URL: https://docs.google.com/spreadsheets/u/0/d/1dzvaGlT_0xnT-PGO27Z_4prHgA8PHIpErmoWdlUrSoA/htmlview
Submission: On September 01 via manual from NZ — Scanned from NZ

Study Plan with S4vitar [Preparation for OSCP, OSED, OSWE, OSWP, OSEP, eJPT,
eWPT, eWPTXv2, eCPPTv3, eCPTXv2]

Our search engine for filtering machines: https://infosecmachines.io/ 🡰 Use
this search engine to filter by whatever you need (Techniques, OS, Difficulty,
Certifications, etc.)

Machine | IP Address | Operating System | Difficulty | Techniques Seen | Like | Writeup | Solved

Machine: Tentacle
IP Address: 10.10.10.224
Operating System: Linux
Difficulty: Hard
Techniques Seen:
 * DNS Enumeration (dnsenum)
 * SQUID Proxy
 * WPAD Enumeration
 * OpenSMTPD v2.0.0 Exploit
 * SSH using Kerberos (gssapi)
 * Abusing .k5login file
 * Abusing krb5.keytab file
Like: eCPPTv3, eCPTXv2, OSCP, OSEP, eWPT, eWPTXv2, OSWE, Active Directory
Writeup: https://www.youtube.com/watch?v=hFIWuWVIDek
Solved: Yes
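
Machine: Validation
IP Address: 10.10.11.116
Operating System: Linux
Difficulty: Easy
Techniques Seen:
 * SQLI (Error Based)
 * SQLI -> RCE (INTO OUTFILE)
 * Information Leakage
Like: eJPT, eWPT
Writeup: https://www.youtube.com/watch?v=78i-qbhEUVU
Solved: Yes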
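
Machine: Mischief
IP Address: 10.10.10.92
Operating System: Linux
Difficulty: Insane
Techniques Seen:
 * SNMP Enumeration
 * Information Leakage
 * IPV6
 * ICMP Data Exfiltration (Python Scapy)
Like: OSCP, eWPT, eWPTXv2, eCPPTv3, eCPTXv2, OSWE
Writeup: https://www.youtube.com/watch?v=Q6vlt9BlnWg
Solved: Yes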
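
Machine: Reddish
IP Address: 10.10.10.94
Operating System: Linux
Difficulty: Insane
Techniques Seen:
 * Abusing Node-Red
 * Chisel & Socat Usage
 * Redis-Cli Exploitation
 * Rsync Abusing
 * Cron Exploitation
 * Disk Mount
 * File Transfer Tips
 * PIVOTING
Like: eCPPTv3, eCPTXv2
Writeup: https://www.youtube.com/watch?v=XQQ104hWFXE
Solved: Yes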
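
Machine: Return
IP Address: 10.10.11.108
Operating System: Windows
Difficulty: Easy
Techniques Seen:
 * Abusing Printer
 * Abusing Server Operators Group
 * Service Configuration Manipulation
Like: eJPT, OSCP (Privilege Escalation)
Writeup: https://www.youtube.com/watch?v=5QC5lshrDDo
Solved: Yes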
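
Machine: Horizontall
IP Address: 10.10.11.105
Operating System: Linux
Difficulty: Easy
Techniques Seen:
 * Information Leakage
 * Port Forwarding
 * Strapi CMS Exploitation
 * Laravel Exploitation
Like: eWPT, eJPT
Writeup: https://www.youtube.com/watch?v=s2b-BH0I7R4
Solved: Yes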
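
Machine: Pressed
IP Address: 10.10.11.142
Operating System: Linux
Difficulty: Hard
Techniques Seen:
 * Password Guessing
 * WordPress Abusing RPC Calls
 * WordPress XML-RPC Create WebShell
 * PwnKit Exploit
Like: OSCP, eWPT, eWPTXv2, OSWE
Writeup: https://www.youtube.com/watch?v=67TQsX88EtM
Solved: Yes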

Machine: Epsilon
IP Address: 10.10.11.134
Operating System: Linux
Difficulty: Medium
Techniques Seen:
 * Git Source Leak Exploit (GitHack)
 * AWS Enumeration
 * Lambda Function Enumeration
 * Authentication Bypass
 * Abusing JWT
 * Server Side Template Injection (SSTI)
 * Tar Symlink Exploitation
Like: eWPT, eWPTXv2, OSCP, OSWE
Writeup: https://www.youtube.com/watch?v=tMsK6ZiB7CQ
Solved: Yes

Machine: Jeeves
IP Address: 10.10.10.63
Operating System: Windows
Difficulty: Medium
Techniques Seen:
 * Jenkins Exploitation (Groovy Script Console)
 * RottenPotato (SeImpersonatePrivilege)
 * PassTheHash (Psexec)
 * Breaking KeePass
 * Alternate Data Streams (ADS)
Like: OSCP, eJPT, eWPT, eCPPTv3
Writeup: https://www.youtube.com/watch?v=TwJiEWjI6Go
Solved: Yes
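
Machine: Pit
IP Address: 10.10.10.241
Operating System: Linux
Difficulty: Medium
Techniques Seen:
 * Information Leakage
 * SNMP Enumeration (Snmpwalk/Snmpbulkwalk)
 * SeedDMS Exploitation
 * SELinux (Extra)
 * SNMP Code Execution
Like: OSCP, eWPT
Writeup: https://www.youtube.com/watch?v=mxHbnV_LB20
Solved: Yes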

Machine: Blackfield
IP Address: 10.10.10.192
Operating System: Windows
Difficulty: Hard
Techniques Seen:
 * SMB Enumeration
 * Kerberos User Enumeration (Kerbrute)
 * ASRepRoast Attack (GetNPUsers)
 * Bloodhound Enumeration
 * Abusing ForceChangePassword Privilege (net rpc)
 * Lsass Dump Analysis (Pypykatz)
 * Abusing WinRM
 * SeBackupPrivilege Exploitation
 * DiskShadow
 * Robocopy Usage
 * NTDS Credentials Extraction (secretsdump)
Like: OSCP, OSEP, eCPPTv3, Active Directory
Writeup: https://www.youtube.com/watch?v=0cPq2UV2vmg
Solved: Yes

Machine: EarlyAccess
IP Address: 10.10.11.110
Operating System: Linux
Difficulty: Hard
Techniques Seen:
 * XSS Injection
 * XSS Cookie Stealing
 * Cookie Hijacking
 * Code Analysis
 * Building a Key Generator (PYTHON)
 * SQLI (Error Based)
 * LFI && Wrappers
 * Bash Scripting for Host Discovering
 * Information Leakage
 * Pivoting
 * Abusing Docker
 * Abusing Capabilities
Like: eCPPTv3, eCPTXv2, OSCP, eWPT, eWPTXv2, OSWE
Writeup: https://www.youtube.com/watch?v=31CvSq9lcqU
Solved: Yes

Machine: Flustered
IP Address: 10.10.11.131
Operating System: Linux
Difficulty: Medium
Techniques Seen:
 * Abusing Squid Proxy
 * Abusing GlusterFS
 * Information Leakage
 * Server Side Template Injection (SSTI) [RCE]
 * Abusing Azure Storage
Like: OSCP, eJPT, eWPT, eWPTXv2, eCPPTv3, OSWE
Writeup: https://www.youtube.com/watch?v=MQeB_fItmW8
Solved: Yes
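
Machine: Love
IP Address: 10.10.10.239
Operating System: Windows
Difficulty: Easy
Techniques Seen:
 * Server Side Request Forgery (SSRF)
 * Exploiting Voting System
 * Abusing AlwaysInstallElevated (msiexec/msi file)
Like: eJPT, eWPT, OSCP (Privilege Escalation)
Writeup: https://www.youtube.com/watch?v=5tEBvG0OnWQ
Solved: Yes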

Machine: NodeBlog
IP Address: 10.10.11.139
Operating System: Linux
Difficulty: Easy
Techniques Seen:
 * NoSQL Injection (Authentication Bypass)
 * XXE File Read
 * NodeJS Deserialization Attack (IIFE Abusing)
 * Mongo Database Enumeration
Like: eJPT, eWPT
Writeup: https://www.youtube.com/watch?v=MPArplyCIjM
Solved: Yes
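
Machine: NunChucks
IP Address: 10.10.11.122
Operating System: Linux
Difficulty: Easy
Techniques Seen:
 * NodeJS SSTI (Server Side Template Injection)
 * AppArmor Profile Bypass (Privilege Escalation)
Like: eJPT, eWPT
Writeup: https://www.youtube.com/watch?v=RRig0TQKYy8
Solved: Yes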
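
Machine: Bolt
IP Address: 10.10.11.114
Operating System: Linux
Difficulty: Medium
Techniques Seen:
 * Information Leakage
 * Subdomain Enumeration
 * SSTI (Server Side Template Injection)
 * Abusing PassBolt
 * Abusing GPG
Like: eJPT, eWPT, eWPTXv2, OSWE
Writeup: https://www.youtube.com/watch?v=zemqqJMl1VA
Solved: Yes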

Machine: GoodGames
IP Address: 10.10.11.130
Operating System: Linux
Difficulty: Easy
Techniques Seen:
 * SQLI (Error Based)
 * Hash Cracking Weak Algorithms
 * Password Reuse
 * Server Side Template Injection (SSTI)
 * Docker Breakout (Privilege Escalation) [PIVOTING]
Like: eJPT, eWPT, eCPPTv3, OSCP (Privilege Escalation)
Writeup: https://www.youtube.com/watch?v=r3WMeRtwmFc
Solved: Yes
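
Machine: Hawk
IP Address: 10.10.10.102
Operating System: Linux
Difficulty: Medium
Techniques Seen:
 * OpenSSL Cipher Brute Force and Decryption
 * Drupal Enumeration/Exploitation
 * H2 Database Exploitation
Like: eJPT, eWPT
Writeup: https://www.youtube.com/watch?v=qiCozh2m0yE
Solved: Yes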

Machine: Monitors
IP Address: 10.10.10.238
Operating System: Linux
Difficulty: Hard
Techniques Seen:
 * Information Leakage
 * WordPress Plugin Exploitation (Spritz)
 * Local File Inclusion (LFI)
 * Cacti 1.2.12 Exploitation
 * Apache OfBiz Deserialization Attack (RCE)
 * Docker Breakout (cap_sys_module Capability) [PRIVILEGE ESCALATION]
Like: eCPPTv3, eWPT, eWPTXv2, OSCP, OSWE
Writeup: https://www.youtube.com/watch?v=u0eFap03oDY
Solved: Yes

Machine: Intelligence
IP Address: 10.10.10.248
Operating System: Windows
Difficulty: Medium
Techniques Seen:
 * Information Leakage
 * Kerberos Enumeration (Kerbrute)
 * Creating a DNS Record (dnstool.py) [Abusing ADIDNS]
 * Intercepting Net-NTLMv2 Hashes with Responder
 * BloodHound Enumeration
 * Abusing ReadGMSAPassword Rights (gMSADumper)
 * Pywerview Usage
 * Abusing Unconstrained Delegation
 * Abusing AllowedToDelegate Rights (getST.py) (User Impersonation)
 * Using .ccache file with wmiexec.py (KRB5CCNAME)
Like: OSCP, OSEP, eCPPTv3, Active Directory
Writeup: https://www.youtube.com/watch?v=LI8wnTUc5-I
Solved: Yes
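
Machine: Scavenger
IP Address: 10.10.10.155
Operating System: Linux
Difficulty: Hard
Techniques Seen:
 * Domain Zone Transfer (AXFR)
 * SQLI (Error Based) [WHOIS]
 * PCAP Analysis (Tshark && Wireshark)
 * Abusing Rootkit
Like: eWPT
Writeup: https://www.youtube.com/watch?v=5-L8T8Qsxfs
Solved: Yes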
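
Machine: Driver
IP Address: 10.10.11.106
Operating System: Windows
Difficulty: Easy
Techniques Seen:
 * Password Guessing
 * SCF Malicious File
 * Print Spooler Local Privilege Escalation (PrintNightmare) [CVE-2021-1675]
Like: OSCP (Privilege Escalation), eJPT
Writeup: https://www.youtube.com/watch?v=TY8NgOUVXjM
Solved: Yes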

Machine: Minion
IP Address: 10.10.10.57
Operating System: Windows
Difficulty: Insane
Techniques Seen:
 * Server Side Request Forgery (SSRF) [Internal Port Discovery]
 * ICMP Reverse Shell (PowerShell) [Firewall Bypassing]
 * Alternate Data Streams (ADS)
 * Firewall Evasion [Firewall Rules Manipulation]
Like: eWPTXv2, OSWE
Writeup: https://www.youtube.com/watch?v=yCXJI0H0704
Solved: Yes

Machine: Sizzle
IP Address: 10.10.10.103
Operating System: Windows
Difficulty: Insane
Techniques Seen:
 * SMBCacls Enumeration
 * Malicious SCF File (Getting NetNTLMv2 Hash)
 * Ldap Enumeration (LdapDomainDump)
 * Abusing Microsoft Active Directory Certificate Services
 * Creating Certificate Signing Requests (CSR) [Openssl]
 * CLM / AppLocker Break Out (Escaping ConstrainedLanguage)
 * PSByPassCLM Usage (CLM / AppLocker Break out)
 * Msbuild (CLM / AppLocker Break Out)
 * Kerberoasting Attack (Rubeus)
 * Kerberoasting Attack (Chisel Port Forward - GetUserSPNs.py)
 * WINRM Connections
 * BloodHound Enumeration
 * DCSync Attack (secretsdump.py)
 * DCSync Attack (Mimikatz)
 * PassTheHash (wmiexec.py)
Like: OSCP, OSEP, eCPPTv3, Active Directory
Writeup: https://www.youtube.com/watch?v=7W2h7qoCShk
Solved: Yes
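
Machine: Toolbox
IP Address: 10.10.10.236
Operating System: Windows
Difficulty: Easy
Techniques Seen:
 * PostgreSQL Injection (RCE)
 * Abusing boot2docker [Docker-Toolbox]
 * Pivoting
Like: eWPT, OSCP (Intrusion), eJPT, eCPPTv2
Writeup: https://www.youtube.com/watch?v=0wTYfJsZdKU
Solved: Yes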

Machine: Enterprise
IP Address: 10.10.10.61
Operating System: Linux
Difficulty: Medium
Techniques Seen:
 * WordPress Lcars Plugin SQLI Vulnerability
 * SQL Injection (boolean-based blind, error-based, time-based blind)
 * WordPress Exploitation [www-data] (Theme Edition - 404.php Template)
 * Joomla Exploitation [www-data] (Template Manipulation)
 * Docker Breakout
 * Ghidra Binary Analysis
 * Buffer Overflow (No ASLR - PIE enabled) [RET2LIBC] (Privilege Escalation)
Like: eWPT, eCPPTv3, eCPTXv2, Buffer Overflow
Writeup: https://www.youtube.com/watch?v=2ZzVu5mdzgA
Solved: Yes

Machine: Chaos
IP Address: 10.10.10.120
Operating System: Linux
Difficulty: Medium
Techniques Seen:
 * Password Guessing
 * Abusing e-mail service (claws-mail)
 * Crypto Challenge (Decrypt Secret Message - AES Encrypted)
 * LaTeX Injection (RCE)
 * Bypassing rbash (Restricted Bash)
 * Extracting Credentials from Firefox Profile
Like: eWPT, eJPT
Writeup: https://www.youtube.com/watch?v=-t0CkWmiq6s
Solved: Yes

Machine: SteamCloud
IP Address: 10.10.11.133
Operating System: Linux
Difficulty: Easy
Techniques Seen:
 * Kubernetes API Enumeration (kubectl)
 * Kubelet API Enumeration (kubeletctl)
 * Command Execution through kubeletctl on the containers
 * Cluster Authentication (ca.crt/token files) with kubectl
 * Creating YAML file for POD creation
 * Executing commands on the new POD
 * Reverse Shell through YAML file while deploying the POD
Like: eWPTXv2, OSWE
Writeup: https://www.youtube.com/watch?v=q3mFOd8eRQs
Solved: Yes

Machine: Seal
IP Address: 10.10.10.250
Operating System: Linux
Difficulty: Medium
Techniques Seen:
 * Information Leakage (GitBucket)
 * Breaking Parser Logic - Abusing Reverse Proxy / URI Normalization
 * Exploiting Tomcat (RCE) [Creating malicious WAR]
 * Abusing existing YML Playbook file [Cron Job]
 * Ansible-playbook exploitation (sudo privilege)
Like: eWPT, eWPTXv2, OSCP (Intrusion), OSWE
Writeup: https://www.youtube.com/watch?v=IShxpoRMxW8
Solved: Yes

Machine: Hancliffe
IP Address: 10.10.11.115
Operating System: Windows
Difficulty: Hard
Techniques Seen:
 * Abusing URI Normalization
 * Server Side Template Injection (SSTI) [NUXEO Vulnerability]
 * Unified Remote 3 Exploitation (RCE)
 * Decrypt Mozilla protected passwords
 * Reversing EXE in Ghidra
 * Buffer Overflow (Socket Reuse Technique) [ADVANCED]
Like: Buffer Overflow, OSED, OSCP (Intrusion), eWPT, eWPTXv2, OSWE
Writeup: https://www.youtube.com/watch?v=A_7Cwl2bBC0
Solved: Yes
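
Machine: Antique
IP Address: 10.10.11.107
Operating System: Linux
Difficulty: Easy
Techniques Seen:
 * SNMP Enumeration
 * Network Printer Abuse
 * CUPS Administration Exploitation (ErrorLog)
 * EXTRA -> (DirtyPipe) [CVE-2022-0847]
Like: eJPT
Writeup: https://www.youtube.com/watch?v=pvtergVU__4
Solved: Yes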

Machine: Object
IP Address: 10.10.11.132
Operating System: Windows
Difficulty: Hard
Techniques Seen:
 * Jenkins Exploitation (New Job + Abusing Build Periodically)
 * Jenkins Exploitation (Abusing Trigger builds remotely using TOKEN)
 * Firewall Enumeration Techniques
 * Jenkins Password Decrypt
 * BloodHound Enumeration
 * Abusing ForceChangePassword with PowerView
 * Abusing GenericWrite (Set-DomainObject - Setting Script Logon Path)
 * Abusing WriteOwner (Takeover Domain Admins Group)
Like: OSCP, OSEP, eCPPTv3, OSWE, Active Directory
Writeup: https://www.youtube.com/watch?v=K8d2CmQAV9Q
Solved: Yes
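
Machine: Stratosphere
IP Address: 10.10.10.64
Operating System: Linux
Difficulty: Medium
Techniques Seen:
 * Apache Struts Exploitation (CVE-2017-5638)
 * Python Library Hijacking (Privilege Escalation)
Like: eWPT, eJPT
Writeup: https://www.youtube.com/watch?v=KADZhYY9Wpw
Solved: Yes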

Machine: Devzat
IP Address: 10.10.11.118
Operating System: Linux
Difficulty: Medium
Techniques Seen:
 * Fuzzing Directory .git (GIT Project Recomposition)
 * Web Injection (RCE)
 * Abusing InfluxDB (CVE-2019-20933)
 * Abusing Devzat Chat /file command (Privilege Escalation)
 * EXTRA (Crypto CTF Challenge | N Factorization)
Like: eWPT, eJPT
Writeup: https://www.youtube.com/watch?v=WXdF3wqwtqQ
Solved: Yes

Machine: Helpline
IP Address: 10.10.10.132
Operating System: Windows
Difficulty: Hard
Techniques Seen:
 * ManageEngine ServiceDesk Plus User Enumeration
 * ManageEngine ServiceDesk Plus Authentication Bypassing
 * ManageEngine ServiceDesk Plus Remote Code Execution
 * Disabling Windows Defender (PowerShell)
 * Mimikatz - Getting NTLM User Hashes (lsadump::sam)
 * Reading Event Logs with Powershell (RamblingCookieMonster) [Get-WinEventData]
 * Decrypting EFS files with Mimikatz
 * Getting the certificate with Mimikatz (crypto::system)
 * Decrypting the masterkey with Mimikatz (dpapi::masterkey)
 * Decrypting the private key with Mimikatz (dpapi::capi)
 * Building a correct PFX with Openssl
 * Installing the PFX via certutil
 * Installing VNC in the box via msiexec
 * Connecting to the VNC service using vncviewer
 * Converting Secure String File to PlainText
 * Using RunAs to execute commands as the administrator
Like: eWPT, OSCP
Writeup: https://www.youtube.com/watch?v=EGlLewVI_M0
Solved: Yes
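
Machine: Ransom
IP Address: 10.10.11.153
Operating System: Linux
Difficulty: Medium
Techniques Seen:
 * Login Bypass (Type Juggling Attack)
 * Decrypting a ZIP file (PlainText Attack - Bkcrack) - CONTI RANSOMWARE
Like: eWPT
Writeup: https://www.youtube.com/watch?v=_hnKZ1YgzyA
Solved: Yes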

Machine: Bankrobber
IP Address: 10.10.10.154
Operating System: Windows
Difficulty: Insane
Techniques Seen:
 * Blind XSS Injection
 * Stealing the session cookie by XSS injection
 * SQLI - Error Based
 * SQLI - File Access
 * SQLI - Stealing Net-NTLMv2 Hash (impacket-smbserver)
 * XSS + XSRF => RCE
 * Abusing a custom binary (Brute Force Pin && Overflow)
Like: eWPT, eWPTXv2, OSWE, OSCP (Intrusion)
Writeup: https://www.youtube.com/watch?v=NAKePo2HLjI
Solved: Yes
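
Machine: Tenet
IP Address: 10.10.10.223
Operating System: Linux
Difficulty: Medium
Techniques Seen:
 * PHP Deserialization Attack
 * Abusing Race Condition
Like: eWPT
Writeup: https://www.youtube.com/watch?v=Isgpbsi9Tpc
Solved: Yes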

Machine: Stacked
IP Address: 10.10.11.112
Operating System: Linux
Difficulty: Insane
Techniques Seen:
 * Virtual Hosting Enumeration
 * Referer XSS Injection
 * XSS - Creating JS file (accessing unauthorized resources)
 * Checking/Reading mail through XSS injection
 * AWS Enumeration
 * Lambda Enumeration
 * Creating a Lambda Function (NodeJS)
 * Invoking the created lambda function
 * RCE on LocalStack
 * Abusing FunctionName Parameter (AWS) by exploiting XSS vulnerability (RCE)
 * Finding and exploiting custom 0Day [Privilege Escalation]
 * Root FileSystem Access by abusing Docker
Like: eWPT, eWPTXv2, OSWE
Writeup: https://www.youtube.com/watch?v=L1w3DwxFHFg
Solved: Yes

Machine: Mantis
IP Address: 10.10.10.52
Operating System: Windows
Difficulty: Hard
Techniques Seen:
 * Database Enumeration (DBeaver)
 * Bloodhound Enumeration (bloodhound-python)
 * Exploiting MS14-068 (goldenPac.py) [Microsoft Kerberos Checksum Validation Vulnerability]
Like: OSCP, OSEP, eCPPTv3, Active Directory
Writeup: https://www.youtube.com/watch?v=3p0myaukHBk
Solved: Yes
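
Machine: TheNotebook
IP Address: 10.10.10.230
Operating System: Linux
Difficulty: Medium
Techniques Seen:
 * Abusing JWT (Gaining privileges)
 * Abusing Upload File
 * Docker Breakout [CVE-2019-5736 - RUNC] (Privilege Escalation)
Like: eWPT, OSCP (Privilege Escalation), OSWE
Writeup: https://www.youtube.com/watch?v=dekA2dzLSlE
Solved: Yes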

Machine: Travel
IP Address: 10.10.10.189
Operating System: Linux
Difficulty: Hard
Techniques Seen:
 * Git Project Recomposition (.git) [Git-Dumper]
 * Abusing WordPress (SimplePie + Memcache) [PHP Code Analysis]
 * Memcache Object Poisoning (Gopherus + Deserialization Attack + RCE)
 * LDAP Enumeration (Apache Directory Studio - GUI)
 * Abusing LDAP to add an SSH Key
 * Abusing LDAP to modify the user group to sudo (Privilege Escalation)
Like: eWPT, eWPTXv2, OSWE, OSCP (Privilege Escalation)
Writeup: https://www.youtube.com/watch?v=B5_NsxWlXTU
Solved: Yes

Machine: Shocker
IP Address: 10.10.10.56
Operating System: Linux
Difficulty: Easy
Techniques Seen:
 * ShellShock Attack (User-Agent)
 * Abusing Sudoers Privilege (Perl)
 * EXTRA: We create our own CTF in Docker that includes ShellShock
Like: eWPT, eJPT
Writeup: https://www.youtube.com/watch?v=xaOgoGYyJF4
Solved: Yes

Machine: SneakyMailer
IP Address: 10.10.10.197
Operating System: Linux
Difficulty: Medium
Techniques Seen:
 * Information Leakage
 * Mass Emailing Attack with SWAKS
 * Password Theft
 * Abusing Pypi Server (Creating a Malicious Pypi Package)
 * Abusing Sudoers Privilege (Pip3)
Like: OSCP
Writeup: https://www.youtube.com/watch?v=QWkM74ZBVO4
Solved: Yes
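
Machine: Secret
IP Address: 10.10.11.120
Operating System: Linux
Difficulty: Easy
Techniques Seen:
 * Code Analysis
 * Abusing an API
 * Json Web Tokens (JWT)
 * Abusing/Leveraging Core Dump [Privilege Escalation]
Like: eWPT, eWPTXv2, OSWE
Writeup: https://www.youtube.com/watch?v=YfVnbzpjz2I
Solved: Yes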

Machine: Giddy
IP Address: 10.10.10.104
Operating System: Windows
Difficulty: Medium
Techniques Seen:
 * SQL Injection (XP_DIRTREE) [SQLI] - Get Net-NTLMv2 Hash
 * Windows Defender Evasion (Ebowla)
 * Windows Defender Evasion (Building our own C program)
 * Service Listing Techniques
 * Abusing Unifi-Video (Privilege Escalation)
Like: eWPT, OSCP, OSWE
Writeup: https://www.youtube.com/watch?v=2ZnbIAPzmpg
Solved: Yes

Machine: Haystack
IP Address: 10.10.10.115
Operating System: Linux
Difficulty: Easy
Techniques Seen:
 * ElasticSearch Enumeration
 * Information Leakage
 * Kibana Enumeration
 * Kibana Exploitation (CVE-2018-17246)
 * Abusing Logstash (Privilege Escalation)
Like: eWPT, OSCP (Privilege Escalation), OSWE
Writeup: https://www.youtube.com/watch?v=-Ck0z8N1LxQ
Solved: Yes
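
Machine: Passage
IP Address: 10.10.10.206
Operating System: Linux
Difficulty: Medium
Techniques Seen:
 * CuteNews Exploitation
 * Code Analysis
 * USBCreator D-Bus Privilege Escalation
 * Python Exploit Development (AutoPwn)
Like: eWPT, OSWE, OSCP (Privilege Escalation)
Writeup: https://www.youtube.com/watch?v=O5v3yzvgYjw
Solved: Yes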

Machine: Altered
IP Address: 10.10.11.159
Operating System: Linux
Difficulty: Hard
Techniques Seen:
 * Brute Force Pin / Rate-Limit Bypass [Headers]
 * Type Juggling Bypassing
 * SQL Injection (Error Based)
 * SQLI to RCE -> INTO OUTFILE Query
 * Dirty Pipe Exploit (But with PAM-Wordle configured)
Like: OSCP, eWPT, eWPTXv2, OSWE
Writeup: https://www.youtube.com/watch?v=_8ih4aNNI4M
Solved: Yes

Machine: Shibboleth
IP Address: 10.10.11.124
Operating System: Linux
Difficulty: Medium
Techniques Seen:
 * Abusing IPMI (Intelligent Platform Management Interface)
 * Zabbix Exploitation
 * MariaDB Remote Code Execution (CVE-2021-27928)
Like: eWPT, OSCP
Writeup: https://www.youtube.com/watch?v=mkB1Vfw35XY
Solved: Yes

Machine: Tally
IP Address: 10.10.10.59
Operating System: Windows
Difficulty: Hard
Techniques Seen:
 * SharePoint Enumeration
 * Information Leakage
 * Playing with mounts (cifs, curlftpfs)
 * Abusing Keepass
 * Abusing Microsoft SQL Server (mssqlclient.py - xp_cmdshell RCE)
 * Abusing SeImpersonatePrivilege (JuicyPotato)
Like: OSCP
Writeup: https://www.youtube.com/watch?v=fMZCktwAD2w
Solved: Yes

Machine: Ellingson
IP Address: 10.10.10.139
Operating System: Linux
Difficulty: Hard
Techniques Seen:
 * Abusing Werkzeug Debugger (RCE)
 * Binary Exploitation
 * Advanced Buffer Overflow x64 - ROP / ASLR Bypass (Leaking Libc Address + Ret2libc + Setuid)
Like: Buffer Overflow, eWPT (Intrusion)
Writeup: https://www.youtube.com/watch?v=8dLPT-imMYk
Solved: Yes

Machine: Quick
IP Address: 10.10.10.186
Operating System: Linux
Difficulty: Hard
Techniques Seen:
 * HTTP/3 Enumeration
 * Recompiling curl to accept HTTP/3 requests
 * Information Leakage
 * Brute force in authentication panel
 * XSS Injection
 * Abusing Esigate (ESI Injection - RCE)
 * Manipulating passwords in the database
 * Abusing POS Print Server (File Hijacking Attack)
Like: eWPT, eWPTXv2, OSWE
Writeup: https://www.youtube.com/watch?v=C1NZVah39ms
Solved: Yes
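
Machine: Traverxec
IP Address: 10.10.10.165
Operating System: Linux
Difficulty: Easy
Techniques Seen:
 * Nostromo Exploitation
 * Abusing Nostromo HomeDirs Configuration
 * Exploiting Journalctl (Privilege Escalation)
Like: eWPT, OSCP (Privilege Escalation)
Writeup: https://www.youtube.com/watch?v=7aCplH8WZm0
Solved: Yes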

Machine: Sink
IP Address: 10.10.10.225
Operating System: Linux
Difficulty: Insane
Techniques Seen:
 * HTTP Request Smuggling Exploitation (Leak Admin Cookie)
 * Cookie Hijacking
 * Information Leakage
 * AWS Enumeration
 * AWS Secrets Manager
 * AWS Key_management Enumeration
 * AWS KMS Decrypting File
Like: eWPT, eWPTXv2, OSWE
Writeup: https://www.youtube.com/watch?v=2qKXz_Rk2YE
Solved: Yes

Machine: Overflow
IP Address: 10.10.11.119
Operating System: Linux
Difficulty: Hard
Techniques Seen:
 * Padding Oracle Attack (Padbuster)
 * Padding Oracle Attack (Bit Flipper Attack - BurpSuite) [EXTRA]
 * Cookie Hijacking
 * SQL Injection (Generic UNION query) [SQLI] - Error Based
 * Breaking Password
 * Upload File - Abusing Exiftool (RCE)
 * DNS Hijacking (Abusing Cron Job)
 * Ghidra Binary Analysis
 * Reversing Code (Computing valid PIN)
 * Buffer Overflow (Controlling the program and manipulating its flow to desired functions)
 * Abusing Decryption Function (XOR Trick) [Privilege Escalation]
Like: OSWE, eWPT, eWPTXv2, Buffer Overflow
Writeup: https://www.youtube.com/watch?v=tEbBDlOFen0
Solved: Yes

Machine: Fighter
IP Address: 10.10.10.72
Operating System: Windows
Difficulty: Insane
Techniques Seen:
 * Advanced SQL Injection [SQLI] - MS SQL Server 2014 [Bypass Protection] [Python Scripting] [RCE]
 * Abusing Cron Jobs
 * Capcom Rootkit Privilege Escalation
 * Binary and DLL Analysis in order to get root.txt [Radare2]
Like: eWPT, eWPTXv2, OSWE, OSCP
Writeup: https://www.youtube.com/watch?v=DWF0inlo8Zw
Solved: Yes

Machine: Tabby
IP Address: 10.10.10.194
Operating System: Linux
Difficulty: Easy
Techniques Seen:
 * Local File Inclusion (LFI)
 * Abusing Tomcat Virtual Host Manager
 * Abusing Tomcat Text-Based Manager - Deploy Malicious War (Curl Method)
 * LXC Exploitation (Privilege Escalation)
Like: eWPT, OSCP (Privilege Escalation), eJPT (Intrusion)
Writeup: https://www.youtube.com/watch?v=hKCNrXXLClQ
Solved: Yes

Machine: Backend
IP Address: 10.10.11.161
Operating System: Linux
Difficulty: Medium
Techniques Seen:
 * API Enumeration
 * Abusing API - Registering a new user
 * Abusing API - Logging in as the created user
 * Enumerating FastApi Endpoints through Docs
 * Abusing FastAPI - We managed to change the admin password
 * Abusing FastAPI - We get the ability to read files from the machine (Source Analysis)
 * Creating our own privileged JWT
 * Abusing FastAPI - We achieved remote command execution through the exec endpoint
 * Information Leakage (Privilege Escalation)
Like: eWPT, OSWE, OSCP
Writeup: https://www.youtube.com/watch?v=OugU0j3_COM
Solved: Yes

Machine: Hackback
IP Address: 10.10.10.128
Operating System: Windows
Difficulty: Insane
Techniques Seen:
 * Subdomain Enumeration
 * Information Leakage
 * Password Fuzzing
 * Gophish Template Log Poisoning (Limited RCE)
 * Internal Port Discovery
 * reGeorg - Accessing internal ports through a SOCKS proxy (proxychains)
 * Accessing the WinRM service through reGeorg and SOCKS proxy
 * Abusing Cron Job + SeImpersonatePrivilege Alternative Exploitation
 * Playing with PIPES - pipeserverimpersonate
 * Impersonating users and executing commands as the impersonated user
 * Bypassing Firewall Rules (BlockInbound/BlockOutbound)
 * Abusing Services
 * Alternate Data Streams (ADS)
Like: eWPT, eWPTXv2, OSWE, OSCP (Privilege Escalation), eCPTXv2
Writeup: https://www.youtube.com/watch?v=UMyJt-fiBz8
Solved: Yes

Machine: October
IP Address: 10.10.10.16
Operating System: Linux
Difficulty: Medium
Techniques Seen:
 * Abusing October CMS (Upload File Vulnerability)
 * Buffer Overflow - Bypassing ASLR + Ret2libc (x32 bits)
 * Buffer Overflow - Ret2libc without ASLR (x32 bits EXTRA)
Like: eWPT (Intrusion), Buffer Overflow
Writeup: https://www.youtube.com/watch?v=3QZfUBVr-AA
Solved: Yes

Machine: Holiday
IP Address: 10.10.10.25
Operating System: Linux
Difficulty: Hard
Techniques Seen:
 * SQL Injection [SQLI] - Sqlite
 * XSS Injection - Bypassing Techniques (fromCharCode) + Own Javascript Code + Session Cookie Theft
 * Abusing existing parameters - RCE
 * NodeJS npm - Privilege Escalation
Like: eWPT, eWPTXv2, OSWE, OSCP (Privilege Escalation)
Writeup: https://www.youtube.com/watch?v=ymvb94yAefM
Solved: Yes

Machine: Blunder
IP Address: 10.10.10.191
Operating System: Linux
Difficulty: Easy
Techniques Seen:
 * Bludit CMS Exploitation
 * Bypassing IP Blocking (X-Forwarded-For Header)
 * Directory Traversal Image File Upload (Playing with .htaccess)
 * Abusing sudo privilege (CVE-2019-14287)
Like: eWPT, OSWE, eWPTXv2
Writeup: https://www.youtube.com/watch?v=C64POGPpank
Solved: Yes

Machine: Static
IP Address: 10.10.10.246
Operating System: Linux
Difficulty: Hard
Techniques Seen:
 * Compressed File Recomposition (Fixgz)
 * Abusing TOTP (Python Scripting - NTP protocol)
 * Playing with Static Routes
 * XDebug Exploitation (RCE)
 * Abusing PHP-FPM (RCE) [CVE-2019-11043] (PIVOTING)
 * Abusing Capabilities (cap_setuid + Path Hijacking | Privilege Escalation)
Like: eWPT, eJPT (Static Routes), eCPPTv3, eCPTXv2, OSWE, OSCP
Writeup: https://www.youtube.com/watch?v=BmtLkWmJbgk
Solved: Yes

Machine: Aragog
IP Address: 10.10.10.78
Operating System: Linux
Difficulty: Medium
Techniques Seen:
 * XXE (XML External Entity Injection) Exploitation
 * Modifying a wordpress login to steal credentials (Privilege Escalation)
Like: eWPT, OSWE (Intrusion)
Writeup: https://www.youtube.com/watch?v=Q2jTs8QepFQ
Solved: Yes

Machine: Querier
IP Address: 10.10.10.125
Operating System: Windows
Difficulty: Medium
Techniques Seen:
 * Macro Inspection (Olevba2)
 * MSSQL Hash Stealing [Net-NTLMv2] (xp_dirtree)
 * Abusing MSSQL (xp_cmdshell)
 * Cached GPP Files (Privilege Escalation)
Like: OSCP, OSEP, eCPPTv3, Active Directory
Writeup: https://www.youtube.com/watch?v=hfzYnjBzW_k
Solved: Yes

Machine: Toby
IP Address: 10.10.11.121
Operating System: Linux
Difficulty: Insane
Techniques Seen:
 * Abusing GOGS (Project Enumeration)
 * Static Code Analysis (Finding a backdoor with php-malware-scanner)
 * Code deobfuscation
 * Reverse shell through backdoor
 * Setting up a SOCKS5 Proxy (Chisel/Proxychains)
 * Database Enumeration (Accessing GOGS)
 * Abusing API (Stealing an authentication hash in MYSQL through Wireshark)
 * Playing with epoch time to generate a potential list of passwords
 * Cracking Hashes
 * PIVOTING
 * Process Enumeration (pspy)
 * Abusing cron job to obtain a private key
 * Decrypting database passwords (AES Encryption)
 * Abusing PAM (Ghidra Analysis)
 * Getting the root password by abusing time
 * Advanced persistence techniques
Like: eWPT, OSWE, eWPTXv2, eCPPTv3, eCPTXv2
Writeup: https://www.youtube.com/watch?v=TLKid8-aI0E
Solved: Yes

Machine: Backdoor
IP Address: 10.10.11.125
Operating System: Linux
Difficulty: Easy
Techniques Seen:
 * WordPress Local File Inclusion Vulnerability (LFI)
 * LFI to RCE (Abusing /proc/PID/cmdline)
 * Gdbserver RCE Vulnerability
 * Abusing Screen (Privilege Escalation) [Session synchronization]
Like: OSCP, eWPT, OSWE, eWPTXv2
Writeup: https://www.youtube.com/watch?v=u5hjJ3p-XfU
Solved: Yes

Machine: Control
IP Address: 10.10.10.167
Operating System: Windows
Difficulty: Hard
Techniques Seen:
 * SQL Injection [SQLI] - Error Based
 * Advanced Bash Scripting (EXTRA)
 * SQLI to RCE (Into Outfile - PHP File Creation)
 * ConPtyShell (Fully Interactive Reverse Shell for Windows)
 * Playing with ScriptBlocks and PSCredential to execute commands as another user
 * AppLocker Bypass
 * WinPEAS Enumeration
 * Service ImagePath Hijacking (Privilege Escalation)
Like: OSCP, OSWE, eWPT
Writeup: https://www.youtube.com/watch?v=I1IDYLQeieE
Solved: Yes

Machine: Unobtainium
IP Address: 10.10.10.235
Operating System: Linux
Difficulty: Hard
Techniques Seen:
 * Inspecting custom application
 * Code Analysis
 * Information Leakage
 * Local File Inclusion (LFI)
 * Google CloudStorage Commands Vulnerability (Command Injection) [RCE]
 * Prototype Pollution Exploitation (Granting us privileges)
 * Kubernetes (Interacting with the API) [kubectl]
 * Finding containers with kubectl
 * PIVOTING
 * Abusing Prototype Pollution to jump to another container
 * Listing secrets with kubectl
 * Creating malicious Pod (Privilege Escalation) [Bad Pods]
 * Peirates - Kubernetes Penetration Testing Tool [EXTRA]
Like: eWPT, eWPTXv2, OSWE, eCPPTv3, eCPTXv2
Writeup: https://www.youtube.com/watch?v=zWDLDqis0Hs
Solved: Yes

Machine: Cache
IP Address: 10.10.10.188
Operating System: Linux
Difficulty: Medium
Techniques Seen:
 * Information Leakage (Code Inspection)
 * Abusing OpenEMR
 * Broken Access Control
 * Authentication Bypassing (Abusing the registration panel)
 * SQL Injection - Error Based [SQLI]
 * OpenEMR Authentication Exploit (RCE)
 * Abusing Docker Group (Privilege Escalation)
Like: eWPT, OSWE, OSCP (Privilege Escalation)
Writeup: https://www.youtube.com/watch?v=C0zJUGM00mc
Solved: Yes

Machine: Sense
IP Address: 10.10.10.60
Operating System: Linux
Difficulty: Easy
Techniques Seen:
 * Information Leakage
 * PFsense - Abusing RRD Graphs (RCE) [Evasion Techniques]
 * Python Exploit Development (AutoPwn) [EXTRA]
Like: eWPT, eWPTXv2, OSWE
Writeup: https://www.youtube.com/watch?v=mWTmXpQlgCs
Solved: Yes

Machine: Breadcrumbs
IP Address: 10.10.10.228
Operating System: Windows
Difficulty: Hard
Techniques Seen:
 * Local File Inclusion (LFI) [Abusing file_get_contents]
 * Abusing No Redirect
 * Forge PHPSESSID and getting valid Cookies
 * Forge JWT
 * Uploading WebShell
 * Obtaining system credentials through the webshell
 * Abusing Sticky Notes
 * Binary Analysis (Radare2)
 * SQL Injection (SQLI) [Error Based]
 * AES Decrypt (CyberChef)
Like: eWPT, eWPTXv2, OSWE, OSCP
Writeup: https://www.youtube.com/watch?v=R89-6VzGgFs
Solved: Yes

Machine: Search
IP Address: 10.10.11.129
Operating System: Windows
Difficulty: Hard
Techniques Seen:
 * Information Leakage - Password in picture (wtf?)
 * RPC Enumeration (rpcclient)
 * Ldap Enumeration (ldapdomaindump)
 * Bloodhound Enumeration
 * Kerberoasting Attack (GetUserSPNs.py)
 * SMB Password Spray Attack (Crackmapexec)
 * Unprotecting password-protected Excel (Remove Protection)
 * Playing with pfx certificates
 * Gaining access to Windows PowerShell Web Access
 * Abusing ReadGMSAPassword privilege
 * Abusing GenericAll privilege (Resetting a user's password)
 * Gaining access with wmiexec
Like: OSCP, OSEP, eCPPTv3, Active Directory
Writeup: https://www.youtube.com/watch?v=vTsD0TSgdGg
Solved: Yes

Machine: Ariekei
IP Address: 10.10.10.65
Operating System: Linux
Difficulty: Insane
Techniques Seen:
 * ImageTragick Exploitation (Specially designed '.mvg' file)
 * ShellShock Attack (WAF Bypassing)
 * Abusing Docker privilege
 * PIVOTING
Like: eCPPTv3, eCPTXv2, eWPT, OSWE
Writeup: https://www.youtube.com/watch?v=mjrrfNc454c
Solved: Yes
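
Machine: Forge
IP Address: 10.10.11.111
Operating System: Linux
Difficulty: Medium
Techniques Seen:
 * Bypassing URL Blacklist
 * Server Side Request Forgery (SSRF)
 * Abusing Sudoers Privilege (Abusing Python Script)
Like: eWPT, OSWE, OSCP
Writeup: https://www.youtube.com/watch?v=6JWPJ3YgDXc
Solved: Yes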

Machine: SwagShop
IP Address: 10.10.10.140
Operating System: Linux
Difficulty: Easy
Techniques Seen:
 * Magento CMS Exploitation (Creating an admin user)
 * Magento - Froghopper Attack (RCE)
 * Abusing sudoers (Privilege Escalation)
Like: eWPT, OSWE, OSCP
Writeup: https://www.youtube.com/watch?v=7Lc9taXgLCA
Solved: Yes

Machine: BackendTwo
IP Address: 10.10.11.162
Operating System: Linux
Difficulty: Medium
Techniques Seen:
 * API Enumeration
 * Abusing API - Registering a user
 * Accessing the Docs path of FastAPI
 * Mass Assignment Attack (Becoming superusers)
 * Abusing API - Reading system files
 * Information Leakage
 * Forge JWT (Assigning us an extra privilege)
 * Abusing API - Creating a new file to achieve remote command execution (RCE)
 * Abusing pam_wordle (Privilege Escalation)
Like: eWPT, eWPTXv2, OSWE
Writeup: https://www.youtube.com/watch?v=JLaMxPbdvlo
Solved: Yes

Machine: MultiMaster
IP Address: 10.10.10.179
Operating System: Windows
Difficulty: Insane
Techniques Seen:
 * SQLI (SQL Injection) - Unicode Injection
 * WAF Bypassing
 * Advanced Python Scripting - Creation of an automation tool to handle Unicode in SQL injection
 * Database enumeration through the previously created utility
 * Cracking Passwords
 * Active Directory Enumeration
 * Enumerating domain information through SQL injection
 * Obtaining domain RIDs through SQL injection
 * Applying brute-force attack (SID = SID+RID) to obtain existing domain users [Python Scripting]
 * SMB Brute Force Attack (Crackmapexec)
 * Enumerating AD existing users (rpcclient/rpcenum)
 * Abusing Remote Management User group
 * Microsoft Visual Studio 10.0 Exploitation (User Pivoting)
 * Using libwebsockets in order to connect to a CEF Debugger (RCE)
 * AMSI Bypass - Playing with Nishang
 * AMSI Bypass - Bypass-4MSI Alternative (evil-winrm)
 * DLL Inspection - Information Leakage
 * BloodHound Enumeration
 * Abusing the GenericWrite privilege on a user
 * Making a user vulnerable to an ASREPRoast attack - Disabling Kerberos Pre-Authentication
 * Requesting the TGT of the manipulated user
 * Abusing Server Operators Group
 * Abusing an existing service by manipulating its binPATH
 * We change the password of the administrator user after restarting the manipulated service
Like: OSCP, OSEP, eCPPTv3, eWPT, eWPTXv2, OSWE, Active Directory
Writeup: https://www.youtube.com/watch?v=z6nmcyk1Pbo
Solved: Yes

Machine: Unicode
IP Address: 10.10.11.126
Operating System: Linux
Difficulty: Medium
Techniques Seen:
 * JWT Enumeration
 * JWT - Claim Misuse Vulnerability
 * JSON Web Key Generator (Playing with mkjwk)
 * Forge JWT
 * Open Redirect Vulnerability
 * Creating a JWT for the admin user
 * LFI (Local File Inclusion) - Unicode Normalization Vulnerability
 * Abusing Sudoers Privilege
 * Playing with pyinstxtractor and pycdc
 * Bypassing badchars and creating a new passwd archive (Privilege Escalation)
Like: eWPT, eWPTXv2, OSWE
Writeup: https://www.youtube.com/watch?v=ofz_1ncuCm4
Solved: Yes

Machine: Postman
IP Address: 10.10.10.160
Operating System: Linux
Difficulty: Easy
Techniques Seen:
 * Redis Enumeration
 * Redis Exploitation - Write SSH Key
 * Webmin Exploitation - Python Scripting
 * We create our own exploit in Python - AutoPwn [Ruby code adaptation from Metasploit]
Like: eWPT, eWPTXv2, OSWE
Writeup: https://www.youtube.com/watch?v=PE3B3rHVTSw
Solved: Yes

Machine: Servmon
IP Address: 10.10.10.184
Operating System: Windows
Difficulty: Easy
Techniques Seen:
 * NVMS-1000 Exploitation - Directory Traversal
 * Local File Inclusion (LFI)
 * Local Port Forwarding - SSH
 * NSClient++ Exploitation - Privilege Escalation
Like: eWPT, OSCP
Writeup: https://www.youtube.com/watch?v=UOrtDZsP0aQ
Solved: Yes

Machine: Schooled
IP Address: 10.10.10.234
Operating System: Linux
Difficulty: Medium
Techniques Seen:
 * VHost Brute Force
 * Moodle Enumeration
 * Moodle - Stored XSS
 * Stealing a teacher's session cookie
 * Privilege escalation from teacher role into manager role to RCE [CVE-2020-14321]
 * Elevating our privilege to Manager in Moodle - User Impersonation
 * Mass Assignment Attack - Enable Full Permissions
 * Giving us the ability to install a plugin
 * Achieving remote command execution through installation of a malicious Plugin
 * Enumerating the database once we have gained access to the system
 * Cracking Hashes
 * Abusing sudoers privilege (pkg install package) [Privilege Escalation]
Like: eWPT, eWPTXv2, OSWE
Writeup: https://www.youtube.com/watch?v=HNHvMgQwHQM
Solved: Yes

Machine: Oz
IP Address: 10.10.10.96
Operating System: Linux
Difficulty: Hard
Techniques Seen:
 * SQL Injection (SQLI)
 * Server Side Template Injection (SSTI) (RCE)
 * Abusing Knockd
 * Network enumeration techniques using bash oneliners
 * PIVOTING
 * Portainer 1.11.1 Exploitation - Resetting the admin password
 * Creating a new container from Portainer (Privilege Escalation)
Like: eWPT, eWPTXv2, OSWE, eCPPTv3, eCPTXv2
Writeup: https://www.youtube.com/watch?v=nqGs42yM75c
Solved: Yes

Machine: CTF
IP Address: 10.10.10.122
Operating System: Linux
Difficulty: Insane
Techniques Seen:
 * LDAP Injection
 * LDAP Injection - Discovering valid usernames
 * LDAP Injection - Attribute Brute Force [Discovering valid LDAP fields]
 * LDAP Injection - Obtaining OTP Seed
 * Generating One-Time Password (OTP) [stoken]
 * Second Order Ldap Injection
 * Abusing backup - 7za Symbolic Links (Privilege Escalation)
Like: eWPT, eWPTXv2, OSWE
Writeup: https://www.youtube.com/watch?v=LWh6unoFu8I
Solved: Yes

Machine: Buff
IP Address: 10.10.10.198
Operating System: Windows
Difficulty: Easy
Techniques Seen:
 * Gym Management System Exploitation (RCE)
 * CloudMe Exploitation [Buffer Overflow] [OSCP Like] (Manual procedure) [Python Scripting]
Like: OSCP, eCPPTv3, Buffer Overflow
Writeup: https://www.youtube.com/watch?v=TytUFooC3kU
Solved: Yes

Machine: Kotarak
IP Address: 10.10.10.55
Operating System: Linux
Difficulty: Hard
Techniques Seen:
 * Server Side Request Forgery (SSRF) [Internal Port Discovery]
 * Information Leakage [Backup]
 * Tomcat Exploitation [Malicious WAR]
 * Dumping hashes [NTDS]
 * Wget 1.12 Vulnerability [CVE-2016-4971] [Privilege Escalation] (PIVOTING)
Like: eWPT, eWPTXv2, OSWE, eCPPTv3, eCPTXv2
Writeup: https://www.youtube.com/watch?v=q2Cv2IQUzdw
Solved: Yes

Machine: Crossfit
IP Address: 10.10.10.208
Operating System: Linux
Difficulty: Insane
Techniques Seen:
 * FTP SSL Certificate Enumeration
 * XSS Injection
 * Subdomain Enumeration through the Origin Header [Access-Control-Allow-Origin]
 * Accessing internal websites through XSS - Creating a javascript file
 * Registering a new user through XSS - CSRF Protection Bypass
 * Uploading a webshell with lftp
 * Cracking Hashes
 * Abusing Cron Job
 * php-shellcommand exploitation - escapeArgs option is not working properly
 * Injecting data into the database to achieve remote command execution (RCE) [User Pivoting]
 * Binary Analysis - dbmsg [GHIDRA]
 * Reversing
 * Creating an exploit - Abusing Rand [Time travel]
 * Abusing symbolic links
 * Injecting our own public key as authorized_keys in /root
Like: eWPTXv2, OSWE
Writeup: https://www.youtube.com/watch?v=sIaVrGnzRjM
Solved: Yes

Machine: CrimeStoppers
IP Address: 10.10.10.80
Operating System: Linux
Difficulty: Hard
Techniques Seen:
 * Local File Inclusion (LFI)
 * LFI - Base64 Wrapper [Reading PHP files]
 * LFI to RCE - ZIP Wrapper
 * Thunderbird - Password Extraction & Reading Messages (firefoxpwd tool)
 * Rootkit - apache_modrootme [GHIDRA/Radare2 Analysis] (Privilege Escalation)
Like: eWPT, OSWE
Writeup: https://www.youtube.com/watch?v=6IO3gAtP3dc
Solved: Yes

Machine: Nightmare
IP Address: 10.10.10.66
Operating System: Linux
Difficulty: Insane
Techniques Seen:
 * HTML Injection
 * XSS Injection
 * SQL Injection (SQLI) - Error Based
 * OpenSSH <= 6.6 SFTP misconfiguration universal exploit (RCE)
 * Script Modification
 * Binary Analysis [GHIDRA/Radare2]
 * In-depth analysis with Radare2 [Tips and tricks]
 * Command Injection - User Pivoting
 * Ubuntu Xenial Privilege Escalation - Kernel Exploitation
Like: eWPT, OSWE
Writeup: https://www.youtube.com/watch?v=nBDnCjRxmO8
Solved: Yes

Machine: Pandora
IP Address: 10.10.11.136
Operating System: Linux
Difficulty: Easy
Techniques Seen:
 * SNMP Fast Enumeration
 * Information Leakage
 * Local Port Forwarding
 * SQL Injection - Admin Session Hijacking
 * PandoraFMS v7.0NG Authenticated Remote Code Execution [CVE-2019-20224]
 * Abusing Custom Binary - PATH Hijacking [Privilege Escalation]
Like: OSCP, eWPT
Writeup: https://www.youtube.com/watch?v=Np_zA-SOwYo
Solved: Yes
97
Bastard10.10.10.9WindowsMediaDrupal Enumeration
Drupal 7.X Module Services - Remote Code Execution [SQL Injection]
Drupal Admin Cookie Hijacking
Drupal < 7.58 / < 8.3.9 / < 8.4.6 / < 8.5.1 - 'Drupalgeddon2' Remote Code
Execution
SA-CORE-2018-004 - 'Drupalgeddon3' Remote Code Execution
Sherlock Enumeration (Privilege Escalation)
MS15-051-KB3045171 - Kernel Exploitation [Way 1]
Abusing SeImpersonatePrivilege [Way 2]
Like: OSCP, eWPT
Writeup: https://www.youtube.com/watch?v=VHeDNq4OrqI
Solved: Yes
98
Safe | 10.10.10.147 | Linux | Easy
Information Leakage
Buffer Overflow [x64] [ROP Attacks using PwnTools] [NX Bypass] [ASLR Bypass]
Trying to hijack the argument to the system() function by loading our content in RDI [Way 1]
Leaking puts and libc address to make a system call with the argument loaded in RDI [Way 2] [EXTRA]
Abusing keepass to obtain the root password [Privilege Escalation]
Like: Buffer Overflow
Writeup: https://www.youtube.com/watch?v=jvoiMos46IY
Solved: Yes
99
RedCross | 10.10.10.113 | Linux | Medium
Subdomain Enumeration
XSS Injection - Stealing the admin user cookie
Injection RCE
Abusing Custom Binary - Binary Exploitation
Buffer Overflow [x64] [ROP Attacks using PwnTools] [NX Bypass] [ASLR Bypass] [Privilege Escalation]
Like: eWPT, Buffer Overflow
Writeup: https://www.youtube.com/watch?v=prg88ajxAPc
Solved: Yes
100
TartarSauce | 10.10.10.88 | Linux | Medium
RFI (Remote File Inclusion) - Abusing Wordpress Plugin [Gwolle-gb]
RFI to RCE (Creating our malicious PHP file)
Abusing Sudoers Privilege (Tar Command)
Abusing Cron Job (Privilege Escalation) [Code Analysis] [Bash Scripting]
Like: eWPT, OSWE, OSCP
Writeup: https://www.youtube.com/watch?v=nyp6eixPSMA
Solved: Yes
101
Cronos | 10.10.10.13 | Linux | Medium
Domain Zone Transfer (AXFR)
SQLI (Blind Time Based) - Creating a custom Python script
Command Injection
Abusing Cron Job [Privilege Escalation]
Like: eWPT, eWPTXv2, OSWE, OSCP
Writeup: https://www.youtube.com/watch?v=kBw3UyBt7Hc
Solved: Yes
102
AdmirerToo | 10.10.11.137 | Linux | Hard
Subdomain Enumeration
Adminer Enumeration
SSRF (Server Side Request Forgery) in Adminer [CVE-2021-21311]
Abusing redirect to discover internal services
OpenTSDB Exploitation [CVE-2020-35476] [Remote Code Execution]
Searching for valid metrics
OpenCats PHP Object Injection to Arbitrary File Write
Abusing Fail2ban [Remote Code Execution] (CVE-2021-32749)
Playing with phpggc in order to serialize our data
Abusing whois config file + OpenCats + Fail2ban [Privilege Escalation]
Like: eWPT, eWPTXv2, OSWE
Writeup: https://www.youtube.com/watch?v=YmZLdJRBKv0
Solved: Yes
103
Admirer | 10.10.10.187 | Linux | Easy
Information Leakage
Admirer Exploitation (Abusing LOAD DATA LOCAL Query)
Abusing Sudoers Privilege [Library Hijacking - Python] (Privilege Escalation)
Like: eWPT, OSWE, OSCP
Writeup: https://www.youtube.com/watch?v=ofAHf1i8XMQ
Solved: Yes
104
Time | 10.10.10.214 | Linux | Medium
Jackson CVE-2019-12384 Exploitation - SSRF to RCE
Abusing Cron Job [Privilege Escalation]
Like: eWPT, OSWE, OSCP
Writeup: https://www.youtube.com/watch?v=ESxAyDX2Dg4
Solved: Yes
105
Nineveh | 10.10.10.43 | Linux | Medium
Abusing http forms with Hydra - Login Brute Force
Local File Inclusion (LFI)
Steganography - id_rsa hidden in image
Abusing phpLiteAdmin v1.9 (Remote Code Execution)
Abusing Knockd - Port Knocking
Chkrootkit 0.49 - Local Privilege Escalation
Using Wrappers - LFI [EXTRA]
Like: eWPT, OSWE, OSCP
Writeup: https://www.youtube.com/watch?v=ATDC1eGgnp0
Solved: Yes
106
Fortune | 10.10.10.127 | Linux | Insane
Command Injection
OpenSSL - Creating a new key
OpenSSL - Creating a CSR file (Certificate Signing Request)
OpenSSL - Creating a PEM file
OpenSSL - Creating a PFX file (pkcs12) to import it into the Firefox browser
NFS share mount
Editing our user ID in order to gain access to the NFS directories
Code Analysis - Crypto Challenge
Like: eWPT, eWPTXv2, OSWE
Writeup: https://www.youtube.com/watch?v=zYjeNFx-ymg
Solved: Yes
107
Timing | 10.10.11.135 | Linux | Medium
Local File Inclusion (LFI)
Using Wrappers - Base64 Wrapper
Code Inspection
Role manipulation
File Upload Exploitation
Abusing Sudoers Privilege - Playing with symbolic links
Like: eWPT, eWPTXv2, OSWE
Writeup: https://www.youtube.com/watch?v=5GH6Ze84FTQ
Solved: Yes
108
Bounty | 10.10.10.93 | Windows | Easy
IIS Enumeration
Creating our own extension fuzzer in Python [Python Scripting] [EXTRA]
IIS Exploitation - Executing code via web.config file upload
Abusing SeImpersonatePrivilege - Juicy Potato [Privilege Escalation]
Like: eWPT, OSWE, OSCP
Writeup: https://www.youtube.com/watch?v=lVLVaArHL5o
Solved: Yes
109
Curling | 10.10.10.150 | Linux | Easy
Information Leakage wtf xd
Joomla Enumeration
Joomla Exploitation [Abusing Templates] [RCE]
Decompression Challenge
Abusing Curl [Playing with Config files] [Privilege Escalation]
Like: eWPT
Writeup: https://www.youtube.com/watch?v=NKKvDtPacOw
Solved: Yes
110
Writer | 10.10.11.101 | Linux | Medium
RPC Enum
SQLi Bypass Login + SQL Injection [Database Enumeration]
SQLi - File System Enumeration (Abusing load_file)
Python Code Analysis
Command Injection
Cracking Hashes
Postfix Enumeration
Abusing Cron Job [User Pivoting]
Abusing apt config files [Privilege Escalation]
Like: eWPT, eWPTXv2, OSWE, OSCP
Writeup: https://www.youtube.com/watch?v=Eh5ywJJX1oE
Solved: Yes
111
Reel | 10.10.10.77 | Windows | Hard
Metadata Inspection
SMTP Enumeration (VRFY Manual vs smtp-user-enum)
Crafting a malicious RTF document [PHISHING] [CVE-2017-0199]
Sending an email to get command execution [RCE]
Playing with PSCredential Objects (XML files | PowerShell - Import-CliXml)
ACLs Inspection (Active Directory Enumeration)
Abusing WriteOwner Active Directory Rights
Playing with PowerView (Set-DomainObjectOwner, Add-DomainObjectAcl & Set-DomainUserPassword)
Abusing WriteDacl Active Directory Rights
Information Leakage [Privilege Escalation]
Like: OSCP, OSEP, eCPPTv3, Active Directory
Writeup: https://www.youtube.com/watch?v=ai5_9H-wutw
Solved: Yes
112
Jerry | 10.10.10.95 | Windows | Easy
Information Leakage
Abusing Tomcat [Intrusion & Privilege Escalation]
Like: eJPT
Writeup: https://www.youtube.com/watch?v=bB-M5vPegMk
Solved: Yes
113
Meta | 10.10.11.140 | Linux | Medium
Subdomain Enumeration
Abusing File Upload
Exiftool Exploitation [RCE]
ImageMagick Exploitation [User Pivoting] - SVG MSL Polyglot File
Abusing Neofetch [Privilege Escalation]
Like: eWPT, OSWE, OSCP
Writeup: https://www.youtube.com/watch?v=L58krS9kY_A
Solved: Yes
114
Jail | 10.10.10.34 | Linux | Insane
Code Analysis
Binary Exploitation
Buffer Overflow x32 - Socket Re-Use Shellcode Technique
GDB Tips
NFSv3 Privesc
Abusing sudoers privilege (rvim command)
Cracking RAR file
Crypto Challenge (Playing with RsaCtfTool to get the private key)
Like: Buffer Overflow, OSCP (Escalation)
Writeup: https://www.youtube.com/watch?v=lCrQLzE-CjI
Solved: Yes
115
Tenten | 10.10.10.10 | Linux | Medium
Wordpress Enumeration
CV filename disclosure on Job-Manager Wordpress Plugin [CVE-2015-6668]
Steganography Challenge (Steghide)
Cracking Hashes [Protected SSH Private Key]
Abusing sudoers privilege
Like: eWPT, eJPT
Writeup: https://www.youtube.com/watch?v=T1pr-A8qA7I
Solved: Yes
116
SecNotes | 10.10.10.97 | Windows | Medium
User Enumeration (Wfuzz)
Reflected XSS
Stored XSS
SQL Injection
Cross-Site Request Forgery (CSRF) - Changing a user's password
IIS Exploitation (Uploading WebShell)
Abusing Linux subsystem
Information Leakage [Privilege Escalation]
Like: eWPT, OSCP
Writeup: https://www.youtube.com/watch?v=JZf7t3UMuVw
Solved: Yes
117
Chatterbox | 10.10.10.74 | Windows | Medium
Achat 0.150 beta7 - Buffer Overflow (Windows 7 32 bits)
Generating a Shellcode based on our needs + TIPS
Icacls Abuse (Privilege Escalation)
PowerUp Enumeration (Alternative Privilege Escalation)
Like: OSCP, Buffer Overflow
Writeup: https://www.youtube.com/watch?v=mQnwwu97f1g
Solved: Yes
118
Union | 10.10.11.128 | Linux | Medium
SQLI (SQL Injection) - UNION Injection
SQLI - Read Files
HTTP Header Command Injection - X-FORWARDED-FOR [RCE]
Abusing sudoers privilege [Privilege Escalation]
Like: eWPT, eJPT
Writeup: https://www.youtube.com/watch?v=i2aHMXFb1Yk
Solved: Yes
119
Paper | 10.10.11.143 | Linux | Easy
Information Leakage
Abusing WordPress - Unauthenticated View Private/Draft Posts
Abusing Rocket Chat Bot
Polkit (CVE-2021-3560) [Privilege Escalation]
Like: eWPT, OSCP (Escalation)
Writeup: https://www.youtube.com/watch?v=7X5p3WmSnIs
Solved: Yes
120
Dab | 10.10.10.86 | Linux | Hard
Applying brute force to an authentication panel - Wfuzz (Discovering valid password)
Applying cookie discovery with Wfuzz (Brute Force)
SSRF - Server Side Request Forgery (Internal Port Discovery) - Wfuzz
Abusing Memcached - Getting stored credentials
Cracking Hashes
SSH User Enumeration - CVE-2018-15473
Abusing SUID Binary
Ltrace/Radare2 Inspection (Password Leaking)
Hijacking dynamically linked shared object library [Privilege Escalation]
Like: eWPT, OSWE, OSCP
Writeup: https://www.youtube.com/watch?v=ZmagS_Q_FrY
Solved: Yes
121
Fulcrum | 10.10.10.62 | Linux | Insane
API Enumeration - Endpoint Brute Force
Advanced XXE Exploitation (XML External Entity Injection)
XXE - Custom Entities
XXE - External Entities
XXE - XML Parameter Entities
XXE - Blind SSRF (Exfiltrate data out-of-band) + Base64 Wrapper [Reading Internal Files]
XXE + RFI (Remote File Inclusion) / SSRF to RCE
Host Discovery - Bash Scripting
Port Discovery - Bash Scripting
Decrypting PSCredential Password with PowerShell
PIVOTING 1 - Tunneling with Chisel + Evil-WinRM
Gaining access to a Windows system
PowerView.ps1 - Active Directory Users Enumeration (Playing with Get-DomainUser)
Information Leakage - Domain User Password
PIVOTING 2 - Using Invoke-Command to execute commands on another Windows server
Firewall Bypassing (Playing with Test-NetConnection in PowerShell) - DNS Reverse Shell
Authenticating to the DC shares - SYSVOL Enumeration
Information Leakage - Domain Admin Password
PIVOTING 3 - Using Invoke-Command to execute commands on the Domain Controller (DC)
Like: eWPT, eWPTXv2, eCPPTv3, eCPTXv2, OSWE, OSCP, OSEP, Active Directory
Writeup: https://www.youtube.com/watch?v=O8-l2KNeRkM
Solved: Yes
122
Monteverde | 10.10.10.172 | Windows | Medium
RPC Enumeration
Credential Brute Force - CrackMapExec
Shell Over WinRM
Abusing Azure Admins Group - Obtaining the administrator's password (Privilege Escalation)
Like: OSCP, OSEP, eCPPTv3, Active Directory
Writeup: https://www.youtube.com/watch?v=-wQFA1zPqIc
Solved: Yes
123
Player | 10.10.10.145 | Linux | Hard
Subdomain Enumeration
JWT Enumeration
Information Leakage - Abusing No Redirect
Playing with BFAC (Backup File Artifacts Checker) in order to find a configuration file
PHP Source Code Analysis
Forge JWT
Abusing ffmpeg AVI Exploit in order to read internal files
Escaping Limited Shell - OpenSSH 7.2p1 (Authenticated) XAuth Command Injection
Abusing Codiad IDE in order to execute commands (RCE - www-data)
Abusing Cron Job (Privilege Escalation)
Like: eWPT, OSWE, OSCP (Escalation)
Writeup: https://www.youtube.com/watch?v=UEGJKIvx_Y0
Solved: Yes
124
Phoenix | 10.10.11.149 | Linux | Hard
Asgaros Forum Exploitation - Unauthenticated Blind Time Based SQL Injection (SQLI)
Download From Files 1.48 - Arbitrary File Upload (WordPress Plugin Exploitation)
Cracking Hashes
Abusing PAM configuration for the Secure Shell service (SSH)
Abusing Cron Job (Rsync Exploitation) [Privilege Escalation]
Like: eWPT, OSWE, OSCP
Writeup: https://www.youtube.com/watch?v=2dI1F8c0al8
Solved: Yes
125
Inception | 10.10.10.67 | Linux | Medium
DomPDF Exploitation - Local File Inclusion (LFI) [CVE-2014-2383]
Bash Scripting
Abusing Squid Proxy
Internal Port Discovery via Squid Proxy - Wfuzz
Abusing WebDAV - WebShell (Using davtest)
Creating a Forward Shell (Python Scripting) - Bypassing Firewall Rules
PIVOTING
Host Discovery && Port Discovery - Bash Scripting
Abusing Cron Job - Apt Pre-Invoke Script (Privilege Escalation)
Like: eWPT, OSWE, eCPPTv3
Writeup: https://www.youtube.com/watch?v=RcvpSxngnQI
Solved: Yes
126
Europa | 10.10.10.22 | Linux | Medium
SSL Certificate Inspection
Login Bypass - SQLI
SQLI (Blind Time Based) [Python Scripting]
Abusing preg_replace (REGEX Danger) [RCE]
Creating an AutoPwn script for Intrusion [Python Scripting]
Abusing Cron Job [Privilege Escalation]
Like: OSCP, eWPT, eWPTXv2, OSWE
Writeup: https://www.youtube.com/watch?v=PpkQW8U0-cc
Solved: Yes
127
Teacher | 10.10.10.153 | Linux | Easy
Information Leakage
Abusing Moodle - Login BruteForce (Wfuzz)
Moodle Exploitation - Code Injection (Abusing Math formulas in Quiz component) [RCE]
Database Enumeration
Cracking Hashes
Abusing Cron Job [Privilege Escalation]
Like: eWPT, OSWE, eWPTXv2, OSCP
Writeup: https://www.youtube.com/watch?v=SZoH_6maN6k
Solved: Yes
128
Falafel | 10.10.10.73 | Linux | Hard
Information Leakage
SQL Injection (SQLI) - Abusing substring function
Obtaining user passwords [Python Scripting]
PHP Type Juggling Exploitation (0e hash collision)
Abusing File Upload - File name truncation (Bordering the limits)
Abusing video group - Taking a screenshot to view a password [GIMP && Playing with virtual_size]
Abusing disk group to read the flag [debugfs] [Privilege Escalation]
Like: eWPT, eWPTXv2, OSWE
Writeup: https://www.youtube.com/watch?v=VMlTK6Okxok
Solved: Yes
129
Optimum | 10.10.10.8 | Windows | Easy
HttpFileServer 2.3 Exploitation [RCE]
System Recognition - Windows Exploit Suggester
Microsoft Windows 8.1 (x64) - 'RGNOBJ' Integer Overflow (MS16-098) [Privilege Escalation]
Like: OSCP, eWPT
Writeup: https://www.youtube.com/watch?v=ggkUREL6djQ
Solved: Yes
130
Undetected | 10.10.11.146 | Linux | Medium
Virtual Hosting Enumeration
Abusing Directory Listing
PHPUnit 5.6 Exploitation (CVE-2017-9841) [RCE]
Backup Inspection
Binary Analysis - GHIDRA
Cracking Hashes
Apache Backdoor Analysis [Privilege Escalation]
Like: eWPT, OSWE
Writeup: https://www.youtube.com/watch?v=L7MU3DZqIN0
Solved: Yes
131
Worker | 10.10.10.203 | Windows | Medium
SVN - Subversion Enumeration
Information Leakage
VHost Fuzzing - Gobuster
Azure DevOps Enumeration
Abusing Azure DevOps - Creating a Branch
Abusing Azure DevOps - Playing with existing Pipelines [RCE]
IIS Exploitation
Elevating our Azure DevOps privilege
Abusing Azure DevOps - Creating a new Pipeline
Azure DevOps Exploitation - Creating a malicious YAML file [Privilege Escalation]
Like: OSCP, eWPT, eWPTXv2
Writeup: https://www.youtube.com/watch?v=Bcwl1OfFOfU
Solved: Yes
132
Bart | 10.10.10.81 | Windows | Medium
Subdomain Enumeration - Gobuster
Information Leakage
Username enumeration - Abusing the Forget Password Option
Simple Chat Exploitation - Creating a new user
Log Poisoning Attack - User Agent [RCE]
Nishang Invoke-PowerShellTcp Shell
Abusing SeImpersonatePrivilege [Privilege Escalation]
Like: OSCP, eWPT, eWPTXv2, OSWE
Writeup: https://www.youtube.com/watch?v=zqwCsqeyNrI
Solved: Yes
133
Conceal | 10.10.10.116 | Windows | Hard
UDP Scan
SNMP Enumeration
Enumerating Ike Hosts - ike-scan
Installing and configuring Strongswan (IPSEC/VPN) [ipsec.secret/ipsec.conf]
Performing a new scan through IPSEC
Abusing IIS - File Upload via FTP (Malicious ASP file) [RCE]
Nishang Invoke-PowerShellTcp Shell
Abusing SeImpersonatePrivilege [Privilege Escalation]
Like: OSCP, eWPT
Writeup: https://www.youtube.com/watch?v=i2khZEZvoPk
Solved: Yes
134
Arctic | 10.10.10.11 | Windows | Easy
Adobe ColdFusion 8 Exploitation
Directory Traversal Vulnerability
Cracking Hashes
Abusing Scheduled Tasks - Creating malicious JSP file
Abusing SeImpersonatePrivilege [Privilege Escalation]
Like: OSCP, eWPT
Writeup: https://www.youtube.com/watch?v=cZ-C3d7mux0
Solved: Yes
135
RouterSpace | 10.10.11.148 | Linux | Easy
Mobile Application Penetration Testing
APK Analysis and Debugging
Decoding APK with APKTool
Files Inspection
Installing Anbox on Parrot Security
Setting up a new proxy in Anbox
Installing the APK application and analyzing requests with Burpsuite
Command Injection in one of the found requests [RCE]
LinPeas Recon - Enumeration
Abusing Sudo Version 1.8.31 [Privilege Escalation]
Like: eWPT, Mobile
Writeup: https://www.youtube.com/watch?v=AWD2eDF1oiw
Solved: Yes
136
Oouch | 10.10.10.177 | Linux | Hard
FTP Enumeration
Abusing OAuth Endpoint
Virtual Hosting Enumeration
Breaking OAuth Logic - Authorize as Administrator
Registering a new application - Django Docs
Abusing Authorization Workflow
Token Stealing
Playing with Bearer Tokens - Abusing Authentication
Information Leakage
Host Discovery && Port Discovery - Bash Scripting
PIVOTING
UWSGI Exploitation [RCE] - User Pivoting
Abusing DBUS Message [Privilege Escalation]
Like: eWPT, eWPTXv2, eCPPTv3, OSWE
Writeup: https://www.youtube.com/watch?v=uIIZG2miowo
Solved: Yes
137
Celestial | 10.10.10.85 | Linux | Medium
NodeJS Deserialization Attack [RCE]
IIFE Serialization/Deserialization Attack - Explained
Node Reverse Shell
Abusing Cron Job
Like: OSWE, eWPT, eWPTXv2, OSCP
Writeup: https://www.youtube.com/watch?v=esrAYODKnBY
Solved: Yes
138
Resolute | 10.10.10.169 | Windows | Medium
RPC Enumeration - Abusing querydispinfo
CrackMapExec SMB Authentication Spraying
Abusing WinRM - EvilWinRM
Information Leakage
LOLBAS
Abusing DnsAdmins Group - dnscmd [Privilege Escalation]
Creating a malicious DLL and injecting it into the dns service
Like: OSCP, OSEP, eCPPTv3, Active Directory
Writeup: https://www.youtube.com/watch?v=h_brlhoSfy8
Solved: Yes
139
Book | 10.10.10.176 | Linux | Medium
SQL Truncation Attack
Local File Read via XSS in Dynamically Generated PDF - HackTricks
Abusing Cron Job - Logrotate Exploit (Logrotten) [Privilege Escalation]
Like: eWPT, OSWE, OSCP
Writeup: https://www.youtube.com/watch?v=d7GcXm_DWHg
Solved: Yes
140
Haircut | 10.10.10.24 | Linux | Medium
SSRF Attack (Server Side Request Forgery)
Abusing a Curl implementation - Upload malicious PHP file
Command Injection - Alternative Exploitation
GNU Screen 4.5.0 - Local Privilege Escalation
Like: OSCP, eWPT
Writeup: https://www.youtube.com/watch?v=9gurBGeazok
Solved: Yes
141
Acute | 10.10.11.145 | Windows | Hard
Virtual Hosting
Information Leakage
Abusing Windows PowerShell Web Access
Real-time monitoring of the victim's screen
Getting remote command execution on another server - PIVOTING
Abusing a PowerShell file to get remote command execution as another user - User Pivoting
Dump Hives && Get Hashes
Cracking Hashes
Password Reuse
Abusing Cron Job - BAT file [Privilege Escalation]
Like: OSCP, OSEP, eCPPTv3, Active Directory
Writeup: https://www.youtube.com/watch?v=ZYW-Cj1yjdQ
Solved: Yes
142
Sauna | 10.10.10.175 | Windows | Easy
Information Leakage
Ldap Enumeration
Kerberos User Enumeration - Kerbrute
ASRepRoast Attack (GetNPUsers)
Cracking Hashes
System Enumeration - WinPEAS
AutoLogon Credentials
BloodHound - SharpHound.ps1
DCSync Attack - Secretsdump [Privilege Escalation]
PassTheHash
Like: OSCP, OSEP, eCPPTv3, Active Directory
Writeup: https://www.youtube.com/watch?v=zuMEHLnH_E0
Solved: Yes
143
Lazy | 10.10.10.18 | Linux | Medium
Padding Oracle Attack (Padbuster)
Bit Flipper Attack (BurpSuite) - Obtaining the admin user's Cookie
Abusing SUID binary
PATH Hijacking [Privilege Escalation]
Like: eWPT, OSWE, OSCP
Writeup: https://www.youtube.com/watch?v=1bJryn5mJLM
Solved: Yes
144
Charon | 10.10.10.31 | Linux | Hard
SQLI (SQL Injection) - Union Injection
SQLI - WAF Bypass
Cracking Hashes
Uploading a file abusing a hidden property
Filtering Bypass
Abusing RSA - Creating a private key based on a public one
Decrypting a message with the generated private key
Abusing SUID Binary [Privilege Escalation]
Like: eWPT, OSWE, OSCP
Writeup: https://www.youtube.com/watch?v=S1L92tszls0
Solved: Yes
145
Feline | 10.10.10.205 | Linux | Hard
Information leakage in error message
RCE by deserialization in Apache Tomcat with PersistentManager - CVE-2020-9484 [RCE]
Playing with Ysoserial - CommonsCollections2
Manipulating our session cookie (JSESSIONID) + Directory Path Traversal
Playing with chisel [Socks Proxy + Proxychains (socks5)]
SaltStack Exploitation - CVE-2020-1651
Gaining root access to a container
Playing with docker.sock file + Abusing Docker API [Privilege Escalation]
PIVOTING
Like: eWPT, eWPTXv2, eCPPTv3, eCPTXv2, OSWE
Writeup: https://www.youtube.com/watch?v=0e91a_Pns2Q
Solved: Yes
146
Blue | 10.10.10.40 | Windows | Easy
SMB Enumeration
Eternalblue Exploitation (MS17-010) [Triple Z Exploit]
Obtaining credentials stored in memory [MIMIKATZ + Windows Defender Evasion] (EXTRA)
Enabling RDP from CrackMapExec (EXTRA)
Windows Persistence techniques (EXTRA)
Windows Persistence - Playing with debugger [When a user opens a program] (EXTRA)
Windows Persistence - Playing with Gflags [When a user closes a program] (EXTRA)
Windows Persistence - Playing with WMI Events [Executing tasks at regular intervals of time] (EXTRA)
Persistence + Windows Defender Evasion [Playing with Ebowla] (EXTRA)
Like: OSCP
Writeup: https://www.youtube.com/watch?v=92XycxcAXkI
Solved: Yes
147
Catch | 10.10.11.150 | Linux | Medium
APK Analysis (apktool, d2j-dex2jar)
JD-GUI - Code Inspection
Information Leakage - Visible Token values
Cachet Framework Exploitation - SQLI
Let's Chat Exploitation - Abusing API (Reading Private Messages)
Cachet Framework Exploitation - Server Side Template Injection (SSTI) [RCE]
Abusing Cron Job [Privilege Escalation]
Like: eWPT, eWPTXv2, OSWE, Mobile
Writeup: https://www.youtube.com/watch?v=A6oVNwawRzM
Solved: Yes
148
RE | 10.10.10.144 | Windows | Hard
Creating a malicious office document (libreoffice) - Playing with Macros
Macros Obfuscation - Bypassing YARA Rules
ConPtyShell - Enhancing our console mobility
Abusing defined task in the system
Malicious Ace files for WinRAR < 5.70 beta 1 - WinRAR Exploitation (Evil-WinRAR-Gen)
IIS ASPX WebShell through WinRAR Exploitation
GHIDRA Exploitation - XXE Vulnerability (XML External Entity Injection) [Project Handling]
Intercepting NetNTLM-v2 hash through the XXE
Cracking Hashes
Abusing WinRM - Evil-WinRM
Playing with Invoke-Command to execute commands as a user whose credentials we know
PowerUp System Recognition
Abuse UsoSvc - Creating a new user [Privilege Escalation]
Manipulating system logs to grant privileges to the newly created user (Psexec)
Like: OSCP
Writeup: https://www.youtube.com/watch?v=KX138goKVC0
Solved: Yes
149
Granny | 10.10.10.15 | Windows | Easy
Abusing PUT & MOVE Methods - Uploading Aspx WebShell
Microsoft IIS 6.0 - WebDAV 'ScStoragePathFromUrl' Remote Buffer Overflow [RCE]
Token Kidnapping - Churrasco [Privilege Escalation]
Like: OSCP, eWPT, eJPT
Writeup: https://www.youtube.com/watch?v=cMeNaUNKK5Y
Solved: Yes
150
Anubis | 10.10.11.102 | Windows | Insane
SSL Certificate Inspection - OpenSSL
XSS (Cross-Site Scripting)
ASP SSTI (Server Side Template Injection) (HackingDream ASP Resource) [RCE]
InvokePowerShellTcp.ps1 - PowerShell Reverse Shell
ConPtyShell (AntonioCoco Utility) - Shell Improvement
Certificate Signing Request Inspection - OpenSSL
Chisel + Remote Port Forwarding + Proxychains - Creating a SOCKS5 tunnel
Abusing Software Portal
Traffic inspection with Tcpdump and Tshark
URL Host Manipulation Attack + Intercepting authentications with Netcat
Playing with Responder to get a Net-NTLMv2 hash
Cracking Hashes
SMB enumeration with authenticated user
Jamovi <=1.6.18 Exploitation - Malicious OMV File (XSS Vulnerability - Cross-Site Scripting Attack)
XSS + NodeJS Command Injection + InvokePowerShellTcp.ps1 (Nishang) Reverse Shell
ConPtyShell (AntonioCoco Utility) - Shell Improvement
Abusing Certificate Services
Playing with Certify.exe to find vulnerable templates
PowerView.ps1 + ADCS.ps1 in order to generate a certificate request and get it approved by the CA
ADCS.ps1 script manipulation (userprincipalname/samaccountname [Substitution Applied])
Listing certificates with gci command
Attempting to obtain credentials with Rubeus (asktgt mode) [ERROR - No longer working]
Exploiting CVE-2021-42278/CVE-2021-42287 (noPac.py) through Proxychains [Alternative Exploitation]
Synchronizing our time with DC time (rdate) - Headers Information Leakage
Getting an interactive console as the administrator user on the DC (noPac.py)
Like: OSCP (Escalation), OSEP (Escalation), eWPT, eWPTXv2, OSWE, eCPTXv2, Active Directory
Writeup: https://www.youtube.com/watch?v=oFBSn4iaLUo
Solved: Yes
151
Grandpa | 10.10.10.14 | Windows | Easy
Microsoft IIS 6.0 - WebDAV 'ScStoragePathFromUrl' Remote Buffer Overflow [RCE]
Token Kidnapping - Churrasco [Privilege Escalation]
Like: OSCP, eWPT, eJPT
Writeup: https://www.youtube.com/watch?v=uIasBAMSWsI
Solved: Yes
152
DevOops | 10.10.10.91 | Linux | Medium
XXE (XML External Entity Injection) Exploitation
Reading internal files through XXE - Private SSH Key
Abusing a Github project - Information Leakage in Project Commits [Privilege Escalation]
Like: eWPT, OSWE
Writeup: https://www.youtube.com/watch?v=6zrxDaAmjB8
Solved: Yes
153
Late | 10.10.11.156 | Linux | Easy
Virtual Hosting Enumeration
Abusing Upload File - Image to Text Flask Utility
SSTI - Server Side Template Injection
Reading files through SSTI - SSH Private Key
Abusing Cron Job [Privilege Escalation]
Like: eWPT, OSWE, OSCP
Writeup: https://www.youtube.com/watch?v=XxqXoLZtASY
Solved: Yes
154
Obscurity | 10.10.10.168 | Linux | Medium
Information Leakage
Python Source Code Analysis
URL Command Injection
Known Plaintext Attack - Cryptography Challenge
Abusing Sudoers Privilege - Shadow Race Condition [Privilege Escalation]
Like: OSWE, eWPT, OSCP (Intrusion)
Writeup: https://www.youtube.com/watch?v=chcJmcDrtW4
Solved: Yes
155
Node | 10.10.10.58 | Linux | Medium
Information Leakage
API Enumeration
Cracking Hashes
Cracking ZIP file
Backup Download - Stored credentials
MongoDB Enumeration
Mongo Task Injection - Command Injection [User Pivoting]
SUID Backup Binary Exploitation - Dynamic Analysis (1st way)
SUID Backup Binary Exploitation - Buffer Overflow 32 bits [NX Bypass + ASLR / Ret2libc] (2nd way)
Like: eJPT (Intrusion), Buffer Overflow
Writeup: https://www.youtube.com/watch?v=0AzaHJZfqwE
Solved: Yes
156
Shrek | 10.10.10.47 | Linux | Hard
Information Leakage
Steganography Challenge - Hidden message in the spectrogram of an audio file (Audacity)
Cryptography Challenge - Elliptic Curve (py-seccure)
Abusing Sudoers Privilege - User Pivoting (Vi)
Abusing Cron Job - Chown Wildcard Exploitation [Privilege Escalation]
Like: OSCP (Escalation)
Writeup: https://www.youtube.com/watch?v=C2VOcO8MdmI
Solved: Yes
157
Apocalyst | 10.10.10.46 | Linux | Medium
Wordpress Enumeration
Image Stego Challenge - Steghide
Information Leakage - User Enumeration
WordPress Exploitation - Theme Editor [RCE]
Abusing misconfigured permissions [Privilege Escalation]
Like: eJPT, eWPT, OSCP (Escalation)
Writeup: https://www.youtube.com/watch?v=ATqk2HpRp_s
Solved: Yes
158
Waldo | 10.10.10.87 | Linux | Medium
LFI (Local File Inclusion) - Filter Bypass
Obtaining a user's SSH private key through the LFI
Escaping from a container
Restricted Shell Bypass
Abusing Capabilities (cap_dac_read_search+ei) [Privilege Escalation]
Like: eWPT, eJPT, OSCP
Writeup: https://www.youtube.com/watch?v=KpYZh3gc79o
Solved: Yes
159
Overgraph | 10.10.11.157 | Linux | Hard
Virtual Hosting
Information Leakage
Open Redirect Exploitation
Open Redirect to XSS (Cross-Site Scripting) - Playing with eval/atob
Open Redirect + XSS evasion technique to fetch an external resource (1st way) [Not working at all]
XSS Exploitation - Loading encoded URL document.body.innerHTML external file (2nd way) [Success]
Subdomain Enumeration - Gobuster
JS File Inspection - Information Leakage
API Enumeration
Abusing API - Attempting to register a new user
NoSQL Injection - OTP Code Bypass
Abusing API - We have been able to register a new user
Abusing CHAT - A user checks our links
Abusing CHAT - Link Inspection + Open Redirect + XSS
Creating a malicious JS file - Controlling the flow of requests
JWT Inspection
Creating a Bash script to enumerate valid users through the API
Abusing API - We found 3 valid users
Inspecting the LocalStorage
LocalStorage Headers Manipulation - Attempting to impersonate a user [Failed]
LocalStorage Headers Manipulation - Assigning admin privileges to our user
LocalStorage Headers Manipulation - We found a new file upload field
File Upload Attempt (No admintoken header present) [Failed]
CSTI (Client Side Template Injection) Exploitation
Stored/Reflected XSS (Cross-Site Scripting) Attack - AngularJS
AngularJS XSS + LocalStorage Data Fields Exfiltration
GraphQL Enumeration
Abusing GraphQL - Basic Enumeration (Listing the name of all the types being used)
Abusing GraphQL - Extracting all the types and their arguments
Abusing GraphQL - Causing errors to list sensitive data
Abusing GraphQL - Enumerating Database Schema via Introspection
GraphQL Voyager - Visualizing the data through Introspection
Abusing GraphQL - Creating our own queries in order to list users information
Abusing LocalStorage - User Impersonation (ID included) [Success]
OpenRedirect + XSS + CSTI + JS Malicious File + GraphQL Concatenated Attack - Stealing adminToken
We managed to obtain the adminToken by updating the profile using the previous attack
Abusing File Upload - FFmpeg Exploitation
External SSRF and Local File Read via video upload due to vulnerable FFmpeg HLS processing
Creating specially designed m3u8 and avi files
Local File Read - Data Exfiltration through FFmpeg exploitation
FFmpeg exploitation - Reading SSH private key (user id_rsa)
Gaining access via SSH as the user 'user'
Abusing Node Project - Manipulating the service logic to inject commands as root [Unintentional way]
We were able to assign SUID privileges to the system bash
Like: eWPT, eWPTXv2, OSWE, OSCP (Escalation)
Writeup: https://www.youtube.com/watch?v=cYVf2KVXyFI
Solved: Yes
160
Brainfuck | 10.10.10.17 | Linux | Insane
TLS Certificate Inspection
WordPress Enumeration
WordPress WP Support Plus Responsive Ticket System Exploitation - Gaining access as admin user
Information Leakage - Data type conversion for displaying a password in cleartext
SMTP Enumeration
Crypto Challenge - Vigenère Cipher
Gaining access over SSH
Abusing LXD group [Privilege Escalation] (1st way) [Unintended]
RSA Crypto Challenge (2nd way) [Privilege Escalation]
Like: eWPT, OSCP (Escalation)
Writeup: https://www.youtube.com/watch?v=0C8zlzxBv7w
Solved: Yes
161
Flujab | 10.10.10.124 | Linux | Hard
SSL Cert Enumeration
Cookies Manipulation - Gaining access to restricted areas of the site
Abusing Mailer Configuration
Mail server hijacking - Intercepting mails with Python
SQLI (SQL Injection) - Error based in registered patient cancelation form
Gaining access as the 'sysadm' user to an Ajenti panel
Ajenti Server Management System Exploitation
Ajenti Exploitation - Creating an authorized public key on the server
Assigning file permissions through the API
Managing authorized access through the 'hosts.allow' file
Escaping Restricted Bash (rbash)
Abusing SUID Binary (GNU Screen) [Privilege Escalation]
Like: eWPT, eWPTXv2, OSWE, OSCP
Writeup: https://www.youtube.com/watch?v=aPbfiHW8GW8
Solved: Yes
162
Silo | 10.10.10.82 | Windows | Medium
Abusing Oracle Database
Oracle Database Attacking Tool (ODAT) Installation
Oracle DB Exploitation - Identifying valid SIDs (sidguesser)
Oracle DB Exploitation - Discovering valid credentials (passwordguesser)
Oracle DB Exploitation - Attempting a remote file read
Oracle DB Exploitation - Attempting a remote file upload
Oracle DB Exploitation - Attempting execution of a previously uploaded binary file
Like: OSCP
Writeup: https://www.youtube.com/watch?v=_ahxa5Zq5TY
Solved: Yes
163
Heist | 10.10.10.149 | Windows | Easy
Information Leakage
Cisco Password Cracker (password7)
SMB Enumeration - CrackMapExec
Getting more valid system users - lookupsid.py
Abusing WinRM - EvilWinRM
Creating a dump file of the Firefox process - Procdump64.exe (Windows Sysinternals)
Reading the password of the administrator user in the previously performed dump [Privilege Escalation]
Like: OSCP
Writeup: https://www.youtube.com/watch?v=EKwRNymiYfY
Solved: Yes
164
APT | 10.10.10.213 | Windows | Insane
RPC Enumeration
Abusing RPC - IOXIDResolver.py (Obtaining the IPV6 machine address)
Port scanning with nmap via ipv6
SMB enumeration via ipv6
Cracking ZIP file
NTDS enumeration (secretsdump.py)
Abusing Kerberos - Kerbrute (Valid user enumeration)
SMB Hash Spraying Attempt (Our attack is blocked)
PyKerbrute Script Manipulation - Adapting the script to our needs (Kerberos attack)
Reg.py - Reading machine registers remotely (Registry Hives Enumeration)
Abusing WinRM - Evil-WinRM
WinPeas - System Enumeration
Windows Defender Evasion
Windows Defender Evasion - Bypass-4MSI to disable AMSI (Evil-WinRM)
Windows Defender Evasion - Playing with Invoke-Binary to load an EXE into memory (Evil-WinRM)
NTLM clients and services support NTLMv1
Collecting Net-NTLMv1 Hash via Responder (1122334455667788 Challenge)
Cracking Hashes (Net-NTLMv1) [crack.sh]
Secretsdump.py - Dumping the hashes for the rest of the AD users (Using the DRSUAPI method)
Like: OSCP, OSEP, eCPPTv3, Active Directory
Writeup: https://www.youtube.com/watch?v=hh0iNaaCv1I
Solved: Yes
165
Knife | 10.10.10.242 | Linux | Easy
PHP 8.1.0-dev - 'User-Agent' Remote Code Execution [RCE]
Abusing Sudoers Privilege (Knife Binary) [Privilege Escalation]
Like: eJPT
Writeup: https://www.youtube.com/watch?v=NiV52j3fsh8
Solved: Yes
166
Retired | 10.10.11.154 | Linux | Medium
LFI (Local File Inclusion) - Filter Bypass [Abusing str_replace]
Buffer Overflow x64 - Full RELRO, NX, PIE, ASLR Bypass [ROP - Abusing a writable section]
Creating an Autopwn Script [Python Scripting]
Abusing System Services [User Pivoting]
Abusing binfmt_misc [Privilege Escalation]
Like: Buffer Overflow, OSCP (Escalation)
Writeup: https://www.youtube.com/watch?v=ys-az6SyheE
Solved: Yes
167
BountyHunter | 10.10.11.100 | Linux | Easy
XXE (XML External Entity Injection) Exploitation
XXE PHP File Read - Base64 Wrapper
Abusing Sudoers Privilege [Privilege Escalation]
Like: eWPT, OSWE, OSCP
Writeup: https://www.youtube.com/watch?v=egcvKwYpi0g
Solved: Yes
168
Unbalanced | 10.10.10.200 | Linux | Hard
Rsync & EncFS
Encfs2john to obtain a Hash we can crack
Cracking Hashes
Squid Proxy Enumeration
Burpsuite Tip - Upstream Proxy Servers
Squid Cache Manager Enumeration
XPath Injection
XPath Injection - Discovering valid users
XPath Injection - Enumerating the password length of the found users
XPath Injection - Obtaining users' passwords
Creating a Python script to automate XPATH Injection
SSH Brute Force - Hydra
Local Port Forwarding to reach the Pi-Hole web server
Pi-Hole Exploitation CVE-2020-11108 [PIVOTING] - Abusing Static DHCP leases configuration
Information Leakage [Privilege Escalation]
Like: eWPT, eWPTXv2, OSWE, eCPPTv3, eCPTXv2
Writeup: https://www.youtube.com/watch?v=TMQFehvMTvI
Solved: Yes
169
Lame | 10.10.10.3 | Linux | Easy
Samba 3.0.20 < 3.0.25rc3 - Username Map Script [Command Execution]
Like: eJPT
Writeup: https://www.youtube.com/watch?v=9WY2rSejDOY
Solved: Yes
170
TimeLapse | 10.10.11.152 | Windows | Easy
SMB Enumeration
Cracking ZIP Password Protected File (fcrackzip)
Cracking and reading .PFX File (crackpkcs12)
Gaining SSL access with Evil-WinRM
Information Leakage - Reading the user's Powershell history (User Pivoting)
Abusing LAPS to get passwords (Get-LAPSPasswords.ps1) [Privilege Escalation] | OSCP, OSEP, eCPPTv3, Active Directory | https://www.youtube.com/watch?v=NnlYSY83EsA | Yes
171
Legacy | 10.10.10.4 | Windows | Easy | SMB Enumeration
Eternalblue Exploitation (MS17-010) [Triple Z Exploit] | OSCP, eJPT | https://www.youtube.com/watch?v=RuWkPH_Vecg | Yes
172
Devel | 10.10.10.5 | Windows | Easy | Abusing FTP + IIS Services
Creating an AutoPwn Script [Python Scripting]
Microsoft Windows (x86) – ‘afd.sys’ (MS11-046) [Privilege Escalation] | OSCP, eJPT | https://www.youtube.com/watch?v=FdCh0A2gZmk | Yes
173
Valentine | 10.10.10.79 | Linux | Easy | SSL Heartbleed Exploitation
Cracking Hashes
Tmux Socket File Session [Privilege Escalation]
Linux Kernel 2.6.22 < 3.9 - Dirty Cow PTRACE_POKEDATA Race Condition Privilege Escalation | eWPT | https://www.youtube.com/watch?v=6vvgfbh9cy4 | Yes
174
Talkative | 10.10.11.155 | Linux | Hard | Jamovi Enumeration
Rj Editor Code Execution (Reverse Shell)
Information Leakage
Bolt - Access to the administration panel
Bolt - PHP File Manipulation (Injecting Malicious Code) [RCE]
PIVOTING
Detecting tasks running on the system - PSPY
Remote Port Forwarding - Chisel
MongoDB - Changing the admin user password
Abusing Rocket.Chat - Creating a new malicious webhook
File Upload Tip - Playing with PwnCat-CS
Docker Breakout - CDK Utility | eWPT, OSWE, eCPPTv3 | https://www.youtube.com/watch?v=9GNYyb942tI | Yes
175
Forest | 10.10.10.161 | Windows | Easy | AXFR - Domain Zone Transfer Attack (Failed)
RPC Enumeration - Getting valid domain users
Performing an AS-RepRoast attack with the obtained users
Cracking Hashes
Abusing WinRM - EvilWinRM
Ldap Enumeration - ldapdomaindump
BloodHound Enumeration
Gathering system information with SharpHound.ps1 - PuckieStyle
Representing and visualizing data in BloodHound
Finding an attack vector in BloodHound
Abusing Account Operators Group - Creating a new user
Abusing Account Operators Group - Assigning a group to the newly created user
Abusing WriteDacl in the domain - Granting DCSync Privileges
DCSync Exploitation - Secretsdump.py | OSCP, OSEP, eCPPTv3, Active Directory | https://www.youtube.com/watch?v=7G5wkoBpFWU | Yes
176
SolidState | 10.10.10.51 | Linux | Medium | Abusing James Remote Administration Tool
Changing a user's email password
Information Leakage
Escaping Restricted Bash (rbash)
Creating a bash script in order to detect cron jobs (procmon.sh)
Abusing Cron Job [Privilege Escalation] | eJPT | https://www.youtube.com/watch?v=d3tzLtW6SWE | Yes
177
Wall | 10.10.10.157 | Linux | Medium | Abusing Basic Auth Path
Abusing Centreon API - User Brute Force (Wfuzz)
Abusing Centreon Login Panel - Python Scripting
Centreon 19.04 Exploitation [RCE]
WAF Testing
WAF Bypassing
Screen 4.5.0 SUID Binary Exploitation [Privilege Escalation] | eWPT, OSWE | https://www.youtube.com/watch?v=MYJbamO88vw | Yes
178
FluxCapacitor | 10.10.10.69 | Linux | Medium | Fuzzing Parameters - Wfuzz
WAF Bypassing
Command Injection
Abusing Sudoers Privilege [Privilege Escalation] | eWPT, OSWE | https://www.youtube.com/watch?v=VdJbvaGXUAA | Yes
179
Zetta | 10.10.10.156 | Linux | Hard | Information Leakage
FTP RFC2428 Enumeration
Abusing RFC-2428 via EPRT command
Abusing RFC-2428 - Machine IPV6 address information leakage
IPV6 Scanning with nmap
Rsync Enumeration
Abusing Rsync - Brute Force in order to find a valid password [Bash Scripting]
Abusing Rsync - Creating SSH key pairs to gain access to the system
Postgres Enumeration
Enumerating Github Projects
SYSLOG Enumeration
SYSLOG Exploitation - Abusing Priorities + SQL Injection [RCE as Postgres]
Password pattern information leak [Privilege Escalation] | OSCP | https://www.youtube.com/watch?v=hB0G0Jp_MBg | Yes
180
Noter | 10.10.11.160 | Linux | Medium | Information Leakage - User Enumeration [Brute-Force
Wfuzz]
Finding valid users - Wfuzz
SSTI (Server Side Template Injection) [Failed]
JWT Enumeration
Abusing JWT - Flask-Unsign
Cracking Flask Cookie Secret - Flask-Unsign
Cookie Hijacking
FTP Enumeration
Information Leakage in PDF document
Finding a command injection in the web
RCE in md-to-pdf 4.1.0
Abusing the vulnerable code definition - Alternative Command Injection (RCE)
Abusing MYSQL service running as the root user [Privilege Escalation]
(raptor_udf2.so) | eWPT, eWPTXv2, OSWE, OSCP | https://www.youtube.com/watch?v=FoFQgoDYzog | Yes
181
ScriptKiddie | 10.10.10.226 | Linux | Easy | Msfvenom Exploitation [CVE-2020-7384] [RCE]
Abusing Logs + Cron Job [Command Injection / User Pivoting]
Abusing Sudoers Privilege [Msfconsole Privilege Escalation] | eJPT, OSCP (Escalation) | https://www.youtube.com/watch?v=VXvdwHfYd8M | Yes
182
Json | 10.10.10.158 | Windows | Medium | Abusing No Redirect
Json Deserialization Exploitation - ysoserial.net [RCE]
AppLocker Bypass
Abusing SeImpersonatePrivilege - JuicyPotato [Privilege Escalation]
Abusing SeImpersonatePrivilege - Creating a new user
Abusing SeImpersonatePrivilege - Adding the user to the local administrators
group
Abusing SeImpersonatePrivilege - Modifying the registry entry
LocalAccountTokenFilterPolicy
Playing with psexec.py and wmiexec.py
PassTheHash - wmiexec.py
Executing commands with CrackMapExec
Dumping the SAM with CrackMapExec
Enabling RDP with CrackMapExec
Playing with Remmina to gain access to the system | OSCP, eWPT | https://www.youtube.com/watch?v=nAF0JnTGkNM | Yes
183
Sniper | 10.10.10.151 | Windows | Medium | Local File Inclusion (LFI)
Remote File Inclusion (RFI) [Failed]
Remote File Inclusion through SMB Server (net usershare technique) [Success]
Creating a webshell and achieving remote command execution [RCE]
Information Leakage [User Pivoting]
Playing with Chisel and ScriptBlocks using Invoke-Command
Creating a malicious CHM file (Out-CHM.ps1) [Privilege Escalation] | OSCP, eWPT | https://www.youtube.com/watch?v=YQn3jAZeZAI | Yes
184
Beep | 10.10.10.7 | Linux | Easy | Elastix 2.2.0 Exploitation - Local File Inclusion (LFI)
Information Leakage
Vtiger CRM Exploitation - Abusing File Upload (1st way) [RCE]
Shellshock Attack (2nd way)
[RCE] | eWPT | https://www.youtube.com/watch?v=9BA_s6CGtpY | Yes
185
Mango | 10.10.10.162 | Linux | Medium | Virtual Hosting
NoSQL Injection Login Bypass
NoSQL Injection - Dumping Users and Passwords [Python Scripting]
Abusing SUID Binary - JJS [Privilege Escalation] | eWPT, OSWE | https://www.youtube.com/watch?v=w7gO7i212c8 | Yes
186
Bank | 10.10.10.29 | Linux | Easy | Domain Zone Transfer Attack - AXFR (dig)
Information Leakage
Abusing File Upload [RCE]
Abusing SUID Binary (WTF?) [Privilege Escalation] | eWPT | https://www.youtube.com/watch?v=eWZ29FJxEmA | Yes
187
Reel2 | 10.10.10.210 | Windows | Hard | Information Leakage
OWA Password Spray - SprayingToolkit
Creating a user list - spindrift.py
Applying brute force to OWA - atomizer.py
OWA Phishing - Stealing Net-NTLMv2 Hashes with Responder
Gaining access from PowerShell with Enter-PSSession
ConstrainedLanguage Mode Bypassing Techniques
Playing with Nishang to get a fully interactive console
(Invoke-PowerShellTcpOneLine.ps1)
Powershell filtering methods (EXTRA)
Abusing StickyNotes - Viewing another user password
Abusing defined functions [Privilege Escalation] | OSCP, OSEP, eCPPTv3, Active Directory | https://www.youtube.com/watch?v=gr78zhxjC7I | Yes
188
Luke | 10.10.10.137 | Linux | Medium | FTP Enumeration
Information Leakage
Abusing NodeJS Application
API Enumeration
Abusing Ajenti Administration Panel | eWPT | https://www.youtube.com/watch?v=tIoV_Nkrusw | Yes
189
Doctor | 10.10.10.209 | Linux | Easy | Server Side Template Injection (SSTI)
Exploiting the SSTI by calling Popen without guessing the offset (1st way) [RCE]
Command Injection (2nd way) [RCE]
Abusing adm group - Finding credentials in request logs
Splunk Exploitation (Universal Forwarder Misconfiguration) - SplunkWhisperer2
[Privilege Escalation] | eWPT, eWPTXv2, OSWE | https://www.youtube.com/watch?v=2bELzcFGnY4 | Yes
190
StreamIO | 10.10.10.151 | Windows | Medium | SSL Certificate Enumeration
SMB Enumeration
Kerberos User Enumeration (Kerbrute)
ASREPRoast Attack (Failed)
SQL Injection (MSSQL) - WAF Bypass
NTLM Hash Stealing through SQL Injection (xp_dirtree)
Cracking Hashes
Local File Inclusion (LFI)
LFI + Wrappers (base64 encoding)
Remote File Inclusion (RFI)
RFI + RCE via malicious PHP script
Information Leakage - Database administrator user credentials
Enumerating the database with sqlcmd
Password spraying with CrackMapExec
Abusing WinRM - EvilWinRM
Abusing Firefox Stored Profile Passwords - Firepwd
Bloodhound Enumeration
Playing with SharpHound.ps1 - Puckiestyle
Abusing WriteOwner privilege over a group - PowerView.ps1
Playing with Add-DomainObjectAcl && Add-DomainGroupMember utilities
Getting LAPS Passwords - ldapsearch [Privilege Escalation] | eWPT, eWPTXv2, OSWE, OSCP, OSEP, eCPPTv3, Active Directory | https://www.youtube.com/watch?v=lP_ylWaw9eU | Yes
191
Active | 10.10.10.100 | Windows | Easy | SMB Enumeration
Abusing GPP Passwords
Decrypting GPP Passwords - gpp-decrypt
Kerberoasting Attack (GetUserSPNs.py) [Privilege Escalation] | OSCP, OSEP, eCPPTv3, Active Directory | https://www.youtube.com/watch?v=cDutnBcTQtM | Yes
192
Frolic | 10.10.10.111 | Linux | Easy | Web Enumeration
Information Leakage
Playing with esoteric languages - Ook! and Brainfuck
Cracking Zip Password Protected Files
PlaySMS Exploitation - 'import.php' Remote Code Execution [RCE]
BufferOverflow 32 bits - Ret2libc [Privilege Escalation] | eWPT, Buffer Overflow | https://www.youtube.com/watch?v=mL7ADmxL7ss | Yes
193
Jewel | 10.10.10.211 | Linux | Medium | Gitweb Enumeration
Information Leakage
Cracking Hashes
Searching for vulnerabilities in Ruby on Rails with Brakeman
Deserialization Attack (CVE-2020-8165) - Rails < 5.2.3.4 [RCE]
Creating a new application with Rails
Creating the payload with Ruby console
Abusing Google Authentication (oathtool)
Abusing sudoers privilege (gem command) [Privilege Escalation] | eWPT, OSWE, OSCP | https://www.youtube.com/watch?v=71wQWq50aNE | Yes
194
Laboratory | 10.10.10.216 | Linux | Easy | SSL Certificate Enumeration
Gitlab Enumeration
Gitlab Exploitation - Arbitrary file read via the UploadsRewriter when moving an
issue
Gitlab Exploitation - Malicious Marshalled Payload in a session cookie +
Deserialization Attack [RCE]
Abusing gitlab-rails console - Granting administrator privileges to our user
EXTRA - Playing with Vulhub Pre-Built Vulnerable Environments Based on
Docker-Compose
Information Leakage - SSH Access
Abusing SUID Binary + PATH Hijacking [Privilege Escalation] | eWPT, eWPTXv2, OSWE, OSCP | https://www.youtube.com/watch?v=kspptAGubDo | Yes
195
Blocky | 10.10.10.37 | Linux | Easy | WordPress Enumeration
Information Leakage
Analyzing a jar file - JD-Gui + SSH Access
Abusing Sudoers Privilege [Privilege Escalation] | eJPT | https://www.youtube.com/watch?v=SJf_jAufs-k | Yes
196
Atom | 10.10.10.237 | Windows | Medium | SMB Enumeration
EXE Binary Analysis
Abusing electron-updater - Signature Validation Bypass [RCE]
Abusing PortableKanban - Reading the encrypted password
Redis Enumeration - Obtaining the encrypted password of the administrator user
Decrypting obtained passwords + Abusing WinRM (Evil-WinRM) [Privilege Escalation] | OSCP | https://www.youtube.com/watch?v=FNQw93y3XNE | Yes
197
Joker | 10.10.10.21 | Linux | Hard | SQUID Proxy Enumeration
UDP Enumeration
Abusing TFTP - Getting Squid Proxy Credentials
Cracking Hashes
Internal port discovery via SQUID Proxy
Abusing Interactive Console [RCE]
Bypassing iptables rules - UDP Reverse Shell
Abusing Sudoers Privilege [Abusing sudoedit - User Pivoting]
Abusing Cron Job + TAR Wildcards [Privilege Escalation] | eWPT, eWPTXv2, OSWE, OSCP | https://www.youtube.com/watch?v=AoZiJaW5tc8 | Yes
198
Netmon | 10.10.10.152 | Windows | Easy | FTP Enumeration
Information Leakage
Abusing PRTG Network Monitor - Command Injection [RCE] | eJPT, eWPT, OSCP | https://www.youtube.com/watch?v=aPS0VIIL0nQ | Yes
199
Cascade | 10.10.10.182 | Windows | Medium | RPC Enumeration
User Enumeration via Kerberos - Kerbrute
ASREPRoast Attack - GetNPUsers.py (Failed)
LDAP Enumeration - ldapsearch && ldapdomaindump
SMB Enumeration - smbclient && smbmap
Cracking TightVNC Password - vncpwd
Kerberoasting Attack - GetUserSPNs.py (Failed)
Abusing WinRM - EvilWinRM
Enumerating SQLite3 Database File
Analysis of Windows EXE binary
Installing DotPeek on a Windows virtual machine
Reverse engineering the CBC cipher - Obtaining clear text passwords
Abusing AD Recycle Bin Group - Active Directory Object Recovery (Get-ADObject)
[Privilege Escalation]
EXTRA: Chisel Remote Port Forwarding (RDP + Remmina) | OSCP, OSEP, eCPPTv3, Active Directory | https://www.youtube.com/watch?v=utTEk0WNO04 | Yes
200
Delivery | 10.10.10.222 | Linux | Easy | Virtual Hosting Enumeration
Abusing Support Ticket System
Access to MatterMost
Information Leakage
Database Enumeration - MYSQL
Cracking Hashes
Playing with hashcat rules in order to create passwords
Playing with sucrack to find out a user's password | eJPT, eWPT | https://www.youtube.com/watch?v=aTOlZz1ucsc | Yes
201
Poison | 10.10.10.84 | Linux | Medium | Local File Inclusion (LFI)
LFI to RCE - Log Poisoning
Cracking ZIP file
Abusing VNC - vncviewer [Privilege Escalation] | eWPT, eJPT | https://www.youtube.com/watch?v=HYqQCYh0CzA | Yes
202
Scrambled | 10.10.11.168 | Windows | Medium | Web Enumeration
Information Leakage
Ldap Enumeration
Kerberos Enumeration
User Enumeration - Kerbrute
Password Brute Force - Kerbrute
SMB Enumeration - Kerberos Authentication [getTGT.py]
ASREPRoast Attack - GetNPUsers.py (Failed)
Kerberoasting Attack - GetUserSPNs.py
Manipulating the GetUserSPNs.py script to make it work the way we want it to
work
Cracking Hashes
Attempting to authenticate to the MSSQL service via kerberos (Failed)
Explaining Kerberos Auth Flow (TGT, TGS, KDC, AS-REQ, AS-REP, TGS-REQ, TGS-REP,
AP-REQ, AP-REP)
Explaining how Silver Ticket Attack works
Forging a new TGS as Administrator user (NTLM Hash, Domain SID and SPN)
[ticketer.py && getPAC.py]
Connecting to the MSSQL service with the newly created ticket
MSSQL Enumeration
Enabling xp_cmdshell component in MSSQL [RCE]
Abusing SeImpersonatePrivilege [JuicyPotatoNG Alternative for Windows Server
2019] (Unintended Way)
Binary and DLL Analysis
Downloading OpenVPN from a Windows machine and configuring it to reverse
downloaded resources
Dnspy Installation
DLL Inspection with Dnspy - Found a backdoor in the code
We realize that serialization and deserialization of data is being used
Creating a malicious base64 serialized Payload with ysoserial.net in order to
get RCE
We send the serialized data to the server [Privilege Escalation] | OSCP, OSEP, eCPPTv3, eWPTXv2 (Escalation), Active Directory | https://www.youtube.com/watch?v=osmFGqnFe8c | Yes
203
Remote | 10.10.10.180 | Windows | Easy | Web Enumeration
NFS Enumeration - Showmount
Information Leakage
Abusing Umbraco Admin Panel
Umbraco CMS - Remote Code Execution by authenticated administrators
Obtaining the TeamViewer password from the system registers (AES128 - CBC)
[Privilege Escalation] | eWPT, OSCP (Escalation) | https://www.youtube.com/watch?v=YCApOqCgoC4 | Yes
204
Nibbles | 10.10.10.75 | Linux | Easy | Abusing Nibbleblog - Remote Code Execution via File Upload
Abusing Sudoers Privilege [Privilege Escalation] | eJPT | https://www.youtube.com/watch?v=vAhrLjw1JEA | Yes
205
OpenSource | 10.10.11.164 | Linux | Easy | Web Enumeration
Github Project Enumeration
Information Leakage
Abusing File Upload - Replacing Python Files [RCE]
Local File Inclusion (LFI)
Shell via Flask Debug - Finding out the PIN (Werkzeug Debugger) [Unintended Way]
Playing with Chisel - Remote Port Forwarding [PIVOTING]
Abusing Gitea + Information Leakage
Abusing Cron Job + Git Hooks [Privilege Escalation] | eWPT, eWPTXv2, OSWE, eCPPTv3, OSCP | https://www.youtube.com/watch?v=Be5wJyhgB_A | Yes
206
Faculty | 10.10.11.169 | Linux | Medium | Web Enumeration
SQL Injection (SQLI) - Manual Blind Time Based [Python Scripting]
Information Leakage - Error Messages
Login bypass - SQLI
Abusing MPDF - Local File Inclusion (LFI)
Abusing meta-git command - RCE via insecure command formatting
Abusing gdb capabilities (cap_sys_ptrace+ep) [Privilege Escalation] | eWPT, eWPTXv2, OSWE, OSCP | https://www.youtube.com/watch?v=AnVAmSH81DQ | Yes
207
Trick | 10.10.11.166 | Linux | Easy | DNS Enumeration
Domain Zone Transfer Attack (AXFR)
SQL Injection (SQLI) - Manual Blind SQLI with Conditional Responses [Python
Scripting - AutoPwn]
Local File Inclusion (LFI) + Wrappers
Subdomain Discovery
Local File Inclusion (LFI) + Restriction bypassing
SMTP Enumeration (VRFY - Discovering valid users)
LFI to RCE - Nginx Log Poisoning
Abusing Sudoers Privilege (fail2ban command) | eWPT, eWPTXv2, OSWE, OSCP | https://www.youtube.com/watch?v=NZY6rLNJEAw | Yes
208
Moderators | 10.10.11.173 | Linux | Hard | Web Enumeration
Information Leakage
Insecure Direct Object Reference (IDOR) in order to discover valid reports
Abusing File Upload - Uploading a PHP file disguised as PDF + Obfuscated Web
Shell (Weevely3)
Abusing Internal Web Server
Wordpress Brandfolder 3.0 Plugin Exploitation - Local/Remote File Inclusion
(User Pivoting)
Changing admin user password in wordpress via MYSQL (Wordpress Password Hash
Generator)
Virtual Box Image Enumeration
Cracking VirtualBox Encryption (virtualbox2hashcat)
Creating a new virtual machine in VirtualBox and installing the extension pack
Decrypting the VirtualBox VDI Image with VBoxManage
Mounting the VirtualBox VDI Image (qemu-nbd)
Cracking the LUKS v2 Password (bruteforce-luks-static-linux-amd64)
Mounting the Luks Drive (cryptsetup)
Finding a password among the mounted files
Abusing sudoers privilege [Privilege Escalation] | eWPT, eWPTXv2, OSWE | https://www.youtube.com/watch?v=oYmY8HPYWJY | Yes
209
Shared | 10.10.11.172 | Linux | Medium | Web Enumeration
SQL Injection (SQLI) in a Cookie
Cracking Hashes
Abusing Cron Job
iPython Arbitrary Code Execution - CVE-2022-21699 (User Pivoting)
Information Leakage
Abusing Redis - Sandbox Escape (CVE-2022-0543) [Privilege Escalation] | eWPT, OSCP | https://www.youtube.com/watch?v=MGL6PK5s2yU | Yes
210
RedPanda | 10.10.11.170 | Linux | Easy | Server Side Template Injection (SSTI)
SSTI - Bypassing special character restriction
SSTI - Creation of a Python script to automate java injection (RCE)
Creating a Bash script for process monitoring with user included
Abusing log file + Image metadata + XML External Entity Injection (XXE)
[Privilege Escalation] | eWPT, eWPTXv2, OSWE, OSCP | https://www.youtube.com/watch?v=Ugz1RcYLd5M | Yes
211
Squashed | 10.10.11.191 | Linux | Easy | NFS Enumeration
Abusing owners assigned to NFS shares by creating new users on the system (Get
Access to Web Root)
Creating a web shell to gain system access
Abusing .Xauthority file (Pentesting X11)
Taking a screenshot of another user's display | OSCP | https://www.youtube.com/watch?v=maTw2StNFI4 | Yes
212
Carpediem | 10.10.11.167 | Linux | Hard | Web Enumeration
Parameter Fuzzing with Wfuzz
Mass Assignment Attack - Giving admin privileges to our user
Creating a HTML form with OpenAI in order to exploit file uploading
Information Leakage - Reading sensitive files with hardcoded passwords
Trudesk API Enumeration
Trudesk API Enumeration - Finding valid tickets + Xargs Tip (Fast ticket
discovery)
Setting up Zoiper
Making a call from Zoiper to obtain access credentials
Abusing Capabilities (tcpdump)
Abusing Weak Cipher Suite - TLS_RSA_WITH_AES_256_CBC_SHA256 (TLSv1.2 Traffic)
Importing the certificate into Wireshark and decrypting traffic
Backdrop Enumeration && Backdrop Exploitation
Abusing Backdrop - Installing a new module
Abusing a cron job on a container [Container privilege escalation]
Abusing CVE-2022-0492 (Container Escape via Cgroups) [Privilege Escalation] | eWPT, eWPTXv2, OSWE, eCPPTv3, eCPTXv2, OSCP | https://www.youtube.com/watch?v=dkJQMRJHeKg | Yes
213
Support | 10.10.11.174 | Windows | Easy | SMB Enumeration
EXE Binary Analysis
Debugging with DNSpy
Setting breakpoints and getting an LDAP password in clear text (DNSpy)
Kerberos User Enumeration (kerbrute)
Ldap Enumeration (ldapsearch)
Information Leakage
Abusing Remote Management Users group (Evil-WinRM)
SharpHound + BloodHound Enumeration
Abusing Shared Support Accounts (GenericAll) (rbcd Attack) [Resource Based
Constrained Delegation]
Resource Based Constrained Delegation Attack - Creating a Computer Object
(powermad.ps1)
Resource Based Constrained Delegation Attack - PowerView.ps1
Resource Based Constrained Delegation Attack - Getting the impersonated service
ticket (getST.py)
Using the ticket to gain Administrator access [Privilege Escalation] | OSCP, OSEP, eCPPTv3, Active Directory | https://www.youtube.com/watch?v=AlrB-uBUuTA | Yes
214
Outdated | 10.10.11.175 | Windows | Medium | SMB Enumeration
Follina Exploitation (CVE-2022-30190) + Nishang PowerShell TCP Shell [Remote
Code Execution]
SharpHound + BloodHound DC Enumeration
Abusing AddKeyCredentialLink Privilege [Invoke-Whisker.ps1 - Shadow Credentials]
Getting the user's NTLM Hash with Rubeus
Abusing WinRM - EvilWinRM
Abusing WSUS Administrators Group
WSUS Exploitation - Creating a malicious patch for deployment [Privilege Escalation] | OSCP, OSEP, eCPPTv3, Active Directory | https://www.youtube.com/watch?v=3xU66O-1pWU | Yes
215
Health | 10.10.11.176 | Linux | Medium | Web Enumeration
Abusing WebHook Setup
Creating a PHP file to apply a Redirect and point to internal machine services
[Restriction Bypassing]
Gogs v0.5.5 Exploitation - SQL Injection [CVE-2014-8682]
Running Gogs v0.5.5 Locally for successful exploitation
Creating a SQL injection that allows us to obtain the salt and password of a
user
Hash restructuring in order to crack it
SSRF (Server Side Request Forgery) + SQL Injection
Cracking Hashes
Abusing Cron Job (Database Manipulation) [Privilege Escalation] | eWPT, eWPTXv2, OSWE, OSCP | https://www.youtube.com/watch?v=7wwOejPwwYU | Yes
216
Shoppy | 10.10.11.180 | Linux | Easy | Virtual Hosting
Subdomain Enumeration
NoSQL Injection (Admin Auth Bypass)
Abusing the Shoppy App search engine (NoSQL Injection) - Obtaining the password
of DB users
Cracking Hashes Online
Log into Mattermost + Information Leakage
Abusing Sudoers Privilege
Binary Analysis - GHIDRA (Reverse Engineering)
Abusing docker group [Privilege Escalation] | eWPT, OSWE, OSCP | https://www.youtube.com/watch?v=1pddk1u9jnQ | Yes
217
UpDown | 10.10.11.177 | Linux | Medium | Web Enumeration
Subdomain Discovery (gobuster)
Finding .git directory with nmap (http-enum)
Playing with git-dumper in order to get the files of the project
PHP Source Analysis
Information Leakage
Abusing HTACCESS Policies
Abusing File Upload (ZIP file + PHP File + Restriction Bypass + PHAR Wrapper)
Playing with dfunc-bypasser in order to find functions through which we can
execute commands
Abusing proc_open and executing commands [RCE]
Abusing SUID Binary (Command injection in Python2 Input function) [User
Pivoting]
Abusing Sudoers Privilege (easy_install binary) [Privilege Escalation] | OSWE, eWPT, eWPTXv2, OSCP | https://www.youtube.com/watch?v=36Ua0nrwc7g | Yes
218
Ambassador | 10.10.11.183 | Linux | Medium | Web Enumeration
Grafana v8.2.0 Exploitation [CVE-2021-43798] (Unauthorized Arbitrary File Read
Vulnerability)
Enumerating a sqlite3 file [Extracting mysql login credentials]
System Github Project Enumeration
Hashicorp Consul Exploitation (Command Execution via API) [Privilege Escalation] | eWPT, OSCP | https://www.youtube.com/watch?v=fli1xeT3c-s | Yes
219
Photobomb | 10.10.11.182 | Linux | Easy | Virtual Hosting
Web Enumeration
Information Leakage - Credentials in Javascript File
Abusing Image Download Utility (Command Injection) [RCE]
Abusing Sudoers privilege + PATH Hijacking (find command) [1st way] [Privilege
Escalation]
Abusing Sudoers privilege + PATH Hijacking ( ] command ) [2nd way] [Privilege Escalation] | OSCP, eWPT | https://www.youtube.com/watch?v=rAY1GMvrO0g | Yes
220
Precious | 10.10.11.189 | Linux | Easy | Pdfkit v0.8.6 Exploitation - Command Injection
(CVE-2022-25765)
Advanced Python Scripting - Autopwn Script [EXTRA]
Information Leakage [User Pivoting]
Abusing sudoers privilege + Yaml Deserialization Attack [Privilege Escalation] | eWPT | https://www.youtube.com/watch?v=0WA4b3P5ZMM | Yes
221
Mentor | 10.10.11.193 | Linux | Medium | Virtual Hosting
Subdomain Enumeration
API Enumeration
Abusing API
SNMP Enumeration (snmpwalk && snmpbulkwalk) + Community String Brute Force
Information Leakage
Abusing JWT
API Exploitation (Command Injection)
Chisel Tunnel + Postgresql Service Enumeration + Information Leakage
Abusing Sudoers Privilege [Privilege Escalation] | eWPT, OSWE, eCPPTv3 | https://www.youtube.com/watch?v=dEP6h3jxLRI | Yes
222
Inject | 10.10.11.204 | Linux | Easy | Web Enumeration
Local File Inclusion + Directory Listing
Information Leakage
Spring Cloud Exploitation (CVE-2022-22963) [Spring4Shell]
Abusing Cron Job
Malicious Ansible Playbook (Privilege Escalation) | eWPT, OSCP (Escalation) | https://www.youtube.com/watch?v=5gfA_wIaNRs | Yes
223
Sau | 10.10.11.224 | Linux | Easy | requests-baskets 1.2.1 Exploitation (SSRF - Server Side Request Forgery)
Maltrail 0.53 Exploitation (RCE - Username Injection)
Abusing sudoers privilege (systemctl) [Privilege Escalation] | eWPT | https://www.youtube.com/watch?v=gfupbVibReM | Yes
224
Zipping | 10.10.11.229 | Linux | Medium | File uploading abuse (%00 Injection) [Failed]
ZipSlip Exploitation Technique for internal reading of files
SQL Injection + Regular Expression Bypass (%0a) + RCE through into outfile
instruction
Custom binary abuse + Malicious Shared Object (.so) Injection [Privilege Escalation] | eWPT, eWPTXv2, OSWE, OSCP | https://www.youtube.com/watch?v=YVdVKoqeoHs | Yes
225
Bookworm | 10.10.11.215 | Linux | Insane | XSS Injection + CSP Bypass
Abusing File Upload + Indirect XSS Injection
IDOR Exploitation
Profile and order enumeration via XSS
XSS + LFI aiming to read private files from the server
Information Leakage through LFI
Abusing Internal Javascript Web Application
Abusing ebook-convert [User Pivoting]
Abusing Symlinks + ebook-convert for Arbitrary Write
Abusing sudoers privilege
SQL Injection + PostScript Injection for privileged writing to system [Privilege Escalation] | eWPT, eWPTXv2, OSWE, OSCP | https://www.youtube.com/watch?v=hC8XnmxzwJ8 | Yes
226
Clicker | 10.10.11.232 | Linux | Medium | Abusing a game via the browser console
Abusing NFS + Information Leakage
Code Analysis
Mass Assignment Exploitation in order to elevate our user privileges
Bypass Check via Netline Injection
RCE through nickname manipulation + Mass Assignment Attack
Abusing Custom Binary
Binary Analysis with Ghidra (Reversing) [User Pivoting]
Abusing Sudoers
XXE Exploitation [Privilege Escalation] | eWPT, OSWE, OSED | https://www.youtube.com/watch?v=gGyfo3jkzDk | Yes
227
Keeper | 10.10.11.227 | Linux | Easy | Abusing Request Tracker
Information Leakage
Obtaining KeePass password through memory dump [Privilege Escalation] | eJPT | https://www.youtube.com/watch?v=lhVQxvz9Sh8 | Yes
228
Drive | 10.10.11.235 | Linux | Hard | IDOR Exploitation + OOP Python Scripting
Information Leakage
Sqlite3 file enumeration
Cracking Hashes
Gitea Enumeration + Information Leakage
Abusing Custom Binary
Binary Analysis with GHIDRA
Exploiting SUID binary + Command injection through sqlite3 extension loading
[Privilege Escalation] | eWPT, OSWE, OSED | https://www.youtube.com/watch?v=VrscVIpSyV0 | Yes
229
Builder | 10.10.11.10 | Linux | Medium | Jenkins Exploitation - CVE-2024-23897 in order to read arbitrary files (RCE)
Cracking Hashes
Abusing the Jenkins cipher to crack the password [Privilege Escalation] | eWPT | https://www.youtube.com/watch?v=wVSW6uMVe_w | Yes
230
Hospital | 10.10.11.241 | Windows | Medium | SMB Enumeration
Abusing File Upload (.phar extension + Python Scripting)
Abusing PHP Disable Functions in order to RCE
GameOver(lay) Exploitation (Privilege Escalation)
Cracking Hashes
Enumerating domain users (rpcclient)
Testing ASREPRoast attack (impacket-GetNPUsers)
Fraudulent sending of eps file by mail through RoundCube
Abusing XAMPP for privilege escalation | OSCP, OSEP, eCPPTv3, Active Directory | https://www.youtube.com/watch?v=CecJxqA2WPo | Yes
231
Surveillance | 10.10.11.245 | Linux | Medium | CraftCMS Exploitation (CVE-2023-41892) - RCE
Information Leakage
Cracking Hashes
ZoneMinder + Sudoers Exploitation (Privilege Escalation) | eWPT | https://www.youtube.com/watch?v=JIEsfS6noWk | Yes
232
TwoMillion | 10.10.10.11 | Linux | Easy | Building a Python3 Stealth port scanner with Scapy
Abusing declared Javascript functions from the browser console
Abusing the API to generate a valid invite code
Abusing the API to elevate our privilege to administrator
Command injection via poorly designed API functionality
Information Leakage
Privilege Escalation via Kernel Exploitation (CVE-2023-0386) - OverlayFS Vulnerability | eWPT, OSWE | https://www.youtube.com/watch?v=Nm9HwJerMqs | Yes
233
Broker | 10.10.11.243 | Linux | Easy | Credential guessing
ActiveMQ Exploitation - Deserialization Attack (CVE-2023-46604) [RCE]
Abusing sudoers privilege (nginx) [Privilege Escalation] | eWPT | https://www.youtube.com/watch?v=o6aRIbFuKNA | Yes
234
Monitored | 10.10.11.248 | Linux | Medium | Nagios Enumeration
API Enumeration
SNMP Enumeration
Abusing API
Nagios XI Exploitation (CVE-2023-40931)
SQL Injection Manual Exploitation
Abusing API Key to create new administrator user (Mass Assignment Attack)
Creating a new command and service in Nagios to get a reverse shell
Abusing Sudoers [Privilege Escalation] | eWPT, eWPTXv2, OSWE | https://www.youtube.com/watch?v=oO9tvq9_HU8 | Yes
235
Devvortex | 10.10.11.242 | Linux | Easy | Subdomain Enumeration
Abusing Joomla
Joomla Exploitation (CVE-2023-23752)
Customizing administration template to achieve RCE
Database Enumeration (User Pivoting)
Abusing sudoers privilege (apport-cli) [Privilege Escalation] | eWPT | https://www.youtube.com/watch?v=GMVmxYnHsLA | Yes
236
Napper | 10.10.11.240 | Windows | Hard | IIS Enumeration
Subdomain Enumeration
Information Leakage
Abusing NAPLISTENER Backdoor
Creating a reverse shell payload in C#
Creating an executable from C# code with mcs
Elasticsearch Enumeration
Binary Analysis with GHIDRA
Ghidra extensions installation
Creation of script in Go to decrypt a message by abusing a given seed
Using RunasCs to execute commands as another user + UAC Bypass [Privilege Escalation] | OSED | https://www.youtube.com/watch?v=yKNxdxixfHg | Yes
237
Bizness | 10.10.11.252 | Linux | Easy | Apache OFBiz Exploitation (Authentication Bypass)
Analysis of OFBiz code to understand the hashed storage mechanism
Adapting found hashes to a crackable format
Cracking Hashes [Privilege Escalation] | eWPT | https://www.youtube.com/watch?v=Xw2Ojg26v2g | Yes
238
Manager | 10.10.11.236 | Windows | Medium | SMB Enumeration
User Enumeration [1st way] - RID Cycling Attack (rpcclient)
User Enumeration [2nd way] - RID Cycling Attack (CrackMapExec)
User Enumeration [3rd way] - Kerberos User Enumeration (Kerbrute)
Ldap Enumeration (ldapdomaindump)
Credentials Brute Force (CrackMapExec)
MSSQL Enumeration (mssqlclient.py)
Abusing MSSQL (xp_dirtree)
Information Leakage
Abusing WinRM to get an interactive console
DC Enumeration (adPEAS) - Powershell tool to automate Active Directory
enumeration
Abusing Active Directory Certificate Services (ADCS)
ESC7 exploitation case with certipy [Privilege Escalation] | OSCP, OSEP, eCPPTv3, Active Directory | https://www.youtube.com/watch?v=6uzYhgtDPTM | Yes
239
Wifinetic | 10.10.11.247 | Linux | Easy | FTP Enumeration
Information Leakage
SSH Brute Force with CrackMapExec
Abusing Capabilities - Reaver
Abusing an AP's WPS to get the root password [Privilege Escalation]
Trying to change the password and showing how the WPS Pin is still giving the new password | OSWP | https://www.youtube.com/watch?v=MTcZbk0QzB8 | Yes
240
Analysis | 10.10.11.250 | Windows | Hard | SMB Enumeration
Virtual Hosting
Subdomain Enumeration
Kerberos - User Brute Force Enumeration (kerbrute)
Web Fuzzing
LDAP Injection
Creating a Python script to easily exploit LDAP injection
Discovering valid users through LDAP injection
Enumerating user description through LDAP injection + Information Leakage
Testing ASREPRoast attack (impacket-GetNPUsers)
Testing Kerberoasting attack (impacket-GetUsersSPNs)
Exploitation of a customized analysis panel
Creating a PHP webshell for command execution + Reverse Shell with Nishang
System enumeration with WinPeas
Obtaining user credentials stored in the autologon registry
Abusing Snort (Loading Dynamic Modules) [Privilege Escalation]
Creation of malicious DLL with msfvenom for loading into snort | OSCP, OSEP, eCPPTv3, eWPT, eWPTXv2, OSWE, Active Directory | https://www.youtube.com/watch?v=1X6Ak_IBDrM | Yes
241
Analytics | 10.10.11.233 | Linux | Easy | Subdomain Enumeration
Metabase Exploitation (CVE-2023-38646)
Docker Container Information Leakage
Kernel Exploitation - GameOver(lay) / Abusing OverlayFS [Privilege Escalation] | eWPT | https://www.youtube.com/watch?v=FCk5K7sm5uo | Yes
242
Pov | 10.10.11.251 | Windows | Medium | Subdomain Enumeration
LFI through CV Download
Abusing ViewState IIS Parameter + web.config secrets in order to achieve RCE
Playing with ysoserial.net to create a serialized payload
Reading a powershell credential and decrypting the contents of the PSCredential
object
RunasCs.exe to execute command as another user whose credentials are known to us
Abusing SeDebugPrivilege [Privilege Escalation]
Playing with chisel + WinRM for a more stable shell
Using psgetsys.ps1 to execute commands as the administrator user through memory
injection | eWPT
OSWE
OSCP | https://www.youtube.com/watch?v=wxoaRHCfGHA | Yes

Machine | Operating System | Difficulty | Techniques Covered | Like | Link to the machine | Writeup | Solved
3
DarkHole: 2 | Linux | Easy | Information Leakage
Github Project Enumeration
SQLI (SQL Injection)
Chisel (Remote Port Forwarding) + Abusing Internal Web Server
Bash History - Information Leakage [User Pivoting]
Abusing Sudoers Privilege [Privilege Escalation] | eWPT
eJPT | https://www.vulnhub.com/entry/darkhole-2,740/ | https://www.youtube.com/watch?v=xYLNxmuH9Sg | Yes
4
IMF | Linux | Medium | Information Leakage
Abusing Web Page - User Enumeration Vulnerability (Login)
SQLI (SQL Injection) [Boolean Based Blind] + Python Scripting [Manual]
Abusing Image Upload Form [RCE] + WAF Bypass
Custom Binary Exploitation - Ghidra Analysis
Custom Binary Exploitation - Buffer Overflow x32 bits (ret2reg technique)
[Privilege Escalation] | eWPT
eWPTXv2
OSWE
Buffer Overflow | https://www.vulnhub.com/entry/imf-1,162/ | https://www.youtube.com/watch?v=kpdDTkRzYbw | Yes
5
Symfonos 1 | Linux | Easy | Note: On this machine we have configured an internal network
to Pivot to Symfonos2
SMB Enumeration
Information Leakage
WordPress Enumeration
Abusing WordPress Plugin - Mail Masta 1.0
Local File Inclusion (LFI)
Bash Scripting - Creating our own file reader utility
LFI + Abusing SMTP service to achieve RCE
Abusing SUID privilege + PATH Hijacking [Privilege Escalation]
EXTRA: Pivoting Lab with Symfonos 2 | eWPT
eJPT
eCPPTv2
eCPTXv2 | https://www.vulnhub.com/entry/symfonos-1,322/ | https://www.youtube.com/watch?v=L1jSoCcvRY4 | Yes
6
Symfonos 2 | Linux | Medium | EXTRA: Creation of bash script to discover computers on the
internal network
EXTRA: Creation of a bash script to discover the open ports of the computers
discovered in the internal network
EXTRA: Remote Port Forwarding - Playing with Chisel (From Symfonos 1)
EXTRA: Socks5 connection with Chisel (Pivoting) (From Symfonos 1)
EXTRA: FoxyProxy + Socks5 Tunnel
EXTRA: Port enumeration with nmap through proxychains
SMB Enumeration
FTP Exploitation - Abusing SITE CPFR/CPTO
Abusing FTP & SMB - Obtaining files from the machine
SSH Connection via Proxychains
SSH + Local Port Forwarding in order to access internal LibreNMS
Playing with socat to define connection flow
LibreNMS Exploitation (User Pivoting) [RCE]
Abusing sudoers privilege (mysql) [Privilege Escalation] | eWPT
eJPT
eCPPTv2
eCPTXv2 | https://www.vulnhub.com/entry/symfonos-2,331/ | https://www.youtube.com/watch?v=L1jSoCcvRY4 | Yes
7
Symfonos 3 | Linux | Medium | Note: On this machine we have configured 2 internal networks
to Pivot to Symfonos 5 + Windows Machine
Web Enumeration
Shellshock Attack - User Agent [RCE]
Creating an AutoPwn script - Python Scripting
Processes and commands enumeration - Pspy
Intercepting FTP authentication credentials - Tcpdump
Abusing write permissions in Python libraries + Abusing Cron Job [Privilege
Escalation]
EXTRA: Pivoting Lab with Hades-PC (Windows 10 Personal Computer in VMWare)
EXTRA: Creation of bash script to discover computers on the internal network
EXTRA: Creation of a bash script to discover the open ports of the computers
discovered in the internal network
EXTRA: Remote Port Forwarding - Playing with Chisel (From Symfonos 3)
EXTRA: Socks5 connection with Chisel (Pivoting) (From Symfonos 3)
EXTRA: Port enumeration with nmap through proxychains
EXTRA: SMB & WinRM Enumeration - CrackMapExec
EXTRA: Password Spraying - CrackMapExec (Looking for valid credentials)
EXTRA: Abusing WinRM through proxychains - EvilWinRM
EXTRA: Pivoting Lab with Symfonos 5 | eWPT
eJPT
eCPPTv2
eCPTXv2 | https://www.vulnhub.com/entry/symfonos-31,332/ | https://www.youtube.com/watch?v=E4eUdAd6tAM | Yes
8
Symfonos 5 | Linux | Medium | EXTRA: Creating a double socks5 tunnel with chisel
EXTRA: Redirecting request flow with socat to make services accessible
EXTRA: Powershell script to find computers in the internal network
EXTRA: Playing with xargs to increase the speed of port scanning with the Dual
Proxy
Web Enumeration
Ldap Injection - Login Bypass
Local File Inclusion (LFI)
Ldap Enumeration - ldapsearch
Gaining SSH access through a dual socks5 proxy
Abusing sudoers privilege [dpkg] [Privilege Escalation]
EXTRA: Managing connection flow with netsh from the Windows machine
EXTRA: Playing with netsh + socat + Socks5 Proxy (chisel) to make the second
internal network accessible
EXTRA: Reverse shells and resource offloading through 2 internal networks | eWPT
eJPT
eCPPTv2
eCPTXv2 | https://www.vulnhub.com/entry/symfonos-52,415/ | https://www.youtube.com/watch?v=E4eUdAd6tAM | Yes
9
Symfonos 6 | Linux | Medium | Note: On this machine we have configured an internal network
to Pivot to Empire: Breakout
Web Enumeration
FlySpray Exploitation
Abusing FlySpray - Cross Site Scripting (XSS)
Getting the administrator to create a new privileged user through XSS
Information Leakage
Gitlab Enumeration
Abusing API + Preg_Replace to achieve RCE on the creation of a new post
Abusing sudoers privilege (go) [Privilege Escalation]
EXTRA: System Enumeration with Pwncat-CS
EXTRA: Pivoting Lab with Breakout | eWPT
eWPTXv2
OSWE
eCPPTv2
eCPTXv2 | https://www.vulnhub.com/entry/symfonos-61,458/ | https://www.youtube.com/watch?v=sjUgh__Utvs | Yes
10
Empire: Breakout | Linux | Easy | EXTRA: Creation of bash script to discover computers
on the internal network
EXTRA: Creation of a bash script to discover the open ports of the computers
discovered in the internal network
EXTRA: Remote Port Forwarding - Playing with Chisel (From Symfonos 6)
EXTRA: Local Port Forwarding - Playing with SSH (From attacker machine)
EXTRA: Socks5 connection with Chisel (Pivoting) (From Symfonos 6)
EXTRA: FoxyProxy + Socks5 Tunnel
EXTRA: Port scanning with nmap through proxychains + Xargs
Dealing with esoteric language - Brainfuck
RPC Enumeration
RPC RID Cycling Attack (Manual brute force) - Discovering valid system users
RPC lookupnames + Xargs Speed Boost TIP - Discovering valid system users
(Alternative way)
Abusing Usermin Panel [RCE]
Controlling the flow of connections and sending a reverse shell
Abusing TAR cap_dac_read_search capability [Privilege Escalation] | eWPT
eWPTXv2
eCPPT
eCPTXv2
OSWE | https://www.vulnhub.com/entry/empire-breakout,751/ | https://www.youtube.com/watch?v=sjUgh__Utvs | Yes
11
ICA: 1 | Linux | Easy | Reconfiguring machine interfaces for correct IP assignment via
dhcp [Small bypass to circumvent the password]
Abusing qdPM 9.2 - Password Exposure (Unauthenticated)
Remote connection to the MYSQL service and obtaining user credentials
SSH brute force with Hydra
Abusing relative paths in a SUID binary - Path Hijacking [Privilege
Escalation] | eJPT | https://www.vulnhub.com/entry/ica-1,748/ | https://www.youtube.com/watch?v=FvXg6U1wBY4 | Yes
12
Corrosion 2 | Linux | Easy | Note: On this machine we have configured an internal
network to Pivot to Corrosion 1
Web Enumeration
Information Leakage + Cracking ZIP File
Abusing Tomcat - Creating a malicious WAR file [RCE]
Abusing SUID Binary - Reading privileged files
Cracking Hashes
Manipulating the code of a Python library with incorrectly configured
permissions [Privilege Escalation]
EXTRA: Pivoting Lab with Corrosion 1 | eJPT
eCPPTv2 | https://www.vulnhub.com/entry/corrosion-2,745/ | https://www.youtube.com/watch?v=Mc4FuBRyybc | Yes
13
Corrosion 1 | Linux | Medium | EXTRA: Creation of bash script to discover computers on the
internal network
EXTRA: Creation of a bash script to discover the open ports of the computers
discovered in the internal network
EXTRA: Remote Port Forwarding - Playing with Chisel (From Corrosion 2)
EXTRA: Socks5 connection with Chisel (Pivoting) (From Symfonos 6)
EXTRA: FoxyProxy + Socks5 Tunnel
EXTRA: Port scanning with nmap through proxychains + Xargs
EXTRA: Fuzzing with gobuster through a Socks5 Proxy
Local File Inclusion (LFI)
LFI + RCE via SSH Log Poisoning (auth.log)
EXTRA: Reverse shell playing with socat to make the shell travel from an
intermediary computer to us
Cracking ZIP file
EXTRA: SSH over Proxychains
Abusing sudoers privilege + Creating and compiling malicious C file [Privilege
Escalation] | eCPPTv2
eWPT | https://www.vulnhub.com/entry/corrosion-1,730/ | https://www.youtube.com/watch?v=Mc4FuBRyybc | Yes
14
BuffEMR | Linux | Easy | FTP Enumeration
Information Leakage
OpenEMR 5.0.1.3 - Remote Code Execution (Authenticated)
Buffer Overflow x32 - Stack based [Linux x86 shellcode - execve("/bin/bash",
["/bin/bash", "-p"], NULL) - 33 bytes] | eWPT
Buffer Overflow | https://www.vulnhub.com/entry/buffemr-101,717/ | https://www.youtube.com/watch?v=LxYMz6wvfWU | Yes
15
Venom: 1 | Linux | Easy | Cracking Hashes
RPC Enumeration
FTP Enumeration
RPC RID Cycling Attack (Manual brute force) + Xargs Boost Speed Tip -
Discovering valid system users
Crypto Challenge - Vigenere Cipher
Subrion CMS v4.2.1 Exploitation - Arbitrary File Upload (Phar files) [RCE]
Listing system files and discovering privileged information
Abusing SUID binary (find) [Privilege Escalation] | eJPT
eWPT | https://www.vulnhub.com/entry/venom-1,701/ | https://www.youtube.com/watch?v=4wl9MjByHNw | Yes
16
Durian: 1 | Linux | Easy | Web Enumeration
Local File Inclusion (LFI)
LFI to RCE - Abusing /proc/self/fd/X + Log Poisoning
Abusing capabilities (cap_setuid+ep on gdb binary) [Privilege Escalation] | eJPT
eWPT | https://www.vulnhub.com/entry/durian-1,553/ | https://www.youtube.com/watch?v=4VnatIievBE | Yes
17
Solstice | Linux | Easy | Note: On this machine we have configured an internal network
to Pivot to Joestar
Web Enumeration
Local File Inclusion (LFI)
LFI to RCE - Log Poisoning (Apache Logs)
Abusing Internal Web Service running as Root [Privilege Escalation]
EXTRA: Creation of bash script to discover computers on the internal network
EXTRA: Creation of a bash script to discover the open ports of the computers
discovered in the internal
network | eWPT | https://www.vulnhub.com/entry/sunset-solstice,499/ | https://www.youtube.com/watch?v=6gfo7qMpJOI | Yes
18
Joestar | Linux | Medium | EXTRA: Remote Port Forwarding - Playing with Chisel (From
Solstice)
EXTRA: Socks5 connection with Chisel (Pivoting) (From Solstice)
EXTRA: FoxyProxy + Socks5 Tunnel
EXTRA: Fuzzing with gobuster through a Socks5 Proxy
Web Enumeration
Information Leakage
Gas Station ATGs Enumeration (SCADA)
Abusing a gas tank system - Enumerating tank inventories
Abusing a tank system - Sending an instruction that exposes a port through which
we can connect to the machine
EXTRA: File transfer using socat to control the flow of connections
Abusing LXD group [Privilege Escalation] | OSCP (Escalation) | https://www.vulnhub.com/entry/bizarre-adventure-joestar,590/ | https://www.youtube.com/watch?v=6gfo7qMpJOI | Yes
19
DarkHole: 1 | Linux | Easy | Web Enumeration
Abusing password change panel - Password change for admin user
Abusing File Upload - Uploading malicious PHAR archive
Abusing custom SUID binary - User Pivoting
Abusing sudoers privilege - Python script manipulation [Privilege
Escalation] | eWPT | https://www.vulnhub.com/entry/darkhole-1,724/ | https://www.youtube.com/watch?v=UXo-Iy8ehj8 | Yes
20
Aragog | Linux | Easy | Note: On this machine we have configured 6 machines and 4
internal networks to Pivot to Brainpan
WordPress Enumeration + Virtual Hosting
Using wpscan + API TOKEN for vulnerability discovery in wordpress
File Manager WordPress Plugin Exploitation - Unauthenticated Arbitrary File
Upload leading to RCE
Uploading a web shell to the server
Enumerating the Apache web server directory structure
MYSQL Database Enumeration
Cracking Hashes + Password reuse
Abusing Cron Job [Privilege Escalation]
EXTRA: Creation of bash script to discover computers on the internal network
EXTRA: Creation of a bash script to discover the open ports of the computers
discovered in the internal network | eWPT
OSCP | https://www.vulnhub.com/entry/harrypotter-aragog-102,688/ | https://www.youtube.com/watch?v=Q7UeWILja-g | Yes
21
Nagini | Linux | Medium | EXTRA: Remote Port Forwarding - Playing with Chisel (From
Solstice)
EXTRA: Socks5 connection with Chisel (Pivoting) (From Solstice)
EXTRA: FoxyProxy + Socks5 Tunnel
EXTRA: Fuzzing with gobuster through a Socks5 Proxy
EXTRA: Port scanning with nmap through proxychains + Xargs
HTTP3 Enumeration - Quiche Installation
Server Side Request Forgery (SSRF)
EXTRA: Playing with socat to reach our web server by going through an
intermediate machine
Joomla Enumeration - Joomscan
Joomla Enumeration - Readable config file is found
SSRF + MYSQL Enumeration through gopher link - Gopherus
Changing the Joomla administrator user password via Gopherus and SSRF
Joomla Exploitation - Abusing available templates
EXTRA: Joomla Exploitation - Reverse shell passing through an intermediary
machine using socat
Information Leakage
Abusing SUID Binary (User Pivoting)
Getting stored Firefox credentials - Firepwd [Privilege Escalation]
EXTRA: Creation of bash script to discover computers on the internal network
EXTRA: Creation of a bash script to discover the open ports of the computers
discovered in the internal network | eWPT
eWPTXv2
OSWE
eCPPTv2
eCPTXv2 | https://www.vulnhub.com/entry/harrypotter-nagini,689/ | https://www.youtube.com/watch?v=Q7UeWILja-g | Yes
22
Fawkes | Linux | Medium | EXTRA: Running chisel as a client from the Nagini machine to
reach the Fawkes machine
EXTRA: Creating a new socks5 connection through a new port
EXTRA: FTP connection in passive mode when going through proxychains
Binary Enumeration - Buffer Overflow (x32) Stack Based
EXTRA: Execution of the Buffer Overflow sending the reverse shell through 2
machines until it reaches us
Abusing Sudoers Privilege in a container
Intercepting the traffic with tcpdump - Discovering credentials in FTP
authentication
SSH Credential Reuse - Escaping the Container
Abusing sudo 1.8.27 version (CVE-2021-3156) [Privilege Escalation]
EXTRA: Creation of bash script to discover computers on the internal network
EXTRA: Creation of a bash script to discover the open ports of the computers
discovered in the internal network
EXTRA: Jumping to Windows Dumbledore-PC machine
EXTRA: Running chisel as a client from the Fawkes machine to reach the
Dumbledore-PC machine
EXTRA: Creating a new socks5 connection through a new port
EXTRA: Eternalblue (MS17-010) Exploitation in order to gain access to the
Dumbledore-PC machine
EXTRA: Uploading Chisel to the Windows machine
EXTRA: Creating a new SOCKS5 connection to gain access to the Matrix 1 machine
(Triple SOCKS5 Proxy)
EXTRA: Host discovery from Windows MSDOS + ARP command | eCPPTv2
eCPTXv2
Buffer Overflow | https://www.vulnhub.com/entry/harrypotter-fawkes,686/ | https://www.youtube.com/watch?v=Q7UeWILja-g | Yes
23
Matrix: 1 | Linux | Easy | Crypto Challenge
Creating a password dictionary using crunch
EXTRA: Applying brute force with Hydra by going through a triple SOCKS5 proxy
Escaping from a restrictive shell
Abusing sudoers privilege [Privilege Escalation]
EXTRA: Creation of bash script to discover computers on the internal network
EXTRA: Creation of a bash script to discover the open ports of the computers
discovered in the internal network
EXTRA: Jumping into the Brainpan machine | eCPPTv2
eCPTXv2 | https://www.vulnhub.com/entry/matrix-1,259/ | https://www.youtube.com/watch?v=Q7UeWILja-g | Yes
24
Brainpan | Windows | Medium | Web Enumeration - BurpSuite Intruder Attack (Due to certain
timeout problems using multiple proxies)
EXE Binary Analysis - Immunity Debugger [Buffer Overflow x32 Stack Based]
EXTRA: Playing with netsh to control connection flow in Windows
EXTRA: Reverse shell going through 4 machines using 4 SOCKS proxies | eCPPTv2
eCPTXv2
Buffer Overflow | https://www.vulnhub.com/entry/brainpan-1,51/ | https://www.youtube.com/watch?v=Q7UeWILja-g | Yes
25
Djinn: 3 | Linux | Medium | Applying brute force to discover valid credentials on a custom
application [Python Scripting]
Server Side Template Injection (SSTI) - Exploit the SSTI by calling
subprocess.Popen
Decompiling pyc files with uncompyle6
Python script analysis + Abusing cron job [User Pivoting]
Abusing sudoers privilege in order to create a new user and read /etc/sudoers
file by assigning --gid 0
Creating a user that exists as described in the sudoers file but does not exist
on the system
Abusing sudoers privilege (apt-get) for the newly created user [Privilege
Escalation] | eWPT
OSCP | https://vulnhub.com/entry/djinn-3,492/ | https://www.youtube.com/watch?v=CpFdlFRyzqc | Yes
26
SafeHarbor: 1 | Linux | Medium | Basic SQL Injection (SQLI)
Local File Inclusion (LFI) + Wrappers (Enumerating sensitive files)
Remote File Inclusion (RFI) + Filter Bypass
Enumeration of existing containers with ARP command
Playing with chisel to reach the Docker containers from our host machine (Socks
+ Proxychains)
Enumeration of existing database in another container
Host discovery going through SOCKS connection + Xargs trick to speed up scanning
ElasticSearch Exploitation - Remote Code Execution
Abusing Docker API in order to create a new container [Privilege Escalation] | eWPT
eCPPTv2 | https://www.vulnhub.com/entry/safeharbor-1,377/ | https://www.youtube.com/watch?v=tKWuxNnEHHU | Yes
27
DevGuru: 1 | Linux | Medium | Web Enumeration
Extracting the contents of .git directory - GitDumper
Extracting the contents of .git directory - GitExtractor
Information Leakage
Gaining access to an Adminer 4.7.7 panel
Generating a new bcrypt hash for a user in order to gain access to OctoberCMS
backend
OctoberCMS Exploitation - Markup + PHP Code Injection
Abusing Adminer to gain access to Gitea
Abusing Git Hooks (pre-receive) - Code Execution (User Pivoting)
Abusing sudoers privilege (ALL, !root) NOPASSWD + Sudo version (u#-1) in order
to become root | eWPT
OSWE
OSCP | https://www.vulnhub.com/entry/devguru-1,620/ | https://www.youtube.com/watch?v=OyYZA0H0AyA | Yes
28
Inferno: 1.1 | Linux | Medium | Note: On this machine we have configured an internal
network to Pivot to Empire: Masashi: 1
Web Enumeration
Basic Web Authentication Brute Force - Hydra
Authenticated Codiad Exploitation - Remote Code Execution
Information Leakage
Abusing sudoers privilege in order to assign a new privilege in sudoers
[Privilege Escalation]
EXTRA: Creation of bash script to discover computers on the internal network
EXTRA: Creation of a bash script to discover the open ports of the computers
discovered in the internal network
EXTRA: Remote Port Forwarding - Playing with Chisel
EXTRA: Socks5 connection with Chisel (Pivoting)
EXTRA: FoxyProxy + Socks5 Tunnel
EXTRA: Fuzzing with gobuster through a Socks5 Proxy | eWPT
eCPPTv2 | https://www.vulnhub.com/entry/inferno-11,603/ | https://www.youtube.com/watch?v=d5GXWOcwrKM | Yes
29
Masashi: 1 | Linux | Easy | Creating a customized dictionary with cewl
SSH Brute Force - Hydra
Abusing Sudoers Privilege (Privilege Escalation) | eWPT
eCPPTv2 | https://www.vulnhub.com/entry/masashi-1,599/ | https://www.youtube.com/watch?v=d5GXWOcwrKM | Yes
30
HA: Natraj | Linux | Easy | Web Enumeration
Local File Inclusion (LFI)
Log Poisoning Attack (RCE)
Overwriting Apache configuration files (User Pivoting)
Abusing Sudoers Privilege (nmap) [Privilege
Escalation] | eWPT | https://www.vulnhub.com/entry/ha-natraj,489/ | https://www.youtube.com/watch?v=eKAMpQhZ81E | Yes
31
Casino Royale: 1 | Linux | Medium | Web Enumeration
Abusing PokerMax - SQLI (SQL Injection)
Manual Blind SQLI (SQL Injection) - Python Scripting
Pokermax players management
Virtual Hosting
Snowfox CMS Exploitation - Cross-Site Request Forgery (Add Admin) [CSRF]
Abusing the SMTP service to send a fraudulent email in order to exploit the CSRF
Information Leakage
XXE Attack - XML External Entity Injection (Reading internal files)
FTP Brute Force - Hydra
Uploading malicious PHP file + Bypassing Restriction
Information Leakage - Reading config files
Abusing SUID privilege [Privilege Escalation] | eWPT
eWPTXv2
OSWE | https://www.vulnhub.com/entry/casino-royale-1,287/ | https://www.youtube.com/watch?v=ZvVbDArEjBM | Yes
32
Sputnik: 1 | Linux | Easy | Web Enumeration
Github Project Enumeration - Information Leakage
Splunk Enumeration
Splunk Exploitation - Weaponizing Splunk with reverse and bind shells
(Installing a new malicious application)
Abusing sudoers privilege (ed command) | eWPT
OSCP | https://www.vulnhub.com/entry/sputnik-1,301/ | https://www.youtube.com/watch?v=Cab33avTlN8 | Yes
33
Insanity: 1 | Linux | Easy | FTP Enumeration
Virtual Hosting
Brute force on authentication panel - Hydra
SquirrelMail Enumeration
SQLI (SQL Injection) visible from SquirrelMail INBOX
Obtaining clear text credentials stored in Firefox (firepwd) [Privilege
Escalation] | eWPT | https://www.vulnhub.com/entry/insanity-1,536/ | https://www.youtube.com/watch?v=ptZqz9a86B0 | Yes
34
The Planets: Earth | Linux | Easy | Web Enumeration
Information Leakage
Playing with XOR - Crypto Challenge
Abusing Admin Command Tool - Bypassing IP address restriction for Reverse Shell
Abusing SUID Privilege [Privilege
Escalation] | eWPT | https://www.vulnhub.com/entry/the-planets-earth,755/ | https://www.youtube.com/watch?v=E68j-8k0Xuo | Yes
35
Hack Me Please: 1 | Linux | Easy | Web Enumeration
SeedDMS Enumeration
Information Leakage
Database Enumeration - MYSQL
Manipulating values stored in the database
SeedDMS Remote Command Execution
Password reuse - User Migration
Abusing Sudoers Privilege [Privilege Escalation] | eWPT
eJPT | https://www.vulnhub.com/entry/hack-me-please-1,731/ | https://www.youtube.com/watch?v=B4BMMb5cwjI | Yes
36
Shuriken: 1 | Linux | Medium | Web Enumeration
JS Code Inspection
Information Leakage
Local File Inclusion (LFI + Base64 Wrapper)
Virtual Hosting
Subdomain Enumeration
Abusing LFI - Reading Apache config files
Cracking Hashes
ClipBucket v4.0 Exploitation - Malicious PHP File Upload
Abusing sudoers privilege (npm) [User Migration]
Process Monitoring - PSPY
Abusing Cron Job - Analyzing Bash script
Abusing Wildcards (tar command) [Privilege Escalation] | eWPT
OSCP
OSWE | https://www.vulnhub.com/entry/shuriken-1,600/ | https://www.youtube.com/watch?v=illwVObIX0Q | Yes
37
Prime: 2 | Linux | Easy | Web Enumeration
WordPress Enumeration
GraceMedia Media Player 1.0 - Local File Inclusion (LFI)
LFI to RCE through uploaded webshell
Abusing SMB shared files in order to gain SSH access
Abusing lxd group [Privilege Escalation] | eWPT
OSCP (Escalation) | https://www.vulnhub.com/entry/prime-2021-2,696/ | https://www.youtube.com/watch?v=WprcnQUsO0Y | Yes
38
Momentum: 2 | Linux | Easy | Web Enumeration
Information Leakage - We find a backup file stored on the server
We create a specially designed request to ajax.php for uploading a file
Fuzzing Admin Cookie - BurpSuite Intruder Sniper Attack
Abusing Sudoers Privilege [Command Injection during the execution of a Python
script] [Privilege Escalation] | eWPT
OSWE | https://www.vulnhub.com/entry/momentum-2,702/ | https://www.youtube.com/watch?v=ejjCStCm6k0 | Yes
39
Hacker Kid: 1.0.1 | Linux | Medium | Web Enumeration
Information Leakage
Fuzzing GET parameter - Wfuzz (Range Payload)
Subdomain Enumeration (dig)
XXE (XML External Entity Injection) Attack
XXE + Base64 Wrapper in order to read .bashrc
SSTI (Server Side Template Injection) - Tornado Injection (RCE)
Abusing Capabilities (Python2.7 cap_sys_ptrace+ep) - Injecting BIND TCP
shellcode into root process [Privilege Escalation] | eWPT
OSWE
OSCP (Escalation) | https://www.vulnhub.com/entry/hacker-kid-101,719/ | https://www.youtube.com/watch?v=QRgig7825Qg | Yes
40
AdmX 1.0.1 | Linux | Easy | Web Enumeration
Fixing web hardcoded private IP address - BurpSuite Match and Replace Rules
Abusing xmlrpc.php - Creating a Bash script to discover valid credentials
Logging into the administration panel and tweaking existing themes
(TwentyNineteen) [RCE]
Abusing Sudoers privilege - Command injection through interactive MYSQL
[Privilege Escalation] | eWPT
OSWE | https://download.vulnhub.com/admx/AdmX_new.7z | https://www.youtube.com/watch?v=8jx2NJJcDyY | Yes
41
Momentum: 1 | Linux | Easy | Web Enumeration
Abusing CryptoJS - Decryption Process
SSH Credentials Guessing
Abusing Internal Service (Redis) + Information Leakage [Privilege
Escalation] | eWPT | https://www.vulnhub.com/entry/momentum-1,685/ | https://www.youtube.com/watch?v=Q68_PnfCxn8 | Yes
42
Sunset: Sunrise | Linux | Easy | Web Enumeration
Abusing Weborf 0.12.2 - Directory Traversal
Web Fuzzing - Wfuzz
Information Leakage
Database Enumeration
Abusing sudoers privilege (wine) + Msfvenom malicious EXE binary [Privilege
Escalation] | eWPT | https://www.vulnhub.com/entry/sunset-sunrise,406/ | https://www.youtube.com/watch?v=24bWx8GsgK8 | Yes
43
Leeroy: 1 | Linux | Medium | Web Enumeration
Virtual Hosting
WordPress Enumeration
Abusing WordPress Plugin - WP with Spritz 1.0 Remote File Inclusion (RFI)
Local File Inclusion (LFI)
Information Leakage
Abusing Jenkins - Remote Code Execution (Script Console Groovy Scripts) [RCE]
Decrypting credentials.xml Jenkins encrypted password
[hudson.util.Secret.decrypt() Utility]
Abusing sudoers privilege [Domain hijacking + Apache2 HTTPS Configuration
(default-ssl.conf)] [Privilege Escalation] | eWPT
OSWE
OSCP | https://www.vulnhub.com/entry/leeroy-1,611/ | https://www.youtube.com/watch?v=dV1XrUJ_zcU | Yes
44
Presidential 1 | Linux | Medium | Web Enumeration
Information Leakage
Virtual Hosting
Subdomain Enumeration
Abusing phpMyAdmin - LFI to RCE (abusing PHP ID sessions)
Cracking Hashes (User Pivoting)
Abusing Capabilities (tar cap_dac_read_search+ep) [Privilege Escalation] | eWPT
OSWE
eWPTXv2
OSCP | https://cloud.caerdydd.wales/index.php/s/dxo7t46rwCGoMMr | https://www.youtube.com/watch?v=wT4vJRzwxYk | Yes
45
Election: 1 | Linux | Easy | Web Enumeration
Information Leakage - Log Exposure
Abusing SUID Binary (Serv-U FTP Server < 15.1.7) [Privilege Escalation] | eJPT (Intrusion)
OSCP (Escalation) | https://www.vulnhub.com/entry/election-1,503/ | https://www.youtube.com/watch?v=ut75fw5wVh0 | Yes
46
Loly: 1 | Linux | Easy | Web Enumeration
WordPress Enumeration
Abusing xmlrpc.php in order to obtain valid credentials (Advanced Bash
Scripting)
Abusing AdRotate Manage Media [RCE]
Kernel Exploitation (Linux Kernel < 4.13.9 - Local Privilege Escalation) | eWPT
OSCP (Escalation) | https://www.vulnhub.com/entry/loly-1,538/ | https://www.youtube.com/watch?v=RrE0eWde0BA | Yes
47
HackNos: Player V1.1 | Linux | Medium | Note: On this machine we have configured an internal network to Pivot to
Wireless: 1
Web Enumeration
WordPress Enumeration
Information Leakage
JQ Filtering Tips
WP Support Plus Responsive Ticket System - WordPress Plugin Exploitation
(Privilege Escalation)
Abusing WordPress Header.php file [RCE]
Abusing sudoers privilege (find command) [User Pivoting]
Abusing sudoers privilege (ruby command) [User Pivoting]
Abusing sudoers privilege (gcc command) [Privilege Escalation]
EXTRA: Creation of bash script to discover computers on the internal network
EXTRA: Creation of an advanced bash script to discover the open ports of the
computers discovered in the internal network
EXTRA: Remote Port Forwarding - Playing with Chisel
EXTRA: Socks5 connection with Chisel (Pivoting)
EXTRA: FoxyProxy + Socks5 Tunnel
EXTRA: Fuzzing with gobuster through an SSH Local Port Forwarding Tunnel | eWPT
eCPPTv2 | https://www.vulnhub.com/entry/hacknos-player-v11,459/ | https://www.youtube.com/watch?v=6oyv75uwW60 | Yes
48
Wireless: 1 | Linux | Medium | Information Leakage
Javascript Challenge
Abusing VOIP Monitor (Reading VOIP logs)
Decoding SMS PDU messages - VOIP logs
Virtual Hosting
Subdomain Enumeration through SSH Local Port Forwarding Tunnel
CMS Made Simple 2.2.9 Exploitation - Unauthenticated SQL Injection
RCE through CMS Made Simple Custom Tags - PHP Code Execution
EXTRA: Reverse Shell + SOCAT in order to control the flow of connections
(PIVOTING)
Creating a custom dictionary with cewl + SSH Brute Force (Hydra)
Abusing LXD group (Privilege Escalation) | eWPT
eCPPTv2 | https://www.vulnhub.com/entry/wireless-1,669/ | https://www.youtube.com/watch?v=6oyv75uwW60 | Yes
49
SecureCode: 1 | Linux | Medium | Web Enumeration
Information Leakage
PHP Code Analysis
Database Enumeration
SQLI (SQL Injection) Conditional Based [Status Code Response] + Bypass
Restriction (mysqli_real_escape_string)
Obtaining database values (Python Scripting - AutoPwn SQLI)
Abusing SQLI in order to change the admin password
Abusing File Upload (Content-Type Manipulation + PHAR extension) [RCE] | eWPT
eWPTXv2
OSWE | https://www.vulnhub.com/entry/securecode-1,651/ | https://www.youtube.com/watch?v=zMRYFFZF_JI | Yes
50
BlackMarket: 1 | Linux | Easy | Web Enumeration
Creating our own dictionary with cewl
FTP Brute Force - HYDRA
SQLI (SQL Injection) - Error Based (Manual)
Cracking Hashes
Gaining access to squirrelmail
Playing with quipqiup - Deciphering a message
Steganography challenge
Abusing a backdoor previously created by an attacker [RCE]
Information Leakage (User Pivoting)
Abusing sudoers privilege [Privilege
Escalation] | eWPT | https://www.vulnhub.com/entry/blackmarket-1,223/ | https://www.youtube.com/watch?v=4KjGetmsOus | Yes
51
Wayne Manor: 1 | Linux | Easy | Virtual Hosting
Port Knocking
FTP Enumeration
Information Leakage
Web Enumeration
BatFlat 1.3.6 CMS Exploitation (Remote Code Execution)
Python Code Analysis + Debugging with Burpsuite
Adapting the exploit to centralize the reverse shell
Detecting cron jobs running on the system (procmon.sh) [Bash Scripting]
Abusing Cron Job + Tar wildcard exploitation [User Pivoting]
Abusing sudoers privilege (service command) [Privilege Escalation] | eWPT
OSCP [Escalation] | https://www.vulnhub.com/entry/wayne-manor-1,681/ | https://www.youtube.com/watch?v=q7VpXo2Pkzk | Yes
52
BoredHackerBlog Cloud AV | Linux | Easy | Abusing Cloud Anti-Virus Web Scanner Service
SQLI (SQL Injection) - SQLite Boolean Blind Based Injection [Python Scripting]
Obtaining invitation codes through SQL injection
Command Injection when scanning a file
Abusing SUID binary via unsanitized argument injection [Privilege
Escalation] | eWPT
eWPTXv2
OSWE
OSCP | https://www.vulnhub.com/entry/boredhackerblog-cloud-av,453/ | https://www.youtube.com/watch?v=mL5UuQkT-wo | Yes
53
Cheesey CheeseyJack | Linux | Easy | Web Enumeration
NFS Enumeration
Creating a custom dictionary with cewl
Login Panel Brute Force [Python Scripting]
Abusing qdPM 9.1 (PHP file upload) [RCE]
Abusing sudoers privilege [Privilege
Escalation] | eWPT | https://www.vulnhub.com/entry/cheesey-cheeseyjack,578/ | https://www.youtube.com/watch?v=WrgxaGxI228 | Yes
54
Cereal: 1 | Linux | Medium | FTP Enumeration
Virtual Hosting
Subdomain Enumeration
Information Leakage - Backup File Discovery
PHP Deserialization Attack [RCE]
Cron Job Enumeration (pspy)
Abusing Cron Job (Chown Symlink) [Privilege Escalation] | eWPT
OSWE
OSCP | https://www.vulnhub.com/entry/cereal-1,703/ | https://www.youtube.com/watch?v=Y9Y_icaPaqE | Yes
55
Tomato: 1 | Linux | Easy | Web Enumeration
Local File Inclusion (LFI) through info.php file
LFI to RCE (Way 1) [Abusing PHP filters chain]
LFI to RCE (Way 2) [Log Poisoning via SSH logs]
Linux Kernel < 4.13.9 Ubuntu 16.04 Exploitation [Privilege Escalation] | eWPT
OSCP | https://www.vulnhub.com/entry/tomato-1,557/ | https://www.youtube.com/watch?v=9g0UHbjcnwA | Yes
56
Infovore: 1 | Linux | Medium | Web Enumeration
LFI (Local File Inclusion)
Abusing file_uploads visible in info.php (LFI2RCE via phpinfo() + Race
Condition)
System Enumeration (Linpeas)
Cracking Protected Private SSH Key
Abusing ssh key pair trust to escape the container
Abusing docker group [Privilege Escalation] | eWPT
eWPTXv2
OSWE
OSCP | https://www.vulnhub.com/entry/infovore-1,496/ | https://www.youtube.com/watch?v=aDXChigtu9g | Yes
57
Wpwn: 1 | Linux | Easy | Note: On this machine we have configured an internal network to
Pivot to DMV: 1
Web Enumeration
WordPress Enumeration
Substitution filtering from BurpSuite to make the WordPress page work properly
WordPress Plugin Social Warfare < 3.5.3 Exploitation (RFI to RCE)
EXTRA: Building a similar lab from Docker
Password Reuse (User Pivoting)
Abusing sudo group [Privilege Escalation]
EXTRA: Creation of bash script to discover computers on the internal network
EXTRA: Creation of bash script to discover the open ports of the computers
discovered in the internal network
Playing with SSH in order to apply local port forwarding | eWPT
eCPPTv2 | https://www.vulnhub.com/entry/wpwn-1,537/ | https://www.youtube.com/watch?v=5rFoXvD4E-w | Yes
58
DMV: 1 | Linux | Easy | Web Enumeration
youtube-dl Web Utility Exploitation (Command Injection + SOCAT in order to jump
to the new sub-network)
PwnKit CVE-2021-4034 Exploitation [Privilege Escalation] | eWPT
eCPPTv2 | https://www.vulnhub.com/entry/dmv-1,462/ | https://www.youtube.com/watch?v=5rFoXvD4E-w | Yes
59
MyExpense: 1 | Linux | Medium | Web Enumeration
Enabling disabled button in the user registration form
XSS (Cross-Site Scripting)
CSRF (Cross-Site Request Forgery)
XSS + Javascript file in order to steal the user's session cookie
XSS + CSRF in order to activate new registered users
XSS vulnerability in message management system
Stealing session cookies with XSS vulnerability in message handling system
Cookie Hijacking
SQL Injection (Union Query Based)
Cracking Hashes
Logging in as the boss and sending us the corresponding money
eWPT, eWPTXv2, OSWE | https://www.vulnhub.com/entry/myexpense-1,405/ | https://www.youtube.com/watch?v=ivrWhnAH2ac | Yes

PowerGrid: 1.0.1 | Linux | Medium
Web Enumeration
Brute Force Basic Authentication (Python Scripting)
Abusing Roundcube 1.2.2 (RCE)
Decrypting PGP message
Abusing sudoers privilege assigned to a user in a container (rsync command)
Jumping to host machine by abusing SSH key pair authority [Privilege Escalation]
eWPT | https://www.vulnhub.com/entry/powergrid-101,485/ | https://www.youtube.com/watch?v=1NmYPIO1kSA | Yes

Five86-1 | Linux | Easy
Web Enumeration
OpenNetAdmin 18.1.1 Exploitation [RCE]
Creating custom dictionaries with crunch
Cracking Hashes
Abusing Sudoers privilege (cp command) [User Pivoting]
Information Leakage
Abusing SUID Binary [WTF Privilege Escalation]
eWPT | https://www.vulnhub.com/entry/five86-1,417/ | - | Yes

Vulnerability | Technique | Writeup | Like | Solved
SQL Injection | SQL injection vulnerability in WHERE clause allowing retrieval of hidden data | https://www.youtube.com/watch?v=C-FiImhUviM | eWPT, eWPTXv2, OSWE | Yes
SQL injection vulnerability allowing login bypass
SQL injection UNION attack, determining the number of columns returned by the query
SQL injection UNION attack, finding a column containing text
SQL injection UNION attack, retrieving data from other tables
SQL injection UNION attack, retrieving multiple values in a single column
SQL injection attack, querying the database type and version on Oracle
SQL injection attack, querying the database type and version on MySQL and Microsoft
SQL injection attack, listing the database contents on non-Oracle databases
SQL injection attack, listing the database contents on Oracle
Blind SQL injection with conditional responses
Blind SQL injection with conditional errors
Blind SQL injection with time delays
Blind SQL injection with time delays and information retrieval
Blind SQL injection with out-of-band interaction
Blind SQL injection with out-of-band data exfiltration
SQL Injection with filter bypass via XML encoding

XML External Entity (XXE) Injection | Exploiting XXE using external entities to retrieve files | https://www.youtube.com/watch?v=UfILDa_qStQ | eWPT, eWPTXv2, OSWE | Yes
Exploiting XXE to perform SSRF attacks
Blind XXE with out-of-band (OOB) interaction
Blind XXE with out-of-band (OOB) interaction via XML parameter entities
Exploiting blind XXE to exfiltrate data using a malicious external DTD
Exploiting blind XXE to retrieve data via error messages
Exploiting XInclude to retrieve files
Exploiting XXE via image file upload

Directory Traversal | File path traversal, simple case | https://www.youtube.com/watch?v=64XIkIyCIRo | eWPT | Yes
File path traversal, traversal sequences blocked with absolute path bypass
File path traversal, traversal sequences stripped non-recursively
File path traversal, traversal sequences stripped with superfluous URL-decode
File path traversal, validation of start of path
File path traversal, validation of file extension with null byte bypass

Server-side Request Forgery (SSRF) | Basic SSRF against the local server | https://www.youtube.com/watch?v=xQ2rivaFcsE | eWPT, eWPTXv2, OSWE | Yes
Basic SSRF against another back-end system
SSRF with blacklist-based input filter
SSRF with filter bypass via open redirection vulnerability
Blind SSRF with out-of-band (OOB) detection
SSRF with whitelist-based input filter
Blind SSRF with Shellshock exploitation

ADDITIONAL MACHINES TO PRACTICE WITH

Machine | Operating System | Difficulty | Techniques Covered | Like | Writeup | Download Link | Creators | Solved

Naughty | Linux | Insane
SCTP Port Scan (nmap)
Using socat to access services
Special Virtual Hosting
Headers Discovery (Python Fuzzing Script) - Header Authentication
Advanced Cryptography Challenge
Limited Shell Bypass (lshell) - ED Command
Abusing Unix Socket Files
Abusing PTRACE_SCOPE (Privilege Escalation)
eWPT, eWPTXv2, OSWE, OSCP | https://bit.ly/3iSUNci [PDF format], https://www.youtube.com/watch?v=m_y7nnj8UYA [Video format] | https://bit.ly/3v1FcwP | S4vitar / Wh1tedrvg0n | Yes