General

R3zk0n · October 2, 2025

Contents
    ## RDP
    xfreerdp +nego +sec-rdp +sec-tls +sec-nla /d: /u: /p: /v:dnn /u:administrator /p:studentlab /size:1180x708
    
    ## Webshells
    /usr/share/webshells (then leverage webshells to escalate to RCE)
    
    ## Apache Debugging
    sudo nano /etc/php5/apache2/php.ini
    # display_errors = On
    sudo systemctl restart apache2
    
    ## C# .NET Disable Optimisations
    [assembly: Debuggable(DebuggableAttribute.DebuggingModes.IgnoreSymbolStoreSequencePoints)]
    
    ## MariaDB
    sudo nano /etc/mysql/my.cnf
    
    general_log_file        = /var/log/mysql/mysql.log
    general_log             = 1
    
    sudo systemctl restart mysql
    sudo tail -f /var/log/mysql/mysql.log
    
    ## MySQL
    sudo nano /etc/mysql/my.cnf
    sudo systemctl restart mysql
    sudo tail -f /var/log/mysql/mysql.log
    

    C# .NET

    • Debugger: https://github.com/dnSpyEx/dnSpy
    • Disable Optimisations: C# .NET/Debugging.md
    • Decompile .exe and .dll files using dnSpy
    • Attach to process (w3wp.exe)
    • iisreset /noforce

    Common Vulnerabilities

    Deserialisation

    • https://book.hacktricks.xyz/pentesting-web/deserialization
    • ysoserial.exe -g [gadget] -f [serializer] -o raw -c [command] -t [Use powershell script for windows]
    • Formatters: DataContractSerializer (2), FastJson, FsPickler, JavaScriptSerializer, Json.Net, SharpSerializerBinary, SharpSerializerXml, Xaml (4), XmlSerializer (2), YamlDotNet < 5.0.0
    • Keywords to search:
      ```c#
      DeserializeHashTableXml
      XmlUtils.DeSerializeHashtable   // (Cannot serialise classes)
      LoadXml
      Deserialize
      TypeNameHandling
      JavaScriptTypeResolver
      TypeObject
      XmlSerializer xmlSerializer = new XmlSerializer(Type.GetType(attribute2)); // Type is not sanitised
      FileSystemUtils PullFile
      ObjectDataProvider
      ```

    Other Keywords to Search

    user login, get user, update user membership, validate user, create user, validate login, password reset, generate password, authentication [auth], select

    ----------------------------------------------------------------------------------------------------------
    # Python
    

    Pickle Deserialisation https://book.hacktricks.xyz/pentesting-web/deserialization

    Frappe Unauthenticated @frappe.whitelist(allow_guest=True)

    Jinja Template Bypass https://medium.com/@nyomanpradipta120/jinja2-ssti-filter-bypasses-a8d3eb7b000f https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Template%20Injection#jinja2

    ----------------------------------------------------------------------------------------------------------
    # PHP
    Unauthenticated
      + $_GET, $_POST, $_REQUEST etc.
      + grep -rnw /var/www/html/ATutor -e "^.*user_location.*public.*" --color ($_user_location    = 'public';)
      + grep -rnw /var/www/html/ATutor -e "function searchFriends" --color
      + grep -rnw /var/www/html/ATutor -e "\$addslashes.*=" --color
    
    Command Execution
      + PHP README.md
    SQL Injection
      + Keywords
        ```
        select.*from.*
        exec
        sql
        db
        where
        count\(
        ('|") *\.
        ```
      + PHP README.md + Web Application/SQL Injection
      + String Concatenation
      + Retrieve:
        + Admin Session
        + JWT Tokens
      + Postgresql RCE (Copy, LOID)
    
    File Upload
      + Bypassing Illegal Extensions
        + `$_config_defaults['illegal_extentions']= 'exe|asp|php|php3|bat|cgi|pl|com|vbs|reg|pcd|pif|scr|bas|inf|vb|vbe|wsc|wsf|wsh';`
      + https://book.hacktricks.xyz/pentesting-web/file-upload
      + Directory Traversal, Invalid zip files
      
    Password Reset
      + Keywords
        ```
        resetLink
        passwordreset
        passwordresetlink
        ```
      + Time-based random reset - refer to Java random
      + Type Juggling (Refer to substr())
      + Can be chained from previous SQL Injection (If username and password cannot be used for authentication, or if password is a hash)
    
    Type Juggling
      + `$code = substr(md5($e . $row['creation_date'] . $id), 0, 10);`
      + `if ($code == $m)`
    
    Magic Hashes (https://www.whitehatsec.com/blog/magic-hashes/)
      + `echo md5('240610708');`
    
    ----------------------------------------------------------------------------------------------------------
    # Node
    ```js
    // Logic Error (https://github.com/directus/directus/blob/v9.0.0-rc.34/api/src/middleware/authenticate.ts)
    if (!req.token) return next();
    
    // Prototype Pollution (https://book.hacktricks.xyz/pentesting-web/deserialization/nodejs-proto-prototype-pollution#handlebars)
    hasOwnProperty()
    toString()
    [ in .js files in VSCode
    merge, extend, set
    
    // Exploiting Prototype Pollution
    isAdmin == true (Cannot override explicitly set values)
    child_process.exec
    eval
    vm.runInNewContext
    
    {}.__proto__.preface = "');console.log('RUNNING ANY CODE WE WANT')//"
    options.escape
    
    // AST Injection (Refer to 14.X.X, payload is 14.5.2)
    Object.prototype.block = {"type":"Text","val":`<script>alert(origin)</script>`};
    
    // Websockets
    grep -r "wss:"
    var io = require('socket.io')
    
    // Beautify Javascript
    // http://www.jsnice.org/
    
    // RCE
    eval()
    exec()
    
    //SSTI
    app.set('view engine', 'pug');
    
    //Credentials
    .env (file may contain credentials to mySQL)
    ```

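An added example (not from these notes) of the merge-based prototype pollution listed above, in plain Node.js: an unsafe recursive merge beside a hardened one, driven by a constructed JSON body and checked against a loose `isAdmin == true` test. The names `unsafeMerge`, `safeMerge`, `isAdmin` and `demo` are assumptions.

```javascript
// Unsafe recursive merge: the pattern behind the "merge, extend, set" keywords.
// It follows a user-supplied "__proto__" key straight into Object.prototype.
function unsafeMerge(target, source) {
  for (const key of Object.keys(source)) {
    const val = source[key];
    if (typeof val === 'object' && val !== null) {
      if (typeof target[key] !== 'object' || target[key] === null) target[key] = {};
      unsafeMerge(target[key], val);        // target["__proto__"] is Object.prototype
    } else {
      target[key] = val;
    }
  }
  return target;
}

// Hardened merge: skip keys that reach the prototype chain, recurse only into own props.
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED_KEYS.has(key)) continue;
    const val = source[key];
    if (typeof val === 'object' && val !== null && !Array.isArray(val)) {
      const own = Object.prototype.hasOwnProperty.call(target, key);
      if (!own || typeof target[key] !== 'object' || target[key] === null) target[key] = {};
      safeMerge(target[key], val);
    } else {
      target[key] = val;
    }
  }
  return target;
}

// Loose authorisation check of the kind the notes flag ("isAdmin == true").
function isAdmin(user) { return user.isAdmin == true; }
// Constructed sample request body, as JSON.parse would produce it from a POST.
const SAMPLE_BODY = JSON.parse('{"name":"alice","__proto__":{"isAdmin":true}}');

// Merge the body into an empty profile, then inspect unrelated objects.
function demo(mergeFn) {
  mergeFn({}, SAMPLE_BODY);
  const result = {
    bystanderIsAdmin: isAdmin({}),                      // object that never set isAdmin
    explicitFalseIsAdmin: isAdmin({ isAdmin: false }),  // explicitly set value wins
    prototypePolluted: Object.prototype.hasOwnProperty.call(Object.prototype, 'isAdmin'),
  };
  delete Object.prototype.isAdmin;                      // undo pollution between runs
  return result;
}
```

With `unsafeMerge` every plain object becomes an admin, while an object that explicitly set `isAdmin: false` is unaffected (the "cannot override explicitly set values" note); with `safeMerge` the prototype stays clean.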
    Java

    Setup

    # Windows
    xfreerdp +nego +sec-rdp +sec-tls +sec-nla /d: /u: /p: /v:manageengine /u:Administrator /p:studentlab /size:1180x708
    
    ## Use notepad++ or vscode to perform detailed source code analysis
    
    • JD-GUI: https://www.kali.org/tools/jd-gui/
      • Decompile the JAR WAR EAR files to source code
      • Zip Export and open with Notepad++ or VSCode
      • Comes with syntax highlighting, useful for locating variables/functions
    • Locating Java Process
      • Process Explorer
      • Process properties for the binary (Ideally a single binary) can be used to discover the PATH

    Tree Structure

    - WEB-INF
    ----- web.xml (Servlet mappings, mapping class location)
    ----- lib
    ----------- struts.jar                                 - Third party library
    ----------- xmlsec-1.3.0.jar                           - Third party library
    ----------- AdventNetAppManagerWebClient.jar           - Native library (Of interest)
    
    • Explore:
      • web.xml
      • Servlets handling HTTP Requests
      • Java Server Pages (JSP)
        • userHome.requestPasswordReset();
        • /META-INF/application.xml
          • <library-directory>APP-INF/lib</library-directory>
      • JAR Class Files
        • public void requestPasswordReset(UserHome userHome)
        • String resetToken = Utils.getRandomBase62(40);
    • Spring Framework
      • https://www.marcobehler.com/guides/spring-framework
      • classes DAOs (data access object)

    Java Interactive Testing

    • Java IDE: sudo apt install openjdk-11-jdk-headless -> javac and jshell
    • java -version
    • Instances of java.util.Random are not cryptographically secure.

    Common Vulnerabilities

    SQL Injection

    • ^.*?query.*?select.*?
    • ^.*query.*?select.*?where.*?\+.*?\;
    • doGet, doPost, doPut, doDelete, doCopy, doOptions
    • select.*\+
    • UDF Reverse Shell Upload

    Insecure Randomization (Extra Mile 10.2.4 and 10.2.5, Java/Password Reset Authentication Bypass)

    • import java.util.Random;
    • new Random(seed);
    • System.currentTimeMillis()

    Search code base for readObject or Serializable

    • java.util.HashMap today = (java.util.HashMap)ois.readObject();
    • Serializable/java.io.Serializable

    XML External Entity

    • java.sql.SQLDataException
    • Tomcat
      • file:///home/student/crx/apache-tomee-plus-7.0.5/conf/tomcat-users.xml
    • HSQLDB
      • file:///home/student/crx/data/hsqldb/dbmanager.sh
    • Configuration Files
      • file:///home/student/crx/data/hsqldb/crx.properties

    HSQLDB - read and write files

    • java -cp ./hsqldb.jar org.hsqldb.util.DatabaseManagerSwing --url jdbc:hsqldb:hsql://127.0.0.1:9001/CRX --user sa --password manager99

    XSS, CSRF and CORS Bypass

    XSS: Refer to 11.X.X exercises
    CSRF and CORS: Refer to 12.X.X exercises

    Use fetch requests.

    Gobuster

    • Enumerate differences (/users, /invite)
    • Enumerate second-level (/users/invite)
    • Verb tampering

    SSRF + Port Scanning

    • Scan localhost
    • Subnet range scanning (private IP network 172/192/10)
    • Host Enumeration Render
    • renderQuerySchema
