Shuciran Pentesting Notes

NMAP

Scan Network Range Shuciran@htb[/htb]$ sudo nmap 10.129.2.0/24 -sn -oA tnet | grep for | cut -d" " -f5 10.129.2.4 10.129.2.10 10.129.2.11 10.129.2.18 10.129.2.19 10.129.2.20 10.129.2.28 Nmap Styl...

Common Ports

Port  Type     Usage
20    TCP      FTP Data
21    TCP      FTP Control
22    TCP/UDP  Secure Shell (SSH)
...

PHP Wrappers

Wrappers data Represent a string on the web page http://10.11.0.22/menu.php?file=data:text/plain,hello world Shell with data http://10.11.0.22/menu.php?file=data:text/plain,<?php echo shell_ex...

PHP RFI

RFI Remote File Inclusion bypassing .htaccess If by any chance you are able to upload a file remotely within a server but you can’t see the content due to a php restriction: Try by using another ...

Outdated (Medium)

Host: 10.10.11.175 If Active Directory => Synchronize your NTP with the domain controller: ntpdate 10.10.11.175 Content SMB Enumeration Follina Exploitation Reverse Shell with Invoke-P...

DotNet Project Compilation

C# Compilation Project If we get a C# project that is not compiled, for example SharpWSUS, we can compile it with Visual Studio on a Windows machine; follow these steps: Download the project onto your mach...

Fully Interactive TTY (Windows)

ConPTY 1) Download the Invoke-ConPTYShell.ps1 script to our local machine. 2) Modify the final line of the script as follows: exchange the IP and remote port of our local machine as well as the stt...

RCE via SSTI

Server-side template injection vulnerabilities can expose websites to a variety of attacks depending on the template engine in question and how exactly the application uses it. In certain rare circ...

Worker (Medium)

Host entries 10.10.10.203 N/A If Active Directory => Synchronize your NTP with the domain controller: ntpdate 10.10.10.103 Content SVN - Subversion Enumeration Information Leakage VHos...

WinRM Certificate (password-less) based authentication

WINRM Certificate We can authenticate via WinRM by creating a certificate; this is an AD CS feature. As we can check in these notes, all we need to do is follow these steps: Pre-requisites: Access...