Shuciran Pentesting Notes

XXE Blind Out of Band

Detection: You can often detect blind XXE with the same technique as for XXE-based SSRF, but pointing the out-of-band network interaction at a system that you control. For example, you would def...

XXE Basic

Headers: To exploit an XXE the request body has to be parsed as XML, so the Content-Type is normally text/xml (application/xml is usually accepted too) POST /action HTTP/1.0 Content-Type: text/xml File Reading While exploring an XXE it is important to use the tags provided by the appl...

Powershell Modules

Nishang If we want to get a .ps1 file such as one of the Nishang scripts onto a Windows machine, we can modify the last line of that file (so that the script is loaded and then executed): Write-Warning "S...

NTP (UDP 123)

Basic Enumeration ntpq -c readlist <IP_ADDRESS> ntpq -c readvar <IP_ADDRESS> ntpq -c peers <IP_ADDRESS> ntpq -c associations <IP_ADDRESS> ntpdc -c monlist <IP_ADDRESS> (monlist is disabled by default since ntpd 4.2.7p26, so expect it to fail against modern servers)...

LDAP (tcp-389, tcp-636, tcp-3268)

LDAPDOMAINDUMP Dumping useful information from the domain controller via LDAP: ldapdomaindump -u 'htb.local\amanda' -p 'Ashare1972' 10.10.10.103 [*] Connecting to host... [*] Binding to host [+] Bi...

KERBEROS (tcp-88)

Explanation The Kerberos authentication protocol used by Microsoft is derived from the Kerberos version 5 authentication protocol created by MIT and has been used as Microsoft’s primary authenticat...

Linux PATH Hijacking

In order to exploit PATH hijacking we need to identify two things: 1) that the script is executed in another user’s context (for example via sudo, a SUID wrapper or a cron job) 2) that a command is invoked by a relative name, without an absolute path, so that it is resolved through PATH; the same applies to a libra...
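Both conditions can be reproduced locally before trying them on a target. The following lab is an added example and not part of the original notes: it builds a throwaway directory with a script that calls ls by its bare name (condition 2), a hardened copy that pins PATH and uses the absolute path, and a fake ls that records when it runs. The file names (vuln.sh, fixed.sh, hijack.log) and the "run as another user" framing are assumptions for the demonstration; nothing outside the temporary directory is touched.

```shell
#!/usr/bin/env bash
# Added example, not from the original notes: a self-contained PATH hijacking lab.
# All file names (vuln.sh, fixed.sh, hijack.log, the fake "ls") are made up for the demo.

# Heuristic for condition 2: list the commands a script invokes by bare name, i.e. the
# first word of every non-comment, non-assignment line that does not start with "/".
relative_commands() {
  grep -vE '^[[:space:]]*(#|$)' "$1" \
    | grep -vE '^[[:space:]]*[A-Za-z_][A-Za-z0-9_]*=' \
    | awk '{print $1}' | grep -v '^/' | sort -u
}

# Build the lab in a temporary directory and print its path.
setup_lab() {
  local lab
  lab=$(mktemp -d)
  mkdir -p "$lab/attacker"

  # Condition 2: "ls" is called without an absolute path. Imagine this script is run
  # through sudo or root's crontab (condition 1: another user's context).
  cat > "$lab/vuln.sh" <<'EOF'
#!/bin/sh
ls / >/dev/null
echo "backup done"
EOF
  chmod +x "$lab/vuln.sh"

  # Hardened variant: fixed PATH and absolute path to the binary.
  cat > "$lab/fixed.sh" <<'EOF'
#!/bin/sh
PATH=/usr/bin:/bin
/bin/ls / >/dev/null
echo "backup done"
EOF
  chmod +x "$lab/fixed.sh"

  # Attacker's fake "ls": leaves a marker, then hands over to the real ls so the
  # victim script behaves normally. The log path is baked in when the file is written.
  cat > "$lab/attacker/ls" <<EOF
#!/bin/sh
echo "fake ls ran as \$(id -un)" >> "$lab/hijack.log"
exec /bin/ls "\$@"
EOF
  chmod +x "$lab/attacker/ls"
  echo "$lab"
}

# Run one of the lab scripts with the attacker directory prepended to PATH.
# Returns 0 if the fake ls executed (hijack succeeded), 1 otherwise.
attempt_hijack() {
  local lab="$1" script="$2"
  rm -f "$lab/hijack.log"
  PATH="$lab/attacker:$PATH" "$lab/$script" >/dev/null
  [ -s "$lab/hijack.log" ]
}

# Stand-alone run: show the bare-name commands, then try both scripts.
main() {
  local lab
  lab=$(setup_lab)
  echo "bare-name commands in vuln.sh: $(relative_commands "$lab/vuln.sh" | tr '\n' ' ')"
  attempt_hijack "$lab" vuln.sh  && echo "vuln.sh:  hijacked ($(cat "$lab/hijack.log"))"
  attempt_hijack "$lab" fixed.sh || echo "fixed.sh: not hijacked"
  rm -rf "$lab"
}
main
```

relative_commands is only a first pass: echo shows up in its output but is a shell builtin, so it is never resolved through PATH; what matters is an external binary such as ls. On a real target the check for condition 1 is the sudo rule, SUID bit or cron entry that runs the script, and the fix is the one fixed.sh shows: set PATH explicitly at the top of the script and call binaries by absolute path.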

Responder

LLMNR (Link-Local Multicast Name Resolution) What is LLMNR? Link-Local Multicast Name Resolution. Used to resolve host names when DNS fails to do so. It is the successor of NBT-NS (NetBIOS Name Service), which Windows still falls back to. The main drawb...

Bloodhound

Sharphound.exe First upload SharpHound to the system and then run the following commands from a folder you can write to, since the collector drops a .zip file there: # For SharpHound.ps1 (each line is a comm...

NTP Synchronization

#Note Sometimes you need to use the host’s domain name instead of the IP (e.g. sizzle.htb) NTPDATE ntpdate 10.10.11.102 RDATE rdate -n 10.10.11.102 DATE It is also possible to set the date “manually” ...
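The reason for syncing is Kerberos: the KDC rejects requests whose timestamp is more than 5 minutes off (KRB_AP_ERR_SKEW), so it is worth measuring the offset with a query-only ntpdate -q before changing the clock. The script below is an added example, not part of the original notes: it parses the offset out of ntpdate -q output, decides whether the skew exceeds the Kerberos tolerance and only then falls through to the ntpdate / rdate commands from the note. The sample ntpdate output is constructed, and the host name and use of sudo are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not from the original notes: sync the clock against the DC only when
# the skew is large enough to break Kerberos. Sample output below is constructed.
MAX_SKEW=300   # seconds; the default Kerberos clock-skew tolerance

# Constructed "ntpdate -q <host>" output (query only, does not touch the clock).
SAMPLE_NTPDATE_Q='server 10.10.11.102, stratum 2, offset +421.503812, delay 0.05249
 5 Jun 10:12:01 ntpdate[4242]: step time server 10.10.11.102 offset +421.503812 sec'

# Print the signed offset in seconds from ntpdate -q output read on stdin.
# Only "server ..." lines are used; the last one wins. Prints nothing if none is found.
ntp_offset() {
  awk '/^server/ {
         for (i = 1; i <= NF; i++)
           if ($i == "offset") { off = $(i + 1); sub(/,$/, "", off); sub(/^\+/, "", off) }
       }
       END { print off }'
}

# Exit 0 when |offset| exceeds MAX_SKEW, 1 otherwise. Accepts integer or decimal input.
needs_sync() {
  awk -v off="$1" -v max="$MAX_SKEW" 'BEGIN {
    off += 0
    if (off < 0) off = -off
    if (off > max) exit 0
    exit 1
  }'
}

# Measure first, then sync with ntpdate and fall back to rdate (both from the note).
# $1 may have to be the DC's name rather than its IP (e.g. sizzle.htb).
sync_if_needed() {
  local host="$1" out off
  out=$(ntpdate -q "$host") || return 2          # query only
  off=$(printf '%s\n' "$out" | ntp_offset)
  [ -n "$off" ] || return 2                      # no server line: host did not answer
  if needs_sync "$off"; then
    echo "offset ${off}s exceeds ${MAX_SKEW}s, syncing against $host"
    sudo ntpdate "$host" || sudo rdate -n "$host"
  else
    echo "offset ${off}s is within Kerberos tolerance, nothing to do"
  fi
}

# Stand-alone demo on the constructed sample.
off=$(printf '%s\n' "$SAMPLE_NTPDATE_Q" | ntp_offset)
if needs_sync "$off"; then
  echo "sample offset ${off}s: sync required before using Kerberos"
else
  echo "sample offset ${off}s: ok"
fi
```

Call sync_if_needed with the DC as argument on an engagement; the demo at the bottom only exercises the parser on the constructed sample. If ntpdate -q returns no server line at all, check whether the DC only answers to its DNS name, which is the situation the note above describes.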