Category: Exploits & Vulns

  • jQuery XSS (CVE-2015-9251)

    jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed.

  • Reusing Sudo Tokens

    Privilege escalation on Unix.

  • Polkit’s pkexec utility exploit (CVE-2021-4034)

    A local privilege escalation vulnerability was found in polkit’s pkexec utility. The pkexec application is a setuid tool designed to allow unprivileged users to run commands as privileged users according to predefined policies.

  • Zerologon (CVE-2020-1472)

    Zerologon is an elevation of privilege vulnerability when an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller, using the Netlogon Remote Protocol (MS-NRPC), aka ‘Netlogon Elevation of Privilege Vulnerability’. Zerologon (CVE-2020-1472) is a critical vulnerability that affects Windows servers. Given certain circumstances, this vulnerability can allow an attacker to bypass authentication…

  • Overpass the Hash/Pass the Key

    Whereas that hash is used to authenticate in Pass the Hash attacks, in OverPass the Hash attacks, it is used to submit a signed request to the Kerberos Domain Controller (KDC) for a full Kerberos TGT (Ticket Granting Ticket) or service ticket on behalf of that compromised user. That ticket can provide access to a…

  • PrintSpoofer

    Windows privilege escalation technique. From LOCAL/NETWORK SERVICE to SYSTEM by abusing SeImpersonatePrivilege on Windows 10 and Server 2016/2019.

  • RottenPotatoNG

    Windows privilege escalation technique.

  • Juicy Potato

    Windows privilege escalation technique.

  • Kerberoasting

    Crack the Kerberos service ticket to obtain the clear text password for the service account. The service ticket is encrypted using the password hash of the service account that the SPN is registered to.

  • Pass-the-Hash

    Pass the hash allows an attacker to authenticate to a remote server or service by using the underlying NTLM or LanMan hash of a user’s password, instead of requiring the associated plaintext password as is normally the case. It replaces the need for stealing the plaintext password with merely stealing the hash and using that to authenticate with.

  • Windows Unquoted Service Path

    Privilege escalation techniques on Windows.

  • HTML Applications (HTA)

    HTML Applications (.hta) can be used for client-side attacks. They can contain JavaScript or VBScript code. Files are executed directly within Internet Explorer rather than downloaded before manual execution. Compatible with ActiveX. Also works with Microsoft Edge, but applications are downloaded and then run.

  • Microsoft Office Macros

    Macros can be used for client-side attacks (malicious document). They are written in Visual Basic for Applications (VBA).

  • Dependency confusion

    Security researcher hacks Apple, Tesla, PayPal, more, in clever open-source software attack

  • Bypass web filtering

    Depending on the configuration and tool, use IP address instead of server name to bypass web filtering.

  • HTTP Response Splitting / Web Cache Poisoning

    💡 See labs WebSecurityAcademy (PortSwigger) – Web cache poisoning. 💡 See labs WebSecurityAcademy (PortSwigger) – HTTP request smuggling (Exploiting HTTP request smuggling to perform web cache poisoning). HTTP response splitting is a form of web application vulnerability, resulting from the failure of the application or its environment to properly sanitize input values. It can be…

  • Incubated vulnerability

    Testing for Incubated Vulnerability (WSTG-INPV-014). Incubated testing is complex testing that needs more than one data validation vulnerability to work.

  • IMAP / SMTP Injection

    This threat affects all the applications that communicate with mail servers (IMAP/SMTP), generally web mail applications. In IMAP/SMTP injection testing, testers check if it is possible to inject arbitrary IMAP/SMTP commands into the mail servers, due to input data not being properly sanitized. An IMAP/SMTP Injection attack breaks the following pattern: Input -> IMAP/SMTP command == IMAP/SMTP…

  • LDAP Injection

    Testing for LDAP Injection (WSTG-INPV-06); Blackhat Europe (PDF). LDAP injection testing is similar to SQL Injection testing. The differences are that testers use the LDAP protocol instead of SQL and the target is an LDAP Server instead of a SQL Server. An LDAP Injection attack breaks the following pattern: Input -> Query LDAP == LDAP…

  • Exploit 47995: Sudo 1.8.25p – Buffer Overflow (CVE-2019-18634)

    If pwfeedback is enabled in sudoers, the stack overflow may allow unprivileged users to escalate to the root account. See https://www.exploit-db.com/exploits/47995. Check if the server is vulnerable.

  • Exploit 45233: OpenSSH 2.3 < 7.7 - Username Enumeration (CVE-2018-15473)

    Fix for: https://www.exploit-db.com/exploits/45233. Create the file ssh-exploit-user-enum.py. Run with Python 2. Requires paramiko (pip install paramiko). Exploit 45233: fix the exploit first, see below. Fixing the exploit for Python 3: fix the broken indentation before “pass” in “BadUsername”; replace every occurrence of _handler_table by _client_handler_table; replace every occurrence of print with print(). 45233.py (fixed).

  • Cisco ASA firewall: Cisco CLI “jail break” (CVE-2014-3390)

    Shell access without a reboot: https://www.youtube.com/watch?v=KXqrovapQ5A&feature=youtu.be&t=1495