{"newData":[{"certification":"eWPT\neJPT","ip":"https://www.vulnhub.com/entry/darkhole-2,740/","name":"DarkHole: 2","os":"Linux","platform":"VulnHub","state":"Easy","techniques":"Information Leakage\nGithub Project Enumeration\nSQLI (SQL Injection)\nChisel (Remote Port Forwarding) + Abusing Internal Web Server\nBash History - Information Leakage [User Pivoting]\nAbusing Sudoers Privilege [Privilege Escalation]","video":"https://www.youtube.com/watch?v=xYLNxmuH9Sg"},{"certification":"eWPT\neWPTXv2\nOSWE\nBuffer Overflow","ip":"https://www.vulnhub.com/entry/imf-1,162/","name":"IMF","os":"Linux","platform":"VulnHub","state":"Medium","techniques":"Information Leakage\nAbusing Web Page - User Enumeration Vulnerability (Login)\nSQLI (SQL Injection) [Boolean Based Blind] + Python Scripting [Manual]\nAbusing Image Upload Form [RCE] + WAF Bypass\nCustom Binary Exploitation - Ghidra Analysis\nCustom Binary Exploitation - Buffer Overflow x32 bits (ret2reg technique) [Privilege Escalation]","video":"https://www.youtube.com/watch?v=kpdDTkRzYbw"},{"certification":"eWPT\neJPT\neCPPTv2\neCPTXv2","ip":"https://www.vulnhub.com/entry/symfonos-1,322/","name":"Symfonos 1","os":"Linux","platform":"VulnHub","state":"Easy","techniques":"Note: On this machine we have configured an internal network to Pivot to Symfonos2\nSMB Enumeration\nInformation Leakage\nWordPress Enumeration\nAbusing WordPress Plugin - Mail Masta 1.0\nLocal File Inclusion (LFI)\nBash Scripting - Creating our own file reader utility\nLFI + Abusing SMTP service to achieve RCE\nAbusing SUID privilege + PATH Hijacking [Privilege Escalation]\nEXTRA: Pivoting Lab with Symfonos 2","video":"https://www.youtube.com/watch?v=L1jSoCcvRY4"},{"certification":"eWPT\neJPT\neCPPTv2\neCPTXv2","ip":"https://www.vulnhub.com/entry/symfonos-2,331/","name":"Symfonos 2","os":"Linux","platform":"VulnHub","state":"Medium","techniques":"EXTRA: Creation of bash script to discover computers on the internal network\nEXTRA: Creation of a bash script 
to discover the open ports of the computers discovered in the internal network\nEXTRA: Remote Port Forwarding - Playing with Chisel (From Symfonos 1)\nEXTRA: Socks5 connection with Chisel (Pivoting) (From Symfonos 1)\nEXTRA: FoxyProxy + Socks5 Tunnel\nEXTRA: Port enumeration with nmap through proxychains\nSMB Enumeration\nFTP Exploitation - Abusing SITE CPFR/CPTO\nAbusing FTP \u0026 SMB - Obtaining files from the machine\nSSH Connection via Proxychains\nSSH + Local Port Forwarding in order to access internal LibreNMS\nPlaying with socat to define connection flow\nLibreNMS Exploitation (User Pivoting) [RCE]\nAbusing sudoers privilege (mysql) [Privilege Escalation]","video":"https://www.youtube.com/watch?v=L1jSoCcvRY4"},{"certification":"eWPT\neJPT\neCPPTv2\neCPTXv2","ip":"https://www.vulnhub.com/entry/symfonos-31,332/","name":"Symfonos 3","os":"Linux","platform":"VulnHub","state":"Medium","techniques":"Note: On this machine we have configured 2 internal networks to Pivot to Symfonos 5 + Windows Machine\nWeb Enumeration\nShellshock Attack - User Agent [RCE]\nCreating an AutoPwn script - Python Scripting\nProcesses and commands enumeration - Pspy\nIntercepting FTP authentication credentials - Tcpdump\nAbusing write permissions in Python libraries + Abusing Cron Job [Privilege Escalation]\nEXTRA: Pivoting Lab with Hades-PC (Windows 10 Personal Computer in VMWare)\nEXTRA: Creation of bash script to discover computers on the internal network\nEXTRA: Creation of a bash script to discover the open ports of the computers discovered in the internal network\nEXTRA: Remote Port Forwarding - Playing with Chisel (From Symfonos 3)\nEXTRA: Socks5 connection with Chisel (Pivoting) (From Symfonos 3)\nEXTRA: Port enumeration with nmap through proxychains\nEXTRA: SMB \u0026 WinRM Enumeration - CrackMapExec\nEXTRA: Password Spraying - CrackMapExec (Looking for valid credentials)\nEXTRA: Abusing WinRM through proxychains - EvilWinRM\nEXTRA: Pivoting Lab with Symfonos 
5","video":"https://www.youtube.com/watch?v=E4eUdAd6tAM"},{"certification":"eWPT\neJPT\neCPPTv2\neCPTXv2","ip":"https://www.vulnhub.com/entry/symfonos-52,415/","name":"Symfonos 5","os":"Linux","platform":"VulnHub","state":"Medium","techniques":"EXTRA: Creating a double socks5 tunnel with chisel \nEXTRA: Redirecting request flow with socat  to make services accessible\nEXTRA: Powershell script to find computers in the internal network\nEXTRA: Playing with xargs to increase the speed of port scanning with the Dual Proxy\nWeb Enumeration\nLdap Injection - Login Bypass\nLocal File Inclusion (LFI)\nLdap Enumeration - ldapsearch\nGaining SSH access through a dual socks5 proxy\nAbusing sudoers privilege [dpkg] [Privilege Escalation]\nEXTRA: Managing connection flow with netsh from the Windows machine\nEXTRA: Playing with netsh + socat + Socks5 Proxy (chisel) to make the second internal network accessible\nEXTRA: Reverse shells and resource offloading through 2 internal networks","video":"https://www.youtube.com/watch?v=E4eUdAd6tAM"},{"certification":"eWPT\neWPTXv2\nOSWE\neCPPTv2\neCPTXv2","ip":"https://www.vulnhub.com/entry/symfonos-61,458/","name":"Symfonos 6","os":"Linux","platform":"VulnHub","state":"Medium","techniques":"Note: On this machine we have configured an internal network to Pivot to Empire: Breakout\nWeb Enumeration\nFlySpray Exploitation\nAbusing FlySpray - Cross Site Scripting (XSS)\nGetting the administrator to create a new privileged user through XSS\nInformation Leakage\nGitlab Enumeration\nAbusing API + Preg_Replace to achieve RCE on the creation of a new post\nAbusing sudoers privilege (go) [Privilege Escalation]\nEXTRA: System Enumeration with Pwncat-CS\nEXTRA: Pivoting Lab with Breakout","video":"https://www.youtube.com/watch?v=sjUgh__Utvs"},{"certification":"eWPT\neWPTXv2\neCPPT\neCPTXv2\nOSWE","ip":"https://www.vulnhub.com/entry/empire-breakout,751/","name":"Empire: Breakout","os":"Linux","platform":"VulnHub","state":"Easy","techniques":"EXTRA: 
Creation of bash script to discover computers on the internal network\nEXTRA: Creation of a bash script to discover the open ports of the computers discovered in the internal network\nEXTRA: Remote Port Forwarding - Playing with Chisel (From Symfonos 6)\nEXTRA: Local Port Forwarding - Playing with SSH (From attacker machine)\nEXTRA: Socks5 connection with Chisel (Pivoting) (From Symfonos 6)\nEXTRA: FoxyProxy + Socks5 Tunnel\nEXTRA: Port scanning with nmap through proxychains + Xargs\nDealing with esoteric language - Brainfuck\nRPC Enumeration\nRPC RID Cycling Attack (Manual brute force) - Discovering valid system users\nRPC lookupnames + Xargs Speed Boost TIP - Discovering valid system users (Alternative way)\nAbusing Usermin Panel [RCE]\nControlling the flow of connections and sending a reverse shell\nAbusing TAR cap_dac_read_search capability [Privilege Escalation]","video":"https://www.youtube.com/watch?v=sjUgh__Utvs"},{"certification":"eJPT","ip":"https://www.vulnhub.com/entry/ica-1,748/","name":"ICA: 1","os":"Linux","platform":"VulnHub","state":"Easy","techniques":"Reconfiguring machine interfaces for correct IP assignment via dhcp [Small bypass to circumvent the password]\nAbusing qdPM 9.2 - Password Exposure (Unauthenticated)\nRemote connection to the MYSQL service and obtaining user credentials\nSSH brute force with Hydra\nAbusing relative paths in a SUID binary - Path Hijacking [Privilege Escalation]","video":"https://www.youtube.com/watch?v=FvXg6U1wBY4"},{"certification":"eJPT\neCPPTv2","ip":"https://www.vulnhub.com/entry/corrosion-2,745/","name":"Corrosion 2","os":"Linux","platform":"VulnHub","state":"Easy","techniques":"Note: On this machine we have configured an internal network to Pivot to Corrosion 1\nWeb Enumeration\nInformation Leakage + Cracking ZIP File\nAbusing Tomcat - Creating a malicious WAR file [RCE]\nAbusing SUID Binary - Reading privileged files\nCracking Hashes\nManipulating the code of a Python library with incorrectly configured 
permissions [Privilege Escalation]\nEXTRA: Pivoting Lab with Corrosion 1","video":"https://www.youtube.com/watch?v=Mc4FuBRyybc"},{"certification":"eCPPTv2\neWPT","ip":"https://www.vulnhub.com/entry/corrosion-1,730/","name":"Corrosion 1","os":"Linux","platform":"VulnHub","state":"Medium","techniques":"EXTRA: Creation of bash script to discover computers on the internal network\nEXTRA: Creation of a bash script to discover the open ports of the computers discovered in the internal network\nEXTRA: Remote Port Forwarding - Playing with Chisel (From Corrosion 2)\nEXTRA: Socks5 connection with Chisel (Pivoting) (From Symfonos 6)\nEXTRA: FoxyProxy + Socks5 Tunnel\nEXTRA: Port scanning with nmap through proxychains + Xargs\nEXTRA: Fuzzing with gobuster through a Socks5 Proxy\nLocal File Inclusion (LFI)\nLFI + RCE via SSH Log Poisoning (auth.log)\nEXTRA: Reverse shell playing with socat to make the shell travel from an intermediary computer to us\nCracking ZIP file\nEXTRA: SSH over Proxychains\nAbusing sudoers privilege + Creating and compiling malicious C file [Privilege Escalation]","video":"https://www.youtube.com/watch?v=Mc4FuBRyybc"},{"certification":"eWPT\nBuffer Overflow","ip":"https://www.vulnhub.com/entry/buffemr-101,717/","name":"BuffEMR","os":"Linux","platform":"VulnHub","state":"Easy","techniques":"FTP Enumeration\nInformation Leakage\nOpenEMR 5.0.1.3 - Remote Code Execution (Authenticated)\nBuffer Overflow x32 - Stack based [Linux x86 shellcode - execve(\"/bin/bash\", [\"/bin/bash\", \"-p\"], NULL) - 33 bytes]","video":"https://www.youtube.com/watch?v=LxYMz6wvfWU"},{"certification":"eJPT\neWPT","ip":"https://www.vulnhub.com/entry/venom-1,701/","name":"Venom: 1","os":"Linux","platform":"VulnHub","state":"Easy","techniques":"Cracking Hashes\nRPC Enumeration\nFTP Enumeration\nRPC RID Cycling Attack (Manual brute force) + Xargs Boost Speed Tip - Discovering valid system users\nCrypto Challenge - Vigenere Cipher\nSubrion CMS v4.2.1 Exploitation - Arbitrary File 
Upload (Phar files) [RCE]\nListing system files and discovering privileged information\nAbusing SUID binary (find) [Privilege Escalation]","video":"https://www.youtube.com/watch?v=4wl9MjByHNw"},{"certification":"eJPT\neWPT","ip":"https://www.vulnhub.com/entry/durian-1,553/","name":"Durian: 1","os":"Linux","platform":"VulnHub","state":"Easy","techniques":"Web Enumeration\nLocal File Inclusion (LFI)\nLFI to RCE - Abusing /proc/self/fd/X + Log Poisoning\nAbusing capabilities (cap_setuid+ep on gdb binary) [Privilege Escalation]","video":"https://www.youtube.com/watch?v=4VnatIievBE"},{"certification":"eWPT","ip":"https://www.vulnhub.com/entry/sunset-solstice,499/","name":"Solstice","os":"Linux","platform":"VulnHub","state":"Easy","techniques":"Note: On this machine we have configured an internal network to Pivot to Joestar\nWeb Enumeration\nLocal File Inclusion (LFI)\nLFI to RCE - Log Poisoning (Apache Logs)\nAbusing Internal Web Service running as Root [Privilege Escalation]\nEXTRA: Creation of bash script to discover computers on the internal network\nEXTRA: Creation of a bash script to discover the open ports of the computers discovered in the internal network","video":"https://www.youtube.com/watch?v=6gfo7qMpJOI"},{"certification":"OSCP (Escalada)","ip":"https://www.vulnhub.com/entry/bizarre-adventure-joestar,590/","name":"Joestar","os":"Linux","platform":"VulnHub","state":"Medium","techniques":"EXTRA: Remote Port Forwarding - Playing with Chisel (From Solstice)\nEXTRA: Socks5 connection with Chisel (Pivoting) (From Solstice)\nEXTRA: FoxyProxy + Socks5 Tunnel\nEXTRA: Fuzzing with gobuster through a Socks5 Proxy\nWeb Enumeration\nInformation Leakage\nGas Station ATGs Enumeration (SCADA)\nAbusing a gas tank system - Enumerating tank inventories\nAbusing a tank system - Sending an instruction that exposes a port through which we can connect to the machine\nEXTRA: File transfer using socat to control the flow of connections\nAbusing LXD group [Privilege 
Escalation]","video":"https://www.youtube.com/watch?v=6gfo7qMpJOI"},{"certification":"eWPT","ip":"https://www.vulnhub.com/entry/darkhole-1,724/","name":"DarkHole: 1","os":"Linux","platform":"VulnHub","state":"Easy","techniques":"Web Enumeration\nAbusing password change panel - Password change for admin user\nAbusing File Upload - Uploading malicious PHAR archive\nAbusing custom SUID binary - User Pivoting\nAbusing sudoers privilege - Python script manipulation [Privilege Escalation]","video":"https://www.youtube.com/watch?v=UXo-Iy8ehj8"},{"certification":"eWPT\nOSCP","ip":"https://www.vulnhub.com/entry/harrypotter-aragog-102,688/","name":"Aragog","os":"Linux","platform":"VulnHub","state":"Easy","techniques":"Note: On this machine we have configured 6 machines and 4 internal networks to Pivot to Brainpan\nWordPress Enumeration + Virtual Hosting\nUsing wpscan + API TOKEN for vulnerability discovery in wordpress\nFile Manager WordPress Plugin Exploitation - Unauthenticated Arbitrary File Upload leading to RCE\nUploading a web shell to the server\nEnumerating the Apache web server directory structure\nMYSQL Database Enumeration\nCracking Hashes + Password reuse\nAbusing Cron Job [Privilege Escalation]\nEXTRA: Creation of bash script to discover computers on the internal network\nEXTRA: Creation of a bash script to discover the open ports of the computers discovered in the internal network","video":"https://www.youtube.com/watch?v=Q7UeWILja-g"},{"certification":"eWPT\neWPTXv2\nOSWE\neCPPTv2\neCPTXv2","ip":"https://www.vulnhub.com/entry/harrypotter-nagini,689/","name":"Nagini","os":"Linux","platform":"VulnHub","state":"Medium","techniques":"EXTRA: Remote Port Forwarding - Playing with Chisel (From Solstice)\nEXTRA: Socks5 connection with Chisel (Pivoting) (From Solstice)\nEXTRA: FoxyProxy + Socks5 Tunnel\nEXTRA: Fuzzing with gobuster through a Socks5 Proxy\nEXTRA: Port scanning with nmap through proxychains + Xargs\nHTTP3 Enumeration - Quiche Installation\nServer Side 
Request Forgery (SSRF)\nEXTRA: Playing with socat to reach our web server by going through an intermediate machine\nJoomla Enumeration - Joomscan\nJoomla Enumeration - Readable config file is found\nSSRF + MYSQL Enumeration through gopher link - Gopherus\nChanging the Joomla administrator user password via Gopherus and SSRF\nJoomla Exploitation - Abusing available templates\nEXTRA: Joomla Exploitation - Reverse shell passing through an intermediary machine using socat\nInformation Leakage\nAbusing SUID Binary (User Pivoting)\nGetting stored Firefox credentials - Firepwd [Privilege Escalation]\nEXTRA: Creation of bash script to discover computers on the internal network\nEXTRA: Creation of a bash script to discover the open ports of the computers discovered in the internal network","video":"https://www.youtube.com/watch?v=Q7UeWILja-g"},{"certification":"\neCPPTv2\neCPTXv2\nBuffer Overflow","ip":"https://www.vulnhub.com/entry/harrypotter-fawkes,686/","name":"Fawkes","os":"Linux","platform":"VulnHub","state":"Medium","techniques":"EXTRA: Running chisel as a client from the Nagini machine to reach the Fawkes machine\nEXTRA: Creating a new socks5 connection through a new port\nEXTRA: FTP connection in passive mode when going through proxychains\nBinary Enumeration - Buffer Overflow (x32) Stack Based\nEXTRA: Execution of the Buffer Overflow sending the reverse shell through 2 machines until it reaches us\nAbusing Sudoers Privilege in a container\nIntercepting the traffic with tcpdump - Discovering credentials in FTP authentication\nSSH Credential Reuse - Escaping the Container\nAbusing sudo 1.8.27 version (CVE-2021-3156) [Privilege Escalation]\nEXTRA: Creation of bash script to discover computers on the internal network\nEXTRA: Creation of a bash script to discover the open ports of the computers discovered in the internal network\nEXTRA: Jumping to Windows Dumbledore-PC machine\nEXTRA: Running chisel as a client from the Fawkes machine to reach the Dumbledore-PC 
machine\nEXTRA: Creating a new socks5 connection through a new port\nEXTRA: Eternalblue (MS17-010) Exploitation in order to gain access to the Dumbledore-PC machine\nEXTRA: Uploading Chisel to the Windows machine\nEXTRA: Creating a new SOCKS5 connection to gain access to the Matrix 1 machine (Triple SOCKS5 Proxy)\nEXTRA: Host discovery from Windows MSDOS + ARP command","video":"https://www.youtube.com/watch?v=Q7UeWILja-g"},{"certification":"\neCPPTv2\neCPTXv2","ip":"https://www.vulnhub.com/entry/matrix-1,259/","name":"Matrix: 1","os":"Linux","platform":"VulnHub","state":"Easy","techniques":"Crypto Challenge\nCreating a password dictionary using crunch\nEXTRA: Applying brute force with Hydra by going through a triple SOCKS5 proxy\nEscaping from a restrictive shell\nAbusing sudoers privilege [Privilege Escalation]\nEXTRA: Creation of bash script to discover computers on the internal network\nEXTRA: Creation of a bash script to discover the open ports of the computers discovered in the internal network\nEXTRA: Jumping into the Brainpan machine","video":"https://www.youtube.com/watch?v=Q7UeWILja-g"},{"certification":"\neCPPTv2\neCPTXv2\nBuffer Overflow","ip":"https://www.vulnhub.com/entry/brainpan-1,51/","name":"Brainpan","os":"Windows","platform":"VulnHub","state":"Medium","techniques":"Web Enumeration - BurpSuite Intruder Attack (Due to certain timeout problems using multiple proxies)\nEXE Binary Analysis - Immunity Debugger [Buffer Overflow x32 Stack Based]\nEXTRA: Playing with netsh to control connection flow in Windows\nEXTRA: Reverse shell going through 4 machines using 4 SOCKS proxies","video":"https://www.youtube.com/watch?v=Q7UeWILja-g"},{"certification":"eWPT\nOSCP","ip":"https://vulnhub.com/entry/djinn-3,492/","name":"Djinn: 3","os":"Linux","platform":"VulnHub","state":"Medium","techniques":"Applying brute force to discover valid credentials on a custom application [Python Scripting]\nServer Side Template Injection (SSTI) - Exploit the SSTI by calling 
subprocess.Popen\nUncompiling pyc files with uncompyle6\nPython script analysis + Abusing cron job [User Pivoting]\nAbusing sudoers privilege in order to create a new user and read /etc/sudoers file by assigning --gid 0\nCreating a user that exists as described in the sudoers file but does not exist on the system\nAbusing sudoers privilege (apt-get) for the newly created user [Privilege Escalation]","video":"https://www.youtube.com/watch?v=CpFdlFRyzqc"},{"certification":"eWPT\neCPPTv2","ip":"https://www.vulnhub.com/entry/safeharbor-1,377/","name":"SafeHarbor: 1","os":"Linux","platform":"VulnHub","state":"Medium","techniques":"Basic SQL Injection (SQLI)\nLocal File Inclusion (LFI) + Wrappers (Enumerating sensitive files)\nRemote File Inclusion (RFI) + Filter Bypass\nEnumeration of existing containers with ARP command\nPlaying with chisel to reach the Docker containers from our host machine (Socks + Proxychains)\nEnumeration of existing database in another container\nHost discovery going through SOCKS connection + Xargs trick to speed up scanning\nElasticSearch Exploitation - Remote Code Execution\nAbusing Docker API in order to create a new container [Privilege Escalation]","video":"https://www.youtube.com/watch?v=tKWuxNnEHHU"},{"certification":"eWPT\nOSWE\nOSCP","ip":"https://www.vulnhub.com/entry/devguru-1,620/","name":"DevGuru: 1","os":"Linux","platform":"VulnHub","state":"Medium","techniques":"Web Enumeration\nExtracting the contents of .git directory - GitDumper\nExtracting the contents of .git directory - GitExtractor\nInformation Leakage\nGaining access to an Adminer 4.7.7 panel\nGenerating a new bcrypt hash for a user in order to gain access to OctoberCMS backend\nOctoberCMS Exploitation - Markup + PHP Code Injection\nAbusing Adminer to gain access to Gitea\nAbusing Git Hooks (pre-receive) - Code Execution (User Pivoting)\nAbusing sudoers privilege (ALL, !root) NOPASSWD + Sudo version (u#-1) in order to become 
root","video":"https://www.youtube.com/watch?v=OyYZA0H0AyA"},{"certification":"eWPT\neCPPTv2","ip":"https://www.vulnhub.com/entry/inferno-11,603/","name":"Inferno: 1.1","os":"Linux","platform":"VulnHub","state":"Medium","techniques":"Note: On this machine we have configured an internal network to Pivot to Empire: Masashi: 1\nWeb Enumeration\nBasic Web Authentication Brute Force - Hydra\nAuthenticated Codiad Exploitation - Remote Code Execution\nInformation Leakage\nAbusing sudoers privilege in order to assign a new privilege in sudoers [Privilege Escalation]\nEXTRA: Creation of bash script to discover computers on the internal network\nEXTRA: Creation of a bash script to discover the open ports of the computers discovered in the internal network\nEXTRA: Remote Port Forwarding - Playing with Chisel\nEXTRA: Socks5 connection with Chisel (Pivoting)\nEXTRA: FoxyProxy + Socks5 Tunnel\nEXTRA: Fuzzing with gobuster through a Socks5 Proxy","video":"https://www.youtube.com/watch?v=d5GXWOcwrKM"},{"certification":"eWPT\neCPPTv2","ip":"https://www.vulnhub.com/entry/masashi-1,599/","name":"Masashi: 1","os":"Linux","platform":"VulnHub","state":"Easy","techniques":"Creating a customized dictionary with cewl\nSSH Brute Force - Hydra\nAbusing Sudoers Privilege (Privilege Escalation)","video":"https://www.youtube.com/watch?v=d5GXWOcwrKM"},{"certification":"eWPT","ip":"https://www.vulnhub.com/entry/ha-natraj,489/","name":"HA: Natraj","os":"Linux","platform":"VulnHub","state":"Easy","techniques":"Web Enumeration\nLocal File Inclusion (LFI)\nLog Poisoning Attack (RCE)\nOverwriting Apache configuration files (User Pivoting)\nAbusing Sudoers Privilege (nmap) [Privilege Escalation]","video":"https://www.youtube.com/watch?v=eKAMpQhZ81E"},{"certification":"eWPT\neWPTXv2\nOSWE","ip":"https://www.vulnhub.com/entry/casino-royale-1,287/","name":"Casino Royale: 1","os":"Linux","platform":"VulnHub","state":"Medium","techniques":"Web Enumeration\nAbusing PokerMax - SQLI (SQL Injection)\nManual 
Blind SQLI (SQL Injection) - Python Scripting\nPokermax players management\nVirtual Hosting\nSnowfox CMS Exploitation - Cross-Site Request Forgery (Add Admin) [CSRF]\nAbusing the SMTP service to send a fraudulent email in order to exploit the CSRF\nInformation Leakage\nXXE Attack - XML External Entity Injection (Reading internal files)\nFTP Brute Force - Hydra\nUploading malicious PHP file + Bypassing Restriction\nInformation Leakage - Reading config files\nAbusing SUID privilege [Privilege Escalation]","video":"https://www.youtube.com/watch?v=ZvVbDArEjBM"},{"certification":"eWPT\nOSCP","ip":"https://www.vulnhub.com/entry/sputnik-1,301/","name":"Sputnik: 1","os":"Linux","platform":"VulnHub","state":"Easy","techniques":"Web Enumeration\nGithub Project Enumeration - Information Leakage\nSplunk Enumeration\nSplunk Exploitation - Weaponizing Splunk with reverse and bind shells (Installing a new malicious application)\nAbusing sudoers privilege (ed command)","video":"https://www.youtube.com/watch?v=Cab33avTlN8"},{"certification":"eWPT","ip":"https://www.vulnhub.com/entry/insanity-1,536/","name":"Insanity: 1","os":"Linux","platform":"VulnHub","state":"Easy","techniques":"FTP Enumeration\nVirtual Hosting\nBrute force on authentication panel - Hydra\nSquirrelMail Enumeration\nSQLI (SQL Injection) visible from SquirrelMail INBOX\nObtaining clear text credentials stored in Firefox (firepwd) [Privilege Escalation]","video":"https://www.youtube.com/watch?v=ptZqz9a86B0"},{"certification":"eWPT","ip":"https://www.vulnhub.com/entry/the-planets-earth,755/","name":"The Planets: Earth","os":"Linux","platform":"VulnHub","state":"Easy","techniques":"Web Enumeration\nInformation Leakage\nPlaying with XOR - Crypto Challenge\nAbusing Admin Command Tool - Bypassing IP address restriction for Reverse Shell\nAbusing SUID Privilege [Privilege 
Escalation]","video":"https://www.youtube.com/watch?v=E68j-8k0Xuo"},{"certification":"eWPT\neJPT","ip":"https://www.vulnhub.com/entry/hack-me-please-1,731/","name":"Hack Me Please: 1","os":"Linux","platform":"VulnHub","state":"Easy","techniques":"Web Enumeration\nSeedDMS Enumeration\nInformation Leakage\nDatabase Enumeration - MYSQL\nManipulating values stored in the database\nSeedDMS Remote Command Execution\nPassword reuse - User Migration\nAbusing Sudoers Privilege [Privilege Escalation]","video":"https://www.youtube.com/watch?v=B4BMMb5cwjI"},{"certification":"eWPT\nOSCP\nOSWE","ip":"https://www.vulnhub.com/entry/shuriken-1,600/","name":"Shuriken: 1","os":"Linux","platform":"VulnHub","state":"Medium","techniques":"Web Enumeration\nJS Code Inspection\nInformation Leakage\nLocal File Inclusion (LFI + Base64 Wrapper)\nVirtual Hosting\nSubdomain Enumeration\nAbusing LFI - Reading Apache config files\nCracking Hashes\nClipBucket v4.0 Exploitation - Malicious PHP File Upload\nAbusing sudoers privilege (npm) [User Migration]\nProcess Monitoring - PSPY\nAbusing Cron Job - Analyzing Bash script\nAbusing Wildcards (tar command) [Privilege Escalation]","video":"https://www.youtube.com/watch?v=illwVObIX0Q"},{"certification":"eWPT\nOSCP (Escalada)","ip":"https://www.vulnhub.com/entry/prime-2021-2,696/","name":"Prime: 2","os":"Linux","platform":"VulnHub","state":"Easy","techniques":"Web Enumeration\nWordPress Enumeration\nGraceMedia Media Player 1.0 - Local File Inclusion (LFI)\nLFI to RCE through uploaded webshell\nAbusing SMB shared files in order to gain SSH access\nAbusing lxd group [Privilege Escalation]","video":"https://www.youtube.com/watch?v=WprcnQUsO0Y"},{"certification":"eWPT\nOSWE","ip":"https://www.vulnhub.com/entry/momentum-2,702/","name":"Momentum: 2","os":"Linux","platform":"VulnHub","state":"Easy","techniques":"Web Enumeration\nInformation Leakage - We find a backup file stored on the server\nWe create a specially designed request to ajax.php for uploading a 
file\nFuzzing Admin Cookie - BurpSuite Intruder Sniper Attack\nAbusing Sudoers Privilege [Command Injection during the execution of a Python script] [Privilege Escalation]","video":"https://www.youtube.com/watch?v=ejjCStCm6k0"},{"certification":"eWPT\nOSWE\nOSCP (Escalada)","ip":"https://www.vulnhub.com/entry/hacker-kid-101,719/","name":"Hacker Kid: 1.0.1","os":"Linux","platform":"VulnHub","state":"Medium","techniques":"Web Enumeration\nInformation Leakage\nFuzzing GET parameter - Wfuzz (Range Payload)\nSubdomain Enumeration (dig)\nXXE (XML External Entity Injection) Attack\nXXE + Base64 Wrapper in order to read .bashrc\nSSTI (Server Side Template Injection) - Tornado Injection (RCE)\nAbusing Capabilities (Python2.7 cap_sys_ptrace+ep) - Injecting BIND TCP shellcode into root process [Privilege Escalation]","video":"https://www.youtube.com/watch?v=QRgig7825Qg"},{"certification":"eWPT\nOSWE","ip":"https://download.vulnhub.com/admx/AdmX_new.7z","name":"AdmX 1.0.1","os":"Linux","platform":"VulnHub","state":"Easy","techniques":"Web Enumeration\nFixing web hardcoded private IP address - BurpSuite Match and Replace Rules\nAbusing xmlrpc.php - Creating a Bash script to discover valid credentials\nLogging into the administration panel and tweaking existing themes (TwentyNineteen) [RCE]\nAbusing Sudoers privilege - Command injection through interactive MYSQL [Privilege Escalation]","video":"https://www.youtube.com/watch?v=8jx2NJJcDyY"},{"certification":"eWPT","ip":"https://www.vulnhub.com/entry/momentum-1,685/","name":"Momentum: 1","os":"Linux","platform":"VulnHub","state":"Easy","techniques":"Web Enumeration\nAbusing CryptoJS - Decryption Process\nSSH Credentials Guessing\nAbusing Internal Service (Redis) + Information Leakage [Privilege Escalation]","video":"https://www.youtube.com/watch?v=Q68_PnfCxn8"},{"certification":"eWPT","ip":"https://www.vulnhub.com/entry/sunset-sunrise,406/","name":"Sunset: Sunrise","os":"Linux","platform":"VulnHub","state":"Easy","techniques":"Web 
Enumeration\nAbusing Weborf 0.12.2 - Directory Traversal\nWeb Fuzzing - Wfuzz\nInformation Leakage\nDatabase Enumeration\nAbusing sudoers privilege (wine) + Msfvenom malicious EXE binary [Privilege Escalation]","video":"https://www.youtube.com/watch?v=24bWx8GsgK8"},{"certification":"eWPT\nOSWE\nOSCP","ip":"https://www.vulnhub.com/entry/leeroy-1,611/","name":"Leeroy: 1","os":"Linux","platform":"VulnHub","state":"Medium","techniques":"Web Enumeration\nVirtual Hosting\nWordPress Enumeration\nAbusing WordPress Plugin - WP with Spritz 1.0 Remote File Inclusion (RFI)\nLocal File Inclusion (LFI)\nInformation Leakage\nAbusing Jenkins - Remote Code Execution (Script Console Groovy Scripts) [RCE]\nDecrypting credentials.xml Jenkins encrypted password [hudson.util.Secret.decrypt() Utility]\nAbusing sudoers privilege [Domain hijacking + Apache2 HTTPS Configuration (default-ssl.conf)] [Privilege Escalation]","video":"https://www.youtube.com/watch?v=dV1XrUJ_zcU"},{"certification":"eWPT\nOSWE\neWPTXv2\nOSCP","ip":"https://cloud.caerdydd.wales/index.php/s/dxo7t46rwCGoMMr","name":"Presidential 1","os":"Linux","platform":"VulnHub","state":"Medium","techniques":"Web Enumeration\nInformation Leakage\nVirtual Hosting\nSubdomain Enumeration\nAbusing phpMyAdmin - LFI to RCE (abusing PHP ID sessions)\nCracking Hashes (User Pivoting)\nAbusing Capabilities (tar cap_dac_read_search+ep) [Privilege Escalation]","video":"https://www.youtube.com/watch?v=wT4vJRzwxYk"},{"certification":"eJPT (Intrusión)\nOSCP (Escalada)","ip":"https://www.vulnhub.com/entry/election-1,503/","name":"Election: 1","os":"Linux","platform":"VulnHub","state":"Easy","techniques":"Web Enumeration\nInformation Leakage - Log Exposure\nAbusing SUID Binary (Serv-U FTP Server \u003c 15.1.7) [Privilege Escalation]","video":"https://www.youtube.com/watch?v=ut75fw5wVh0"},{"certification":"eWPT\nOSCP (Escalada)","ip":"https://www.vulnhub.com/entry/loly-1,538/","name":"Loly: 
1","os":"Linux","platform":"VulnHub","state":"Easy","techniques":"Web Enumeration\nWordPress Enumeration\nAbusing xmlrpc.php in order to obtain valid credentials (Advanced Bash Scripting)\nAbusing AdRotate Manage Media [RCE]\nKernel Exploitation (Linux Kernel \u003c 4.13.9 - Local Privilege Escalation)","video":"https://www.youtube.com/watch?v=RrE0eWde0BA"},{"certification":"eWPT\neCPPTv2","ip":"https://www.vulnhub.com/entry/hacknos-player-v11,459/","name":"HackNos: Player\nV1.1","os":"Linux","platform":"VulnHub","state":"Medium","techniques":"Note: On this machine we have configured an internal network to Pivot to Wireless: 1\nWeb Enumeration\nWordPress Enumeration\nInformation Leakage\nJQ Filtering Tips\n WP Support Plus Responsive Ticket System - WordPress Plugin Exploitation (Privilege Escalation)\nAbusing WordPress Header.php file [RCE]\nAbusing sudoers privilege (find command) [User Pivoting]\nAbusing sudoers privilege (ruby command) [User Pivoting]\nAbusing sudoers privilege (gcc command) [Privilege Escalation]\nEXTRA: Creation of bash script to discover computers on the internal network\nEXTRA: Creation of an advanced bash script to discover the open ports of the computers discovered in the internal network\nEXTRA: Remote Port Forwarding - Playing with Chisel\nEXTRA: Socks5 connection with Chisel (Pivoting)\nEXTRA: FoxyProxy + Socks5 Tunnel\nEXTRA: Fuzzing with gobuster through a SSH Local Port Forwarding Tunnel","video":"https://www.youtube.com/watch?v=6oyv75uwW60"},{"certification":"eWPT\neCPPTv2","ip":"https://www.vulnhub.com/entry/wireless-1,669/","name":"Wireless: 1","os":"Linux","platform":"VulnHub","state":"Medium","techniques":"Information Leakage\nJavascript Challenge\nAbusing VOIP Monitor (Reading VOIP logs)\nDecoding SMS PDU messages - VOIP logs\nVirtual Hosting\nSubdomain Enumeration through SSH Local Port Forwarding Tunnel\nCMS Made Simple 2.2.9 Exploitation - Unauthenticated SQL Injection\nRCE through CMS Made Simple Custom Tags - PHP Code 
Execution\nEXTRA: Reverse Shell + SOCAT in order to control the flow of connections (PIVOTING)\nCreating a custom dictionary with cewl + SSH Brute Force (Hydra)\nAbusing LXD group (Privilege Escalation)","video":"https://www.youtube.com/watch?v=6oyv75uwW60"},{"certification":"eWPT\neWPTXv2\nOSWE","ip":"https://www.vulnhub.com/entry/securecode-1,651/","name":"SecureCode: 1","os":"Linux","platform":"VulnHub","state":"Medium","techniques":"Web Enumeration\nInformation Leakage\nPHP Code Analysis\nDatabase Enumeration\nSQLI (SQL Injection) Conditional Based [Status Code Response] + Bypass Restriction (mysqli_real_escape_string)\nObtaining database values (Python Scripting - AutoPwn SQLI)\nAbusing SQLI in order to change the admin password\nAbusing File Upload (Content-Type Manipulation + PHAR extension) [RCE]","video":"https://www.youtube.com/watch?v=zMRYFFZF_JI"},{"certification":"eWPT","ip":"https://www.vulnhub.com/entry/blackmarket-1,223/","name":"BlackMarket: 1","os":"Linux","platform":"VulnHub","state":"Easy","techniques":"Web Enumeration\nCreating our own dictionary with cewl\nFTP Brute Force - HYDRA\nSQLI (SQL Injection) - Error Based (Manual)\nCracking Hashes\nGaining access to squirrelmail\nPlaying with quipquip - Deciphering a message\nSteganography challenge\nAbusing a backdoor previously created by an attacker [RCE]\nInformation Leakage (User Pivoting)\nAbusing sudoers privilege [Privilege Escalation]","video":"https://www.youtube.com/watch?v=4KjGetmsOus"},{"certification":"eWPT\nOSCP [Escalada]","ip":"https://www.vulnhub.com/entry/wayne-manor-1,681/","name":"Wayne Manor: 1","os":"Linux","platform":"VulnHub","state":"Easy","techniques":"Virtual Hosting\nPort Knocking\nFTP Enumeration\nInformation Leakage\nWeb Enumeration\nBatFlat 1.3.6 CMS Exploitation (Remote Code Execution)\nPython Code Analysis + Debugging with Burpsuite\nAdapting the exploit to centralize the reverse shell\nDetecting cron jobs running on the system (procmon.sh) [Bash Scripting]\nAbusing 
Cron Job + Tar wildcard exploitation [User Pivoting]\nAbusing sudoers privilege (service command) [Privilege Escalation]","video":"https://www.youtube.com/watch?v=q7VpXo2Pkzk"},{"certification":"eWPT\neWPTXv2\nOSWE\nOSCP","ip":"https://www.vulnhub.com/entry/boredhackerblog-cloud-av,453/","name":"BoredHackerBlog\nCloud AV","os":"Linux","platform":"VulnHub","state":"Easy","techniques":"Abusing Cloud Anti-Virus Web Scanner Service\nSQLI (SQL Injection) - SQLite Boolean Blind Based Injection [Python Scripting]\nObtaining invitation codes through SQL injection\nCommand Injection when scanning a file\nAbusing SUID binary via unsanitized argument injection [Privilege Escalation]","video":"https://www.youtube.com/watch?v=mL5UuQkT-wo"},{"certification":"eWPT","ip":"https://www.vulnhub.com/entry/cheesey-cheeseyjack,578/","name":"Cheesey\nCheeseyJack","os":"Linux","platform":"VulnHub","state":"Easy","techniques":"Web Enumeration\nNFS Enumeration\nCreating a custom dictionary with cewl\nLogin Panel Brute Force [Python Scripting]\nAbusing qdPM 9.1 (PHP file upload) [RCE]\nAbusing sudoers privilege [Privilege Escalation]","video":"https://www.youtube.com/watch?v=WrgxaGxI228"},{"certification":"eWPT\nOSWE\nOSCP","ip":"https://www.vulnhub.com/entry/cereal-1,703/","name":"Cereal: 1","os":"Linux","platform":"VulnHub","state":"Medium","techniques":"FTP Enumeration\nVirtual Hosting\nSubdomain Enumeration\nInformation Leakage - Backup File Discovery\nPHP Deserialization Attack [RCE]\nCron Job Enumeration (pspy)\nAbusing Cron Job (Chown Symlink) [Privilege Escalation]","video":"https://www.youtube.com/watch?v=Y9Y_icaPaqE"},{"certification":"eWPT\nOSCP","ip":"https://www.vulnhub.com/entry/tomato-1,557/","name":"Tomato: 1","os":"Linux","platform":"VulnHub","state":"Easy","techniques":"Web Enumeration\nLocal File Inclusion (LFI) through info.php file\nLFI to RCE (Way 1) [Abusing PHP filters chain]\nLFI to RCE (Way 2) [Log Poisoning via SSH logs]\nLinux Kernel \u003c 4.13.9 Ubuntu 16.04 
Exploitation [Privilege Escalation]","video":"https://www.youtube.com/watch?v=9g0UHbjcnwA"},{"certification":"eWPT\neWPTXv2\nOSWE\nOSCP","ip":"https://www.vulnhub.com/entry/infovore-1,496/","name":"Infovore: 1","os":"Linux","platform":"VulnHub","state":"Medium","techniques":"Web Enumeration\nLFI (Local File Inclusion)\nAbusing file_uploads visible in info.php (LFI2RCE via phpinfo() + Race Condition)\nSystem Enumeration (Linpeas)\nCracking Protected Private SSH Key\nAbusing ssh key pair trust to escape the container\nAbusing docker group [Privilege Escalation]","video":"https://www.youtube.com/watch?v=aDXChigtu9g"},{"certification":"eWPT\neCPPTv2","ip":"https://www.vulnhub.com/entry/wpwn-1,537/","name":"Wpwn: 1","os":"Linux","platform":"VulnHub","state":"Easy","techniques":"Note: On this machine we have configured an internal network to Pivot to DMV: 1\nWeb Enumeration\nWordPress Enumeration\nSubstitution filtering from BurpSuite to make the WordPress page work properly\nWordPress Plugin Social Warfare \u003c 3.5.3 Exploitation (RFI to RCE)\nEXTRA: Building a similar lab from Docker\nPassword Reuse (User Pivoting)\nAbusing sudo group [Privilege Escalation]\nEXTRA: Creation of bash script to discover computers on the internal network\nEXTRA: Creation of bash script to discover the open ports of the computers discovered in the internal network\nPlaying with SSH in order to apply local port forwarding","video":"https://www.youtube.com/watch?v=5rFoXvD4E-w"},{"certification":"eWPT\neCPPTv2","ip":"https://www.vulnhub.com/entry/dmv-1,462/","name":"DMV: 1","os":"Linux","platform":"VulnHub","state":"Easy","techniques":"Web Enumeration\nYoutube-dl Web Utility Exploitation (Command Injection + SOCAT in order to jump to the new sub-network)\nPwnKit CVE-2021-4034 Exploitation [Privilege Escalation]","video":"https://www.youtube.com/watch?v=5rFoXvD4E-w"},{"certification":"eWPT\neWPTXv2\nOSWE","ip":"https://www.vulnhub.com/entry/myexpense-1,405/","name":"MyExpense: 
1","os":"Linux","platform":"VulnHub","state":"Medium","techniques":"Web Enumeration\nEnabling disabled button in the user registration form\nXSS (Cross-Site Scripting)\nCSRF (Cross-Site Request Forgery)\nXSS + Javascript file in order to steal the user's session cookie\nXSS + CSRF in order to activate new registered users\nXSS vulnerability in message management system\nStealing session cookies with XSS vulnerability in message handling system\nCookie Hijacking\nSQL Injection (Union Query Based)\nCracking Hashes\nLogging in as the boss and sending us the corresponding money","video":"https://www.youtube.com/watch?v=ivrWhnAH2ac"},{"certification":"eWPT","ip":"https://www.vulnhub.com/entry/powergrid-101,485/","name":"PowerGrid: 1.0.1","os":"Linux","platform":"VulnHub","state":"Medium","techniques":"Web Enumeration\nBrute Force Basic Authentication (Python Scripting)\nAbusing Roundcube 1.2.2 (RCE)\nDecrypting PGP message\nAbusing sudoers privilege assigned to a user in a container (rsync command)\nJumping to host machine by abusing SSH key pair authority [Privilege Escalation]","video":"https://www.youtube.com/watch?v=1NmYPIO1kSA"},{"certification":"eWPT\neWPTXv2\nOSWE","ip":"","name":"SQL Injection","os":"","platform":"PortSwigger","state":"","techniques":"SQL injection vulnerability in WHERE clause allowing retrieval of hidden data\nSQL injection vulnerability allowing login bypass\nSQL injection UNION attack, determining the number of columns returned by the query\nSQL injection UNION attack, finding a column containing text\nSQL injection UNION attack, retrieving data from other tables\nSQL injection UNION attack, retrieving multiple values in a single column\nSQL injection attack, querying the database type and version on Oracle\nSQL injection attack, querying the database type and version on MySQL and Microsoft\nSQL injection attack, listing the database contents on non-Oracle databases\nSQL injection attack, listing the database contents on Oracle\nBlind SQL 
injection with conditional responses\nBlind SQL injection with conditional errors\nBlind SQL injection with time delays\nBlind SQL injection with time delays and information retrieval\nBlind SQL injection with out-of-band interaction\nBlind SQL injection with out-of-band data exfiltration\nSQL Injection with filter bypass via XML encoding","video":"https://www.youtube.com/watch?v=C-FiImhUviM"},{"certification":"eWPT\neWPTXv2\nOSWE","ip":"","name":"XML External Entity (XXE) Injection","os":"","platform":"PortSwigger","state":"","techniques":"Exploiting XXE using external entities to retrieve files\nExploiting XXE to perform SSRF attacks\nBlind XXE with out-of-band (OOB) interaction\nBlind XXE with out-of-band (OOB) interaction via XML parameter entities\nExploiting blind XXE to exfiltrate data using a malicious external DTD\nExploiting blind XXE to retrieve data via error messages\nExploiting XInclude to retrieve files\nExploiting XXE via image file upload","video":"https://www.youtube.com/watch?v=UfILDa_qStQ"},{"certification":"eWPT","ip":"","name":"Directory Traversal","os":"","platform":"PortSwigger","state":"","techniques":"File path traversal, simple case\nFile path traversal, traversal sequences blocked with absolute path bypass\nFile path traversal, traversal sequences stripped non-recursively\nFile path traversal, traversal sequences stripped with superfluous URL-decode\nFile path traversal, validation of start of path\nFile path traversal, validation of file extension with null byte bypass","video":"https://www.youtube.com/watch?v=64XIkIyCIRo"},{"certification":"eWPT\neWPTXv2\nOSWE","ip":"","name":"Server-side Request Forgery (SSRF)","os":"","platform":"PortSwigger","state":"","techniques":"Basic SSRF against the local server\nBasic SSRF against another back-end system\nSSRF with blacklist-based input filter\nSSRF with filter bypass via open redirection vulnerability\nBlind SSRF with out-of-band (OOB) detection\nSSRF with whitelist-based input filter\nBlind 
SSRF with Shellshock exploitation","video":"https://www.youtube.com/watch?v=xQ2rivaFcsE"},{"certification":"Like eCPPTv3\neCPTXv2\nOSCP\nOSEP\neWPT\neWPTXv2\nOSWE\nActive Directory eJPT\neWPT OSCP\neWPT\neWPTXv2\neCPPTv3\neCPTXv2\nOSWE \neCPPTv3\neCPTXv2 eJPT\nOSCP (Escalada) eWPT\neJPT OSCP\neWPT\neWPTXv2\nOSWE eWPT\neWPTXv2\nOSCP\nOSWE OSCP\neJPT\neWPT\neCPPTv3 OSCP\neWPT OSCP\nOSEP\neCPPTv3\nActive Directory eCPPTv3\neCPTXv2\nOSCP\neWPT\neWPTXv2\nOSWE OSCP\neJPT\neWPT\neWPTXv2\neCPPTv3\nOSWE eJPT\neWPT\nOSCP (Escalada) eJPT\neWPT eJPT\neWPT eJPT\neWPT\neWPTXv2\nOSWE eJPT\neWPT\neCPPTv3\nOSCP (Escalada) eJPT\neWPT eCPPTv3\neWPT\neWPTXv2\nOSCP\nOSWE OSCP\nOSEP\neCPPTv3\nActive Directory eWPT OSCP (Escalada)\neJPT eWPTXv2\nOSWE OSCP\nOSEP\neCPPTv3\nActive Directory eWPT\nOSCP (Intrusión)\neJPT\neCPPTv2 eWPT\neCPPTv3\neCPTXv2\nBuffer Overflow eWPT\neJPT eWPTXv2\nOSWE eWPT\neWPTXv2\nOSCP (Intrusión)\nOSWE Buffer Overflow\nOSED\nOSCP (Intrusión)\neWPT\neWPTXv2\nOSWE eJPT OSCP\nOSEP\neCPPTv3\nOSWE\nActive Directory eWPT\neJPT eWPT\neJPT eWPT\nOSCP eWPT eWPT\neWPTXv2\nOSWE\nOSCP (Intrusión) eWPT eWPT\neWPTXv2\nOSWE OSCP\nOSEP\neCPPTv3\nActive Directory eWPT\nOSCP (Escalada)\nOSWE eWPT\neWPTXv2\nOSWE\nOSCP (Escalada) eWPT\neJPT OSCP eWPT\neWPTXv2\nOSWE eWPT\nOSCP\nOSWE eWPT\nOSCP (Escalada)\nOSWE eWPT\nOSWE\nOSCP (Escalada) OSCP\neWPT\neWPTXv2\nOSWE eWPT\nOSCP OSCP Buffer Overflow\neWPT (Intrusión) eWPT\neWPTXv2\nOSWE eWPT\nOSCP (Escalada) eWPT\neWPTXv2\nOSWE OSWE\neWPT\neWPTXv2\nBuffer Overflow eWPT\neWPTXv2\nOSWE\nOSCP eWPT\nOSCP (Escalada)\neJPT (Intrusión) eWPT\nOSWE\nOSCP eWPT\neWPTXv2\nOSWE\nOSCP (Escalada)\neCPTXv2 eWPT (Intrusión)\nBuffer Overflow eWPT\neWPTXv2\nOSWE\nOSCP (Escalada) eWPT\nOSWE\neWPTXv2 eWPT\neJPT (Rutas Estáticas)\neCPPTv3\neCPTXv2\nOSWE\nOSCP eWPT\nOSWE (Intrusión) OSCP\nOSEP\neCPPTv3\nActive Directory eWPT\nOSWE\neWPTXv2\neCPPTv3\neCPTXv2 OSCP\neWPT\nOSWE\neWPTXv2 OSCP\nOSWE\neWPT eWPT\neWPTXv2\nOSWE\neCPPTv3\neCPTXv2 eWPT\nOSWE\nOSCP 
(Escalada) eWPT\neWPTXv2\nOSWE eWPT\neWPTXv2\nOSWE\nOSCP OSCP\nOSEP\neCPPTv3\nActive Directory eCPPTv3\neCPTXv2\neWPT\nOSWE eWPT\nOSWE\nOSCP eWPT\nOSWE\nOSCP eWPT\neWPTXv2\nOSWE OSCP\nOSEP\neCPPTv3\neWPT\neWPTXv2\nOSWE\nActive Directory eWPT\neWPTXv2\nOSWE eWPT\neWPTXv2\nOSWE eWPT\nOSCP eWPT\neWPTXv2\nOSWE eWPT\neWPTXv2\nOSWE\neCPPTv3\neCPTXv2 eWPT\neWPTXv2\nOSWE OSCP\neCPPTv3\nBuffer Overflow eWPT\neWPTXv2\nOSWE\neCPPTv3\neCPTXv2 eWPTXv2\nOSWE eWPT\nOSWE eWPT\nOSWE OSCP\neWPT OSCP\neWPT Buffer Overflow eWPT\nBuffer Overflow eWPT\nOSWE\nOSCP eWPT\neWPTXv2\nOSWE\nOSCP eWPT\neWPTXv2\nOSWE eWPT\nOSWE\nOSCP eWPT\nOSWE\nOSCP eWPT\nOSWE\nOSCP eWPT\neWPTXv2\nOSWE eWPT\neWPTXv2\nOSWE eWPT\nOSWE\nOSCP eWPT eWPT\neWPTXv2\nOSWE\nOSCP OSCP\nOSEP\neCPPTv3\nActive Directory eJPT eWPT\nOSWE\nOSCP Buffer Overflow\nOSCP (Escalada) eWPT\neJPT eWPT\nOSCP OSCP\nBuffer Overflow eWPT\neJPT eWPT\nOSCP (Escalada) eWPT\nOSWE\nOSCP eWPT\neWPTXv2\neCPPTv3\neCPTXv2\nOSWE\nOSCP\nOSEP\nActive Directory OSCP\nOSEP\neCPPTv3\nActive Directory eWPT\nOSWE\nOSCP (Escalada) eWPT\nOSWE\nOSCP eWPT\nOSWE\neCPPTv3 OSCP\neWPT\neWPTXv2\nOSWE eWPT\nOSWE\neWPTXv2\nOSCP eWPT\neWPTXv2\nOSWE OSCP\neWPT eWPT\nOSWE OSCP\neWPT\neWPTXv2 OSCP\neWPT\neWPTXv2\nOSWE OSCP\neWPT OSCP\neWPT eWPT\nMobile eWPT\neWPTXv2\neCPPTv3\nOSWE OSWE\neWPT\neWPTXv2\nOSCP OSCP\nOSEP\neCPPTv3\nActive Directory eWPT\nOSWE\nOSCP OSCP\neWPT OSCP\nOSEP\neCPPTv3\nActive Directory OSCP\nOSEP\neCPPTv3\nActive Directory eWPT\nOSWE\nOSCP eWPT\nOSWE\nOSCP eWPT\neWPTXv2\neCPPTv3\neCPPTXv2\nOSWE OSCP eWPT\neWPTXv2\nOSWE\nMobile OSCP OSCP\neWPT\neJPT OSCP (Escalada)\nOSEP (Escalada)\neWPT\neWPTXv2\nOSWE\neCPTXv2\nActive Directory OSCP\neWPT\neJPT eWPT\nOSWE eWPT\nOSWE\nOSCP OSWE\neWPT\nOSCP (Intrusión) \neJPT (Intrusión)\nBuffer Overflow OSCP (Escalada) eJPT\neWPT\nOSCP (Escalada) eWPT\neJPT\nOSCP eWPT\neWPTXv2\nOSWE\nOSCP (Escalada) eWPT\nOSCP (Escalada) eWPT\neWPTXv2\nOSWE\nOSCP OSCP OSCP OSCP\nOSEP\neCPPTv3\nActive Directory eJPT Buffer 
Overflow\nOSCP (Escalada) eWPT\nOSWE\nOSCP eWPT\neWPTXv2\nOSWE\neCPPTv3\neCPTXv2 eJPT OSCP\nOSEP\neCPPTv3\nActive Directory OSCP\neJPT OSCP\neJPT eWPT eWPT\nOSWE\neCPPTv3 OSCP\nOSEP\neCPPTv3\nActive Directory eJPT eWPT\nOSWE eWPT\nOSWE OSCP eWPT\neWPTXv2\nOSWE\nOSCP eJPT\nOSCP (Escalada) OSCP\neWPT OSCP\neWPT eWPT eWPT\nOSWE eWPT OSCP\nOSEP\neCPPTv3\nActive Directory eWPT eWPT\neWPTXv2\nOSWE eWPT\neWPTXv2\nOSWE\nOSCP\nOSEP\neCPPTv3\nActive Directory OSCP\nOSEP\neCPPTv3\nActive Directory \neWPT\nBuffer Overflow eWPT\nOSWE\nOSCP eWPT\neWPTXv2\nOSWE\nOSCP eJPT OSCP eWPT\neWPTXv2\nOSWE\nOSCP eJPT\neWPT\nOSCP OSCP\nOSEP\neCPPTv3\nActive Directory eJPT\neWPT eWPT\neJPT OSCP\nOSEP\neCPPTv3\neWPTXv2 (Escalada)\nActive Directory eWPT\nOSCP (Escalada) eJPT eWPT\neWPTXv2\nOSWE\neCPPTv3\nOSCP eWPT\neWPTXv2\nOSWE\nOSCP eWPT\neWPTXv2\nOSWE\nOSCP eWPT\neWPTXv2\nOSWE eWPT\nOSCP eWPT\neWPTXv2\nOSWE\nOSCP OSCP eWPT\neWPTXv2\nOSWE\neCPPTv3\neCPTXv2\nOSCP OSCP\nOSEP\neCPPTv3\nActive Directory OSCP\nOSEP\neCPPTv3\nActive Directory eWPT\neWPTXv2\nOSWE\nOSCP eWPT\nOSWE\nOSCP OSWE\neWPT\neWPTXv2\nOSCP eWPT\nOSCP OSCP\neWPT eWPT eWPT\nOSWE\neCPPTv3 eWPT\nOSCP (Escalada) eWPT eWPT\neWPTXv2\nOSWE\nOSCP eWPT\neWPTXv2\nOSWE\nOSCP eWPT\nOSWE\nOSED eJPT eWPT\nOSWE\nOSED eWPT OSCP\nOSEP\neCPPTv3\nActive Directory eWPT eWPT\nOSWE eWPT eWPT\neWPTXv2\nOSWE eWPT OSED eWPT OSCP\nOSEP\neCPPTv3\nActive Directory OSWP OSCP\nOSEP\neCPPTv3\neWPT\neWPTXv2\nOSWE\nActive Directory eWPT eWPT\nOSWE\nOSCP eWPT\neJPT eWPT\neJPT eWPT\nOSCP eJPT eWPT\neWPTXv2\nOSWE\nOSCP eWPT\neWPTXv2\nOSWE eWPT\neWPTXv2\nOSWE OSCP\nOSEP\neCPPTv3\neCPTXv2\nActive Directory eWPT\neJPT eJPT\nOSCP OSCP\nOSEP\neCPPTv3\neCPTXv3\nActive Directory eWPT\nOSWE\nOSCP eWPT\nOSWE eWPT\nOSWE eWPT\nOSWE\neWPTXv2 eWPT\nOSWE\neWPTXv2 eWPT\nOSWE eWPT\neWPTXv2\nOSWE\neCPPTv3 OSCP\nOSEP\neCPPTv3\neCPTXv3\nActive Directory eWPT\nOSWE eWPT eWPT\neJPT OSCP eWPT\nOSWE eWPT\neWPTXv2\nOSWE eWPT\neWPTXv2\nOSWE\nOSED\nBuffer Overflow eWPT\neWPTXv2\nOSWE 
OSCP\nActive Directory OSCP\nActive Directory OSWE\neWPT\neWPTXv2 eWPT\neWPTXv2\nOSWE eWPT eWPT\neWPTXv2\nOSWE eWPT\neJPT eWPT eWPT\neWPTXv2\nOSWE eWPT\neWPTXv2\nOSWE eWPT\neWPTXv2\nOSWE eJPT eWPT\neWPTXv2\nOSWE eWPT eWPT\neJPT eWPT\neWPTXv2\nOSWE OSCP\nOSEP\neCPPTv3\neCPTXv3\nActive Directory OSCP\nOSEP\neCPPTv3\neCPTXv3\neWPT\neWPTXv2\nOSWE\nActive Directory eJPT OSCP\nOSEP\neCPPTv3\neCPTXv3\nActive Directory eWPT\neJPT eWPT\neWPTXv2\nOSWE eJPT\neWPT eWPT OSED\nBuffer Overflow eWPT\neJPT eJPT eJPT eWPT eWPT\neJPT eWPT eWPT\neJPT OSCP\nOSEP\neCPPTv3\neCPTXv3\nActive Directory eWPT\neWPTX\nOSWE eWPT eWPT\neJPT eWPT\neWPTXv2 OSCP\nOSEP\neCPPTv3\neCPTXv3\nActive Directory","ip":"IP Address","name":"Our search engine for filtering by machine: https://hackingvault.com Machine Tentacle Validation Mischief Reddish Return Horizontall Pressed Epsilon Jeeves Pit Blackfield EarlyAccess Flustered Love NodeBlog NunChucks Bolt GoodGames Hawk Monitors Intelligence Scavenger Driver Minion Sizzle Toolbox Enterprise Chaos SteamCloud Seal Hancliffe Antique Object Stratosphere Devzat Helpline Ransom Bankrobber Tenet Stacked Mantis TheNotebook Travel Shocker SneakyMailer Secret Giddy Haystack Passage Altered Shibboleth Tally Ellingson Quick Traverxec Sink Overflow Fighter Tabby Backend Hackback October Holiday Blunder Static Aragog Querier Toby Backdoor Control Unobtainium Cache Sense Breadcrumbs Search Ariekei Forge SwagShop BackendTwo MultiMaster Unicode Postman Servmon Schooled Oz CTF Buff Kotarak Crossfit CrimeStoppers Nightmare Pandora Bastard Safe RedCross TartarSauce Cronos AdmirerToo Admirer Time Nineveh Fortune Timing Bounty Curling Writer Reel Jerry Meta Jail Tenten SecNotes Chatterbox Union Paper Dab Fulcrum Monteverde Player Phoenix Inception Europa Teacher Falafel Optimum Undetected Worker Bart Conceal Arctic RouterSpace Oouch Celestial Resolute Book Haircut Acute Sauna Lazy Charon Feline Blue Catch RE Granny Anubis Grandpa DevOops Late Obscurity Node Shrek Apocalyst Waldo Overgraph Brainfuck Flujab Silo Heist APT Knife Retired BountyHunter Unbalanced Lame TimeLapse Legacy Devel Valentine Talkative Forest SolidState Wall 
FluxCapacitor Zetta Noter ScriptKiddie Json Sniper Beep Mango Bank Reel2 Luke Doctor StreamIO Active Frolic Jewel Laboratory Blocky Atom Joker Netmon Cascade Delivery Poison Scrambled Remote Nibbles OpenSource Faculty Trick Moderators Shared RedPanda Squashed Carpediem Support Outdated Health Shoppy UpDown Ambassador Photobomb Precious Mentor Inject Sau Zipping Bookworm Clicker Keeper Drive Builder Hospital Surveillance TwoMillion Broker Monitored Devvortex Napper Bizness Manager Wifinetic Analysis Analytics Pov BoardLight Editorial Mailing Cap Runner IClean Usage Jab PermX Crafty Blazorized Headless Perfection Sea Strutted MonitorsThree MonitorsTwo Trickster Office Sightless GreenHorn CozyHosting Compiled Stocker Jupiter MagicGardens Soccer Fuse Cicada Awkward PC Topology Yummy Previse MetaTwo BroScience Interface OnlyForYou Instant Format Codify Chemistry Blurry Axlle Freelancer Mirai Certified Pilgrimage Encoding Alert Olympus Sneaky Popcorn Bashed Irked LinkVortex Networked Luanne Spectra Administrator Cat Dog Code Nocturnal Puppy","os":"Operating System Linux Linux Linux Linux Windows Linux Linux Linux Windows Linux Windows Linux Linux Windows Linux Linux Linux Linux Linux Linux Windows Linux Windows Windows Windows Windows Linux Linux Linux Linux Windows Linux Windows Linux Linux Windows Linux Windows Linux Linux Windows Linux Linux Linux Linux Linux Windows Linux Linux Linux Linux Windows Linux Linux Linux Linux Linux Windows Linux Linux Windows Linux Linux Linux Linux Linux Windows Linux Linux Windows Linux Linux Linux Windows Windows Linux Linux Linux Linux Windows Linux Linux Windows Linux Linux Linux Windows Linux Linux Linux Linux Linux Windows Linux Linux Linux Linux Linux Linux Linux Linux Linux Linux Windows Linux Linux Windows Windows Linux Linux Linux Windows Windows Linux Linux Linux Linux Windows Linux Linux Linux Linux Linux Linux Windows Linux Windows Windows Windows Windows Linux Linux Linux Windows Linux Linux Windows Windows Linux Linux 
Linux Windows Linux Windows Windows Windows Windows Linux Linux Linux Linux Linux Linux Linux Linux Linux Linux Windows Windows Windows Linux Linux Linux Linux Linux Windows Windows Windows Linux Linux Windows Linux Linux Linux Linux Linux Linux Windows Windows Linux Linux Linux Windows Linux Linux Windows Windows Linux Linux Linux Linux Windows Linux Windows Windows Linux Linux Windows Windows Linux Linux Linux Linux Linux Linux Linux Linux Linux Windows Windows Linux Linux Linux Linux Linux Linux Linux Linux Linux Linux Linux Linux Linux Linux Linux Windows Linux Linux Linux Linux Linux Windows Linux Windows Linux Windows Linux Windows Linux Linux Windows Linux Linux Linux Linux Windows Linux Windows Windows Linux Linux Linux Linux Linux Linux Linux Windows Linux Linux Linux Windows Linux Linux Linux Linux Windows Windows Linux Linux Linux Linux Linux Linux Linux Linux Linux Linux Linux Linux Linux Linux Windows Windows Linux Windows Linux Linux Linux Linux Linux Linux Linux Linux Linux Linux Otro Otro Windows Linux Linux Linux Linux Windows","platform":"HackTheBox","state":"Insane","techniques":"🡰 Use this search box to filter by whatever you need (Techniques, OS, Difficulty, Certifications, etc.) 
Techniques Seen DNS Enumeration (dnsenum)\nSQUID Proxy\nWPAD Enumeration\nOpenSMTPD v2.0.0 Exploit\nSSH using Kerberos (gssapi)\nAbusing .k5login file\nAbusing krb5.keytab file SQLI (Error Based)\nSQLI -\u003e RCE (INTO OUTFILE)\nInformation Leakage SNMP Enumeration\nInformation Leakage\nIPV6\nICMP Data Exfiltration (Python Scapy) Abusing Node-Red\nChisel \u0026 Socat Usage\nRedis-Cli Exploitation\nRsync Abusing\nCron Exploitation\nDisk Mount\nFile Transfer Tips\nPIVOTING Abusing Printer\nAbusing Server Operators Group\nService Configuration Manipulation Information Leakage\nPort Forwarding\nStrapi CMS Exploitation\nLaravel Exploitation Password Guessing\nWordPress Abusing RPC Calls\nWordPress XML-RPC Create WebShell\nPwnKit Exploit Git Source Leak Exploit (GitHack)\nAWS Enumeration\nLambda Function Enumeration\nAuthentication Bypass\nAbusing JWT\nServer Side Template Injection (SSTI)\nTar Symlink Exploitation Jenkins Exploitation (Groovy Script Console)\nRottenPotato (SeImpersonatePrivilege)\nPassTheHash (Psexec)\nBreaking KeePass\nAlternate Data Streams (ADS) Information Leakage\nSNMP Enumeration (Snmpwalk/Snmpbulkwalk)\nSeedDMS Exploitation\nSELinux (Extra)\nSNMP Code Execution SMB Enumeration\nKerberos User Enumeration (Kerbrute)\nASRepRoast Attack (GetNPUsers)\nBloodhound Enumeration\nAbusing ForceChangePassword Privilege (net rpc)\nLsass Dump Analysis (Pypykatz)\nAbusing WinRM\nSeBackupPrivilege Exploitation\nDiskShadow\nRobocopy Usage\nNTDS Credentials Extraction (secretsdump) XSS Injection\nXSS Cookie Stealing\nCookie Hijacking\nCode Analysis\nBuilding a Key Generator (PYTHON)\nSQLI (Error Based)\nLFI \u0026\u0026 Wrappers\nBash Scripting for Host Discovering\nInformation Leakage\nPivoting\nAbusing Docker\nAbusing Capabilities Abusing Squid Proxy\nAbusing GlusterFS\nInformation Leakage\nServer Side Template Injection (SSTI)[RCE]\nAbusing Azure Storage Server Side Request Forgery (SSRF)\nExploiting Voting System\nAbusing AlwaysInstallElevated (msiexec/msi 
file) NoSQL Injection (Authentication Bypass)\nXXE File Read\nNodeJS Deserialization Attack (IIFE Abusing)\nMongo Database Enumeration NodeJS SSTI (Server Side Template Injection)\nAppArmor Profile Bypass (Privilege Escalation) Information Leakage\nSubdomain Enumeration\nSSTI (Server Side Template Injection)\nAbusing PassBolt\nAbusing GPG SQLI (Error Based)\nHash Cracking Weak Algorithms\nPassword Reuse\nServer Side Template Injection (SSTI)\nDocker Breakout (Privilege Escalation) [PIVOTING] OpenSSL Cipher Brute Force and Decryption\nDrupal Enumeration/Exploitation\nH2 Database Exploitation Information Leakage\nWordPress Plugin Exploitation (Spritz)\nLocal File Inclusion (LFI)\nCacti 1.2.12 Exploitation\nApache OfBiz Deserialization Attack (RCE)\nDocker Breakout (cap_sys_module Capability) [PRIVILEGE ESCALATION] Information Leakage\nKerberos Enumeration (Kerbrute)\nCreating a DNS Record (dnstool.py) [Abusing ADIDNS]\nIntercepting Net-NTLMv2 Hashes with Responder\nBloodHound Enumeration\nAbusing ReadGMSAPassword Rights (gMSADumper)\nPywerview Usage\nAbusing Unconstrained Delegation\nAbusing AllowedToDelegate Rights (getST.py) (User Impersonation)\nUsing .ccache file with wmiexec.py (KRB5CCNAME) Domain Zone Transfer (AXFR)\nSQLI (Error Based) [WHOIS]\nPCAP Analysis (Tshark \u0026\u0026 Wireshark)\nAbusing Rootkit Password Guessing\nSCF Malicious File\nPrint Spooler Local Privilege Escalation (PrintNightmare) [CVE-2021-1675] Server Side Request Forgery (SSRF) [Internal Port Discovery]\nICMP Reverse Shell (PowerShell) [Firewall Bypassing]\nAlternate Data Streams (ADS)\nFirewall Evasion [Firewall Rules Manipulation] SMBCacls Enumeration\nMalicious SCF File (Getting NetNTLMv2 Hash)\nLdap Enumeration (LdapDomainDump)\nAbusing Microsoft Active Directory Certificate Services\nCreating Certificate Signing Requests (CSR) [Openssl]\nCLM / AppLocker Break Out (Escaping ConstrainedLanguage)\nPSByPassCLM Usage (CLM / AppLocker Break out)\nMsbuild (CLM / AppLocker Break 
Out)\nKerberoasting Attack (Rubeus)\nKerberoasting Attack (Chisel Port Forward - GetUserSPNs.py)\nWINRM Connections\nBloodHound Enumeration\nDCSync Attack (secretsdump.py)\nDCSync Attack (Mimikatz)\nPassTheHash (wmiexec.py) PostgreSQL Injection (RCE)\nAbusing boot2docker [Docker-Toolbox]\nPivoting WordPress Lcars Plugin SQLI Vulnerability\nSQL Injection (boolean-based blind, error-based, time-based blind)\nWordPress Exploitation [www-data] (Theme Edition - 404.php Template)\nJoomla Exploitation [www-data] (Template Manipulation)\nDocker Breakout\nGhidra Binary Analysis\nBuffer Overflow (No ASLR - PIE enabled) [RET2LIBC] (Privilege Escalation) Password Guessing\nAbusing e-mail service (claws-mail)\nCrypto Challenge (Decrypt Secret Message - AES Encrypted)\nLaTeX Injection (RCE)\nBypassing rbash (Restricted Bash)\nExtracting Credentials from Firefox Profile Kubernetes API Enumeration (kubectl)\nKubelet API Enumeration (kubeletctl)\nCommand Execution through kubeletctl on the containers\nCluster Authentication (ca.crt/token files) with kubectl\nCreating YAML file for POD creation\nExecuting commands on the new POD\nReverse Shell through YAML file while deploying the POD Information Leakage (GitBucket)\nBreaking Parser Logic - Abusing Reverse Proxy / URI Normalization\nExploiting Tomcat (RCE) [Creating malicious WAR]\nAbusing existing YML Playbook file [Cron Job]\nAnsible-playbook exploitation (sudo privilege) Abusing URI Normalization\nServer Side Template Injection (SSTI) [NUXEO Vulnerability]\nUnified Remote 3 Exploitation (RCE)\nDecrypt Mozilla protected passwords\nReversing EXE in Ghidra\nBuffer Overflow (Socket Reuse Technique) [ADVANCED] SNMP Enumeration\nNetwork Printer Abuse\nCUPS Administration Exploitation (ErrorLog)\nEXTRA -\u003e (DirtyPipe) [CVE-2022-0847] Jenkins Exploitation (New Job + Abusing Build Periodically)\nJenkins Exploitation (Abusing Trigger builds remotely using TOKEN)\nFirewall Enumeration Techniques\nJenkins Password Decrypt\nBloodHound 
Enumeration\nAbusing ForceChangePassword with PowerView\nAbusing GenericWrite (Set-DomainObject - Setting Script Logon Path)\nAbusing WriteOwner (Takeover Domain Admins Group) Apache Struts Exploitation (CVE-2017-5638)\nPython Library Hijacking (Privilege Escalation) Fuzzing Directory .git (GIT Project Recomposition)\nWeb Injection (RCE)\nAbusing InfluxDB (CVE-2019-20933)\nAbusing Devzat Chat /file command (Privilege Escalation)\nEXTRA (Crypto CTF Challenge | N Factorization) ManageEngine ServiceDesk Plus User Enumeration\nManageEngine ServiceDesk Plus Authentication Bypassing\nManageEngine ServiceDesk Plus Remote Code Execution\nDisabling Windows Defender (PowerShell)\nMimikatz - Getting NTLM User Hashes (lsadump::sam)\nReading Event Logs with Powershell (RamblingCookieMonster) [Get-WinEventData]\nDecrypting EFS files with Mimikatz\nGetting the certificate with Mimikatz (crypto::system)\nDecrypting the masterkey with Mimikatz (dpapi::masterkey)\nDecrypting the private key with Mimikatz (dpapi::capi)\nBuilding a correct PFX with Openssl\nInstalling the PFX via certutil\nInstalling VNC in the box via msiexec\nConnecting to the VNC service using vncviewer\nConverting Secure String File to PlainText\nUsing RunAs to execute commands as the administrator Login Bypass (Type Juggling Attack)\nDecrypting a ZIP file (PlainText Attack - Bkcrack) - CONTI RANSOMWARE Blind XSS Injection\nStealing the session cookie by XSS injection\nSQLI - Error Based\nSQLI - File Access\nSQLI - Stealing Net-NTLMv2 Hash (impacket-smbserver)\nXSS + XSRF =\u003e RCE\nAbusing a custom binary (Brute Force Pin \u0026\u0026 Overflow) PHP Deserialization Attack\nAbusing Race Condition Virtual Hosting Enumeration\nReferer XSS Injection\nXSS - Creating JS file (accessing unauthorized resources)\nChecking/Reading mail through XSS injection\nAWS Enumeration\nLambda Enumeration\nCreating a Lambda Function (NodeJS)\nInvoking the created lambda function\nRCE on LocalStack\nAbusing FunctionName Parameter 
(AWS) by exploiting XSS vulnerability (RCE)\nFinding and exploiting custom 0Day [Privilege Escalation]\nRoot FileSystem Access by abusing Docker Database Enumeration (DBeaver)\nBloodhound Enumeration (bloodhound-python)\nExploiting MS14-068 (goldenPac.py) [Microsoft Kerberos Checksum Validation Vulnerability] Abusing JWT (Gaining privileges)\nAbusing Upload File\nDocker Breakout [CVE-2019-5736 - RUNC] (Privilege Escalation) Git Project Recomposition (.git) [Git-Dumper]\nAbusing WordPress (SimplePie + Memcache) [PHP Code Analysis]\nMemcache Object Poisoning (Gopherus + Deserialization Attack + RCE)\nLDAP Enumeration (Apache Directory Studio - GUI)\nAbusing LDAP to add an SSH Key\nAbusing LDAP to modify the user group to sudo (Privilege Escalation) ShellShock Attack (User-Agent)\nAbusing Sudoers Privilege (Perl)\nEXTRA: We create our own CTF in Docker that covers ShellShock Information Leakage\nMass Emailing Attack with SWAKS\nPassword Theft\nAbusing Pypi Server (Creating a Malicious Pypi Package)\nAbusing Sudoers Privilege (Pip3) Code Analysis\nAbusing an API\nJson Web Tokens (JWT)\nAbusing/Leveraging Core Dump [Privilege Escalation] SQL Injection (XP_DIRTREE) [SQLI] - Get Net-NTLMv2 Hash\nWindows Defender Evasion (Ebowla)\nWindows Defender Evasion (Building our own C program)\nService Listing Techniques\nAbusing Unifi-Video (Privilege Escalation) ElasticSearch Enumeration\nInformation Leakage\nKibana Enumeration\nKibana Exploitation (CVE-2018-17246)\nAbusing Logstash (Privilege Escalation) CuteNews Exploitation\nCode Analysis\nUSBCreator D-Bus Privilege Escalation\nPython Exploit Development (AutoPwn) Brute Force Pin / Rate-Limit Bypass [Headers]\nType Juggling Bypassing\nSQL Injection (Error Based)\nSQLI to RCE -\u003e INTO OUTFILE Query\nDirty Pipe Exploit (But with PAM-Wordle configured) Abusing IPMI (Intelligent Platform Management Interface)\nZabbix Exploitation\nMariaDB Remote Code Execution (CVE-2021-27928) SharePoint Enumeration\nInformation 
Leakage\nPlaying with mounts (cifs, curlftpfs)\nAbusing Keepass\nAbusing Microsoft SQL Server (mssqlclient.py - xp_cmdshell RCE)\nAbusing SeImpersonatePrivilege (JuicyPotato) Abusing Werkzeug Debugger (RCE)\nBinary Exploitation\nAdvanced Buffer Overflow x64 - ROP / ASLR Bypass (Leaking Libc Address + Ret2libc + Setuid) HTTP/3 Enumeration\nRecompiling curl to accept HTTP/3 requests\nInformation Leakage\nBrute force in authentication panel\nXSS Injection\nAbusing Esigate (ESI Injection - RCE)\nManipulating passwords in the database\nAbusing POS Print Server (File Hijacking Attack) Nostromo Exploitation\nAbusing Nostromo HomeDirs Configuration\nExploiting Journalctl (Privilege Escalation) HTTP Request Smuggling Exploitation (Leak Admin Cookie)\nCookie Hijacking\nInformation Leakage\nAWS Enumeration\nAWS Secrets Manager\nAWS Key_management Enumeration\nAWS KMS Decrypting File Padding Oracle Attack (Padbuster)\nPadding Oracle Attack (Bit Flipper Attack - BurpSuite) [EXTRA]\nCookie Hijacking\nSQL Injection (Generic UNION query) [SQLI] - Error Based\nBreaking Password\nUpload File - Abusing Exiftool (RCE)\nDNS Hijacking (Abusing Cron Job)\nGhidra Binary Analysis\nReversing Code (Computing valid PIN)\nBuffer Overflow (Controlling the program and manipulating its flow to desired functions)\nAbusing Decryption Function (XOR Trick) [Privilege Escalation] Advanced SQL Injection [SQLI] - MS SQL Server 2014 [Bypass Protection] [Python Scripting] [RCE]\nAbusing Cron Jobs\nCapcom Rootkit Privilege Escalation\nBinary and DLL Analysis in order to get root.txt [Radare2] Local File Inclusion (LFI)\nAbusing Tomcat Virtual Host Manager\nAbusing Tomcat Text-Based Manager - Deploy Malicious War (Curl Method)\nLXC Exploitation (Privilege Escalation) API Enumeration\nAbusing API - Registering a new user\nAbusing API - Logging in as the created user\nEnumerating FastApi Endpoints through Docs\nAbusing FastAPI - We managed to change the admin password\nAbusing FastAPI - We get the ability to 
read files from the machine (Source Analysis)\nCreating our own privileged JWT\nAbusing FastAPI - We achieved remote command execution through the exec endpoint\nInformation Leakage (Privilege Escalation) Subdomain Enumeration\nInformation Leakage\nPassword Fuzzing\nGophish Template Log Poisoning (Limited RCE)\nInternal Port Discovery\nreGeorg - Accessing internal ports through a SOCKS proxy (proxychains)\nAccessing the WinRM service through reGeorg and SOCKS proxy\nAbusing Cron Job + SeImpersonatePrivilege Alternative Exploitation\nPlaying with PIPES - pipeserverimpersonate\nImpersonating users and executing commands as the impersonated user\nBypassing Firewall Rules (BlockInbound/BlockOutbound)\nAbusing Services\nAlternate Data Streams (ADS) Abusing October CMS (Upload File Vulnerability)\nBuffer Overflow - Bypassing ASLR + Ret2libc (x32 bits)\nBuffer Overflow - Ret2libc without ASLR (x32 bits EXTRA) SQL Injection [SQLI] - Sqlite\nXSS Injection - Bypassing Techniques (fromCharCode) + Own Javascript Code + Session Cookie Theft\nAbusing existing parameters - RCE\nNodeJS npm - Privilege Escalation Bludit CMS Exploitation\nBypassing IP Blocking (X-Forwarded-For Header)\nDirectory Traversal Image File Upload (Playing with .htaccess)\nAbusing sudo privilege (CVE-2019-14287) Compressed File Recomposition (Fixgz)\nAbusing TOTP (Python Scripting - NTP protocol)\nPlaying with Static Routes\nXDebug Exploitation (RCE)\nAbusing PHP-FPM (RCE) [CVE-2019-11043] (PIVOTING)\nAbusing Capabilities (cap_setuid + Path Hijacking | Privilege Escalation) XXE (XML External Entity Injection) Exploitation\nModifying a wordpress login to steal credentials (Privilege Escalation) Macro Inspection (Olevba2)\nMSSQL Hash Stealing [Net-NTLMv2] (xp_dirtree)\nAbusing MSSQL (xp_cmdshell)\nCached GPP Files (Privilege Escalation) Abusing GOGS (Project Enumeration)\nStatic Code Analysis (Finding a backdoor with php-malware-scanner)\nCode deobfuscation\nReverse shell through backdoor\nSetting up a SOCKS5 
Proxy (Chisel/Proxychains)\nDatabase Enumeration (Accessing GOGS)\nAbusing API (Stealing an authentication hash in MYSQL through Wireshark)\nPlaying with epoch time to generate a potential list of passwords\nCracking Hashes\nPIVOTING\nProcess Enumeration (pspy)\nAbusing cron job to obtain a private key\nDecrypting database passwords (AES Encryption)\nAbusing PAM (Ghidra Analysis)\nGetting the root password by abusing time\nAdvanced persistence techniques WordPress Local File Inclusion Vulnerability (LFI)\nLFI to RCE (Abusing /proc/PID/cmdline)\nGdbserver RCE Vulnerability\nAbusing Screen (Privilege Escalation) [Session synchronization] SQL Injection [SQLI] - Error Based\nAdvanced Bash Scripting (EXTRA)\nSQLI to RCE (Into Outfile - PHP File Creation)\nConPtyShell (Fully Interactive Reverse Shell for Windows)\nPlaying with ScriptBlocks and PSCredential to execute commands as another user\nAppLocker Bypass\nWinPEAS Enumeration\nService ImagePath Hijacking (Privilege Escalation) Inspecting custom application\nCode Analysis\nInformation Leakage\nLocal File Inclusion (LFI)\nGoogle CloudStorage Commands Vulnerability (Command Injection) [RCE]\nPrototype Pollution Exploitation (Granting us privileges)\nKubernetes (Interacting with the API) [kubectl]\nFinding containers with kubectl\nPIVOTING\nAbusing Prototype Pollution to jump to another container\nListing secrets with kubectl\nCreating malicious Pod (Privilege Escalation) [Bad Pods]\nPeirates - Kubernetes Penetration Testing Tool [EXTRA] Information Leakage (Code Inspection)\nAbusing OpenEMR\nBroken Access Control\nAuthentication Bypassing (Abusing the registration panel)\nSQL Injection - Error Based [SQLI]\nOpenEMR Authentication Exploit (RCE)\nAbusing Docker Group (Privilege Escalation) Information Leakage\nPFsense - Abusing RRD Graphs (RCE) [Evasion Techniques]\nPython Exploit Development (AutoPwn) [EXTRA] Local File Inclusion (LFI) [Abusing file_get_contents]\nAbusing No Redirect\nForge PHPSESSID and getting valid 
Cookies\nForge JWT\nUploading WebShell\nObtaining system credentials through the webshell\nAbusing Sticky Notes\nBinary Analysis (Radare2)\nSQL Injection (SQLI) [Error Based]\nAES Decrypt (CyberChef) Information Leakage - Password in picture (wtf?)\nRPC Enumeration (rpcclient)\nLdap Enumeration (ldapdomaindump)\nBloodhound Enumeration\nKerberoasting Attack (GetUserSPNs.py)\nSMB Password Spray Attack (Crackmapexec)\nUnprotecting password-protected Excel (Remove Protection)\nPlaying with pfx certificates\nGaining access to Windows PowerShell Web Access\nAbusing ReadGMSAPassword privilege\nAbusing GenericAll privilege (Resetting a user's password)\nGaining access with wmiexec ImageTragick Exploitation (Specially designed '.mvg' file)\nShellShock Attack (WAF Bypassing)\nAbusing Docker privilege\nPIVOTING Bypassing URL Blacklist\nServer Side Request Forgery (SSRF)\nAbusing Sudoers Privilege (Abusing Python Script) Magento CMS Exploitation (Creating an admin user)\nMagento - Froghopper Attack (RCE)\nAbusing sudoers (Privilege Escalation) API Enumeration\nAbusing API - Registering a user\nAccessing the Docs path of FastAPI\nMass Assignment Attack (Becoming superusers)\nAbusing API - Reading system files\nInformation Leakage\nForge JWT (Assigning us an extra privilege)\nAbusing API - Creating a new file to achieve remote command execution (RCE)\nAbusing pam_wordle (Privilege Escalation) SQLI (SQL Injection) - Unicode Injection\nWAF Bypassing\nAdvanced Python Scripting - Creation of an automation tool to handle Unicode in SQL injection\nDatabase enumeration through the previously created utility\nCracking Passwords\nActive Directory Enumeration\nEnumerating domain information through SQL injection\nObtaining domain RIDs through SQL injection\nApplying brute-force attack (SID = SID+RID) to obtain existing domain users [Python Scripting]\nSMB Brute Force Attack (Crackmapexec)\nEnumerating AD existing users (rpcclient/rpcenum)\nAbusing Remote Management User group\nMicrosoft 
Visual Studio 10.0 Exploitation (User Pivoting)\nUsing libwebsockets in order to connect to a CEF Debugger (RCE)\nAMSI Bypass - Playing with Nishang\nAMSI Bypass - Bypass-4MSI Alternative (evil-winrm)\nDLL Inspection - Information Leakage\nBloodHound Enumeration\nAbusing the GenericWrite privilege on a user\nMaking a user vulnerable to an ASREPRoast attack - Disabling Kerberos Pre-Authentication\nRequesting the TGT of the manipulated user\nAbusing Server Operators Group\nAbusing an existing service by manipulating its binPATH\nWe change the password of the administrator user after restarting the manipulated service JWT Enumeration\nJWT - Claim Misuse Vulnerability\nJSON Web Key Generator (Playing with mkjwk)\nForge JWT\nOpen Redirect Vulnerability\nCreating a JWT for the admin user\nLFI (Local File Inclusion) - Unicode Normalization Vulnerability\nAbusing Sudoers Privilege\nPlaying with pyinstxtractor and pycdc\nBypassing badchars and creating a new passwd archive  (Privilege Escalation) Redis Enumeration\nRedis Exploitation - Write SSH Key\nWebmin Exploitation - Python Scripting\nWe create our own exploit in Python - AutoPwn [Ruby code adaptation from Metasploit] NVMS-1000 Exploitation - Directory Traversal\nLocal File Inclusion (LFI)\nLocal Port Forwarding - SSH\nNSClient++ Exploitation - Privilege Escalation VHost Brute Force\nMoodle Enumeration\nMoodle - Stored XSS\nStealing a teacher's session cookie\nPrivilege escalation from teacher role into manager role to RCE [CVE-2020-14321]\nElevating our privilege to Manager in Moodle - User Impersonation\nMass Assignment Attack - Enable Full Permissions\nGiving us the ability to install a plugin\nAchieving remote command execution through installation of a malicious Plugin\nEnumerating the database once we have gained access to the system\nCracking Hashes\nAbusing sudoers privilege (pkg install package) [Privilege Escalation] SQL Injection (SQLI)\nServer Side Template Injection (SSTI) (RCE)\nAbusing Knockd\nNetwork 
enumeration techniques using bash oneliners\nPIVOTING\nPortainer 1.11.1 Exploitation - Resetting the admin password\nCreating a new container from Portainer (Privilege Escalation) LDAP Injection\nLDAP Injection - Discovering valid usernames\nLDAP Injection - Attribute Brute Force [Discovering valid LDAP fields]\nLDAP Injection - Obtaining OTP Seed\nGenerating One-Time Password (OTP) [stoken]\nSecond Order Ldap Injection\nAbusing backup - 7za Symbolic Links (Privilege Escalation) Gym Management System Exploitation (RCE)\nCloudMe Exploitation [Buffer Overflow] [OSCP Like] (Manual procedure) [Python Scripting] Server Side Request Forgery (SSRF) [Internal Port Discovery]\nInformation Leakage [Backup]\nTomcat Exploitation [Malicious WAR]\nDumping hashes [NTDS]\nWget 1.12 Vulnerability [CVE-2016-4971] [Privilege Escalation] (PIVOTING) FTP SSL Certificate Enumeration\nXSS Injection\nSubdomain Enumeration through the Origin Header [Access-Control-Allow-Origin]\nAccessing internal websites through XSS - Creating a javascript file\nRegistering a new user through XSS - CSRF Protection Bypass\nUploading a webshell with lftp\nCracking Hashes\nAbusing Cron Job\nphp-shellcommand exploitation - escapeArgs option is not working properly\nInjecting data into the database to achieve remote command execution (RCE) [User Pivoting]\nBinary Analysis - dbmsg [GHIDRA]\nReversing\nCreating an exploit - Abusing Rand [Time travel]\nAbusing symbolic links\nInjecting our own public key as authorized_keys in /root Local File Inclusion (LFI)\nLFI - Base64 Wrapper [Reading PHP files]\nLFI to RCE - ZIP Wrapper\nThunderbird - Password Extraction \u0026 Reading Messages (firefoxpwd tool)\nRootkit - apache_modrootme [GHIDRA/Radare2 Analysis] (Privilege Escalation) HTML Injection\nXSS Injection\nSQL Injection (SQLI) - Error Based\nOpenSSH \u003c= 6.6 SFTP misconfiguration universal exploit (RCE)\nScript Modification\nBinary Analysis [GHIDRA/Radare2]\nIn-depth analysis with Radare2 [Tips and 
tricks]\nCommand Injection - User Pivoting\nUbuntu Xenial Privilege Escalation - Kernel Exploitation SNMP Fast Enumeration\nInformation Leakage\nLocal Port Forwarding\nSQL Injection - Admin Session Hijacking\nPandoraFMS v7.0NG Authenticated Remote Code Execution [CVE-2019-20224]\nAbusing Custom Binary - PATH Hijacking [Privilege Escalation] Drupal Enumeration\nDrupal 7.X Module Services - Remote Code Execution [SQL Injection]\nDrupal Admin Cookie Hijacking\nDrupal \u003c 7.58 / \u003c 8.3.9 / \u003c 8.4.6 / \u003c 8.5.1 - 'Drupalgeddon2' Remote Code Execution\nSA-CORE-2018-004 - 'Drupalgeddon3' Remote Code Execution\nSherlock Enumeration (Privilege Escalation)\nMS15-051-KB3045171 - Kernel Exploitation [Way 1]\nAbusing SeImpersonatePrivilege [Way 2] Information Leakage\nBuffer Overflow [x64] [ROP Attacks using PwnTools] [NX Bypass] [ASLR Bypass]\nTrying to hijack the argument to the system() function by loading our content in RDI [Way 1]\nLeaking puts and libc address to make a system call with the argument loaded in RDI [Way 2] [EXTRA]\nAbusing keepass to obtain the root password [Privilege Escalation] Subdomain Enumeration\nXSS Injection - Stealing the admin user cookie\nInjection RCE\nAbusing Custom Binary - Binary Exploitation\nBuffer Overflow [x64] [ROP Attacks using PwnTools] [NX Bypass] [ASLR Bypass] [Privilege Escalation] RFI (Remote File Inclusion) - Abusing Wordpress Plugin [Gwolle-gb]\nRFI to RCE (Creating our malicious PHP file)\nAbusing Sudoers Privilege (Tar Command)\nAbusing Cron Job (Privilege Escalation) [Code Analysis] [Bash Scripting] Domain Zone Transfer (AXFR)\nSQLI (Blind Time Based) - Creating a custom Python script\nCommand Injection\nAbusing Cron Job [Privilege Escalation] Subdomain Enumeration\nAdminer Enumeration\nSSRF (Server Side Request Forgery) in Adminer [CVE-2021-21311]\nAbusing redirect to discover internal services\nOpenTSDB Exploitation [CVE-2020-35476] [Remote Code Execution]\nSearching for valid metrics\nOpenCats PHP Object 
Injection to Arbitrary File Write\nAbusing Fail2ban [Remote Code Execution] (CVE-2021-32749)\nPlaying with phpggc in order to serialize our data\nAbusing whois config file + OpenCats + Fail2ban [Privilege Escalation] Information Leakage\nAdmirer Exploitation (Abusing LOAD DATA LOCAL Query)\nAbusing Sudoers Privilege [Library Hijacking - Python] (Privilege Escalation) Jackson CVE-2019-12384 Exploitation - SSRF to RCE\nAbusing Cron Job [Privilege Escalation] Abusing http forms with Hydra - Login Brute Force\nLocal File Inclusion (LFI)\nSteganography - id_rsa hidden in image\nAbusing phpLiteAdmin v1.9 (Remote Code Execution)\nAbusing Knockd - Port Knocking\nChkrootkit 0.49 - Local Privilege Escalation\nUsing Wrappers - LFI [EXTRA] Command Injection\nOpenSSL - Creating a new key\nOpenSSL - Creating a CSR file (Certificate Signing Request)\nOpenSSL - Creating a PEM file\nOpenSSL - Creating a PFX file (pkcs12) to import it into the Firefox browser\nNFS share mount\nEditing our user ID in order to gain access to the NFS directories\nCode Analysis - Crypto Challenge Local File Inclusion (LFI)\nUsing Wrappers - Base64 Wrapper\nCode Inspection\nRole manipulation\nFile Upload Exploitation\nAbusing Sudoers Privilege - Playing with symbolic links IIS Enumeration\nCreating our own extension fuzzer in Python [Python Scripting] [EXTRA]\nIIS Exploitation - Executing code via web.config file upload\nAbusing SeImpersonatePrivilege - Juicy Potato [Privilege Escalation] Information  Leakage wtf xd\nJoomla Enumeration\nJoomla Exploitation [Abusing Templates] [RCE]\nDecompression Challenge\nAbusing Curl [Playing with Config files] [Privilege Escalation] RPC Enum\nSQLi Bypass Login + SQL Injection [Database Enumeration]\nSQLi - File System Enumeration (Abusing load_file)\nPython Code Analysis\nCommand Injection\nCracking Hashes\nPostfix Enumeration\nAbusing Cron Job [User Pivoting]\nAbusing apt config files [Privilege Escalation] Metadata Inspection\nSMTP Enumeration (VRFY Manual vs 
smtp-user-enum)\nCrafting a malicious RTF document [PHISHING] [CVE-2017-0199]\nSending an email to get command execution [RCE]\nPlaying with PSCredential Objects (XML files | PowerShell - Import-CliXml)\nACLs Inspection (Active Directory Enumeration)\nAbusing WriteOwner Active Directory Rights\nPlaying with PowerView (Set-DomainObjectOwner, Add-DomainObjectAcl \u0026 Set-DomainUserPassword)\nAbusing WriteDacl Active Directory Rights\nInformation Leakage [Privilege Escalation] Information Leakage\nAbusing Tomcat [Intrusion \u0026 Privilege Escalation] Subdomain Enumeration\nAbusing File Upload\nExiftool Exploitation [RCE]\nImageMagick Exploitation [User Pivoting] - SVG MSL Polyglot File\nAbusing Neofetch [Privilege Escalation] Code Analysis\nBinary Exploitation\nBuffer Overflow x32 - Socket Re-Use Shellcode Technique\nGDB Tips\nNFSv3 Privesc\nAbusing sudoers privilege (rvim command)\nCracking RAR file\nCrypto Challenge (Playing with RsaCtfTool to get the private key) Wordpress Enumeration\nCV filename disclosure on Job-Manager Wordpress Plugin [CVE-2015-6668]\nSteganography Challenge (Steghide)\nCracking Hashes [Protected SSH Private Key]\nAbusing sudoers privilege User Enumeration (Wfuzz)\nReflected XSS\nStored XSS\nSQL Injection\nCross-Site Request Forgery (CSRF) - Changing a user's password\nIIS Exploitation (Uploading WebShell)\nAbusing Linux subsystem\nInformation Leakage [Privilege Escalation] Achat 0.150 beta7 - Buffer Overflow (Windows 7 32 bits)\nGenerating a Shellcode based on our needs + TIPS\nIcacls Abuse (Privilege Escalation)\nPowerUp Enumeration (Alternative Privilege Escalation) SQLI (SQL Injection) - UNION Injection\nSQLI - Read Files\nHTTP Header Command Injection - X-FORWARDED-FOR [RCE]\nAbusing sudoers privilege [Privilege Escalation] Information Leakage\nAbusing WordPress - Unauthenticated View Private/Draft Posts\nAbusing Rocket Chat Bot\nPolkit (CVE-2021-3560) [Privilege Escalation] Applying brute force to an authentication panel - Wfuzz 
(Discovering valid password)\nApplying cookie discovery with Wfuzz (Brute Force)\nSSRF - Server Side Request Forgery (Internal Port Discovery) - Wfuzz\nAbusing Memcached - Getting stored credentials\nCracking Hashes\nSSH User Enumeration - CVE-2018-15473\nAbusing SUID Binary\nLtrace/Radare2 Inspection (Password Leaking)\nHijacking dynamically linked shared object library [Privilege Escalation] API Enumeration - Endpoint Brute Force\nAdvanced XXE Exploitation (XML External Entity Injection)\nXXE - Custom Entities\nXXE - External Entities\nXXE - XML Parameter Entities\nXXE - Blind SSRF (Exfiltrate data out-of-band) + Base64 Wrapper [Reading Internal Files]\nXXE + RFI (Remote File Inclusion) / SSRF to RCE\nHost Discovery - Bash Scripting\nPort Discovery - Bash Scripting\nDecrypting PSCredential Password with PowerShell\nPIVOTING 1 - Tunneling with Chisel + Evil-WinRM\nGaining access to a Windows system\nPowerView.ps1 - Active Directory Users Enumeration (Playing with Get-DomainUser)\nInformation Leakage - Domain User Password\nPIVOTING 2 - Using Invoke-Command to execute commands on another Windows server\nFirewall Bypassing (Playing with Test-NetConnection in PowerShell) - DNS Reverse Shell\nAuthenticating to the DC shares - SYSVOL Enumeration\nInformation Leakage - Domain Admin Password\nPIVOTING 3 - Using Invoke-Command to execute commands on the Domain Controller (DC) RPC Enumeration\nCredential Brute Force - CrackMapExec\nShell Over WinRM\nAbusing Azure Admins Group - Obtaining the administrator's password (Privilege Escalation) Subdomain Enumeration\nJWT Enumeration\nInformation Leakage - Abusing No Redirect\nPlaying with BFAC (Backup File Artifacts Checker) in order to find a configuration file\nPHP Source Code Analysis\nForge JWT\nAbusing ffmpeg AVI Exploit in order to read internal files\nEscaping Limited Shell - OpenSSH 7.2p1 (Authenticated) XAuth Command Injection\nAbusing Codiad IDE in order to execute commands (RCE - www-data)\nAbusing Cron Job (Privilege 
Escalation) Asgaros Forum Exploitation - Unauthenticated Blind Time Based SQL Injection (SQLI)\nDownload From Files 1.48 - Arbitrary File Upload (WordPress Plugin Exploitation)\nCracking Hashes\nAbusing PAM configuration for the Secure Shell service (SSH)\nAbusing Cron Job (Rsync Exploitation) [Privilege Escalation] DomPDF Exploitation - Local File Inclusion (LFI) [CVE-2014-2383]\nBash Scripting\nAbusing Squid Proxy\nInternal Port Discovery via Squid Proxy - Wfuzz\nAbusing WebDAV - WebShell (Using davtest)\nCreating a Forward Shell (Python Scripting) - Bypassing Firewall Rules\nPIVOTING\nHost Discovery \u0026\u0026 Port Discovery - Bash Scripting\nAbusing Cron Job - Apt Pre-Invoke Script (Privilege Escalation) SSL Certificate Inspection\nLogin Bypass - SQLI\nSQLI (Blind Time Based) [Python Scripting]\nAbusing preg_replace (REGEX Danger) [RCE]\nCreating an AutoPwn script for Intrusion [Python Scripting]\nAbusing Cron Job [Privilege Escalation] Information Leakage\nAbusing Moodle - Login BruteForce (Wfuzz)\nMoodle Exploitation - Code Injection (Abusing Math formulas in Quiz component) [RCE]\nDatabase Enumeration\nCracking Hashes\nAbusing Cron Job [Privilege Escalation] Information Leakage\nSQL Injection (SQLI) - Abusing substring function\nObtaining user passwords [Python Scripting]\nPHP Type Juggling Exploitation (0e hash collision)\nAbusing File Upload - File name truncation (Bordering the limits)\nAbusing video group - Taking a screenshot to view a password [GIMP \u0026\u0026 Playing with virtual_size]\nAbusing disk group to read the flag [debugfs] [Privilege Escalation] HttpFileServer 2.3 Exploitation [RCE]\nSystem Recognition - Windows Exploit Suggester\nMicrosoft Windows 8.1 (x64) - 'RGNOBJ' Integer Overflow (MS16-098) [Privilege Escalation] Virtual Hosting Enumeration\nAbusing Directory Listing\nPHPUnit 5.6 Exploitation (CVE-2017-9841) [RCE]\nBackup Inspection\nBinary Analysis - GHIDRA\nCracking Hashes\nApache Backdoor Analysis [Privilege Escalation] SVN - 
Subversion Enumeration\nInformation Leakage\nVHost Fuzzing - Gobuster\nAzure DevOps Enumeration\nAbusing Azure DevOps - Creating a Branch\nAbusing Azure DevOps - Playing with existing Pipelines [RCE]\nIIS Exploitation\nElevating our Azure DevOps privilege\nAbusing Azure DevOps - Creating a new Pipeline\nAzure DevOps Exploitation - Creating a malicious YAML file [Privilege Escalation] Subdomain Enumeration - Gobuster\nInformation Leakage\nUsername enumeration - Abusing the Forget Password Option\nSimple Chat Exploitation - Creating a new user\nLog Poisoning Attack - User Agent [RCE]\nNishang Invoke-PowerShellTcp Shell\nAbusing SeImpersonatePrivilege [Privilege Escalation] UDP Scan\nSNMP Enumeration\nEnumerating Ike Hosts - ike-scan\nInstalling and configuring Strongswan (IPSEC/VPN) [ipsec.secret/ipsec.conf]\nPerforming a new scan through IPSEC\nAbusing IIS - File Upload via FTP (Malicious ASP file) [RCE]\nNishang Invoke-PowerShellTcp Shell\nAbusing SeImpersonatePrivilege [Privilege Escalation] Adobe ColdFusion 8 Exploitation\nDirectory Traversal Vulnerability\nCracking Hashes\nAbusing Scheduled Tasks - Creating malicious JSP file\nAbusing SeImpersonatePrivilege [Privilege Escalation] Mobile Application Penetration Testing\nAPK Analysis and Debugging\nDecoding APK with APKTool\nFiles Inspection\nInstalling Anbox on Parrot Security\nSetting up a new proxy in Anbox\nInstalling the APK application and analyzing requests with Burpsuite\nCommand Injection in one of the found requests [RCE]\nLinPeas Recon - Enumeration\nAbusing Sudo Version 1.8.31 [Privilege Escalation] FTP Enumeration\nAbusing OAuth Endpoint\nVirtual Hosting Enumeration\nBreaking OAuth Logic - Authorize as Administrator\nRegistering a new application - Django Docs\nAbusing Authorization Workflow\nToken Stealing\nPlaying with Bearer Tokens - Abusing Authentication\nInformation Leakage\nHost Discovery \u0026\u0026 Port Discovery - Bash Scripting\nPIVOTING\nUWSGI Exploitation [RCE] - User Pivoting\nAbusing 
DBUS Message [Privilege Escalation] NodeJS Deserialization Attack [RCE]\nIIFE Serialization/Deserialization Attack - Explained\nNode Reverse Shell\nAbusing Cron Job RPC Enumeration - Abusing querydispinfo\nCrackMapExec SMB Authentication Spraying\nAbusing WinRM - EvilWinRM\nInformation Leakage\nLOLBAS\nAbusing DnsAdmins Group - dnscmd [Privilege Escalation]\nCreating a malicious DLL and injecting it into the dns service SQL Truncation Attack\nLocal File Read via XSS in Dynamically Generated PDF - HackTricks\nAbusing Cron Job - Logrotate Exploit (Logrotten) [Privilege Escalation] SSRF Attack (Server Side Request Forgery)\nAbusing a Curl implementation - Upload malicious PHP file\nCommand Injection - Alternative Exploitation\nGNU Screen 4.5.0 - Local Privilege Escalation Virtual Hosting\nInformation Leakage\nAbusing Windows PowerShell Web Access\nReal-time monitoring of the victim's screen\nGetting remote command execution on another server - PIVOTING\nAbusing a PowerShell file to get remote command execution as another user - User Pivoting\nDump Hives \u0026\u0026 Get Hashes\nCracking Hashes\nPassword Reuse\nAbusing Cron Job - BAT file [Privilege Escalation] Information Leakage\nLdap Enumeration\nKerberos User Enumeration - Kerbrute\nASRepRoast Attack (GetNPUsers)\nCracking Hashes\nSystem Enumeration - WinPEAS\nAutoLogon Credentials\nBloodHound - SharpHound.ps1\nDCSync Attack - Secretsdump [Privilege Escalation]\nPassTheHash Padding Oracle Attack (Padbuster)\nBit Flipper Attack (BurpSuite) - Obtaining the admin user's Cookie\nAbusing SUID binary\nPATH Hijacking [Privilege Escalation] SQLI (SQL Injection) - Union Injection\nSQLI - WAF Bypass\nCracking Hashes\nUploading a file abusing a hidden property\nFiltering Bypass\nAbusing RSA - Creating a private key based on a public one\nDecrypting a message with the generated private key\nAbusing SUID Binary [Privilege Escalation] Information leakage in error message\nRCE by deserialization in Apache Tomcat with 
PersistentManager - CVE-2020-9484 [RCE]\nPlaying with Ysoserial - CommonsCollections2\nManipulating our session cookie (JSESSIONID) + Directory Path Traversal\nPlaying with chisel [Socks Proxy + Proxychains (socks5)]\nSaltStack Exploitation - CVE-2020-1651\nGaining root access to a container\nPlaying with docker.sock file + Abusing Docker API [Privilege Escalation]\nPIVOTING SMB Enumeration\nEternalblue Exploitation (MS17-010) [Triple Z Exploit]\nObtaining credentials stored in memory [MIMIKATZ + Windows Defender Evasion] (EXTRA)\nEnabling RDP from CrackMapExec (EXTRA)\nWindows Persistence techniques (EXTRA)\nWindows Persistence - Playing with debugger [When a user opens a program] (EXTRA)\nWindows Persistence - Playing with Gflags [When a user closes a program] (EXTRA)\nWindows Persistence - Playing with WMI Events [Executing tasks at regular intervals of time] (EXTRA)\nPersistence + Windows Defender Evasion [Playing with Ebowla] (EXTRA) APK Analysis (apktool, d2j-dex2jar)\nJD-GUI - Code Inspection\nInformation Leakage - Visible Token values\nCachet Framework Exploitation - SQLI\nLet's Chat Exploitation - Abusing API (Reading Private Messages)\nCachet Framework Exploitation - Server Side Template Injection (SSTI) [RCE]\nAbusing Cron Job [Privilege Escalation] Creating a malicious office document (libreoffice) - Playing with Macros\nMacros Obfuscation - Bypassing YARA Rules\nConPtyShell - Enhancing our console mobility\nAbusing defined task in the system\nMalicious Ace files for WinRAR \u003c 5.70 beta 1 - WinRAR Exploitation (Evil-WinRAR-Gen)\nIIS ASPX WebShell through WinRAR Exploitation\nGHIDRA Exploitation - XXE Vulnerability (XML External Entity Injection) [Project Handling]\nIntercepting NetNTLM-v2 hash through the XXE\nCracking Hashes\nAbusing WinRM - Evil-WinRM\nPlaying with Invoke-Command to execute commands as a user whose credentials we know\nPowerUp System Recognition\nAbuse UsoSvc - Creating a new user [Privilege Escalation]\nManipulating system logs 
to grant privileges to the newly created user (Psexec) Abusing PUT \u0026 MOVE Methods - Uploading Aspx WebShell\nMicrosoft IIS 6.0 - WebDAV 'ScStoragePathFromUrl' Remote Buffer Overflow [RCE]\nToken Kidnapping - Churrasco [Privilege Escalation] SSL Certificate Inspection - OpenSSL\nXSS (Cross-Site Scripting)\nASP SSTI (Server Side Template Injection) (HackingDream ASP Resource) [RCE]\nInvokePowerShellTcp.ps1 - PowerShell Reverse Shell\nConPtyShell (AntonioCoco Utility) - Shell Improvement\nCertificate Signing Request Inspection - OpenSSL\nChisel  + Remote Port Forwarding + Proxychains - Creating a SOCKS5 tunnel\nAbusing Software Portal\nTraffic inspection with Tcpdump and Tshark\nURL Host Manipulation Attack + Intercepting authentications with Netcat\nPlaying with Responder to get a Net-NTLMv2 hash\nCracking Hashes\nSMB enumeration with authenticated user\nJamovi \u003c=1.6.18 Exploitation - Malicious OMV File (XSS Vulnerability - Cross-Site Scripting Attack)\nXSS + NodeJS Command Injection + InvokePowerShellTcp.ps1 (Nishang) Reverse Shell\nConPtyShell (AntonioCoco Utility) - Shell Improvement\nAbusing Certificate Services\nPlaying with Certify.exe to find vulnerable templates\nPowerView.ps1 + ADCS.ps1 in order to generate a certificate request and get it approved by the CA\nADCS.ps1 script manipulation (userprincipalname/samaccountname [Substitution Applied])\nListing certificates with gci command\nAttempting to obtain credentials with Rubeus (asktgt mode) [ERROR - No longer working]\nExploiting CVE-2021-42278/CVE-2021-42287 (noPac.py) through Proxychains [Alternative Exploitation]\nSynchronizing our time with DC time (rdate) - Headers Information Leakage\nGetting an interactive console as the administrator user on the DC (noPac.py) Microsoft IIS 6.0 - WebDAV 'ScStoragePathFromUrl' Remote Buffer Overflow [RCE]\nToken Kidnapping - Churrasco [Privilege Escalation] XXE (XML External Entity Injection) Exploitation\nReading internal files through XXE - Private SSH 
Key\nAbusing a Github project - Information Leakage in Project Commits [Privilege Escalation] Virtual Hosting Enumeration\nAbusing Upload File - Image to Text Flask Utility\nSSTI - Server Side Template Injection\nReading files through SSTI - SSH Private Key\nAbusing Cron Job [Privilege Escalation] Information Leakage\nPython Source Code Analysis\nURL Command Injection\nKnown Plaintext Attack - Cryptography Challenge\nAbusing Sudoers Privilege - Shadow Race Condition [Privilege Escalation] Information Leakage\nAPI Enumeration\nCracking Hashes\nCracking ZIP file\nBackup Download - Stored credentials\nMongoDB Enumeration\nMongo Task Injection - Command Injection [User Pivoting]\nSUID Backup Binary Exploitation - Dynamic Analysis (1st way)\nSUID Backup Binary Exploitation - Buffer Overflow 32 bits [NX Bypass + ASLR / Ret2libc] (2nd way) Information Leakage\nSteganography Challenge - Hidden message in the spectrogram of an audio file (Audacity)\nCryptography Challenge - Elliptic Curve (py-seccure)\nAbusing Sudoers Privilege - User Pivoting (Vi)\nAbusing Cron Job - Chown Wildcard Exploitation [Privilege Escalation] Wordpress Enumeration\nImage Stego Challenge - Steghide\nInformation Leakage - User Enumeration\nWordPress Exploitation - Theme Editor [RCE]\nAbusing misconfigured permissions [Privilege Escalation] LFI (Local File Inclusion) - Filter Bypass\nObtaining a user's SSH private key through the LFI\nEscaping from a container\nRestricted Shell Bypass\nAbusing Capabilities (cap_dac_read_search+ei) [Privilege Escalation] Virtual Hosting\nInformation Leakage\nOpen Redirect Exploitation\nOpen Redirect to XSS (Cross-Site Scripting) - Playing with eval/atob\nOpen Redirect + XSS evasion technique to fetch an external resource (1st way) [Not working at all]\nXSS Exploitation - Loading encoded URL document.body.innerHTML external file (2nd way) [Success]\nSubdomain Enumeration - Gobuster\nJS File Inspection - Information Leakage\nAPI Enumeration\nAbusing API - Attempting to 
register a new user\nNoSQL Injection - OTP Code Bypass\nAbusing API - We have been able to register a new user\nAbusing CHAT - A user checks our links\nAbusing CHAT - Link Inspection + Open Redirect + XSS\nCreating a malicious JS file - Controlling the flow of requests\nJWT Inspection\nCreating a Bash script to enumerate valid users through the API\nAbusing API - We found 3 valid users\nInspecting the LocalStorage\nLocalStorage Headers Manipulation - Attempting to impersonate a user [Failed]\nLocalStorage Headers Manipulation - Assigning admin privileges to our user\nLocalStorage Headers Manipulation - We found a new file upload field\nFile Upload Attempt (No admintoken header present) [Failed]\nCSTI (Client Side Template Injection) Exploitation\nStored/Reflected XSS (Cross-Site Scripting) Attack - AngularJS\nAngularJS XSS + LocalStorage Data Fields Exfiltration\nGraphQL Enumeration\nAbusing GraphQL - Basic Enumeration (Listing the name of all the types being used)\nAbusing GraphQL - Extracting all the types and its arguments\nAbusing GraphQL - Causing errors to list sensitive data\nAbusing GraphQL - Enumerating Database Schema via Introspection\nGraphQL Voyager - Visualizing the data through Introspection\nAbusing GraphQL - Creating our own queries in order to list users information\nAbusing LocalStorage - User Impersonation (ID included) [Success]\nOpenRedirect + XSS + CSTI + JS Malicious File + GraphQL Concatenated Attack - Stealing adminToken\nWe managed to obtain the adminToken by updating the profile using the previous attack\nAbusing File Upload - FFmpeg Exploitation\nExternal SSRF and Local File Read via video upload due to vulnerable FFmpeg HLS processing\nCreating specially designed m3u8 and avi files\nLocal File Read - Data Exfiltration through FFmpeg exploitation\nFFmpeg exploitation - Reading SSH private key (user id_rsa)\nGaining access via SSH as the user 'user'\nAbusing Node Project - Manipulating the service logic to inject commands as root 
[Unintentional way]\nWe were able to assign SUID privileges to the system bash TLS Certificate Inspection\nWordPress Enumeration\nWordPress WP Support Plus Responsive Ticket System Exploitation - Gaining access as admin user\nInformation Leakage - Data type conversion for displaying a password in cleartext\nSMTP Enumeration\nCrypto Challenge - Vigenère Cipher\nGaining access over SSH\nAbusing LXD group [Privilege Escalation] (1st way) [Unintended]\nRSA Crypto Challenge (2nd way) [Privilege Escalation] SSL Cert Enumeration\nCookies Manipulation - Gaining access to restricted areas of the site\nAbusing Mailer Configuration\nMail server hijacking - Intercepting mails with Python\nSQLI (SQL Injection) - Error based in registered patient cancelation form\nGaining access as the 'sysadm' user to an Ajenti panel\nAjenti Server Management System Exploitation\nAjenti Exploitation - Creating an authorized public key on the server\nAssigning file permissions through the API\nManaging authorized access through the 'hosts.allow' file\nEscaping Restricted Bash (rbash)\nAbusing SUID Binary (GNU Screen) [Privilege Escalation] Abusing Oracle Database\nOracle Database Attacking Tool (ODAT) Installation\nOracle DB Exploitation - Identifying valid SIDs (sidguesser)\nOracle DB Exploitation - Discovering valid credentials (passwordguesser)\nOracle DB Exploitation - Attempting a remote file read\nOracle DB Exploitation - Attempting a remote file upload\nOracle DB Exploitation - Attempting execution of a previously uploaded binary file Information Leakage\nCisco Password Cracker (password7)\nSMB Enumeration - CrackMapExec\nGetting more valid system users - lookupsid.py\nAbusing WinRM - EvilWinRM\nCreating a dump file of the Firefox process - Procdump64.exe (Windows Sysinternals)\nReading the password of the administrator user in the previously performed dump [Privilege Escalation] RPC Enumeration\nAbusing RPC - IOXIDResolver.py (Obtaining the IPV6 machine address)\nPort scanning with nmap 
via ipv6\nSMB enumeration via ipv6\nCracking ZIP file\nNTDS enumeration (secretsdump.py)\nAbusing Kerberos - Kerbrute (Valid user enumeration)\nSMB Hash Spraying Attempt (Our attack is blocked)\nPyKerbrute Script Manipulation - Adapting the script to our needs (Kerberos attack)\nReg.py - Reading machine registers remotely (Registry Hives Enumeration)\nAbusing WinRM - Evil-WinRM\nWinPeas - System Enumeration\nWindows Defender Evasion\nWindows Defender Evasion - Bypass-4MSI to disable AMSI (Evil-WinRM)\nWindows Defender Evasion - Playing with Invoke-Binary to load an EXE into memory (Evil-WinRM)\nNTLM clients and services support NTLMv1\nCollecting Net-NTLMv1 Hash via Responder (1122334455667788 Challenge)\nCracking Hashes (Net-NTLMv1) [crack.sh]\nSecretsdump.py - Dumping the hashes for the rest of the AD users (Using the DRSUAPI method) PHP 8.1.0-dev - 'User-Agent' Remote Code Execution [RCE]\nAbusing Sudoers Privilege (Knife Binary) [Privilege Escalation] LFI (Local File Inclusion) - Filter Bypass [Abusing str_replace]\nBuffer Overflow x64 - Full RELRO, NX, PIE, ASLR Bypass [ROP - Abusing a writable section]\nCreating an Autopwn Script [Python Scripting]\nAbusing System Services [User Pivoting]\nAbusing binfmt_misc [Privilege Escalation] XXE (XML External Entity Injection) Exploitation\nXXE PHP File Read - Base64 Wrapper\nAbusing Sudoers Privilege [Privilege Escalation] Rsync \u0026 EncFS\nEncfs2john to obtain a Hash we can crack\nCracking Hashes\nSquid Proxy Enumeration\nBurpsuite Tip - Upstream Proxy Servers\nSquid Cache Manager Enumeration\nXPath Injection\nXPath Injection - Discovering valid users\nXPath Injection - Enumerating the password length of the found users\nXPath Injection - Obtaining users' passwords\nCreating a Python script to automate XPATH Injection\nSSH Brute Force - Hydra\nLocal Port Forwarding to reach the Pi-Hole web server\nPi-Hole Exploitation CVE-2020-11108 [PIVOTING] - Abusing Static DHCP leases configuration\nInformation Leakage 
[Privilege Escalation] Samba 3.0.20 \u003c 3.0.25rc3 - Username Map Script [Command Execution] SMB Enumeration\nCracking ZIP Password Protected File (fcrackzip)\nCracking and reading .PFX File (crackpkcs12)\nGaining SSL access with Evil-WinRM\nInformation Leakage - Reading the user's Powershell history (User Pivoting)\nAbusing LAPS to get passwords (Get-LAPSPasswords.ps1) [Privilege Escalation] SMB Enumeration\nEternalblue Exploitation (MS17-010) [Triple Z Exploit] Abusing FTP + IIS Services\nCreating an AutoPwn Script [Python Scripting]\nMicrosoft Windows (x86) – ‘afd.sys’ (MS11-046) [Privilege Escalation] SSL Heartbleed Exploitation\nCracking Hashes\nTmux Socket File Session [Privilege Escalation]\nLinux Kernel 2.6.22 \u003c 3.9 - Dirty Cow PTRACE_POKEDATA Race Condition Privilege Escalation Jamovi Enumeration\nRj Editor Code Execution (Reverse Shell)\nInformation Leakage\nBolt - Access to the administration panel\nBolt - PHP File Manipulation (Injecting Malicious Code) [RCE]\nPIVOTING\nDetecting tasks running on the system - PSPY\nRemote Port Forwarding - Chisel\nMongoDB - Changing the admin user password\nAbusing Rocket.Chat - Creating a new malicious webhook\nFile Upload Tip - Playing with PwnCat-CS\nDocker Breakout - CDK Utility AXFR - Domain Zone Transfer Attack (Failed)\nRPC Enumeration - Getting valid domain users\nPerforming an AS-RepRoast attack with the obtained users\nCracking Hashes\nAbusing WinRM - EvilWinRM\nLdap Enumeration - ldapdomaindump\nBloodHound Enumeration\nGathering system information with SharpHound.ps1 - PuckieStyle\nRepresenting and visualizing data in BloodHound\nFinding an attack vector in BloodHound\nAbusing Account Operators Group - Creating a new user\nAbusing Account Operators Group - Assigning a group to the newly created user\nAbusing WriteDacl in the domain - Granting DCSync Privileges\nDCSync Exploitation - Secretsdump.py Abusing James Remote Administration Tool\nChanging a user's email password\nInformation Leakage\nEscaping 
Restricted Bash (rbash)\nCreating a bash script in order to detect cron jobs (procmon.sh)\nAbusing Cron Job [Privilege Escalation] Abusing Basic Auth Path\nAbusing Centreon API - User Brute Force (Wfuzz)\nAbusing Centreon Login Panel - Python Scripting\nCentreon 19.04 Exploitation [RCE]\nWAF Testing\nWAF Bypassing\nScreen 4.5.0 SUID Binary Exploitation [Privilege Escalation] Fuzzing Parameters - Wfuzz\nWAF Bypassing\nCommand Injection\nAbusing Sudoers Privilege [Privilege Escalation] Information Leakage\nFTP RFC2428 Enumeration\nAbusing RFC-2428 via EPRT command\nAbusing RFC-2428 - Machine IPV6 address information leakage\nIPV6 Scanning with nmap\nRsync Enumeration\nAbusing Rsync - Brute Force in order to find a valid password [Bash Scripting]\nAbusing Rsync - Creating SSH key pairs to gain access to the system\nPostgres Enumeration\nEnumerating Github Projects\nSYSLOG Enumeration\nSYSLOG Exploitation - Abusing Priorities + SQL Injection [RCE as Postgres]\nPassword pattern information leak [Privilege Escalation] Information Leakage - User Enumeration [Brute-Force Wfuzz]\nFinding valid users - Wfuzz\nSSTI (Server Side Template Injection) [Failed]\nJWT Enumeration\nAbusing JWT - Flask-Unsign\nCracking Flask Cookie Secret - Flask-Unsign\nCookie Hijacking\nFTP Enumeration\nInformation Leakage in PDF document\nFinding a command injection in the web\nRCE in md-to-pdf 4.1.0\nAbusing the vulnerable code definition - Alternative Command Injection (RCE)\nAbusing MYSQL service running as the root user [Privilege Escalation] (raptor_udf2.so) Msfvenom Exploitation [CVE-2020-7384] [RCE]\nAbusing Logs + Cron Job [Command Injection / User Pivoting]\nAbusing Sudoers Privilege [Msfconsole Privilege Escalation] Abusing No Redirect\nJson Deserialization Exploitation - ysoserial.net [RCE]\nAppLocker Bypass\nAbusing SeImpersonatePrivilege - JuicyPotato [Privilege Escalation]\nAbusing SeImpersonatePrivilege - Creating a new user\nAbusing SeImpersonatePrivilege - Adding the user to the 
local administrators group\nAbusing SeImpersonatePrivilege - Modifying the registry entry LocalAccountTokenFilterPolicy\nPlaying with psexec.py and wmiexec.py\nPassTheHash - wmiexec.py\nExecuting commands with CrackMapExec\nDumping the SAM with CrackMapExec\nEnabling RDP with CrackMapExec\nPlaying with Remmina to gain access to the system Local File Inclusion (LFI)\nRemote File Inclusion (RFI) [Failed]\nRemote File Inclusion through SMB Server (net usershare technique) [Success]\nCreating a webshell and achieving remote command execution [RCE]\nInformation Leakage [User Pivoting]\nPlaying with Chisel and ScriptBlocks using Invoke-Command\nCreating a malicious CHM file (Out-CHM.ps1) [Privilege Escalation] Elastix 2.2.0 Exploitation - Local File Inclusion (LFI)\nInformation Leakage\nVtiger CRM Exploitation - Abusing File Upload (1st way) [RCE]\nShellshock Attack (2nd way) [RCE] Virtual Hosting\nNoSQL Injection Login Bypass\nNoSQL Injection - Dumping Users and Passwords [Python Scripting]\nAbusing SUID Binary - JJS [Privilege Escalation] Domain Zone Transfer Attack - AXFR (dig)\nInformation Leakage\nAbusing File Upload [RCE]\nAbusing SUID Binary (WTF?) 
[Privilege Escalation] Information Leakage\nOWA Password Spray - SprayingToolkit\nCreating a user list - spindrift.py\nApplying brute force to OWA - atomizer.py\nOWA Phishing - Stealing Net-NTLMv2 Hashes with Responder\nGaining access from PowerShell with Enter-PSSession\nConstrainedLanguage Mode Bypassing Techniques\nPlaying with Nishang to get a fully interactive console (Invoke-PowerShellTcpOneLine.ps1)\nPowershell filtering methods (EXTRA)\nAbusing StickyNotes - Viewing another user password\nAbusing defined functions [Privilege Escalation] FTP Enumeration\nInformation Leakage\nAbusing NodeJS Application\nAPI Enumeration\nAbusing Ajenti Administration Panel Server Side Template Injection (SSTI)\nExploiting the SSTI by calling Popen without guessing the offset (1st way) [RCE]\nCommand Injection (2nd way) [RCE]\nAbusing adm group - Finding credentials in request logs\nSplunk Exploitation (Universal Forwarder Misconfiguration) - SplunkWhisperer2 [Privilege Escalation] SSL Certificate Enumeration\nSMB Enumeration\nKerberos User Enumeration (Kerbrute)\nASREPRoast Attack (Failed)\nSQL Injection (MSSQL) - WAF Bypass\nNTLM Hash Stealing through SQL Injection (xp_dirtree)\nCracking Hashes\nLocal File Inclusion (LFI)\nLFI + Wrappers (base64 encoding)\nRemote File Inclusion (RFI)\nRFI + RCE via malicious PHP script\nInformation Leakage - Database administrator user credentials\nEnumerating the database with sqlcmd\nPassword spraying with CrackMapExec\nAbusing WinRM - EvilWinRM\nAbusing Firefox Stored Profile Passwords - Firepwd\nBloodhound Enumeration\nPlaying with SharpHound.ps1 - Puckiestyle\nAbusing WriteOwner privilege over a group - PowerView.ps1\nPlaying with Add-DomainObjectAcl \u0026\u0026 Add-DomainGroupMember utilities\nGetting LAPS Passwords - ldapsearch [Privilege Escalation] SMB Enumeration\nAbusing GPP Passwords\nDecrypting GPP Passwords - gpp-decrypt\nKerberoasting Attack (GetUserSPNs.py) [Privilege Escalation] Web Enumeration\nInformation Leakage\nPlaying 
with esoteric languages - Ook! and Brainfuck\nCracking Zip Password Protected Files\nPlaySMS Exploitation - 'import.php' Remote Code Execution [RCE]\nBufferOverflow 32 bits - Ret2libc [Privilege Escalation] Gitweb Enumeration\nInformation Leakage\nCracking Hashes\nSearching for vulnerabilities in Ruby on Rails with Brakeman\nDeserialization Attack (CVE-2020-8165) - Rails \u003c 5.2.3.4 [RCE]\nCreating a new application with Rails\nCreating the payload with Ruby console\nAbusing Google Authentication (oathtool)\nAbusing sudoers privilege (gem command) [Privilege Escalation] SSL Certificate Enumeration\nGitlab Enumeration\nGitlab Exploitation - Arbitrary file read via the UploadsRewriter when moving an issue\nGitlab Exploitation - Malicious Marshalled Payload in a session cookie + Deserialization Attack [RCE]\nAbusing gitlab-rails console - Granting administrator privileges to our user\nEXTRA - Playing with Vulhub Pre-Built Vulnerable Environments Based on Docker-Compose\nInformation Leakage - SSH Access\nAbusing SUID Binary + PATH Hijacking [Privilege Escalation] WordPress Enumeration\nInformation Leakage\nAnalyzing a jar file - JD-Gui + SSH Access\nAbusing Sudoers Privilege [Privilege Escalation] SMB Enumeration\nEXE Binary Analysis\nAbusing electron-updater - Signature Validation Bypass [RCE]\nAbusing PortableKanban - Reading the encrypted password\nRedis Enumeration - Obtaining the encrypted password of the administrator user\nDecrypting obtained passwords + Abusing WinRM (Evil-WinRM) [Privilege Escalation] SQUID Proxy Enumeration\nUDP Enumeration\nAbusing TFTP - Getting Squid Proxy Credentials\nCracking Hashes\nInternal port discovery via SQUID Proxy\nAbusing Interactive Console [RCE]\nBypassing iptables rules - UDP Reverse Shell\nAbusing Sudoers Privilege [Abusing sudoedit - User Pivoting]\nAbusing Cron Job + TAR Wildcards [Privilege Escalation] FTP Enumeration\nInformation Leakage\nAbusing PRTG Network Monitor - Command Injection [RCE] RPC Enumeration\nUser 
Enumeration via Kerberos - Kerbrute\nASREPRoast Attack - GetNPUsers.py (Failed)\nLDAP Enumeration - ldapsearch \u0026\u0026 ldapdomaindump\nSMB Enumeration - smbclient \u0026\u0026 smbmap\nCracking TightVNC Password - vncpwd\nKerberoasting Attack - GetUserSPNs.py (Failed)\nAbusing WinRM - EvilWinRM\nEnumerating SQLite3 Database File\nAnalysis of Windows EXE binary\nInstalling DotPeek on a Windows virtual machine\nReverse engineering the CBC cipher - Obtaining clear text passwords\nAbusing AD Recycle Bin Group - Active Directory Object Recovery (Get-ADObject) [Privilege Escalation]\nEXTRA: Chisel Remote Port Forwarding (RDP + Remmina) Virtual Hosting Enumeration\nAbusing Support Ticket System\nAccess to MatterMost\nInformation Leakage\nDatabase Enumeration - MYSQL\nCracking Hashes\nPlaying with hashcat rules in order to create passwords\nPlaying with sucrack to find out a user's password Local File Inclusion (LFI)\nLFI to RCE - Log Poisoning\nCracking ZIP file\nAbusing VNC - vncviewer [Privilege Escalation] Web Enumeration\nInformation Leakage\nLdap Enumeration\nKerberos Enumeration\nUser Enumeration - Kerbrute\nPassword Brute Force - Kerbrute\nSMB Enumeration - Kerberos Authentication [getTGT.py]\nASREPRoast Attack - GetNPUsers.py (Failed)\nKerberoasting Attack - GetUserSPNs.py\nManipulating the GetUserSPNs.py script to make it work the way we want it to work\nCracking Hashes\nAttempting to authenticate to the MSSQL service via kerberos (Failed)\nExplaining Kerberos Auth Flow (TGT, TGS, KDC, AS-REQ, AS-REP, TGS-REQ, TGS-REP, AP-REQ, AP-REP)\nExplaining how Silver Ticket Attack works\nForging a new TGS as Administrator user (NTLM Hash, Domain SID and SPN) [ticketer.py \u0026\u0026 getPAC.py]\nConnecting to the MSSQL service with the newly created ticket\nMSSQL Enumeration\nEnabling xp_cmdshell component in MSSQL [RCE]\nAbusing SeImpersonatePrivilege [JuicyPotatoNG Alternative for Windows Server 2019] (Unintended Way)\nBinary and DLL Analysis\nDownloading OpenVPN 
from a Windows machine and configuring it to reverse downloaded resources\nDnspy Installation\nDLL Inspection with Dnspy - Found a backdoor in the code\nWe realize that serialization and deserialization of data is being used\nCreating a malicious base64 serialized Payload with ysoserial.net in order to get RCE\nWe send the serialized data to the server [Privilege Escalation] Web Enumeration\nNFS Enumeration - Showmount\nInformation Leakage\nAbusing Umbraco Admin Panel\nUmbraco CMS - Remote Code Execution by authenticated administrators\nObtaining the TeamViewer password from the system registers (AES128 - CBC) [Privilege Escalation] Abusing Nibbleblog - Remote Code Execution via File Upload\nAbusing Sudoers Privilege [Privilege Escalation] Web Enumeration\nGithub Project Enumeration\nInformation Leakage\nAbusing File Upload - Replacing Python Files [RCE]\nLocal File Inclusion (LFI)\nShell via Flask Debug - Finding out the PIN (Werkzeug Debugger) [Unintended Way]\nPlaying with Chisel - Remote Port Forwarding [PIVOTING]\nAbusing Gitea + Information Leakage\nAbusing Cron Job + Git Hooks [Privilege Escalation] Web Enumeration\nSQL Injection (SQLI) - Manual Blind Time Based [Python Scripting]\nInformation Leakage - Error Messages\nLogin bypass - SQLI\nAbusing MPDF - Local File Inclusion (LFI)\nAbusing meta-git command - RCE via insecure command formatting\nAbusing gdb capability (cap_sys_ptrace+ep) [Privilege Escalation] DNS Enumeration\nDomain Zone Transfer Attack (AXFR)\nSQL Injection (SQLI) - Manual Blind SQLI with Conditional Responses [Python Scripting - AutoPwn]\nLocal File Inclusion (LFI) + Wrappers\nSubdomain Discovery\nLocal File Inclusion (LFI) + Restriction bypassing\nSMTP Enumeration (VRFY - Discovering valid users)\nLFI to RCE - Nginx Log Poisoning\nAbusing Sudoers Privilege (fail2ban command) Web Enumeration\nInformation Leakage\nInsecure Direct Object Reference (IDOR) in order to discover valid reports\nAbusing File Upload - Uploading a PHP file 
disguised as PDF + Obfuscated Web Shell (Weevely3)\nAbusing Internal Web Server\nWordpress Brandfolder 3.0 Plugin Exploitation - Local/Remote File Inclusion (User Pivoting)\nChanging admin user password in wordpress via MYSQL (Wordpress Password Hash Generator)\nVirtual Box Image Enumeration\nCracking VirtualBox Encryption (virtualbox2hashcat)\nCreating a new virtual machine in VirtualBox and installing the extension pack\nDecrypting the VirtualBox VDI Image with VBoxManage\nMounting the VirtualBox VDI Image (qemu-nbd)\nCracking the LUKS v2 Password (bruteforce-luks-static-linux-amd64)\nMounting the Luks Drive (cryptsetup)\nFinding a password among the mounted files\nAbusing sudoers privilege [Privilege Escalation] Web Enumeration\nSQL Injection (SQLI) in a Cookie\nCracking Hashes\nAbusing Cron Job\niPython Arbitrary Code Execution - CVE-2022-21699 (User Pivoting)\nInformation Leakage\nAbusing Redis - Sandbox Escape (CVE-2022-0543) [Privilege Escalation] Server Side Template Injection (SSTI)\nSSTI - Bypassing special character restriction\nSSTI - Creation of a Python script to automate java injection (RCE)\nCreating a Bash script for process monitoring with user included\nAbusing log file + Image Metadata + XML External Entity Injection (XXE) [Privilege Escalation] NFS Enumeration\nAbusing owners assigned to NFS shares by creating new users on the system (Get Access to Web Root)\nCreating a web shell to gain system access\nAbusing .Xauthority file (Pentesting X11)\nTaking a screenshot of another user's display Web Enumeration\nParameter Fuzzing with Wfuzz\nMass Assignment Attack - Giving admin privileges to our user\nCreating a HTML form with OpenAI in order to exploit file uploading\nInformation Leakage - Reading sensitive files with hardcoded passwords\nTrudesk API Enumeration\nTrudesk API Enumeration - Finding valid tickets + Xargs Tip (Fast ticket discovery)\nSetting up Zoiper\nMaking a call from Zoiper to obtain access credentials\nAbusing Capabilities 
(tcpdump)\nAbusing Weak Cipher Suite - TLS_RSA_WITH_AES_256_CBC_SHA256 (TLSv1.2 Traffic)\nImporting the certificate into Wireshark and decrypting traffic\nBackdrop Enumeration \u0026\u0026 Backdrop Exploitation\nAbusing Backdrop - Installing a new module\nAbusing a cron job on a container [Container privilege escalation]\nAbusing CVE-2022-0492 (Container Escape via Cgroups) [Privilege Escalation] SMB Enumeration\nEXE Binary Analysis\nDebugging with DNSpy\nSetting breakpoints and getting an LDAP password in clear text (DNSpy)\nKerberos User Enumeration (kerbrute)\nLdap Enumeration (ldapsearch)\nInformation Leakage\nAbusing Remote Management Users group (Evil-WinRM)\nSharpHound + BloodHound Enumeration\nAbusing Shared Support Accounts (GenericAll) (rbcd Attack) [Resource Based Constrained Delegation]\nResource Based Constrained Delegation Attack - Creating a Computer Object (powermad.ps1)\nResource Based Constrained Delegation Attack - PowerView.ps1\nResource Based Constrained Delegation Attack - Getting the impersonated service ticket (getST.py)\nUsing the ticket to gain Administrator access [Privilege Escalation] SMB Enumeration\nFollina Exploitation (CVE-2022-30190) + Nishang PowerShell TCP Shell [Remote Code Execution]\nSharpHound + BloodHound DC Enumeration\nAbusing AddKeyCredentialLink Privilege [Invoke-Whisker.ps1 - Shadow Credentials]\nGetting the user's NTLM Hash with Rubeus\nAbusing WinRM - EvilWinRM\nAbusing WSUS Administrators Group\nWSUS Exploitation - Creating a malicious patch for deployment [Privilege Escalation] Web Enumeration\nAbusing WebHook Setup\nCreating a PHP file to apply a Redirect and point to internal machine services [Restriction Bypassing]\nGogs v0.5.5 Exploitation - SQL Injection [CVE-2014-8682]\nRunning Gogs v0.5.5 Locally for successful exploitation\nCreating a SQL injection that allows us to obtain the salt and password of a user\nHash restructuring in order to crack it\nSSRF (Server Side Request Forgery) + SQL Injection\nCracking 
Hashes\nAbusing Cron Job (Database Manipulation) [Privilege Escalation] Virtual Hosting\nSubdomain Enumeration\nNoSQL Injection (Admin Auth Bypass)\nAbusing the Shoppy App search engine (NoSQL Injection) - Obtaining the password of DB users\nCracking Hashes Online\nLog into Mattermost + Information Leakage\nAbusing Sudoers Privilege\nBinary Analysis - GHIDRA (Reverse Engineering)\nAbusing docker group [Privilege Escalation] Web Enumeration\nSubdomain Discovery (gobuster)\nFinding .git directory with nmap (http-enum)\nPlaying with git-dumper in order to get the files of the project\nPHP Source Analysis\nInformation Leakage\nAbusing HTACCESS Policies\nAbusing File Upload (ZIP file + PHP File + Restriction Bypass + PHAR Wrapper)\nPlaying with dfunc-bypasser in order to find functions through which we can execute commands\nAbusing proc_open and executing commands [RCE]\nAbusing SUID Binary (Command injection in Python2 Input function) [User Pivoting]\nAbusing Sudoers Privilege (easy_install binary) [Privilege Escalation] Web Enumeration\nGrafana v8.2.0 Exploitation [CVE-2021-43798] (Unauthorized Arbitrary File Read Vulnerability)\nEnumerating a sqlite3 file [Extracting mysql login credentials]\nSystem Github Project Enumeration\nHashicorp Consul Exploitation (Command Execution via API) [Privilege Escalation] Virtual Hosting\nWeb Enumeration\nInformation Leakage - Credentials in Javascript File\nAbusing Image Download Utility (Command Injection) [RCE]\nAbusing Sudoers privilege + PATH Hijacking (find command) [1st way] [Privilege Escalation]\nAbusing Sudoers privilege + PATH Hijacking ( ] command ) [2nd way] [Privilege Escalation] Pdfkit v0.8.6 Exploitation - Command Injection (CVE-2022-25765)\nAdvanced Python Scripting - Autopwn Script [EXTRA]\nInformation Leakage [User Pivoting]\nAbusing sudoers privilege + Yaml Deserialization Attack [Privilege Escalation] Virtual Hosting\nSubdomain Enumeration\nAPI Enumeration\nAbusing API\nSNMP Enumeration (snmpwalk \u0026\u0026 
snmpbulkwalk) + Community String Brute Force\nInformation Leakage\nAbusing JWT\nAPI Exploitation (Command Injection)\nChisel Tunnel + Postgresql Service Enumeration + Information Leakage\nAbusing Sudoers Privilege [Privilege Escalation] Web Enumeration\nLocal File Inclusion + Directory Listing\nInformation Leakage\nSpring Cloud Exploitation (CVE-2022-22963) [Spring4Shell]\nAbusing Cron Job\nMalicious Ansible Playbook (Privilege Escalation) requests-baskets 1.2.1 Exploitation (SSRF - Server Side Request Forgery)\nMaltrail 0.53 Exploitation (RCE - Username Injection)\nAbusing sudoers privilege (systemctl) [Privilege Escalation] File uploading abuse (%00 Injection) [Failed]\nZipSlip Exploitation Technique for internal reading of files\nSQL Injection + Regular Expression Bypass (%0a) + RCE through into outfile instruction\nCustom binary abuse + Malicious Shared Object (.so) Injection [Privilege Escalation] XSS Injection + CSP Bypass\nAbusing File Upload + Indirect XSS Injection\nIDOR Exploitation\nProfile and order enumeration via XSS\nXSS + LFI aiming to read private files from the server\nInformation Leakage through LFI\nAbusing Internal Javascript Web Application\nAbusing ebook-convert [User Pivoting]\nAbusing Symlinks + ebook-convert for Arbitrary Write\nAbusing sudoers privilege\nSQL Injection + PostScript Injection for privileged writing to system [Privilege Escalation] Abusing a game via the browser console\nAbusing NFS + Information Leakage\nCode Analysis\nMass Assignment Exploitation in order to elevate our user privileges\nBypass Check via Netline Injection\nRCE through nickname manipulation + Mass Assignment Attack\nAbusing Custom Binary\nBinary Analysis with Ghidra (Reversing) [User Pivoting]\nAbusing Sudoers\nXXE Exploitation [Privilege Escalation] Abusing Request Tracker\nInformation Leakage\nObtaining KeePass password through memory dump [Privilege Escalation] IDOR Exploitation + OOP Python Scripting\nInformation Leakage\nSqlite3 file 
enumeration\nCracking Hashes\nGitea Enumeration + Information Leakage\nAbusing Custom Binary\nBinary Analysis with GHIDRA\nExploiting SUID binary + Command injection through sqlite3 extension loading [Privilege Escalation] Jenkins Exploitation - CVE-2024-23897 in order to read arbitrary files (RCE)\nCracking Hashes\nAbusing the Jenkins cipher to crack the password [Privilege Escalation] SMB Enumeration\nAbusing File Upload (.phar extension + Python Scripting)\nAbusing PHP Disable Functions in order to RCE\nGameOver(lay) Exploitation (Privilege Escalation)\nCracking Hashes\nEnumerating domain users (rpcclient)\nTesting ASREPRoast attack (impacket-GetNPUsers)\nFraudulent sending of eps file by mail through RoundCube\nAbusing XAMPP for privilege escalation CraftCMS Exploitation (CVE-2023-41892) - RCE\nInformation Leakage\nCracking Hashes\nZoneMinder + Sudoers Exploitation (Privilege Escalation) Building a Python3 Stealth port scanner with Scapy\nAbusing declared Javascript functions from the browser console\nAbusing the API to generate a valid invite code\nAbusing the API to elevate our privilege to administrator\nCommand injection via poorly designed API functionality\nInformation Leakage\nPrivilege Escalation via Kernel Exploitation (CVE-2023-0386) - OverlayFS Vulnerability Credential guessing\nActiveMQ Exploitation - Deserialization Attack (CVE-2023-46604) [RCE]\nAbusing sudoers privilege (nginx) [Privilege Escalation] Nagios Enumeration\nAPI Enumeration\nSNMP Enumeration\nAbusing API\nNagios XI Exploitation (CVE-2023-40931)\nSQL Injection Manual Exploitation\nAbusing API Key to create new administrator user (Mass Assignment Attack)\nCreating a new command and service in Nagios to get a reverse shell\nAbusing Sudoers [Privilege Escalation] Subdomain Enumeration\nAbusing Joomla\nJoomla Exploitation (CVE-2023-23752)\nCustomizing administration template to achieve RCE\nDatabase Enumeration (User Pivoting)\nAbusing sudoers privilege (apport-cli) [Privilege Escalation] 
IIS Enumeration\nSubdomain Enumeration\nInformation Leakage\nAbusing NAPLISTENER Backdoor\nCreating a reverse shell payload in C#\nCreating an executable from C# code with mcs\nElasticsearch Enumeration\nBinary Analysis with GHIDRA\nGhidra extensions installation\nCreation of script in Go to decrypt a message by abusing a given seed\nUsing RunasCs to execute commands as another user + UAC Bypass [Privilege Escalation] Apache OFBiz Exploitation (Authentication Bypass)\nAnalysis of OFBiz code to understand the hashed storage mechanism\nAdapting found hashes to a crackable format\nCracking Hashes [Privilege Escalation] SMB Enumeration\nUser Enumeration [1st way] - RID Cycling Attack (rpcclient)\nUser Enumeration [2nd way] - RID Cycling Attack (CrackMapExec)\nUser Enumeration [3rd way] - Kerberos User Enumeration (Kerbrute)\nLdap Enumeration (ldapdomaindump)\nCredentials Brute Force (CrackMapExec)\nMSSQL Enumeration (mssqlclient.py)\nAbusing MSSQL (xp_dirtree)\nInformation Leakage\nAbusing WinRM to get an interactive console\nDC Enumeration (adPEAS) - Powershell tool to automate Active Directory enumeration\nAbusing Active Directory Certificate Services (ADCS)\nESC7 exploitation case with certipy [Privilege Escalation] FTP Enumeration\nInformation Leakage\nSSH Brute Force with CrackMapExec\nAbusing Capabilities - Reaver\nAbusing an AP's WPS to get the root password [Privilege Escalation]\nTrying to change the password and showing how the WPS Pin is still giving the new password SMB Enumeration\nVirtual Hosting\nSubdomain Enumeration\nKerberos - User Brute Force Enumeration (kerbrute)\nWeb Fuzzing\nLDAP Injection\nCreating a Python script to easily exploit LDAP injection\nDiscovering valid users through LDAP injection\nEnumerating user description through LDAP injection + Information Leakage\nTesting ASREPRoast attack (impacket-GetNPUsers)\nTesting Kerberoasting attack (impacket-GetUsersSPNs)\nExploitation of a customized analysis panel\nCreating a PHP webshell for 
command execution + Reverse Shell with Nishang\nSystem enumeration with WinPeas\nObtaining user credentials stored in the autologon registry\nAbusing Snort (Loading Dynamic Modules) [Privilege Escalation]\nCreation of malicious DLL with msfvenom for loading into snort Subdomain Enumeration\nMetabase Exploitation (CVE-2023-38646)\nDocker Container Information Leakage\nKernel Exploitation - GameOver(lay) / Abusing OverlayFS [Privilege Escalation] Subdomain Enumeration\nLFI through CV Download\nAbusing ViewState IIS Parameter + web.config secrets in order to achieve RCE\nPlaying with ysoserial.net to create a serialized payload\nReading a powershell credential and decrypting the contents of the PSCredential object\nRunasCs.exe to execute command as another user whose credentials are known to us\nAbusing SeDebugPrivilege [Privilege Escalation]\nPlaying with chisel + WinRM for a more stable shell\nUsing psgetsys.ps1 to execute commands as the administrator user through memory injection Subdomain Enumeration\nDolibarr 17.0.0 Exploitation - CVE-2023-30253\nInformation Leakage (User Pivoting)\nEnlightenment SUID Binary Exploitation [Privilege Escalation] Virtual Hosting\nAbusing File Upload\nServer Side Request Forgery (SSRF) Exploitation + Internal Port Discovery\nAPI enumeration through SSRF\nPrivate Github Project Enumeration + Information Leakage\nAbusing sudoers [Privilege Escalation] - GitPython Exploitation (CVE-2022-24439) Web Enumeration\nInformation Leakage through LFI (hMailServer)\nCracking Hashes\nMicrosoft Outlook Remote Code Execution (RCE) - CVE-2024-21413\nStealing NetNTLMv2 hash\nAbusing WinRM\nLibreOffice Exploitation (CVE-2023-2255) [Privilege Escalation] Insecure Direct Object Reference (IDOR)\nInformation Leakage\nAbusing Capabilities (Python3.8) [Privilege Escalation] Subdomain Enumeration\nJetBrains TeamCity 2023.05.3 Exploitation (RCE) [CVE-2023-42793]\nInformation Leakage\nCracking Hashes\nLocal Port Forwarding\nPortainer Exploitation (Mounting 
a host volume inside a container) [Privilege Escalation] Web Enumeration\nHTML Injection\nXSS Exploitation\nAbusing JWT\nServer Side Template Injection (SSTI) + Bypassing most common filters (RCE)\nDatabase Enumeration\nCracking Hashes\nAbusing sudoers privilege (qpdf binary exploitation) Subdomain Enumeration\nSQLI - Boolean-Based Blind Injection (MANUAL) + BurpSuite Tips\nPython Scripting in order to exploit SQLI\nCracking Hashes\nLaravel-admin Exploitation (RCE by abusing file upload)\nBinary Analysis (GHIDRA)\nAbusing Sudoers Privilege + Custom Binary in order to get Root SSH Private Key [Privilege Escalation] SMB Enumeration\nXMPP/Jabber Enumeration via Pidgin\nInformation Leakage\nUser Enumeration via Pidgin's Advanced User Search Option\nTesting for ASREP-Roast Attack\nCracking Hashes\nSMB Enumeration via CrackMapExec + Module Tip\nBloodHound Enumeration\nAbusing ExecuteDCOM Execution Right (impacket-dcomexec)\nRCE through the abuse of a DCOM object with impacket-dcomexec\nRemote Port Forwarding (Chisel)\nOpenFire Exploitation (CVE-2023-32315) - Malicious plugin installation [Privilege Escalation] Subdomain Enumeration\nChamilo LMS Exploitation - Unauthenticated Command Injection [CVE-2023-31803] (RCE)\nInformation Leakage\nAbusing Sudoers - Custom Bash Script (playing with setfacl) [Privilege Escalation] Minecraft Exploitation - Log4Shell (RCE)\nJAR Plugin Analysis with JD-GUI + Information Leakage\nUsing RunasCs to execute commands as administrator [Privilege Escalation] Subdomain Enumeration\nBlazor Traffic Processor - BurpSuite Extension\nDLL Inspection - AvalonialLSpy\nInformation Leakage\nBuilding our own admin JWT\nSQL Injection - Stacked Queries (RCE via xp_cmdshell)\nBloodHound Enumeration - Docker TIP\nKerberoasting Attack (PowerView.ps1)\nCracking Hashes\nFind-InterestingDomainAcl PowerView Enumeration\nAbusing Logon Scripts (ScriptPath)\nDCSync via Mimikatz (Getting the ntlm hash of the admin user) + Mimikatz [Privilege Escalation] XSS injection 
via custom header\nStealing administrator user session cookie via XSS\nCommand injection in web panel\nAbusing sudoers privilege [Privilege Escalation] Newline Injection + SSTI (ERB Injection) [RCE]\nCracking Hashes - Creating your own rules with hashcat\nAbusing the 'sudo' group once the user's password is known Web Fuzzing\nWonderCMS Exploitation (XSS + RCE)\nCracking Hashes\nLocal Port Forwarding + Internal System Monitor Web Exploitation (Command Injection)\nCommand Injection + Access with Authorized SSH Key Pairs [Privilege Escalation] Information Leakage\nApache Struts Exploitation [CVE-2024-53677]\nApache Struts, Interceptors and OGNL Expression Language Explained\nAbusing File Upload (Malicious JSP File)\nAbusing Sudoers Privilege (tcpdump) [Privilege Escalation] Subdomain Enumeration\nSQLI - Manual Time Based Blind Injection (Python Scripting)\nCracking Hashes\nCacti Exploitation (CVE-2024-25642) - Malicious Package Import\nInformation Leakage\nInternal Service Exploitation - Duplicati\nAbusing Duplicati - Bypassing Login Authentication with Server Passphrase\nDuplicati - Creating a backup for privileged reading and writing of files [Privilege Escalation] Cacti 1.2.22 Exploitation - Command Injection\nCracking Hashes\nDocker Exploitation (CVE-2021-41091) [Privilege Escalation] Subdomain Enumeration\nInformation Leakage - Github project rebuild with GitHack\nPrestaShop 8.1.5 Exploitation - [CVE-2024-34716]\nDatabase Enumeration\nCracking Hashes\nCreating bash script to apply host recognition\nCreating bash script to apply port recognition on other containers\nLocal Port Forwarding to gain access to a service available in one of the containers\nChangeDetection 0.45.20 Exploitation [CVE-2024-32651] - SSTI (RCE)\nAbusing Sudoers Privilege (prusaslicer)\nCreating a malicious .3mf file using PrusaSlicer [Privilege Escalation] SMB Enumeration\nWeb Enumeration\nJoomla 4.2.7 Exploitation - Leak Password [CVE-2023-23752]\nKerberos User Enumeration 
(kerbrute)\nPassword Spraying - CrackMapExec\nPcap Analysis - Wireshark\nKerberos AS-REQ Frame Analysis\nDetailed Explanation of How Kerberos Works (EXTRA)\nCreating a crackable hash through the visible data in the AS-REQ frame\nCracking Hashes\nExploitation of Joomla through template manipulation to achieve RCE\nUsing RunasCs to get reverse shell as another user\nRemote Port Forwarding with Chisel to expose internal service\nExploiting 'Floating Frame' in LibreOffice to achieve (RCE) [CVE-2023-2255]\nManipulating LibreOffice Macro Security via 'Registry Editors' (Alternative RCE)\nCreating a malicious macro in LibreOffice to achieve RCE (Alternative RCE)\nCredential Theft via DPAPI Decryption and RPC Abuse\nDPAPI Master Key Decryption via MS-BKRP (dpapi::masterkey)\nDumping Saved Passwords by Exploiting DPAPI and RPC (dpapi::cred)\nAbusing WinRM\nAbusing 'GPO Managers' group\nSharpGPOAbuse.exe to assign us administrator privileges [Privilege Escalation] WEB Enumeration\nSQLPad Exploitation - Command Injection [CVE-2022-0944]\nCracking Hashes\nNginx/Apache File System Enumeration\nSSH Port Forwarding + Froxlor Exploitation (Creating an admin user) [CVE-2024-34070]\nChanging an FTP user's password to login (lftp)\nBreaking the password of a keepass file by brute force and obtaining id_rsa [Privilege Escalation] Pluck Enumeration\nGitea Enumeration\nCode Analysis + Information Leakage\nCracking Hashes\nPluck 4.7.18 Exploitation - Creating a Malicious Module (RCE)\nDepixelizing a pixelated field of a PDF document [Privilege Escalation] Spring Boote Web Page Enumeration\nInformation Leakage\nCookie Hijacking\nCommand Injection + Filter Bypass\nJAR archive inspection with JD-GUI + Information Leakage\nPostgreSQL Database Enumeration\nCracking Hashes\nAbusing Sudoers Privilege (ssh) [Privilege Escalation] Gitea Enumeration\nInformation Leakage\nGit Exploitation [CVE-2024-32002] (RCE)\nSQLite Database File Enumeration\nCreating Hashes in PBKDF2 Format to Get Them 
Cracked\nCracking hashes\nMicrosoft Visual Studio 2019 Exploitation (CVE-2024-20656) [Privilege Escalation] Subdomain Enumeration\nNoSQL Injection - Authentication Bypass\nAbusing API + Information Leakage\nServer-Side XSS + LFI Exploitation through Dynamic PDF Generation\nAbusing Sudoers Privilege (node + Path Traversal Attack Targeting JavaScript Files) [Privilege Escalation] Subdomain Enumeration\nEnumerating Grafana Requests\nExecuting system commands through PostgreSQL by exploiting an API (RCE)\nCreation of bash script to enumerate processes and commands running on the system (procmon.sh)\nCommand Execution via Shadow Simulation (User Pivoting)\nLocal Port Forwarding + Abusing Jupyter Notebook in order to get RCE (User Pivoting)\nAbusing Sudoers Privilege (sattrack) - File Read/File Write [Privilege Escalation] Web Enumeration\nTesting the Payment System\nTricking the Payment System so that the Information Passes through our Server\nOperating as a Fake Bank to Give an Alternative Response\nCreating Malicious QR with an Embedded XSS Payload (zbarimg/qrencode)\nStealing a User's Session Cookie through Generated QR\nCracking Hashes\nBinary Analysis (GHIDRA) - Reversing\nBuffer Overflow - Arbitrary File Write Vulnerability\nInformation Leakage\nHTTP Docker Registry Enumeration (DockerRegistryGrabber)\nDjango Serialization Exploitation (Creating a Malicious Session Cookie to Obtain RCE)\nContainer CAP_SYS_MODULE Capability Exploitation - Docker Breakout [Privilege Escalation] Web Enumeration\nAbusing Tiny File Manager (RCE by Uploading a Malicious PHP File)\nWebSocket SQL Boolean-Based/Time-Based Blind Injection\nAbusing Doas Privilege (dstat) [Privilege Escalation] Information Leakage\nCreating a Custom Dictionary with Cewl\nBrute Force with Netexec to SMB to Obtain Valid Credentials\nChanging a User's Password with impacket-smbpasswd\nInformation Leakage through Printer Enumeration with rpcclient\nAbusing SeLoadDriverPrivilege\nLoading a Vulnerable Driver for 
Further Exploitation (EoPLoadDriver \u0026 Capcom.sys)\nDriver Exploitation (ExploitCapcom) [Privilege Escalation] SMB Enumeration\nInformation Leakage\nRID Brute with Netexec for Potential User Discovery\nInformation Leakage through Rpcclient (querydispinfo)\nAbusing SeBackupPrivilege/SeRestorePrivilege [Privilege Escalation] Web Enumeration\nWebpack Application Enumeration\nAPI Endpoints - Information Leakage\nSubdomain Enumeration\nCracking Hashes\nSSRF (Server-Side Request Forgery) Exploitation\nDiscovering Internal Ports and Web Services through SSRF\nInternal Express API Documentation Source Analysis\nCracking JWT\nFile Reading (LFI) through Creation of a Malicious JWT and API Abuse\nAbusing Xpad - Sticky Notes Application (Information Leakage)\nCommand Injection through Adding Products to a Cart (Abusing Mail Cron Job) [Privilege Escalation] gRPC Enumeration with grpcurl and gRPC UI\nRegistering a User in the Application through grpcurl\nSQL Injection in SQLite through grpcurl (Enumerating Tables, Columns and Data)\nAbusing Internal Web Service - PyLoad 0.5.0\nPyLoad Exploitation (CVE-2023-0297) [RCE and Privilege Escalation] Subdomain Enumeration\nLaTeX Injection + Blocklisted Function Bypass\nFile Read through LaTeX Injection\nCracking Hashes\nCreating Bash Script to List Commands and Cron Jobs Running on the System (Procmon.sh)\nAbusing Cron Job in gnuplot to Run Privileged Commands [Privilege Escalation] Web Enumeration\nJWT Enumeration\nDirectory Traversal + Local File Inclusion\nAbusing Cryptographic Key Generation\n   Explaining how RSA works [EXTRA]\nExplaining how RSA works: Creating a key pair through 2 prime numbers [EXTRA]\nExplaining how RSA works: Encrypting files with the generated keys using openssl [EXTRA]\nExplaining how RSA works: Explaining RSA: Factoring n to Derive the Private Key [EXTRA]\nBreaking JWT Cryptography to Forge an Admin Token\nSQL Injection: Playing with extractvalue() to Enumerate Database Information [Manual 
Exploitation]\nSQL Injection + INTO OUTFILE + Abusing Cron Jobs for RCE\nInformation Leakage\nExploiting Sudoers Privileges and Mercurial Hooks to Execute Commands as Another User\nAbusing Sudoers privilege (rsync) [Privilege Escalation] Web Enumeration\nExecution After Redirect (EAR) Vulnerability - Skipping Redirects\nPHP Source Code Analysis\nCommand Injection (RCE)\nInformation Leakage\nDatabase Enumeration\nCracking Hashes\nAbusing Sudoers Privilege + PATH Hijacking [Privilege Escalation] WordPress Enumeration\nWordPress Plugins Enumeration\nBookingPress \u003c 1.0.11 - Unauthenticated SQL Injection [CVE-2022-0739]\nCracking Hashes\nAuthenticated XXE Within the WordPress Media Library - File Inclusion\nAbusing FTP + Information Leakage\nAbusing Passpie (Multiplatform command-line password manager)\nAbusing GnuPG Encryption Tool - Cracking Private PGP Key (gpg2john + john)\nExtracting Stored Root Password with Passpie [Privilege Escalation] (LFI) Local File Inclusion Vulnerability + Filter Bypass Restriction\nSource Code Analysis (PHP)\nManually Generating Invitation Codes Based on Server Time During Registration\nGetting Logged in with the Generated Invitation Code\nCreating a Serialized Payload to Achieve File Writing During Deserialization and Achieve RCE\nPostgres Database Enumeration\nPassword Composition in Salt + MD5 Format with the Obtained Hashes and Cracking Them\nAbusing Cron Job\nCreating a Certificate with Openssl with Malicious CommonName Field to get RCE [Privilege Escalation] Web Enumeration\nAPI Endpoints Enumeration\nFuzzing POST API Parameters\nExploiting dompdf 1.2.0 Vulnerability (XSS to RCE through Malicious CSS File)\nEnumerating Cron Jobs Running on the System (Procmon.sh)\nShell Script Arithmetic Expression Injection or Quoted Expression Injection [Privilege Escalation] Web Enumeration\nSubdomain Enumeration\nInformation Leakage\nPython Source Code Analysis\nAbusing the os.path.join Operation in Python to Read Files from the 
Server\nFileSystem Enumeration\nBypassing Filter Due to ill-defined Regular Expression with re.match [RCE]\nInternal Services Enumeration\nRemote Port Forwarding with Chisel\nAbusing Neo4j Database\nNeo4j Cypher Injection\nNeo4j Cypher Injection - Enumerating Labels\nNeo4j Cypher Injection - Enumerating Label Keys\nNeo4j Cypher Injection - Extracting Keys Data\nCracking hashes\nAbusing Sudoers Privilege (pip3 download)\nCreating a malicious package in Python and defining a malicious setup.py structure [Privilege Escalation] APK Analysis (apktool)\nInformation Leakage\nAPI Enumeration (Swagger)\nDirectory Traversal + File Read (id_rsa)\nAbusing SolarPutty Session Backup File (Brute Force) [Privilege Escalation] Subdomain Enumeration\nGitea Enumeration\nPHP Code Analysis\nFinding Code-Level Vulnerability that Allows Attackers to Read Alternative Files (LFI)\nReading the Nginx Web Service Structure through the LFI\nAbusing a Proxy_Pass Bug to Interact with a Redis Unix Socket\nAltering User Properties through Redis Abusing Proxy_Pass Bug\nCreation of Malicious PHP File through Poorly Sanitized PHP Code and Write Capability\nRedis Enumeration\nAbusing Sudoers Privilege (Custom Python Script + .format() exploitation) [Privilege Escalation] Abusing vm2 NodeJS Package (RCE) [CVE-2023-30547]\nSQLite Database File Enumeration\nCracking Hashes\nAbusing Sudoers Privilege (Custom Script)\nAbusing String Comparison Without Quote Marks (Bypass + Python Script) [Privilege Escalation] Malicious CIF File (RCE)\nSQLite Database File Enumeration\nCracking Hashes\naiohttp/3.9.1 Exploitation (CVE-2024.23334) [Privilege Escalation] Rocket.Chat Enumeration\nSubdomain Enumeration - CAIDO\nClearML Enumeration\nClearML 1.31.1 Exploitation [CVE-2024-24590]\nDeploying the Vulnerable ClearML Version Locally\nCreating an Artifact with a Malicious Pickle Payload to Achieve Remote Command Execution\nAbusing Sudoers Privilege (Custom Bash Script)\nBash Code Analysis - Detecting Logic Flaw that 
Allows Loading and Execution of a Malicious Model\nCreating Malicious PTH File and Getting Privileged Command Execution [Privilege Escalation] SMB Enumeration\nCreating malicious XLL File (Achieving Command Execution without Using Macros)\nDLL Execution via Excel.Application RegisterXLL() Method\nSending Malicious Office Documents by Mail with Swaks\nhMailServer Enumeration\nAbusing WebSite Shorcut File to Run a Custom Executable\nUsing WinPeas for System Enumeration\nInformation Leakage in a User's Powershell History\nUsing bloodhound-python to Enumerate System Information\nAnalyzing the Results Obtained with Bloodhound and Neo4j\nAbusing ForceChangePassword Rights\nUpdating a User's Password via PowerView\nAbusing Windows Driver Kit (WDK) StandaloneRunner.exe [Privilege Escalation] SMB Enumeration\nWeb Enumeration\nKerberos User Enumeration (kerbrute)\nAttempting User Enumeration with netexec (RID Cycling Attack)\nRegistering a New User on the Website\nLogging into the Account Thanks to the Forget Password Bad Logic\nAnalyzing QR Code (zbarimg)\nExploiting IDOR through the URL Structure Present in the QR\nGetting the sessionid of the Administrator User through IDOR\nAbusing SQL Terminal in Django Administration Section\nMSSQL - DB Enumeration\nMSSQL - Abusing Impersonate Privilege\nMSSQL - Enabling Advanced Options and xp_cmdshell for Executing Commands\nSetting the Limit of our String to the Allowed Limit for Executing Powershell Instructions\nBypassing Antivirus Software So That It Does Not Detect our Powershell Code as Malicious Content\nAntivirus Evasion Tip to Avoid Detection [Signature and Heuristic] (Reverse Shell)\nAttempting AS-REPRoast Attack to Obtain TGT Tickets (impacket-GetNPUsers)\nInformation Leakage - Passwords Stored in SQLEXPR Configuration File\nPassword Spraying - Netexec\nAttempting Kerberoasting Attack to Obtain TGS Tickets (impacket-GetUserSPNs)\nPlaying with RunasCs to Execute Commands as Another User\nMemory Dump Analysis with 
Memprocfs\nDumping SAM and LSA SECRETS Hashes with Secretsdump Leveraging Memory Dump Data\nAbusing WinRM\nDC Enumeration with Bloodhound-Python\nDeploying the Latest Version of Bloodhound to See More Attack Vectors\nAbusing GenericWrite Rights over the DC\nAdding an Attacker-Controlled Computer Account Using Impacket’s addcomputer.py\nConfiguring the Target Object to Allow Attacker-Controlled Delegation with rbcd.py\nObtaining a Service Ticket to Impersonate an Admin Using Impacket’s getST.py\nPerforming Pass-the-Ticket to Retrieve the Administrator's NTLM Hash Using secretsdump.py\nConnecting to the Target Machine with evil-winrm Using PasstheHash [Privilege Escalation] Gaining SSH Access Using Default Raspberry Credentials\nAbusing Sudo Group [Privilege Escalation]\nRecovering Deleted root.txt File through a Connected External Device SMB Enumeration\nBloodhound Enumeration\nAbusing WriteOwner Rights\nModifying the Owner of Existing Group (owneredit.py)\nGiving the Rights to Add Users to a Group (dacledit.py)\nAdding User to a Group with Net Rpc Group AddMem Instruction\nShadow Credential Attack (pywhisker.py) - Generating PFX file to subsequently obtain a TGT [1st User]\nObtaining TGT to later obtain NT hash of the user (gettgtpkinit.py) [1st User]\nPassTheTicket + Obtaining NT hash of the user (getnthash.py) [1st User]\nConnection by WinRM via evil-winrm\nAbusing GenericAll Rights\nShadow Credential Attack (pywhisker.py) - Generating PFX file to subsequently obtain a TGT [2nd user]\nObtaining TGT to later obtain NT hash of the user (gettgtpkinit.py) [2nd User]\nPassTheTicket + Obtaining NT hash of the user (getnthash.py) [2nd User]\nListing vulnerabilities in existing certificate templates (certipy)\nAbusing ADCS (User Can Enroll and Template Has No Security Extension) - ESC9\nESC9 [Privilege Escalation] Web Enumeration\nFile Upload Enumeration\nAbusing .git - Git-Dumper (Information Leakage)\nImageMagick 7.1.0-40 beta Exploitation (Arbitrary File Read) 
[CVE-2022-44268]\nSQLite Database File Enumeration via CVE-2022-44268\nAbusing an Active Service through a Script that is Run by Root\nBinwalk 2.3.2 Exploitation - CVE-2022-4510 (RCE) [Privilege Escalation] Web Enumeration\nAPI Enumeration\nSubdomain Brute Force (gobuster)\nLocal File Inclusion by Abusing the API\nCreating a Proxy with Flask for Convenient Query Handling (Python Scripting)\nReading Internal Files on the Server through the Proxy with Flask\nFinding .git/ Path on the Server and Re-structuring All Files Manually\nUsing git-dumper as an Alternative and Adapting Flask's Proxy to be Functional\nAbusing the Structure of a URI to Achieve SSRF due to Bad Code Implementation\nFinding another LFI\nExplaining Trick to through Wrappers and Coding Changes, Achieve Command Execution\nSSRF + LFI + PHP Filter Chain +  RCE\nAbusing Sudoers Privilege + Git post-commit hooks (RCE)\nAbusing Sudoers Privilege (Systemctl and Systemd Malicious Service File) [Privilege Escalation] XSS - Injection Via Markdown\nDiscovering LFI accessible from XSS\nCracking Hashes\nExploiting Web Service Executed by Root\nCreating a Malicious php File in Writable Path [Privilege Escalation] Creating a Python Script with Scapy to Detect if a Host is Active [EXTRA]\nCreating a Port Scanner with Scapy [EXTRA]\nXdebug Exploitation (RCE)\nCracking 802.11 - WiFi .cap Capture Analysis with Tshark\nWiFi Cracking - Aircrack-ng\nDomain Zone Transfer (dig)\nPort Knocking - Custom Script with Scapy\nAbusing docker group [Privilege Escalation] Web Enumeration\nSQL Injection - Login Bypass\nInformation Leakage\nUDP Scan with Nmap\nSNMP Enumeration - OneSixtyOne Community Strings Brute Force\nSNMP Enumeration - SnmpWalk vs SnmpBulkWalk\nSNMP Enumeration - Finding IPV6\nNmap IPV6 Scan\nSSH Connection via IPV6\nBinary Static Analysis [GHIDRA]\nBuffer Overflow Exploitation (x32 bits - No ASLR/NX) [Privilege Escalation] Web Enumeration\nFile Upload Vulnerability - Abusing Content-Type to Upload Malicious PHP 
File (RCE)\nKernel Exploitation (2.6.31) - DirtyCow (/etc/passwd) [Privilege Escalation] Web Enumeration\nAbusing WebShell Utility (RCE)\nAbusing Sudoers Privilege (User Pivoting)\nDetecting Cron Jobs Running on the System\nExploiting Cron Job Through File Manipulation in Python Executed by Root [Privilege Escalation] UnrealIRCd 3.2.8.1 Exploitation (RCE)\nSteganography Challenge\nAbusing SUID Binary\nBinary Analysis (GHIDRA)\nSUID Binary Exploitation [Privilege Escalation] Subdomain Enumeration\n.git Exposure (GitHack)\nInformation Leakage\nGhost 5.58 Exploitation (CVE-2023-40028) [Arbitrary File Read]\nAbusing Sudoers Privilege (Abusing Custom Bash Script Logic via Double Symlinks)\nReading the Root id_rsa Key and Becoming Root [Privilege Escalation] Information Leakage\nPHP Source Code Analysis\nAbusing File Upload (AddHandler Exploitation) [RCE]\nAbusing Cron Job [Command Injection] (User Pivoting)\nBash Source Code Analysis\nAbusing Sudoers Privilege (Custom Script Exploitation) [Privilege Escalation] Web Enumeration\nDefault Credentials (Supervisord Default Password)\nFuzzing (Gobuster/Wfuzz)\nLua Command Injection (RCE)\nCracking Hashes\nAbusing Internal Web Service [httpd Configuration (-u parameter and /~user/)]\nDecrypting files (netpgp and .gnupg keyrings)\nAbusing Doas Privilege [Privilege Escalation] Web Enumeration\nVirtual Hosting\nInformation Leakage (wp-config.php.save)\nGaining Administrator Access to the WordPress Dashboard\nModifying an Existing Akismet Plugin to Obtain RCE\nPython Reverse Shell\nInformation Leakage (passwd file)\nAbusing Sudoers Privilege (/sbin/initctl) [Privilege Escalation] SMB Enumeration (Netexec, Smbmap)\nListing Existing Users at Domain Level (rpcclient)\nLDAP Enumeration (ldapdomaindump)\nTesting Kerberoasting and ASRepRoast Attack\nBloodound (Docker Version) - DC Enumeration\nAbusing GenericAll Right (net rpc) [Change User Password]\nAbusing ForceChangePassword (net rpc) [Change User Password]\nFTP 
Enumeration\nPassword Safe (pwsafe) Linux Installation\nExtracting the Hash from the PSafe3 File for Further Cracking\nCracking Hashes\nOpening the PSafe3 file with Password Safe and Viewing User Credentials\nAbusing GenericWrite Right (targetedKerberoast.py) + Cracking Hashes\nAbusing GetChanges/GetChangesAll Privilege (dcsync Attack - secretsdump.py) [Privilege Escalation] Web Enumeration\nInformation Disclosure (.git) - GitHack\nPHP Code Analysis\nXSS Exploitation\nManual Blind SQL Injection (sqlite) + Python Scripting [EXTRA]\nCracking Hashes\nAbusing adm group (Reading Apache log files)\nLocal Port Forwarding + Gitea Exploitation\nGitea 1.22.0 Exploitation (Stored XSS) [CVE-2024-6886]\nReading a password from an internal Gitea project via XSS [Privilege Escalation] Information Disclosure (.git) - GitHack\nInformation Leakage (Hardcoded passwords in code)\nCreating a new malicious module for Backdrop (RCE)\nAbusing sudoers privilege (bustom bee binary) [Privilege Escalation] Web Enumeration\nPython Reverse Shell Restriction Bypass\nDatabase SQLite File Enumeration\nCracking Hashes\nDirectory Path Traversal Restriction Bypass + Abusing Sudoers Privilege [Privilege Escalation] Web Enumeration\nUser Enumeration Vulnerability\nInformation Leakage\nExploitation in the Website Backup Creation Process (RCE)\nCracking Hashes\nLocal Port Forwarding + ISPConfig 3.2 Exploitation [Privilege Escalation] Kerberos User Enumeration (Kerbrute)\nSMB Enumeration\nDomain Users Enumeration via RPCClient\nTesting AS-REP Roast and Kerberoasting attack\nBloodHound Enumeration (BloodHound-CE Docker)\nAbusing GenericWrite Rights\nAdding Ourselves to a Group via 'net rpc group addmem'\nAccess KeePassXC Database\nAbusing GenericAll Rights\nChanging a User's Password via 'net rpc password'\nLdap Enumeration (ldapsearch)\nChanging User Properties with ldapmodify + Enabling a Disabled Account\nInformation Leakage\nAbusing DPAPI (Extracting Passwords Stored in the System via 
impacket-dpapi)\nDCSync + Extracting the NTDS to view the NT Hash of the Administrator User [Privilege Escalation]","video":"Writeup https://www.youtube.com/watch?v=hFIWuWVIDek https://www.youtube.com/watch?v=78i-qbhEUVU https://www.youtube.com/watch?v=Q6vlt9BlnWg https://www.youtube.com/watch?v=XQQ104hWFXE https://www.youtube.com/watch?v=5QC5lshrDDo https://www.youtube.com/watch?v=s2b-BH0I7R4 https://www.youtube.com/watch?v=67TQsX88EtM https://www.youtube.com/watch?v=tMsK6ZiB7CQ https://www.youtube.com/watch?v=TwJiEWjI6Go https://www.youtube.com/watch?v=mxHbnV_LB20 https://www.youtube.com/watch?v=0cPq2UV2vmg https://www.youtube.com/watch?v=31CvSq9lcqU https://www.youtube.com/watch?v=MQeB_fItmW8 https://www.youtube.com/watch?v=5tEBvG0OnWQ https://www.youtube.com/watch?v=MPArplyCIjM https://www.youtube.com/watch?v=RRig0TQKYy8 https://www.youtube.com/watch?v=zemqqJMl1VA https://www.youtube.com/watch?v=r3WMeRtwmFc https://www.youtube.com/watch?v=qiCozh2m0yE https://www.youtube.com/watch?v=u0eFap03oDY https://www.youtube.com/watch?v=LI8wnTUc5-I https://www.youtube.com/watch?v=5-L8T8Qsxfs https://www.youtube.com/watch?v=TY8NgOUVXjM https://www.youtube.com/watch?v=yCXJI0H0704 https://www.youtube.com/watch?v=7W2h7qoCShk https://www.youtube.com/watch?v=0wTYfJsZdKU https://www.youtube.com/watch?v=2ZzVu5mdzgA https://www.youtube.com/watch?v=-t0CkWmiq6s https://www.youtube.com/watch?v=q3mFOd8eRQs https://www.youtube.com/watch?v=IShxpoRMxW8 https://www.youtube.com/watch?v=A_7Cwl2bBC0 https://www.youtube.com/watch?v=pvtergVU__4 https://www.youtube.com/watch?v=K8d2CmQAV9Q https://www.youtube.com/watch?v=KADZhYY9Wpw https://www.youtube.com/watch?v=WXdF3wqwtqQ https://www.youtube.com/watch?v=EGlLewVI_M0 https://www.youtube.com/watch?v=_hnKZ1YgzyA https://www.youtube.com/watch?v=NAKePo2HLjI https://www.youtube.com/watch?v=Isgpbsi9Tpc https://www.youtube.com/watch?v=L1w3DwxFHFg https://www.youtube.com/watch?v=3p0myaukHBk https://www.youtube.com/watch?v=dekA2dzLSlE 
https://www.youtube.com/watch?v=B5_NsxWlXTU https://www.youtube.com/watch?v=xaOgoGYyJF4 https://www.youtube.com/watch?v=QWkM74ZBVO4 https://www.youtube.com/watch?v=YfVnbzpjz2I https://www.youtube.com/watch?v=2ZnbIAPzmpg https://www.youtube.com/watch?v=-Ck0z8N1LxQ https://www.youtube.com/watch?v=O5v3yzvgYjw https://www.youtube.com/watch?v=_8ih4aNNI4M https://www.youtube.com/watch?v=mkB1Vfw35XY https://www.youtube.com/watch?v=fMZCktwAD2w https://www.youtube.com/watch?v=8dLPT-imMYk https://www.youtube.com/watch?v=C1NZVah39ms https://www.youtube.com/watch?v=7aCplH8WZm0 https://www.youtube.com/watch?v=2qKXz_Rk2YE https://www.youtube.com/watch?v=tEbBDlOFen0 https://www.youtube.com/watch?v=DWF0inlo8Zw https://www.youtube.com/watch?v=hKCNrXXLClQ https://www.youtube.com/watch?v=OugU0j3_COM https://www.youtube.com/watch?v=UMyJt-fiBz8 https://www.youtube.com/watch?v=3QZfUBVr-AA https://www.youtube.com/watch?v=ymvb94yAefM https://www.youtube.com/watch?v=C64POGPpank https://www.youtube.com/watch?v=BmtLkWmJbgk https://www.youtube.com/watch?v=Q2jTs8QepFQ https://www.youtube.com/watch?v=hfzYnjBzW_k https://www.youtube.com/watch?v=TLKid8-aI0E https://www.youtube.com/watch?v=u5hjJ3p-XfU https://www.youtube.com/watch?v=I1IDYLQeieE https://www.youtube.com/watch?v=zWDLDqis0Hs https://www.youtube.com/watch?v=C0zJUGM00mc https://www.youtube.com/watch?v=mWTmXpQlgCs https://www.youtube.com/watch?v=R89-6VzGgFs https://www.youtube.com/watch?v=vTsD0TSgdGg https://www.youtube.com/watch?v=mjrrfNc454c https://www.youtube.com/watch?v=6JWPJ3YgDXc https://www.youtube.com/watch?v=7Lc9taXgLCA https://www.youtube.com/watch?v=JLaMxPbdvlo https://www.youtube.com/watch?v=z6nmcyk1Pbo https://www.youtube.com/watch?v=ofz_1ncuCm4 https://www.youtube.com/watch?v=PE3B3rHVTSw https://www.youtube.com/watch?v=UOrtDZsP0aQ https://www.youtube.com/watch?v=HNHvMgQwHQM https://www.youtube.com/watch?v=nqGs42yM75c https://www.youtube.com/watch?v=LWh6unoFu8I https://www.youtube.com/watch?v=TytUFooC3kU 
https://www.youtube.com/watch?v=q2Cv2IQUzdw https://www.youtube.com/watch?v=sIaVrGnzRjM https://www.youtube.com/watch?v=6IO3gAtP3dc https://www.youtube.com/watch?v=nBDnCjRxmO8 https://www.youtube.com/watch?v=Np_zA-SOwYo https://www.youtube.com/watch?v=VHeDNq4OrqI https://www.youtube.com/watch?v=jvoiMos46IY https://www.youtube.com/watch?v=prg88ajxAPc https://www.youtube.com/watch?v=nyp6eixPSMA https://www.youtube.com/watch?v=kBw3UyBt7Hc https://www.youtube.com/watch?v=YmZLdJRBKv0 https://www.youtube.com/watch?v=ofAHf1i8XMQ https://www.youtube.com/watch?v=ESxAyDX2Dg4 https://www.youtube.com/watch?v=ATDC1eGgnp0 https://www.youtube.com/watch?v=zYjeNFx-ymg https://www.youtube.com/watch?v=5GH6Ze84FTQ https://www.youtube.com/watch?v=lVLVaArHL5o https://www.youtube.com/watch?v=NKKvDtPacOw https://www.youtube.com/watch?v=Eh5ywJJX1oE https://www.youtube.com/watch?v=ai5_9H-wutw https://www.youtube.com/watch?v=bB-M5vPegMk https://www.youtube.com/watch?v=L58krS9kY_A https://www.youtube.com/watch?v=lCrQLzE-CjI https://www.youtube.com/watch?v=T1pr-A8qA7I https://www.youtube.com/watch?v=JZf7t3UMuVw https://www.youtube.com/watch?v=mQnwwu97f1g https://www.youtube.com/watch?v=i2aHMXFb1Yk https://www.youtube.com/watch?v=7X5p3WmSnIs https://www.youtube.com/watch?v=ZmagS_Q_FrY https://www.youtube.com/watch?v=O8-l2KNeRkM https://www.youtube.com/watch?v=-wQFA1zPqIc https://www.youtube.com/watch?v=UEGJKIvx_Y0 https://www.youtube.com/watch?v=2dI1F8c0al8 https://www.youtube.com/watch?v=RcvpSxngnQI https://www.youtube.com/watch?v=PpkQW8U0-cc https://www.youtube.com/watch?v=SZoH_6maN6k https://www.youtube.com/watch?v=VMlTK6Okxok https://www.youtube.com/watch?v=ggkUREL6djQ https://www.youtube.com/watch?v=L7MU3DZqIN0 https://www.youtube.com/watch?v=Bcwl1OfFOfU https://www.youtube.com/watch?v=zqwCsqeyNrI https://www.youtube.com/watch?v=i2khZEZvoPk https://www.youtube.com/watch?v=cZ-C3d7mux0 https://www.youtube.com/watch?v=AWD2eDF1oiw https://www.youtube.com/watch?v=uIIZG2miowo 
https://www.youtube.com/watch?v=esrAYODKnBY https://www.youtube.com/watch?v=h_brlhoSfy8 https://www.youtube.com/watch?v=d7GcXm_DWHg https://www.youtube.com/watch?v=9gurBGeazok https://www.youtube.com/watch?v=ZYW-Cj1yjdQ https://www.youtube.com/watch?v=zuMEHLnH_E0 https://www.youtube.com/watch?v=1bJryn5mJLM https://www.youtube.com/watch?v=S1L92tszls0 https://www.youtube.com/watch?v=0e91a_Pns2Q https://www.youtube.com/watch?v=92XycxcAXkI https://www.youtube.com/watch?v=A6oVNwawRzM https://www.youtube.com/watch?v=KX138goKVC0 https://www.youtube.com/watch?v=cMeNaUNKK5Y https://www.youtube.com/watch?v=oFBSn4iaLUo https://www.youtube.com/watch?v=uIasBAMSWsI https://www.youtube.com/watch?v=6zrxDaAmjB8 https://www.youtube.com/watch?v=XxqXoLZtASY https://www.youtube.com/watch?v=chcJmcDrtW4 https://www.youtube.com/watch?v=0AzaHJZfqwE https://www.youtube.com/watch?v=C2VOcO8MdmI https://www.youtube.com/watch?v=ATqk2HpRp_s https://www.youtube.com/watch?v=KpYZh3gc79o https://www.youtube.com/watch?v=cYVf2KVXyFI https://www.youtube.com/watch?v=0C8zlzxBv7w https://www.youtube.com/watch?v=aPbfiHW8GW8 https://www.youtube.com/watch?v=_ahxa5Zq5TY https://www.youtube.com/watch?v=EKwRNymiYfY https://www.youtube.com/watch?v=hh0iNaaCv1I https://www.youtube.com/watch?v=NiV52j3fsh8 https://www.youtube.com/watch?v=ys-az6SyheE https://www.youtube.com/watch?v=egcvKwYpi0g https://www.youtube.com/watch?v=TMQFehvMTvI https://www.youtube.com/watch?v=9WY2rSejDOY https://www.youtube.com/watch?v=NnlYSY83EsA https://www.youtube.com/watch?v=RuWkPH_Vecg https://www.youtube.com/watch?v=FdCh0A2gZmk https://www.youtube.com/watch?v=6vvgfbh9cy4 https://www.youtube.com/watch?v=9GNYyb942tI https://www.youtube.com/watch?v=7G5wkoBpFWU https://www.youtube.com/watch?v=d3tzLtW6SWE https://www.youtube.com/watch?v=MYJbamO88vw https://www.youtube.com/watch?v=VdJbvaGXUAA https://www.youtube.com/watch?v=hB0G0Jp_MBg https://www.youtube.com/watch?v=FoFQgoDYzog https://www.youtube.com/watch?v=VXvdwHfYd8M 
https://www.youtube.com/watch?v=nAF0JnTGkNM https://www.youtube.com/watch?v=YQn3jAZeZAI https://www.youtube.com/watch?v=9BA_s6CGtpY https://www.youtube.com/watch?v=w7gO7i212c8 https://www.youtube.com/watch?v=eWZ29FJxEmA https://www.youtube.com/watch?v=gr78zhxjC7I https://www.youtube.com/watch?v=tIoV_Nkrusw https://www.youtube.com/watch?v=2bELzcFGnY4 https://www.youtube.com/watch?v=lP_ylWaw9eU https://www.youtube.com/watch?v=cDutnBcTQtM https://www.youtube.com/watch?v=mL7ADmxL7ss https://www.youtube.com/watch?v=71wQWq50aNE https://www.youtube.com/watch?v=kspptAGubDo https://www.youtube.com/watch?v=SJf_jAufs-k https://www.youtube.com/watch?v=FNQw93y3XNE https://www.youtube.com/watch?v=AoZiJaW5tc8 https://www.youtube.com/watch?v=aPS0VIIL0nQ https://www.youtube.com/watch?v=utTEk0WNO04 https://www.youtube.com/watch?v=aTOlZz1ucsc https://www.youtube.com/watch?v=HYqQCYh0CzA https://www.youtube.com/watch?v=osmFGqnFe8c https://www.youtube.com/watch?v=YCApOqCgoC4 https://www.youtube.com/watch?v=vAhrLjw1JEA https://www.youtube.com/watch?v=Be5wJyhgB_A https://www.youtube.com/watch?v=AnVAmSH81DQ https://www.youtube.com/watch?v=NZY6rLNJEAw https://www.youtube.com/watch?v=oYmY8HPYWJY https://www.youtube.com/watch?v=MGL6PK5s2yU https://www.youtube.com/watch?v=Ugz1RcYLd5M https://www.youtube.com/watch?v=maTw2StNFI4 https://www.youtube.com/watch?v=dkJQMRJHeKg https://www.youtube.com/watch?v=AlrB-uBUuTA https://www.youtube.com/watch?v=3xU66O-1pWU https://www.youtube.com/watch?v=7wwOejPwwYU https://www.youtube.com/watch?v=1pddk1u9jnQ https://www.youtube.com/watch?v=36Ua0nrwc7g https://www.youtube.com/watch?v=fli1xeT3c-s https://www.youtube.com/watch?v=rAY1GMvrO0g https://www.youtube.com/watch?v=0WA4b3P5ZMM https://www.youtube.com/watch?v=dEP6h3jxLRI https://www.youtube.com/watch?v=5gfA_wIaNRs https://www.youtube.com/watch?v=gfupbVibReM https://www.youtube.com/watch?v=YVdVKoqeoHs https://www.youtube.com/watch?v=hC8XnmxzwJ8 https://www.youtube.com/watch?v=gGyfo3jkzDk 
https://www.youtube.com/watch?v=lhVQxvz9Sh8 https://www.youtube.com/watch?v=VrscVIpSyV0 https://www.youtube.com/watch?v=wVSW6uMVe_w https://www.youtube.com/watch?v=CecJxqA2WPo https://www.youtube.com/watch?v=JIEsfS6noWk https://www.youtube.com/watch?v=Nm9HwJerMqs https://www.youtube.com/watch?v=o6aRIbFuKNA https://www.youtube.com/watch?v=oO9tvq9_HU8 https://www.youtube.com/watch?v=GMVmxYnHsLA https://www.youtube.com/watch?v=yKNxdxixfHg https://www.youtube.com/watch?v=Xw2Ojg26v2g https://www.youtube.com/watch?v=6uzYhgtDPTM https://www.youtube.com/watch?v=MTcZbk0QzB8 https://www.youtube.com/watch?v=1X6Ak_IBDrM https://www.youtube.com/watch?v=FCk5K7sm5uo https://www.youtube.com/watch?v=wxoaRHCfGHA https://www.youtube.com/watch?v=yxFFqfH3vQ8 https://www.youtube.com/watch?v=YSyCvjXl38k https://www.youtube.com/watch?v=H03cE35APwU https://www.youtube.com/watch?v=lXpnVFukinE https://www.youtube.com/watch?v=sV5OWqd-tXg https://www.youtube.com/watch?v=DModvDIU-uw https://www.youtube.com/watch?v=IWb7SNXRINU https://www.youtube.com/watch?v=qpXPV6Ui5TU https://www.youtube.com/watch?v=yNFyXb3lAh4 https://www.youtube.com/watch?v=5bZwmqmrFCs https://www.youtube.com/watch?v=6TkEvRP6Jz0 https://www.youtube.com/watch?v=Z0u7wP2yv-8 https://www.youtube.com/watch?v=Wi-QAH_JxtQ https://www.youtube.com/watch?v=yMRLMM1ROuA https://www.youtube.com/watch?v=px4FfpcLPLM https://www.youtube.com/watch?v=L3ywxkXARpA https://www.youtube.com/watch?v=ACCimo3KZDs https://www.youtube.com/watch?v=5S_ouR5hXqk https://www.youtube.com/watch?v=2AnVkG7sQiY https://www.youtube.com/watch?v=a-AEHNis4X4 https://www.youtube.com/watch?v=35V8Inkg4g0 https://www.youtube.com/watch?v=0UGnEcoxUlY https://www.youtube.com/watch?v=g8OA2O9Nbps https://www.youtube.com/watch?v=OTb_eJE1pU8 https://www.youtube.com/watch?v=CAiKwIiAl5E https://www.youtube.com/watch?v=qHgO2n4FFWQ https://www.youtube.com/watch?v=FdlH1QT5iy4 https://www.youtube.com/watch?v=ujcfgUztTYU https://www.youtube.com/watch?v=lBWOvgu_ayw 
https://www.youtube.com/watch?v=oBl_n1TtweQ https://www.youtube.com/watch?v=tEIBkTF3RfI https://www.youtube.com/watch?v=reOQJ-gJZs0 https://www.youtube.com/watch?v=8A4HFycriHk https://www.youtube.com/watch?v=zf89K5p28uQ https://www.youtube.com/watch?v=yQ9UTZqKicQ https://www.youtube.com/watch?v=dU5n3PJOp5U https://www.youtube.com/watch?v=OTsBGxbwS2s https://www.youtube.com/watch?v=lmdG1fSspQk https://www.youtube.com/watch?v=4ePSry_uSxc https://www.youtube.com/watch?v=SO5wmX4Sm0s https://www.youtube.com/watch?v=H7-Jd6HaLbI https://www.youtube.com/watch?v=ZApq09OJOcA https://www.youtube.com/watch?v=RsMhM67_RJY https://www.youtube.com/watch?v=ftkzWW4kEWE https://www.youtube.com/watch?v=kIEVAbtWJWI https://www.youtube.com/watch?v=eg85oOWvonM https://www.youtube.com/watch?v=RW58bxOKfTQ https://www.youtube.com/watch?v=f4gZqwUSKaQ https://www.youtube.com/watch?v=7-UoMtIBD-A https://www.youtube.com/watch?v=wIHr76Tq3a4 https://www.youtube.com/watch?v=Bs_nGDxTB44 https://www.youtube.com/watch?v=p4dJD_R4ZKM https://www.youtube.com/watch?v=NZBDKeraF5o https://www.youtube.com/watch?v=vEmxLFG5Nwk https://www.youtube.com/watch?v=AWFIODGw2kc https://www.youtube.com/watch?v=wRp87y8OAaI https://www.youtube.com/watch?v=ulFpGl5f7Uw https://www.youtube.com/watch?v=0rUu-VRusC4 https://www.youtube.com/watch?v=eR8lC3AyHQQ https://www.youtube.com/watch?v=TaYC6_5A9AU https://www.youtube.com/watch?v=aQtrcfWe_wI https://www.youtube.com/watch?v=det9ZYpa6b8 https://www.youtube.com/watch?v=b2ab9RGwWug https://www.youtube.com/watch?v=00rxFA6lLyA https://www.youtube.com/watch?v=8Hm0RGoXYPA"},{"certification":"OSCP\nOSEP\neCPPTv3\neCPTXv3\nActive Directory","ip":"10.129.194.134","name":"BabyTwo","os":"Windows","platform":"HackTheBox","state":"Medium","techniques":"SMB Enumeration\nNetExec spider_plus Module\nUser Enumeration (NetExec RID Cycling Brute Force Attack)\nBloodHound Enumeration (BloodHound-CE Docker)\nCreating Malicious VBS File\nAbusing WriteOwner \u0026\u0026 WriteDacl Rights 
(PowerView.ps1)\nAbusing GenericAll Right + GPO Exploitation (pyGPOAbuse) [Privilege Escalation]","video":"https://www.youtube.com/watch?v=vR8SUg4E6bc"},{"certification":"eWPT\neWPTXv2","ip":"","name":"Reset","os":"Linux","platform":"HackTheBox","state":"Easy","techniques":"Web Enumeration\nInformation Disclosure\nInsecure Password Reset\nUser Enumeration\nLog File Inclusion + Log Poisoning\nPHP Code Injection + RCE\nBerkeley r-commands Abuse (rlogin)\n.rhosts Trust Abuse\nLateral Movement\nCredential Discovery\ntmux Session Hijacking\nSudo Misconfiguration (Nano Escape) [Privilege Escalation]","video":"https://www.youtube.com/watch?v=wpeKeibfz1E"}],"totalMachines":{"htb":3,"vuln":58,"swigger":4}}