On later versions of Windows 11 it is possible to enumerate versions of packages installed on a target using the native winget command. Might be good to give some documentation on this as I imagine this might be useful for finding out installed software on a target and associated versions that one could use for further exploitation.

Please help me

Im sorry to anyone who has an email notif as a result.

In NFS Exported shares you say
List NFS exported shares. If 'rw,no_root_squash' is present, upload and execute sid-shell

I'd like to get the code for sid-shell as the link https://github.com/mantvydasb/Offensive-Security-Cheatsheets/blob/master/sid-shell.c is dead.

where could i find this c code im not finding the proper CVE online.

Thanks, sorry for the burden.

Hello,
in
offensive-security/lateral-movement/lateral-movement-via-smb-relaying-by-abusing-lack-of-smb-signing
Microsoft network client: Digitally sign communications (always)
should be
Microsoft network server: Digitally sign communications (always)

What is the license type for this repo? Having a snippet at the top of the readme about cloning is non-enforceable.

Hi, I think there's a typo on this Article. It says:
"Note that the NetNTLMv2 hashes can only be relayed to the same host they are originating from. You can, however, try cracking them offline and use them on the machine they originated from".
But the whole article shows how to relay an NetNTLMv2 hash to different host. I think you meant "NetNTLMv2 hashes cannot be relay to the same host they are originating from".

This was fixed with MS08-068 (https://byt3bl33d3r.github.io/practical-guide-to-ntlm-relaying-in-2017-aka-getting-a-foothold-in-under-5-minutes.html).

In this page, it is stated that relocations may need to be fixed, and ntdll does not have any relocations to fix. However, ntdll does indeed have relocations (in fact, my version holds 7577 relocations), as can be seen if you open it in CFF Explorer. Indeed, this is because CreateFileMapping and MapViewOfFile already does the relocations for you. As such, no matter what DLL you use, this method should work to map it into memory without needing to solve for relocations (even the more complex ones such as kernel32.dll). In fact, if you implement your own mapping function (using things such as fopen), you will see that the ImageBase observed is completely different from the ImageBase you get after using CreateFileMapping and MapViewOfFile

Hey,
I've just noticed that the hash function provided in the tutorial is not so good - I found at least two hash collision of different api function names. one of them is this:


I recommend the following one, written in c by me and inpired by this excellent paper: "The Last Stage of Delirium. Win32 Assembly Components"

DWORD getHashFromString(char* instring)
{
char* string = instring;
DWORD hash = 0xab10f29f;
while (*string) hash = ((hash << 5) | (hash >> 27)) + *string++;
//printf("%s: 0x%x\n", string, hash);
return hash;
}

Hi, I'm the developer of bloodyAD. If you're interested I can add to your guides bloodyAD command lines as a Windows/Linux alternative to Powerview.

sir do you have any material(Script) regarding this. ShadowAttack(AutoShadow)tool.
refer link :- https://people.engr.tamu.edu/guofei/paper/ShadowAttacks_final-onecolumn.pdf
anyhelp is appreciated

I learned a lot from your article, thank you for sharing, but several addresses have failed.

https://github.com/mantvydasb/Offensive-Security-Cheatsheets/blob/master/sid-shell.c
https://github.com/mantvydasb/Offensive-Security-Cheatsheets/blob/master/raptor/raptor.tar
https://github.com/mantvydasb/Offensive-Security-Cheatsheets/blob/master/raptor_udf2.c

This is the only way I found to contact someone from https://www.ired.team/ I would love someone to teach me everything they know about all the different bypass methods on that site. how they learned the C++ for it. what tools they use. how they found the tools. I have been developing my own malware for a resume. it will be a program that makes fully undetectable meterpreter payloads if anyone can help me in my learning process please email me at: [email protected]

I also have discord: inviting_fawn_33780

please reach out; it would mean the world to me, This has been my goal for 3 years but no matter what I tried, I never got closer to it

PS: I can hire for $200 if needed

Hi,
there is a bug in the following line of code (arguments for ReadFile()) for Reflective DLL injection.
LPVOID dllBytes = HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, dllSize); ReadFile(dll, dllBytes, dllSize, NULL, NULL);
the 3rd argument for ReadFile() cant be NULL if the 4th is already a NULL.

LPVOID dllBytes = HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, dllSize); DWORD outsize; ReadFile(dll, dllBytes, dllSize, &outsize, NULL);

https://github.com/khast3x/Redcloud
May or may not be of interest.

where is D/Invoke ?

Hi. I suggest to add a small trick under this section
https://ired.team/offensive-security-experiments/offensive-security-cheetsheets#creating-user-and-adding-to-local-administrators

Hide newly created local administrator
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /t REG_DWORD /v spotless /d 0 /f

Hey there, I'm going to translate this series of notes, I'm a security beginner and I found this notes are great, I'm going to follow this experiment and make the Chinese version of the notes, I've already done part of it!

This is my blog
But, technically, he's not a translator, so maybe he counts as my study record? Because I'm not strictly following your notes, or I'm doing a Chinese project on my own, I don't know if that's possible.

Maybe this part can be simplified by using hashcat with --username

At Pentesting Cheatsheets, the sid-shell url at the NFS Exported Shares paragraph is broken (404).

At the page on AddressOfEntryPoint Code Injection without VirtualAllocEx RWX, this is not really done without using RWX. As shown in the first picture, the entrypoint memory page is already under RX permissions, and as shown here, the only reason this method works is because WriteProcessMemory is being nice and trying to change RX to RWX temporarily, which would end up creating an RWX page anyways, essentially making this technique still easily detectable by EDRs that look for RWX regions.

As you probably know,
using .gitignore file can prevent .vscode directory from being committing
for example:

.vscode/*
!.vscode/settings.json
!.vscode/tasks.json
!.vscode/launch.json
!.vscode/extensions.json

Hey, can you add an RSS/Atom feed to your blog? Would make subscribing to new posts easier :)