Windows</a></li> <li><a href="#msfvenom">msfvenom</a></li> </ul> </li> <li><a href="#bind-shell">Bind Shell</a></li> <li><a href="#interactive-shell">Interactive shell</a></li> </ul> </li> <li><a href="#privileges-escalation">Privileges Escalation</a> <ul> <li><a href="#linux-1">Linux</a> <ul> <li><a href="#system">System</a></li> <li><a href="#writable-file">Writable File</a></li> <li><a href="#linpeas">LinPEAS</a></li> <li><a href="#sudo">Sudo</a></li> <li><a href="#etcpasswd">/etc/passwd</a></li> <li><a href="#suid">SUID</a></li> <li><a href="#cron">Cron</a></li> </ul> </li> <li><a href="#windows-1">Windows</a> <ul> <li><a href="#whoami-priv">whoami /priv</a></li> <li><a href="#group-policy-object-gpo-abuse">Group Policy Object (GPO) Abuse</a></li> <li><a href="#dpapi">DPAPI</a></li> <li><a href="#writedacl">WriteDacl</a></li> <li><a href="#powerupps1">PowerUp.ps1</a></li> <li><a href="#binary-hijacking">Binary Hijacking</a></li> <li><a href="#dll-hijacking">DLL Hijacking</a></li> <li><a href="#unquoted-service-paths">Unquoted Service Paths</a></li> <li><a href="#osversion">OSVersion</a></li> <li><a href="#keepass">KeePass</a></li> <li><a href="#history">History</a></li> <li><a href="#event-viewer">Event Viewer</a></li> <li><a href="#config-file">config file</a></li> </ul> </li> </ul> </li> </ul> </nav> </details> </nav><p>[TOC]</p>https://chw41.github.io/b1og/oscp-pen-200-instructional-notes---part-8/Thu, 20 Mar 2025 00:00:00 +0000https://chw41.github.io/b1og/oscp-pen-200-instructional-notes---part-8/<h1 id="oscp-pen-200-instructional-notes---part-8"> [OSCP, PEN-200] Instructional notes - Part 8 </h1><h1 id="table-of-contents"> Table of Contents </h1><nav class="chw-toc"> <details open> <nav id="TableOfContents"> <ul> <li><a href="#oscp-pen-200-instructional-notes---part-8">[OSCP, PEN-200] Instructional notes - Part 8</a></li> <li><a href="#table-of-contents">Table of Contents</a></li> <li><a href="#link-back-to-">Link back to: &#34;[OSCP, PEN-200] Instructional notes - Part 1&#34;</a></li> <li><a href="#link-back-to--1">Link back to: &#34;[OSCP, PEN-200] Instructional notes - Part 2&#34;</a></li> <li><a href="#link-back-to--2">Link back to: &#34;[OSCP, PEN-200] Instructional notes - Part 3&#34;</a></li> <li><a href="#link-back-to--3">Link back to: &#34;[OSCP, PEN-200] Instructional notes - Part 4&#34;</a></li> <li><a href="#link-back-to--4">Link back to: &#34;[OSCP, PEN-200] Instructional notes - Part 5&#34;</a></li> <li><a href="#link-back-to--5">Link back to: &#34;[OSCP, PEN-200] Instructional notes - Part 6&#34;</a></li> <li><a href="#link-back-to--6">Link back to: &#34;[OSCP, PEN-200] Instructional notes - Part 7&#34;</a></li> <li><a href="#attacking-aws-cloud-infrastructure">Attacking AWS Cloud Infrastructure</a> <ul> <li><a href="#about-the-public-cloud-labs">About the Public Cloud Labs</a></li> <li><a href="#leaked-secrets-to-poisoned-pipeline---lab-design">Leaked Secrets to Poisoned Pipeline - Lab Design</a> <ul> <li><a href="#accessing-the-labs">Accessing the Labs</a></li> </ul> </li> <li><a href="#enumeration">Enumeration</a> <ul> <li><a href="#enumerating-jenkins">Enumerating Jenkins</a></li> <li><a href="#enumerating-the-git-server">Enumerating the Git Server</a></li> <li><a href="#enumerating-the-application">Enumerating the Application</a></li> </ul> </li> <li><a href="#discovering-secrets">Discovering Secrets</a> <ul> <li><a href="#downloading-the-bucket">Downloading the Bucket</a></li> <li><a href="#searching-for-secrets-in-git">Searching for Secrets in Git</a></li> </ul> </li> <li><a href="#poisoning-the-pipeline">Poisoning the Pipeline</a> <ul> <li><a href="#enumerating-the-repositories">Enumerating the Repositories</a></li> <li><a href="#modifying-the-pipeline">Modifying the Pipeline</a></li> </ul> </li> </ul> </li> <li><a href="#assembling-the-pieces">Assembling the Pieces</a> <ul> <li><a href="#enumerating-the-public-network">Enumerating the Public Network</a> <ul> <li><a href="#mailsrv1">MAILSRV1</a></li> <li><a href="#2-nmap-掃描-mailsrv1">2. Nmap 掃描 MAILSRV1</a></li> <li><a href="#3-研究-hmailserver-的潛在漏洞">3. 研究 hMailServer 的潛在漏洞</a></li> <li><a href="#websrv1">WEBSRV1</a></li> </ul> </li> <li><a href="#attacking-a-public-machine">Attacking a Public Machine</a> <ul> <li><a href="#initial-foothold">Initial Foothold</a></li> <li><a href="#a-link-to-the-past">A Link to the Past</a></li> </ul> </li> <li><a href="#gaining-access-to-the-internal-network">Gaining Access to the Internal Network</a> <ul> <li><a href="#domain-credentials">Domain Credentials</a></li> <li><a href="#phishing-for-access">Phishing for Access</a></li> </ul> </li> <li><a href="#enumerating-the-internal-network">Enumerating the Internal Network</a> <ul> <li><a href="#situational-awareness">Situational Awareness</a></li> <li><a href="#services-and-sessions">Services and Sessions</a></li> </ul> </li> <li><a href="#attacking-an-internal-web-application">Attacking an Internal Web Application</a> <ul> <li><a href="#speak-kerberoast-and-enter">Speak Kerberoast and Enter</a></li> <li><a href="#abuse-a-wordpress-plugin-for-a-relay-attack">Abuse a WordPress Plugin for a Relay Attack</a></li> </ul> </li> <li><a href="#gaining-access-to-the-domain-controller">Gaining Access to the Domain Controller</a> <ul> <li><a href="#cached-credentials">Cached Credentials</a></li> <li><a href="#lateral-movement">Lateral Movement</a></li> </ul> </li> <li><a href="#report">Report</a> <ul> <li></li> </ul> </li> </ul> </li> </ul> </nav> </details> </nav><p>[TOC]</p>https://chw41.github.io/b1og/oscp-pen-200-instructional-notes---part-7/Wed, 19 Mar 2025 00:00:00 +0000https://chw41.github.io/b1og/oscp-pen-200-instructional-notes---part-7/<h1 id="oscp-pen-200-instructional-notes---part-7"> [OSCP, PEN-200] Instructional notes - Part 7 </h1><h1 id="table-of-contents"> Table of Contents </h1><nav class="chw-toc"> <details open> <nav id="TableOfContents"> <ul> <li><a href="#oscp-pen-200-instructional-notes---part-7">[OSCP, PEN-200] Instructional notes - Part 7</a></li> <li><a href="#table-of-contents">Table of Contents</a></li> <li><a href="#link-back-to-">Link back to: &#34;[OSCP, PEN-200] Instructional notes - Part 1&#34;</a></li> <li><a href="#link-back-to--1">Link back to: &#34;[OSCP, PEN-200] Instructional notes - Part 2&#34;</a></li> <li><a href="#link-back-to--2">Link back to: &#34;[OSCP, PEN-200] Instructional notes - Part 3&#34;</a></li> <li><a href="#link-back-to--3">Link back to: &#34;[OSCP, PEN-200] Instructional notes - Part 4&#34;</a></li> <li><a href="#link-back-to--4">Link back to: &#34;[OSCP, PEN-200] Instructional notes - Part 5&#34;</a></li> <li><a href="#link-back-to--5">Link back to: &#34;[OSCP, PEN-200] Instructional notes - Part 6&#34;</a></li> <li><a href="#lateral-movement-in-active-directory">Lateral Movement in Active Directory</a> <ul> <li><a href="#active-directory-lateral-movement-techniques">Active Directory Lateral Movement Techniques</a> <ul> <li><a href="#wmi-and-winrm">WMI and WinRM</a></li> <li><a href="#psexec">PsExec</a></li> <li><a href="#pass-the-hash">Pass the Hash</a></li> <li><a href="#overpass-the-hash">Overpass the Hash</a></li> <li><a href="#pass-the-ticket">Pass the Ticket</a></li> <li><a href="#dcom">DCOM</a></li> </ul> </li> <li><a href="#active-directory-persistence">Active Directory Persistence</a> <ul> <li><a href="#golden-ticket">Golden Ticket</a></li> <li><a href="#shadow-copies">Shadow Copies</a></li> </ul> </li> </ul> </li> <li><a href="#enumerating-aws-cloud-infrastructure">Enumerating AWS Cloud Infrastructure</a> <ul> <li><a href="#about-the-public-cloud-labs">About the Public Cloud Labs</a></li> <li><a href="#reconnaissance-of-cloud-resources-on-the-internet">Reconnaissance of Cloud Resources on the Internet</a> <ul> <li><a href="#accessing-the-lab">Accessing the Lab</a></li> <li><a href="#domain-and-subdomain-reconnaissance">Domain and Subdomain Reconnaissance</a></li> <li><a href="#service-specific-domains">Service-specific Domains</a></li> </ul> </li> <li><a href="#reconnaissance-via-cloud-service-providers-api">Reconnaissance via Cloud Service Provider's API</a> <ul> <li><a href="#preparing-the-lab---configure-aws-cli">Preparing the Lab - Configure AWS CLI</a></li> <li><a href="#publicly-shared-resources">Publicly Shared Resources</a></li> <li><a href="#obtaining-account-ids-from-s3-buckets">Obtaining Account IDs from S3 Buckets</a></li> <li><a href="#enumerating-iam-users-in-other-accounts">Enumerating IAM Users in Other Accounts</a></li> </ul> </li> <li><a href="#initial-iam-reconnaissance">Initial IAM Reconnaissance</a></li> <li><a href="#accessing-the-lab-1">Accessing the Lab</a> <ul> <li><a href="#examining-compromised-credentials">Examining Compromised Credentials</a></li> <li><a href="#scoping-iam-permissions">Scoping IAM permissions</a></li> </ul> </li> <li><a href="#iam-resources-enumeration">IAM Resources Enumeration</a> <ul> <li><a href="#choosing-between-a-manual-or-automated-enumeration-approach">Choosing Between a Manual or Automated Enumeration Approach</a></li> <li><a href="#processing-api-response-data-with-jmespath">Processing API Response data with JMESPath</a></li> <li><a href="#running-automated-enumeration-with-pacu">Running Automated Enumeration with Pacu</a></li> <li><a href="#extracting-insights-from-enumeration-data">Extracting Insights from Enumeration Data</a></li> </ul> </li> </ul> </li> <li><a href="#attacking-aws-cloud-infrastructure">Attacking AWS Cloud Infrastructure</a></li> <li><a href="#link-to-">Link to: &#34;[OSCP, PEN-200] Instructional notes - Part 8&#34;</a> <ul> <li> <ul> <li></li> </ul> </li> </ul> </li> </ul> </nav> </details> </nav><p>[TOC]</p>https://chw41.github.io/b1og/oscp-pen-200-instructional-notes---part-6/Tue, 18 Mar 2025 00:00:00 +0000https://chw41.github.io/b1og/oscp-pen-200-instructional-notes---part-6/<h1 id="oscp-pen-200-instructional-notes---part-6"> [OSCP, PEN-200] Instructional notes - Part 6 </h1><h1 id="table-of-contents"> Table of Contents </h1><nav class="chw-toc"> <details open> <nav id="TableOfContents"> <ul> <li><a href="#oscp-pen-200-instructional-notes---part-6">[OSCP, PEN-200] Instructional notes - Part 6</a></li> <li><a href="#table-of-contents">Table of Contents</a></li> <li><a href="#link-back-to-">Link back to: &#34;[OSCP, PEN-200] Instructional notes - Part 1&#34;</a></li> <li><a href="#link-back-to--1">Link back to: &#34;[OSCP, PEN-200] Instructional notes - Part 2&#34;</a></li> <li><a href="#link-back-to--2">Link back to: &#34;[OSCP, PEN-200] Instructional notes - Part 3&#34;</a></li> <li><a href="#link-back-to--3">Link back to: &#34;[OSCP, PEN-200] Instructional notes - Part 4&#34;</a></li> <li><a href="#link-back-to--4">Link back to: &#34;[OSCP, PEN-200] Instructional notes - Part 5&#34;</a></li> <li><a href="#active-directory-introduction-and-enumeration">Active Directory Introduction and Enumeration</a> <ul> <li><a href="#active-directory---introduction">Active Directory - Introduction</a> <ul> <li><a href="#enumeration---defining-our-goals">Enumeration - Defining our Goals</a></li> <li><a href="#active-directory---manual-enumeration">Active Directory - Manual Enumeration</a></li> <li><a href="#enumerating-active-directory-using-powershell-and-net-classes">Enumerating Active Directory using PowerShell and .NET Classes</a></li> <li><a href="#adding-search-functionality-to-our-script">Adding Search Functionality to our Script</a></li> <li><a href="#ad-enumeration-with-powerview">AD Enumeration with PowerView</a></li> </ul> </li> <li><a href="#manual-enumeration---expanding-our-repertoire">Manual Enumeration - Expanding our Repertoire</a> <ul> <li><a href="#enumerating-operating-systems">Enumerating Operating Systems</a></li> <li><a href="#getting-an-overview---permissions-and-logged-on-users">Getting an Overview - Permissions and Logged on Users</a></li> <li><a href="#enumeration-through-service-principal-names">Enumeration Through Service Principal Names</a></li> <li><a href="#enumerating-object-permissions">Enumerating Object Permissions</a></li> <li><a href="#enumerating-domain-shares">Enumerating Domain Shares</a></li> </ul> </li> <li><a href="#active-directory---automated-enumeration">Active Directory - Automated Enumeration</a> <ul> <li><a href="#collecting-data-with-sharphound">Collecting Data with SharpHound</a></li> <li><a href="#analysing-data-using-bloodhound">Analysing Data using BloodHound</a></li> </ul> </li> </ul> </li> <li><a href="#attacking-active-directory-authentication">Attacking Active Directory Authentication</a> <ul> <li><a href="#understanding-active-directory-authentication">Understanding Active Directory Authentication</a> <ul> <li><a href="#ntlm-authentication">NTLM Authentication</a></li> <li><a href="#kerberos-authentication">Kerberos Authentication</a></li> <li><a href="#cached-ad-credentials">Cached AD Credentials</a></li> </ul> </li> <li><a href="#performing-attacks-on-active-directory-authentication">Performing Attacks on Active Directory Authentication</a> <ul> <li><a href="#password-attacks-password-spraying">Password Attacks (Password Spraying)</a></li> <li><a href="#as-rep-roasting">AS-REP Roasting</a></li> <li><a href="#kerberoasting">Kerberoasting</a></li> <li><a href="#silver-tickets">Silver Tickets</a></li> <li><a href="#domain-controller-synchronization">Domain Controller Synchronization</a></li> </ul> </li> </ul> </li> <li><a href="#lateral-movement-in-active-directory">Lateral Movement in Active Directory</a></li> <li><a href="#link-to-">Link to: &#34;[OSCP, PEN-200] Instructional notes - Part 7&#34;</a></li> <li><a href="#link-to--1">Link to: &#34;[OSCP, PEN-200] Instructional notes - Part 8&#34;</a> <ul> <li> <ul> <li></li> </ul> </li> </ul> </li> </ul> </nav> </details> </nav><p>[TOC]</p>https://chw41.github.io/b1og/oscp-pen-200-instructional-notes---part-5/Mon, 17 Mar 2025 00:00:00 +0000https://chw41.github.io/b1og/oscp-pen-200-instructional-notes---part-5/<h1 id="oscp-pen-200-instructional-notes---part-5"> [OSCP, PEN-200] Instructional notes - Part 5 </h1><h1 id="table-of-contents"> Table of Contents </h1><nav class="chw-toc"> <details open> <nav id="TableOfContents"> <ul> <li><a href="#oscp-pen-200-instructional-notes---part-5">[OSCP, PEN-200] Instructional notes - Part 5</a></li> <li><a href="#table-of-contents">Table of Contents</a></li> <li><a href="#link-back-to-">Link back to: &#34;[OSCP, PEN-200] Instructional notes - Part 1&#34;</a></li> <li><a href="#link-back-to--1">Link back to: &#34;[OSCP, PEN-200] Instructional notes - Part 2&#34;</a></li> <li><a href="#link-back-to--2">Link back to: &#34;[OSCP, PEN-200] Instructional notes - Part 3&#34;</a></li> <li><a href="#link-back-to--3">Link back to: &#34;[OSCP, PEN-200] Instructional notes - Part 4&#34;</a></li> <li><a href="#port-redirection-and-ssh-tunneling">Port Redirection and SSH Tunneling</a> <ul> <li><a href="#-ssh-tunneling-instructional-notes---part-4">… SSH Tunneling (Instructional notes - Part 4)</a></li> <li><a href="#port-forwarding-with-windows-tools">Port Forwarding with Windows Tools</a> <ul> <li><a href="#sshexe">ssh.exe</a></li> <li><a href="#plink">Plink</a></li> <li><a href="#netsh">Netsh</a></li> </ul> </li> </ul> </li> <li><a href="#tunneling-through-deep-packet-inspection">Tunneling Through Deep Packet Inspection</a> <ul> <li><a href="#http-tunneling-theory-and-practice">HTTP Tunneling Theory and Practice</a> <ul> <li><a href="#http-tunneling-fundamentals">HTTP Tunneling Fundamentals</a></li> <li><a href="#http-tunneling-with-chisel">HTTP Tunneling with Chisel</a></li> </ul> </li> <li><a href="#dns-tunneling-theory-and-practice">DNS Tunneling Theory and Practice</a> <ul> <li><a href="#dns-tunneling-fundamentals">DNS Tunneling Fundamentals</a></li> <li><a href="#dns-tunneling-with-dnscat2">DNS Tunneling with dnscat2</a></li> </ul> </li> </ul> </li> <li><a href="#the-metasploit-framework">The Metasploit Framework</a> <ul> <li><a href="#getting-familiar-with-metasploit">Getting Familiar with Metasploit</a> <ul> <li><a href="#setup-and-work-with-msf">Setup and Work with MSF</a></li> <li><a href="#auxiliary-modules">Auxiliary Modules</a></li> <li><a href="#exploit-modules">Exploit Modules</a></li> </ul> </li> <li><a href="#using-metasploit-payloads">Using Metasploit Payloads</a> <ul> <li><a href="#staged-vs-non-staged-payloads">Staged vs Non-Staged Payloads</a></li> <li><a href="#meterpreter-payload">Meterpreter Payload</a></li> <li><a href="#executable-payloads">Executable Payloads</a></li> </ul> </li> <li><a href="#performing-post-exploitation-with-metasploit">Performing Post-Exploitation with Metasploit</a> <ul> <li><a href="#core-meterpreter-post-exploitation-features">Core Meterpreter Post-Exploitation Features</a></li> <li><a href="#pivoting-with-metasploit">Pivoting with Metasploit</a></li> <li><a href="#automating-metasploit">Automating Metasploit</a></li> </ul> </li> </ul> </li> <li><a href="#active-directory-introduction-and-enumeration">Active Directory Introduction and Enumeration</a></li> <li><a href="#link-to-">Link to: &#34;[OSCP, PEN-200] Instructional notes - Part 6&#34;</a></li> <li><a href="#link-to--1">Link to: &#34;[OSCP, PEN-200] Instructional notes - Part 7&#34;</a></li> <li><a href="#link-to--2">Link to: &#34;[OSCP, PEN-200] Instructional notes - Part 8&#34;</a> <ul> <li> <ul> <li></li> </ul> </li> </ul> </li> </ul> </nav> </details> </nav><p>[TOC]</p>https://chw41.github.io/b1og/oscp-pen-200-instructional-notes---part-4/Sun, 16 Mar 2025 00:00:00 +0000https://chw41.github.io/b1og/oscp-pen-200-instructional-notes---part-4/<h1 id="oscp-pen-200-instructional-notes---part-4"> [OSCP, PEN-200] Instructional notes - Part 4 </h1><h1 id="table-of-contents"> Table of Contents </h1><nav class="chw-toc"> <details open> <nav id="TableOfContents"> <ul> <li><a href="#oscp-pen-200-instructional-notes---part-4">[OSCP, PEN-200] Instructional notes - Part 4</a></li> <li><a href="#table-of-contents">Table of Contents</a></li> <li><a href="#link-back-to-">Link back to: &#34;[OSCP, PEN-200] Instructional notes - Part 1&#34;</a></li> <li><a href="#link-back-to--1">Link back to: &#34;[OSCP, PEN-200] Instructional notes - Part 2&#34;</a></li> <li><a href="#link-back-to--2">Link back to: &#34;[OSCP, PEN-200] Instructional notes - Part 3&#34;</a></li> <li><a href="#linux-privilege-escalation">Linux Privilege Escalation</a> <ul> <li><a href="#enumerating-linux">Enumerating Linux</a> <ul> <li><a href="#understanding-files-and-users-privileges-on-linux">Understanding Files and Users Privileges on Linux</a></li> <li><a href="#manual-enumeration">Manual Enumeration</a></li> <li><a href="#automated-enumeration">Automated Enumeration</a></li> </ul> </li> <li><a href="#exposed-confidential-information">Exposed Confidential Information</a> <ul> <li><a href="#inspecting-user-trails">Inspecting User Trails</a></li> <li><a href="#inspecting-service-footprints">Inspecting Service Footprints</a></li> </ul> </li> <li><a href="#insecure-file-permissions">Insecure File Permissions</a> <ul> <li><a href="#abusing-cron-jobs">Abusing Cron Jobs</a></li> <li><a href="#abusing-password-authentication">Abusing Password Authentication</a></li> </ul> </li> <li><a href="#insecure-system-components">Insecure System Components</a> <ul> <li><a href="#abusing-setuid-binaries-and-capabilities">Abusing Setuid Binaries and Capabilities</a></li> <li><a href="#abusing-sudo">Abusing Sudo</a></li> <li><a href="#exploiting-kernel-vulnerabilities">Exploiting Kernel Vulnerabilities</a></li> </ul> </li> </ul> </li> <li><a href="#port-redirection-and-ssh-tunneling">Port Redirection and SSH Tunneling</a> <ul> <li><a href="#why-port-redirection-and-tunneling">Why Port Redirection and Tunneling?</a></li> <li><a href="#port-forwarding-with-linux-tools">Port Forwarding with Linux Tools</a> <ul> <li><a href="#a-simple-port-forwarding-scenario">A Simple Port Forwarding Scenario</a></li> <li><a href="#setting-up-the-lab-environment">Setting Up the Lab Environment</a></li> <li><a href="#port-forwarding-with-socat">Port Forwarding with Socat</a></li> </ul> </li> <li><a href="#ssh-tunneling">SSH Tunneling</a> <ul> <li><a href="#ssh-local-port-forwarding">SSH Local Port Forwarding</a></li> <li><a href="#ssh-dynamic-port-forwarding">SSH Dynamic Port Forwarding</a></li> <li><a href="#ssh-remote-port-forwarding">SSH Remote Port Forwarding</a></li> <li><a href="#ssh-remote-dynamic-port-forwarding">SSH Remote Dynamic Port Forwarding</a></li> <li><a href="#using-sshuttle">Using sshuttle</a></li> </ul> </li> <li><a href="#port-forwarding-with-windows-tools">Port Forwarding with Windows Tools</a></li> </ul> </li> <li><a href="#link-to-">Link to: &#34;[OSCP, PEN-200] Instructional notes - Part 5&#34;</a></li> <li><a href="#link-to--1">Link to: &#34;[OSCP, PEN-200] Instructional notes - Part 6&#34;</a></li> <li><a href="#link-to--2">Link to: &#34;[OSCP, PEN-200] Instructional notes - Part 7&#34;</a></li> <li><a href="#link-to--3">Link to: &#34;[OSCP, PEN-200] Instructional notes - Part 8&#34;</a> <ul> <li> <ul> <li></li> </ul> </li> </ul> </li> </ul> </nav> </details> </nav><p>[TOC]</p>https://chw41.github.io/b1og/oscp-pen-200-instructional-notes---part-3/Mon, 17 Feb 2025 00:00:00 +0000https://chw41.github.io/b1og/oscp-pen-200-instructional-notes---part-3/<h1 id="oscp-pen-200-instructional-notes---part-3"> [OSCP, PEN-200] Instructional notes - Part 3 </h1><h1 id="table-of-contents"> Table of Contents </h1><nav class="chw-toc"> <details open> <nav id="TableOfContents"> <ul> <li><a href="#oscp-pen-200-instructional-notes---part-3">[OSCP, PEN-200] Instructional notes - Part 3</a></li> <li><a href="#table-of-contents">Table of Contents</a></li> <li><a href="#link-back-to-">Link back to: &#34;[OSCP, PEN-200] Instructional notes - Part 1&#34;</a></li> <li><a href="#link-back-to--1">Link back to: &#34;[OSCP, PEN-200] Instructional notes - Part 2&#34;</a></li> <li><a href="#password-attacks">Password Attacks</a> <ul> <li><a href="#working-with-password-hashes">Working with Password Hashes</a> <ul> <li><a href="#-instructional-notes---part-2">... (Instructional notes - Part 2)</a></li> <li><a href="#windows-credential-guard">Windows Credential Guard</a></li> </ul> </li> </ul> </li> <li><a href="#windows-privilege-escalation">Windows Privilege Escalation</a> <ul> <li><a href="#enumerating-windows">Enumerating Windows</a> <ul> <li><a href="#understanding-windows-privileges-and-access-control-mechanisms">Understanding Windows Privileges and Access Control Mechanisms</a></li> <li><a href="#situational-awareness">Situational Awareness</a></li> <li><a href="#hidden-in-plain-view">Hidden in Plain View</a></li> <li><a href="#information-goldmine-powershell">Information Goldmine PowerShell</a></li> <li><a href="#automated-enumeration">Automated Enumeration</a></li> </ul> </li> <li><a href="#leveraging-windows-services">Leveraging Windows Services</a> <ul> <li><a href="#service-binary-hijacking">Service Binary Hijacking</a></li> <li><a href="#dll-hijacking">DLL Hijacking</a></li> <li><a href="#unquoted-service-paths">Unquoted Service Paths</a></li> </ul> </li> <li><a href="#abusing-other-windows-components">Abusing Other Windows Components</a> <ul> <li><a href="#scheduled-tasks">Scheduled Tasks</a></li> <li><a href="#using-exploits">Using Exploits</a></li> <li><a href="#sigmapotato">SigmaPotato</a></li> </ul> </li> </ul> </li> <li><a href="#linux-privilege-escalation">Linux Privilege Escalation</a></li> <li><a href="#link-to-">Link to: &#34;[OSCP, PEN-200] Instructional notes - Part 4&#34;</a></li> <li><a href="#link-to--1">Link to: &#34;[OSCP, PEN-200] Instructional notes - Part 5&#34;</a></li> <li><a href="#link-to--2">Link to: &#34;[OSCP, PEN-200] Instructional notes - Part 6&#34;</a></li> <li><a href="#link-to--3">Link to: &#34;[OSCP, PEN-200] Instructional notes - Part 7&#34;</a></li> <li><a href="#link-to--4">Link to: &#34;[OSCP, PEN-200] Instructional notes - Part 8&#34;</a> <ul> <li> <ul> <li></li> </ul> </li> </ul> </li> </ul> </nav> </details> </nav><p>[TOC]</p>https://chw41.github.io/b1og/oscp-pen-200-instructional-notes---part-2/Thu, 02 Jan 2025 00:00:00 +0000https://chw41.github.io/b1og/oscp-pen-200-instructional-notes---part-2/<h1 id="oscp-pen-200-instructional-notes---part-2"> [OSCP, PEN-200] Instructional notes - Part 2 </h1><h1 id="table-of-contents"> Table of Contents </h1><nav class="chw-toc"> <details open> <nav id="TableOfContents"> <ul> <li><a href="#oscp-pen-200-instructional-notes---part-2">[OSCP, PEN-200] Instructional notes - Part 2</a></li> <li><a href="#table-of-contents">Table of Contents</a></li> <li><a href="#exploits">Exploits</a> <ul> <li><a href="#locating-public-exploits">Locating Public Exploits</a> <ul> <li><a href="#--a-word-of-caution">- A Word of Caution</a></li> <li><a href="#--online-exploit-resources">- Online Exploit Resources</a></li> <li><a href="#--offline-exploit-resources">- Offline Exploit Resources</a></li> <li><a href="#--exploiting-a-target">- Exploiting a Target</a></li> </ul> </li> <li><a href="#fixing-exploits">Fixing Exploits</a> <ul> <li><a href="#fixing-memory-corruption-exploits">Fixing Memory Corruption Exploits</a></li> <li><a href="#cross-compiling-exploit-code-交叉編譯漏洞">Cross-Compiling Exploit Code 交叉編譯漏洞</a></li> <li><a href="#fixing-the-exploit">Fixing the Exploit</a></li> </ul> </li> </ul> </li> <li><a href="#antivirus-evasion">Antivirus Evasion</a> <ul> <li><a href="#av-engines-and-components">AV Engines and Components</a></li> <li><a href="#detection-methods">Detection Methods</a> <ul> <li><a href="#xxd">xxd</a></li> <li><a href="#sha256sum--shasum">sha256sum / shasum</a></li> </ul> </li> <li><a href="#bypassing-antivirus-detections">Bypassing Antivirus Detections</a> <ul> <li><a href="#1-on-disk-evasion">1. On-Disk Evasion</a></li> <li><a href="#2-in-memory-evasion">2. In-Memory Evasion</a></li> <li><a href="#av-evasion-example">AV Evasion Example</a></li> <li><a href="#automating-the-process">Automating the Process</a></li> </ul> </li> </ul> </li> <li><a href="#password-attacks">Password Attacks</a> <ul> <li><a href="#attacking-network-services-logins">Attacking Network Services Logins</a> <ul> <li><a href="#1-ssh-and-rdp-logins-hydra">1. SSH and RDP logins (hydra)</a></li> <li><a href="#2-http-post-login-forms">2. HTTP POST login forms</a></li> </ul> </li> <li><a href="#password-cracking-fundamentals">Password Cracking Fundamentals</a> <ul> <li><a href="#encryption-hashes-and-cracking">Encryption, Hashes and Cracking</a></li> <li><a href="#mutating-wordlists">Mutating Wordlists</a></li> <li><a href="#cracking-methodology">Cracking Methodology</a></li> <li><a href="#password-manager">Password Manager</a></li> <li><a href="#ssh-private-key-passphrase">SSH Private Key Passphrase</a></li> </ul> </li> <li><a href="#working-with-password-hashes">Working with Password Hashes</a> <ul> <li><a href="#ntlm-vs-net-ntlmv2">NTLM vs. Net-NTLMv2</a></li> <li><a href="#cracking-ntlm">Cracking NTLM</a></li> <li><a href="#passing-ntlm">Passing NTLM</a></li> <li><a href="#cracking-net-ntlmv2">Cracking Net-NTLMv2</a></li> <li><a href="#relaying-net-ntlmv2">Relaying Net-NTLMv2</a></li> <li><a href="#windows-credential-guard">Windows Credential Guard</a></li> </ul> </li> </ul> </li> <li><a href="#link-to-">Link to: &#34;[OSCP, PEN-200] Instructional notes - Part 3&#34;</a></li> <li><a href="#link-to--1">Link to: &#34;[OSCP, PEN-200] Instructional notes - Part 4&#34;</a></li> <li><a href="#link-to--2">Link to: &#34;[OSCP, PEN-200] Instructional notes - Part 5&#34;</a></li> <li><a href="#link-to--3">Link to: &#34;[OSCP, PEN-200] Instructional notes - Part 6&#34;</a></li> <li><a href="#link-to--4">Link to: &#34;[OSCP, PEN-200] Instructional notes - Part 7&#34;</a></li> <li><a href="#link-to--5">Link to: &#34;[OSCP, PEN-200] Instructional notes - Part 8&#34;</a> <ul> <li> <ul> <li></li> </ul> </li> </ul> </li> </ul> </nav> </details> </nav><p>[TOC]</p>https://chw41.github.io/b1og/oscp-pen-200-instructional-notes---part-1/Sun, 03 Nov 2024 00:00:00 +0000https://chw41.github.io/b1og/oscp-pen-200-instructional-notes---part-1/<h1 id="oscp-pen-200-instructional-notes---part-1"> [OSCP, PEN-200] Instructional notes - Part 1 </h1><h1 id="table-of-contents"> Table of Contents </h1><nav class="chw-toc"> <details open> <nav id="TableOfContents"> <ul> <li><a href="#oscp-pen-200-instructional-notes---part-1">[OSCP, PEN-200] Instructional notes - Part 1</a></li> <li><a href="#table-of-contents">Table of Contents</a></li> <li><a href="#recon">Recon</a> <ul> <li><a href="#whois">Whois</a></li> <li><a href="#google-hacking">Google Hacking</a></li> <li><a href="#open-source-code">Open-Source Code</a></li> <li><a href="#dns">DNS</a> <ul> <li><a href="#1-host">1. host</a></li> <li><a href="#2-dnsrecon">2. dnsrecon</a></li> <li><a href="#3-dnsrecon-與-host-差異">3. dnsrecon 與 host 差異</a></li> <li><a href="#xfreerdp-rdp-tool">xfreerdp (RDP Tool)</a></li> <li><a href="#4-nslookup">4. nslookup</a></li> </ul> </li> <li><a href="#netcat">Netcat</a></li> <li><a href="#iptables-監控流量-not-available-on-macos">iptables 監控流量 (not available on macOS)</a></li> <li><a href="#nmap">Nmap</a></li> <li><a href="#test-netconnection---windows-nmap">Test-NetConnection - Windows nmap</a></li> <li><a href="#smb-enumeration-identifying-netbios">SMB Enumeration (identifying NetBIOS)</a> <ul> <li><a href="#nbtscan">nbtscan</a></li> <li><a href="#net-view---windows-nbtscan">net view - Windows nbtscan</a></li> <li><a href="#enum4linux">enum4linux</a></li> </ul> </li> <li><a href="#smtp-enumeration">SMTP Enumeration</a> <ul> <li><a href="#python-script-the-smtp-user-enumeration">Python script the SMTP user enumeration</a></li> <li><a href="#telnet-windows-test-netconnection-cant-interacting-with-smtp">telnet (Windows Test-NetConnection can't interacting with SMTP)</a></li> </ul> </li> <li><a href="#snmp-enumeration">SNMP Enumeration</a> <ul> <li><a href="#snmp-mib-tree">SNMP MIB Tree</a></li> <li><a href="#onesixtyone-snmp-scanner">onesixtyone (SNMP scanner)</a></li> <li><a href="#snmpwalk-query-and-retrieve-snmp">snmpwalk (query and retrieve SNMP)</a></li> </ul> </li> </ul> </li> <li><a href="#vulnerability-scanning">Vulnerability Scanning</a> <ul> <li><a href="#nmap---nse-vulnerability-scripts">Nmap - NSE Vulnerability Scripts</a></li> </ul> </li> <li><a href="#web-application-assessment">Web Application Assessment</a> <ul> <li><a href="#directory-brute-force">Directory Brute Force</a></li> <li><a href="#http-headers">HTTP headers</a></li> </ul> </li> <li><a href="#cross-site-scripting">Cross-Site Scripting</a> <ul> <li><a href="#identifying-xss-vulnerabilities">Identifying XSS Vulnerabilities</a></li> <li><a href="#privilege-escalation-via-xss">Privilege Escalation via XSS</a></li> </ul> </li> <li><a href="#web-application-attacks">Web Application Attacks</a> <ul> <li><a href="#directory-traversal">Directory Traversal</a></li> <li><a href="#file-inclusion-vulnerabilities">File Inclusion Vulnerabilities</a> <ul> <li><a href="#1-local-file-inclusion-lfi">1. Local File Inclusion (LFI)</a></li> <li><a href="#2-php-wrappers">2. PHP Wrappers</a></li> <li><a href="#3-remote-file-inclusion-rfi">3. Remote File Inclusion (RFI)</a></li> </ul> </li> <li><a href="#file-upload-vulnerabilities">File Upload Vulnerabilities</a> <ul> <li><a href="#1-using-executable-files">1. Using Executable Files</a></li> <li><a href="#2-using-non-executable-files">2. Using Non-Executable Files</a></li> </ul> </li> <li><a href="#command-injection">Command Injection</a> <ul> <li><a href="#powershell-or-cmd-reverse-shell">PowerShell or CMD reverse shell</a></li> </ul> </li> <li><a href="#sql-injection">SQL Injection</a> <ul> <li><a href="#manual-sql-exploitation">Manual SQL Exploitation</a></li> <li><a href="#manual-and-automated-code-execution">Manual and Automated Code Execution</a></li> </ul> </li> <li><a href="#client-side-attacks">Client-side Attacks</a> <ul> <li><a href="#--exiftool-metadata-tag">- exiftool: metadata tag</a></li> <li><a href="#--theharvester-osint-tool">- theHarvester: OSINT tool</a></li> <li><a href="#--html-application-hta">- HTML Application (HTA)</a></li> <li><a href="#--canarytokens">- Canarytokens</a></li> <li><a href="#--exploiting-microsoft-office-macro">- Exploiting Microsoft Office (Macro)</a></li> <li><a href="#--obtaining-code-execution-via-windows-library-files-webdav--link">- Obtaining Code Execution via Windows Library Files (Webdav &amp; .link)</a></li> </ul> </li> </ul> </li> <li><a href="#link-to-">Link to: &#34;[OSCP, PEN-200] Instructional notes - Part 2&#34;</a></li> <li><a href="#link-to--1">Link to: &#34;[OSCP, PEN-200] Instructional notes - Part 3&#34;</a></li> <li><a href="#link-to--2">Link to: &#34;[OSCP, PEN-200] Instructional notes - Part 4&#34;</a></li> <li><a href="#link-to--3">Link to: &#34;[OSCP, PEN-200] Instructional notes - Part 5&#34;</a></li> <li><a href="#link-to--4">Link to: &#34;[OSCP, PEN-200] Instructional notes - Part 6&#34;</a></li> <li><a href="#link-to--5">Link to: &#34;[OSCP, PEN-200] Instructional notes - Part 7&#34;</a></li> <li><a href="#link-to--6">Link to: &#34;[OSCP, PEN-200] Instructional notes - Part 8&#34;</a> <ul> <li> <ul> <li></li> </ul> </li> </ul> </li> </ul> </nav> </details> </nav><p>[TOC]</p>